[From the desk of Paul Davis – his opinions and no-one else’s ]
Phew, RSA is over.
* Trillium Mutual Launches Data Breach and Cyber Coverage for Agriculture and Commercial Lines
* European Commission presents EU-US Privacy Shield
* CISOs Still Frozen Out of the Boardroom
* Sweden no longer on high terror threat alert
* A major red flag about security could threaten the entire IoT
* Is your Security Awareness Program Culturally Sensitive? (And does it matter?)
* Belden : 4 Ways to Ensure Network Physical Security
* Just One Quarter of UK Directors Report Cybercrime
* How email continues to grow and thrive
* Abu Dhabi gears up for cyber crime summit
* Cybersecurity no longer merger afterthought
* Security Think Tank: Access control is key to protecting against cyber attacks
* How hackers attacked Ukraine’s power grid: Implications for Industrial IoT security
* Using Converged Architecture for Disaster Recovery
* Vigilant Cybersecurity Requires a Security Operations Center
* DHS preps final RFP for NextGen security operations
* How does the security operations center fit in SDN?
* SC Magazine Survey Shows Network Visibility as a Top Priority for Security Professionals
* Opinion: Cybersecurity needs less talk, more action
* Top Three Security Themes at RSA Conference 2016 (Video)
* Espionage Malware, Watering Hole Attacks Target Diplomats – See more at: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=fd3ce4e06e&e=20056c7556
* Five Tips for the Future Federal CISO
* Spamhaus Presents: The World’s Worst Top Level Domains
* Apple users hit with first ‘ransomware’ attack on Macs over weekend
* The incident response process is on the clock
* Financial industry target in 10 data breach scenarios
* Make threat intelligence meaningful: A 4-point plan
* Review: Becoming a Global Chief Security Executive Officer
* Security Training for Developers Failing to Keep Up With Threats
Trillium Mutual Launches Data Breach and Cyber Coverage for Agriculture and Commercial Lines
March 3, 2016, LISTOWEL ON, – Trillium Mutual Insurance Company is pleased to announce that it has partnered with The Boiler Inspection and Insurance Company of Canada (HSB BI&I) to launch two new products designed specifically for small to medium sized commercial and agricultural operations.
Data Compromise Coverage helps businesses notify and assist affected individuals following a breach of personally identifying information.
This coverage provides indemnity for first party expenses as well as third party costs of defence, settlement and judgement.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=9513b42436&e=20056c7556
European Commission presents EU-US Privacy Shield
The European Commission – the executive body of the European Union – issued the legal texts that will put in place the EU-US Privacy Shield, a new framework for protecting the fundamental rights of Europeans where their data is transferred to the United States and ensure legal certainty for businesses.
The new framework reflects the requirements set by the European Court of Justice in its ruling from 6 October 2015.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=16444e7141&e=20056c7556
CISOs Still Frozen Out of the Boardroom
According to a study by ISACA and RSA Conference, 82% of cybersecurity and information security professionals polled in the survey report that their board of directors is concerned or very concerned about cybersecurity, but only one in seven (14%) CISOs reports to the CEO.
This gap between belief and actions at the highest levels of management is playing out in an environment where 74% of security professionals expect a cyber-attack in 2016 and 30% experience phishing attacks every day, according to the ISACA/RSA Conference State of Cybersecurity study.
“While there are signs that C-level executives increasingly understand the importance of cybersecurity, there are still opportunities for improvement,” said Jennifer Lawinski, editor-in-chief, RSA Conference. “The majority of CISOs still report to CIOs, which shows cybersecurity is viewed as a technical rather than business issue.
This survey highlights the discrepancy to provide an opportunity for growth for the infosec community in the future.”
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=6865349a59&e=20056c7556
Sweden no longer on high terror threat alert
Sweden’s Security Service said it had decided to move the country back down to a lower threat level after consulting with the country’s military and intelligence agencies.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=9daec29252&e=20056c7556
A major red flag about security could threaten the entire IoT
AT&T’s Cybersecurity Insights Report, which included a survey of more than 5,000 enterprises worldwide, found that 85% of enterprises are in the process of or are planning to deploy IoT devices, but only 10% feel confident that they can secure those devices against hackers.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=2a0509ea6c&e=20056c7556
Is your Security Awareness Program Culturally Sensitive? (And does it matter?)
A security awareness program is probably the first line of defense against modern threats to IT systems and company data.
Although more and more advanced technical measures must always be in place to ensure the detection and, if possible, the prevention of intrusions, it is extremely important for businesses to make sure employees are aware of possible threats and of how some of their actions could result in severe vulnerabilities for their employer.
An organization’s security culture depends on the identification of proper ICT policies based on risk assessment and management, and in taking a holistic view that includes communicating and holding accountable everyone for procedures in place across the organization; it needs to ensure that all essential personnel are aware of how to avoid security-related incidents, as new threats and vulnerabilities, data breaches as well as attack patterns trends are always emerging.
It is important for everyone in the business to understand their roles and responsibilities in such situations that often require them to make good judgment decisions quickly.
They shall know what to do and what actions to take when a security incident does happen, but they should also be able to recognize signs that something is not right.
Therefore, investing in security awareness training is worth the time and money, as it mainly helps to do just that to reduce risk and prevent material losses.
All users can become human-centric controls for an effective defense thanks to consistent “security awareness training (SAT),” which can be achieved through both formal and informal programs, that educate every staff members in the workplace to understand the ICT risks and make better security decisions.
Being culturally sensitive doesn’t mean simply translating content into the local language, but it means to recognize what issues are important to the groups targeted and on what issues or information could a possible intruder leverage to solicit information from employees.
In fact, for example, as spear phishing techniques become more advanced, and intruders become smarter in crafting realistic e-mails, they could exploit the eagerness of some employees to respond quickly to a customer inquiry or to comply immediately with a request from an official.
In some countries, privacy laws might be stricter, and a request for personal information would quickly flag a potential problem while in other nations, a request coming from a colleague even of the most sensitive nature would be honored without questions.
The study by the Center for Information Systems and Technology, Claremont Graduate University shows that “Increasing globalization trends and the decreasing costs of technologies and communication make global expansion a viable solution for many information technology (IT) organizations.
It is crucial for companies with multiple worldwide locations to take an intercultural perspective to address employee needs and attitudes towards information security (InfoSec) training programs and compliance with InfoSec best practices.
If cultural differences are well understood in advance, the organization can tailor its security training to increase comprehension and adoption by a global workforce.”
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=f3e3f71cf9&e=20056c7556
Belden : 4 Ways to Ensure Network Physical Security
In this blog post, we outline ways to secure your network by ensuring data center physical security.
In the future, watch for blogs about logical network security, as well as a blog about the structured cabling necessary to support data center and network physical security.
Protect the Perimeter
Control Access to the Facility
Monitor the Entire Site
Provide Security at the Cabinet Level
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=3b3a7c3389&e=20056c7556
Just One Quarter of UK Directors Report Cybercrime
The UK’s businesses are massively under-reporting cybercrime and are woefully inequipped to deal with attacks despite being aware of the risks, according to a new Institute of Directors (IoD) study.
The research, culled from interviews with nearly 1000 IoD members, revealed that just 28% have reported an incident to the police despite half (49%) of attacks resulting in disruption to the business.
Some 91% said cybersecurity is important but only half (57%) have a formal plan in place to defend against attacks; a similar number (49%) said they provide awareness training to staff and just one fifth have taken out cyber insurance.
A disappointing 68% of IoD members interviewed said they’d never heard of the government’s national fraud and cybercrime reporting center Action Fraud.
In fact, even the IoD report erroneously refers to the center as ‘Action Fraud Aware.’
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=074cac5ccd&e=20056c7556
How email continues to grow and thrive
Email has been with us for about 45 years, since the first such electronic message was sent in 1971.
The death of email was first predicted in 1989.
Last year, Swinburne University launched the first national survey of 1,000 people about their email use.
Far from being in its death throes, what we found is that email dominates the workplace and, perhaps surprisingly, still rates against social media as a platform for personal communication.
Eight in ten of employed Australians generally have separate accounts for work and personal use.
Despite this, nearly four in ten people said they do send some personal emails from their work account.
Nearly a half of those in the workforce check their email every hour or more often while a further 45% check several times a day.
Email and face-to-face talking are in close competition as the most frequently used mode of communication at work, with 84.1% using email “often or quite often” compared to 85.6% for face-to-face.
In our survey, 56% of people felt their employer should not have the right to access their email accounts.
While 41.3% of respondents felt concerned about email privacy and security only 13% used encryption software.
But it’s not all about workplace surveillance.
Email is still a key method to keep in touch with friends and family with 66% using it for this purpose and nearly a half sharing photographs via email.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=2a0f4647e3&e=20056c7556
Abu Dhabi gears up for cyber crime summit
The 6th International Cyber Crime Conference will launch on March 16 at Abu Dhabi National Exhibition Centre, said organisers of the International Exhibition of National Security and Resilience (ISNR) Abu Dhabi 2016.
Organized by the UAE Ministry of Interior and the Institute of Training and Judicial Studies, the event will run until March 17.
The conference will bring together members of the judiciary, police and security agencies, university professors and law students, information technology, and legal advisers across government and non-government agencies, public and private technical institutions, and community organizations.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=ab4a3bb788&e=20056c7556
Cybersecurity no longer merger afterthought
As little as four years ago, only about a third of companies considered cybersecurity when planning a merger.
Today, that percentage has flipped.
“It’s absolutely a risk that people are talking about,” said Stephen Boyer, CTO and co-founder at security vendor BitSight Technologies
In fact, unless a breach involved personally identifiable information, a company may not have had to report it at all.
It “would be nuts” to rely just on public reports, Pescatore said.
“They send audit teams in for finance, and they should send audit teams in for security as well,” he said.
One common mistake with a merger is to handle the cybersecurity via a checklist, said JB Rambaud, managing director at risk management consulting firm Stroz Friedberg, LLC.
The due diligence team needs to have the expertise to be able to delve into the small details, he added. “This is too material to be skipped over.”
In the lead-up to a merger as well as during and immediately afterwards, employees will expect to get questions and communications from people they don’t know, including auditors, consultants, and employees at the other company.
Privileged users in particular should expect to get targeted, sophisticated attacks, said Pescatore.
Odds are that the cybersecurity insurance policies at the two merging companies are not the same.
In fact, some companies don’t have any cyberinsurance in place at all, said SANS Institute’s Pescatore.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=1cdbdf1696&e=20056c7556
Security Think Tank: Access control is key to protecting against cyber attacks
Relevant certifications (ISO 27001, ISO 27018, PCI DSS, and so on) of internal systems for third parties should be leveraged, with consideration given to techniques such as software-defined networks to segment supplier access.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=7908964b23&e=20056c7556
How hackers attacked Ukraine’s power grid: Implications for Industrial IoT security
The initial breach of the Ukraine power grid was — as so often in cyberattacks — down to the human factor: spear-phishing and social engineering were used to gain entry to the network.
Once inside, the attackers exploited the fact that operational systems — the ones that controlled the power grid — were connected to regular IT systems.
The Ukraine attacks show how vulnerable the industrial control systems in the IIoT can be — but how widespread is the problem.
The annual reports from ICS-CERT (Industrial Control Systems Cyber Emergency Response Team) give a good indication of recent trends in the US.
In the 2015 financial year (October 2014-September 2015), ICS-CERT responded to 295 reported incidents, up from 245 the previous year and more than six times as many as were reported back in 2010:
ICS-CERT said that “there were insufficient forensic artifacts to definitively identify an initial infection vector” in 38 percent of last year’s incidents, with spear-phishing the most prevalent identifiable initial infection vector:
The survey canvassed 314 organisations worldwide, 78 percent of which were in the US.
Headline findings were:
32 percent indicated that their control system assets or networks had been infiltrated at some point
34 percent of those infiltrated believed their systems had been breached more than twice in the previous 12 months
15 percent reported requiring more than a month to detect a breach
44 percent were unable to identify the source of the infiltration
42 percent saw external actors as the number-one threat vector
There’s certainly no place for a head-in-the-sand attitude, as Alert Logic’s Cassidy points out: “Unfortunately, manufacturing environments, because of the nature of their business, do tend to be an easier target because they’re not normally the types of organisations that have seen threat activity.
For that reason, you can get too complacent in an organisation like that and think, ‘it won’t happen to me’.”
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=93822d72cb&e=20056c7556
Using Converged Architecture for Disaster Recovery
Despite the importance of efficient, effective, affordable, compliant disaster recovery tools and practices, many companies are falling short.
Consider these statistics:
22% of organizations still use tape and offsite storage as their primary disaster recovery methods
3 out of 4 businesses get a failing grade for disaster recovery
The average cost of one hour of downtime is $84,000
The average time to recover after a disaster is 18.5 hours
Instead of traditional disaster recovery strategies, which include labor-intensive offsite tape or disk storage that require complex synchronization processes with a secondary site, the converged way is simpler.
For one thing, it typically includes replications and snapshots, features that enable these systems to access copies of critical virtual machines over to the remote location.
It also reduces the number of separate pieces and processes involved, simplifying installation, configuration and ongoing management.
In addition, hyperconverged infrastructures are modular, so companies can start out small and grow by adding additional appliances.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=88f075bc0e&e=20056c7556
Vigilant Cybersecurity Requires a Security Operations Center
To combat the new cyber attack methods, companies need to invest in a security operations center (SOC).
A SOC is a team of people whose sole mission is to review alerts and analyze logs and is critical to ensuring that a company has a comprehensive view of cybersecurity.
A proper SOC can answer the question, “Am I safe?” It ensures that all your security systems are operating at peak performance.
When a company does get breached, which his inevitable, the SOC can identify the breach, help remediate, and ensure that the breach is confirmed as fixed.
No organization that cares about it’s IT infrastructure should be without a SOC.
There are alternatives to the do it yourself approach.
You can hire a managed security service provider (MSSP) to manage a SIEM for you, but all you have done is moved the work and effort of DIY to a third party who does not know your business.
All the same challenges remain.
Most MSSPs require a significant up-front free or a long-term commitment because the start-up costs are the same as DIY.
SOC-as-a-service is a better option than an MSSP.
A SOC, staffed with security experts, includes automation technologies, forensic tools and robust processes to detect, identify and respond to cyber threats.
With the many options out in the market today, the following service features are what differentiates a best in class service.
Dedicated security engineer
Fast deployments without significant resource requirements
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=45b96fd8db&e=20056c7556
DHS preps final RFP for NextGen security operations
The final request for proposals for a new contract to support the Department of Homeland Security’s internal security operations will be here in March, according to procurement officials.
The Next Generation Security Operations Center (NextGen SOC) contract will give the DHS CISO access to cybersecurity support services, with a focus on securing the networks at the Office of the CIO, National Protection and Programs Directorate and Science and Technology Directorate, among others.
The final contract will have a ceiling of $395 million over seven years, with a base of one year and six additional one-year options.
Individual task orders will range from a minimum of $1,000 to a maximum of $10 million.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=7308511a93&e=20056c7556
How does the security operations center fit in SDN?
Software-defined networking promises to ease and speed change in the network, especially the data center network.
That’s good for company agility and making sure the network can keep up with the pace of change the business can set.
But it could be bad for risk management and security if it is not done right.
The security operations center therefore needs to get into the SDN act from day one.
So it may be with SDN, if IT is not careful.
This will not be on the actual security side — network engineers and admins will be able to recreate and even improve on protections they have in place now.
It will be on the security operations side that IT has to be careful.
Because the engineers are changing how they control and structure the network, security and network operations teams will need to make sure that their monitoring tools can see and accurately portray the new lay of the land.
If virtual overlay networks are creating new security zones, for example, or tunneling through existing ones, then the security operations center must be able to see and report on activity within and across those zones as needed.
This is true both for active operational monitoring and for testing and auditing.
These are early days for SDN, however.
There is still time for those exploring SDN deployment to make sure their security operations teams are involved in the process of selecting tools and platforms and in planning the implementation.
To do otherwise would be courting disaster.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=292e57a3a4&e=20056c7556
SC Magazine Survey Shows Network Visibility as a Top Priority for Security Professionals
SANTA CLARA, Calif., March 2, 2016 /PRNewswire/ — Gigamon Inc. (NYSE: GIMO), the leader in traffic visibility solutions, today announced that a survey conducted by SC Magazine has found that the majority of respondents are investing in security beyond the traditional perimeter, with network visibility as a top priority.
Highlights from the survey included:
Firewalls top this list (83%) followed closely by intrusion prevention and detection systems (77%), and network visibility (67%) as the third highest security priority.
More than half of the respondents either know for certain they have been a victim of a targeted attack or advanced persistent threat, or are unsure if they have suffered a data breach.
Network visibility is credited with detecting the most breaches at 50%; far fewer attribute discovery to forensic investigation (28%), or contact by an affected party (15%), third party (4%), or attacker (3%).
Of those who acknowledged a breach, over a third said the breach took ‘weeks to months’ to discover or were challenged to identify a time window.
User behavior dominated responses to this question with nearly one third of respondents citing user error as the biggest security challenge, followed by BYOD/BYOA (14%), mobile devices (13%), and rate of change in environment and poor security hygiene (both at 10%).
Respondents list a variety of culprits for breaches, including social engineering (28%), advanced malware (29%), software vulnerabilities such as an unpatched application (24%), or a combination of these (34%).
30% deem insight into encrypted traffic as the most useful application for network visibility.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=323adf248e&e=20056c7556
Opinion: Cybersecurity needs less talk, more action
We’ve grown accustomed to a steady flow of bad cybersecurity news.
Scarcely a month goes by without another massive data breach, but they attract less attention as they grow more common.
At this year’s RSA Conference, the world’s largest annual cybersecurity industry gathering, industry professionals regularly challenge one another to think different and innovate in order to conquer a new world of worries.
It’s good, if sometimes predictable, rhetoric.
First, we can take more action in the area of threat intelligence sharing.
We have a great pilot program in the two-year-old Cyber Threat Alliance (CTA), where competitors pool resources to analyze threat intelligence.
The CTA’s first successful campaign was waged against CryptoWall v.3, a family of ransomware that cost innocent users $325 million last year.
On a second front, we can take action right now to improve our labor force pipeline.
Neither cybersecurity businesses nor governments invest enough in recruiting talented young people.
The US today lacks more than 200,000 qualified security pros, and we’re approaching a cybersecurity talent shortage of 2 million people worldwide.
“Action speaks louder than words,” said Mark Twain wryly, “but not nearly as often.” The cybersecurity industry has long talked a good game.
This is our year to act – to take feasible, collaborative steps.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=af74386d4d&e=20056c7556
Top Three Security Themes at RSA Conference 2016 (Video)
Malware proliferation and the new deception detection technology he likens to “sandboxing on steroids.”
Security Costs are escalating.
Organizations once spent about three percent of its IT budget on security; now that number is about eight times more.
But money doesn’t create a silver bullet fix.
Cyber Education and the lack thereof.
Humans remain the weakest link for every organization.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=4c6b50a111&e=20056c7556
Espionage Malware, Watering Hole Attacks Target Diplomats – See more at: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=f903809eac&e=20056c7556
Diplomats and military personnel in India have been victimized in targeted espionage attacks that use a number of means of infection including phishing and watering hole sites. – See more at: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=07110b9be5&e=20056c7556
Researchers at Proofpoint this week published a report on Operation Transparent Tribe, which was ongoing as of Feb. 11 when Proofpoint uncovered live attacks against Indian diplomats operating in embassies in Saudi Arabia and Kazakhstan.
Proofpoint found IP addresses in Pakistan involved in the attacks, which involved an elaborate network of watering hole websites and multiple phishing email campaigns. – See more at: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=6cbdfafcc7&e=20056c7556
The sustained campaign’s goal, Proofpoint said, was designed to allow attackers to drop a remote access Trojan it calls MSIL/Crimson.
The Trojan had a variety of data exfiltration functions, including access to laptop cameras, screen capture functionality and keylogging. – See more at: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=ba25abffc5&e=20056c7556
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=e0ea3fafef&e=20056c7556
Five Tips for the Future Federal CISO
The White House is looking to hire its first-ever chief information security officer (CISO).
There’s little doubt that appointing a Federal CISO is a long overdue response to a recurring problem: the inability to properly secure government systems and sensitive data.
The list of government agencies experiencing security failures is lengthy, from the Office of Personnel Management attacks in 2013 and 2014, to the State Department email system in 2014, to the latest attack on Department of Justice and Homeland Security computer systems.
But filling this role will be no easy task, especially considering the current IT security skills gap facing the industry.
A CISO must take a holistic approach to managing a security team, creating an atmosphere that challenges and recognizes the security team while taking stock of the skills and the tools they have at their disposal.
What would my advice be to the person who ultimately lands this job.
Here are five things to consider:
– Be a technologist.
– Be a futurist.
– Be a realist.
– Be vigilant.
– Be humble.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=1b84b82b73&e=20056c7556
Spamhaus Presents: The World’s Worst Top Level Domains
The Spamhaus Project has added a new list to its Top-10 Worst pages, this time for Top Level Domains (TLDs).
This domain data is designed to complement the recent additions to our IP address data announced in a previous news blog.
Unsurprisingly, most of the TLDs listed on this page are the ‘new gTLDs’ recently introduced by ICANN; this is largely the result of a combination of factors:
o body of legacy good reputation from old customers with legitimate domains long since registered
anti-abuse mechanisms freshly deployed and still not up to the task
promotional sales offering domains for very cheap prices, or even free, attracting bulk registrations of throw-away resources
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=55c1cd84d3&e=20056c7556
Apple users hit with first ‘ransomware’ attack on Macs over weekend
Apple Inc customers were targeted by hackers over the weekend in the first campaign against Macintosh computers using a pernicious type of software known as ransomware, researchers with Palo Alto Networks Inc told Reuters on Sunday.
Palo Alto Threat Intelligence Director Ryan Olson said the “KeRanger” malware, which appeared on Friday, was the first functioning ransomware attacking Apple’s Mac computers.
An Apple representative said the company had taken steps over the weekend to prevent attacks by revoking a digital certificate from a legitimate Apple developer that enabled the rogue software to install on Macs.
The representative said he could not immediately provide other details.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=22af5b296c&e=20056c7556
The incident response process is on the clock
The Verizon 2015 Data Breach Investigations Report compiled 79,790 security incidents (small, large and unknown) and 2,122 confirmed data breaches across organizations in 61 countries.
The “defender-detection deficit” in the incident response process between the time of compromise and discovery is one of the primary challenges facing the industry, according to the authors.
In 60% of the reported cases, the compromise by attackers occurred within minutes, while defenders failed to detect compromises within the same time frame.
However, 2014 showed the smallest deficit (See: The Defender-Detection Deficit).
The total number of malware events across organizations for the reported period was 170 million, or five malware events per second.
And that’s only malware.
“Focus tools and process efforts on three incident response gaps: time to detect, time to confirm and time to respond or fix,” says Anton Chuvakin, research vice president in Gartner’s GTP security and risk management group.
Many companies become aware of a security event but take hours or days to perform triage and finally remediate it.
The incident response process can vary based on the security incident, which may involve malware breach and containment, DDoS attacks, or information disclosure.
With or without internal resources, every incident response process should have a trigger point to call in an IR or forensics firm, managed security services provider (MSSP) or system integrator’s IR team, according to Gartner. “Some incidents will exceed your capabilities and you should plan for external help,” says Chuvakin.
Many companies have moved away from “formal” forensics that requires extensive documentation, training and specialized tools, according to Zeltser, in favor of live analysis in order to return to normal business operations as soon as possible.
Organizations also need to be ready for a reality that was once unthinkable: “Your IR effort will fail to get the attacker off your network,” asserts Chuvakin. “You can get into a ‘hand-to-hand com