[From the desk of Paul Davis – his opinions and no-one else’s, apart from the reporter’s opinions ]
* How should CISOs present a security assessment report?
* Improving Fraud Prevention After SWIFT-Related Heists
* From Efficient to Effective – Why This Matters for Security
* Vic govt gets new cyber security rules
* Belden : Where to Find Hard-to-Get Industrial Security Data
* Kenya mulls computer and cybercrime law
* Study: Encryption use increase largest in 11 years
* Italian cybercrime up 30% in 2015 – study
* Hacked stock exchanges must be up and running in 2 hours
* How to enhance protection of your surveillance system against cyber attacks [Slideshow]
* Cyber-threats In 2016: Evolution, Potential, And Overcoming Them
* Identify the “who” in risk mitigation
* Mideast oil and gas sector faces wider cyberattacks
* New Russian law to force service providers to decrypt encrypted comms
* 91% of airlines invest in cyber security for today’s connected world of travel
How should CISOs present a security assessment report?
The board of directors has many responsibilities, and because of an increasing amount of highly publicized data breaches, information security is gaining importance on the board’s agenda.
Board members are typically not technical, so they rely on the CISO to provide assurance that the company will not become another statistic, and if it does, the losses will be minimal, and recovery will be smooth and timely.
A CISO security assessment report should document the state of compliance with regulations, laws and internal policies.
The state of compliance report will vary in depth and importance, depending on the industry.
It can be helpful to use a security framework — such as ISO 27002, Cybersecurity Framework or COBIT — to help determine the state of compliance for your enterprise.
A CISO security assessment report should also include a state of security section, which covers all the areas that meet the selected vetted framework objectives.
An outlook report is another important part of a CISO security assessment report.
It should detail areas of focus for the future.
The outlook should be aligned with the overall strategic business model of the company.
The CISO should state attack vectors that will come into play once the business model expands, even though they may be currently nonexistent.
Board members do not want to be buried in minutiae.
They need to know from a high level if there are areas of concern for security that need attention.
Make it graphical, understandable and use board vernacular — do not use technical jargon that will lose your audience.
CISOs typically have five to 15 minutes to present the security assessment report, so plan accordingly.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=be4e4cfd03&e=20056c7556
Improving Fraud Prevention After SWIFT-Related Heists
In an interview with Information Security Media Group, Davies says that more U.S. banking institutions are improving their ability to analyze and monitor various transactions in an effort to prevent all types of fraudulent transactions. “They’re really monitoring that historical behavior, looking for deviations, pulling data into consortium models provided by their vendors and looking at analyzing those transactions to make sure that if something is anomalous, they can stop the transaction before it’s actually released into the settlement infrastructure,” he says.
Banks need to go far beyond using multifactor authentication, Davies stresses. “There are really a number of risks that need to be dealt with, and probably the best way to do that is to … look at some behavioral monitoring of the initiation of these high-value payments,” he says.
During this interview, Davies also discusses:
– Why the U.S. must consider establishing a centralized settlement system before deploying real-time payments;
– How core banking processors and vendors are helping institutions analyze data to predict fraud;
– How real-time payments could enhance commerce and improve security.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=72ee2a9bda&e=20056c7556
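The behavioral monitoring Davies describes (compare a new high-value payment against the originating account's historical behavior and hold it before it reaches the settlement rail) can be illustrated with a small baseline check. This is an added example, not code from the interview or from any bank or vendor; the payment records, account identifiers, the z-score threshold and the "hold/release" decision are all constructed assumptions.

```python
"""Behavioral baseline check for outbound high-value payments.

Hypothetical illustration: each account's previously released payments
form its baseline, and a new instruction is reviewed against that
baseline before release. All data below is constructed.
"""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List


@dataclass(frozen=True)
class Payment:
    account: str        # originating account (constructed id)
    beneficiary: str    # beneficiary identifier (constructed)
    country: str        # beneficiary bank country code (constructed)
    amount: float       # amount, single currency assumed


# Constructed history of previously released payments, keyed by account.
HISTORY: Dict[str, List[Payment]] = {
    "ACC-100": [
        Payment("ACC-100", "BEN-A", "DE", 12000.0),
        Payment("ACC-100", "BEN-A", "DE", 11500.0),
        Payment("ACC-100", "BEN-B", "DE", 13000.0),
        Payment("ACC-100", "BEN-A", "DE", 12500.0),
        Payment("ACC-100", "BEN-B", "DE", 11800.0),
        Payment("ACC-100", "BEN-A", "DE", 12200.0),
    ],
    # An account whose history is perfectly flat (edge case: stdev == 0).
    "ACC-200": [Payment("ACC-200", "BEN-C", "US", 5000.0)] * 4,
}


def baseline(history: List[Payment]) -> dict:
    """Summarise an account's past payments into a comparison profile."""
    amounts = [p.amount for p in history]
    return {
        "mean": mean(amounts),
        "stdev": pstdev(amounts),
        "max": max(amounts),
        "beneficiaries": {p.beneficiary for p in history},
        "countries": {p.country for p in history},
    }


def review(payment: Payment, history: Dict[str, List[Payment]],
           z_threshold: float = 3.0) -> List[str]:
    """Return the deviations found for one payment; empty means no concern.

    Deviations checked: unusually large amount relative to history,
    a beneficiary never paid before, and a beneficiary country never used.
    """
    past = history.get(payment.account, [])
    if len(past) < 3:
        # No usable baseline: route to manual review rather than guess.
        return ["insufficient_history"]
    base = baseline(past)
    reasons: List[str] = []
    if base["stdev"] > 0:
        z = (payment.amount - base["mean"]) / base["stdev"]
        if z > z_threshold:
            reasons.append("amount_deviation")
    elif payment.amount > base["max"]:
        # Flat history: anything above every past payment is a deviation.
        reasons.append("amount_deviation")
    if payment.beneficiary not in base["beneficiaries"]:
        reasons.append("new_beneficiary")
    if payment.country not in base["countries"]:
        reasons.append("new_country")
    return reasons


def decide(payment: Payment, history: Dict[str, List[Payment]] = HISTORY) -> str:
    """Hold the instruction for review if any deviation was found."""
    return "hold" if review(payment, history) else "release"


if __name__ == "__main__":
    routine = Payment("ACC-100", "BEN-A", "DE", 12300.0)
    unusual = Payment("ACC-100", "BEN-Z", "PH", 81_000_000.0)
    print(decide(routine), review(routine, HISTORY))
    print(decide(unusual), review(unusual, HISTORY))
```

The point of the design is that the decision is made before release: a held payment goes to a human or a second system, and the reasons list tells the reviewer which behavioral attribute deviated. A real consortium model would draw on cross-institution data and many more features; the threshold here is an arbitrary assumption.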
From Efficient to Effective – Why This Matters for Security
Repetition drives excellence.
Usually.
That’s what experience teaches us.
With limited resources at your disposal, you as the security leader should work hard to make your team as efficient as possible.
Minimize distractions by keeping your team shielded from one-off type of work when possible and streamline your toolset.
Optimizing processes is a surprisingly effective way to improve security overall, and a nice side effect is that it increases job satisfaction.
Imagine actually being able to get good at something, rather than just running around putting out fires.
Clearly, efficiency is extremely important, but what good is efficiency when it does not serve the company’s actual needs?
I’m confident we all know at least one organization out there that’s extremely efficient at security activities but is fairly ineffective at minimizing the impact of key technology risks.
Just because you’re good at something, does it matter if no one cares that you’re doing it well?
Effectiveness is measured differently than efficiency.
While we measure efficiency in spent cycles and average time for closed tickets, we mostly measure effectiveness through improved uptime and productivity.
If there are five levels of maturity in our model—Aware > Reactive > Adaptive > Purposeful > Strategic—where does effectiveness really come into play?
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=f60b14bb6d&e=20056c7556
Vic govt gets new cyber security rules
Victoria’s infosec and privacy watchdog has handed down a new set of cyber security rules that will force agency chiefs to attest to their compliance with minimum infosec standards each year.
The plan [pdf] – known as the Victorian protective data security framework (VPSDF) – comes two-and-a-half years after the previous Victorian government promised the state a formal strategy authored by infosec veteran Alastair MacGibbon.
The framework itself, however, is light on prescriptive or practical demands on how agencies should actually build security into their systems and operations.
Instead, it lists a number of documents and policies it expects applicable agencies will have in place, including:
– An organisation-specific security management framework, plus policies and procedures to see it embedded into day-to-day business practices, preferably aligned to ISO/IEC 27001
– An access management regime governing who can access data and how
– Mandatory security training for staff and awareness programs centred on their data handling obligations
– A formal incident management plan
– A business continuity management plan, and
– Contract terms that ensure third party suppliers also comply with Victorian data standards when they come into contact with public sector information.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=24abc3f25e&e=20056c7556
Belden : Where to Find Hard-to-Get Industrial Security Data
A common best practice in any field is to benchmark performance or results against industry norms.
In the case of industrial control systems (ICS), security breach benchmarking is a challenge.
There isn’t a lot of data available and the data sets that are available are not as extensive or as granular as one would like.
Informal information sharing occurs through government bodies, consulting firms and security vendors as well as at conferences.
Unfortunately, it’s not available to many people involved with designing and operating network infrastructure in the manufacturing and process control fields.
This article provides a list of freely available information on the state of industrial security and provides some context for each source.
Data Specifically about ICS Security:
a) SANS ICS Security Survey – Quantitative Data and Good Recommendations
b) ICS-CERT – U.S.-Focused Data for Critical Infrastructure Industries
c) RISI – Historical Industrial Security Data
d) Fee-based ICS Security Reports
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=e80973f94d&e=20056c7556
Kenya mulls computer and cybercrime law
Kenya is fast-tracking the Computer and Cyber Crimes Bill 2016 to have the law in place before the end of the year.
ICT Cabinet Secretary Joe Mucheru said the Bill will be launched next week for participation and input of the public before it is taken to the National Assembly, Senate then Attorney-General office.
Mucheru said the Bill borrows heavily from international standards with input from experts in Europe, Inter-Agency Committee for Formulation on Cyber-crime and the Budapest Convention on Cybercrime.
The offences under the draft Bill carry a penalty of KES 20 million or 20 years’ imprisonment.
Mucheru said the Draft Bill emanates from great public interest, arising out of the need to tame the abuse of web based systems and the rise in cyber crime.
Mucheru said there is great public interest and concern over the rise of computer and cyber related crime, as some laws were enacted long before the republic adopted new technologies such as M-Pesa, mobile internet and Wi-Fi.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=eaadeaeb26&e=20056c7556
Study: Encryption use increase largest in 11 years
Encryption technology spending as a percentage of total IT security budgets has gone down, said John Grimm, senior director of security strategy at Thales e-Security, which sponsored the report.
In 2005, the first year of the report, only 16 percent of enterprises were using encryption extensively.
The percentage increased gradually to 34 percent last year, then jumped to 41 percent this year.
According to Grimm, encryption is now built into many tools, so enterprises don’t have to buy it separately.
In addition, competition and advances in technology have lowered prices for stand-alone products.
The financial sector was in the lead, with 56 percent of companies using encryption extensively, followed by the health care and pharmaceutical industry.
Manufacturing lagged the furthest behind, at 25 percent.
When it came to specific applications, databases had the highest use of encryption technology, followed by Internet communications, laptop hard drives, and backups.
In fact, only 44 percent of organizations said that they protected data at rest in the cloud using encryption, 17 percent used tokenization or another method, and 39 percent stored the data in clear text.
Out of those companies that do protect data at rest in the cloud, 44 percent encrypt the data before it is sent to the cloud, 21 percent encrypt the data while it is in the cloud using tools under their control, and 35 percent allow the cloud provider to handle the encryption.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=d888f25c6a&e=20056c7556
Italian cybercrime up 30% in 2015 – study
Italy’s data protection authority, Garante Privacy, has announced that the number of cybercrimes registered in the country increased by 30 percent last year, led by a 50 percent rise in phishing attacks and a 135 percent surge in the use of ransomware.
Presenting the authority’s annual report in the Italian senate, Garante Privacy chairman Antonello Soro said the cybercrime attacks exploited the widespread inadequacy of the security measures adopted by Italian businesses, which had generally failed to grasp the importance of protecting their IT assets and of treating data protection as a new competitive advantage.
He added that the agency had issued 49 data breach communications in 2015, nearly double those issued in 2014, and collected around EUR 3.4 million in fines.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=707c9372e6&e=20056c7556
Hacked stock exchanges must be up and running in 2 hours
On Wednesday, the Bank for International Settlements (BIS) and International Organization of Securities Commissions (IOSCO), the standard-setting bodies for banking and securities regulators around the world, jointly issued guidelines to ensure the safe operation of FMIs.
“An FMI should design and test its systems and processes to enable the safe resumption of critical operations within two hours of a disruption and to enable itself to complete settlement by the end of the day of the disruption, even in the case of extreme… scenarios,” the guidelines said.
“Notwithstanding this capability to resume critical operations within two hours, when dealing with a disruption, FMIs should exercise judgment…so that risks to itself or its ecosystem do not thereby escalate…” it added.
These are the first internationally agreed guidelines on cyber security for the financial industry.
SEBI was part of the working group on cyber resilience, which framed the guidance.
Regulators in India usually tailor the guidance to Indian requirements, typically within a couple of quarters.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=23bece4031&e=20056c7556
How to enhance protection of your surveillance system against cyber attacks [Slideshow]
Following are the nine areas of a network surveillance system that are most vulnerable, and how IT departments, with their security and facility management departments, can mitigate those risks.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=e689c97c98&e=20056c7556
Cyber-threats In 2016: Evolution, Potential, And Overcoming Them
The current IT landscape is highly disruptive, but it does promise better business outcomes for those who are Internet of Things (IoT) ready and prepared to embrace Big Data.
However, there are some apprehensions about this more connected, omnipresent, and easily accessible data — it opens many doors to hackers, creating room for Cyber threats to seep in.
We are starting with what is trending in the despicable world of cybercrimes:
* Jail Breaking
* Ghostware
* Blastware
Globally renowned research agencies like Gartner mention two more emerging, highly destructive types of malware:
* Headless Worms
* Two–Faced Malware
The First Step To Cybercrime Diagnosis: Accept Your Infection
By the time you realize that critical data has been leaked, hacked or accessed illegally, the damage has been done and little can be done to redeem the lost data or its integrity.
Proceeding With Cybercrime Recovery, Rehabilitation, And Boosting Immunity
Cyber threats will continue to outperform and overpower the best of IT security practices.
So, don’t expect an immediate and future-proof cure.
Sandboxing To Become Malware-Proof. Are You Serious?
Sandboxing does not deserve the faith it is creating, especially among key decision-makers.
It is effective but cannot reveal all the susceptible points of a malware invasion.
Malevolent software creators are equipping themselves with better, surveillance-defying, smartly morphing codes.
The Dummy Malware Prevention Strategy For Everyone: Stay Awake
Cybercrimes breed when business environments are not prepared for illicit intrusions.
– Troubleshoot Early
Deterrence can be the best way to approach the problem — establish a perceptive, scalable, and contemporary security network.
– Strategize To Eliminate And Prevent Malware Attacks
A strategically planned malware strategy can rescue you in a crisis and help you regain control over your network without losing too much.
There Is Nothing Like Being Sufficiently Prepared
So you have applied additional coatings around the data to make it immune against penetrative cyberattacks, but can you sleep in the absolute bliss of knowing that your data is genuinely safe?
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=b4fd199b85&e=20056c7556
Identify the “who” in risk mitigation
Adopting risk modeling techniques is one way organizations achieve many important objectives:
– It provides information to the decision maker who may have to prioritize how his/her organization’s budget is allocated for security purposes
– It may have direct influence in how much of the organization’s budget is ultimately devoted to security
– It provides a quantifiable metric as to the potential financial consequences if risk is ultimately assumed and realized
Another “who” in the equation are the organization’s customers and/or clients.
This group is integral for an organization that relies on their patronage in order to succeed and grow as a business.
Protecting this relationship is essential for sustained business operations and continuity.
Taking this “who” into consideration when drawing up risk management plans is increasingly important.
Just because consumers are forgiving, doesn’t mean that organizations should rely on them being so.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=94c6aaec00&e=20056c7556
Mideast oil and gas sector faces wider cyberattacks
According to Repository of Industrial Security Incidents (RISI) data, cyberattacks against oil and gas organisations in the Middle East make up more than half of the recorded instances.
By comparison, in the US and other Western countries they make up less than 30 per cent of the recorded instances.
The dangers posed by large-scale threats are significant, given the physically expansive infrastructure of oil and gas production and distribution.
For instance, the ramifications of a successful cyberattack on an oil and gas company in the Middle East could carry grave implications on national security.
In most countries in the region, the oil and gas sector is the main source of income for the government and accounts for 60 to 70 per cent of fiscal spending resources.
This, of course, raises three pivotal questions: Why are oil and gas companies in the Middle East more vulnerable to attacks?
How can organisations that have fallen victim to cyberattacks ensure a quick recovery?
And what can they do to fend off future attackers?
According to Jebin George, senior research analyst at research firm International Data Corporation, IT spending by the Middle East oil and gas sector is expected to grow to $1.83 billion in 2016, compared to $1.77 billion in 2015.
Another critical point of vulnerability is information flow enforcement.
If false data is fed into the system or information is “siphoned off”, most companies would likely never know that for a fact — it could even go completely undetected.
There is wide speculation that the colossal malware attack on oil giant Saudi Aramco’s systems in 2012 was actually a cover-up for earlier information flow breaches.
The potential points of attack are plenty.
Transactions in the oil and gas arena are broad in scope and range from sensitive information on well sites to end-user consumption at the pumps.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=2e356b0609&e=20056c7556
New Russian law to force service providers to decrypt encrypted comms
An extremely wide-ranging anti-terrorism law was passed last week by the lower house of the Russian Federal Assembly (i.e. parliament), and it is widely expected to pass the upper house without a hitch and be signed into law by president Putin within the next few weeks.
Proposed by right-wing politician Irina Yarovaya, the new law will bring tougher punishments for extremism and international terrorism and make failure to report a crime, as well as justifying terrorism on social media, a criminal offense; it will also force telecoms and ISPs to store data and metadata for years, and online services that offer encrypted communication to help the Russian intelligence agency (the FSB) decipher any message sent by their users.
Those information distributors that offer encrypted communications and information will have to aid the FSB in decrypting it and will be fined if they refuse to do so.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=de8117251d&e=20056c7556
91% of airlines invest in cyber security for today’s connected world of travel
As the connected world of travel becomes a reality, 91 per cent of airlines plan to invest in cyber security programmes over the next three years.
This is according to the SITA Airline IT Trends 2016 Survey published on Wednesday.
The level of commitment to cyber security reflects the consensus that a lot is being done in this area but there is always more to do.
The focus on cyber security also reflects the move to the ‘Internet of Things’ (IoT) in which a vast number of physical objects will become connected to the internet.
This enables tracking, data collection, analysis and control, which necessitates more security.
An overwhelming majority of airlines (68 per cent) are investing in IoT programs in the next three years, up from 57 per cent this time last year.
A key area of IoT investment is in connected aircraft which 46 per cent of airlines believe will give a better passenger experience.
Today 37 per cent of airlines operate connected aircraft and this will jump to two thirds by 2019.
Currently ‘Internet via passenger devices’ is the service offered by most (33 per cent).
Over the next three years big increases in services are expected with more than half of airlines planning to provide destination services and duty-free shopping apps, while 70 per cent plan to provide multi-media file streaming on passenger devices.
Other trends of note are the move to more software development in-house and the shift to outsource IT operations.
In future a growing proportion of airline IT budgets is likely to be spent on innovation rather than service continuity with innovation rising to 36% of overall IT and telecommunications spend in 2016.
Despite the fact that airlines have baggage tracking as part of their IoT plans, one quarter have no specific IT investment plans for compliance with IATA’s Resolution 753.
However, 77 per cent see a major benefit in improving customer satisfaction from compliance to the Resolution.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=8128b815fa&e=20056c7556 (http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=5ddb75c134&e=20056c7556)
============================================================
Feedback, questions? Our mailing address is: dailynews@paulgdavis.com (mailto:dailynews@paulgdavis.com)
If you know someone else who would be interested in this Newsalert, please forward this email.