[From the desk of Paul Davis – his opinions and no-one else’s, apart from the reporter’s opinions]
* Breaking down the walls between IT and physical security
* How to Prepare for a DDOS attack
* What Is Data Minimization? And Why It Matters In The Age Of Big Data
* Taking the pulse of your information security culture
* How to review and test backup procedures to ensure data restoration
* Imperva Hacker Intelligence Initiative Report Finds Insider Threats In 100 Percent of Studied Environments
* Good morning. Thank you for inviting me to be the first speaker at the inaugural Incident Response Forum of the Cybersecurity Docket. I want to take a moment to underscore the importance of what you are launching here today, and that is to sponsor an event that focuses exclusively on response and re
* Beyond Technology: Managing the Blind Spots of Database Security
* Infosys : ACM and Infosys Foundation Honor Innovator in Network Security Research
* Neustar : Security Report Shows Increased Use of Dangerous Multi-Vector DDoS Attacks Targeting Companies
* Healthcare industry seeks to reform its position as hacking target
* Ransomware: Time for a HIPAA Update?
* Cyber insurance rates fall with lull in major hacks
* Chubb adds cyber bullying coverage to U.S. home insurance policies
* New Portal Launched For ICS/SCADA Threat Intelligence-Sharing Among Nations
* Vulnerability Spotlight: Lhasa Integer Underflow Exploit
* Risk and compliance largest information management drivers
* Machine Learning In Security: Good & Bad News About Signatures
* SecureWorld Boston highlights value of partnerships
Breaking down the walls between IT and physical security
According to Kelsey, one of the systemic problems is that each side – physical security and cybersecurity – has been seen as less important by the other, and the biggest consequence of that way of thinking is increased security exposure for organizations.
In their ambition to realize all of the benefits that connected technology provides, Kelsey believes there has been “blindness” on the part of organizations and even security professionals when it comes to attaching mission critical systems to the Internet.
Given the threats organizations face today, Rosenquist believes that physical and IT security need to find common ground upon which they can both work together more efficiently to improve the overall security posture of the businesses for which they work.
“What I’m starting to see is the budgets are merging,” Kelsey said. “A lot of the fighting within organizations is because they perceive they’re fighting for the same budget dollar, but as you merge those budgets… those walls start to come down.
I think if you push the money together, you end up getting better results.”
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=dfd3e3e1b1&e=20056c7556
How to Prepare for a DDOS attack
Visibility is critical when preparing for issues in your network.
SNMP graphing platforms will tell you an extraordinary amount of information on volumetric attacks.
You’ll be able to see and (depending on the platform) sometimes even alert on anomalous bandwidth events.
You’ll be able to track at which port it entered your network, if it’s saturating any links, and even where the attack is headed.
It’s surprising how many companies I’ve worked with over the years that do not deploy this because it’s such an easy and basic thing to implement.
Primarily, you need devices that can speak SNMP, such as managed switches, routers, etc., and then you need a platform to query them.
SNMP certainly won’t catch everything, even when the attack is volumetric.
Wait, what.
Yes, it’s true, they’re good at monitoring traffic levels, but the downside is that they only poll devices on preconfigured intervals.
The most recent Global Network & Application Security Report found that 57% of cyber attacks lasted less than one hour.
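The polling blind spot described above, as an added example (not code from the Radware post): a constructed 20-minute traffic trace sampled the way an SNMP grapher would see it, once at a typical 300-second poll interval and once per second. The counter arithmetic assumes 64-bit ifHCInOctets-style counters; the traffic figures, the burst timing and the 500 Mbit/s alert threshold are constructed for the illustration.

```python
"""Added example (not from the Radware post): why interval-polled SNMP counters
can miss a short volumetric burst that per-second sampling would catch.
All traffic figures below are constructed."""

COUNTER_MAX = 2 ** 64  # ifHCInOctets is a 64-bit counter; deltas are taken modulo its size


def rate_bps(prev_octets, cur_octets, seconds):
    """Bits per second between two counter readings, tolerating one counter wrap."""
    delta = (cur_octets - prev_octets) % COUNTER_MAX
    return delta * 8 / seconds


def poll_rates(samples, interval):
    """Convert a series of polled counter values into per-interval average rates."""
    return [rate_bps(samples[i - 1], samples[i], interval) for i in range(1, len(samples))]


def alerts(rates, threshold_bps):
    """Indexes of the polling intervals whose average rate exceeds the threshold."""
    return [i for i, r in enumerate(rates) if r > threshold_bps]


def synth_traffic(duration_s, baseline_bps, burst_start, burst_len, burst_bps):
    """Constructed per-second byte counts: a steady baseline with one short burst."""
    per_sec = []
    for t in range(duration_s):
        bps = burst_bps if burst_start <= t < burst_start + burst_len else baseline_bps
        per_sec.append(bps // 8)
    return per_sec


def counter_series(per_sec_bytes, interval, start_value=0):
    """What an SNMP poller sees: the cumulative octet counter read every `interval` seconds."""
    counters = [start_value]
    total = start_value
    for t, nbytes in enumerate(per_sec_bytes, start=1):
        total += nbytes
        if t % interval == 0:
            counters.append(total % COUNTER_MAX)
    return counters


def compare_polling(slow_interval=300, fast_interval=1, threshold_bps=500_000_000):
    """Same 20 minutes of traffic seen at a 5-minute poll and at 1-second resolution."""
    # 50 Mbit/s baseline with a 900 Mbit/s burst lasting 30 s (constructed)
    traffic = synth_traffic(1200, 50_000_000, 400, 30, 900_000_000)
    start = COUNTER_MAX - 10_000_000  # constructed: the counter is about to wrap
    result = {}
    for name, interval in (("slow", slow_interval), ("fast", fast_interval)):
        rates = poll_rates(counter_series(traffic, interval, start), interval)
        result[name] = {"peak_bps": max(rates), "alerts": alerts(rates, threshold_bps)}
    return result


if __name__ == "__main__":
    for name, r in compare_polling().items():
        print(f"{name:>4}: peak {r['peak_bps'] / 1e6:.0f} Mbit/s, "
              f"{len(r['alerts'])} interval(s) over threshold")
```

The 30-second, 900 Mbit/s burst averages out to 135 Mbit/s over the 5-minute poll and never crosses the threshold, while per-second sampling shows 30 intervals above it. Shortening the poll interval narrows the gap but does not remove it, which is the reason the post asks for something that detects on the traffic itself rather than on periodic counter snapshots.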
Capacity is a tricky one, though, because how do you plan for enough capacity for a volumetric attack?
Do you buy another 1G link?
More 10G links?
There’s a point where that doesn’t become cost effective, and I’ll discuss Radware’s solutions for that at the end, but capacity is a tool that you can use to help alleviate bottlenecks.
You need a tool that can detect and mitigate instantly.
Traditional firewalls can’t do this and they can even cause an outage, as I’ve shown in a previous post.
To truly have complete coverage, you need a purpose-built DDoS mitigation appliance that can handle these complex attacks and can begin mitigating instantly.
Our award-winning DefensePro product can help you do just that.
There are several ways to test your network and the attack vector doesn’t necessarily matter for this.
Essentially, you want to go through the steps of a mock attack to see how your plan works.
Personally, I believe that the best approach is to begin with detection and mitigation at the perimeter of the network.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=4047e96946&e=20056c7556
What Is Data Minimization? And Why It Matters In The Age Of Big Data
The European Union has recently included this in new laws of the Data Protection Act that will come into effect soon.
The act says, “Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.”
The Act doesn’t define “adequate, relevant and not excessive,” but in effect it means collecting and holding only the minimum amount of personal data needed to fulfil your purpose.
This is part of the practice known as “data minimization.”
Instead of a “save everything” approach, smart data managers are now embracing a data minimization policy, keeping only what’s relevant and necessary.
Even Walmart only relies on the previous 4 weeks of data for its day-to-day merchandising strategies.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=2389c7438c&e=20056c7556
Taking the pulse of your information security culture
Security culture begins at the top, with the CEO or head of the company.
This person must model good security practices themselves, and speak sincerely about it at every opportunity.
I have been involved in many an all-hands meeting where the CEO attempted to speak sincerely on a topic while reading from a script created by marketing.
It is pretty easy for the employees to see right through this.
The company head must understand enough about security to really speak about it.
As with the CEO, every manager must live and model good security practice.
Their involvement must go deeper, however.
• Survey the workforce
• Train the workforce
• Make security a campaign
• Reward good practices
Bottom line — follow the right steps, and your security culture will form on its own.
The reward will be a workforce focused on keeping the organization safe.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=ff09593585&e=20056c7556
How to review and test backup procedures to ensure data restoration
In this third approach to improving information security incident response, CSO maps your route to successful backup procedure tests and reviews.
By properly testing and ensuring that your backups are existent and recoverable when data disaster rears its gruesome head, you can rest in the knowledge that information security incidents that could rob your data and interrupt its use will not also leave you without your data altogether.
Microsoft Technet publishes tips for testing backup and restore procedures under the heading “Developing Backup and Restore Procedures” at “Testing Backup and Restore Procedures”.
It’s important to test often enough as well as to test in a quality sort of fashion.
You need a formal change management system.
Such a system will ensure an awareness of change, its potential effects and consequences, and the need to prepare for these ahead of time, since something could go wrong even during planned change, according to Gordon.
You should use commonly occurring real life data disaster scenarios to simulate what your backups will and won’t do in a crisis.
You need to account for instances where you might test backups and restores differently than you typically would.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=8c8a95a067&e=20056c7556
Imperva Hacker Intelligence Initiative Report Finds Insider Threats In 100 Percent of Studied Environments
REDWOOD SHORES, Calif., March 31, 2016 (GLOBE NEWSWIRE) — Imperva, Inc. (NYSE:IMPV), committed to protecting business-critical data and applications in the cloud and on-premises, today unveiled the March Hacker Intelligence Initiative Report: “Insiders: The Threat is Already Within.” This new report, published by the Imperva Defense Center and based on primary research conducted by Imperva, shows that insider threat events were found in 100 percent of the studied environments and went undetected by in-place security measures.
Based on the studied environments and follow-on analysis, the researchers found:
• Insider threat events were present in 100 percent of the studied environments, confirming suspicions that insider abuse of data is routinely undetected.
• Deception technology, deployed to complement behavioral analysis, positively identified insider threats.
• Insider threat incidents were not identified by any existing in-place security infrastructure.
• Identified insider threats spanned malicious, compromised and careless insiders.
• In most cases, insiders took advantage of granted, trusted access to data, rather than trying to directly hack in to databases and file shares.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=e6646ca3a5&e=20056c7556
Good morning. Thank you for inviting me to be the first speaker at the inaugural Incident Response Forum of the Cybersecurity Docket. I want to take a moment to underscore the importance of what you are launching here today, and that is to sponsor an event that focuses exclusively on response and re
Good morning.
Thank you for inviting me to be the first speaker at the inaugural Incident Response Forum of the Cybersecurity Docket.
I want to take a moment to underscore the importance of what you are launching here today, and that is to sponsor an event that focuses exclusively on response and recovery in the event of a cyberattack.
So far, the global economy and our financial infrastructure have been spared a cyber attack with far-reaching consequences to our financial system and our nation’s economy.
Hand in hand with the financial sector, as many of you know, we have discussed creating a cyber-resilient financial structure by focusing on three imperatives: First, we have discussed at length the importance of information sharing, which we emphasize is a necessary shield to attacks coming from the same IP addresses, from the same malware, from the same vectors.
Second, we have discussed—at length—baseline protections. We stay apprised of attack methods and vectors that are actually being deployed and with this forensic analysis, we derive a constantly updated set of baseline protections that we recommend that firms deploy.
The third imperative is the subject of today’s conference.
Today, under your leadership, we’re going to discuss together what we can do once attacked, once intruded upon, once we are forced to perhaps shut down, to respond to the incident and then to recover from it in a way that minimizes both the short-term and long-term costs and damage.
The variable that we want to minimize is time.
The longer we take to respond and recover, the greater the damage to the firm, to the firm’s customers, to the entire financial sector, and ultimately and possibly to the nation’s economy and the global economy.
How to minimize the variable of time, in the age of internet speed, is the challenge of effective response and recovery.
Given the increasing number and morphing nature of cyber assaults, we must prepare for the eventuality of significant cyber incidents.
By deploying the tools of preparation, coordination, and practice, the government, the financial sector, and their advisors can exponentially accelerate cyber response and can recover in a way that does not prolong the opportunity for damage—damage not only to the firms that compose our nation’s financial infrastructure, but also damage to the people of our country who rely on this financial infrastructure.
With this preparation, if and when a significant cyber incident occurs, we will be better equipped to respond and recover with level heads, and carry on with the business of returning to normal functioning.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=86a0d44f04&e=20056c7556
Beyond Technology: Managing the Blind Spots of Database Security
A truly effective database security program must incorporate people, process, and policy into a holistic approach customized for every company’s needs, and then be reinforced with robust security technologies.
The technology is not a cure-all on its own, and the human element plays a major role in creating an effective, security program.
Only when done thoroughly and effectively does this strategy provide a solid security framework for a business.
Continuous assessment is the first step to creating an effective database security plan.
You need to know where your data resides in order for you to protect it.
Once you know where your data resides, you can work to monitor it, and protect it from intruders.
Once all baselines—asset and human behavior alike—are created, businesses can begin effectively monitoring for anomalies to enter the database.
Effective database security should be accurate and intuitive, scalable for a distributed architecture, customizable in its policies, comprehensive in its reports and helpful in the prioritization of issues to be addressed.
It should also be layered with existing security efforts and solutions in order to provide a holistic approach to security.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=fe41e96352&e=20056c7556
Infosys : ACM and Infosys Foundation Honor Innovator in Network Security Research
NEW YORK and BANGALORE, March 30, 2016 – ACM, the Association for Computing Machinery, (www.acm.org) and the Infosys Foundation announced today that Stefan Savage from the University of California, San Diego is the recipient of the 2015 ACM-Infosys Foundation Award in the Computing Sciences.
He was cited for innovative research in network security, privacy and reliability that has taught us to view attacks and attackers as elements of an integrated technological, societal and economic system.
Savage’s impact on the field of network security stems from the systematic approach he takes to assessing problems and combating adversaries ranging from malicious software and computer worms to distributed attacks.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=d2a335d49f&e=20056c7556
Neustar : Security Report Shows Increased Use of Dangerous Multi-Vector DDoS Attacks Targeting Companies
Neustar, Inc. (NYSE: NSR), a trusted, neutral provider of real-time information services, today released its first report from the Neustar Security Operations Center (SOC) that shares technical insights gained from the distributed denial of service (DDoS) attacks mitigated by the company in 2015.
One of the most alarming trends noted in the findings is the rise of multi-vector attacks.
Rather than just use one style of method to breach a company’s infrastructure, attackers are increasingly turning to multi-vector attacks to exhaust defenses.
Statistics from Neustar’s Security Operations Center uncovered:
• 47 percent of all multi-vector attacks occurred in the fourth quarter
• 17 percent of attacks involved multiple vectors
• 57 percent of all multi-vector attacks involved reflection attacks
Foster calls out the following five key takeaways for CIOs:
• Death by a Thousand Cuts. Not every attack is intended to cause an outage.
• They Are the Most Dangerous Times of the Year. Attackers chose high-volume transaction periods – such as the tax return period and Q4 – for some of their most vicious strikes.
• Defend your DNS.
• The Combat Continues. DDoS attacks are inevitable.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=27b328e4c4&e=20056c7556
Healthcare industry seeks to reform its position as hacking target
In a heavily regulated industry like healthcare, IT security officers are not only expected to have data-security chops but also a solid background in compliance — including specific experience with HIPAA, HITECH, and PCI DSS — which isn’t easy to come by in an employment market where even newbie cybersecurity pros are being offered comfortable starting salaries.
“What has changed in the past couple of years is that most entities are asking what their partners are doing to protect information,” Wilkinson says.
To that end, more large healthcare organizations are giving their chief information security officer a seat at the table in vendor evaluations.
Plus, they’re conducting more frequent and more thorough security audits and demanding that vendors and subcontractors do the same.
Finally, many healthcare organizations have adopted a data-centric approach to their security practices by locating and classifying their protected healthcare data and applying security controls based on those classifications.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=410bff37dd&e=20056c7556
Ransomware: Time for a HIPAA Update?
“New cyber threats require Congress to vigilantly review and update the laws already on the books,” says Rep. Ted Lieu, D-Calif., in a statement provided to Information Security Media Group. “As ransomware attacks against hospitals become more frequent, it is critical for patients to know when their records are being held hostage and for the government to understand the scope of the problem.
I am actively exploring legislation to achieve that transparency.”
But a spokesman for the Department of Health and Human Services’ Office for Civil Rights says in a statement provided to ISMG that some such attacks already are reportable under HIPAA.
Meanwhile, Sen. Lamar Alexander, R-Tenn., chairman of the Senate Committee on Health, Education, Labor and Pensions, said the attack on MedStar Health shows the need for the Department of Health and Human Services to immediately implement provisions of the Cybersecurity Information Sharing Act of 2015.
The cyber legislation, the senator notes, calls for HHS to “give hospitals and doctors clear information on the best ways to prevent a hack in the first place …
Yesterday’s attack, which, unfortunately, is not unique, shows the need for HHS to implement the law with the urgency patients and hospitals deserve.”
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=b55ba7dc6b&e=20056c7556
Cyber insurance rates fall with lull in major hacks
A lull in high-profile data breaches prompted insurers to cut cyber insurance rates for high-risk businesses such as retailers and healthcare companies during the first three months of this year, according to insurance industry brokers.
The dip comes after sudden rate hikes for many firms last year in the wake of a spate of attacks on Home Depot Inc, Target Corp, Anthem Inc and others.
The average price companies in high-risk industries paid for $1 million in cyber insurance coverage fell 13 percent to $18,756 in the first three months of 2016, according to broker Marsh, a unit of Marsh & McLennan Cos Inc.
It said the average premium rose 28 percent last year to $21,642 for comparable buyers in industries such as retail and healthcare.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=582584d5c7&e=20056c7556
Chubb adds cyber bullying coverage to U.S. home insurance policies
Insurer Chubb Ltd said on Wednesday it has added coverage to help U.S. victims of cyber bullying pay for costs, including mental health treatment, legal expenses and lost wages.
The company said it added $60,000 of cyber bullying coverage to its U.S. Masterpiece Family Protection policy, a $70-a-year add-on.
The insurance already covers threats including stalking, carjacking, home invasion, air rage, hijacking and child abduction.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=5e672e01d0&e=20056c7556
New Portal Launched For ICS/SCADA Threat Intelligence-Sharing Among Nations
The EWI Information Sharing Community portal is based on the Facebook At Work collaboration platform, and initially is being used for sharing threat information, best practices, lessons learned, and other information.
It ultimately will be built out to share more sensitive threat intel including indicators of compromise such as malware markers or malicious IP addresses associated with an attack suffered by a power plant, for example.
Blask says while groups such as the ICS-ISAC are open to international members, it’s still a US-based entity, so the new portal backed by EWI provides a more global connection for ICS/SCADA operators and interests. “They are using this platform for building [online] groups and communities,” he says, and ultimately, it will be built out for real-time, machine-readable threat intel feeds via the STIX (Structured Threat Information Expression) and TAXII (Trusted Automation Exchange of Indicator Information) protocols, he says.
Patterson, who is vice president and global security leader for Unisys, says the EWI Information Sharing Community is not technically a global ISAC or ISAO for ICS/SCADA, but more of a place for public and private sector operators of critical infrastructure, different nations’ ISACs, and government agencies to collaborate.
The ICS-ISAC has set up a registration page for the new portal.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=c52efed1ba&e=20056c7556
Vulnerability Spotlight: Lhasa Integer Underflow Exploit
Talos is disclosing the discovery of vulnerability TALOS-2016-0095 / CVE-2016-2347 in the Lhasa LZH/LHA decompression tool and library.
This vulnerability is due to an integer underflow condition.
The software verifies that header values are not too large, but does not check for a header length that is too small.
Decompressing an LHA or LZH file containing an under-valued header size leads to the decompression software allocating a pointer to point to released memory on the heap.
An attacker controlling the length and content of such a file can use the vulnerability to overwrite the heap with arbitrary code.
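The missing lower-bound check the advisory describes, shown on a hypothetical length-prefixed header as an added example; this is not Lhasa's code and the header layout (a 2-byte length, 2-byte flags, then a filename), the `FIXED_LEN` and `MAX_HEADER_LEN` values and the sample inputs are all constructed. The unchecked parser emulates C's unsigned 32-bit arithmetic so the wrapped length is visible; the checked parser bounds the length on both sides and against the data actually present.

```python
"""Added example (hypothetical header format, not Lhasa's code): the lower-bound
check whose absence turns a too-small header length into an unsigned underflow."""
import struct

FIXED_LEN = 4          # hypothetical layout: 2-byte header_len, 2-byte flags, then the filename
MAX_HEADER_LEN = 4096  # the kind of upper bound the advisory says was already enforced
UINT32_MASK = 0xFFFFFFFF


def parse_header_unchecked(buf):
    """Only guards against a too-large length (the flawed pattern)."""
    header_len, flags = struct.unpack_from("<HH", buf, 0)
    if header_len > MAX_HEADER_LEN:
        raise ValueError("header too large")
    # In C this is `size_t name_len = header_len - FIXED_LEN;`, which wraps when header_len < FIXED_LEN
    name_len = (header_len - FIXED_LEN) & UINT32_MASK
    return {"flags": flags, "name_len": name_len, "name": buf[FIXED_LEN:FIXED_LEN + name_len]}


def parse_header_checked(buf):
    """Bounds the length below, above and against the data that is actually available."""
    if len(buf) < FIXED_LEN:
        raise ValueError("truncated header")
    header_len, flags = struct.unpack_from("<HH", buf, 0)
    if header_len < FIXED_LEN:
        raise ValueError(f"header length {header_len} smaller than fixed fields ({FIXED_LEN})")
    if header_len > MAX_HEADER_LEN:
        raise ValueError("header too large")
    if header_len > len(buf):
        raise ValueError("header length exceeds available data")
    name_len = header_len - FIXED_LEN
    return {"flags": flags, "name_len": name_len, "name": buf[FIXED_LEN:FIXED_LEN + name_len]}


def accepts(parser, buf):
    """True if the parser accepts buf; lets the two parsers be compared on the same inputs."""
    try:
        parser(buf)
        return True
    except ValueError:
        return False


# constructed inputs
GOOD = struct.pack("<HH", FIXED_LEN + 5, 0) + b"a.txt"
TOO_SMALL = struct.pack("<HH", 2, 0) + b"junk"  # header_len below the fixed-field size

if __name__ == "__main__":
    print(parse_header_checked(GOOD))
    print(parse_header_unchecked(TOO_SMALL)["name_len"])  # 4294967294: the wrapped size
    print(accepts(parse_header_checked, TOO_SMALL))      # False
```

The wrapped `name_len` of 4294967294 is what a later allocation or copy would be sized from in the unchecked version; the fix is the single `header_len < FIXED_LEN` comparison, plus the check that the declared length does not run past the input, which is cheap to add wherever a length field is subtracted from.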
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=2463c0712b&e=20056c7556
Risk and compliance largest information management drivers
While smaller businesses use Information Management (IM) to save money and improve productivity, large businesses (44 per cent of them) do it mostly out of fear of risks and compliance.
Those are the results of a new study conducted by AIIM, which says that the number of large companies citing risk and compliance as the main factors behind IM rose from 38 per cent to 59 per cent in a year.
The report, entitled Information Management: State of the Industry 2016, says IM / Enterprise Content Management (ECM) systems and Information Governance are not aligned.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=d5071da6eb&e=20056c7556
Machine Learning In Security: Good & Bad News About Signatures
Why security teams that rely solely on signature-based detection are overwhelmed by a high number of alerts.
First in a series of two articles about the history of signature-based detections, and how the methodology has evolved to identify different types of cybersecurity threats.
Over the years, signature-based systems have changed and advanced, but the core concepts still lie at the heart of all modern detection systems – and will continue to be integral for the foreseeable future.
To understand what a “signature system” is in reality, we need to understand the evolution of the detection path as directed and discovered by human intervention.
Historically, the linear progression and sophistication of signature-based detection systems have been dependent upon human signature writers.
For each new threat, a unique signature or signature artifact is created by a skilled engineer or security researcher.
This pairing between a signature and its human creator means that as the number of threats has increased, so too has the number of skilled personnel needed to develop and support the signatures that detect them.
For obvious reasons, this is not a scalable business proposition – for neither vendor nor customer.
New developments in machine learning – in particular supervised and unsupervised learning algorithms – are now being applied to information security and are paving the way to a new class of signature systems capable of economically scaling to the threat.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=4e3ce4b4ef&e=20056c7556
SecureWorld Boston highlights value of partnerships
The conference dived into cloud, IoT, network and mobile security as well as supply chain risk management and tips for defending against nearly all types of cyberthreats, but if there’s one big takeaway from all the sessions at the conference, it’s the importance of partnerships — both internal and external — in helping keep one’s company secure and compliant in today’s threat-laden enterprise.
In her keynote presentation, Dawn-Marie Hutchinson stressed the importance of partnerships in incident response, explaining that forming (and nurturing) key relationships before a breach occurs is the best form of incident response.
She broke down her list of important partnerships into three categories:
Data inventory is a key component of any compliance initiative, according to Michael Corby, Executive Consultant at CGI.
It helps companies stay within regulation boundaries and avoid costly investigations into their companies’ data management.
But a good data inventory project needs a solid team.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=918342bb54&e=20056c7556
============================================================
Feedback, questions? Our mailing address is: dailynews@paulgdavis.com (mailto:dailynews@paulgdavis.com)
If you know someone else who would be interested in this Newsalert, please forward this email.
If you want to be added to the distribution list, please click this: Subscribe to this list (http://paulgdavis.us3.list-manage.com/subscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a)