[From the desk of Paul Davis – his opinions and no-one else’s, apart from the reporter’s opinions ]
* Cybersecurity has started fighting back against hackers
* Almost One-Third of Cyber Security Professionals Surveyed Admit to Compromising Ethics to Pass Audits
* Not using Adobe’s PDF reader doesn’t mean you’re avoiding PDF malware
* Microsoft Boosts Security in Windows 10 Anniversary Update
* Are You Prepared to Handle the Cost of a Data Breach?
* Top 10 tech for information security in 2016
* Cloud Adopters Balancing Cost Savings, Security
* The transportation industry is increasingly being targeted by hackers
* Only 29% of organisations have a cyber-security expert in their IT dept
* Email Compliance: Act Now, Save Millions – Information Governance Report is a Call to Action
* Why Companies Should Consider Data-Centric Security
* How Google’s head of cybersecurity Gerhard Eschelbeck protects his privacy and fights cyber criminals
* Putting the ‘Secs’ into DevOps
* A Cultural Change: It’s Time to Become a Human Firewall
Cybersecurity has started fighting back against hackers
Lawyers and information security experts — among them Stewart Baker, a Washington-based partner of Steptoe & Johnson and a former National Security Agency general counsel — say the private sector needs leeway to take some matters into its own hands.
But direct attacks, or even a retaliatory “hacking back,” are illegal under the Computer Fraud and Abuse Act of 1986.
And vigilante justice, if not universally repugnant, doesn’t make for good diplomacy.
One recommendation of “An American Strategy for Cyberspace,” a paper published in June by the American Enterprise Institute, is to “empower the private sector to more effectively defend itself” and explore the feasibility of such tactics as turning aside incoming attacks, improving information sharing with government agencies and corporate peers and retrieving stolen information.
It added that “the U.S. should consider reforming the Computer Fraud and Abuse Act to clarify and perhaps in limited ways expand private companies’ ability to engage in active defense.”
“Organizations today require a dynamic solution that hunts for adversaries in real time and eliminates them,” Vikram Desai, security lead of Accenture Analytics has said.
In March the firm announced an alliance with and strategic investment in Endgame, a cybersecurity company that says its systems “allow organizations to move from being the hunted to being the hunter.”
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=a530eb8edf&e=20056c7556
Almost One-Third of Cyber Security Professionals Surveyed Admit to Compromising Ethics to Pass Audits
/EINPresswire.com/ — OVERLAND PARK, KS — (Marketwired) — 06/30/16 — A study carried out by security management vendor FireMon at this month’s Infosecurity Europe in London has given brutally honest insight into the immense pressure cyber security professionals are under to carry out their jobs and meet outside regulations.
A staggering 28% admitted to compromising their ethics to pass audits, a figure that is up 6% from five years ago when the same question was posed in a similar survey.
This is likely due to growing network complexity and all of the disparate technology, security and otherwise, used to keep cyber criminals at bay.
When asked if they felt that they spend most of their day fire-fighting rather than doing meaningful security work, 51% of the IT security professionals surveyed agreed.
A further 56% admitted they had added a product purely to meet compliance regulations, even though they knew it offered no other business benefit.
When it comes to demands from the business side, 52% of IT security pros admitted to adding access that they know had decreased their organization’s security posture.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=6589421ed2&e=20056c7556
Not using Adobe’s PDF reader doesn’t mean you’re avoiding PDF malware
ThreatPost has the details about the vulnerabilities found in builds 7.3.4.311 and earlier of Foxit Reader and Foxit PhantomPDF…
To exploit the vulnerabilities an attacker could use an image file – either a BMP, TIFF, GIF, or JPEG image – to trigger a memory read past the end of an allocated buffer or object.
From there, depending on the vulnerability, an attacker could either leverage the vulnerability as is, or use it in conjunction with other vulnerabilities to “execute code in the context of the current process.”
In other words, an attacker could simply send you a boobytrapped PDF file and if you happened to open it in Foxit’s PDF reader – kaboom!
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=1041042e27&e=20056c7556
Microsoft Boosts Security in Windows 10 Anniversary Update
When the Windows 10 Anniversary Update arrives Aug 2, it will include several new security features that are designed to protect data belonging to both consumers and enterprises.
Among them is an expansion of Windows Hello’s biometric user authentication capabilities.
Also next month, the update will move Windows Hello’s biometrics components and user biometric data into SystemContainer, a hardened environment reserved for the most sensitive parts of the Windows operating system.
SystemContainer employs Virtualization Based Security (VBS), creating a secure environment by using a processor’s virtualization extensions to isolate running processes.
An improved Windows Defender is on deck, said Lefferts, along with Windows Defender Advanced Threat Protection.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=a8e3e478b3&e=20056c7556
Are You Prepared to Handle the Cost of a Data Breach?
Cyberattacks in the Asia-Pacific region are rising at a particularly high rate.
Is your defense in place?
The Ponemon Institute’s “2016 Cost of Data Breach Study: Global Analysis,” which was sponsored by IBM, answers these questions and many more.
The findings of the global data breach report are fascinating.
Some key takeaways included:
* Health care experienced the most expensive per-record cost of a data breach compared to other industries at $355 per record.
* About 48 percent of data breaches were caused by malicious attacks from people both inside and outside of the organization.
* Nearly 25 percent of breaches were associated with human error.
* The single biggest factor in reducing the cost of a data breach was having an incident response team in place, which decreased the cost by nearly $400,000.
Analyzing the costs with which these Asia-Pacific organizations were faced led to some interesting findings:
* The cost of a data breach is steadily increasing. In India, the average total cost of a data breach increased from 88.5 million Indian rupees in 2015 to 97.3 million rupees in 2016 — a 10 percent spike.
* Australia, however, bucked the trend, with the cost of a data breach falling marginally from $2.8 million in 2015 to $2.6 million in 2016.
* Certain industries have higher breach costs. In India, financial institutions, services, and industrial and technology companies had a per-capita cost well above the mean.
* Malicious or criminal attacks were the primary root causes of data breaches.
* More than 41 percent of companies experienced a data breach as the result of malicious or criminal attacks.
* Industries with higher breach costs are more vulnerable to churn.
* There is a silver lining: Steps can be taken to reduce the cost of a data breach.
Here are the top five factors that can help decrease the cost:
– Having an incident response team;
– Extensive use of encryption;
– Participation in threat sharing;
– Employee security awareness and training; and
– Appointing a CISO.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=6640a4ae49&e=20056c7556
Top 10 tech for information security in 2016
“Information security teams and infrastructure must adapt to support emerging digital business requirements, and simultaneously deal with the increasingly advanced threat environment,” said Neil MacDonald, VP and Gartner Fellow Emeritus.
Gartner identified the top 10 technologies for information security and their implications for security organizations in 2016.
First, Cloud Access Security Brokers, which provide information security professionals with a critical control point for the secure and compliant use of cloud services across multiple cloud providers.
Second, Endpoint Detection and Response (EDR) solutions, which are expanding quickly in response to the need for more effective endpoint protection and the emerging imperative to detect potential breaches and react faster.
Third, Nonsignature Approaches for Endpoint Prevention, which augment traditional signature-based approaches, including memory protection and exploit prevention that prevent the common ways that malware gets onto systems, and machine learning-based malware prevention using mathematical models as an alternative to signatures for malware identification and blocking.
Fourth, User and Entity Behavioral Analytics that enable broad-scope security analytics, much like security information and event management (SIEM) enables broad-scope security monitoring.
Fifth, Microsegmentation and Flow Visibility, to address the problem of attackers gaining a foothold in enterprise systems, following which they typically can move unimpeded laterally (“east/west”) to other systems.
Sixth, Security Testing for DevOps (DevSecOps).
Seventh, Intelligence-Driven Security Operations Center Orchestration Solutions that are built for intelligence, and used to inform every aspect of security operations.
Eighth, Remote Browser to address most attacks that start by targeting end-users with malware delivered via email, URLs or malicious websites.
Ninth, Deception technologies that are defined by the use of deceits and/or tricks designed to thwart, or throw off, an attacker’s cognitive processes, disrupt an attacker’s automation tools, delay an attacker’s activities or disrupt breach progression.
And tenth, Pervasive Trust Services that are designed to scale and support the needs of billions of devices, many with limited processing capability.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=0bd7572450&e=20056c7556
Cloud Adopters Balancing Cost Savings, Security
Cloud security vendors are betting that more enterprises are looking to outsource their security operations just as they have turned over management of parts of their IT infrastructure to public cloud suppliers.
A new study released this week by a cloud security-as-a-service vendor finds that about half of those surveyed are investing more in security operations after adopting cloud computing.
A separate survey also released this week concludes that IT managers are still struggling with the tradeoffs between cost savings and security concerns as they shift to the cloud.
That tension is among the reasons why more enterprises are embracing hybrid cloud infrastructure.
Among the reasons for outsourcing security operations is the difficulty of recruiting cloud security experts along with a shortage of technical resources needed to run an in-house security operations center, the company argues.
A hefty 79 percent of respondents responsible for cloud security said they welcome outside help in running cloud security operations.
The Forrester survey also found that IT administrators are turning to outside help for capabilities like threat intelligence analysis (83 percent) as they seek to develop real-time threat detection capabilities.
Also cited were assistance for securing public clouds (80 percent), overall security operations (77 percent), network security along with data privacy and regulatory compliance (both 76 percent).
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=d1ff9d5ad2&e=20056c7556
The transportation industry is increasingly being targeted by hackers
The report, Security Trends in the Transportation Industry, published by IBM this week, confirms that cybercriminals are targeting the systems used in the industry: trains, planes, and automobiles are under incessant attack.
“According to the 2015 version of the ‘Transportation Systems Sector-Specific Plan,’ the transportation sector is increasingly vulnerable to cyberthreats as a result of ‘the growing reliance on cyber-based control, navigation, tracking, positioning and communications systems, as well as the ease with which malicious actors can exploit cyber systems serving transportation,’” states the analysis published by IBM.
A closer look at the techniques adopted by attackers shows that denial-of-service attacks and malicious attachments and links accounted for over 44 percent of the attacks targeting organizations in the sector between March 1, 2015 and May 15, 2016.
IBM experts also warn about terrorism: the threat of sabotage and the theft of data that could be used in terrorist attacks remain the experts’ main concerns.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=9b64fab3d7&e=20056c7556
Only 29% of organisations have a cyber-security expert in their IT dept
Spiceworks polled more than 600 IT professionals in the UK and US to see if they’re adequately countering the rapidly growing levels of cyber-attacks.
It was found that 29 percent of organisations have a cyber-security expert working in the IT department, and only seven percent have an expert in another department or on the executive team.
Almost a quarter (23 percent) of organisations pay outside security experts to help protect their environments and fill the knowledge gap.
A concerning 55 percent of organisations don’t have regular access to any IT security experts at all, internal or third-party.
Cyber-security is a priority for 73 percent of CIOs and senior IT leaders, followed by 56 percent of CTOs and 54 percent of CEOs.
Less than 50 percent said cyber-security is a priority for their CFO, COO or CMO.
Yet most organisations (80 percent) experienced at least one security incident last year.
More than 80 percent of IT pros are confident in their ability to respond to cyber-attacks on laptops, desktops and servers.
They are also relatively certain that they are capable of securing and protecting storage devices and networking hardware (72 percent).
They are less confident in their ability to respond to cyber-attacks on tablets (58 percent), smartphones (52 percent), cloud services (44 percent) and IoT devices (36 percent).
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=99c47f2627&e=20056c7556
Email Compliance: Act Now, Save Millions – Information Governance Report is a Call to Action
On 17 May 2016, harmon.ie in collaboration with Gimmal issued a survey report entitled “The One Email You Can’t Ignore: The Risks and Business Impact of Failing to Treat Emails as Records” (“Report”).
This Report provides insight into the key challenges that businesses face in managing email records.
The findings are based on feedback from over one hundred information governance leaders from different industries.
Email Records: Classification and Legal Considerations
In determining whether an incoming or outgoing email is a business record, the following should be considered:
– Is there a legal obligation to retain the email?
– Is there any evidentiary reason to retain an email (i.e. possible audit, investigation, litigation)?
– Does the email form part of a contract, transaction or business decision?
Non-compliant businesses expose themselves to potential financial loss, legal risks, and loss of reputation.
According to the Report, nearly a quarter of information governance specialists indicated that their organizations experienced the negative impact of litigation, potential litigation or regulatory sanctions due to an inability to produce relevant records.
In 2015, Scottrade was fined US $2.6 million because it was unable to produce important emails for audit purposes.
Additionally, nearly one-third of information governance specialists forecasted financial risk for their organizations at US $5 million and over a half indicated US $1 million for email records non-compliance.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=fdb26f3e99&e=20056c7556
Why Companies Should Consider Data-Centric Security
During my trip to the Enfuse 2016 conference in May, I had a conversation with Paul Shomo, senior technical manager, Strategic Partnerships with Guidance Software.
One of the things we talked about was the importance of companies taking a more data-centric approach to information security.
When we think about breaches, Shomo explained, malware and how it breaks through the network is what often comes to mind.
To that end, social engineering is the primary tool for injecting malware.
Hackers rely on the vulnerabilities of humans and software systems to break through the perimeter quickly, which gives them the ability to move around the network with ease.
Shomo also believes that we don’t pay enough attention to data-centric concerns, like where to find the data and how many endpoints have access to it.
All endpoints tend to be treated exactly the same and this creates security risks.
Too many information security professionals can’t tell you where sensitive data is stored or accessed, and that is often caused by organizational separations, where different departments are not communicating with each other.
Shomo admits that data-centric security can be tricky because it involves coordination among so many departments, and there will always be privacy and legal issues to take into consideration.
Knowing where data is stored is the first step.
The second step is figuring out how to share all this information with security professionals.
They may only have bits and pieces of information about the data, including the endpoints where it is accessed and who has access.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=dd361c1e6d&e=20056c7556
How Google’s head of cybersecurity Gerhard Eschelbeck protects his privacy and fights cyber criminals
Mr Eschelbeck, who leads a 600-strong team that protects users from hackers, spammers and spies, says the most critical step for everyone to take is to stay on top of software updates.
“The biggest compromises that have happened over the past six to nine months often happened in an un-patched device that had a security vulnerability, and the patches weren’t applied fast enough,” he told Fairfax Media.
Since taking the reins in 2014, Mr Eschelbeck says he’s most proud of developing the Security Key, a slim USB device a user inserts into a port to log into Google’s sites such as Gmail as part of two-factor authentication.
He said passwords were the “weakest link” in online security and hopes to see the Security Key go mainstream in the next three years.
He said Facebook boss Mark Zuckerberg’s extra layer of security – he was caught last week with his laptop’s webcam and microphone covered with tape – wasn’t necessary, at least for him.
“I don’t do that.
It depends on personal choice and preference, but I don’t feel it’s necessary [because of the other precautions I take],” he said.
So how does Mr Eschelbeck, whose official title is Vice President of Security and Privacy Engineering, protect his privacy?
There are three practices he “religiously” follows.
1) He never misses a security patch
2) He has strong and unique passwords
3) He uses a Security Key
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=97405dc43e&e=20056c7556
Putting the ‘Secs’ into DevOps
Matthew Pendlebury, a senior security consultant at MWR InfoSecurity thinks that there’s not enough Sec (security) in DevOps.
Indeed, he feels there’s a pressing need for DevOps to become DevSecOps… or at least for DevOps to gain a better grasp of Sec.
“Software security activities are spread throughout the development lifecycle and this is no different with DevOps.
Security starts as a set of requirements that need to be satisfied and in many cases these can be tested by code.
DevOps has a strong focus on using CI/CD for performing testing and validation activities.
This compressed lifecycle leaves little time for conventional manual testing of routine deployments, for either quality or security purposes, so testing is heavily automated,” asserts Pendlebury.
Pendlebury continues, “Automated security testing is an effective approach to accelerate development, however it is not a silver bullet, and security still needs to be considered throughout the software lifecycle.
It still holds that the earlier that a security problem is recognised, the quicker and cheaper it is to remedy.
In DevOps teams as well as conventional development models the usual approaches to this are to educate developers about the security domain, give them techniques they can use such as threat modelling and embed knowledgeable security champions into teams to provide depth.”
“There is already a growing movement called DevSecOps which seeks to push the agenda of security in a developer operations environment.
It may be that the more established DevOps term gradually absorbs security considerations, indeed vendors such as Puppet are actively pushing this.
Whichever term dominates, pushing security into DevOps processes is clearly the future,” he concludes.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=25dc69b270&e=20056c7556
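Pendlebury’s point that security requirements “can be tested by code” in a CI/CD pipeline is easiest to see with a concrete gate. The following is an added example written for this newsletter, not code from MWR InfoSecurity or from any project mentioned above: it expresses four security requirements (debug off, TLS verification on, TLS 1.2 or later, no literal secrets in configuration) as checks that run over deployment config files and return a pass/fail result a pipeline can act on. The requirement identifiers (SEC-01 to SEC-04), the file names, the tiny two-level config format and its parser, and the sample configs are all constructed for the example; a real pipeline would use a proper YAML parser and a dedicated secret scanner, but the shape of the gate is the same.

```python
"""Security requirements expressed as automated CI checks (added example, constructed data)."""
import re
from dataclasses import dataclass

# Constructed sample deployment configs; the staging file deliberately violates every requirement.
# The AKIA... value is Amazon's documented example access key id, not a live credential.
SAMPLE_CONFIGS = {
    "app.prod.yaml": """
debug: false
tls:
  min_version: "1.2"
  verify: true
database_password: ${DB_PASSWORD}
""",
    "app.staging.yaml": """
debug: true
tls:
  min_version: "1.0"
  verify: false
database_password: hunter2
legacy_id: AKIAIOSFODNN7EXAMPLE
""",
}


@dataclass
class Finding:
    file: str
    requirement: str  # hypothetical requirement id used in this example
    detail: str


def parse_simple_yaml(text):
    """Minimal parser for the indentation-based 'key: value' files used here.
    Returns a flat dict of dotted paths ('tls.verify') to string values.
    It is not a full YAML parser; a real pipeline would use one."""
    result = {}
    stack = []  # (indent, key) for each open parent section
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        key, _, value = raw.strip().partition(":")
        value = value.strip().strip('"')
        while stack and stack[-1][0] >= indent:
            stack.pop()  # close sections at the same or deeper indentation
        path = ".".join([k for _, k in stack] + [key])
        if value == "":
            stack.append((indent, key))  # a section header opens a nested scope
        else:
            result[path] = value
    return result


SECRET_KEY_RE = re.compile(r"(password|secret|token|api_key|access_key)", re.I)
ENV_REF_RE = re.compile(r"^\$\{[A-Z0-9_]+\}$")  # ${NAME}: injected at deploy time, not a literal
AWS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")  # public format of an AWS access key id


def check_config(name, settings):
    """Evaluate one parsed config against the security requirements; returns a list of Findings."""
    findings = []
    if settings.get("debug", "false").lower() == "true":
        findings.append(Finding(name, "SEC-01 debug disabled", "debug: true"))
    if settings.get("tls.verify", "true").lower() != "true":
        findings.append(Finding(name, "SEC-02 TLS verification on", "tls.verify is not true"))
    try:
        min_ver = float(settings.get("tls.min_version", "0"))
    except ValueError:
        min_ver = 0.0
    if min_ver < 1.2:
        findings.append(Finding(name, "SEC-03 TLS >= 1.2",
                                f"tls.min_version={settings.get('tls.min_version', 'unset')}"))
    for key, value in settings.items():
        if SECRET_KEY_RE.search(key) and not ENV_REF_RE.match(value):
            findings.append(Finding(name, "SEC-04 no literal secrets", f"{key} holds a literal value"))
        elif AWS_KEY_RE.search(value):
            findings.append(Finding(name, "SEC-04 no literal secrets", f"{key} looks like an AWS access key id"))
    return findings


def run_security_gate(configs):
    """Run every check over every config. Returns (passed, findings); a CI job exits non-zero when passed is False."""
    findings = []
    for name, text in configs.items():
        findings.extend(check_config(name, parse_simple_yaml(text)))
    return (not findings), findings


if __name__ == "__main__":
    passed, findings = run_security_gate(SAMPLE_CONFIGS)
    for f in findings:
        print(f"{f.file}: {f.requirement}: {f.detail}")
    raise SystemExit(0 if passed else 1)
```

Run as a pipeline stage, the script exits 1 and prints five findings for app.staging.yaml and nothing for app.prod.yaml; the checks are deliberately small so that each maps to one written requirement, which is what makes the gate reviewable by the same developers who own the code.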
A Cultural Change: It’s Time to Become a Human Firewall
A good first step in becoming a human firewall is thinking differently about technology by shifting your thinking to “distrust” the technology that you use instead of inherently trusting it.
An example is the “Cloud” – so many companies and individuals are using Cloud services, such as iCloud, Dropbox, Google Drive, etc., and many users are unaware of what the cloud is let alone differences in services.
Several companies offer Cloud based services pre-installed on many machines we use every day; despite the ease of use, users are not required to use this technology.
A next step is to always think “Security-First” when using any technology.
First, understand the purpose of the technology you want to use.
Is it “necessary” to use it?
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=5c3816af35&e=20056c7556
============================================================
Feedback, questions? Our mailing address is: dailynews@paulgdavis.com (mailto:dailynews@paulgdavis.com)
If you know someone else who would be interested in this Newsalert, please forward this email.