[From the desk of Paul Davis – his opinions and no-one else’s]
Apart from the reporter’s opinions.
Also, would it help to include a table of contents at the beginning of the email? This would make the email message longer, but might make it easier to jump to the sections you are interested in. Send an email to mail@paulgdavis.com if you think it is a good idea.
So onto the news:
New European police centre to fight terrorism
A new European counter-terrorism centre opening this month will improve information-sharing among national police forces whose performance is under scrutiny after the jihadist attacks in Paris in November, the director of Europol has told AFP.
Although the creation of the centre was announced seven months before the Paris attacks, the coordinated shootings and suicide bombings in the French capital by a team mainly based in neighboring Belgium have given the 28-country project new impetus.
The centre at Europol’s headquarters in the Hague will also monitor the way in which Islamic State (IS) and other extremist groups “are abusing the Internet and social media, in particular for their propaganda and recruitment purposes,” he added.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=310db3cdcd&e=20056c7556
Cost of data breach investigations might rise in light of US case against IT security company, says expert
Cyber liability specialist Ian Birdsey of Pinsent Masons, the law firm behind Out-Law.com, said the threat of legal action could result in IT security companies taking longer to carry out investigative work they have been contracted to undertake in the aftermath of a data breach.
Birdsey was commenting after Affinity Gaming, a casino operator in the US, launched legal action against IT security company Trustwave.
Affinity Gaming has claimed that Trustwave had made false representations about the security of data on Affinity Gaming’s systems.
Birdsey said that the US case might encourage IT security companies to take steps to minimise their liability.
“This might include amending letters of engagement to address the new threat of legal action against them,” Birdsey said. “They could also seek to revise contractual terms on limitations and exclusions in an attempt to avoid liability for losses stemming from any gaps that are later found in their work or findings.”
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=407ec77d27&e=20056c7556
Securing our smart infrastructure
In recent months, two major cyber security breaches have come to light.
One, the website of the Indian Space Agency’s commercial arm, Antrix Corporation, was hacked.
The hackers succeeded in defacing the homepage with an article about 300 kids from Cape Town getting American Major League jerseys at cheap prices from China.
And, second, the Oil and Natural Gas Corporation Ltd (ONGC) is alleged to have lost R197 crore after cyber criminals duplicated the public sector firm’s official e-mail address with minor changes and used it to convince a Saudi Arabia-based client, Aramco, to transfer payments to their account.
Both of these incidents are a grim reminder to the government as well as businesses that a lot needs to be done when it comes to cyber security in the country.
With the government embarking on the creation of a digital highway and the building of smart cities, cyber vulnerabilities need to be reduced to ensure that hackers are unable to use that same digital highway and smart platform to steal vital information.
Unfortunately, the under-reporting of cyber security incidents is the norm these days.
Globally, security companies are witnessing subdued demand for anti-virus solutions, leading to an enhanced focus on the enterprise market.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=eaf30307ab&e=20056c7556
No One Knows How Much Cybercrime Really Costs
“Many of the private-sector reports are basically marketing brochures from organizations with a strong interest in scaremongering,” says Ross Anderson, a professor of security engineering at the University of Cambridge.
And law enforcement agencies and police don’t have good statistics on the incidence and costs of cybercrime because they have not updated their operations for the Internet era as well as criminals have, he says.
A European Union research project recently concluded that a lack of clear figures on costs was preventing companies as well as governments and law enforcement from making good decisions about security.
Anderson and colleagues at Cambridge are in the process of setting up a new research center that could help clear up that confusion.
The Cambridge Cloud Cybercrime Center will operate as a kind of clearinghouse for data from major companies, data that can be mined to discover the patterns of criminal activity. “We’ve got to be able to measure cybercrime to be effective in doing anything about it,” says Anderson.
Talks are under way with Google, Yahoo, and others interested in donating data.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=479008bf88&e=20056c7556
CISOs should take security training seriously
A once-a-year, classroom-based approach may be traditional, with security updates and warnings posted on walls and the Intranet, but it is also a sign of a tick-box, compliance-driven approach to security.
It is often done to appease industry regulators, PCI and data protection authorities, and the training can offer relatively basic, arguably condescending, advice.
But times are changing.
The threat landscape is growing with the arrival of millions of mobiles and wearables, each with their own IP address, while organized crime and nation-state APT groups are looking at new ways of compromising victims.
From exploit kits and Trojans to ransomware, phishing and social engineering scams: the criminal game has moved on.
One study, commissioned by ClubCISO last year, found that 21 percent of CISOs had “never” given security training, with a further 21 percent indicating that they only did so when new staff joined the company.
Thirty-seven percent said they carried out training on an annual basis and another 21 percent agreed that this was carried out “frequently”.
It is clear that establishing a positive training program must start with board backing.
The experts are mixed on the new trend for “gamifying” training, though.
Sjouwerman says that phishing games between departments can drive lower click rates, but Wood stresses that it must not be a gimmick, and must be joined up with an existing program.
Starnes, who urges CISOs to establish KPIs to establish training effectiveness, adds: “There cannot be a culture of blame.
I would rather have someone recognize they have made a mistake and notify security.
If they do not notify security because they are concerned they may be punished, your awareness program has failed at the worst possible time.”
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=ef5c16c7b8&e=20056c7556
Vital OpenSSL patch coming
So, when Mark Cox, senior director of Red Hat product security and a founding OpenSSL member, writes the “OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.0.2f and 1.0.1r, [which] will fix two security defects, one of ‘high’ severity affecting 1.0.2 releases, and one ‘low’ severity affecting all releases”, I pay attention.
A high severity OpenSSL bug is defined as including “issues that are of a lower risk than critical, perhaps due to affecting less common configurations, or which are less likely to be exploitable.
These issues will be kept private and will trigger a new release of all supported versions.” This is not as bad as a critical hole but I’ll be updating my servers as soon as the patches are available.
The patches will be made available on 28th January between approximately 1 PM and 5 PM, Coordinated Universal Time (UTC).
Sources at Canonical, Red Hat, and SUSE tell me that they’ll make these patches available on their Linux distributions on the same day.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=efd1b4ca10&e=20056c7556
APAC Banks Say They are Most at Risk from Data Breaches at Large Retailers and Telcos in 2016
Read more at http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=057b65c950&e=20056c7556
FICO Survey: 100 percent of respondents say data breaches in other industries will harm financial institutions this year
38 percent of respondents ranked large retailers as being at the greatest risk for a data breach in 2016, with another 35 percent of respondents choosing telecommunications companies.
By contrast small business (25 percent) and healthcare (22 percent) were voted as the industries least likely to be at risk of a data breach in 2016.
100 percent of respondents said data breaches in other industries will impact financial institutions
72 percent of respondents see a significant rise in the volume of threats from mobile commerce and mobile-first consumers in APAC, with another 22 percent expecting a modest increase.
APAC fraud executives were also asked which factors might inhibit their own organization’s ability to stop a data breach. 24 percent nominated low security awareness amongst employees as the number-one factor, with another 21 percent saying a lack of budget was to blame. 40 percent ranked too many siloed operations as their number-two issue.
Read more at http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=2b31f0231f&e=20056c7556
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=18828db314&e=20056c7556
EU Parliament Panel OKs Network Security Directive
Jan. 14 – Web services that are established in European Union member states, including Amazon.com Inc. and Google Inc., would be required to submit their cybersecurity procedures to the oversight of EU national authorities under a proposed directive approved by the European Parliament’s Internal Market Committee Jan. 14.
The directive, formally known as the Network and Information Security (NIS) Directive, would require EU countries to identify critical service providers that could fall victim to cyberattacks, and to then validate the companies’ cybersecurity measures.
The directive would also create a reporting obligation, under which critical service providers would be obliged to notify the authorities of serious cyberattacks on their networks.
The directive would cover attacks on systems, rather than data breaches.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=ffbec0c191&e=20056c7556
65% Say Cloud As Secure As On-Premises
Another is a just-released report from the Cloud Security Alliance (CSA), “The Cloud Balancing Act for IT: Between Promise and Peril,” which says 64.9% of security officers and IT managers think the cloud is at least as secure as their on-premises software.
Security of data in the cloud is still a major concern, though: Some 67.8% said that they were concerned they couldn’t enforce their own security policies in the cloud, and 61.2% said that they remained concerned about meeting compliance requirements.
Of the 64.9% who say the cloud is at least as secure as on-premises software, 47.1% say cloud security is equal to and 17.8% say it’s better than what they have on premises.
Perhaps the most surprising conclusion to come out of it was the revelation that 24.6% of respondents said they’d rather pay a ransom to hackers than face the consequences of a successful attack on their systems.
Fourteen percent said they would pay as much as $1 million to get an intruder threat or data-ransom problem to go away.
Two-thirds of organizations concerned about data security have a CISO, while only 50% of those less concerned about security have one.
According to the report, the largest barriers to detecting data loss in the cloud included: lack of skilled security professionals to maximize full value of new technologies (surveyed at 30.7%), lack of internal strategy to operationalize threat intelligence data (at 26.5%), lack of budget to acquire new technologies that detect cloud breaches (at 22.9%), and lack of actionable analytics around threat intelligence data (at 19.9%).
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=6bcd5bad4b&e=20056c7556
‘Artisanal spam’ fashions emails in a new kind of cyberattack
A new kind of attack, so-called “artisanal spam,” targets smaller groups with painstakingly crafted messages, with the aim of breaking through spam-filtering algorithms and achieving a higher rate of success.
Patrick Peterson, CEO of U.S. cyber-security firm Agari Data, says his company started noticing the attacks between six and nine months ago.
Since then, he estimates, these kinds of attacks have numbered “in the low hundreds,” although he notes that it can be hard to track such relatively small attacks.
This new method of spamming, said Peterson, is more likely to slip through the spam filters built into most email clients, and more likely to get criminals what they want: account credentials like usernames and passwords, as well as potential targets for malware attacks.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=40dac0ec2c&e=20056c7556
New Rhode Island Law Protects Victims of Businesses’ Data Breaches in 2016
To ensure that Rhode Islanders are adequately protected, the Rhode Island General Assembly has recently enacted legislation addressing data breaches.
The Identity Theft Protection Act of 2015 (the “2015 Act”), which will go into effect in June 2016, repeals and replaces a 2005 breach notification law and contains a number of key provisions.
The 2015 Act clarifies uncertainties that have resulted from prior identity theft laws and expands the protections afforded to Rhode Island residents, including imposing specific notification requirements on companies in the event of the breach.
Under the 2015 Act, persons (including individuals and businesses), municipal agencies, and state agencies must protect the personal information of Rhode Island residents that they store, collect, process, maintain, acquire, use, own or license.
A resident’s “personal information” is defined broadly and includes: social security number; driver license number; account number, credit or debit card numbers, with any required code or password that would permit access to an individual’s financial account; medical and health insurance information; and email addresses with any required code or password that would permit access to an individual’s personal, medical, insurance or financial account.
The 2015 Act also expands protection to paper records and unencrypted electronic information.
The 2015 Act requires that the listed entities handling residents’ personal information must implement a “risk-based information security program which contains reasonable security procedures and practices appropriate to the size and scope of the organization, the nature of the information and the purpose for which the information was collected.” Personal information must be destroyed in a secure manner and should not be retained for any longer than necessary or the period of time required by law.
The 2015 Act also imposes civil penalties for violations of up to $100 or $200 per record, depending on whether the disclosure or breach was reckless or knowing and willful.
However, unlike the previous legislation, the 2015 Act does not cap the total amount of penalties.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=0aa01a6c51&e=20056c7556
Amazon Certificate Manager Brings Free SSL Certs to AWS Users
The company announced late last week that it launched a certificate manager to expedite the process of securing SSL/TLS certificates for customers looking to add HTTPS to their sites or apps.
Jeff Barr, Chief Evangelist for Amazon Web Services, discussed the move in a blog post last week.
Barr claims the manager will provision SSL certificates verified by Amazon’s certificate authority (CA) and Amazon Trust Services (ATS) for free.
For the time being only customers who use Amazon Web Services Elastic Load Balancing or its content delivery network, Amazon CloudFront, can apply for certificates.
The move follows in the footsteps of the Let’s Encrypt initiative, a free certification authority that the Electronic Frontier Foundation, Mozilla, and a handful of other tech companies got off the ground last year.
Cloudflare rolled out a similar initiative a few years back, providing SSL certs to its customers and accepting HTTPS connections for most of their domains.
In Amazon Web Services’ Certificate Manager: User Guide (.PDF), published last week, the company made it clear that it can fail requests for ACM certificates if the domain is believed to contain malware or phishing content, but it doesn’t state how active it will be when it comes to patrolling the sites it grants these free certificates to.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=e365c39a82&e=20056c7556
The Tor Project Raises $200K Through Crowdfunding
Over $205,000 was raised from more than 5,200 donors.
Contributions were made from personalities such as Laura Poitras, the Citizen Four director; Shari Steele, former EFF executive director; Alison Macrina, the founder and director of the Library Freedom Project; and Tor Project co-founder Roger Dingledine.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=1e9ec76248&e=20056c7556
UpGuard, Formerly ScriptRock, Unveils First FICO-Like Score for Cybersecurity and Compliance
MOUNTAIN VIEW, CA — (Marketwired) — 01/26/16 — UpGuard (www.upguard.com), formerly ScriptRock (www.scriptrock.com), today unveiled its Cybersecurity Threat Assessment Report (CSTAR), the industry’s first and only comprehensive and actionable cybersecurity preparedness score for enterprises.
UpGuard’s CSTAR is a FICO-like score that allows businesses to measurably understand the risk of data breaches and unplanned outages due to misconfigurations and software vulnerabilities, while also offering insurance carriers a new standard by which to more effectively assess risk and compliance profiles.
UpGuard’s expertise in configuration anomaly and vulnerability detection allows for a complete picture of an organization’s cybersecurity preparedness.
An organization’s CSTAR represents a company’s aptitude in the areas of compliance, integrity and security across all servers, network devices and cloud applications.
UpGuard customers can trace changes in their CSTAR evaluation down to the smallest building blocks of information technology and use the full report to then remediate potential risks, creating a safer environment for customer data and lowering insurance costs.
Thousands of customers worldwide already use UpGuard’s technology to validate mission-critical infrastructure and continuously detect potential risks.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=15a3e53e39&e=20056c7556
============================================================
Feedback, questions? Our mailing address is: dailynews@paulgdavis.com (mailto:dailynews@paulgdavis.com)
If you know someone else who would be interested in this Newsalert, please forward this email.
If you want to be added to the distribution list, please click this: Subscribe to this list (http://paulgdavis.us3.list-manage.com/subscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a)
Unsubscribe from this list (http://paulgdavis.us3.list-manage2.com/unsubscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556&c=d6d4d72937)
Update subscription preferences (http://paulgdavis.us3.list-manage1.com/profile?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556)