[From the desk of Paul Davis – his opinions and no-one else’s]
Apart from the reporter’s opinions 😉
So onto the news:
Enterprises Need Advanced Incident Prevention
In my humble opinion, incident prevention is more important now than ever, and enterprise organizations still need to dedicate ample resources to this effort. Rather than “peanut butter” security controls across the network however, CISOs need to adopt processes and controls for advanced prevention.
What is advanced prevention? Think of more granular security controls based upon things like users, roles, connections, and changes in IT risk. So rather than static rules, configurations and controls, advanced prevention is dynamic as it changes based upon new threats, vulnerabilities, use cases, and business process requirements.
Now, I’m not suggesting for a minute that any of these advanced prevention methods are perfect – the bad guys will still find their way through the door. But if we make it difficult for them to get in, we can also limit “dwell time,” make it easier us to detect and respond when they do get in, and minimize damages. Besides, if we downgraded our focus on prevention, we’d be dealing with a lot more noise from DDoS, pedestrian malware, and script kiddies.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=5865593410&e=20056c7556
IETF Officially Deprecates SSLv3
Task Force (IETF) officially declared SSLV3 dead and buried.
An Internet Standards Track document, RFC7568, published this month declares SSLV3 “not sufficiently secure,” and prohibits fallback to SSLv3 in new applications.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=5b31413d08&e=20056c7556
Apple : Cybersecurity experts try to predict hackers’ next moves
Cybersecurity experts are trying to predict where hackers might move next. One best guess: a move to application fraud using false credentials to apply for cards in victims’ names, Conroy said. Retailers might see an increase in online and by-phone purchases using stolen cards that are harder to block when the chip-and-PIN protection goes into place.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=925a33d6ab&e=20056c7556
Top 4 cyber risks financial organisations must be ready for
BAE Systems have identified four key risks financial institutions may be vulnerable to in the coming months and years:
1. Lack of integrated approach
2. Criminals diversifying their activities
3. Permeable boundaries
4. Mobile customer base
“New entrants, such as telcos, who are becoming financial services providers in some cases, may have to play catch up on the types of systems they need to put in place to protect them and their customers.”
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=7d826a261a&e=20056c7556
Facial recognition tech will exist on 123M devices by end of 2024, report says
Researchers say that facial recognition can be far more accurate than other biometric methods of recognizing and authenticating users.
According to a new report from Tractica, annual facial recognition devices and licenses will increase from 28.5 million in 2015 to more than 122.8 million worldwide by 2024.
Tractica says the technology will be widespread in devices used by consumers, enterprises, and governments.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=4a666ed864&e=20056c7556
What Verizon Missed in the Latest Threat Reports
Out of all attacks that happened when the user was connected to cellular networks, Verizon and AT&T accounted for 31.98%. Out of all communications providers in US, Verizon and AT&T account for 25.92% of all attacks. On average, 6.4% of all users from all networks were involved in some kind of attacks, including attack types that are not mentioned in the report at all.
Our data shows that out of these 6.4%, only 37.32% were under a host attack that would partially fit in the Verizon’s report as malicious Apps. The 37.32% are not completely covered in Verizon’s report due to incomplete detection of other host attacks like Malicious Chargers and other attacks that are described above. 62.68% of the users were under network attacks. Out of the 63% that are not included in the report at all: 9.15% are critical attacks that could lead to complete compromise of the device.
In conclusion, we think Verizon’s reporting on mobile attacks leaves much to be desired. A wide variety of attacks are happening. However, detecting them requires a variety of approaches. Even using next generation methodologies, some attacks are still very difficult or impossible to detect. If you are interested, we are happy to speak with you and quickly show a few examples of attacks that can not be detected due to smartphone architecture and permission model. You might want to take us up on that offer before someone else, with malicious intent, does.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=f01f7092e7&e=20056c7556
Magento e-commerce platform targeted with sneaky code
Attackers are using a sneaky method to steal payment card data from websites using Magento, eBay’s widely used e-commerce platform.
Researchers from Sucuri, a company that specializes in securing websites, said the attackers can collect any data submitted by a user to Magento but carefully filters out anything that doesn’t look like credit card data.
The attackers are injecting their malicious code into Magento, but it’s still unclear how that process happens, wrote Peter Gramantik, a senior malware researcher with Sucuri.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=afe614f596&e=20056c7556
Navigating a Sea of Threat Intelligence Specifications
Several publications have already nominated 2015 as “The Year of Threat Intelligence Sharing,” and threat intelligence sharing has certainly been in the news. Though the first half of the year has seen little in the way of new specifications, entire ecosystems of standards that few people previously knew have finally gained some recognition due to their use in threat intelligence sharing efforts.
Much current attention goes to what I will call the DHS specifications. The U.S. Department of Homeland Security (DHS) leads these community-driven efforts, and the MITRE Corporation provides them with an electronic home. These specifications include the well-known Common Vulnerabilities and Exposures (CVE) and Common Vulnerability Scoring System (CVSS) efforts, among a wealth of others. CybOX, STIX and TAXII, specifically, have drawn recent attention.
Neither the concept nor the practice of threat intelligence sharing is revolutionary. Renewed interest can be laid at the door of the successes that attackers have enjoyed over the last few years. The news has been full of the publicly disclosed incidents, and you can bet that quite a few undisclosed ones occurred, as well. The combination of widespread interest and need drive the current activity. Attackers have been painfully successful lately, and we defenders must up our game. Threat intelligence sharing can help us do that. With the need so obvious, activity swirls around threat intelligence sharing at the moment and is unlikely to wane until the situation improves. Luckily, the history of these efforts provides us with experienced practitioners, and the standards and specifications appear to be driving to a convergence. Until that moment arrives, the tools will have to support competing standards in at least some cases. But current work appears to be driving toward a
(mostly) converged environment with a variety of products and projects integrating the standards and capabilities to acquire, package, exchange and consume standards-based threat intelligence data.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=de394231cf&e=20056c7556
Incident response – how late is too late?
Why is it that many victims fail to successfully protect their assets despite a huge host of preventative measures? The answer is that, quite literally, time is of the essence. The following examines why time is critical for successfully fending off an attack, the reality most organisations face and most importantly, what tools and strategies are available to help.
Delayed response time is due to the many steps required to move from detection to containment and resolution. Legacy incident response involves manual effort, manual data entry or transfer, and even variable human analysis that often requires double-checking for accuracy.
For global organisations this legacy incident response process can vary depending on time differences across geographically separated locations as well as the availability of staff across different departments, such as infrastructure, messaging, firewall, etc.
Organisations need threat response technology that takes data from all threat detection tools and narrows down the alerts with enhanced, automated threat intelligence and context. Once threats are prioritised, this same system then confirms infections and helps IT teams focus resources on protecting the organisation against threats.
The bottom line is that intelligent threat response technology, which combines timely detection, verification and protection, is a necessary security layer for any organisation trying to keep up with today’s malicious threats.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=b12173a6c7&e=20056c7556
CIOs seek cybersecurity solutions, bigger voice in C-suite
With no cameras rolling, those officials offered a frank assessment of the challenges stemming from the mounting cyberthreats, which Sander places in two broad categories: those from hackers motivated by a political cause and those seeking financial gain.
Part of the challenge is organizational, Sander argues. He believes that a firm’s top security official needs a broader reach than is typically afforded within the tech division. Better than reporting directly to the CIO, he says, the CISO would be accountable to the internal audit unit or audit committee, or, potentially, even the CEO.
Many CIOs at the roundtable disagreed, arguing that the CISO should remain within IT, Sander admits. But while he doesn’t discount the nexus between security and tech, he contends that security must be an enterprise-wide priority.
But CIOs bear some blame on the security front when it comes to dealing with third-party vendors, Sander argues. If a chain is only as strong as its weakest link, enterprises need to give closer consideration to the firms they partner with and offer access to their systems. The high-profile Target breach, after all, came after hackers infiltrated an HVAC vendor that was contracted by the retail giant.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=f6813bb8fb&e=20056c7556
Xen project urges urgent hypervisor upgrade
The new release contains over 100 improvements, most bug fixes or improvements on version 4.5.
There is, however, one bigg-ish new flaw in the form of XSA-135, a guest-host escape mess that means “A guest which has access to an emulated PCNET network device (e.g. with “model=pcnet” in their VIF configuration) can exploit this vulnerability to take over the qemu process elevating its privilege to that of the qemu process.”
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=ce3d5e9f0e&e=20056c7556
Mobe encryption guru Charles Brookson picks up OBE from the Queen
Charles Brookson – the man behind the encryption algorithms in GSM mobile networks – has collected his OBE from the Queen.
Brookson led the team that produced the A5/1, A5/3 and A5/2 algorithms used by countless mobes worldwide to encrypt calls from eavesdroppers.
Brookson, a keen motor caravanner, has worked as head of corporate security at one2one (later T-Mobile, currently EE) and in BT Corporate Security. Brookson says that when A5/1 was conceived thirty years ago, it was expected to have a lifetime of 20 years. It took about 22 years for someone to crack the algorithm in a practical way, and despite the massive increases in computing power and the use of rainbow tables, it is still largely secure from all but the intelligence services. Most networks have now been upgraded to one of Charles’ later algorithms.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=fb94f3e692&e=20056c7556
============================================================
Feedback, questions? Our mailing address is: ** dailynews@paulgdavis.com (mailto:dailynews@paulgdavis.com)
If someone forwarded this email to you and you want to be added in,
please click this: ** Subscribe to this list (http://paulgdavis.us3.list-manage.com/subscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a)
** Unsubscribe from this list (http://paulgdavis.us3.list-manage.com/unsubscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556&c=b7a02b5ea4)
** Update subscription preferences (http://paulgdavis.us3.list-manage.com/profile?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556)