[From the desk of Paul G Davis – his opinion and no-one else’s, apart from those of the authors of the articles.]
And so, now the news
* 5 Tips For Keeping Your Wireless Network Secure
* Dealing With Cyber Threat in the Middle East
* Ransomware tops list of cyber attacks in Q2
* Essential certifications for smart security pros
* Reclamere Hosts First Conference On Emerging Healthcare Data Security Issues
* Mid-market business leaders reckless with sensitive data
* Cyber Security Survey reveals darknet use higher among 18- to 24-year-olds
* How to develop a cross-organizational compliance program
* Reviewing the latest trends in online fraud
* Can biometrics and the FIDO Alliance save us from password overload?
* Cyber security tops list of transport industry threats, survey says
* Tripwire Study Examines Ransomware Recovery Perceptions Among Info Security Pros
5 Tips For Keeping Your Wireless Network Secure
But not all WIPS (wireless intrusion prevention system) solutions are created equal.
These five key questions will help you evaluate the security features offered by WIPS that protect corporate Wi-Fi networks:
1) How many threats does it detect – and how much information do you get about the attacks?
2) How long does it take the system to detect a rogue device?
3) Does your wireless network support forensic analysis?
4) Does your network support automated regulatory compliance?
5) How easily can you set up and change network rules?
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=b2a4359f02&e=20056c7556
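Questions 2 and 3 above come down to two concrete checks: is every radio advertising our SSIDs one we own, and is there a timestamped record of when anything else showed up? The following Python script is an added example, not code from the article or from any WIPS vendor. It triages constructed scan records against a constructed authorised-AP inventory (the SSIDs, BSSIDs, security modes and timings are all assumptions) and reports how long each non-authorised radio was on air before the pass flagged it.

```python
"""Triage of Wi-Fi scan results against an authorised-AP inventory.

Added example, not code from the article: it shows the basic checks a
WIPS performs for question 2 (rogue/evil-twin detection and how long a
rogue was on air before the alert) and question 3 (a timestamped
finding that can be kept for forensics). Inventory and scan records are
constructed; the BSSIDs, SSIDs and timings are assumptions.
"""
from dataclasses import dataclass

# Constructed inventory: SSID -> authorised BSSIDs and expected security mode.
AUTHORISED = {
    "CorpWiFi":  {"bssids": {"00:11:22:33:44:01", "00:11:22:33:44:02"}, "security": "WPA2"},
    "CorpGuest": {"bssids": {"00:11:22:33:44:10"}, "security": "WPA2"},
}


@dataclass(frozen=True)
class ScanRecord:
    ssid: str
    bssid: str
    first_seen: int   # seconds since the sensor started, when this BSSID first appeared
    security: str     # "WPA2", "WPA3" or "OPEN" as advertised in the beacon


def classify(rec: ScanRecord) -> str:
    """Return a verdict for one observed access point."""
    entry = AUTHORISED.get(rec.ssid)
    bssid = rec.bssid.lower()
    if entry is None:
        # Unknown SSID: a neighbour or a honeypot; open ones deserve a closer look.
        return "open-unknown" if rec.security == "OPEN" else "unknown"
    if bssid not in {b.lower() for b in entry["bssids"]}:
        # Our SSID advertised from a radio we do not own: evil twin.
        return "evil-twin"
    if rec.security != entry["security"]:
        # Our own AP, but not the security mode we provisioned (e.g. factory reset).
        return "misconfigured"
    return "authorised"


def triage(scan, now: int):
    """Produce findings for everything that is not an authorised AP.

    latency_seconds is how long the BSSID was visible before this pass
    flagged it, i.e. the detection latency the article's question 2 asks about.
    """
    findings = []
    for rec in scan:
        verdict = classify(rec)
        if verdict == "authorised":
            continue
        findings.append({
            "bssid": rec.bssid,
            "ssid": rec.ssid,
            "security": rec.security,
            "verdict": verdict,
            "first_seen": rec.first_seen,
            "latency_seconds": now - rec.first_seen,
        })
    return findings


# Constructed scan results from one sensor (not real captures).
SAMPLE_SCAN = [
    ScanRecord("CorpWiFi",          "00:11:22:33:44:01", 0,   "WPA2"),
    ScanRecord("CorpWiFi",          "DE:AD:BE:EF:00:01", 300, "OPEN"),
    ScanRecord("CorpGuest",         "00:11:22:33:44:10", 0,   "OPEN"),
    ScanRecord("Free_Airport_WiFi", "aa:bb:cc:dd:ee:ff", 120, "OPEN"),
    ScanRecord("Neighbour5G",       "11:22:33:44:55:66", 10,  "WPA2"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_SCAN, now=600):
        print(f"{f['verdict']:<14} {f['ssid']:<18} {f['bssid']}  on air {f['latency_seconds']}s")
```

A commercial WIPS runs this continuously from dedicated sensors and adds wired-side correlation to tell a neighbour's AP from one plugged into the corporate LAN. The evil-twin check here only works if the inventory is kept current, which is question 5 in a different guise.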
Dealing With Cyber Threat in the Middle East
There have been significant efforts from the industry to address cyber security.
These efforts are partly driven by fear, particularly in the aftermath of previous attacks, and reflect industry requirements to ensure availability, reliability and safety – key foundations for profitable and efficient operations.
Increasingly, they are also driven by regulation and the adoption of cyber security standards in the region.
Many national governments in the Middle East have stepped up their requirements.
Qatar, for example, published the third version of its National Standards for Security of Critical Industrial Automation and Control Systems in 2014, and last year outlined further developments in its National ICT Plan 2015.
In 2014, the UAE’s National Electronic Security Authority also published new standards, drawing on international standards such as ISO 27001 and guidance from the US National Institute of Standards & Technology (NIST).
Saudi Arabia, meanwhile, has been developing its National Information Security Strategy (NISS), and has had tough anti-cybercrime laws in place since 2007.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=5b44fe9f7b&e=20056c7556
Ransomware tops list of cyber attacks in Q2
* PandaLabs detected 18 million new malware samples in Q2, neutralising around 200 000 threats daily.
* Ransomware attacks and credential theft are tactics most used by cyber criminals.
* Problem areas identified by PandaLabs include POS software, bank attacks, IoT and mobile devices.
Cyber attacks do not only originate from private entities; in recent months, it appears that cyber attacks are the latest weapon governments are using to target their adversaries.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=27ae6593af&e=20056c7556
Essential certifications for smart security pros
I’m a big believer in taking what you know the best first.
Use your first exam and certification to get back into good study habits, and once you pass the exam, let it help build your confidence.
Or if you fail, identify your weaknesses and get back on the horse.
I once taught a guy who failed the same test two dozen times over the course of a year.
But he kept coming back and eventually eked out a passing score.
I’ll hire a honey badger any day of the week.
If your experience qualifies you for taking the CISSP, that would be a great certification to start with.
The breadth of the exam (not the depth of material) is what makes the CISSP challenging.
The majority of people who take the exam pass it, and once you’ve earned the certification you can be prepared to share your success with anyone who asks.
If you want to acquire new technical skills, start with the SANS GIAC.
It’s fairly expensive, but nothing is better.
People already in auditing or management or those interested in doing so should consider the ISACA exams.
Compliance folks should look to SANS and ISACA.
Proof of expertise in a vendor’s suite of products can quickly be shared when you have that vendor’s own certification.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=8e06f1d053&e=20056c7556
Reclamere Hosts First Conference On Emerging Healthcare Data Security Issues
Reclamere, the company that positions businesses to implement secure data processes in the workplace and safely and securely dispose of their IT assets, announced it will hold its first conference focused on healthcare security, Sept. 22nd.
Open to all interested parties, the free event is scheduled from 8 a.m. to 5 p.m. at The Ben Franklin Institute, Innovation Park, 200 Innovation Blvd., Suite 101, in University Park, Pennsylvania.
Designed for healthcare IT and compliance professionals, the conference will feature insight from Reclamere CEO and nationally recognized data security expert Angie Singer Keating and President Joe Harford on how to proactively overcome cybersecurity challenges.
Workshops will cover these key topics:
How to implement technology solutions that don’t hinder patient care while still providing confidentiality and security of patient information
Understanding why risk analysis is the cornerstone of MACRA and HIPAA compliance
How to painlessly vet business associates to ensure compliance with more stringent HIPAA requirements
Learn how even smaller and regional healthcare providers can have world class security expertise
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=50e98e49a2&e=20056c7556
Mid-market business leaders reckless with sensitive data
Iron Mountain’s latest report says managers are the “worst offenders” when it comes to poorly handling business data.
According to the report, both MDs and CxOs have been completely reckless with sensitive information:
· 57 per cent have left confidential data on a printer for everyone to see / snatch
· 49 per cent used their private email accounts to send sensitive data (Hillary says Hello)
· 40 per cent have used insecure wireless networks to send confidential information
· 43 per cent have thrown such data in a ‘potentially insecure trash bin’
· 39 per cent lost such data in a public place
One in seven (14 per cent) don’t follow company policies, and 6 per cent were unaware of any policies, at all.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=05748cefb6&e=20056c7556
Cyber Security Survey reveals darknet use higher among 18- to 24-year-olds
A recent survey by the Cyber Security Centre at the University of Kent has revealed that 5% of British adults have browsed the darknet, with 1% acknowledging they have bought items from it, but this percentage is much higher (14%) for 18-24 year olds.
The survey, now in its third year, also revealed that:
– At least 4% of British adults have been victims of ransomware: malware installed on their computer encrypted their data, and they then faced demands for payment to restore it
Of those polled, 26% paid the ransom – though even after they complied with the criminals’ demands, 35% of them never recovered their data
– Bitcoin still struggles to become popular among British users, though ownership figures double in the 18-24 age range
– When it comes to data breaches, it is the older age group that wants the toughest penalties imposed.
Approximately 40% of British adults agree with companies suffering the breach paying larger fines, with the users affected receiving significant compensation.
They believe the government should do more to prevent data breaches in companies
– Almost a third of all GB citizens don’t want their medical data to be shared with third parties for any reason, including improving medical care or research.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=4af5edcf8f&e=20056c7556
How to develop a cross-organizational compliance program
The 2016 Phase 2 HIPAA Audit Program is in high gear with its focus on reviewing covered entity and business associate efforts to meet the standards and implementation specifications of the Privacy, Security and Breach Notification Rules.
These Office for Civil Rights (OCR) enforcement actions are resulting in greater scrutiny of how healthcare organizations maintain compliance with HIPAA.
But it’s not just about HIPAA: many healthcare organizations still lack a coordinated strategy for identifying and addressing all the regulations and standards that apply, such as state data breach notification laws, the Payment Card Industry Data Security Standard or the Federal Rules of Civil Procedure, and for translating these mandates into corporate policies, procedures and overall compliance.
Compliance accuracy is important because of the potential high costs associated with possible fines, penalties and lawsuits due to negligence or misinterpreting requirements as well as a greater likelihood for the confidentiality, integrity and availability of information to be compromised.
Developing a cross-organizational compliance program formally assigns the accountability and responsibility for proactively identifying and complying with regulations and standards that apply to the organization.
In terms of the characteristics of an effective cross-organizational compliance program, five primary areas should be addressed:
– Organizational alignment
– Training
– Communication
– Research and review
– Governance, risk management and compliance oversight
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=5bd2b44e7a&e=20056c7556
Reviewing the latest trends in online fraud
The U.S. credit card industry is now at a point of inflection similar to where the United Kingdom was a few years ago.
Fraudsters targeting point-of-sale machines and e-commerce payment providers, hunting for primary account data, have been successful in stealing bulk credit card data and using their proceeds to literally print credit cards and cash out either physically or online.
A watershed moment like the one the United Kingdom had in 2005 when credit card fraud levels rose above acceptable levels is coming in the United States, where banks and retailers are finally making the move toward Chip-and-PIN to reduce card present fraud.
Ultimately, this approach will seek to further devalue the credit card number for fraudsters as a means of monetising stolen credentials.
It’s possible that the new fraudster funding model will be through ransomware, which is already plaguing many computers, transforming vulnerabilities into profit.
This software holds files to ransom, threatening to destroy an organisation’s data unless it pays up.
However, apart from the ransomware bounty, little further value can be extracted from the fraud.
Yet if next-generation ransomware were to actually review, analyse and sift through the files being processed, more value could potentially be extracted from the contents of the victim’s computer and monetised.
Another relatively new fraud marketplace is the selling of compromised machines, which can then be used to support a combination of cybercrimes covering distributed denial of service, spam, click fraud and ransomware bots, or for more targeted crimes in which the victim inadvertently provides access to sensitive private data or intellectual property.
Other fraud schemes becoming more prevalent: Attacks in the United Kingdom relating to phishing fraud (e.g., a fake email from an organisation’s CEO to its CFO to request an urgent payment transfer) are becoming increasingly popular.
There have been similar attacks on companies such as private banks and law firms that hold client money – they have reported attempts to target cash under management through similar social-engineering techniques.
The key challenge will be ensuring that companies avoid overspending in the wrong areas and losing focus on addressing what matters most to them.
As anti-cybercrime experts begin to measure, categorise and capture cybercrime events, they ultimately will help the industry contextualise the results and enable organisations to focus on addressing the right things that matter most to them around cybersecurity.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=a15cd1550b&e=20056c7556
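The "fake email from the CEO to the CFO" pattern above leaves traces in the headers before anyone reads the body: an executive's display name on a free-mail or lookalike address, or a Reply-To that steers the conversation off the company domain. The Python script below is an added example, not code from the article; it applies those three checks with the standard library only. The company domain, the executive list, the 0.85 similarity threshold and the four sample messages are all constructed.

```python
"""Header heuristics for CEO-fraud (business email compromise) messages.

Added example, not from the article: it applies three checks to the
'fake email from the CEO to the CFO' pattern described above, using only
the standard library. The company domain, the executive list, the 0.85
similarity threshold and the sample messages are all constructed.
"""
import difflib
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.com"                       # assumed
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}    # assumed: display name -> real address


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_lookalike(domain: str, target: str = COMPANY_DOMAIN, threshold: float = 0.85) -> bool:
    """True for a domain that is close to, but not identical to, the company domain."""
    if not domain or domain == target:
        return False
    return difflib.SequenceMatcher(None, domain, target).ratio() >= threshold


def bec_indicators(raw_message: str) -> list:
    """Return the indicators that fire on one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    hits = []

    # 1. Display name of an executive, but the address is not theirs.
    real_addr = EXECUTIVES.get(display_name.strip().lower())
    if real_addr and from_addr.lower() != real_addr:
        hits.append("display-name-spoof")

    # 2. Replies are steered to a different domain than the sender shows.
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        hits.append("reply-to-mismatch")

    # 3. Sender domain is a near-miss of ours (typosquat / homoglyph).
    if is_lookalike(_domain(from_addr)):
        hits.append("lookalike-domain")
    return hits


# Constructed sample messages (only the headers matter here).
MSG_LEGIT = "\n".join([
    "From: \"Jane Doe\" <jane.doe@example-corp.com>",
    "To: cfo@example-corp.com",
    "Subject: Q3 board pack",
    "",
    "Attached as discussed.",
])
MSG_FREEMAIL = "\n".join([
    "From: \"Jane Doe\" <jane.doe@gmail.com>",
    "To: cfo@example-corp.com",
    "Subject: urgent wire today",
    "",
    "I am in a meeting, please process the attached transfer now.",
])
MSG_LOOKALIKE = "\n".join([
    "From: \"Jane Doe\" <jane.doe@examp1e-corp.com>",
    "Reply-To: jane.doe@examp1e-corp.com",
    "To: cfo@example-corp.com",
    "Subject: urgent wire today",
    "",
    "Please handle quietly.",
])
MSG_REPLYTO = "\n".join([
    "From: \"Jane Doe\" <jane.doe@example-corp.com>",
    "Reply-To: ceo.urgent@mail.example.net",
    "To: cfo@example-corp.com",
    "Subject: urgent wire today",
    "",
    "Reply to this address only.",
])

if __name__ == "__main__":
    for name, raw in [("legit", MSG_LEGIT), ("freemail", MSG_FREEMAIL),
                      ("lookalike", MSG_LOOKALIKE), ("reply-to", MSG_REPLYTO)]:
        print(f"{name:<10} {bec_indicators(raw)}")
```

These are review flags, not verdicts: a genuine executive mailing from a personal account trips the first check, and none of them replaces the SPF/DKIM/DMARC result in the Authentication-Results header. The control that actually stops the transfer is an out-of-band callback before any urgent payment, which the headers can only prompt.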
Can biometrics and the FIDO Alliance save us from password overload?
The FIDO Alliance has emerged to create an open set of standards so that all participating members can agree on a methodology to securely authenticate users across industries.
With the creation of this organization that will set the standards, best practices for proper authentication can be developed for the benefit of all organizations and establish a united front against potential consumer compromise and breaches.
Going forward, it’s clear that the FIDO Alliance will be a key driver in moving the industry towards fewer passwords.
At the same time, vendors and corporations will move independently of the FIDO Alliance to lessen our reliance on the broken password system with a biometric approach.
That said, the FIDO Alliance does face some obstacles.
As with any standards organization, it’s a matter of adoption and momentum.
Apple has not yet joined the alliance, which limits the market for FIDO-specific adoption.
Third parties can build a solution around Touch ID that is FIDO compliant, just with a greater degree of difficulty and time investment.
Certainly Apple’s participation would greatly further the FIDO cause.
Also, there have been some delays in the finalization of the FIDO 2.0 specification, leaving some corporations wondering if they should build towards the 1.0 standard, or wait for the new standard to be finalized.
Some corporations may even choose their own route and leverage the built-in biometric authenticators without following the FIDO way.
However, the benefits for the customer, including security and convenience, as well as for the organization—security, customer delight, and a reduced amount of customer support—far outweigh the cost of the integration.
Indeed, FIDO’s mantra, “simpler, stronger authentication” is a good one and will usher in an era when we won’t have to remember a hundred different passwords.
This will be a welcome change for all involved.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=7735bd0529&e=20056c7556
Cyber security tops list of transport industry threats, survey says
Digital vulnerability and rapid technological advancement rank among the top concerns for transportation industry executives, according to a recent survey.
But the survey from global advisory, brokering, and solutions company Willis Towers Watson also found little agreement from mode to mode or country to country with regard to the “most severe risk.” The disparity, WTW concluded, reflects the importance of local solutions despite the growing global interconnectivity of the transportation industry and the omnipresent threat of digital vulnerability.
The top overall risk, across all modes of transport and throughout all regions, was the increased security threat from cyber and data-privacy breaches, according to the white paper.
Moreover, five of the top 10 perceived risks reported by company executives were cyber-related, with the potential failure of critical IT systems and the vulnerability of the increasingly digitalized supply chain ranking second and fourth, respectively.
For those doing business on land and sea, cyber and data privacy breaches, such as those behind the IRISL and Antwerp incidents, were the no. 1 issue.
Air transportation providers, however, reported the failure of critical IT systems as their top concern.
The recent failure of Delta’s computer system, which stranded thousands of passengers, highlights that risk for airlines.
There is also some disparity among respondents from different corners of the world.
In Asia, Australia, Europe, Russia, Central Asia, and among the Commonwealth of Independent States, cyber security was still no. 1.
But, in North America, the top concern was an overdependence on national infrastructure.
In Latin America, third-party security vulnerability and digital supply chain resilience topped the list.
And, in the Middle East and Africa, the threat from new and emerging competitors beat out other concerns.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=09b037d0a7&e=20056c7556
Tripwire Study Examines Ransomware Recovery Perceptions Among Info Security Pros
A new report from Tripwire has revealed that many information security professionals are still apprehensive about ransomware recovery strategies in their organizations.
Thirty-four percent of the 220 information security professionals surveyed by Tripwire said they are “very confident” their companies could recover from a ransomware attack with no critical data loss, the security software developer said Thursday.
The company also surveyed IT security professionals who attended this year’s RSA Conference and Infosecurity Europe forum and found that 38 percent and 32 percent of respondents, respectively, believe their organizations could recover from ransomware infections.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=27126314d6&e=20056c7556
Feedback, questions? Our mailing address is: dailynews@paulgdavis.com (mailto:dailynews@paulgdavis.com)
If you know someone else who would be interested in this Newsalert, please forward this email.
If you want to be added to the distribution list, please click this: Subscribe to this list (http://paulgdavis.us3.list-manage1.com/subscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a)
Unsubscribe from this list (http://paulgdavis.us3.list-manage.com/unsubscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556&c=693fb7666f)
Update subscription preferences (http://paulgdavis.us3.list-manage.com/profile?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556)
============================================================