[From the desk of Paul Davis – his opinions and no-one else’s, apart from the reporter’s opinions ]
I had a request to change the format of the date in the Subject line to make it easier to sort. So I made the change.
* 11+ security questions to consider during an IT risk assessment
* Payment Card Industry Security Standards Council Releases Payment Application Data Security Standard Version 3.2
* Cyberattacks can cripple the construction industry
* A Look at Breach Notification Laws Around the World
* Huge Data Breach Losses Aren’t Forcing Companies to Bolster Security
* IT security skills remain in high demand
* Windows 10 Build 14352 lets Windows Insiders run two antivirus programs on their PC
* EU member states should stress-test banks’ cyber risks
* ITC Launches Investigation Into Chinese Hacking Of U.S. Steel Corp
* 48% of respondents’ organisations still lack key cyber security personnel, says DarkMatter poll
* SWIFT Eyeing New Tools to Spot Bank Fraud
* A Dire Lack of Knowledge about Ransomware Exists Despite Record Number of Infections
* Lloyds: cyber attacks down by up to 90pc
* Retail Security Risks: 2016 Midyear Roundup
* Cybercrime Hit Businesses Hardest in 2015, says IC3 Report
* Prioritising threat intelligence
* ICIT Explains NIST Guide Impact on Healthcare Cybersecurity
* Data security is the most significant risk facing in-house counsel today
* How Security And IT Teams Can Get Along: 4 Ways
* Got $90,000? A Windows 0-Day Could Be Yours
* J.P. Morgan’s CIO on the Bank’s Security Game Plan
11+ security questions to consider during an IT risk assessment
There is never enough time to consider all the ramifications during an attack.
Vogel, for example, uses a data breach to point out risks that may be overlooked when scrambling to recover and getting back to normal operating conditions:
What data is valuable to our consumers and/or members?
What would happen if we were [i.e., the organization] in the news for a data breach, even if the data lost was meaningless?
What legal liability do we have if something happened to the data?
Questions for board officers and investors:
What makes our company or service an appealing target for hackers and cybercriminals?
What is the worst-case scenario; what are our principal assets and “crown jewels” that could be compromised?
What will be the impact if we are targeted and:
– the breach is made public?
– data is held for ransom?
– our corporate or consumer data is destroyed?
Is there a valid business reason for retaining existing information and the collection of new data?
What are our data minimization and destruction policies and procedures?
Is our cyberinsurance coverage adequate?
Have we completed a coverage gap analysis, and do we fully understand the exclusions?
Are we prepared for regulatory enforcement and lawsuits?
How current, complete, and tested is our data breach incident plan?
Are we using industry best practices, and do we adhere to a cybersecurity framework reflecting our current countries of operation and types of business operations?
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=b9464e9746&e=20056c7556
Payment Card Industry Security Standards Council Releases Payment Application Data Security Standard Version 3.2
WAKEFIELD, Mass.–(BUSINESS WIRE)–Today the PCI Security Standards Council (PCI SSC) published a new version of its data security standard for payment software, the Payment Application Data Security Standard (PA-DSS) version 3.2.
The Payment Application Data Security Standard is used by payment application vendors to ensure their software products will protect payment card data from theft.
Merchants and other businesses globally use “PA-DSS Validated” software to ensure they can safely accept payments, both in-store and online.
Using “PA-DSS Validated” software also supports businesses in their efforts to secure payment card data throughout their systems and networks – which is required by the more comprehensive PCI Data Security Standard (PCI DSS).
PA-DSS version 3.2 aligns with the recent release of PCI DSS version 3.2, both of which address growing threats to customer payment information.
Updates to standards are based on feedback from the PCI Council’s more than 700 global Participating Organizations, as well as data breach report findings and changes in payment acceptance.
Key changes in PA-DSS 3.2 include clarifications to existing requirements and updating requirements to align with PCI DSS v3.2.
The revision also makes updates to the detailed instructions included with vendor products (the “PA-DSS Implementation Guide”), which explain how to configure payment applications properly and in accordance with PCI DSS.
These address procedures for secure installation of software patches and updates, and instructions for protecting cardholder data if using debugging logs for troubleshooting, as these can be exploited during a compromise.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=61a5637afc&e=20056c7556
Cyberattacks can cripple the construction industry
Given the increasing popularity of practices such as Building Information Modeling, Integrated Project Delivery, and file sharing between participants in a construction project, contractors may be at increased risk of liability in the event of a data breach.
A hacker may be able to access architectural designs, including the designs of security systems and features; financial information; confidential project-specific information; and personal information of employees.
A construction company can take several steps to mitigate the risk of a cyberattack and/or data breach.
Internally, the contractor should develop and enforce a Written Information Security Program (WISP), which sets forth a protocol for protecting personal and other sensitive information and complying with regulatory requirements.
The Florida Information Protection Act of 2014, Section 501.171 of the Florida Statutes, governs how covered entities (i.e., any commercial entity that acquires, maintains, stores or uses personal information) must prepare for and respond to data breaches.
Given the increasing frequency of cyberattacks and resulting data breaches, contractors and others in the construction industry should be proactive in order to mitigate the attendant risks.
A coordinated effort between IT, management, and in-house and outside counsel is key to an effective cyber-defense strategy.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=502ac48db4&e=20056c7556
A Look at Breach Notification Laws Around the World
On the data breach front, a lot has changed since 2003.
To take stock of the current state of nations’ data breach notification requirements, my colleagues at Information Security Media Group and I have explored efforts in four regions:
Europe: The EU’s General Data Protection Regulation, which goes into effect in May 2018, includes a number of privacy provisions, including mandatory breach notifications.
Some legal experts say the regulation will serve as a model for other countries (see Mandatory Breach Notifications: Europe’s Countdown Begins).
United States: Some 47 states, three U.S. territories and Washington, D.C., have breach notification laws of varying strength.
But efforts to replace them with a single – and more straightforward – federal law have stumbled, in part because previous efforts would have weakened some states’ current approaches, Eric Chabrow reports (see Single U.S. Breach Notification Law: Stalled).
Australia and New Zealand: Officials in both countries are reviewing mandatory breach notification proposals but have yet to pass any related laws, as Jeremy Kirk reports (see Australia, New Zealand Still Mulling Data Breach Laws).
India: Lacking any mechanism for enforcing a data breach notification law, experts say it’s unlikely the country will see any related laws anytime soon, Geetha Nandikotkur reports (see Why India is Still Not Ready for Breach, Privacy Laws).
Today, nearly 90 countries have data protection laws – or relevant court rulings – on the books, ranging from Angola and Argentina to Venezuela and Zimbabwe, according to the law firm DLA Piper.
But many of those countries still don’t require breached organizations to notify either authorities or the individuals whose personal information was exposed in the event of a breach.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=5955598d71&e=20056c7556
Huge Data Breach Losses Aren’t Forcing Companies to Bolster Security
The cost of even huge data breaches is not enough to convince companies to spend vastly more to bolster IT security, since neither investors nor customers permanently abandon them.
In October 2015, hackers compromised the Website of British telecommunications firm TalkTalk, likely using one of 11 known vulnerabilities in the site to steal the personal details of 157,000 customers, including bank-account information on more than 15,000 people.
Earlier this month, the bill for the lapse in security came due: The company saw its profits decline by more than half in the first quarter of 2016.
In its annual report released in February, the company revealed that it lost 95,000 subscribers and attributed more than £55 million (US$80 million) in losses to the hack, including the “exceptional costs of restoring our online capability with enhanced security features, associated IT, incident response and consultancy costs, and free upgrades” that the company offered to retain customers.
While the sacking of CEOs has certainly drawn the attention of executive teams and boards, the financial penalties of breaches tend to be short-lived and easily subsumed by most large companies.
When hacker Albert Gonzales stole information on nearly 100 million credit and debit cards from Heartland Payment Systems in 2009, the company lost more than 75 percent of its stock value in three months.
Yet the price bounced back, and now its stock is up nearly 500 percent since that time.
And, in spite of the $80 million in losses, TalkTalk’s breach costs only cut into profits and did not result in an overall fiscal-year financial loss for the company.
In fact, the company’s efforts to provide customer incentives resulted in churn reaching an all-time low in the last quarter of 2015.
Two trends, however, will raise the stakes for both breached companies and their victimized customers.
First, information that is not easily changed or replaced, such as Social Security numbers, is increasingly targeted by hackers.
In 2015, for example, nearly 165 million records containing Social Security numbers were compromised in 338 breaches.
The second trend is that companies are collecting more and different kinds of personal information about their users.
For example, home video cameras frequently connect to a cloud service to store video.
Attackers could easily gain information on consumers through a breach of such a service.
Other devices that are part of the Internet of things—from heart monitors to GPS-enabled trackers—will only accelerate this trend.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=df02dad055&e=20056c7556
IT security skills remain in high demand
IT security tops the list of the skills that IT decision-makers say they want their team members to have, according to a new report by Global Knowledge, based on input from more than 10,000 IT and business professionals in North America.
Other in-demand skills include cloud computing, IT architecture, and network and systems engineering and operations.
One in three IT decision-makers reported having difficulty finding skilled talent to fill cybersecurity positions, while one in five reported difficulty filling cloud-related roles.
Sixty-two percent of IT decision-makers said their teams currently have measurable skills gaps or will likely have them within the next two years, and 70 percent said the gaps create increased stress on existing employees.
Three-fourths of this year’s IT respondents said they use professional development to build new skills, and half said preparing for a career certification or specialist exam is a top motivator.
More than 45 percent of those who did not train in the previous year blamed a lack of funds.
IT decision-makers who responded said the lack of training funds is also one of the driving reasons behind skills gaps in IT departments.
Seventy percent of application developers use one or more programming languages—six different languages on average.
More than 60 percent of the developers who responded said they use JavaScript, SQL and some version of HTML.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=6eb272d22d&e=20056c7556
Windows 10 Build 14352 lets Windows Insiders run two antivirus programs on their PC
If you install a third-party antivirus program, you can let it run as a real-time defense against all sorts of malware.
The new feature, called Limited Periodic Scanning, allows Windows Defender to run periodically as well.
Microsoft claims to scan 500 million devices each month for malware, and Windows Defender catches malware on 1 to 2 million of those at any given time.
Historically, security experts have warned against running multiple antimalware programs at any one time.
It’s unclear whether Limited Periodic Scanning—which can be toggled off—will cause any additional headaches, or prove to be a good thing.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=071c7226d5&e=20056c7556
EU member states should stress-test banks’ cyber risks
BEIJING, May 28 — Domestic authorities in European Union member states should stress-test their financial institutions for cyber risks, a top EU supervisor said, saying banks might be required to hold extra capital as a buffer against what is an emerging threat.
Speaking to Reuters in Beijing today, Andrea Enria, chairman of the European Banking Authority (EBA), said cyber security had become an important issue for EU member states.
He called on domestic regulators to stress-test local banks to understand the possible risks.
“I would not run a massive cyber-risk attack scenario for 28 member states at the same time,” said Enria. “But if you ask me would I recommend competent authorities to think more on this and consider running this type of stress test, I would say yes.”
The EBA operates as a pan-EU regulator, writing and coordinating banking rules across the 28-country bloc.
“We are developing guidelines on IT risk, which are under the Pillar 2 framework — so how to assess cyber risk and how to assess the mitigating measures that banks are putting into place and, if shortcomings are identified, which types of measures supervisors can take under Pillar 2, including additional capital requirements,” said Enria.
The guidelines will be published by the EBA for public consultation later this year, Enria said.
“We are also discussing possible agreements on the regular exchange of information and cooperation at the supervisory level between the European and Chinese authorities,” said Enria. — Reuters
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=b2a793f391&e=20056c7556
ITC Launches Investigation Into Chinese Hacking Of U.S. Steel Corp
The U.S. International Trade Commission has officially started an inquiry into the hacking and theft of trade secrets from United States Steel Corporation (NYSE:X), allegedly by Chinese hackers.
China’s largest steel-producing province has ordered production cuts due to air pollution.
U.S. regulators on Thursday officially launched an investigation into complaints by United States Steel Corp. that Chinese competitors stole its secrets and fixed prices, in the latest trade spat between the two countries.
The International Trade Commission said in a statement that it has not made any decisions on the merits of the case.
The commission identified 40 Chinese steel makers and distribution subsidiaries as respondents, including Baosteel Group, Hebei Iron and Steel Group, Wuhan Iron and Steel Co Ltd., Maanshan Iron and Steel Group, Anshan Iron and Steel Group and Jiangsu Shagang Group.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=cc1593163c&e=20056c7556
48% of respondents’ organisations still lack key cyber security personnel, says DarkMatter poll
DarkMatter, an international cyber security firm headquartered in the UAE, has found that 48% of respondents to its DarkMatter Cyber Security Poll say their organisations do not have a senior management executive assigned to oversee cyber security, while 46 per cent of respondents said their organisations did not have a Board-level representative responsible for cyber security.
The statistics are extracted from a poll conducted by DarkMatter during the Gulf Information Security Expo & Conference (GISEC) 2016 held in Dubai, at which the company was the Cyber Security Innovation Partner.
DarkMatter was able to poll the answers of over 200 information and communication technology (ICT) visitors present at the event, with the aim of the exercise being to identify attitudes held by enlightened ICT professionals towards the role of cyber security in modern, highly digitised economies, and the state of their organisations’ cyber threat resilience.
The poll identified that 23 per cent of respondents believe that their organisations have been victim to an internal cyber security breach, while 32 per cent believe their organisations have fallen victim to an external attack.
This suggests external threats pose a greater threat to organisations’ digital assets than internal ones, with a further poll result indicating 46 per cent of respondents believe cyber security breaches are most often the result of human factors.
34% of respondents said if their organisation was to experience a cyber security incident, they did not believe it possessed sufficient network monitoring capabilities to identify the breach in a timely fashion.
Further, 49 per cent of respondents said they believed cyber security is ultimately the responsibility of the original equipment manufacturer (OEM) more than it is the organisation using it, which is a cause for concern as it may result in companies abdicating the responsibility of actively defending their data assets.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=ce37610670&e=20056c7556
SWIFT Eyeing New Tools to Spot Bank Fraud
London: The SWIFT secure messaging service, which banks use to transfer money around the world, outlined on Friday areas in which it hopes to improve security, following attacks in which hackers stole millions of dollars from banks in Bangladesh and Ecuador.
SWIFT said on Friday it would consult its users, which are also its owners, about new measures, including the potential to develop new tools that could allow it to spot fraudulent payment instructions.
In future it may seek to check inside the messages to ensure payment instructions are consistent with customers’ normal account patterns — akin to the checks retail banks conduct to spot unusual credit card transactions.
SWIFT said it will also look into requiring customers to use existing security measures, such as two-factor authentication of payment instructions, which are currently optional on the system.
The group will also look at developing new audit frameworks such that larger banks offering correspondent banking services can confirm that their clients — often in developing countries — have appropriate security measures in place around their SWIFT terminal.
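The kind of consistency check described above, in which a payment instruction is compared against the ordering account’s normal pattern before it is released, can be sketched in a few lines. This is an added example, not SWIFT’s code or design: the instruction fields, the history of past instructions, the thresholds and the account and beneficiary identifiers are all constructed here for illustration.

```python
"""Consistency checks on payment instructions (added example).

Assumptions (not from the article): the instruction fields, the history of past
instructions and the thresholds below are constructed for illustration only.
"""
from statistics import mean, pstdev

# Constructed history of previously settled instructions per ordering account.
HISTORY = {
    "ACC-001": [
        {"beneficiary": "BEN-A", "amount": 12000.0, "currency": "USD", "hour": 10},
        {"beneficiary": "BEN-B", "amount": 9500.0, "currency": "USD", "hour": 11},
        {"beneficiary": "BEN-A", "amount": 15000.0, "currency": "USD", "hour": 14},
        {"beneficiary": "BEN-A", "amount": 11000.0, "currency": "USD", "hour": 9},
    ],
}


def build_profile(instructions):
    """Summarise an account's past instructions into a baseline profile."""
    amounts = [i["amount"] for i in instructions]
    return {
        "beneficiaries": {i["beneficiary"] for i in instructions},
        "currencies": {i["currency"] for i in instructions},
        "hours": {i["hour"] for i in instructions},
        "mean": mean(amounts),
        "stdev": pstdev(amounts),
        "max": max(amounts),
    }


def check_instruction(account, instr, history=HISTORY, z_limit=3.0, max_factor=2.0):
    """Return the list of ways an instruction deviates from the account's pattern.

    An empty list means the instruction is consistent with past behaviour.
    """
    past = history.get(account, [])
    if not past:
        return ["no history for account"]
    p = build_profile(past)
    reasons = []
    if instr["beneficiary"] not in p["beneficiaries"]:
        reasons.append("new beneficiary")
    if instr["currency"] not in p["currencies"]:
        reasons.append("unusual currency")
    # Hard ceiling first, then a statistical outlier test relative to history.
    if instr["amount"] > max_factor * p["max"]:
        reasons.append("amount exceeds %.0fx historical max" % max_factor)
    elif p["stdev"] > 0 and (instr["amount"] - p["mean"]) / p["stdev"] > z_limit:
        reasons.append("amount is a statistical outlier")
    # Allow an hour either side of any hour the account has used before.
    if not any(abs(instr["hour"] - h) <= 1 for h in p["hours"]):
        reasons.append("outside usual instruction hours")
    return reasons


def decision(reasons):
    """Hold anything that deviates so it can be confirmed out of band."""
    return "hold for review" if reasons else "release"


if __name__ == "__main__":
    # Constructed instructions: one routine, one that deviates on every axis.
    routine = {"beneficiary": "BEN-A", "amount": 13000.0, "currency": "USD", "hour": 10}
    odd = {"beneficiary": "BEN-Z", "amount": 81000.0, "currency": "USD", "hour": 3}
    for instr in (routine, odd):
        r = check_instruction("ACC-001", instr)
        print(decision(r), r)
```

The hard ceiling and the z-score test are deliberately separate: a single very large instruction should be held regardless of how noisy the account’s history is, while the outlier test catches amounts that are merely unusual for that account.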
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=8fdb07adfa&e=20056c7556
A Dire Lack of Knowledge about Ransomware Exists Despite Record Number of Infections
Evidently, the lack of knowledge about ransomware as a kind of malware explains why many PC users have no idea how it can be tackled.
Among the survey participants, 25% said a ransomware infection was best eliminated by taking the PC offline, which is not actually a solution.
The same group also believed that ransomware does not steal credit card information, Social Security numbers or bank account details.
Further, they believed that even if it encrypted the folders holding that information, PC owners could always recover it from offline sources.
It is therefore no wonder that such a large number of users fall victim to ransomware infections today.
The majority know hardly anything about it, let alone how to prevent it or stay clear of the places from which it is distributed.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=e866bd73a1&e=20056c7556
Lloyds: cyber attacks down by up to 90pc
Lloyds Banking Group has seen an 80pc to 90pc drop in cyber attacks as online criminals and fraudsters have switched their attention to other industries.
Business group TheCityUK warned that 75pc of fraud is now online, often through malicious email scams, indicating the scale of fraud shifting into the digital world.
Yet Lloyds’ digital boss Miguel-Ángel Rodríguez-Sola said there has been a sudden drop in cyber attacks on banks.
“There had been an increase in the UK in terms of cyber attacks, between June and February this year,” he said, noting that denial of service (DDOS) attacks became particularly common.
“We needed to replan our digital development to make sure that we put in new defences, more layers. [The number of attacks] is now one-fifth or one-tenth of what it was last year,” he said.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=8f0200d009&e=20056c7556
Retail Security Risks: 2016 Midyear Roundup
The numbers are in: According to a new BDO report, a possible security breach is the biggest retail security risk, tied for the top spot with “general economic conditions.”
As noted by Graham Cluley, retailers face a particular subset of threats.
While large-scale distributed denial-of-service (DDoS) attacks often make headlines for their impact on big companies, just 5 percent of retailers come under fire from DDoS salvos.
Why?
Because it’s in the best interest of cybercriminals to keep the flow of transactions moving; shutting down retail sites and network-connected point-of-sale (POS) machines means nothing to steal and no data to compromise.
As 2016 rolls toward its halfway point, what threats are top of mind for retailers?
According to SC Magazine, POS malware AbaddonPOS is again making the rounds — aimed specifically at retailers.
First discovered in October 2015, it takes the form of an email campaign designed to drop TinyLoader and then the malware.
The emails are highly personalized, with recipients’ names, key company details and better-than-average grammar.
In addition, the message displays an active spinner, which is typical of content loading in progress.
Retailers also face another problem: perception.
According to Retail Dive, new research from Tripwire showed a worrisome trend: Companies are overconfident in their ability to detect data breaches.
While 90 percent of those asked said they could detect a critical data breach in less than a week and 75 percent said they could do it in just 48 hours, only 55 percent of IT pros at firms with more than $100 million in revenue said they checked security compliance “at least weekly.”
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=91777d2fe4&e=20056c7556
Cybercrime Hit Businesses Hardest in 2015, says IC3 Report
Businesses were hit hardest by inbox-based scams in 2015 that robbed U.S. companies of $263 million.
The numbers come from the FBI’s recently released 2015 Internet Crime Report that tallies the types of cybercrimes hitting U.S. business and individuals the hardest.
According to the FBI, its Internet Crime Complaint Center (IC3) received 288,012 complaints last year with total losses of $1.07 billion.
By a longshot, Business Email Compromise (BEC) crimes overshadow all other types of crimes looked at by the FBI in 2015.
Classified as BEC, these crimes encompass business hit by inbox-based financially motivated scams based on social engineering and computer intrusion techniques resulting in financial loss via unauthorized transfers of funds.
“Victims were instructed through spoofed emails, intercepted facsimiles, or telephone communications to redirect invoice remittance payments,” read the report (PDF).
In 2015, the IC3 received 7,838 BEC complaints with losses of over $263 million, the FBI reported.
States losing the most to Business Email Compromise attacks were California ($64.5M in losses), New York ($23.5M in losses) and Florida ($19.6M in losses).
But comparing the cost of BEC crimes to the aggregate cost of other crimes, it wasn’t the states with the biggest dollar figure losses that were hit the hardest.
For example, BEC crimes represented 47 percent of all losses to cyber-crime in South Carolina in 2015.
That was followed by Nebraska (45 percent), Michigan (43 percent) and New York (41 percent).
Personal data breach losses hit almost $43 million in 2015 based on about 20,000 complaints.
By contrast, there were nearly 2,500 complaints about corporate data breaches, with total reported losses of $39 million.
Identity theft losses totaled $57 million, and bogus investment scam losses reached $119 million in 2015.
Exploit-related losses to victims included $1.6 million tied to 2,453 ransomware complaints.
Phishing and related email scams to individuals added up to $8 million in losses and malware/scareware losses to individuals totaled $3 million.
Lastly, virus losses totaled $1.2 million and DoS attacks were attributed to just under $3 million, according to the FBI’s 2015 Internet Crime Report.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=7a3eea3caa&e=20056c7556
Prioritising threat intelligence
Steven Rogers advises steps that will allow security teams to prioritise threats based on relevant threat intelligence.
1. Begin with country blocking. The OFAC (Office of Foreign Assets Control) list is the best place to start.
2. Block high-fidelity URL based IOCs (indicators of compromise).
3. Block specific malicious domain-based IOCs (indicators of compromise).
4. End-user education is a key line of defence.
5. “If you see something say something.”
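Steps 1 to 3 above form a prioritised blocking pipeline: country-level blocks first, then exact URL indicators, then domain indicators. The following is an added example, not code from the article or from Steven Rogers, of how such a pipeline can be run over proxy log lines so that hits surface in that priority order. Everything in it is constructed: the log format, the IP-to-country table standing in for a GeoIP database, the placeholder country codes (a real deployment would populate the blocked set from the OFAC list the article names), and the sample URL and domain indicators, which use reserved example names and are not real IOCs.

```python
"""Prioritised IOC matching over proxy log lines (added example).

Assumptions (not from the article): the log format, the IOC lists, the
IP-to-country table and the blocked-country set are all constructed here.
"""
import ipaddress
from urllib.parse import urlsplit

# Tier 1: country blocking. Placeholder codes only; populate from the OFAC list.
BLOCKED_COUNTRIES = {"XA", "XB"}

# Constructed IP-to-country table standing in for a GeoIP database.
GEOIP = [
    (ipaddress.ip_network("203.0.113.0/24"), "XA"),
    (ipaddress.ip_network("198.51.100.0/24"), "US"),
    (ipaddress.ip_network("192.0.2.0/24"), "GB"),
]

# Tier 2: high-fidelity URL IOCs, matched exactly after canonicalisation.
URL_IOCS = {"http://cdn.bad-update.example/pkg/loader.bin"}

# Tier 3: malicious domains; subdomains of a listed domain also match.
DOMAIN_IOCS = {"bad-update.example", "c2.invalid"}


def country_of(ip):
    """Look up the country code for an IP in the constructed table."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEOIP:
        if addr in net:
            return cc
    return None


def normalize_url(url):
    """Canonicalise for exact matching: lowercase scheme and host, default path '/'."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    return f"{parts.scheme.lower()}://{host}{path}"


def domain_matches(host, iocs):
    """True if host equals an IOC domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in iocs)


def classify(dst_ip, url):
    """Return (tier, reason); tier 1 is the highest priority, 0 means allow."""
    cc = country_of(dst_ip)
    if cc in BLOCKED_COUNTRIES:
        return 1, f"country {cc}"
    if normalize_url(url) in {normalize_url(u) for u in URL_IOCS}:
        return 2, "url ioc"
    if domain_matches(urlsplit(url).hostname or "", DOMAIN_IOCS):
        return 3, "domain ioc"
    return 0, "allow"


def triage(lines):
    """Parse 'timestamp src dst url' lines; return hits sorted by tier, then time."""
    hits = []
    for line in lines:
        ts, src, dst, url = line.split()
        tier, reason = classify(dst, url)
        if tier:
            hits.append((tier, ts, src, dst, url, reason))
    return sorted(hits)


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2016-05-30T09:00:01 10.1.1.5 198.51.100.7 http://intranet.example/index.html",
    "2016-05-30T09:00:02 10.1.1.9 203.0.113.40 https://news.example/feed",
    "2016-05-30T09:00:03 10.1.1.5 198.51.100.8 http://cdn.bad-update.example/pkg/loader.bin",
    "2016-05-30T09:00:04 10.1.1.7 192.0.2.10 http://beacon.c2.invalid/ping",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit)
```

Note that the third sample line matches both a URL indicator and a domain indicator; it is reported once, at the higher-fidelity URL tier, which is the point of ordering the checks rather than running them independently.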
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=c5c62420ab&e=20056c7556
ICIT Explains NIST Guide Impact on Healthcare Cybersecurity
The National Institute of Standards and Technology (NIST) recently released its second draft of “Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure System” (SP 800-160).
In an effort to help organizations across the board better understand the document, the Institute for Critical Infrastructure Technology (ICIT) published a condensed review of SP 800–160.
ICIT Co-founder and Senior Fellow James Scott explained that the purpose of the condensed review was to highlight key issues for entities and ensure that they understand how the guide can apply to them.
It should be viewed as a set of strategies, more of a checklist or starting point that organizations can use to introduce a cyber-hygienic and security-centric culture.
It can also assist in creating best practices for entities.
One of the main reasons that hospitals and healthcare organizations are highly sought after targets is that their attack surfaces are so massive, according to Scott.
In many cases, those surfaces are also unprotected.
“The sheer liquidity and capitalization that the adversary has on a successful exploit is also a factor,” he said. “By applying SP800-160, and having a relationship with the device vendor to secure lifecycle security of that device, can help make sure that cybersecurity was taken into consideration before the planning, manufacturing of that device.”
Another key aspect of SP800-160 is informing staff members, he added.
Employees at all levels need to be following proper healthcare cybersecurity guidelines, otherwise the entire organization could be put at risk.
“The good news is, there’s tons of tools and frameworks out there that can help you minimize the attack surface or threat,” Scott maintained. “I think that’s something that from a psychological perspective, might open up individuals’ minds to actually say, ‘Okay, I’m going to try reading this document. I’m at least going to try.’”
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=8829add919&e=20056c7556
Data security is the most significant risk facing in-house counsel today
New research from Kroll Ontrack’s 2016 Corporate Risk survey suggests that in-house counsel perceive their organization’s data as more protected than it really is, with respondents reporting data security as the most significant risk facing modern corporations.
In fact, though 76 percent of the 170 corporate, in-house counsel surveyed believe that effective safeguards are in place protecting their organizations’ intellectual property, the survey found that: 59 percent of the organizations’ data breach or Incident Response (IR) plans are inadequate or non-existent; 41 percent reported that their company’s IR plan is regularly updated and tested; and 20 percent say that they never discuss data security issues with their organization’s head of technology.
Tom Barce, director of consulting at Kroll Ontrack sat down with Inside Counsel recently to talk to us about these cyber security and data privacy insights.
Although organizations are making progress, there is still a gap in understanding between in-house counsel and IT.
According to Barce, many in-house counsel either do not have enough or the right information, or the information they do have is not in a format they can digest.
So, in turn, they do not have a realistic view into the organization’s data management practices.
Barce said, “It boils down to the fact that consumer technology for personal use tends to be nimble and easy.
Meanwhile, corporations have to manage much more and that scale can create inefficiencies and frustration with technology.
IT leadership needs to strike the right balance to protect the company while empowering individuals.”
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=ebb29ce0b2&e=20056c7556
How Security And IT Teams Can Get Along: 4 Ways
You’ve heard it all before: there’s a glaring disconnect between the goals of the information security team and the IT group.
But the rapid-fire evolution of both technology and cyberthreats could be just what ultimately unites them.
1) Integrate software development and security analysts teams.
2) Focus on the right metrics.
3) Security teams should operate like a consulting business.
4) Decouple security controls from IT technology.
Security is best known for saying “no,” Boison says.
But it’s time to change the conversation: security pros should think of the IT implications, and IT pros about the security implications.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=05ac41eeea&e=20056c7556
Got $90,000? A Windows 0-Day Could Be Yours
How much would a cybercriminal, nation state or organized crime group pay for blueprints on how to exploit a serious, currently undocumented, unpatched vulnerability in all versions of Microsoft Windows?
That price probably depends on the power of the exploit and what the market will bear at the time, but here’s a look at one convincing recent exploit sales thread from the cybercrime underworld where the current asking price for a Windows-wide bug that allegedly defeats all of Microsoft’s current security defenses is USD $90,000.
The $90,000 Windows bug that went on sale at the semi-exclusive Russian language cybercrime forum exploit[dot]in earlier this month is in a slightly less serious class of software vulnerability called a “local privilege escalation” (LPE) bug.
This type of flaw is always going to be used in tandem with anoth