[From the desk of Paul Davis – his opinions and no-one else’s]
Apart from the reporter’s opinions 😉
So onto the news:
Banks, Retailers Debate Cyberdata Security Bills
Among several proposed data breach bills on Capitol Hill, two — both titled the Data Security Act of 2015 — would expand bank standards to retailers.
The bills’ supporters, including the American Bankers Association and the Credit Union National Association, argue that since banking is only one type of business targeted by hackers, it makes sense to apply similar rules to other elements of transactions that get hacked.
Opponents, including the National Retail Federation (NRF), contend that broadly applying standards meant for the financial sector is like putting a square peg into a round hole and would burden small businesses with more regulatory costs and red tape.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=800fa63d99&e=20056c7556
Stegoloader: A Stealthy Information Stealer
Malware authors are evolving their techniques to evade network and host-based detection mechanisms. Stegoloader could represent an emerging trend in malware: the use of digital steganography to hide malicious code. The Stegoloader malware family (also known as Win32/Gatak.DR and TSPY_GATAK.GTK despite not sharing any similarities with the Gataka banking trojan) was first identified at the end of 2013 and has attracted little public attention. Dell SecureWorks Counter Threat Unit(TM) (CTU) researchers have analyzed multiple variants of this malware, which stealthily steals information from compromised systems. Stegoloader’s modular design allows its operator to deploy modules as necessary, limiting the exposure of the malware capabilities during investigations and reverse engineering analysis. This limited exposure makes it difficult to fully assess the threat actors’ intent. The modules analyzed by CTU researchers list recently accessed documents, enumerate installed
programs, list recently visited websites, steal passwords, and steal installation files for the IDA tool.
Stegoloader has a modular design and uses digital steganography to hide its main module’s code inside a Portable Network Graphics (PNG) image downloaded from a legitimate website. Other malware families have used this technique, including the Lurk downloader, which CTU researchers analyzed in April 2014. At the end of 2014, CTU researchers also observed the Neverquest version of the Gozi trojan using this technology to hide information on its backup command and control (C2) server.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=4828792aca&e=20056c7556
What defines a mature IT security operation?
Hint: The answer does not relate to the amount of money you spend.
RSA recently published their inaugural and aptly named Cybersecurity Poverty Index. This study is based on self-assessments by organizations who compared their current security implementations against the NIST Cybersecurity Framework. According to the report, almost 66 percent rated themselves as inadequate in every category. With all of the recent breaches in the news, part of me is astounded at this finding. The other part is not surprised, given that this matches what I see in the field every day.
– Security maturity begins in the boardroom.
– There must be someone, staff or service provider, with whom the IT security buck stops.
– the infosec budget must be segregated and discreet from overall IT expenditures
– network and data flow diagrams making clear how data moves in an organization
– Beyond the basics like firewalls and malware software, expensive tools are not essential. Such investments must be viewed as automating what can be done manually
– keep good records about what happens, and know in advance how you will deal with problems when they occur.
– Test your systems and application, and keep testing them
– Everyone in the organization must accept that their responsibilities include information security
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=61aceeb4ad&e=20056c7556
42pc of Indian cyber attacks are by foreign Govts
BANGALORE, INDIA: A report to guide CIOs and CISOs to understand the paradigm shift taking place in the web application security domain has been published by Indusface.
– 91% of the websites that IndusGuard web application scanner tested had SQL Injection vulnerability
– 97% were prone to Cross-Site Scripting attacks
– SQL Injection and Sensitive Information Leakage by web application breach have increased significantly
– More than 10 million internet shoppers, growing yearly by 30%, luring cybercrimes
– 185 million active mobile internet users with 243% growth, a platform which is highly vulnerable
– 58% attacks are for financial gains and 42% by foreign governments 155. GOV and NIC domains were hacked last year
– 32,323 public Indian website were hacked in 2014 with 14% Y-o-Y increase
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=0f5a9355a3&e=20056c7556
Enterprise Cyber Threat Intelligence Use Soars
For instance, a recent Threat Intelligence Survey conducted by Enterprise Strategy Group (on behalf of BrightPoint Security), shows that 94 percent of enterprises find value in sharing cyberthreat intelligence data. However, not so surprisingly to those who have been watching, less than one-third of enterprises actually regularly share such data with peers or industry Information Sharing and Analysis Centers. It’s always been the case, except for a few successful ISACs, such as that in the financial services industry, that there is more interest in cross-organization information sharing than willingness to carry it out.
Interest in cyberthreat intelligence isn’t just growing a little bit – it is growing considerably. A total of 72 percent of respondents said they would increase somewhat or significantly their spending on their overall threat intelligence program in the next year to year and a half.
Also coming in at 72 percent was the number of respondents who said that they will “collect and analyze significantly or somewhat more internal threat intelligence over the next 12 to 24 months.” Similarly, 55 percent plan to collect and analyze significantly or somewhat more external threat intelligence over the same period.
And they are finding value, both studies found. A full 75 percent in the SANs survey said that CTI was important to their security. And they are integrating CTI into their security information and event management (55 percent) systems; 54 percent use intrusion monitoring platforms; 76 percent gather intelligence from the security community; and 56 percent use intelligence from vendor-driven CTI feeds.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=16e571504e&e=20056c7556
STIX and TAXII Provide a Higher Standard for Threat Intelligence
Think of STIX as the rules of football and TAXII as team strategies and set plays. The teams are any organizations participating in information sharing and analysis centers (ISACs) that implement STIX and TAXII to share threat intelligence.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=00133ec260&e=20056c7556
Software applications have on average 24 vulnerabilities inherited from buggy components
Many commercial software companies and enterprise in-house developers are churning out applications that are insecure by design due to the rapid and often uncontrolled use of open-source components.
Last year, large software and financial services companies downloaded 240,757 components on average from one of the largest public repositories of open-source Java components. Over 15,000 of those components, or 7.5 percent, had known vulnerabilities, according to Sonatype, the company that manages the repository.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=948aafd452&e=20056c7556
Why security operations centers are the key to the future
All data and information feeds need to be consolidated onto a single dashboard. It is okay to have a follow-the-sun model for a SOC, but each location must have a single dashboard to perform the analysis. If different entities each have a different piece of the puzzle, coordination becomes difficult, which ultimately leads to longer lead time to catch a compromise. The SOC must also have the proper authority to take action when a problem is detected. If the SOC can detect a compromise in a timely manner but it takes a long time to get approval to take action, the amount of damage increases exponentially.
Security solutions are composed of both technology and people. Organizations will often give security a big budget to purchase a lot of equipment, but will not give it the people it needs to implement the solution. Any budget item should include both the dollars and staff that are needed to implement the solution. Many organizations have a room filled with expensive equipment, but no staff to properly run the operations center. A security information and event management piece of software does not magically detect attacks unless it is properly configured. Without proper staffing, all of the money in the world will not create an effective SOC. In summary, when setting up, deploying and running security operations centers, it’s important to have specific goals that need to be accomplished. The following is a SOC checklist that can be used to align an organization’s efforts:
– Clearly define the objectives and what constitutes success
– Plan “long term,” execute “short term”
– Determine metrics to identify what is working and what is not
– Learn, configure and become one with your tools
– Utilize experts/outsourcing to increase effectiveness
– Determine storage capabilities and critical data sources
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=1740cf01f6&e=20056c7556
Vapourware no more: Let’s Encrypt announces first cert dates
The Mozilla-backed Let’s Encrypt effort is moving out of its vapourware phase, announcing general availability for September 2015 and an intention to issue its first certificate in the week of July 27.
Launched last year by Mozilla, the Electronic Frontier Foundation (EFF) and Cisco, Let’s Encrypt’s aim is to create no-charge SSL certs in aid of the HTTPS-everywhere cause.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=fbd99ed98e&e=20056c7556
============================================================
Feedback, questions? Our mailing address is: ** dailynews@paulgdavis.com (mailto:dailynews@paulgdavis.com)
If someone forwarded this email to you and you want to be added in,
please click this: ** Subscribe to this list (http://paulgdavis.us3.list-manage1.com/subscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a)
** Unsubscribe from this list (http://paulgdavis.us3.list-manage.com/unsubscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556&c=ca540cb794)
** Update subscription preferences (http://paulgdavis.us3.list-manage1.com/profile?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556)