[From the desk of Paul Davis – his opinions and no-one else’s]
Apart from the reporter’s opinions
So onto the news:
PCI Encryption Standard Updated
The PCI Security Standards Council has released version 2 of its PCI Point-to-Point Encryption Solution Requirements and Testing Procedures.
The standard is designed to help merchants and technology providers determine how encryption can complement compliance with the PCI Data Security Standard, and ultimately improve card security.
Unlike the PCI-DSS, compliance with the PCI encryption standard is not mandatory for merchants or vendors, says Jeremy King, international director of the PCI Security Standards Council, in an interview with Information Security Media Group. The encryption standard is a complementary standard, he explains.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=223092b5f8&e=20056c7556
Burying your head in the sand: a good security strategy for ostriches, not organisations
[A] new Quocirca report shows that the more visibility businesses have into these new security threats, the more concerned about them they become. “Master of Machines II: Conquering complexity with operational intelligence” asked European organisations about their top technology concerns, and their ability to capture machine data.
Some of the top concerns, such as downtime and managing data chaos, were reduced with greater operational intelligence. The odd one out is security. Companies with higher levels of operational intelligence (the ability to draw intelligence from machine data) are actually more concerned about security threats.
Those with the maximum level of operational intelligence had an average concern rating of 3.88 for security. The average for the research was 2.58. Those with very low operational intelligence rated security 2.09, suggesting that perhaps they have their heads in the sand.
Organisations need to be taking an analytics-based approach if they are to establish what “normal” looks like and stand a chance at identifying the very faint fingerprints of an advanced threat.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=43262d9de8&e=20056c7556
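The item above says an analytics-based approach starts with establishing what “normal” looks like from machine data. The following is an added example, not code from the Quocirca report or from this newsletter: it builds a per-host baseline of hourly event counts from a constructed log and flags hours that deviate sharply from it. The log format, the hosts, the 3-sigma rule and the minimum-count floor are all assumptions made for the illustration.

```python
"""Baseline-and-deviation check over machine data (added example).

Builds a per-host baseline of hourly event counts from a constructed log and
flags hours that exceed mean + sigma * stdev. Log format, host names and
thresholds are assumptions, not anything from the report.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def build_sample_log():
    """Construct a small synthetic log: one line per failed login.

    Two hosts: web01 normally logs 4-6 failures per hour, db01 0-1.
    On the third day at 14:00, web01 logs 60 failures (constructed spike).
    Format per line: "<ISO timestamp> <host> <event>".
    """
    lines = []
    start = datetime(2015, 7, 1)
    for day in range(3):
        for hour in range(24):
            ts = start + timedelta(days=day, hours=hour)
            web_count = 4 + (hour % 3)  # 4, 5 or 6: ordinary variation
            db_count = hour % 2         # 0 or 1
            if day == 2 and hour == 14:
                web_count = 60          # constructed anomaly
            for i in range(web_count):
                lines.append(f"{(ts + timedelta(minutes=i)).isoformat()} web01 auth_failure")
            for i in range(db_count):
                lines.append(f"{(ts + timedelta(minutes=i)).isoformat()} db01 auth_failure")
    return lines


def hourly_counts(lines, event="auth_failure"):
    """Return {host: {hour_bucket: count}} for the given event type."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        ts_text, host, ev = line.split(" ", 2)
        if ev != event:
            continue
        bucket = datetime.fromisoformat(ts_text).replace(minute=0, second=0, microsecond=0)
        counts[host][bucket] += 1
    return counts


def build_baseline(counts, before):
    """Per-host (mean, population stdev) of hourly counts before a cutoff."""
    baseline = {}
    for host, buckets in counts.items():
        values = [c for b, c in buckets.items() if b < before]
        if len(values) >= 2:
            baseline[host] = (mean(values), pstdev(values))
    return baseline


def find_deviations(counts, baseline, since, sigma=3.0, min_count=10):
    """Flag hours on/after `since` whose count exceeds mean + sigma * stdev.

    `min_count` is a floor so a near-zero baseline does not fire on one event.
    Returns a list of (host, hour_iso, count) tuples.
    """
    hits = []
    for host, buckets in counts.items():
        if host not in baseline:
            continue  # no history for this host: nothing to compare against
        mu, sd = baseline[host]
        threshold = max(mu + sigma * sd, min_count)
        for bucket in sorted(buckets):
            if bucket >= since and buckets[bucket] > threshold:
                hits.append((host, bucket.isoformat(), buckets[bucket]))
    return hits


def run_demo():
    """Baseline on days 1-2, then score day 3 against that baseline."""
    lines = build_sample_log()
    counts = hourly_counts(lines)
    cutoff = datetime(2015, 7, 3)
    baseline = build_baseline(counts, cutoff)
    return find_deviations(counts, baseline, cutoff)


if __name__ == "__main__":
    for host, hour, n in run_demo():
        print(f"{host} {hour}: {n} failures, well above baseline")
```

The baseline window is chosen by the caller, and only data before the cutoff feeds the statistics, so the hours being scored never contaminate their own “normal”. In practice the event counts would come from a log pipeline rather than a constructed list, and the sigma multiplier and floor would be tuned per host class.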
Spiceworks Hit By Security Vulnerability
Austin-based IT management software developer Spiceworks said Wednesday that its users discovered a security vulnerability in its latest desktop software, which resulted in a feature being disabled and a security patch. According to Spiceworks, the vulnerability (in its Spiceworks 7.4 Desktop application) had the potential to put users at risk, but the security issue only hit sixty installations, none of which appear to have been exploited.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=08254883ba&e=20056c7556
Information Warfare: Duqu Lives
July 4, 2015: A respected Russian Internet security firm (Kaspersky) recently revealed that it had found new spyware software in three hotels used by delegates to negotiations with Iran over sanctions and the Iranian nuclear weapons program. The spyware was described as a much improved version of Duqu and that Israel was probably behind this. Israel denied any involvement but this is actually an old story. In 2012 Internet security researchers accused Israel of a similar stunt when new spyware was found throughout the Middle East. Similar to Stuxnet and Duqu (both created by a joint U.S.-Israeli effort for use against Iran), the new spyware was called Gauss, and it was used to monitor Hezbollah (an Iran backed Lebanese terrorist group) financial activity. Gauss was apparently unleashed in 2011, and had already done its job by the time it was discovered.
The 2015 version is called Duqu 2.0 and it is much improved over the 2011 original. Duqu 2.0 uses a new communications system making it very difficult (and often impossible) to determine where it is sending data and getting orders from. Duqu 2.0 also hides itself much more efficiently, making it more difficult to detect and remove. Duqu 2.0 uses more powerful encryption, making it more difficult to even examine portions of it that are captured. Duqu 2.0 uses all of this, especially the stealth, to compromise entire networks, including routers and “smart” devices (like printers) attached to the network. This makes it much more difficult to remove because parts of Duqu 2.0 are all over an infected network and well hidden. Clean out one server and surviving Duqu 2.0 components will note this and quietly re-infect the “cleaned” computer or server.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=fe85ce641f&e=20056c7556
PWC – State of Security Compliance
With risk and regulation increasing, and change accelerating, it’s harder than ever for companies to meet baseline compliance requirements. All business functions are being impacted by not only regulatory change but significant change to the competitive, political, and economic environment, but in our 2015 survey, we have seen only incremental change in the compliance function. According to PwC’s 18th Annual Global CEO survey, 54% of CEOs are entering or considering entering new sectors. Combine this with the 78% of CEOs that are concerned about the impact of regulation on their business and the time for the Chief Compliance Officer to elevate the profile of the compliance function is now. Compliance officers need to engage with leadership to minimize the impacts of regulatory pressures on the achievement of strategic goals…
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=0e3d4d8870&e=20056c7556
Middle-manager inaction the weak link in enterprise cyber-security
Lethargic, narrow-minded middle-managers are among the biggest remaining obstacles to consolidating enterprise cyber-security, an industry expert has warned.
Speaking at the CBI Cyber Security Conference 2015 in central London this week, Martin Smith MBE, chairman and founder of The Security Company, and of the Security Awareness Special Interest Group, said that in many corporate hierarchies the importance of cyber-security safeguards was now understood by directors, senior executives and increasingly by rank-and-file IT system users.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=81c0c3d6ea&e=20056c7556
China tightens grip over the Internet with new security law
On Wednesday, China’s legislature passed the national security law, which covers a wide range of areas including military defense, food safety, and the technology sector.
A full text of the law’s final draft has yet to be released, but it calls for better cybersecurity, according to a report from China’s state-controlled Xinhua News Agency. The country’s key information systems and data will also be made “secure and controllable” under the law.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=6690442e7a&e=20056c7556
The top three banking malware families
SecurityScorecard sinkholes found 11,952 infections affecting 4,702 organizations and identified the top banking malware families to be Dridex, Bebloh and TinyBanker… The top three banking malware families being captured are all direct variants of Zeus, or mimic Zeus-like functionalities. These malware attacks are the preferred method of obtaining stolen credentials, especially when traditional attacks on web applications or network-based attacks are being monitored by internal security teams.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=7f69cf5c44&e=20056c7556
============================================================
Feedback, questions? Our mailing address is: dailynews@paulgdavis.com