[From the desk of Paul G Davis – his opinion and no-one else’s, apart from those of the authors of the articles.]
And so, now the news
* 10 Tips On Keeping Your Mobile Device Safe While Traveling
* 6 security advances worth celebrating
* Why We Should Score Data Breaches
* Axing Boss Is Data Breach Response Last Resort
* CounterTack’s Mike Davis Highlights Cybersecurity Trends
* Cognitive Risk Framework for Cybersecurity, Part 2
* Closing the insider threat loop with authority
* Kaspersky Lab Survey Reveals the Financial Impact of the IT Security Talent Shortage
* AWS allows enterprises to bring their encryption keys
10 Tips On Keeping Your Mobile Device Safe While Traveling
1) Lock your mobile device with a strong password or use biometric protection
2) Keep your software updated
3) Due diligence on Apps
4) Set up a PIN
5) Disable Bluetooth for pairing devices
6) Beware of faux towers
7) Turn off Wifi
8) Turn on Find My Phone and remote wiping
9) Turn off location tracking
10) Turn off cookies and autofill
Last words of advice: Do pack a good and secure roaming SIM for your travels.
Forbesfone not only ensures safe mobile connections, but also offers the lowest roaming rates worldwide.
Add the fact that it covers more than 200 destinations, and you have yourself a proper Swiss Army knife for your mobile needs.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=89bcfa6e3b&e=20056c7556
6 security advances worth celebrating
Security is slowly moving in the right direction.
We have lots to be thankful for.
1) Broad solutions versus whack-a-mole
2) Faster patching
3) More default encryption
4) Least-privilege religion
5) More bounties
6) Stronger authentication
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=55b7dca863&e=20056c7556
Why We Should Score Data Breaches
The Anthem breach (announced early in 2015) affected about 80 million Americans and remains the largest data breach (so far) in healthcare.
As a company, however, Anthem lost no revenue or profits, their stock price wasn’t affected and they lost no customers.
Whatever the cost was to Anthem–like most organizations in healthcare–it’s relatively easy to simply pass any financial liability on to all of us in the form of higher premiums.
The message that sends to the industry is crystal clear.
There’s very little financial consequence to data breaches in healthcare.
I was meeting with Jeff Williams at Black Hat when I saw the headline announcing the breach at Banner Health, and I asked him for his thoughts.
We’re a country obsessed with metrics, but breach disclosures are almost always a lawyerly exercise in obfuscation and misdirection.
Some types of breaches require “disclosure,” but we never find out anything that would enable people to make informed decisions about whether their data is safe enough.
All we typically hear or read is that the organization “takes their customer data very seriously.” We need a system for scoring data breaches and corporate response across key variables as a critical and tangible way to change the dynamic quickly after an announcement.
Actually applying an independent score to a data breach could be an effective way to accelerate the path to remediation and restoring trust.
Jeff’s been in the security industry for more than 20 years (and he just happens to have a JD from Georgetown) so he’s very well versed in industrial-sized security challenges.
As soon as he suggested the idea, I couldn’t help but wonder why it hasn’t been implemented–and then also what a scorecard would look like.
Jeff offered this draft:
* Tone
* Timeline
* Scope
* Size
* Root Cause
* Discovery
* Remedy
* Future
* Blame
* Oddities
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=a8e2c5b0c5&e=20056c7556
Axing Boss Is Data Breach Response Last Resort
Aug. 9 — Scapegoating the boss over a cybersecurity incident that compromises customer data or reveals unsavory internal communications usually isn’t the first option in a breach response.
The termination or resignation of a top executive in response to a data breach incident is “the exception, not the rule,” Leigh Nakanishi, senior vice president of Data Security and Privacy at public relations company Edelman, told Bloomberg BNA.
DataGravity Inc. Chief Information Security Officer Andrew Hay said that a company executive may be more vulnerable to termination if doing so makes sense in a company’s “risk equation.”
The most important factor in an executive’s post-data breach vulnerability is the type of information revealed, Nakanishi told Bloomberg BNA.
Whether an executive was negligent or failed to meet minimum data security requirements and whether the initial incident response was properly executed are also important factors in deciding whether to sever ties with an organization leader, he said.
Nakanishi agreed that the responsibility to prevent and respond to data breaches shouldn’t fall just on the CISO.
Companies should have a team of executives in charge of cybersecurity, each with different roles and responsibilities, he said.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=6a42bf371a&e=20056c7556
CounterTack’s Mike Davis Highlights Cybersecurity Trends
CHANNEL PARTNERS EVOLUTION — As large enterprises have become smarter in defending against cyberattacks, criminals have increasingly turned their attention to small and medium-size businesses, an expert noted Monday during Channel Partners Evolution.
About a third of attacks are against SMBs, said Mike Davis of CounterTack.
He described common ways that customers get hacked by cybersecurity scoundrels and highlighted the costs for the victims.
Davis said a data breach will cost a small business a whopping $300,000 on average.
Just retaining an expert to review systems and determine how the attacker penetrated a system costs a minimum of $100,000, noted Davis, the CTO of CounterTack, which provides behavior-based detection, analysis and response technology.
Commenting on data breaches, Davis observed the majority involve weak, default or stolen passwords.
He recommended using longer passwords, such as your favorite quote from a movie.
Part of Davis’ talk addressed misconceptions around cybersecurity.
For instance, he noted credit cards are fairly well protected, while thieves today are targeting email addresses because they hold valuable information concerning one’s identity and may be linked to other services such as a person’s social media accounts.
On the black market, a person’s credit card information is only worth $1.50, while medical records are valued at $50, he noted.
Davis addressed fears over the security of mobile devices.
He said a 2015 study indicated that only 0.015 percent of U.S. mobile devices were infected with malware, a figure he described as “so small it doesn’t matter.” However, mobile security is more prominent in places like Asia and Russia, he cautioned.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=9995c33bec&e=20056c7556
Cognitive Risk Framework for Cybersecurity, Part 2
In part 1 of this series, I introduced the reasoning for developing a bridge from existing IT and risk frameworks to the next generation of risk management based on cognitive.
These concepts are no longer theoretical and, in fact, are evolving faster than most IT security and risk professionals appreciate.
In part 2, I introduce the pillars of a cognitive risk framework for cybersecurity that make this program operational.
The pillars represent existing technology and concepts that are increasingly being adopted by technology firms, government agencies, computer scientists and industries as diverse as health care, biotechnology, financial services and many others.
The following is an abbreviated version of the cognitive risk framework for cybersecurity (CRFC) that will be published later this year.
A cognitive risk framework is fundamental to the integration of existing internal controls, risk management practice, cognitive security technology and the people who are responsible for executing on the program components that make up enterprise risk management.
Cognitive risk fills the missing gap in today’s cybersecurity program that fails to fully incorporate how to address the “softest target,” the human mind.
A functioning cognitive risk framework for cybersecurity provides guidance for the development of a CogSec response that is three-dimensional instead of a one-dimensional defensive posture.
The first step in the transition to a CRFC is to develop an organizational Cognitive Map.
A Cognitive Map is one of many tools risk professionals must use to expand discussions on risk and form agreements for enhanced techniques in cybersecurity.
Poor communications about risk are more common than not without a structured way to put risks in context to account for a diversity of risk perceptions.
Organizations rarely openly discuss these differences or even understand they exist until a major risk event forces the issue onto the table.
Some refer to this exercise as forming a “risk appetite,” but again this term is vague and doesn’t fully develop a full range of ways individuals experience risk.
Researchers now recognize diverse views of risks as relevant from the nonscientist, who views risks subjectively, whereas scientists evaluate adverse events as the probability and consequences of risks.
Techniques for reconciling these differences create a forum that leads to better discussions about risk.
A Cognitive Risk Framework for Cybersecurity, or any other risk, requires a clear understanding and agreement on the role(s) of data management
A cognitive risk framework is needed to advance risk management in the same way economists deconstructed the “rational man” theory.
The CRFC guiding principles expand the language of risk with concepts from behavioral science to build a bridge connecting decision science, technology and risk management.
The CRFC program components include five pillars:
– Intentional Controls Design
– Cognitive Informatics Security (Security Informatics)
– Cognitive Risk Governance
– Cybersecurity Intelligence & Active Defense Strategies
– Legal “Best Efforts” Considerations in Cyberspace
A cognitive risk framework for cybersecurity represents an opportunity to accelerate advances in cybersecurity and enterprise risk management simultaneously.
A convergence of technology, data science, behavioral research and computing power is no longer wishful thinking about the future.
The future is here, but in order to fully harness the power of these technologies and the benefits possible, IT security professionals and risk managers in general need a guidepost for comprehensive change.
The cognitive risk framework for cybersecurity is the first of many advances that will change how organizations manage risk now and in the future in fundamental and profound ways few have dared to imagine.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=c2f3211919&e=20056c7556
Closing the insider threat loop with authority
The major problem is that, without authority, your response to any threat will not be agile or strong enough to stop or prevent the incident.
Authority to act is an essential element of success.
Conversely, lack of authority leads to confusion, disorganization, and failure.
I have quoted Sun Tzu before, so pardon the repetition, but he has much to add to this discussion. “When the general is weak and without authority; when his orders are not clear and distinct; when there are no fixed duties assigned to officers and men, and the ranks are formed in a slovenly haphazard manner, the result is utter disorganization.”
The National Insider Threat Task Force issued some basic rules for establishing effective insider threat programs.
Three initial tasks were deemed as requirements:
– Establish a policy signed by the organization head
– Appoint a senior executive with responsibility
– Put out a plan of actions.
By withholding authority, senior leaders also often fall into the trap of attempting to manage matters that are beyond their ability or capacity to successfully handle.
Too often, I had to wait for my senior to return from leave or heard he was “too busy” to chat about something that was incredibly timely and important.
When establishing an insider threat program, consider that Authority is one of the three “As” of success.
Without authority, your organization will not be successful countering threats, setting you up for failure and leaving you open to successful attacks.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=2472907069&e=20056c7556
Kaspersky Lab Survey Reveals the Financial Impact of the IT Security Talent Shortage
WOBURN, Mass.–(BUSINESS WIRE)–Kaspersky Lab today released its 2016 Corporate IT Security Risks survey, which found that large businesses with few full-time security experts pay almost three times more to recover from a cyberattack than those businesses with in-house expertise.
The research shows that large businesses hiring outside help pay between $1.2M and $1.47M to recover from a cybersecurity incident, compared with those large businesses who have in-house skilled IT security experts to handle a crisis, who pay between $100K and $500K.
This is due to a significant amount of recovery costs going toward additional staff wages to hire external expert help – on average costing $14K for SMBs and $126K for enterprises.
Surprisingly, nearly half (48 percent) of businesses admit there is a talent shortage and a growing demand for more specialists (46 percent).
Proactively hiring new staff to employ experts before an incident, rather than bringing them in to pick up the pieces, significantly lowers the average IT costs and helps better protect the business.
Overall, 68.5 percent of companies expect an increase in the number of full-time security experts, with 18.9 percent expecting a significant increase in headcount.
Higher education is an important part of fulfilling such a demand, but this is also a call for a change within the security industry itself.
One of the solutions is to aid universities with relevant experience.
Another very important long-term solution is to adapt R&D efforts towards the effective sharing of intelligence with corporate customers in the form of threat data feeds, security training, and services.
A proper combination of security solutions and intelligence is what allows corporate security teams to spend less time and money on regular cybersecurity incidents and focus on strategic security development and advanced threats.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=a18b952e6b&e=20056c7556
AWS allows enterprises to bring their encryption keys
The ability to bring your own keys to the cloud is an important cloud security feature, and it is encouraging to see Amazon Web Services add this capability to its Key Management Service (KMS).
“Customers tell us that local control over the generation and storage of keys would help them meet their security and compliance requirements in order to run their most sensitive workloads in the cloud. In order to support this important use case, I am happy to announce that you can now bring your own keys to KMS,” Jeff Barr, AWS chief evangelist, wrote in a blog post.
The import process can be initiated from the AWS Management Console or AWS command-line interface or by making calls to the KMS API.
The process requires customers to initially wrap the local key with a KMS-generated public key so that secret keys are not transmitted in the open, Barr said.
The public key is unique to the customer’s AWS account, and KMS automatically creates a CloudWatch metric to track when the key is set to expire.
Customers can create notification alerts as a reminder to reimport the key, for example.
Detailed auditing information is available via AWS CloudTrail.
Since Google Compute Engine automatically encrypts all data at rest, users provide a Customer-Supplied Encryption Key (CSEK) to protect the Google-generated keys employed for data encryption.
This method lets customers control data encryption in the cloud via an internally generated key without changing Google’s automatic processes.
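The wrapping step described above, as an added example that is neither AWS’s code nor the article’s: a Go program (standard library only) that encrypts locally generated 256-bit key material with an RSA-2048 public key using RSAES-OAEP with SHA-256, which is what KMS’s RSAES_OAEP_SHA_256 wrapping option does, and then shows the expiry arithmetic behind the CloudWatch metric the article mentions. The wrapping key pair is simulated here so the round trip can be checked offline; in the real flow the public key and an import token come from `aws kms get-parameters-for-import` for a CMK created with `--origin EXTERNAL`, and only the wrapped blob goes back via `aws kms import-key-material`. The function names (NewSimulatedWrappingKey, NewKeyMaterial, WrapKeyMaterial, unwrapKeyMaterial, SecondsUntilExpiration, NeedsReimport) are chosen for this example and are not KMS API names.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"time"
)

// NewSimulatedWrappingKey stands in for the RSA-2048 wrapping key pair that
// KMS generates on the service side. GetParametersForImport returns only the
// public half (plus an import token); the private half never leaves KMS.
// Simulated here so the round trip can be checked offline.
func NewSimulatedWrappingKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// NewKeyMaterial generates the 256-bit symmetric key that the customer
// produces locally (in practice from an on-premises HSM or key manager).
func NewKeyMaterial() ([]byte, error) {
	km := make([]byte, 32)
	if _, err := rand.Read(km); err != nil {
		return nil, err
	}
	return km, nil
}

// WrapKeyMaterial performs the customer-side step the article describes:
// the plaintext key is encrypted with the KMS public key using RSAES-OAEP
// with SHA-256, so only the wrapped blob is ever sent over the wire.
// KMS imports 256-bit keys, so the length is checked before wrapping.
func WrapKeyMaterial(pub *rsa.PublicKey, keyMaterial []byte) ([]byte, error) {
	if len(keyMaterial) != 32 {
		return nil, fmt.Errorf("key material must be 32 bytes, got %d", len(keyMaterial))
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, keyMaterial, nil)
}

// unwrapKeyMaterial is the service-side decryption KMS performs on
// ImportKeyMaterial. It is here only to verify the round trip locally.
func unwrapKeyMaterial(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}

// SecondsUntilExpiration mirrors the value KMS publishes to CloudWatch for
// imported key material (metric SecondsUntilKeyMaterialExpiration): seconds
// left until validTo, floored at zero once the material has expired.
func SecondsUntilExpiration(now, validTo time.Time) int64 {
	if !validTo.After(now) {
		return 0
	}
	return int64(validTo.Sub(now) / time.Second)
}

// NeedsReimport is the condition a CloudWatch alarm on that metric would
// encode: the key material expires within the warning window, so the
// operator must import the same material again before KMS deletes it.
func NeedsReimport(now, validTo time.Time, warn time.Duration) bool {
	return validTo.Sub(now) <= warn
}

func main() {
	wrappingKey, err := NewSimulatedWrappingKey()
	if err != nil {
		panic(err)
	}
	keyMaterial, err := NewKeyMaterial()
	if err != nil {
		panic(err)
	}

	wrapped, err := WrapKeyMaterial(&wrappingKey.PublicKey, keyMaterial)
	if err != nil {
		panic(err)
	}
	fmt.Printf("wrapped key material: %d bytes of RSA-2048 ciphertext\n", len(wrapped))

	recovered, err := unwrapKeyMaterial(wrappingKey, wrapped)
	if err != nil {
		panic(err)
	}
	fmt.Println("service-side unwrap matches local key:", bytes.Equal(recovered, keyMaterial))

	// Expiry bookkeeping for material imported with an expiration date.
	now := time.Now()
	validTo := now.Add(365 * 24 * time.Hour)
	fmt.Println("seconds until expiration:", SecondsUntilExpiration(now, validTo))
	fmt.Println("reimport needed within 30 days:", NeedsReimport(now, validTo, 30*24*time.Hour))
}
```

Two operational caveats worth pairing with the alarm logic: the import token returned alongside the public key is itself short-lived (24 hours), so wrapping and import should happen in one sitting, and a CMK created with an EXTERNAL origin accepts only the same key material on reimport, so the original material must be kept safely offline or the CMK becomes unusable once it expires.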
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=6c3783fff3&e=20056c7556
============================================================
Feedback, questions? Our mailing address is: dailynews@paulgdavis.com (mailto:dailynews@paulgdavis.com)
If you know someone else who would be interested in this Newsalert, please forward this email.
If you want to be added to the distribution list, please click this: Subscribe to this list (http://paulgdavis.us3.list-manage.com/subscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a)
Unsubscribe from this list (http://paulgdavis.us3.list-manage2.com/unsubscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556&c=76b9c0a787)
Update subscription preferences (http://paulgdavis.us3.list-manage2.com/profile?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556)