[From the desk of Paul Davis – his opinions and no-one else’s]
Apart from the reporter's opinions
So onto the news:
Checking In On the Federal Data Breach Notification Law
As we reach the midpoint of 2015, it is a good time to check in on the progress of the Data Breach and Security Notification Act of 2015 that is making its way through Congress. Most privacy experts and data breach practitioners agree that a single nationwide data breach notification statute would be superior to the current state-by-state regime (it would certainly make data breach response easier and more cost-effective), but there is considerable debate about what that statute should say. Thus far, the bill has remained stagnant in the Senate after being referred to the Senate Commerce, Science and Transportation Committee back in January; the House version of the bill has made some progress in the Energy and Commerce Committee, where a mark-up session was held and the bill was referred to the Subcommittee on Commerce, Manufacturing and Trade. The amendments considered in committee generally mirrored the overall debate on the statute: some argued that the bill would weaken existing state laws pertaining to data breaches, while others argued that the current draft puts too much of a burden on businesses because it arguably requires them to notify consumers even if the data is breached while in the hands of another company, and even if the data was merely accessed but not actually acquired.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=800e698842&e=20056c7556
Barclays: "Cyber criminals aren't buying castles in eastern Europe, they are investing in the next malware"
THE HEAD of fraud prevention at Barclays has called for greater cooperation between the police and banking sector to tackle the growing menace of cyber crime.
Speaking to The Yorkshire Post, Alex Grant hit back at claims by police that financial institutions are not keen to work with the authorities and do not provide useful data.
"Anything within the bounds of the law we will absolutely support the police," said the managing director of fraud prevention in personal and corporate banking at Barclays.
Mr Grant said Barclays has seen a 30 per cent decrease in the number of "false positives" (the interruption of genuine transactions) over the last four months, thanks to new tools to analyse big data.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=8114ba3d5e&e=20056c7556
The more things change… more amendments to state breach notification laws
– Montana's definition of "personal information" will now include names combined with medical information, taxpayer identification numbers, and IRS-issued identity protection PINs. Businesses will also have to simultaneously submit a copy of the data breach notice to the state Attorney General, specifying how many Montana residents were affected. In some instances, businesses will be required to notify the Commissioner of Insurance as well.
– Nevada's definition of "personal information" will widen to include usernames and email addresses in conjunction with passwords, access codes, or security questions.
– North Dakota's data breach law will apply to any entity that "owns or licenses" personal information of state residents, not only those entities that conduct business in the state. Compromised employee identification information, however, will only trigger the law's notification requirement if combined with passwords or codes.
– Washington's law will impose a 45-day deadline to report breaches to affected residents and to the state Attorney General if the breach affects more than 500 residents. Notification requirements will also apply to hard-copy as well as computerized data, including encrypted data whose encryption keys have been compromised.
– Wyoming adopted a number of amendments that will significantly expand its definition of "personal information." In addition, the law adopts a number of content requirements for data breach notices.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=fc72c004d4&e=20056c7556
State-run SSL certificate authorities make Congress nervous about web security
Congress is losing sleep over the possibility other nations could endanger web security, and now it wants the four major browser makers to weigh in. The House of Representatives’ Committee on Energy and Commerce recently sent letters to Apple, Google, Microsoft, and Mozilla with questions about how the backbone of HTTPS security could be violated.
The concern is whether a government-owned SSL certificate authority (CA) could start issuing phony security certificates that look legitimate to browsers. Those certificates could then be used to harvest login details from social networks, corporate networks, and email accounts.
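The concern above is structural rather than a bug in any one browser: a client accepts any certificate that chains to any root in its trust store, so a root that should not be trusted can mint a valid-looking certificate for any hostname. The following Go program is an added example written for this page, not code from the article or from any browser vendor. It builds two in-memory roots (the CA names, the hostname mail.example.com and all keys are constructed placeholders), has each issue a certificate for the same host, and shows that chain validation cannot tell the forgery from the genuine certificate once the rogue root is in the store, while an SPKI pin taken from the genuine certificate still rejects it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}
func mustCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// template builds a root template (isCA) or a server-auth leaf for name.
func template(name string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{name}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// NewCA creates a constructed, self-signed root (not a real trust anchor).
func NewCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, tmpl := mustKey(), template(name, true)
	return mustCert(tmpl, tmpl, &key.PublicKey, key), key
}

// IssueServerCert has root (caCert, caKey) sign a leaf for host. Any root in
// the store can do this for any hostname: X.509 itself ties no name to one CA.
func IssueServerCert(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, host string) *x509.Certificate {
	key := mustKey()
	return mustCert(template(host, false), caCert, &key.PublicKey, caKey)
}

// ChainOK is the browser's check: does leaf chain to a trusted root for host?
func ChainOK(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// SPKIPin is the base64 SHA-256 of the SubjectPublicKeyInfo (HPKP pin format);
// a forged cert carries the attacker's key, so its pin differs from the genuine one.
func SPKIPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// RunScenario has a legitimate and a rogue root each issue a cert for the same
// host and returns: genuine cert accepted; forgery rejected with only the legitimate
// root trusted; forgery accepted once the rogue root is in the store; pin still catches it.
func RunScenario() (genuineOK, forgedRejectedNarrow, forgedAcceptedBrowser, pinCatches bool) {
	const host = "mail.example.com" // hypothetical target
	legitCert, legitKey := NewCA("Legitimate Root CA")
	rogueCert, rogueKey := NewCA("State-Run Root CA")
	genuine := IssueServerCert(legitCert, legitKey, host)
	forged := IssueServerCert(rogueCert, rogueKey, host)
	narrow, browser := x509.NewCertPool(), x509.NewCertPool()
	narrow.AddCert(legitCert)
	browser.AddCert(legitCert)
	browser.AddCert(rogueCert)
	return ChainOK(genuine, browser, host), !ChainOK(forged, narrow, host),
		ChainOK(forged, browser, host), SPKIPin(forged) != SPKIPin(genuine)
}

func main() {
	fmt.Println(RunScenario())
}
```

The third result is the one Congress is worried about: with the rogue root present, the chain check passes for the forgery exactly as it does for the genuine certificate, because the check is only as trustworthy as the least trustworthy root in the store. Key pinning (the fourth result) and Certificate Transparency logging are the two deployed countermeasures to that gap; pinning rejects the unexpected key at the client, and CT makes the mis-issuance publicly visible.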
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=327344aeb4&e=20056c7556
IT admin errors that lead to network downtime and data loss
Kroll Ontrack today released its most recent list of common IT administrator errors that can lead to data loss and network downtime. The findings indicate that the complexity in storage environments and sheer growth in data volume can result in serious data loss when human error strikes, leaving many organizations vulnerable to security risks and financial implications if they do not properly invest in and adhere to technology risk management policies.
The following are the most common IT mistakes or oversights that could lead to data loss and security vulnerability:
– Failure to document and execute established IT, retention and backup procedures.
– Failure to backup effectively.
– Delay in infrastructure or security investments.
– Failure to adhere to and maintain relevant security policies and/or keep OS and security controls up to date.
– Deleting data that is still in active use.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=ef942268b6&e=20056c7556
90% of Data Loss Prevention Violations Happen in Cloud Apps
A vast majority (90%) of data loss prevention (DLP) violations occur in cloud storage apps, mostly affecting enterprise confidential intellectual property or customer and regulated data.
According to the Summer 2015 Netskope Cloud Report, 17.9% of all files in enterprise-sanctioned cloud apps violate at least one DLP policy; such policies are internal rules set to govern the handling of personally identifiable information (PII), payment card information (PCI), personal health information (PHI), source code, profanity and confidential or top-secret information.
Of those DLP-violating files, one in five (22.2%) were shared with one or more people outside of the company.
Among the different types of mishandled sensitive content across aggregate Netskope Active Platform customers, more than half are either PII or PCI. The highest incidence of DLP policy violations occurred with PII at 26.8%, while PCI represented the second highest, at 24.3%.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=a134c3d258&e=20056c7556
Cybersecurity Maturity Lacking or Non-Existent for Most
In its inaugural Cybersecurity Poverty Index, RSA assessed the maturity of cybersecurity programs using the NIST Cybersecurity Framework (CSF) as a benchmark, and found that 83% of organizations surveyed with more than 10,000 employees are not well prepared for today's threats. Overall, nearly 75% of all businesses lack the maturity to address cybersecurity risks.
The Framework, launched in final form last year, is meant to be a voluntary blueprint of standards, guidelines and practices to help organizations charged with providing the nation’s financial, energy, health care and other critical systems better protect their information and physical assets from cyber-attack.
About 66% of all survey participants rated themselves as inadequate across five key functional areas (identify, protect, detect, respond and recover).
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=fdd4715ee6&e=20056c7556
Without threat intelligence "you're just throwing darts at a board," Canadian IT pros told
"Without the intelligence-led program you're just throwing darts at the board, things change so fast," George Rettas, managing director of global information security at U.S. financial giant Citigroup, told a panel at the SC Congress conference in Toronto on Wednesday.
Correa noted that threat intelligence is "proactive incident response": the CISO knows what to look for before an incident. It is also not vulnerability information, where you merely know there is a hole, he added, but something more granular: "You know there is a hole that is being exploited, by how, what exploits are being used and how you can respond to it."
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=d4a2dcb413&e=20056c7556
Novetta Exposes Full Extent of Elasticsearch Attackers’ Malware Capabilities
MCLEAN, Va., June 11, 2015 /PRNewswire/ — Novetta, a leader in advanced analytics technology, today released The Elastic Botnet Report detailing the characteristics of attackers exploiting an Elasticsearch vulnerability to create distributed denial-of-service (DDoS) botnet infrastructures using the Elknot and BillGates DDoS malware families. Novetta’s report includes an overview of the vulnerability, details about the threat actors exploiting the vulnerability to establish DDoS botnets, a detailed analysis of the malware functionality, and remediation steps to help detect and remove infections. Novetta collected this evidence and supporting data by developing and deploying an open source honeypot named Delilah, which provides researchers the capabilities to develop similar honeypots for other research.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=ae77509524&e=20056c7556
Fingerprint technology fails to eliminate security concerns in banking apps
Initial indications suggest that consumers have been quick to adopt the technology; however, public dialogue on how effectively it deters cyber criminals is limited, as is the literature on the application security that surrounds it. The onus is now on the banks to ensure they do not find themselves woefully ill-equipped to deal with the ever-changing vectors of cyber fraud. In a recent report Gartner predicted that 75 per cent of mobile applications will fail the most basic security tests in 2015, so it is pertinent that the banking industry adopt a security-led approach that does not weaken security in favour of user convenience.
The new approach should be whitelist-based and one where the burden of responsibility is shared at the app level, moving responsibility from the device user to the app provider, likely to be a financial institution. Furthermore, banks need to broaden their perception of security, which has often been seen as too narrowly linked to money fraud. A wider, all-encompassing approach that includes the sensitive personal information handled within the app would leave banks well positioned to stop damaging malware attacks now and in the future.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=0060e6f524&e=20056c7556
OpenSSL patches Logjam vulnerability
Among the fixes is a patch for the recent Logjam vulnerability (CVE-2015-4000), which lets an attacker in a man-in-the-middle position downgrade Transport Layer Security (TLS) connections to weak, 512-bit export-grade Diffie-Hellman key exchange.
Five other OpenSSL flaws, CVE-2015-1788 through CVE-2015-1791 plus the older CVE-2014-8176, all rated moderate, are also addressed by the latest set of patches.
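Logjam works because a client that is willing to accept export-grade DHE suites cannot tell, from the handshake alone, whether the server or an attacker chose the 512-bit group; the client-side fix is to measure the group the server actually sends and refuse anything short. Below is an added Go example, not OpenSSL's code and not from the article, that parses the ServerDHParams portion of a TLS 1.2 ServerKeyExchange (the message carrying p, g and Ys) and classifies the group by the bit length of p. The sample moduli are constructed integers of the right size, not real DH groups; the 2048-bit threshold is the post-Logjam recommendation rather than the 768-bit floor the patched OpenSSL client initially enforced.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"math/big"
)

// ServerDHParams mirrors the start of a TLS 1.2 ServerKeyExchange for DHE suites:
// dh_p, dh_g and dh_Ys, each a 2-byte big-endian length followed by that many bytes.
type ServerDHParams struct {
	P, G, Ys *big.Int
}

// MinDHBits is the smallest group a client should accept after Logjam; anything
// at or below 512 bits is the export-grade size the attack downgrades to.
const MinDHBits = 2048

func readVec16(b []byte) (val, rest []byte, err error) {
	if len(b) < 2 {
		return nil, nil, errors.New("truncated length field")
	}
	n := int(binary.BigEndian.Uint16(b))
	if n == 0 || len(b) < 2+n {
		return nil, nil, errors.New("truncated or empty vector")
	}
	return b[2 : 2+n], b[2+n:], nil
}

// ParseServerDHParams decodes the three vectors; the trailing signature, if
// present, is left unparsed. Leading zero bytes do not inflate the group size
// because big.Int.BitLen measures the value, not the encoding.
func ParseServerDHParams(body []byte) (ServerDHParams, error) {
	var raw [3][]byte
	rest := body
	for i := range raw {
		var err error
		if raw[i], rest, err = readVec16(rest); err != nil {
			return ServerDHParams{}, fmt.Errorf("field %d: %w", i, err)
		}
	}
	return ServerDHParams{
		P:  new(big.Int).SetBytes(raw[0]),
		G:  new(big.Int).SetBytes(raw[1]),
		Ys: new(big.Int).SetBytes(raw[2]),
	}, nil
}

// Verdict classifies a group by the bit length of p, the same quantity a
// post-Logjam client checks before continuing the handshake.
func Verdict(sp ServerDHParams) string {
	bits := sp.P.BitLen()
	switch {
	case bits <= 512:
		return fmt.Sprintf("REJECT: %d-bit export-grade group (Logjam downgrade)", bits)
	case bits < MinDHBits:
		return fmt.Sprintf("WEAK: %d-bit group, below the %d-bit minimum", bits, MinDHBits)
	}
	return fmt.Sprintf("OK: %d-bit group", bits)
}

// Classify parses then judges; bits is 0 on a parse error.
func Classify(body []byte) (bits int, verdict string, err error) {
	sp, err := ParseServerDHParams(body)
	if err != nil {
		return 0, "", err
	}
	return sp.P.BitLen(), Verdict(sp), nil
}

// EncodeServerDHParams builds a message from p, g and Ys (used for the samples).
func EncodeServerDHParams(p, g, ys *big.Int) []byte {
	var out []byte
	for _, v := range []*big.Int{p, g, ys} {
		raw := v.Bytes()
		out = append(out, byte(len(raw)>>8), byte(len(raw)))
		out = append(out, raw...)
	}
	return out
}

// SampleModulus returns a constructed odd integer with exactly bits bits. It is a
// stand-in for a group's p in these samples, NOT a safe prime or a real group.
func SampleModulus(bits int) *big.Int {
	p := new(big.Int).Lsh(big.NewInt(1), uint(bits-1))
	return p.SetBit(p, 0, 1)
}

func main() {
	for _, bits := range []int{512, 1024, 2048} {
		body := EncodeServerDHParams(SampleModulus(bits), big.NewInt(2), SampleModulus(bits-8))
		_, v, err := Classify(body)
		fmt.Println(v, err)
	}
}
```

The same parser can be pointed at a passive capture to audit which servers on a network still negotiate short groups; on the server side the equivalent fix is to stop offering DHE_EXPORT suites at all and to configure a 2048-bit group.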
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=f210f1f26e&e=20056c7556
Wolves Among Us: Abusing Trusted Providers for Malware Operations
As an example, RSA IR discovered use of malware known as PNGRAT during a recent response effort. PNGRAT, which has since been publicly documented as ZoxPNG, is a substantially equipped trojan with the ability to manage files, enumerate and control processes, and execute commands. In this particular variant, there were additional features that allowed the malware to collect stored HTTP credentials from the registry of the compromised system, as well as monitor for RDP connections. More importantly, these samples of PNGRAT did not contain a hardcoded IP address or domain for C2 communications.
RSA has noted many adversaries who use public services for C2 architecture in order to prevent detection. However, the method by which these samples acquire their C2 IP address is considered unique. In this PNGRAT variant, the malware retrieved its download instructions from Microsoft's Technet website. By connecting to Technet and retrieving the user profile for a hardcoded user account, PNGRAT obtained an IP address for further C2 connections. This IP address is stored and encoded within the user profile. Though encoded, the address had a particular header and footer that made it obvious to those who knew to look for it:
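The dead-drop pattern described above (a trusted public site hosts an encoded address between fixed markers, and the implant fetches the page and scans for them) is easy to hunt for once the markers are known. The Go snippet below is an added example, not Novetta's, RSA's or the malware author's code. The header and footer strings, the base64 "ip:port" encoding and the profile text are all constructed stand-ins, because the article does not reproduce the real PNGRAT markers or encoding. It extracts and validates every marker-delimited address in a fetched page, which is the same logic an analyst would run over proxied HTTP response bodies to find profiles being used as dead drops.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"net"
	"strings"
)

// Hypothetical markers. The article says the encoded address sat between a
// distinctive header and footer but does not reproduce them; these are placeholders.
const (
	headerMarker = "@@CFG@@"
	footerMarker = "@@END@@"
)

// decodeAddr applies the encoding assumed for this example (base64 of "ip:port").
// The real sample's encoding is not described on the page. It returns false for
// anything that does not decode to a syntactically valid IP address and port.
func decodeAddr(enc string) (string, bool) {
	raw, err := base64.StdEncoding.DecodeString(enc)
	if err != nil {
		return "", false
	}
	host, port, err := net.SplitHostPort(string(raw))
	if err != nil || net.ParseIP(host) == nil {
		return "", false
	}
	return net.JoinHostPort(host, port), true
}

// ExtractDeadDrops scans page content for every header/footer pair and returns
// the decoded C2 addresses. Malformed payloads are skipped rather than aborting
// the scan, so one decoy block cannot hide a later real one.
func ExtractDeadDrops(page string) []string {
	var found []string
	for {
		start := strings.Index(page, headerMarker)
		if start < 0 {
			break
		}
		rest := page[start+len(headerMarker):]
		end := strings.Index(rest, footerMarker)
		if end < 0 {
			break
		}
		if addr, ok := decodeAddr(strings.TrimSpace(rest[:end])); ok {
			found = append(found, addr)
		}
		page = rest[end+len(footerMarker):]
	}
	return found
}

// sampleProfile is a constructed fragment of a profile page carrying a dead drop
// (the payload is base64 of "192.0.2.10:443", a documentation-range address).
const sampleProfile = `<div class="profile-bio">Hobbies: hiking, photography.
@@CFG@@MTkyLjAuMi4xMDo0NDM=@@END@@ Thanks for visiting!</div>`

func main() {
	fmt.Println(ExtractDeadDrops(sampleProfile))
}
```

For detection the useful inversion is to run this over outbound web traffic from hosts that have no business reading forum profiles, and to alert on any profile body that yields an address; the markers themselves, once recovered from a sample, also make a cheap signature for proxy logs.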
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=cf562ff20a&e=20056c7556
============================================================
Feedback, questions? Our mailing address is: ** dailynews@paulgdavis.com (mailto:dailynews@paulgdavis.com)
If someone forwarded this email to you and you want to be added in,
please click this: ** Subscribe to this list (http://paulgdavis.us3.list-manage1.com/subscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a)
** Unsubscribe from this list (http://paulgdavis.us3.list-manage.com/unsubscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556&c=c367250ac7)
** Update subscription preferences (http://paulgdavis.us3.list-manage.com/profile?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556)