[From the desk of Paul Davis – his opinions and no-one else’s]
Apart from the reporter’s opinions 😉
Sorry for missing a day.
So onto the news:
Going for Brokerages: FINRA and SEC
Risk Alert, “Cybersecurity Examination Sweep Summary,” summarizes the cybersecurity policies and practices of 57 registered broker-dealers and 49 registered investment advisers based on examinations conducted by the SEC’s Office of Compliance Inspections and Examinations (OCIE). FINRA’s more detailed “Report on Cybersecurity Practices” also summarizes cybersecurity programs at a broad array of firms, but it goes further, making the FINRA report particularly important for a number of other reasons. First, the report makes clear that FINRA has been active in bringing cybersecurity-related enforcement actions against both firms and individual executive officers when customer data are put at risk or compromised. Careful review of these case studies highlights factors that FINRA considers important in determining whether firms have satisfied their cybersecurity obligations. Second, the report sets out a series of detailed principles and effective practices for risk assessments, incident response plans and governance, among others. These principles and practices offer a road map for cybersecurity planning and risk management and establish baseline standards to which FINRA will hold firms accountable. Finally, the report provides very specific recommendations that firms can operationalize, demonstrating FINRA.
There should now be no doubt that both the SEC and FINRA are serious about the need for comprehensive cybersecurity programs. Recognizing that there is no one-size-fits-all solution, both agencies contemplate (and expect) information-driven risk management decisions, providing firms with an opportunity to craft a cybersecurity program that is custom fit to their data and physical assets, threat landscape and risk appetite. And, while there is opportunity for thoughtful assessment and improvement, one thing is clear: Firms can no longer stand by and do nothing. They all must grapple with and address the reality that cybersecurity is part of the modern business model, as well as the overall enforcement landscape.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=cdfa7eccdf&e=20056c7556
Palo Alto Networks Unit 42 Uncovers New Cyberattacks Targeting Government and Military Networks in Southeast Asia
SANTA CLARA, Calif., June 16, 2015 /PRNewswire/ — Palo Alto Networks® (NYSE: PANW), the leader in enterprise security, today shared research that uncovers a series of potentially state-sponsored cyberattacks targeting government and military organizations in countries throughout Southeast Asia.
“The Trojan backdoor and vulnerability exploits used in Operation Lotus Blossom aren’t cutting-edge by today’s standards, but these types of attacks can be detrimental if they are successful and give attackers access to sensitive data. The fact that older vulnerabilities are still being used tells us that until organizations adopt a prevention-based mindset and take steps to improve cyber hygiene, cyberattackers will continue to use legacy methods because they still work well.”
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=475c0ff26f&e=20056c7556
Advanced 365 reveals top eight technology threats of the future for the financial services sector
Neil Cross, Managing Director of Advanced 365, explains, “The financial services industry must find a balance between embracing innovation to establish a competitive advantage whilst meeting needs for greater compliance and security in order to survive. At present, too many firms are preparing for yesterday’s threat instead of updating their strategies to defend against tomorrow’s.”
Cross outlines below the top eight technology threats that financial services firms will face in the future.
1. Botnet attacks
2. Self-mutating computer virus
3. Near Field Communication (NFC)
4. Payments technology
5. Biohacking
6. Big data and the cloud
7. Mobile
8. Bring Your Own Device (BYOD)
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=126ba70b4b&e=20056c7556
‘Elise’ Cyber-Espionage Attacks Well-Funded: Report
Palo Alto Networks’ (NYSE:PANW) threat intelligence team has uncovered more than 50 separate cyberattacks against government and military organizations in Hong Kong, Taiwan, Vietnam, Indonesia and the Philippines.
In a report released late Tuesday, Santa Clara, Calif.-based Palo Alto Networks said “potentially state-sponsored cyberattacks” over the past three years appear to be an attempt to gain inside information on operations of nation-states throughout Southeast Asia.
All of the attacks used a custom-built Trojan, named “Elise,” to deliver highly targeted spear-phishing emails and gain an initial foothold on targeted systems, the security software company said.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=72456ff688&e=20056c7556(Technology%20RSS)
OpenDNS Accelerates Global Expansion with New EMEA Headquarters in the United Kingdom
OpenDNS, a leading provider of cloud-delivered network security, today announced that it has established its first Europe, The Middle East and Africa (EMEA) headquarters in London, accelerating its global expansion efforts. The US-based company will leverage its growing international presence to help companies in the region prevent their employees from reaching out to malicious sites and block incoming advanced threats that can infect their corporate networks — securing users and data anywhere, anytime, on any device. OpenDNS plans to use its increased footprint to provide expanded local support for its growing base of global customers.
OpenDNS also announced that Andre Stewart has joined the company as OpenDNS’s vice president of EMEA. Stewart brings over 22 years of experience in building and growing businesses, developing global sales strategies and leading successful international sales organizations. Prior to OpenDNS, he spent several years in the networking and security industries, including leadership positions at A10 Networks, Corero, and Fortinet where he successfully recruited strong sales teams and channel partners. He also served as Managing Partner at Agora M&A, where he specialized in cross-border mergers and acquisitions in the data-communications reseller channel space.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=5e4c332f80&e=20056c7556
Audit project to evaluate vulnerability of traffic lights to cyber attacks
WASHINGTON (WJLA) – The Washington, D.C. Department of Transportation (DDOT) will launch an audit project to evaluate the vulnerability of D.C. traffic lights to cyber attacks.
Cesar Cerrudo, according to a New York Times article, works for an organization called Secure Smart Cities and does Arlington’s Chief Information Security Officer David Jordan. Jordan said if Cerrudo said he did it, “then I believe he did.”
Keith St Clair, a spokesman for the Washington, D.C. Department of Transportation (DDOT), which handles traffic signals, said only 50 of 1,650 D.C. traffic-controlled intersections have the wireless technology that allowed Cerrudo to change lights. But he said D.C. is about to do a thorough review of its system.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=9d6eeed912&e=20056c7556
Apple App Security Fails Leave Macs And iPhones Vulnerable To ‘Devastating’ Attacks
The attacks, known as unauthorized cross-app resource access or XARA, expose design flaws that allow a bad app to access critical pieces of data in other apps. As a result, Apple has struggled to fix the issues, according to a paper released today from Indiana University Bloomington, Peking University and the Georgia Institute of Technology.
Analysis of 1,612 of the most popular Mac apps and 200 iOS apps found more than 88.6 per cent of the kit using the flawed pieces of the operating systems were exposed to the XARA attacks, leaving all kinds of data out in the open for willing hackers.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=367ee76592&e=20056c7556
Managing (in)Security Through Regulation: A Key Phase for Nation States
introducing laws and other regulatory responses to address cyber security issues was regarded with significant hesitation by governments and policy makers. To some extent, this hesitation may well have stemmed from a general perception by those who do not work directly in the field that the world of cyber security is somewhat of a ‘dark art’. More recently, however, there has been a substantial shift in this attitude, with proposals to regulate a range of cyber security related matters becoming increasingly numerous. This shift needs to be regarded with a degree of guarded pragmatism: regulation certainly has the potential to enhance attitudes to cyber security and ultimately security postures within nation states. However, if handled poorly, the effect of regulation may be to achieve the complete opposite.
Today’s environment is clearly different perhaps in large part because of increasing mainstream coverage of cyber security issues – particularly in the context of major data breaches affecting the personal information of an ever larger number of consumers (the data breach that affected Target in 2013 immediately comes to mind, though obviously there have been many others). This growing public spotlight has seemed to transform political appetites such that the notion of applying regulatory levers to address cyber security issues has come to be seen as an increasingly realistic proposition.
Whilst the above discussion is focused on regulatory responses to security issues that occur within a jurisdiction, the two discussions are not entirely disconnected. The establishment of norms around appropriate ways to regulate security issues at a domestic level – assuming there is some level of consensus that eventually emerges among states – may assist in developing consensus at an international level around whether specific types of conduct should be considered as justifiable, or inappropriate forms of cyber warfare. For example, if a majority of states adopt an internally consistent regulatory approach to how the security of critical infrastructure assets should be handled, this may in turn assist with shaping norms around how different types of offensive actions that occur against those assets by other nation states should be regarded.
The reality is that the cyber security field is entering a key phase in its relatively young history. Depending on how effectively this phase is handled by policy makers and regulators, there is a valuable opportunity to ensure that nation states move forward over the next several years with a strong and proactive security culture that will benefit their citizens substantially.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=7ffaf23df8&e=20056c7556
Magazine publisher loses $1.5 million in phishing attack
Bonnier Publications, the publisher behind Saveur and Popular Science, might have lost up to $1.5 million in a successful phishing attack in May.
The New York Post reported attackers accessed previous CEO Dave Freygang’s email account and used it to send phony emails to Accounts Payable employees. The emails instructed them to electronically transfer $3 million to a Chinese bank.
One employee fell for the scam and sent two $1.5 million transfers spaced four days apart. The second transfer, sent May 15, was recovered before it arrived at the bank, the Post reported.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=ae0238f2e5&e=20056c7556
Microsoft Word Intruder: Malware with a difference
The programs used to create malicious documents that exploit vulnerabilities in Office applications such as Word are now being advertised in underground forums. One such new tool that has recently come up offers the ability to track the effectiveness of campaigns. Microsoft Word Intruder (MWI), as the program is known, is advertised as an “APT” tool to be used in targeted attacks.
Reports suggest Microsoft Word Intruder is likely developed somewhere in Russia and is accompanied by a statistics package known as “MWISTAT” that allows operators to track various campaigns. It is advertised on the underground by an individual who goes by the handle Objekt.
Much like browser exploit kits, Microsoft Word Intruder gives even those with minimal technical skill access to document exploit kits by allowing them to purchase them.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=d2b38b851e&e=20056c7556
Find network anomalies and you’ll ax advanced malware
Today’s enterprises struggle to defend themselves against advanced malware. As research shows, some organizations haven’t yet realized their security focus must extend well beyond their network perimeters; those that have attempted to do this often struggle to get the funding they need for the technology and trained staff that an effective advanced malware defense requires. And even if an organization has virtually every possible defense in place, it can still be compromised, because the evasion techniques advanced malware employs are notoriously difficult to identify and stop.
Because IDS and IPS cannot adequately protect against advanced malware, security pros must change their focus and do more than just try to detect and deny malware at the border. They must acquire and deploy tools that examine the interior of the network as well as the perimeter, tools that possess the ability to detect network anomalies.
Part 2 of this tip will look at these types of security tools, how they work and why, in an age of advanced malware, they are essential to adequately secure the enterprise network.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=c250d6765a&e=20056c7556
The Amorphous Nature of Cyber Risk: General Counsels Should Look at the Enterprise-wide Impact of a Breach
In today’s hyper-connected age, safeguarding a company against a security breach is an amorphous task. Determined hackers will ultimately find a way around security protocols. When it comes to assessing cyber risks, many general counsel feel their hands are tied – they know their internal clients are exposed to legal liability, but often they do not fully understand the nature and depth of that liability. While the technical aspects alone of a cyberbreach can be daunting for even the most technologically savvy attorneys, security and systems liability is only one aspect a company faces in the wake of a cyberattack. General counsel would benefit from taking a 360-degree look at how their operation, reputation and overall enterprise would be impacted by a breach. The lessons learned from recent case studies, coupled with the recent introduction of new cyberlegislation, offer guidance to the general counsel in creating and implementing best practices.
Recent new legislation now affords companies, irrespective of size, the ability to more readily and meaningfully address cybersecurity issues through the exchange of information about cyberthreats between the government and the private sector. In mid-April 2015, the House passed two significant pieces of cybersecurity legislation, during what has been called “Cyber Week.” This legislation offers liability protections to companies that share information on cyberthreat indicators on their networks – such as weak or default passwords, outdated software vulnerabilities, or suspicious code – with each other and the federal government. The first bill, the Protecting Cyber Networks Act, Intelligence Committee Bill, H.R. 1560, was passed by the House on April 22, 2015, by a 307-116 vote. The next day, the Homeland Security Committee’s National Cybersecurity Protection Advancement Act, H.R. 1731, passed by a 355-63 vote.
Both bills are aimed at information sharing in order to decrease the significant cyber risks facing the federal government and the private sector. The bills will allow companies to voluntarily share information on cyberthreat indicators, while requiring them to remove any personal data before sending that information to the government. Companies would receive liability protection from certain regulatory actions and fines only if their data undergoes two rounds of data scrubbing of personal information – once by the company before it gives the data to the government and a second round by the government agency that receives the data. Companies would also be protected from liability and would not be subject to private and regulatory actions if they share cyberthreat indicator data in good faith with the government.
companies from cyberbreaches can be, by understanding the unique issues and concerns that arise in this new landscape, the general counsel is better able to protect and inform his company and board. Having a successful internal protocol and working with an industry ISAC can prove to be a significant asset for general counsel.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=93aac6f399&e=20056c7556
Bring intuition to threat intelligence
Daniel Polly, VP, enterprise information security officer, First Financial Bank. Due to the expansion of threat intelligence strategies, tactics and applications, this is an exciting time for security professionals, but it can also be overwhelming. When considering your program’s needs, begin with the following steps:
– Define what threat intelligence means to your organization and the objectives you want to achieve.
– Use curated threat data if possible.
– Leverage expansive threat intelligence repositories.
– Use an aggregation point for analysis.
– Staff or contract an experienced security analyst.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=78dbee09a2&e=20056c7556
Cybrary and WIT partner to help women advance in cybersecurity
A new partnership between IT MOOC platform Cybrary and Women in Technology (WIT), a professional organization for women in the technology field, aims to address two major challenges faced by IT organizations today: a shortage of cybersecurity professionals and a lack of women in technology.
Demand for cybersecurity professionals is growing four times faster than the overall IT job market, and 12 times faster than the total labor market. In 2013, there were more than 200,000 national job postings for cybersecurity positions. What’s more, women make up less than 11 percent of the cybersecurity workforce, according to a March 2014 report by research and analysis firm Burning Glass.
The pilot program with WIT will make Cybrary’s enterprise training platform, which includes extensive security education, available at no cost to WIT members to help advance women and girls in the IT and cybersecurity industries, according to Corey.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=28fc418968&e=20056c7556
Organisations remain unprepared for SQLi attacks, despite popularity
SQLi attacks on web applications most likely in the UK and Norway, an NTT study reveals – even though such attacks are well-documented and understood
The report, based on the analysis of six billion attacks in 2014, said SQLi attacks were the most likely on web applications in the UK and Norway.
SQLi attacks accounted for 26% of web application attacks across all countries, but made up 58% of web application attacks in the UK and Norway. This compared with just 19% in the US and Sweden, 12% in France and Germany and 10% in the Netherlands.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=4bf82fb117&e=20056c7556
US National Vulnerability Database contained … yup, an XSS vuln
The US National Vulnerability Database was itself left vulnerable to cross-site scripting last week.
Security consultant Paul Moore, who brought the issue to our attention, told El Reg that the issue presented “minimal risk depending on how payload reaches the site, but could damage reputation/financial wellbeing of firms with fake CVEs”.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=142f6f1f40&e=20056c7556