[From the desk of Paul Davis – his opinions and no-one else’s]
Apart from the reporter’s opinions
So onto the news:
The SWAMP helps keep hackers at bay
The SWAMP, the Software Assurance Marketplace, gives developers a chance to run their software programs through a series of tools that can root out potential pitfalls – small gaffes that may cause hiccups in the way a program runs or bigger gaps that could let hackers wriggle in.
The SWAMP has collected nearly a dozen tools, so far, used to identify software problems. The SWAMP’s staff doesn’t develop the security programs, but gathers them, offering a selection that can root out glitches in a variety of programming languages. They are all available, for free, to the public; even consumers can use them to make sure the apps they use are secure.
Lloyd, at Redox, depends on open-source software. “A person in one part of the world can write code that’s supposed to do something. Someone in another part of the world can use it and assume it works,” said Lloyd. It does work, 99 percent of the time, he added.
Lloyd said Redox can’t use the SWAMP – at least, not yet – because it doesn’t support the programming language the startup uses. (So far, C, C++, Java, Python and Ruby are covered; JavaScript and PHP are coming.) So to prevent holes in its programs, Redox does its own extensive testing and has others review its work, he said. “It’s baked into every development task that we do,” he said.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=807c2b1b4d&e=20056c7556
Vendor risk management: a weak link in many organizations
The outsourcing of critical services to third parties requires a robust vendor risk management program and stringent oversight, yet the results of a new study suggest that many companies may be underperforming in these areas. Organizations must make improvements to their risk management programs in order to keep pace with the latest risks and challenges, according to the 2015 Vendor Risk Management Benchmark Study, released by the Shared Assessments Program and Protiviti.
During the one-year period between the 2014 and 2015 surveys, there was an epidemic of cybersecurity breaches, the February 2014 release of the NIST Cybersecurity Framework, and more oversight of IT security risk programs in general by both boards of directors and regulators. This increased regulatory focus on third-party risks means that organizations are now more aware of their own program’s strengths and weaknesses, particularly at the C-suite and board level. With greater clarity about what is required to minimize and mitigate cybersecurity risks, many respondents may have rated their capabilities lower even in the face of process improvements in their firms, and may also be setting a higher bar for what they deem to be mature levels of vendor risk management.
Vendor risk management programs require more substantive advances. The overall maturity rating for program governance in this year’s survey (2.7 on a 5-point scale – below the “fully defined and established” maturity level) should serve as a wake-up call that deeper changes are needed that reach into organizational culture and individual behavior, especially for financial institutions that are striving to satisfy the US “Getting to Strong” regulatory mantra.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=d0cfe7a7c4&e=20056c7556
The ticking time-bomb at the heart of our big banks’ computer systems
Last year banks in Europe spent an estimated £40 billion on IT, but only £7bn of that was investment in new systems: the remaining £33bn was spent patching and maintaining increasingly creaky and fragmented legacy systems.
A report by Deloitte from as far back as 2008 said that “many banks have now reached a tipping point where the cost and risk of doing nothing outweighs the cost and risk of taking action”. And yet, seven years on, little has changed.
The reluctance of the old world retail banks to grasp the nettle of investment in new core systems is now giving the new challenger banks – who can launch with brand new, more reliable software – the opportunity to grow market share (see panel).
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=cb0bb5c323&e=20056c7556
The Need for a Threat Intelligence Maturity Model – Pt 1
Last year, we started working on what we are calling a Threat Intelligence Maturity Model (TIMM). We recognize that while threat intelligence holds tremendous value in facing a changing threat landscape, most struggle with being able to leverage it proactively. There are no current standards for gauging how effective threat intelligence functions are, and how well those functions are integrating with other areas of their cybersecurity capabilities and the business. As such, many early adopters are stuck in a reactive state (at best), are struggling in determining what their future state should be, and cannot articulate why it is important. This is an issue that needs to be solved in order to fully harness the power of threat intelligence – and one that needs to be solved before mass market adoption occurs.
At the core, we feel threat intelligence maturity can be divided into organizational and functional maturity.
Organizational maturity is a way of looking at what resources and organizational structures are in place to fully support the integration of threat intelligence.
Functional maturity can measure how organizations actually apply threat intelligence, in ways that enhance their ability to protect themselves within the threat landscape.
In this blog series, we will walk through our vision for the TIMM concept as it applies to organizational maturity – with the goal of establishing a threat intelligence team in your security operations. We will also work through our concepts around functional maturity to support the mission of integrating cyber threat intelligence into the “Security Monitoring” domain.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=7999ff318e&e=20056c7556
Threat intelligence survey: 43 percent only share info internally
While 43 percent of security professionals said that they only share information about threats they discover at work internally, a much larger showing, 81 percent, called for more government-to-private sector sharing, a new survey said.
More than 300 security practitioners participated in the survey, which was conducted by AlienVault at the Infosecurity Europe 2015 conference in London last month. The survey was carried out to “paint a picture of how threat intelligence is obtained, utilized and shared,” according to the report [PDF], released Tuesday.
While 43 percent of respondents said they shared threat intelligence only within the organization, 40.2 percent said they would share such information with “trusted peers” or the “closed community.” Around 20 percent of participants said they shared threat intelligence with the government sector, and only 7.6 percent (25 respondents) said they publicly shared threat intelligence.
Though only 67 respondents (20.4 percent) said they shared threat intelligence with the government, 266 respondents (81.1 percent) felt that the government should share more threat intelligence with the private sector, the survey noted.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=04814313e8&e=20056c7556
Adobe to patch second Hacking Team Flash zero-day bug
Adobe next week will patch a second zero-day vulnerability found in the leaked documents from the Hacking Team, a controversial Italian company that sells surveillance software and exploits to governments.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=cc4d15c08e&e=20056c7556
German hospitals, water utilities, telecommunications and other essential providers will face fines of up to 100,000 euros if they fail to meet minimum information security standards under legislation finalized on Friday.
The law passed its final hurdle in the upper house of the German parliament, the Bundesrat, comprising delegates from Germany’s 16 Länder or regional states.
It obligates essential institutions to immediately notify severe cyber attacks on their systems or networks to the Federal Office of Information Security (BSI), based in Bonn.
These entities or firms are also required to obtain BSI clearance that their operations comply with minimum security standards.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=4f29c75d79&e=20056c7556
VMware patches vulnerabilities in Workstation, Player, Fusion and Horizon View Client
The flaws could lead to code execution, privilege escalation and denial-of-service.
To address the code execution issue, VMware released Workstation 11.1.1 and 10.0.6; VMware Player 7.1.1 and 6.0.6; and Horizon Client for Windows 3.4.0, 3.2.1 and 5.4.2 (with local mode). The company also fixed the separate denial-of-service issue in VMware Workstation 10.0.5 and VMware Player 6.0.6 for all platforms and Fusion 7.0.1 and 6.0.6 for OS X.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=0bf7215d67&e=20056c7556
============================================================
Feedback, questions? Our mailing address is: ** dailynews@paulgdavis.com (mailto:dailynews@paulgdavis.com)