[From the desk of Paul Davis – his opinions and no-one else’s]
Apart from the reporter’s opinions 😉
So onto the news:
Adversary Intelligence: Getting Behind the Keyboard
Arguably one of the most controversial subjects in Threat Intelligence currently is the topic of Attribution, or developing Adversary Intelligence.
Without Adversary Intelligence, both producers and consumers of Threat Intelligence may risk overestimating or underestimating a given threat by myopically addressing a single source or facet of a given threat, simply because it is the path of least resistance. However, it is very important for organizations look to carefully compliment their technical analysis with Adversary Intelligence, thereby ensuring that they do not fall victim to biases and oversights.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=38afad659c&e=20056c7556
Be Prepared: Incident Response Plans Help Stem Costs of a Cyberattack
CFOs can be instrumental in helping their organizations prepare for a possible cyberattack. Hoping it won’t happen or simply transferring responsibility for cybersecurity to the IT department are not good options. Financial executives can help their organizations shore up their cybersecurity defenses with the following actions:
Take inventory of your assets.
Assess vendors’ security measures.
Develop a risk profile.
Create an incident response team and develop a plan of action.
Ignoring cybersecurity issues will ultimately cost you in numerous ways, but certainly in terms of dollars. Financial executives can and should play a key role in examining their organization’s cybersecurity measures, supporting efforts to bolster internal defenses and encouraging the development of a robust response plan. While companies cannot completely guard against a cyberattack, they can be prepared for one. And being prepared will not only provide peace of mind but will translate into savings in terms of time, money, reputational damage and headaches if a breach does occur.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=3bebd135f9&e=20056c7556
Businesses overestimate data theft readiness, claims report
The research, carried out by Pierre Audin Consultants (PAC), discovered that, also found that only 30 per cent of firms with a cyber readiness plan, which addresses how they will respond in the event of a data security breach, test it monthly, with many of the remaining 70 per cent testing it only annually. This is despite 86 per cent of firms claimed to have a “high state of readiness”, according to the report.
PAC found that the most prepared sectors are government and financial services, but that they also suffer the highests remediation costs when a data breach happens.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=cced47454b&e=20056c7556
Due diligence with CPA firm subcontractors
CPA firms often use subcontractors to help provide payroll, tax, accounting, and audit services or to provide administrative support to the firm. In the course of rendering these services, subcontractors may obtain access to a vast amount of confidential client data. Examples of subcontractors include part-time help hired during busy season, other accounting firms assisting with tax return preparation, or even companies that provide mailroom or office cleaning services. … While the above items are good considerations to help evaluate a subcontractor’s privacy and confidentiality policies, what would happen if a client asked your CPA firm similar questions? Now is an excellent time to review and update the firm’s processes to protect confidential client data, train employees, and understand how insurance coverage may apply in the event of a data breach.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=694ddf35e7&e=20056c7556
Cyberbreach and Reputation Woes Hack Away at Bottom Line for 44% of Financial Firms
According to the 2015 Makovsky Wall Street Reputation Study, released Thursday, 42% of U.S. consumers believe that failure to protect personal and financial information is the biggest threat to the reputation of the financial firms they use. What’s more, three-quarters of respondents said that the unauthorized access of their personal and financial information would likely lead them to take their business elsewhere. In fact, security of personal and financial information is much more important to customers compared to a financial services firm’s ethical responsibility to customers and the community (23%).
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=3e5d2f6c88&e=20056c7556
Attacking cybercrime through infrastructure, not individuals
Cisco’s Talos security team and Level 3 took against a cybercrime group known as SSH Psychos.
The Psychos were scanning the entire internet looking for Linux servers running the secure SSH protocol. Used properly it lets a server’s owner log in securely to that machine even though they may be a long way away from it.
In response, Level 3 and Cisco changed the way data from the attack was handled by net hardware they controlled. They essentially poured it into a virtual dustbin. This ended the scanning and stopped the password attacks. It got more even effective when some other large ISPs joined in.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=90c6652b94&e=20056c7556
The Amorphous Nature of Cyber Risk: GCs should look at the enterprise-wide impact of a breach
General counsel would benefit from taking a 360-degree look at how their operation, reputation and overall enterprise would be impacted by a breach. The lessons learned from recent case studies, coupled with the recent introduction of new cyberlegislation, offer guidance to the general counsel in creating and implementing best practices.
Recent new legislation now affords companies, irrespective of size, the ability to more readily and meaningfully address cybersecurity issues through the exchange of information about cyberthreats between the government and the private sector. In mid-April 2015, the House passed two significant pieces of cybersecurity legislation, during what has been called “Cyber Week.” This legislation offers liability protections to companies that share information on cyberthreat indicators on their networks – such as weak or default passwords, outdated software vulnerabilities, or suspicious code – with each other and the federal government. The first bill, the Protecting Cyber Networks Act, Intelligence Committee Bill, H.R. 1560, was passed by the House on April 22, 2015, by a 307-116 vote. The next day, the Homeland Security Committee’s National Cybersecurity Protection Advancement Act, H.R. 1731, passed by a 355-63 vote.
As daunting as protecting companies from cyberbreaches can be, by understanding the unique issues and concerns that arise in this new landscape, the general counsel is better able to protect and inform his company and board. Having a successful internal protocol and working with an industry ISAC can prove to be a significant asset for general counsel.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=fcbebdef47&e=20056c7556
Major payroll processor loses data in physical breach
Heartland Payment Systems, a major payroll processing company, is notifying customers their information may be exposed after computers were stolen from the company’s offices in Santa Ana, Calif.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=30d5bcdef0&e=20056c7556
How to Talk about Security Testing without Scaring People
Sylvia Killinen noted that her company’s most frequent difficulty wasn’t the testing itself. Instead, it was the communication that provided problems, in part because of the words used to explain what would be performed. If you take care with how you describe your process, you may get more support while executing tests and repairing systems.
“There are several steps to a security test at my organization. The first is when we move to sign off that the test is OK to perform, with permission from the product owner as well as the environment manager for whichever system is under test. This is best done by a document, because it’s easy to forget a conversation or lose an IM, so I fill out a statement of intent for each system to be under test. In that document, I describe at a high level what sort of testing will be performed, when, and what impacts may result. Considering any good security test aims to find and exploit vulnerabilities, impacts can include anything from system downtime to loss of data. I use the same language to describe tests as I would to describe vulnerabilities, as the statement of intent will also serve to guide development of test cases.”
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=d44037ee0d&e=20056c7556
76 countries fell to Botnet attacks in first quarter of 2015
The Kaspersky Lab statistics has shown that a total of 23,095 DDoS attacks were carried out on web resources located in 76 countries in the first quarter of 2015.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=c0379f0c9f&e=20056c7556
Detection changes: search protection code
Microsoft security products will detect programs with browser search protection functionality from June 1, 2015.
Non-compliant programs that exhibit such functionality will be detected by our software signatures that look for browser search protection code. Any program using code that can potentially perform search protection may be detected, regardless of whether the code is active.
Non-compliant programs that exhibit such functionality will be detected by our software signatures that look for browser search protection code. Any program using code that can potentially perform search protection may be detected, regardless of whether the code is active.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=3618fd02cc&e=20056c7556
============================================================
Feedback, questions? Our mailing address is: ** dailynews@paulgdavis.com (mailto:dailynews@paulgdavis.com)
If someone forwarded this email to you and you want to be added in,
please click this: ** Subscribe to this list (http://paulgdavis.us3.list-manage.com/subscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a)
** Unsubscribe from this list (http://paulgdavis.us3.list-manage2.com/unsubscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556&c=09ec41edab)
** Update subscription preferences (http://paulgdavis.us3.list-manage1.com/profile?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556)