[From the desk of Paul Davis – his opinions and no-one else’s]
Apart from the reporter’s opinions 😉
So onto the news:
One-Third of DDoS Attacks Accompanied By Network Breach
According to respondents in a survey by Kaspersky Lab, 32% of serious DDoS attacks coincided with a network intrusion.
Although it is hard to trace two different attacks to a single source, survey results provide evidence that DDoS attacks may lead to additional damage, including loss or theft of sensitive data.
Small businesses were most likely to lose data as a result of a DDoS attack—31% of SMBs reported data loss, compared with 22% of enterprises.
While 20% of businesses with 50 or more employees have suffered at least one DDoS attack, with enterprises being the most affected (24%), the small and medium-sized business (SMB) segment should be particularly wary.
The report shows that DDoS is the fourth most expensive type of security breach faced by SMBs.
On average, a DDoS attack costs SMBs more than $50,000 in recovery bills, which is significantly more than the typical costs they face recovering from other types of attack.
Enterprises spend a lot to recover from a third-party failure or cyber-espionage attack, but a typical financial loss for enterprises from a DDoS attack is $417,000, below average compared to recovery from other types of attacks.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=a4fba5a948&e=20056c7556
IT metrics for security services
Being analytical engineers, we always like to specify what is being provided (the services), to establish the delivery objectives and targets (the service level objectives), and then to measure (and report on) how well the system worked.
Security overlaps and impacts almost all other IT functions in one way or another, so it is often difficult to separate what the security functions do and what they deliver.
I like to think that metrics are meta-measurements: they specify what is to be measured, what measurement methods are appropriate, and how the measurement is to be captured.
A measurement is an instance of a metric.
Another more general definition is provided here.
A draft document from NIST (National Institute of Standards and Technology) in the USA, Special Publication 500-307, addresses the topic of Cloud Services Metrics Description.
An emerging ISO standard, ISO/IEC 19086-1, which provides a framework and terminology for cloud computing service level agreements, also includes a definition for metrics.
As is illustrated by the diagram above, metrics can be defined at three levels:
– Service elements
– Services
-Solution
In summary, it should now be clear that establishing your own set of security metrics won’t be as easy as it might seem at first!
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=b2dfd68e17&e=20056c7556
Cyber-risk Knowledge Gap Widens Between C-Suite and IT
According to Auriga Consulting, the problem starts with the monopolization of the risk management function by IT and security consultants.
According to a survey of large and medium-sized businesses in the UK, board level ownership of cyber risk numbers just 19.4 percent, and only 16.6 percent place cyber risk in the top five on the risk register, despite the severity a realization of cyber risk poses.
This means that communication from the IT team to the board is essential in ensuring that risk is understood, managed and acted upon effectively.
But compounding the problem is poor knowledge transference (especially the aforementioned use of jargon, acronyms and buzzwords).
This misinterpretation of risk is endangering the decision making process and ultimately future economic development.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=bd81ce7e1d&e=20056c7556
Windows devices account for 80% of malware infections transmitted via mobile networks
According to a Wednesday report from Alcatel-Lucent’s Motive Security Lab, in June Windows devices accounted for 80% of the infections spotted on hardware that relied on mobile networks for Internet connectivity.
Meanwhile, Android’s share of the total infection count dropped to about 20% after long hovering at the 50% mark.
The data was generated from scans by Alcatel-Lucent’s Motive Security Guardian technology, which is deployed worldwide by both mobile and fixed-line networks, and monitors traffic from more than 100 million devices.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=c0ae788bcc&e=20056c7556
SECs 2nd Push on Cyber Security Focuses on Risk Assessment
On Tuesday, September 15th, the SECs Office of Compliance Inspections and Examinations (OCIE) issued a risk alert as they ramp up their second phase of examinations designed to bolster cyber security in the financial industries.
The first phase kicked off in In April 2014, when OCIE published their initial announcement on the program as part of their vision for improving cyber security for the securities and financial markets.
The main topics highlighted in the alert are:
– Governance and Risk Assessment
– Access Rights and Controls
– Data Loss Prevention
– Vendor Management
– Training
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=35e893a020&e=20056c7556
Cloud contracts and security considerations: 5 questions to ask
Researchers at Malwarebytes spotted an email phishing scam on Wednesday that targets Amazon’s UK users.
The emails, purporting to be from Amazon customer service, falsely state that a small number of accounts were breached last month.
The scammers tell the victims they are required to complete a “verification process” or run the risk of having restrictions placed on their account.
Upon clicking the link to verify their accounts, users are redirected to a page designed to mimic the Amazon UK site.
Here victims are instructed to provide login credentials, personal identifiable information, payment card details and security details.
Without a clear understanding of each party’s responsibilities, agencies can find themselves in an unfortunate situation, including having limited access to their own data and little or no recourse for poor performance.
So if your agency is considering moving data to the cloud, here are five things to ask the cloud service provider when evaluating its agreement:
1. Where will the agency’s data reside?
2. Who can access the agency’s data?
3. Does the cloud provider have key certifications?
4. What can an agency expect if there’s a security incident or outage?
5. What protections should an agency request?
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=7a6cf9ad98&e=20056c7556
Why Is Endpoint Security Failing?
It should come as no surprise that the next major battle in IT security is focused on endpoints.
Mobility and BYOD have made it possible for users to remotely access just about any business resource.
The adoption of cloud-delivered services enables workloads to move to a shared environment bypassing on-premises, layered security defenses and directly accessible by the mobile workforce.
What can you do to effectively fight the endpoint battle.
Tip #1: Illuminate Hidden Endpoints
Tip #2: Identify Weaknesses
Tip #3: Routinely Check For Compromise
Tip #4: Measure Endpoint Security Effectiveness
Endpoint security assurance is not just about detecting threats, but about building a more effective endpoint security program — one that proactively detects known and unknown endpoints, helps identify what is critically vulnerable to attacks, what weaknesses exist in your environment, and how effective you are at identifying threats and remediating them.
If you are clearly able to answer the question “How secure are we?” and demonstrate this throughout the organization, you are already on your way to a successful endpoint security program.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=7401c34657&e=20056c7556
Marketing plus security equals profit – Disney’s anti-counterfeiting strategy
In 2006, Disney had a problem.
Their licensed products were being counterfeited on a massive scale.
They were losing money and junk products were damaging their reputation.
Even worse, licensed products were virtually the only viable product for Disney to sell in China.
Videos were pirated and most TV programming and movies were not allowed.
Their goal was to maximize revenue, not punish pirates.
So, they started a marketing campaign.
Disney put holographic tags on all of their legitimate products and announced a promotion.
Customers could fill out an entry form and provide the holographic “proof of purchase” label for the chance to win big prizes.
While the final effect on piracy is unknown, the program paid for itself.
More legitimate products sold.
Direct relationship opened with a quarter of a million customers.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=7c0f61466b&e=20056c7556
Three Ways To Avoid Being Visually Hacked
Visual hacking is the act of viewing or capturing sensitive, confidential or private information for unauthorized use on a device screen, workspace or copier and the like.
The growing sophistication of smartphone cameras and inconspicuous wearable technology is only making visual hacking easier to pull off and harder to detect.
1. Use privacy filters.
3. Secure your workspace.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=e61fbe8aa5&e=20056c7556
============================================================
Feedback, questions? Our mailing address is: ** dailynews@paulgdavis.com (mailto:dailynews@paulgdavis.com)
If you know someone else who would be interested in this Newsalert, please forwarded this email.
If you want to be added to the distribution list, please click this: ** Subscribe to this list (http://paulgdavis.us3.list-manage.com/subscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a)
** Unsubscribe from this list (http://paulgdavis.us3.list-manage1.com/unsubscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556&c=b264f88ee0)
** Update subscription preferences (http://paulgdavis.us3.list-manage.com/profile?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556)