
CyberSecurity Institute

Security News Curated from across the world


Posted on September 11, 2016 | December 30, 2021 by admini

[From the desk of Paul Davis – his opinions and no-one else’s]
Apart from the reporter’s opinions 😉
So onto the news:

Survey Reveals Spear Phishing as a Top Security Concern to Enterprises
According to the survey, released today, almost two thirds of IT decision makers interviewed say spear phishing ranks as either their organization’s top security concern (20 percent) or among their organization’s top three (42 percent) security concerns.
It is clear that IT security professionals recognize that spear phishing is a primary avenue of risk and vulnerability facing organizations today.
Of the respondents, 84 percent reported that a spear phishing attack had penetrated their security defenses in the past 12 months.
These statistics point to a widespread inability to defend against these attacks.
In addition, the respondents said that spear phishing was responsible for 38 percent of cyberattacks on their enterprises.
These attacks are costly.
Respondents reported that the average cost of a spear phishing attack across all companies was $1.6 million.
One in six companies reported a decrease in stock price as the result of a spear phishing attack.
Email remains the most popular spear phishing medium, respondents said, with 90 percent reporting spear phishing attacks against their company via email.
Spear phishing on mobile platforms was the second most likely with 48 percent of respondents reporting this method.
Third most likely was social networks, with 40 percent.
Removable media was reported by respondents as being targeted by 30 percent of spear phishing attacks.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=d6623b132a&e=20056c7556

Rapid7 Research Study Finds Compromised Credentials a Top Concern for 90 Percent of Security Professionals
BOSTON, Jan. 13, 2016 (GLOBE NEWSWIRE) — Rapid7, Inc. (NASDAQ:RPD), a leading provider of security data and analytics solutions, today released the results of its 2015 Incident Detection and Response Survey.
The survey includes findings from hundreds of security professionals at organizations of varied sizes across the globe on their biggest security concerns and planned initiatives for 2016.
Punctuating the results were two key points: (1) 90% of organizations are worried about compromised credentials, though 60% say they cannot catch these types of attacks today; and (2) 62% of organizations are receiving more alerts than they can feasibly investigate.
In an effort to better monitor their IT environments, security teams are investing further in incident detection and response solutions to detect and contain compromise when it occurs.
However, while 55% of organizations say they are using a SIEM (Security Information and Event Management) to aid with incident detection and response, alarmingly, 62% of these organizations report receiving more alerts than they can handle.
In addition, SIEMs are not being used to monitor cloud services in use, leaving organizations blind to this important part of modern IT environments.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=6609601a36&e=20056c7556

Speak management’s language to secure your 2016 cybersecurity budget
If you prepare a well-explained justification for your cybersecurity budget using terminology and language understandable by management, your chances of getting the budget approved without modifications will at minimum double.
For example, let’s take a budget required to protect the front-end of a midsize e-commerce website.
To stay simple, we will not calculate the risks of chained attacks, such as Advanced Persistent Threats.
Instead, we will base our ROI calculations on direct financial loss prevention: if by spending £10 you can prevent a highly probable annual loss of £100, your management will happily allocate the £10.
Often, the problem is to prove that you really need £10 (and not just £7 or £8) and that the risk(s) mitigated by the £10 spend really do cause a highly probable £100 direct loss to the organisation.
Potential financial loss per incident is a bit trickier, as it consists of numerous factors and sub-factors.
Cyber threats will now affect Moody’s ratings, however it’s a very subjective impact as it’s almost impossible to predict if a particular data breach will impact the rating.
The same difficulty applies for reputational losses, stock options drop, and all other high-profile losses related to a data breach.
Even if such a huge ROI may be subjective from a purely technical point of view, it will definitely convince your management better than a long saga about the dangers of blind XSS attacks.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=535dc75a57&e=20056c7556

Will FFIEC Revamp Cyber Assessment Tool?
In response to banking institutions’ requests for clarification of the Cybersecurity Assessment Tool, the Federal Financial Institutions Examination Council is taking a preliminary step that could lead to refinements.
The FFIEC recently reopened its comment period for the tool, which was issued in July.
It’s accepting comments through Jan. 15, according to a notice in the Federal Register from the Office of the Comptroller of the Currency, the lead agency for the FFIEC.
The FSSCC wants the FFIEC to clarify how it uses the tool during IT examinations.
Although the FFIEC originally marketed the tool as a voluntary cyber-risk assessment aid, banking institutions report that regulatory examiners are using the tool as part of their IT examination process, Dalpiaz says.
Some banking leaders are concerned that certain recommendations in the tool conflict with the National Institute of Standards and Technology’s cybersecurity framework, which was released in February 2014.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=6cb4d9820f&e=20056c7556

The CSO IoT Survival Guide
While CSO has been discussing what IoT means for security for a number of years now, the risks are much less hypothetical now, and we are starting to see real world incidents and research, including everything from security systems to automobiles having been shown to be vulnerable to attack.
All of this could prove to be a real security headache as everything from corporate fleets to manufacturing floors to smart buildings become “end-points” CISOs must protect.
How are IoT vendors doing so far?
Consider this quote from Marc Blackmer, product marketing manager, Industry Solutions, at Cisco, from this Q&A with Network World editor in chief John Dix: “IoT is the Wild West right now.
We don’t know what it’s going to look like, where it’s going.
We’re right at the cusp and, while there’s a lot of opportunity, there is an intrinsic vulnerability because too often security is bolted on after the fact.
So what concerns me is a rush to market to take advantage of the opportunities and not building in the necessary security and privacy protections, meaning we have to patch that together down the road,” Blackmer said.
Security researchers from Hewlett-Packard found 250 security issues when analyzing 10 popular IoT devices.
The Internet of Things (IoT) will usher in a new era of network intelligence and automation, but its arrival raises a host of serious security questions.
Network World Editor in Chief John Dix explores the topic in depth with four experts.
Some Democratic senators want new laws that mandate security and privacy measures on the Internet of Things, as concern grows over personal data collected by connected devices.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=ff19eb4447&e=20056c7556

UPDATED: The flaw finder has now posted a proof-of-concept. A number of Ubuntu operating system versions are affected by the flaw, among other distros.
A major vulnerability has been found and fixed in OpenSSH, an open-source remote connectivity tool using the Secure Shell protocol.
The flaw was the result of an “experimental” feature that allows users to resume connections.

According to a mailing list post disclosing the flaw, a malicious server can trick an affected client into leaking client memory, including a client’s private user keys.
The affected code is enabled by default in OpenSSH client versions 5.4 to 7.1.
The matching server code was never shipped, the mailing list said.
A security patch — version 7.1p2 — is now available from the project’s website.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=3c720ccae6&e=20056c7556

A quarter of companies would be willing to pay ransom to hackers
To stop cybercriminals from releasing sensitive information, 14% of companies would pay a ransom in excess of $1 million, according to a survey of 209 information technology security professionals worldwide released Wednesday by the nonprofit Cloud Security Alliance.
One factor influencing willingness to pay is whether or not the company has cyber insurance, which would cover the cost, the report says.
About 28.6% of companies with cyber insurance say they would pay ransom, compared with 22.6% for companies without such insurance policies.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=474c4946f3&e=20056c7556

Building Threat Analyst Centaurs Using Artificial Intelligence
The reason AI has become such a focal point of attention for both researchers and entrepreneurs during the last few years is that several factors are contributing to a “perfect storm”:
Never before has so much information been available in digital form, ready for use.
Computing power and storage capacity continue to grow exponentially, and the cost of accessing these resources in the cloud is continuously decreasing.
Research in algorithms has taken huge strides in giving us the ability to use these new computing resources on the massive data sets now available.
– At the heart of Recorded Future is a structured representation of the world, separated into two parts: ontologies and events.
– Natural language processing (NLP) transforms an unstructured, natural language text into a structured, language-independent representation.
In our system, this means identifying entities, events, and time associated with those events.
There are several steps in this, using different AI techniques:
– The third area where AI techniques are used is for classification of entities and events.
Another application of machine learning is to generate predictive models that can be used to forecast events or classify entities.
We have, for example, created models to predict future risk of social unrest, the likelihood of product vulnerabilities being exploited, and to assess the risk that an IP address will behave maliciously in the future, even though no such activity has yet been observed.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=156fa6c95d&e=20056c7556

22,000 USB sticks go to the dry cleaners
Every year, 22,266 USB sticks and 973 mobile phones go to the dry cleaners in pockets.
Only 53% of memory sticks get returned to their owners.
The figures come from a survey by security software firm ESET.
ESET surveyed more than 500 UK dry cleaners and launderettes in November 2015 and extrapolated results to the 5,839 dry cleaners in the UK.
Along with USB sticks and phones were found: £1,600 in cash, dentures, Viagra pills, condoms, one dead rat, and lasagne and chips, said ESET.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=24298a21cd&e=20056c7556

U.S. official sees more cyber attacks on industrial control systems
MIAMI (Reuters) – A U.S. government cyber security official warned that authorities have seen an increase in attacks that penetrate industrial control system networks over the past year, and said they are vulnerable because they are exposed to the Internet.
“We see more and more that are gaining access to that control system layer,” said Marty Edwards, who runs the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=58a51c1974&e=20056c7556

FSC Checks Financial Institution’s Readiness for N. Korea’s Cyber Attacks
The Financial Services Commission (FSC) has held a meeting to check the security readiness of South Korean financial institutions against cyber attacks by North Korea.
The FSC plans to conduct an on-site security inspection this month of the country’s critical financial infrastructure including the Korean Exchange and the Korea Financial Telecommunications and Clearing Institute.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=f4fef63e4a&e=20056c7556

‘Dark DDoS’ – a growing cyber security threat for 2016
Today’s DDoS attacks are almost unrecognizable from the simple volumetric attacks that gave the technique its name.
These attacks are far more sophisticated, deceptive and frequent.
They are no longer designed simply to deny service, but to deny security, by acting as a camouflage to mask more sinister activities – usually data theft and network infiltration.
We call this kind of attack ‘Dark DDoS’ because it acts as a smokescreen to distract IT teams from the real breach that’s taking place, which could see data being exfiltrated, networks being mapped for vulnerabilities, or a whole host of other potential risks manifesting themselves due to the hackers’ actions.
Dark DDoS is a unique tool in the hacker’s toolkit since it evades many of the DDoS scrubbing center legacy solutions that are still widely adopted today.
Before hackers flood a network with traffic, they tend to search a network for vulnerabilities and find pathways to steal sensitive data.
The vast majority of DDoS attacks experienced by Corero customers during 2015 were less than 1Gbps, with more than 95% of these attacks being just 30 minutes or less in duration.
A traditional scrubbing center approach would miss these attacks entirely, leaving security teams clueless and unprepared in the event of an attack.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=59fea75006&e=20056c7556

Accenture: Firms Must Improve ‘Digital Stewardship’
Businesses need to improve ‘digital stewardship’ and transparency and provide a clear ‘data dividend’ if they’re to win back trust from consumers to use their personal data, according to a new report from Accenture.
Trust in firms’ ability to handle this data securely is at an all-time low, and customers are increasingly being proactive in protecting that data, helped by new privacy-enhancing technologies, Accenture claimed.
And customers now want something in exchange if they’re going to hand over their data.
Almost 60% of respondents to the study from products and manufacturing companies said their customers were proactively monetizing this data.
… with the General Data Protection Regulation set to land in a couple of years.
This will force some larger firms to meet strict “right to be forgotten” and “right to data portability” rules, whilst mandating breach notification for serious data breaches and levying fines of up to 4% of global annual turnover for serious infringements.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=b7e5e3a8ea&e=20056c7556

Business Confidence in Cloud Security Grows
According to a Cloud Security Alliance (CSA) survey, 64.9% of IT leaders think the cloud is as secure or more secure than on-premises software.
This could be the result of the fact that 71.2% of companies now have a formal process for users to request new cloud services.
Also, the volume of those requests is up: Security professionals indicated receiving, on average, 10.6 requests each month for new cloud services.
Customer relationship management (CRM) is the most widely used cloud-based system of record today, but companies have plans to move other systems to the cloud, including sales and HR.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=36b5b78d16&e=20056c7556

Deloitte Analytics: Cybersecurity and a One Million Data Scientist Shortfall Are Trends Shaping Business in 2016
NEW YORK, Jan. 13, 2016 /PRNewswire/ — Organizations are no longer satisfied with simply “locking the doors” where cybersecurity is concerned and are instead going on the offensive by employing more predictive approaches to threat intelligence and monitoring, according to the “2016 Deloitte Analytics Trends” report.
This, along with five other trends detailed in the report, are driving significant changes in the types of investments the C-suite is making to support business priorities.
“Business leaders continue to face many varying challenges and opportunities, and staying ahead of these trends will have a lasting impact on how their organizations will operate in the future,” said John Lucker, principal, Deloitte Consulting LLP. “By going on the offensive with issues such as cybersecurity, organizations are making a strategic shift in the way they operate.
Concurrently, the widening data scientist talent gap could be a business growth barrier.
One thing is certain: effectively using analytics is essential in delivering insights that help achieve new levels of innovation and value.”
Following are the six major trends most likely to significantly impact business in the coming year:
– Cyber security: Offense can be the best defense
– Companies struggle to bridge the data talent chasm
– Man/machine partnerships are getting stronger
– The Internet of Things, and people, too
– Triumph of the scientists
– The rise of the insight-driven organization: Analytics expands across the enterprise
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=a77b970bdb&e=20056c7556

Bromium 2015 Threat Report Highlights Vulnerabilities and Exploits for Popular Applications
Tomorrow, Bromium®, Inc., the pioneer of threat isolation to prevent data breaches, will officially announce the publication of “Endpoint Exploitation Trends 2015,” a Bromium Labs research report that analyses the ongoing security risk of popular websites and software.
The report highlights that software vulnerabilities and exploits in popular applications spiked in 2015 with vulnerabilities increasing nearly 60 percent and Flash exploits increasing 200 percent.
The report also highlights common attack trends, including the resurgence of macro malware, the continuous growth of ransomware and the ubiquitous presence of malvertising.
Key findings from “Endpoint Exploitation Trends 2015” include:
Vulnerabilities and Exploits Spiked in 2015
Macro Malware Makes a Resurgence
Angler Exploit Kit Most Popular
Ransomware Doubled in 2015
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=ce17c5eb37&e=20056c7556
