[From the desk of Paul Davis – his opinions and no-one else’s]
Apart from the reporter’s opinions 😉
So onto the news:
Mature & Unconfident: The Best Information Security Teams Ever!
The organization that is mature and unconfident is the best kind, in my opinion.
These types of organizations took all the same steps as the mature and confident organizations.
What’s the difference?
They are never satisfied.
They always remain hungry.
They are never confident that they are safe.
Organizations that are immature and unconfident are my favorite type of organization to work with.
At first this may seem like a puzzling statement, but hear me out: lack of security maturity may indeed be a weakness.
But if an organization is self-aware enough to honestly evaluate where they stand, it is something that can be overcome.
Which type of organization are you?
I never ask this question of organizations I meet with, for obvious reasons.
It is a question that each organization needs to ask itself and answer honestly.
The resulting introspection and self-awareness may not be comfortable, but it is the best way for an organization to develop a robust and mature security posture based upon security operations and incident response.
Maturity is the key to improving an organization’s security posture, but it is not something that can be arrived at through dishonesty.
Security through maturity and humility is a workable philosophy with proven results for those organizations that are willing to give it a try.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=fa08014db4&e=20056c7556 (http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=a33472e754&e=20056c7556)
The Future of Passwords Isn’t Just Biometric, It’s Behavioral
Motivated, no doubt, by the rash of large-scale online security breaches in recent years, companies like Apple and Google have attempted to move security into a post-password world with features like fingerprint or iris recognition.
Biometric technology represents a vast improvement over strings of letters and numbers, but the future’s most secure passwords will likely also be behavioral.
Our bodies, it turns out, are easier to imitate than our actions.
The two things in concert, well, that’s what makes us recognizable to each other and will soon be what makes us recognizable to our phones and computers.
Swiping.
Fingerprints, the quintessential personal ID, are less replicable than the average string of alphanumerics, which is why devices from the iPhone to the Lenovo ThinkPad are equipped with fingerprint scanners.
Talking.
In addition to carrying a baseline acoustic “voiceprint,” the human voice carries information about variables like cadence, accent, and emotional state, all of which make spoofing harder, as long as authentication rests on the characteristics of speech and not simply on a spoken password, which a recording could easily replay.
Blinking.
Faces can be replicated even more easily than fingerprints and voices.
In addition to recognizing your face, systems like IdentityCheck also require users to blink — verifying that you’re actually there.
Walking.
By analyzing a person’s walk, a phone could determine whether it was in its rightful owner’s pocket without requiring them to actively authenticate.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=93cbde1373&e=20056c7556
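The “Walking” item above describes passive authentication from how a phone moves in its owner’s pocket. The following Python is an added example, not code from the article or from any vendor’s product: it builds constructed accelerometer-magnitude traces in place of real sensor data, extracts three gait features (spread of |a|, step cadence, step-interval regularity), enrolls a template from a few walks, and scores new windows as an RMS z-score against the template. The sampling rate, the per-feature tolerance floors and the acceptance threshold are assumptions chosen for the illustration.

```python
"""Passive gait authentication: an added, illustrative example (not from the
article or any vendor). Accelerometer traces are constructed in-line."""
import math
import random
from dataclasses import dataclass

SAMPLE_HZ = 50.0   # assumed accelerometer sampling rate
WINDOW_S = 10.0    # seconds of walking per decision

# Assumed per-feature minimum tolerances (std of |a| in m/s^2, cadence in Hz,
# step-interval coefficient of variation) so that a template built from a few
# near-identical enrollment windows does not over-fit and reject the owner.
FEATURE_FLOORS = (0.2, 0.15, 0.05)
ACCEPT_THRESHOLD = 3.0   # RMS z-score; an assumed operating point (FAR vs FRR)


def _mean_std(xs):
    mean = sum(xs) / len(xs)
    return mean, math.sqrt(sum((x - mean) ** 2 for x in xs) / len(xs))


def synth_walk(cadence_hz, amplitude, seed, noise=0.15):
    """Constructed |acceleration| trace: gravity + sinusoidal steps + noise."""
    rng = random.Random(seed)
    n = int(SAMPLE_HZ * WINDOW_S)
    return [9.8 + amplitude * math.sin(2 * math.pi * cadence_hz * i / SAMPLE_HZ)
            + rng.gauss(0, noise) for i in range(n)]


def synth_still(seed, noise=0.05):
    """Constructed trace of a phone lying still (sensor noise only)."""
    rng = random.Random(seed)
    return [9.8 + rng.gauss(0, noise) for _ in range(int(SAMPLE_HZ * WINDOW_S))]


def step_times(mag):
    """Seconds at which |a| crosses upward through mean+0.5*std. Hysteresis
    (re-arm only below mean-0.5*std) yields one event per step rather than
    one per noisy wiggle around the crest."""
    mean, std = _mean_std(mag)
    hi, lo = mean + 0.5 * std, mean - 0.5 * std
    armed, steps = True, []
    for i, x in enumerate(mag):
        if armed and x > hi:
            steps.append(i / SAMPLE_HZ)
            armed = False
        elif not armed and x < lo:
            armed = True
    return steps


def gait_features(mag):
    """(std of |a|, cadence in Hz, coefficient of variation of step interval)."""
    _, std = _mean_std(mag)
    steps = step_times(mag)
    intervals = [b - a for a, b in zip(steps, steps[1:])]
    if len(intervals) < 2:            # not walking: no cadence, fully irregular
        return (std, 0.0, 1.0)
    mi, sd = _mean_std(intervals)
    return (std, 1.0 / mi, sd / mi)


@dataclass
class GaitTemplate:
    means: tuple
    tols: tuple


def enroll(windows):
    """Per-feature mean and tolerance (observed std, floored) over windows."""
    feats = [gait_features(w) for w in windows]
    means, tols = [], []
    for j, floor in enumerate(FEATURE_FLOORS):
        mu, sd = _mean_std([f[j] for f in feats])
        means.append(mu)
        tols.append(max(sd, floor))
    return GaitTemplate(tuple(means), tuple(tols))


def score(template, mag):
    """RMS z-score of a window against the template; lower is more owner-like."""
    f = gait_features(mag)
    zs = [(x - m) / t for x, m, t in zip(f, template.means, template.tols)]
    return math.sqrt(sum(z * z for z in zs) / len(zs))


def is_owner(template, mag):
    return score(template, mag) < ACCEPT_THRESHOLD


# Enrollment from five constructed walks of the same person (cadence 1.8 Hz).
OWNER = enroll([synth_walk(1.8, 2.0, seed) for seed in range(5)])

if __name__ == "__main__":
    for label, trace in (("owner", synth_walk(1.8, 2.0, 99)),
                         ("impostor", synth_walk(2.6, 3.5, 99)),
                         ("still", synth_still(7))):
        print(f"{label:9s} score={score(OWNER, trace):5.2f} "
              f"owner={is_owner(OWNER, trace)}")
```

Running the block prints one score per trace: the owner’s walk stays well under the threshold, while a walker with a different cadence and stride, or a phone lying still, scores far above it. The threshold is the actual security control: lower it and the owner gets rejected whenever they limp, run or carry a bag; raise it and a similar walker passes. That trade-off is why behavioural signals are best treated as a continuous risk score that triggers step-up authentication, not as a standalone unlock.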
Private Reporting Helpline to Check Cyber Crime in Delhi-NCR
New Delhi: Victims of cyber offences can now report their cases and seek technical help at zero cost at the first private cyber crime reporting helpline which has become operational in Delhi-NCR.
Through the helpline number launched last month, the reporting centre has received around 250 complaints in 15 days.
Of the total complaints, 130 pertained to cases of financial fraud mostly phishing, and around 80 cases of outraging modesty of women through social networking sites, said a source in the Indian Cyber Army, developer of the helpline and consultant to Delhi Police and their counterparts in three other states.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=ce86b9dc0b&e=20056c7556
Wells Fargo study: Businesses not well-prepared for cyber attacks
The study of 100 U.S. middle-market companies and large corporations found that 85 percent have purchased cyber security and data privacy insurance coverage and 44 percent have already filed an insurance claim because of a breach.
But besides insurance coverage, companies aren’t very prepared for a cyber breach.
The study found that one in five businesses have not tested their “incident response plan” and 27% don’t have an employee awareness training program for cyber security.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=8700a7d48f&e=20056c7556
90% of directors believe regulators should hold firms liable for hacks
A new Veracode and NYSE Governance Services survey of 276 board members reveals how cybersecurity-related corporate liability is being prioritized in the boardroom.
Nine out of 10 of those surveyed believe regulators such as the FTC should hold businesses liable for cyber breaches if due care has not been followed, and more than 50 percent expect investors to demand more transparency as a result of the increased public focus on cybersecurity liability.
Pressure is building for boards and management teams to be especially wary of any corporate behavior that can impact their brand and erode shareholder value.
Security is now the second leading risk to a company’s brand – behind ethical issues and ahead of traditional risks related to safety, health, and the environment.
Nearly 50 percent who knew of the FTC’s lawsuit against a major hotel chain said the case has influenced their executive discussions on cybersecurity liability.
90 percent of respondents feel third-party software providers should bear legal liability when vulnerabilities are found in their packaged software.
This is particularly relevant because, according to Veracode’s 2015 State of Software Security Report, nearly three out of four enterprise applications produced by third-party software vendors contain vulnerabilities listed in the OWASP Top 10, an industry-standard security benchmark.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=5597eec119&e=20056c7556
Firefox 42 is out, with many privacy and security improvements
Mozilla has released Firefox 42, and with it, a new feature that should increase user privacy online.
It’s called Tracking Protection and it’s incorporated into the Private Browsing option.
Another new feature in Firefox is a new Control Center – a central place for reviewing and changing site security and privacy controls.
It’s located in the browser’s address bar.
In addition to this, the company has updated the browser’s security indicators.
Finally, the new version of the browser also includes fixes for a dozen security issues, some of which could lead to arbitrary code execution.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=a071265293&e=20056c7556
Global banking, cyber, blockchain, digital IDs and Varoufakis – experts examine the future of banking
Key figures voiced big predictions at yesterday’s FT Banking Summit.
Credit Suisse chief executive Tidjane Thiam’s thoughts on why the global economy needs European investment banks to succeed grabbed the headlines, as did the four-point plan for boosting the Eurozone through reforms to the European Central Bank outlined by former Greek finance minister Yanis Varoufakis.
Three points stood out for me.
There is a pressing need for greater support for cyber threat intelligence sharing; there may be a need for a ‘regulatory pause’ to banking reform, and the hour has come for digital currencies, payments and identities to take online financial services to a new level.
Over the coming months therefore banks have good reason to move forward quickly with this initiative while they still have some advantage in terms of being viewed as the most trusted type of entity to provide financial services.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=2bdf4e4624&e=20056c7556
OPINION: Top 10 security predictions for 2016
‘Sniper’ and ‘shotgun’ malware:
We believe that the larger breaches in 2016 will be the result of custom malware designed to get past the defences of specific organisations, as in the attack on US retailer Target.
Moving to mobile:
Mobile attacks continue to increase as mobile devices become more commonplace in the workplace, offering hackers direct and potentially lucrative access to personal and corporate data.
Our 2015 Security Report found that 42% of organisations had suffered mobile security incidents which cost more than $250,000 to remediate, and 82% expected incidents to rise.
Threat prevention:
These new attack vectors require more proactive and advanced solutions that catch evasive malware.
CPU-level sandboxing is able to identify the most dangerous threats in their infancy before they can evade detection and infect networks.
Attacks on critical infrastructure:
Attacks on public utilities and key industrial processes will continue, using malware to target the SCADA systems that control those processes.
And as control systems become increasingly connected, this will extend the potential attack surface, which will require better protection.
IoT and smart devices:
The Internet of Things is still emerging and is unlikely to make a big impact in 2016.
Nevertheless organisations need to think about how they can protect smart devices and prepare themselves for wider adoption of the IoT.
You wear it well:
Wearables like smartwatches are making their way into the enterprise, bringing with them new security risks and challenges.
Trains, planes and automobiles:
2015 saw the emergence of car hacking, in which the vehicle’s software is hijacked to take control of it.
Real security for virtual environments:
As organisations move to virtualised environments, security needs to be designed in from the outset to deliver effective protection.
New environments, new threats:
Adoption of Windows 8 was relatively low, but with Windows 10 seeing high uptake driven by the free upgrade, cyber-criminals will turn their attention to exploiting this new operating system, where updates are more frequent and users are less familiar with the environment.
Security consolidation (keep it simple):
To protect against multifaceted threats, security professionals are likely to increase their reliance on centralised security management solutions.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=77cf3bf38d&e=20056c7556
4 in 10 Businesses Have Filed a Cyber Insurance Claim: Survey
A recent Wells Fargo survey of 100 U.S. middle-market and large companies found that 85 percent say they have purchased cyber and data privacy insurance, while 44 percent have already filed a claim as a result of a breach.
And how much do companies pay for cyber insurance?
The cost of a policy depends on a variety of factors including the type of business, volume of records (personally identifiable information, protected health information, credit card data) and the organization’s security controls.
“Network security and privacy liability (aka ‘cyber’) is one of the most subjective lines of insurance, meaning that the underwriter has significant flexibility when pricing the risk,” Dena Cusick, national practice leader with Wells Fargo Insurance’s Technology, Privacy and Network Risk National Practice, told NBC News by email. “The premium can be as low as $750 for a small, well-managed organization and well into the seven figures for large organizations with significant volumes of data.”
Meanwhile, the rise in cyber claims filed is also driving up insurance rates.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=b27520730d&e=20056c7556
OPM hires new cybersecurity adviser to address data breach concerns
Clifton Triplett will serve as the senior cyber and information technology adviser to acting OPM Director Beth Cobert, the agency announced Wednesday in a press release.
In his new role, Triplett will help carry out OPM’s IT infrastructure plan, which calls for modernizing and overhauling its computer systems and minimizing the threat of future cyber intrusions.
Triplett is expected to work alongside OPM Chief Information Officer Donna Seymour to make these improvements to the IT architecture.
Prior to joining OPM, Triplett was the managing partner at SteelPointe Partners, a global management consulting company.
He holds 30 years of cross-industry and IT organizational transformation experience with Fortune 200 companies and industry leaders in the defense, telecommunications, oil field service, tractor, automotive, and aerospace industries.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=efcc499b33&e=20056c7556
Business Demand for Cyber and Data Privacy Insurance Surges While Gaps Remain in Incident Response Plans
The FINANCIAL — In a recent study of 100 U.S. middle market companies and large corporations, 85% say they have purchased cyber security and data privacy insurance coverage to protect against financial loss, while nearly half (44%) have already filed an insurance claim as a result of a breach.
However, while more companies are purchasing cyber security and data privacy insurance, some gaps still remain in incident response plans, making those companies vulnerable to the financial consequences of a data privacy incident, according to the study, commissioned by Wells Fargo Insurance’s Technology, Privacy and Network Risk Practice (TPN), part of Wells Fargo & Co.
Examining middle market companies and large corporations with $100 million or more in annual revenue, the study looked at companies from a variety of industries ranging from manufacturing to educational services.
It measured the companies’ current levels of readiness to respond to a cyber security or data privacy incident, perceptions of their own security and network vulnerabilities, and challenges faced when purchasing coverage.
Not surprisingly, the most common reasons given for purchasing this specialized coverage were to protect the business against financial loss (78%), protect shareholders (64%), and help prepare for data privacy events (61%).
Of those that filed an insurance claim, 96% reported they were satisfied with their coverage, how the claim was handled, and that their policy had enough coverage for expenses and damages.
Companies are not testing their plans – Although most companies surveyed have an incident response plan, one in five have not tested it.
One in 10 companies that had to implement their plan did so without testing it beforehand, with three in four (74%) saying they needed to revise their plan following the incident.
Leaked data is the top cyber security and data privacy concern, yet one in 10 companies does not have an existing incident response plan – 35% of companies are concerned about private data leaks, while 25% are concerned about hackers.
Of those companies that have a plan, 85% developed it with the help of a third-party vendor.
For almost half of the companies that have cyber and data privacy insurance, the biggest challenges they faced when purchasing the coverage were finding a policy that adequately fit their company’s needs (47%) or the cost (42%), highlighting the need for an experienced broker to help with this process.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=1c25459148&e=20056c7556
Foreign business lobbies ask China to revise cyber insurance draft rules
(Reuters) — Foreign business lobbies have asked China to substantially revise proposed cyber security regulations for the insurance industry, signaling a dispute that started with the publication of similar bank technology rules earlier this year may widen.
The draft regulations, announced by the China Insurance Regulatory Commission last month, state that insurers, along with their holding companies and asset managers, should prioritize the purchase of “secure and controllable” products, including domestic encryption technologies and local hardware and software.
In a joint letter delivered to CIRC at the end of last month, more than 20 foreign business lobbies, including the American Chamber of Commerce, the American Council of Life Insurers, and the Japan Electronics and Information Technology Industries Association, stated that such provisions would run counter to global information security standards.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=4d0be4fcba&e=20056c7556 (http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=1972f33d5c&e=20056c7556)
============================================================
Feedback, questions? Our mailing address is: ** dailynews@paulgdavis.com (mailto:dailynews@paulgdavis.com)
If you know someone else who would be interested in this Newsalert, please forward this email.
If you want to be added to the distribution list, please click this: ** Subscribe to this list (http://paulgdavis.us3.list-manage1.com/subscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a)
** Unsubscribe from this list (http://paulgdavis.us3.list-manage.com/unsubscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556&c=ec6de9325f)
** Update subscription preferences (http://paulgdavis.us3.list-manage1.com/profile?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556)