Wake up! What are you doing to battle breach fatigue?
On the surface, there is a silver lining to the fatigue phenomenon: Since the public has been hammered with nonstop news about breaches, it isn’t necessarily perceived to be as severe. This can translate to a quicker recovery for a business whose reputation takes a breach-related hit.
Ultimately, however, this silver lining acts as a false sense of security. A cyber threat that isn’t considered severe is unlikely to be treated as a priority issue.
Apply the three Es:
• Enforce
• Educate
• Evaluate
Link: http://www.scmagazine.com/wake-up-what-are-you-doing-to-battle-breach-fatigue/article/404946/
Admin rights to blame for 97 percent of critical Microsoft flaws – Report
The figures are from the 2014 Microsoft Vulnerabilities Report by UK-based security firm Avecto, in which the company pulled data from every patch issued by Microsoft in 2014 — 240 in total.
In 2013, the same report found that 92 percent of 147 total vulnerabilities with a critical rating could have been prevented via the same admin rights removal — indicating a 63 percent year-over-year increase in the total number of critical vulnerabilities.
Link: http://www.zdnet.com/article/admin-rights-to-blame-for-97-percent-of-critical-microsoft-flaws-report/?utm_source=Threat+Brief&utm_campaign=5a80b96ab6-Threat_Brief4_1_2015&utm_medium=email&utm_term=0_79bf093b3a-5a80b96ab6-388769721
Orgs need to share info, crave more board oversight, study says
The “Third Annual Information Security Survey,” conducted by Blue Lava Consulting and sponsored by vArmour, found that while 36 percent of respondents share information with industry groups, 50 percent of respondents don’t share any information.
The study also found that legacy security systems that guard the perimeter have lost their luster with the majority (75 percent) of information security professionals surveyed who are stepping away from traditional security approaches, and now will likely allocate their budget dollars on new vendors for “agile security solutions” to protect their data centers.
Link: http://www.scmagazine.com/survey-finds-that-11-of-security-pros-report-to-board-of-directors/article/406878/?utm_source=Threat+Brief&utm_campaign=5a80b96ab6-Threat_Brief4_1_2015&utm_medium=email&utm_term=0_79bf093b3a-5a80b96ab6-388769721
Meet the Top 50 Most Popular Voices in U.S. Hospital Security
SCOTTSDALE, AZ–(Marketwired – Apr 1, 2015) – Guardian 8 Corporation, a wholly-owned subsidiary of Guardian 8 Holdings (OTCQB: GRDH) and the developer and manufacturer of an enhanced non-lethal device called the Pro V2, today announced the results of a research project identifying the 50 most popular voices in U.S. hospital security. The voices belong to a broad range of security pros — from board certified protection professionals and security directors to security consultants, online community leaders, and officers past and present. Collectively, they drive, join or facilitate discussions about how to mitigate risk and de-escalate violence in hospitals.
Link: http://www.reuters.com/article/2015/04/01/idUSnMKWlmflxa+1c0+MKW20150401
Application of Threat Indicators: A Temporal View
To put some definitions in place, I refer to the application of indicators (IP addresses, URLs, domains, MD5 hashes) to future activity as the prospective application of threat indicators. Correspondingly, the application of indicators to historical data such as log management and SIEMs is known as the retrospective application of threat indicators. Both of these techniques have value but occasionally in strikingly different ways, and this distinction is worthy of examination.
As you venture into the world of threat intelligence and indicator sharing, you’ll want to consider optimizations. This is true across the spectrum, whether you happen to be a producer, distributor, or consumer of threat intelligence, or even the provider of the technology that enables the operationalization of data. Enterprises should be evaluating their providers with these objectives in mind — for example, demanding the ability to apply rich indicators to historical events.
Link: http://www.darkreading.com/partner-perspectives/general-dynamics-fidelis/application-of-threat-indicators-a-temporal-view/a/d-id/1319724
CIO – Why you should be spending more on security
Many CIOs endanger their companies simply by not spending enough on security.
That may seem odd to posit, given that a recent Pricewaterhouse Coopers survey found that businesses now spend a higher percentage of their IT budgets on security than ever before. According to the survey, large organizations spend an average of 11 percent of their IT budgets on security while small businesses spend nearly 15 percent.
The good news is that there is new security technology on the horizon, and some of it looks like it will be a worthwhile investment. “Cutting-edge technologies show genuine promise and are already being used by enlightened companies,” Chuvakin says. “Analytics may give a huge boost to defenders, as well as machine learning and threat intelligence. It’s too early to say ‘buy this and you’ll win,’ but there is definitely light at the end of the tunnel.”
Link: http://www.cio.com/article/2904364/security0/why-you-should-be-spending-more-on-security.html
Three ways a CSO can stop being the bad guy
Are you the Dr. No of your company, always with security-related reasons for stopping or slowing down projects?
But some security executives are redefining their roles to become people who say “yes,” and restructuring their departments around becoming enablers of business.
Meyer urged every CSO and CISO to begin building working relationships with other business leaders in their company, and to stay positive.
Link: http://www.csoonline.com/article/2904027/security-leadership/three-ways-a-cso-can-stop-being-the-bad-guy.html?phint=newt%3Dcso_update&phint=idg_eid%3D3ed717ef9867f793024f9cb8f4bb3860#tk.CSONLE_nlt_update_2015-04-02&siteid=&phint=tpcs%3D&phint=idg_eid%3D3ed717ef9867f793024f9cb8f4bb3860
Do Threat Exchanges Work?
The big question is, do these threat exchanges work? Sharing information about threats is one thing, but does this sharing result in reducing your security risk by preventing your organization falling victim to viruses and other malware infections or more concerted attacks by hackers?
Question of Trust
Does Size Matter?
It’s impossible to know in advance which exchange offers the right combination of these traits to be helpful for your organization. All that can be said is that you’ll recognize it if and when the threat information you receive starts to help you ward off viruses, malware and hacker attacks.
Link: http://www.esecurityplanet.com/network-security/do-threat-exchanges-work.html
Reduce Breach Liability [Infographic]
Customer identity data is a highly valuable asset not only to you as a business, but also to criminals intent on exploiting the data for personal gain. Thieves can make an estimated $50 million from just one data breach, and brands have lost as much as $125 million in breach associated costs*.
While most of us are aware of the dangers, it can be difficult to know what to do to prevent a data breach. However, there are questions that you can ask to understand your areas of vulnerability and ward off an insider security breach later.
Link: http://www.business2community.com/infographics/infographic-reduce-breach-liability-01195068
Google bans Chinese websites, cites security breach
BEIJING, April 2 (UPI) — Google’s tense relationship with Chinese authorities took another turn when the search engine announced its web browser and other applications will not recognize security certificates from the China Internet Network Information Center, or CNNIC.
Google announced the move in a blog post on March 23, saying the CNNIC had farmed out its certification authority to Egypt-based MCS Holdings, an organization Google described as “not fit to hold (authority).”
Link: http://www.upi.com/Top_News/World-News/2015/04/02/Google-bans-Chinese-websites-cites-security-breach/6011427986032/
Google’s Android security scans over 200 million devices a day
Google’s data suggests that the percentage of Android phones that didn’t have any PHAs stood at around 99.5 percent at its lowest in October 2014, although this figure excludes anyone that rooted the phone and, er, freed up the security system built into the mobile OS. Notably, this figure is from before both Android 4.4 and its successor. The company counts that it’s got one billion devices protected by its Android security services: its Verify Apps service now scans over 200 million devices a day in the background, aimed at improving device security. Google is quick to add that none of your pics, location data or personal information is accessed. Phew.
Link: http://www.engadget.com/2015/04/02/google-security-android-2014/
iOS Security Reports Say No iPhone Is Safe
According to the GFI report, Apple took the top vulnerability spots, with its Mac OSX at No. 1 with 147 vulnerabilities, followed by Apple iOS with 127 vulnerabilities. The Linux kernel was a close third, followed very distantly by Ubuntu and Windows. Android, meanwhile, had only six reported vulnerabilities for 2014 (although GFI took care to note that this number did not include certain Linux vulnerabilities that also apply to Android).
Link: http://www.informationweek.com/ios-security-reports-say-no-iphone-is-safe/a/d-id/1319750