[From the desk of Paul G Davis – his opinion and no-one else’s, apart from those of the authors of the articles.]
And so, now the news
* Cyber crime ‘evolving’ ahead of Police Scotland
* Boards don’t understand maturity of cybercrime model, warns Trend Micro
* Going ‘disposable’ could save hacking, ID theft nightmares
* Why cyberpreparedness lags. 3 security experts weigh in
* More Businesses Fear Losing Data than Getting Hacked, Survey Shows
* Congressional Probe Says OPM Hackers Arrived in 2012 And We Will Never Know What They Took
* Ransomware prevalent in cloud-based malware
* The Shifting Mindset Of Financial Services CSOs
* FS-ISAC’s First Chief Info Risk Officer Describes New Role
* Google puts screws to HTTP with new warnings in Chrome
* FTC Highlights How Agency’s Approach to Data Security Aligns with NIST Cybersecurity Framework
* New SANS Institute Survey Shows Data Breach Prevention Practices Are Evolving
* Five IT Security Projects That Will Accelerate Your Career
* Private Cloud Security
* White House Announces the First Federal Chief Information Security Officer
* In Information Security, the Only Constant is Change
* The evolution of data breach prevention practices
* Berkeley Research Group Releases Cybersecurity Preparedness Benchmarking Study
Cyber crime ‘evolving’ ahead of Police Scotland
The Association of Scottish Police Superintendents said falling recorded crime figures belied the true picture of a service struggling to come to terms with online offending.
The national force must make savings totalling £1.1 billion by 2026 but is expected to face a budget shortfall of £21m for the current financial year.
While recorded crime is now at its lowest level since the mid-1970s, senior officers are worried about the level of crime taking place online, much of which goes unreported.
A Scottish Government spokeswoman said: “We fully recognise the danger that cyber-crime poses to individuals and businesses and are supporting Police Scotland to respond effectively to the changing nature of modern crime with more specialists, including experts in cyber-crime and counter-fraud.
Last year we launched a new strategy to help individuals and businesses increase their online resilience and enable Scotland to become a world leader in cyber-resilience.”
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=59b904eba3&e=20056c7556
Boards don’t understand maturity of cybercrime model, warns Trend Micro
That’s the view of Rik Ferguson, vice president, security research at Trend Micro, speaking at the recent Cloudsec 2016 event in London.
“Boards get it with cybersecurity,” said Ferguson. “But they don’t necessarily get how mature the business model is with online crime.
You shouldn’t underestimate your adversary.”
Darren Argyle, global CISO at financial services company Markit, explained that while boards now understand the importance of security, they want more detail from security and technology teams on the risks.
“Organisations like Barclays have now started hiring people like Troels, that didn’t happen three to four years ago.
He’s a walking demonstration that attitudes in the boardroom around recruiting C-level positions has changed,” argued Ferguson.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=11591cfa2f&e=20056c7556
Going ‘disposable’ could save hacking, ID theft nightmares
One starting point is adopting a ‘disposable’ identity for credit cards and email addresses.
EntroPay offers a prepaid virtual Visa card to make purchases online.
You can prepay with your credit or debit card, and your personal and financial details are not shared with merchants.
A big trend at the moment is “subscription models” for products ranging from the monthly delivery of nappies to subscribing to podcasts.
Then there are the hopeful deceivers that offer you “free trials” but only if credit card details are provided!
In such cases, disposable cards are your friend.
You can get a card with only $5 value so it will pass as a valid card (these services often conduct a test charge using small amounts like $0.01 to make sure it’s a real card with credit).
You can rest assured that unless you top up the card, they will not be able to charge you.
Disposable email addresses are one way to ensure that stolen private data can be ring-fenced.
Another benefit of using such email addresses is that you can easily set up a filter on that address to auto-delete unwanted messages from particular vendors or services.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=eb3c40484d&e=20056c7556
Why cyberpreparedness lags. 3 security experts weigh in
The barrage of recent headlines about cybersecurity breaches at prominent companies and government institutions should have at least one silver lining: It will prompt organizations to finally get their security act together.
Wikibon chief analyst David Vellante said overreliance on tools is a big part of the problem.
Implementing new technology “demonstrates to management that something is being done,” he said, “but it doesn’t get to the root of the problem which is that security should be both a shared responsibility across the enterprise and also an embedded part of risk management.” Organizational issues are tougher to solve than tech ones, and risk management requires time that many business leaders don’t believe they have in these chaotic times.
Stikeleather also suspects there is a bit of the “avoiding the doctor” syndrome at work.
It’s better not to know how unprepared you are for a breach than it is to do the work necessary to find out how ugly things really are.
Jon Oltsik stated his views succinctly. “Many organizations are simply overwhelmed by the cybersecurity workload,” said Oltsik, a senior principal analyst at Enterprise Strategy Group. “They are reacting in fire-drill fashion and not spending enough time on assessment, training, planning and strategy.” Putting out fires without priority levels or rehearsed responses “can lead to devastating results.”
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=b708b6b7a1&e=20056c7556
More Businesses Fear Losing Data than Getting Hacked, Survey Shows
A survey released today by San Francisco, Calif.-based Wells Fargo Insurance shows 47 percent of mid-sized companies were concerned with losing private data compared with 26 percent worrying about hackers disrupting their systems.
The survey highlights the top network security and data privacy concerns among companies with $100 million or more in annual revenue.
It was constructed by talking to 100 decision makers empowered to make insurance purchases about network security and data privacy issues.
While losing data topped the list, followed by concerns over hacking, it appears few companies are worried about their employees misusing technology.
Seven percent of those polled cited that as a concern.
Following are the top eight network security and data privacy concerns, with last year’s ranking in parentheses:
– Loss of data – 47 percent (45 percent)
– Hackers – 26 percent (25 percent)
– Security breaches – 26 percent (20 percent)
– Maintaining reputation – 9 percent (4 percent)
– Viruses – 7 percent (10 percent)
– Software vulnerabilities – 7 percent (7 percent)
– Employee misuse of technology – 7 percent (0 percent)
– Other – 7 percent (13 percent)
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=aa8de190a1&e=20056c7556
Congressional Probe Says OPM Hackers Arrived in 2012 And We Will Never Know What They Took
A new congressional probe into a massive Office of Personnel Management hack reveals the first traces of adversary activity on OPM’s network date back to 2012, too far back in time to know what else beyond 21.5 million background check records might have been compromised.
The congressional investigation links the breaches to the hacker groups Axiom and Deep Panda, whom security consultants like Novetta and CrowdStrike have tied to the Chinese.
Speaking at the American Enterprise Institute this morning, committee chairman Jason Chaffetz didn’t connect the hackers to a specific nation but said the adversaries were outside of the U.S.
The report also colors in the chronology of four separate heists believed to be part of the cyberspy operation: Following the hack of manuals and potentially other unknown data, attackers next copied the background check records in July and August of 2014.
Third, in December 2014, hackers scurried into a connected Interior Department data center holding OPM repositories and retrieved 4.2 million federal personnel records.
Finally, less than a month before OPM caught on to the game plan, adversaries sucked out 5.6 million employee fingerprints on March 26, 2015.
At the top of the committee’s 13 recommendations for avoiding another federal mega breach is advice that agencies ensure chief information officers are empowered, accountable and competent.
At the AEI event, Chaffetz highlighted how a “zero trust” policy could also prevent future breaches from occurring.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=7347c3024c&e=20056c7556
Ransomware prevalent in cloud-based malware
Cloud-based filesharing, collaboration and social networking applications are ransomware delivery vehicles, according to a report released today.
JavaScript exploits and droppers, Microsoft Office macros, and PDF exploits make up 43.7 percent of the total detected cloud malware, said Jamie Barnett, CMO at Netskope, the company that released the report.
Slack made Netskope’s top 20 enterprise cloud apps list for the first time since the company began gathering this data in 2014, but it is too early to tell how much malware is coming through this platform.
The average enterprise now has a total of 977 cloud apps, up from 935 last quarter, and 95 percent of them are not enterprise ready.
The worst category was cloud-based marketing applications, where 97 percent of the cloud apps used were not appropriate for the enterprise.
The most secure category was cloud storage, where only 77 percent of cloud apps were not enterprise ready.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=7a6a32fd73&e=20056c7556
The Shifting Mindset Of Financial Services CSOs
Security professionals in the financial services industry are no longer overconfident that their organizations have the skills and expertise to defend against threats.
They’ve taken a more realistic approach: CSOs now understand that they can’t rely solely on internal expertise or tools to defend their companies against devastating cyber attacks.
Rather, they’re developing specific strategies to help them close gaps so they can protect their firms.
Security professionals in the financial services industry can learn a lot from the steps that we have seen these proactive CSOs taking, which include:
-Turning to outside help
-Training employees to be the first line of defense
-Viewing security as a company-wide issue
Overall, this mindset shift is a positive development.
CSOs at financial services organizations are being realistic about their firms’ strengths and weaknesses.
They’ve realized that relying solely on technology to prevent attacks isn’t an effective approach; security requires everyone at an organization to do their part.
Moreover, by bringing in outside security experts and technology, they’ve demonstrated their willingness to tackle security challenges head on in an effective manner.
Although new security challenges will arise, many of today’s financial services CSOs believe they’re ready to meet them.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=528fe8d5d9&e=20056c7556
FS-ISAC’s First Chief Info Risk Officer Describes New Role
Greg Temm, the first chief information risk officer at the Financial Services Information Sharing and Analysis Center, says he’ll focus on helping members analyze cyberthreats and expand global threat intelligence sharing.
In an interview with Information Security Media Group, Temm says his position was created to help ensure that the FS-ISAC continues to help its 7,000 member firms support the resilience and continuity of the global financial-services infrastructure.
Temm will serve as an adviser to FS-ISAC members, leading the organization’s global intelligence and risk management programs.
He says he’ll work to analyze “cyber threat information that we have at our disposal and glean insight from it to inform our stakeholders about what it might mean to them.
They can then use that intelligence to feed into their own risk management practices to help them further mitigate risk.”
The new FS-ISAC chief information risk officer says his experience at MasterCard, where he led various components of the card association’s security program, helped prepare him to take on the role of disseminating meaningful threat information to FS-ISAC members.
In the interview, Temm also discusses:
– Why ransomware attacks are a growing concern for the global financial community;
– How the merging of physical threats and cyber threats is changing how organizations fight cybercrime; and
– Steps the FS-ISAC is taking to expand global intelligence sharing.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=aeb2828e87&e=20056c7556
Google puts screws to HTTP with new warnings in Chrome
Google today continued its campaign to tighten the screws on unencrypted web traffic as it outlined the next steps it will take with Chrome to warn users of insecure connections.
Starting with Chrome 56, which is currently scheduled to ship in stable format on Jan. 31, 2017, the browser will mark sites that transmit either passwords or credit card information over HTTP connections as “non-secure.”
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=d2fd36c57e&e=20056c7556
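The Chrome 56 rule described above keys on the page’s own scheme: an HTTP page carrying a password or credit-card field is marked regardless of where its form posts, because the page itself can be altered in transit before anything is submitted. The audit script below is an added example for this newsletter item, not Chrome’s own detection code; it assumes a simplified credit-card heuristic (autocomplete cc-* tokens, or a field name/id that looks like a card-number field) and uses constructed sample HTML and example.test hostnames.

```python
"""Audit an HTML page for the condition Chrome 56 marks as "Not secure":
a page served over plain HTTP that contains password or credit-card
input fields.  Added example for this newsletter item; it is not
Chrome's own detection code, and the credit-card heuristic below is an
assumed simplification of what the browser does.  The sample HTML is
constructed for the demonstration."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed heuristic: HTML autocomplete tokens that denote card data, plus
# a name/id pattern for card-number fields that lack an autocomplete hint.
CC_TOKENS = {"cc-name", "cc-number", "cc-exp", "cc-exp-month", "cc-exp-year", "cc-csc"}
CC_NAME_RE = re.compile(r"(card|cc)[_\-]?(num|number)\b")


class SensitiveInputFinder(HTMLParser):
    """Collects password and credit-card <input> elements, noting the
    enclosing form's action so the report can show where data would go."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._form_action = ""

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}  # boolean attrs have value None
        if tag == "form":
            self._form_action = a.get("action", "")
        elif tag == "input":
            kind = self._classify(a)
            if kind:
                self.findings.append({
                    "kind": kind,
                    "field": a.get("name") or a.get("id") or "(unnamed)",
                    "form_action": self._form_action,
                })

    def handle_endtag(self, tag):
        if tag == "form":
            self._form_action = ""

    @staticmethod
    def _classify(a):
        if a.get("type", "text").lower() == "password":
            return "password"
        if set(a.get("autocomplete", "").lower().split()) & CC_TOKENS:
            return "credit-card"
        ident = f"{a.get('name', '')} {a.get('id', '')}".lower()
        if CC_NAME_RE.search(ident):
            return "credit-card"
        return None


def audit_page(page_url, html):
    """Return the sensitive input fields found in `html`, each tagged with
    whether Chrome 56 would mark the page.  The rule uses the page's scheme,
    not the form's action: an HTTP page can be modified in transit before
    the form is ever submitted, so an HTTPS action does not rescue it."""
    insecure = urlsplit(page_url).scheme.lower() == "http"
    finder = SensitiveInputFinder()
    finder.feed(html)
    for f in finder.findings:
        f["marked_not_secure"] = insecure
    return finder.findings


def page_is_marked_not_secure(page_url, html):
    """True when the page would carry the Chrome 56 'Not secure' label."""
    return any(f["marked_not_secure"] for f in audit_page(page_url, html))


# Constructed sample pages (not real sites).
SAMPLE_LOGIN = """<html><body><form action="/login" method="post">
  <input type="text" name="user"><input type="password" name="pass">
</form></body></html>"""

SAMPLE_CHECKOUT = """<form action="https://pay.example.test/charge">
  <input name="cardholder" autocomplete="cc-name">
  <input name="card_number">
  <input name="cvc" autocomplete="cc-csc">
</form>"""

SAMPLE_PLAIN = """<form action="/search"><input type="text" name="q"></form>"""

if __name__ == "__main__":
    for url, html in [("http://shop.example.test/login", SAMPLE_LOGIN),
                      ("https://shop.example.test/login", SAMPLE_LOGIN),
                      ("http://shop.example.test/checkout", SAMPLE_CHECKOUT),
                      ("http://shop.example.test/", SAMPLE_PLAIN)]:
        label = "NOT SECURE" if page_is_marked_not_secure(url, html) else "ok"
        print(f"{label:11} {url}")
        for f in audit_page(url, html):
            print(f"    {f['kind']:11} field={f['field']} posts_to={f['form_action'] or '(self)'}")
```

Run the file directly to see the report for the four constructed pages; in practice you would feed it the URL and fetched body of each page in an inventory and treat any `NOT SECURE` line as a migration item. The checkout sample posting to an HTTPS endpoint is still flagged, which mirrors the browser’s behaviour and is the point most often misunderstood when teams argue that “the form is encrypted”.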
FTC Highlights How Agency’s Approach to Data Security Aligns with NIST Cybersecurity Framework
The Federal Trade Commission (FTC) recently presented an analysis of how its approach to data security over the past two decades compares with the Framework for Improving Critical Infrastructure Cybersecurity (NIST Framework) issued in 2014 by the National Institute of Standards and Technology (NIST) and strongly endorsed by the White House.
The FTC’s recent blog post on “The NIST Cybersecurity Framework and the FTC” frames its discussion around the frequently asked question, “If I comply with the NIST Cybersecurity Framework, am I complying with what the FTC requires?”
The FTC first explains how this question has a faulty premise, as the Framework is not designed to be a compliance checklist.
Instead, in this new blog post, the FTC outlines how the FTC’s enforcement actions comport with the Framework’s five Core functions—Identify, Protect, Detect, Respond, and Recover—and emphasizes how both the Framework and the FTC’s approach highlight risk assessment and management, along with implementation of reasonable security measures, as the touchstones of any data security compliance program.
The blog post provides background on the NIST Framework and the FTC’s approach under Section 5, then summarizes FTC enforcement actions against companies for practices that allegedly did not comply with the Framework’s Core functions.
The blog post lists a total of thirty-eight data security practices identified in FTC enforcement actions that align with Framework action steps.
– Identify
– Protect
– Detect
– Respond
– Recover
The FTC concludes that use of the Framework can help companies better protect personal information.
As the FTC notes, the Framework “can serve as a model for companies of all sizes to conduct risk assessments and mitigation, and can be used by companies to: (1) establish or improve a data security program; (2) review current data security practices; or (3) communicate data security requirements with stakeholders.” The FTC recommends companies consult the Start with Security guidance alongside the Framework to enhance their data security posture and reduce cybersecurity risks.
Julie Brill, Harriet Pearson and Paul Ott
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=1a60969339&e=20056c7556
New SANS Institute Survey Shows Data Breach Prevention Practices Are Evolving
The survey, “Breach Detected. Could It Have Been Prevented?”, looked at how practitioners might overcome barriers to implementing effective prevention, including developing clear requirements and defining specific preventive measures, such as the role of automation, threat intelligence and others.
The survey also illustrates an apparent disconnect between what is considered preventive by the majority of respondents and the measures that have been implemented for prevention:
– 85 percent of respondents consider blocking known malware a preventive measure, yet less than half (40 percent) have implemented these methods;
– 63 percent consider robust testing preventive, while only 39 percent have implemented robust testing;
– Nearly 60 percent consider metrics-based evaluation and reporting preventive, but only 40 percent are using evaluation and reporting.
Respondents indicated that lack of enough staffing, inadequate budgets and a deficit of skills are barriers to preventing breaches.
Limitations in legacy infrastructure also emerged as a factor preventing organizations from being more proactive in protecting critical data.
Full results will be shared during a free webcast Tuesday, Sept. 13, 1:00 p.m. Eastern Standard Time, sponsored by Palo Alto Networks.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=677a14edd8&e=20056c7556
Five IT Security Projects That Will Accelerate Your Career
The skills required to be successful in IT security are changing.
In a recent survey (download a free copy here), 30.7% of IT leaders reported that a lack of skilled IT professionals is the greatest barrier to preventing data loss.
Respondents also listed incident response management, expertise analyzing large datasets, communication with non-IT executives and departments, and security certifications as skills they expect to be more important in the next five years.
But it’s not enough to invest in your skills; you also need visible projects to demonstrate your value within the organization.
This article covers five such projects.
1) Use Real-Time Coaching to Improve Security Awareness
2) Proactively Enable (Not Block) Cloud Usage
3) Complete Your Incident Response Plan
4) Create a Cross-Functional Governance Committee
5) Drive a Data-Centric Security Initiative
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=76654e1fc2&e=20056c7556
Private Cloud Security
Along with the benefits, private clouds do bring some new risks.
For example, there tends to be a big increase in traffic between virtual services, which is not inspected or secured by traditional security systems.
To increase the confidence of CISOs and business leaders, your cloud data center needs a security strategy and architecture that are designed in and built in, not bolted on.
Visibility and protection need to extend wherever the processes and data are.
This should include heterogeneous cloud environments, both private and hybrid, to support future needs.
Integrated security solutions are essential to securing this new cloud architecture in order to effectively and efficiently support security operations.
Intrusion-prevention and anti-malware systems, optimized for virtual environments, need to share threat intelligence to combat emerging threats.
Policies need to be applied to applications and servers as soon as they are provisioned.
The best match for an SDDC is software-defined security, matching the agility of server, storage, and network virtualization with dynamic security provisioning and policy management.
Using security controllers that are designed for virtual environments, you get the same cost efficiencies and flexibility for security operations.
Policies and protections are tied to each virtual machine (VM), and will remain with that VM throughout its life, regardless of where it moves.
Security processes can scale up and down as needed, matching demand.
Automation is a fundamental component of software-defined security, keeping up with the rapid moves and changes of virtual processes and reducing the risk inherent in manual processes.
Private clouds are a critical turning point as IT transitions to a services model, and attackers are responding to this shift.
Legacy security technologies do not afford sufficient or appropriate protection, leaving too many gaps for attackers to exploit.
With the best private cloud security, designed for your architecture, attackers may run, but they cannot hide.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=bf0365d826&e=20056c7556
White House Announces the First Federal Chief Information Security Officer
An ongoing effort from the Obama administration to shore up the nation’s digital defenses was punctuated Sept. 8 by the creation of the first federal Chief Information Security Officer (CISO).
The first to fill the role will be Gregory Touhill, a retired brigadier general and deputy assistant secretary of cybersecurity and communications for the U.S. Department of Homeland Security.
As is typical for a CISO, Touhill will lead cybersecurity policy, planning and implementation across the organization, which in this case includes the federated offices of the U.S. government.
This new office, which was created by the Cybersecurity National Action Plan (CNAP) announced by President Obama in February, will follow in the spirit of the White House’s vision for short- and long-term cybersecurity planning, according to an official release.
Grant Schneider, director for cybersecurity policy on the National Security Council staff at the White House, will fill the acting deputy CISO role.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=4c8bb3787d&e=20056c7556
In Information Security, the Only Constant is Change
As the Greek philosopher Heraclitus famously noted, “the only constant is change”.
This statement was as accurate 2,500 years ago as it is now.
The world around us changes constantly, often at a somewhat frenetic pace.
The field of information security is no different.
Both the organizations we support and the threat landscape we face are changing and evolving constantly.
While this is certainly not an exhaustive list, here are my top five ways that organizations can stay grounded and focused amidst a sea of distractions:
1. Stick to the plan: As I and many others have previously noted, if you don’t already have an incident response plan, you should.
If you do already have a plan, then you are already one step ahead of the game.
2. Focus on risk: The best security organizations use a variety of techniques to understand the unique threat landscape they face.
Those same organizations use this knowledge to help them prioritize the risks and threats that they wish to mitigate.
3. Prioritize holes to plug:
But if today’s distraction poses a minor risk to our organization, does it make sense to divert resources from mitigating risks or plugging holes that we know pose serious risk to the organization?
Not particularly, although without a quantitative handle on risk that includes a robust risk register, it can be hard to justify that stance in the heat of the moment.
4. Go beyond the buzz:
Having insight beyond the buzz allows an organization to more efficiently and effectively apply people, process, and technology to solve real world problems and challenges.
Otherwise, solutions that are purchased and implemented wind up looking for a problem to solve.
Not a great place to be, particularly when looking to justify expenditures and show return on investment.
5. Measure what matters:
Measuring what matters allows an organization to produce metrics that actually help it assess its progress against its strategic objectives.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=f7532ffb45&e=20056c7556
The evolution of data breach prevention practices
A new SANS Institute survey looks at the preventive aspect of breaches – and what security and IT practitioners actually are, or are not, implementing for prevention.
The findings illustrate an apparent disconnect between what is considered preventive by the majority of respondents and the measures that have been implemented for prevention:
– 85 percent of respondents consider blocking known malware a preventive measure, yet less than half (40 percent) have implemented these methods
– 63 percent consider robust testing preventive, while only 39 percent have implemented robust testing
– Nearly 60 percent consider metrics-based evaluation and reporting preventive, but only 40 percent are using evaluation and reporting.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=1efc416d2d&e=20056c7556
Berkeley Research Group Releases Cybersecurity Preparedness Benchmarking Study
EMERYVILLE, CA–(Marketwired – September 08, 2016) – Berkeley Research Group released today its Cybersecurity Preparedness Benchmarking Study, detailing findings about cybersecurity practices from a survey of leading global organizations.
The study focuses on six primary topics: Leadership, Information Governance, Risk Management, Essential Protection, Incident Response and Security Culture.
BRG teamed with the Institute of Operational Risk to conduct the survey in the first two quarters of 2016.
Key findings include:
– Despite a strong focus on cybersecurity culture, many organizations do not believe their cybersecurity programs are fully effective.
– Current employees are the likely cause behind most cybersecurity breaches.
– Viruses and malicious software are the most common breaches.
– Organizations mainly rely on cybersecurity assurances from external service providers and vendors.
– Most organizations do not have strategies for the emerging fields of the “Internet of Things” or “Big Data.”
– Organizations lack confidence in their cybersecurity incident response capability.
– Organizations anticipate an increase in information security budgets.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=dc7edab969&e=20056c7556
Feedback, questions? Our mailing address is: dailynews@paulgdavis.com (mailto:dailynews@paulgdavis.com)
If you know someone else who would be interested in this Newsalert, please forward this email.