[From the desk of Paul Davis – his opinions and no-one else’s, apart from the reporter’s opinions]
* The Anatomy of a CISO: A breakdown of today’s top security leaders
* Without information security processes, you are flying blind
* Malvertising Thrives in ‘Shady’ Parts of Highly-Automated Ad Networks
* Sneakier Cyber Attacks: Is Your Company Protected Against the Latest Threats?
* Should Ransomware Attacks Be Considered Breaches?
* DDoS attacks – Can hosting providers step up their game?
* The 5 Pillars Of Cybersecurity In Financial Services
* Ransomware Epidemic Prompts FBI Guidance
* Tennessee Amends Breach Notification Law to Cover Breaches of Encrypted Information
* Giving Customers Control: FCC Confronts Internet Service Providers with Privacy Rules
* NIST security standard to protect credit cards, health information
* Five Ways to Improve Security and Increase Collaboration
* Five Ways to Improve Security and Increase Collaboration
* PhishMe April Cybercrime Alert: Ransomware Attacks Expected to Increase
* A NIST guide tells enterprises how to secure email systems
* DISA Releases Update to DoD CIO’s Cloud Security Guide for Service Providers
* Security, Cloud Computing Remain CIO Budget Priorities: Report
* What’s driving cyber spending in the federal market?
The Anatomy of a CISO: A breakdown of today’s top security leaders
What does the typical Fortune 100 CISO look like?
Digital Guardian researched the top security leaders at F100 companies to get a better idea – here’s what they found.
[Fun infographic]
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=1592614d59&e=20056c7556
Without information security processes, you are flying blind
The aim of the Security Analogies Project is to help spread the message of information security and its importance in the modern world.
By drawing parallels between what people already know, or find interesting and how these relate to information security, the industry can increase understanding and support across the whole of society.
As for me, I find that the world of aviation lends itself to many information security analogies.
While Rapp’s analysis is written by a pilot for pilots, there is a lot in it that is highly relevant for IT and information security professionals.
Particularly around complacency and human error.
So what does all this mean for information security?
The ability to have a comprehensive set of information security processes can be of great benefit.
Enterprises may want to consider developing a catalog of security processes.
By formalizing information security processes, some of the benefits that can be obtained include:
– process improvement and optimization
– easier continuity of operations in the event of turnover
– reduced redundancy
– the ability to audit security tasks
Creating a process framework doesn’t mean simply writing a set of processes and then just dumping them on the corporate Intranet.
Ultimately creating a security process catalog is about efficiencies.
The worst thing you can do is to make process formalization the end goal, rather than the means to an effective information security program.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=689940b193&e=20056c7556
Malvertising Thrives in ‘Shady’ Parts of Highly-Automated Ad Networks
For two days in mid-March, visitors to major news and information sites—such as the New York Times, Newsweek, The Hill and the Weather Network—may have been redirected to Web servers that attempted to infect visitors’ systems with a variant of the Angler exploit kit and, ultimately, ransomware.
So far, the impact of the attack is unknown, but a single antivirus vendor, Trend Micro, recorded 41,000 infection attempts among its users between March 12 and 14.
The attack hit visitors to AOL, the BBC, NFL, The Hill, Newsweek, the New York Times, MSN, Realtor.com, The Weather Network and the Xfinity portal, according to Malwarebytes, an endpoint security firm.
Another attack used ads on the site of a major British newspaper, The Daily Mail, to attempt to infect visitors the same week, but was likely part of a different campaign, the firm stated.
Norman Guadagno, chief evangelist for data-backup and security firm Carbonite and a former ad agency representative, also argued that the complexity makes malvertising a tough problem to solve.
Every day, advertising networks deliver some 314 billion ad impressions to Website visitors, according to Guadagno, citing numbers from the Goodway Group, an online marketer.
In a recent study of one malvertising campaign, Malwarebytes found that attackers used targeted ads to focus on certain segments of the consumer marketplace and have started adding code to their ad banners that fingerprint the targeted computer, determining its operating system, browser and what security software it may be running, according to the firm.
Malvertising underscores the security problems in the advertising ecosystem posed by the inconsistent vetting of third-party content suppliers.
While users are the ultimate victims, there is very little they can do to force publishers and advertising networks to ensure that their content is non-malicious.
However, users can harden their systems and treat with suspicion any odd Website behavior, Trend Micro’s Budd said.
Endpoint security software—whether an antimalware program, a network-based service such as OpenDNS, or an application firewall such as Little Snitch—can help catch malvertising before it infects a system.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=8e8398226b&e=20056c7556
Sneakier Cyber Attacks: Is Your Company Protected Against the Latest Threats?
We asked Sri Sridharan, managing director and chief operating officer of the Florida Center for Cybersecurity—a shared resource for research, education and outreach—to share his insights into the newest breeds of threats and best practices for protecting valuable business resources.
Sridharan says hackers and cybercriminals are becoming increasingly sophisticated in their approaches to penetrating systems, and that experts from the center are tracking many emerging threats.
The first is jailbreaking the cloud.
The surge in cloud storage use is making the cloud an obvious and hugely appealing target for cybercriminals.
Second, Sridharan says he’s also starting to see more ransomware attacks.
A third trend is more sophisticated types of phishing, such as targeted “spear phishing” emails that appear to come from a known individual.
A fourth trend is headless worms, which feature malicious code that targets “headless” devices such as smartwatches, smartphones, fitness trackers and medical devices.
The fifth trend is ghostware and blastware, both new forms of malware.
Ghostware penetrates a system, steals information and then erases any tracks.
Blastware is designed to automatically destroy or disable a system if detected, and it can destroy critical infrastructure.
Do vulnerability testing.
Have a qualified, independent third party do a vulnerability assessment and penetration testing.
Sridharan explains that an assessment will generate a checklist that is prioritized based on how damaging each vulnerability is.
Small- to medium-sized businesses are especially vulnerable to cybercrime because there isn’t enough talent to go around.
And recruiting and retaining dedicated security staff is expensive.
Sridharan says the skills gap is one reason many businesses are turning to managed cloud service providers, or CSPs. “CSPs invest a lot of money to stay up to date on cybersecurity.”
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=b32531ba87&e=20056c7556
Should Ransomware Attacks Be Considered Breaches?
As healthcare organizations increasingly face ransomware attacks that deny them access to their data, are these incidents breaches that they must report to the HHS Office for Civil Rights?
That’s a question that federal regulators and healthcare industry stakeholders must start answering, says David Holtzman, vice president of compliance strategies at security firm CynergisTek and a former OCR official.
David Harlow, principal at The Harlow Group, a healthcare law and consulting firm, agrees that ransomware attacks could be seen as a non-reportable event.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=1598e552f2&e=20056c7556
DDoS attacks – Can hosting providers step up their game?
With the internet having reached its mid-20s, it’s about time for some maturity to enter the arena when it comes to solving this problem.
While we may never be able to fully attribute the blame for why DDoS still causes millions in damage every year, we do need to question the role that service providers have in mitigating the threat.
The responsibility in many cases lies with hosting providers and ISPs – something I explain to consultants with a simple analogy:
If a hosting provider isn’t providing effective DDoS mitigation as a part of its service offering they may send useless and potentially harmful traffic across their customers’ networks.
If folks refuse to pay the water company for contaminated water, why are so many companies paying for a similar situation with their hosting and service providers?
If purpose-built technology is laid out at ISPs’ peering points, DDoS traffic is halted before it can enter their networks.
This is effectively shutting the door on the DDoS traffic, while leaving a window open for the legitimate user traffic to still get in.
For security staff and service administrators, this means no more calls in the middle of the night, no more downtime and most importantly, no more victims of DDoS attacks.
A case in point is SdV Plurimédia, a French hosting provider.
It handles huge amounts of traffic and, like any other hosting provider, experiences DDoS attacks at speeds capable of derailing their networks.
SdV Plurimédia guarantees customers 24/7 operability; a risky promise if DDoS attacks are a persistent concern.
If you opt for a company that does offer security as a service, you’ll be saved a lot of the expensive call-outs, downtime and loss of customers that tend to go hand in hand with the DDoS attacks which negligent providers allow to run their course.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=709d558953&e=20056c7556
The 5 Pillars Of Cybersecurity In Financial Services
We’ve found financial services to be one of the best performing sectors in terms of cybersecurity.
Pillar #1: You have to meet the expectations of regulations (and beyond).
Pillar #2: You must have vigilance in your cybersecurity execution.
Pillar #3: You must excel at detection and recovery.
Pillar #4: You need to manage risk in the third-party ecosystem.
Pillar #5: You should consider information sharing.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=0df9fb9be2&e=20056c7556
Ransomware Epidemic Prompts FBI Guidance
The FBI offered new guidance about mitigating the risks of ransomware in a podcast last week.
It noted that ransomware is evolving, increasingly targeting businesses rather than consumers.
And it warned against paying ransoms.
In addition to the guidance, the FBI also issued an alert about a new type of ransomware known as MSIL/Samas, which encrypts entire networks, rather than data linked to one computer, according to Reuters.
And Kellermann says some endpoint security solutions can prove helpful in preventing malware infections. “But backing up drives daily and better URL filtering is tantamount to success in preventing an infection,” he says.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=a4442331f7&e=20056c7556
Tennessee Amends Breach Notification Law to Cover Breaches of Encrypted Information
Last week, Tennessee Governor Bill Haslam (R) signed S.B. 2005 into law, amending Tennessee’s breach notification law to broaden the scope of information covered and require quicker notifications of the state’s residents.
Most notably, when the amendments enter into force on July 1, 2016, Tennessee will become the only U.S. state that could require notification of affected individuals following breaches of encrypted information.
The amendments will also require businesses to notify Tennessee residents within 45 days after the business discovers the breach.
Tennessee also joins a growing trend of states that have recently amended their breach notification laws to establish explicit deadlines for notifying affected state residents.
While the 45-day deadline implemented by S.B. 2005 mirrors requirements found in several other states, these amendments go further than many other states by not including any language that extends this 45-day deadline if necessary to investigate a breach or restore the security of the breached system.
The only circumstance under which the deadline can be extended is if law enforcement decides that providing notifications will impede a criminal investigation.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=a9b6c5fc5d&e=20056c7556
Giving Customers Control: FCC Confronts Internet Service Providers with Privacy Rules
The Federal Communications Commission (“FCC”) voted yesterday to propose new privacy rules for broadband Internet Service Providers (“ISPs”) a mere three weeks after Chairman Tom Wheeler proposed them.
The proposed privacy rules, which are intended to give customers more control over their personal data, will now be released for public comment.
Currently, no enforceable privacy rules exist for broadband networks.
Under the proposed privacy rules, consumers are given increased choice, transparency and security with respect to how their personal information is used and shared by their broadband service provider.
According to the FCC proposal fact sheet, ISPs will not be prohibited “from using or sharing customer data, for any purpose.” Rather, the proposed privacy rules obligate ISPs to offer choices to consumers to opt-in or opt-out in certain instances.
Under the proposal, ISPs will be permitted to use customer data necessary to provide their services and to market the service the customer purchased.
Unless a customer affirmatively opts-out, a broadband provider, under the new rules, may use a customer’s data to market other communications-related services and share that data with affiliates who provide such services.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=5356c727f7&e=20056c7556
NIST security standard to protect credit cards, health information
The publication addresses a longstanding issue in many software packages that handle financial data and other forms of sensitive information: How do you transform a string of digits such as a credit card number so that it is indecipherable to hackers, but still has the same length and look—in other words, preserves the format—of the original number, as the software expects?
NIST Special Publication (SP) 800-38G specifies two techniques for “format-preserving encryption,” or FPE.
According to author Morris Dworkin, the new techniques are more suitable for this purpose than NIST’s previously approved encryption methods, which were designed only for binary data – the frequently lengthy strings of 1s and 0s used by computers.
But because financial software – used in card readers and billing, for example – often expects a credit card number to be the typical 16 digits long, encountering a lengthier encrypted number might cause problems in the software.
The new FPE method works on both binary and conventional (decimal) numbers—in fact, sequences created from any “alphabet” of symbols—and it produces a result with the same length as the original.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=32d95f9278&e=20056c7556
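To make the format-preserving property concrete, here is an added toy example (not NIST’s code and not the FF1 or FF3 modes specified in SP 800-38G). Like the NIST modes it is a ten-round Feistel network over the two halves of a digit string, but the round function is HMAC-SHA256 rather than AES, chosen so that the example runs with the Python standard library alone; the key and the card number are constructed test values. What it shows is the point the item above makes: a 16-digit input comes back as a 16-digit string of decimal digits, and decryption inverts it, including inputs with leading zeros.

```python
import hashlib
import hmac

# Toy format-preserving encryption over decimal strings.
# Assumption: HMAC-SHA256 stands in for the AES-based round function used by
# the real NIST FF1/FF3 modes; the Feistel structure is the same idea.
ROUNDS = 10


def _round_function(key: bytes, round_index: int, half: str, modulus: int) -> int:
    """PRF for one Feistel round: HMAC over (round index, half), reduced mod 10^m."""
    msg = f"{round_index}|{half}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % modulus


def _split(digits: str):
    """Split into left half of u digits and right half of v digits (v = u or u + 1)."""
    n = len(digits)
    u = n // 2
    v = n - u
    return digits[:u], digits[u:], u, v


def fpe_encrypt(key: bytes, digits: str) -> str:
    """Encrypt a decimal string; the output has the same length and alphabet."""
    if len(digits) < 2 or not digits.isdigit():
        raise ValueError("input must be at least two decimal digits")
    a, b, u, v = _split(digits)
    for i in range(ROUNDS):
        m = u if i % 2 == 0 else v            # length of the half being replaced
        y = _round_function(key, i, b, 10 ** m)
        c = (int(a) + y) % (10 ** m)
        a, b = b, str(c).zfill(m)             # zfill keeps leading zeros in the format
    return a + b


def fpe_decrypt(key: bytes, digits: str) -> str:
    """Run the Feistel rounds in reverse to recover the plaintext digits."""
    if len(digits) < 2 or not digits.isdigit():
        raise ValueError("input must be at least two decimal digits")
    a, b, u, v = _split(digits)
    for i in reversed(range(ROUNDS)):
        m = u if i % 2 == 0 else v
        y = _round_function(key, i, a, 10 ** m)
        c = (int(b) - y) % (10 ** m)
        b, a = a, str(c).zfill(m)
    return a + b


if __name__ == "__main__":
    key = b"constructed-demo-key"               # constructed; not a real key
    pan = "4111111111111111"                    # constructed 16-digit test number
    ct = fpe_encrypt(key, pan)
    print(pan, "->", ct, "->", fpe_decrypt(key, ct))
```

Two caveats a deployment has to handle and this toy does not: the ciphertext is a uniformly random-looking digit string, so a Luhn check digit or routing prefix will not survive encryption unless those positions are left out of the encrypted portion, and a short digit string has a small domain, which is why the NIST modes impose minimum domain sizes.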
Five Ways to Improve Security and Increase Collaboration
Today, cybersecurity is the new black.
Security incidents have become one of the unfortunate realities of business, and there is a heightened sense of awareness that pervades both businesses and consumers daily.
As security veterans, we have learned a lot over the years and have wisdom to share that can help others learn from our mistakes.
– Give Them a Door to Knock On
– Talk It Out
– It Takes a Village
– Sharing is Caring
– Grill Your Partners
You might have noticed a running theme – communication, communication, communication.
It used to be that the security community functioned in silos – there was competition between groups and little to no mutual understanding.
Today, there is an unprecedented level of cooperation around security, and as a result, there is greater understanding and education across the board.
For security rookies this is a gift.
As long as we continue this extended dialogue and share information with one another, we can all be better at our jobs – and help make everyone else safer because of it.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=2212e6e419&e=20056c7556
Five Ways to Improve Security and Increase Collaboration
The cyber insurance market in Singapore is forecast to grow by 50 per cent this year as more businesses look to mitigate the high reputational and financial risks associated with cyber breaches, according to AIG Asia Pacific Insurance Pte. Ltd.
“While cyber attacks grow in size, volume and sophistication, defensive methods and technologies have not seen a corresponding evolution, potentially costing businesses millions in the event of a cyber breach,” says AIG Singapore’s Head of Financial Lines, Lai Yen Yen.
Research undertaken by AIG revealed that two-thirds of public companies in Asia surveyed acknowledged cyber insurance to be increasingly important in the future, although only nine per cent of these companies were covered by cyber insurance.
AIG Singapore expects strong demand for cyber insurance to continue from finance and technology companies, and new demand to emerge from healthcare companies.
The insurer also forecasts cyber risks in 2016 to range from both internal and external factors, including lack of data encryption, increased use of malware, and outsourcing to third party providers.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=d6b3915674&e=20056c7556
PhishMe April Cybercrime Alert: Ransomware Attacks Expected to Increase
LEESBURG, VA — (Marketwired) — 03/31/16 — PhishMe Inc., the leading provider of human phishing defense solutions, today released its April Cybercrime Alert, warning all organizations that its threat researchers expect ransomware attacks to increase as cybercriminals become increasingly aware that:
– Ransomware is readily available and changes faster than detection technologies can respond
– In most cases, paying the ransom is the only way to free hostage data and systems
– Recent successful ransom situations will only encourage more attempts
– Cryptocurrencies such as Bitcoin can be used to force untraceable ransom payments
– Humans are widely susceptible to phishing, the most commonly used ransomware attack vector
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=8e27bceddb&e=20056c7556
A NIST guide tells enterprises how to secure email systems
For the first time in a decade, the US National Institute of Standards and Technology (NIST) has updated its secure email guide.
NIST’s previous email security guidance dates from 2007, when it published SP 800-45 Version 2, Guidelines on Electronic Mail Security.
Organizations need to make sure any email sent on their behalf by third parties will pass SPF checks. The fix is straightforward: the enterprise administrator includes the IP addresses of those third-party senders in the enterprise’s SPF policy statement (a DNS TXT resource record).
The NIST guide is out for public comment until May 1st; I suggest you read it.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=798a692afe&e=20056c7556
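As an added illustration of the SPF point in the NIST email item (example code written for this newsletter, not NIST’s and not from the guide), the following evaluates a sender IP against an SPF policy the way a receiving mail server does, so an administrator can confirm that a third-party sender’s addresses are actually covered before the first campaign goes out. The TXT records and IP addresses are constructed for the example and belong to no real domain; the evaluator handles ip4, ip6, include and all, and treats the mechanisms that need live DNS (a, mx, ptr, exists, redirect) as non-matching, which is an assumption that keeps it runnable offline.

```python
import ipaddress

# Constructed SPF records: an enterprise policy that delegates to a third-party
# bulk sender through include:. Not any real domain's published record.
TXT_RECORDS = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ip4:198.51.100.20/30 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10   # RFC 7208 s4.6.4 cap on include/a/mx/ptr/exists/redirect terms


def check_spf(sender_ip, domain, records=TXT_RECORDS, _lookups=None):
    """Return "pass", "fail", "softfail", "neutral", "none" or "permerror" for
    sender_ip against the SPF record that `domain` publishes in `records`.

    Assumption: only ip4, ip6, include and all are evaluated; mechanisms that
    need live DNS resolution are treated as not matching.
    """
    if _lookups is None:
        _lookups = [0]
    ip = ipaddress.ip_address(sender_ip)
    terms = records.get(domain, "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # no SPF policy published for this domain

    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()

        if mech == "all":
            return QUALIFIERS[qualifier]   # default verdict once nothing else matched
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"         # malformed network in the published record
            if net.version == ip.version and ip in net:
                return QUALIFIERS[qualifier]
        elif mech == "include":
            _lookups[0] += 1
            if _lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"         # too many lookups: receivers reject the policy
            inner = check_spf(sender_ip, arg, records, _lookups)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"         # including a missing/broken record is an error
            # fail, softfail or neutral from the included record just means "no match here"
    return "neutral"                       # ran off the end with no all mechanism


def uncovered_senders(domain, sender_ips, records=TXT_RECORDS):
    """Sender IPs a third party will use that the domain's SPF policy does not pass."""
    return [ip for ip in sender_ips if check_spf(ip, domain, records) != "pass"]


if __name__ == "__main__":
    # Constructed list of addresses a third-party mailer says it sends from.
    vendor_ips = ["198.51.100.10", "198.51.100.22", "198.51.100.99"]
    print("not covered by example.com SPF:", uncovered_senders("example.com", vendor_ips))
```

Note what happens with 198.51.100.99 above: the third party’s own record ends in ~all, but that softfail does not carry through the include, so the enterprise’s -all applies and the message fails. Covering a vendor’s addresses means verifying the addresses actually pass, not just that the vendor’s record was included.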
DISA Releases Update to DoD CIO’s Cloud Security Guide for Service Providers
The Defense Information Systems Agency has published an updated version of the Cloud Computing Security Requirements Guide by the Defense Department chief information officer in response to feedback from industry and mission partners.
DISA said Monday the CC SRG v1r2 release also includes a revision history and a comment matrix, which work to facilitate understanding of the changes among cloud service providers and enable them to provide immediate feedback.
The update applies feedback to the CC SRG v1r1 document released in January and provides guidance on DoD security objectives to CSPs that provide cloud computing technologies and services to the department, DISA said.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=8ac507c46e&e=20056c7556
Security, Cloud Computing Remain CIO Budget Priorities: Report
IT budget growth is being revised downward by CIOs, but at the same time cloud computing has increased as a driver of IT spending, according to a CIO Survey released this week by Nomura.
CIOs expect IT spending to increase 1.2 percent in 2016, after predicting a 3.1 percent increase in the fall.
Nomura surveyed 50 CIOs in the US in March, mostly at small and medium-sized businesses, about their expected IT spending, following a similar survey in October.
It found that while security remains the top driver of IT spending, 62 percent said cloud computing is driving IT spending, up 10 percent from October, surpassing big data analytics (60 percent) for second most common driver.
Data sprawl was named a spending driver by 18 percent of those surveyed, an increase of 12 percent, making it the one factor increasing IT spending more than cloud computing.
That pair of increases also suggests that the scalability of cloud resources is a growing motivation for CIOs to migrate workloads to the cloud.
SaaS deployments are also expected to rise, from 33 percent of applications to 56 percent in 2021, and Workday is expected to be the short term winner, receiving more revenue from 56 percent of respondents in 2016 than in 2015, just ahead of Salesforce (52 percent).
Other IT software vendors expected to take a significantly bigger share of IT budgets include Proofpoint, Palo Alto Networks, VMware, Microsoft, FireEye, NetSuite, and F5.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=0a835f6d6a&e=20056c7556
What’s driving cyber spending in the federal market?
For cybersecurity companies mapping out federal sales strategies in 2016 and beyond, it’s important to understand the nature and extent of the threat landscape that will influence buying decisions.
And what’s driving those decisions today more than anything is the velocity by which the cyber threat is expanding as well as the ways in which government systems and networks become vulnerable.
Good cyber hygiene and best practices only go so far though, and stated priorities from the fiscal 2016 and 2017 budgets reflect an emphasis on fortifying IT ecosystems (both high-value assets and enterprise architectures) with built-in security.
Let’s examine the major trends and drivers affecting cybersecurity procurement in the government, and the unique challenges facing civilian and defense sectors.
Department of Homeland Security
Einstein is one of the key pillars of the White House’s Cybersecurity Strategy and Implementation Plan, which calls for expanding the latest iteration, Einstein 3A, to all civilian agencies.
Adoption of Einstein 3A has been slow at best and because Einstein 3A is signature-based, meaning it blocks threats based on known identifiers, it’s inherently limited due to rapidly evolving threats.
As the gatekeeper for the .gov domain, DHS needs a lot of help from industry with defensive technologies that are more reactive and predictive.
Veterans Affairs
One of the biggest cybersecurity steps for the Department of Veterans Affairs is the establishment of the Enterprise Cybersecurity Team.
The two main focuses for 2016 and beyond are medical cyber and privacy.
Vendors selling security tools geared towards protecting networked medical devices will find a receptive ear in the VA.
Justice Department
According to Department of Justice budget documents, the top cybersecurity priorities for fiscal 2017 and the foreseeable future are addressing insider threats and Advanced Persistent Threat Defense.
There continues to be a consolidation at the Office of the Chief Information Officer for certain types of product buys, particularly cybersecurity.
Vendors should target the headquarters’ CIO and, of course, the FBI.
Within the FBI, the Information Assurance Division and the Enterprise Security Operations Center, both in the office of the CIO, are good starting points.
Commerce Department
This year’s focus is mostly on network management and firewalls.
In addition, the Census Bureau will also have new on-premises infrastructure and applications that need to be secured as it prepares for Census 2020.
Navy
The biggest pockets for Navy cyber spending are in NextGen (NGEN) and Consolidated Afloat Networks and Enterprise Services (CANES), the Navy’s ashore and afloat networks respectively.
HP runs NGEN, while seven different companies operate under the CANES IDIQ to equip Navy ships with one secure network.
This is an example of a common theme within DOD where you can find significant cybersecurity funding nested within major infrastructure programs.
Defense Information Systems Agency
For DISA, the emphasis is on getting vulnerabilities out of its inventory, many of which are DOD-wide systems and enterprise services.
Army
The biggest cyber gaps it is trying to close, and where it needs help from industry, are solutions around increasing network visibility and cyber threat awareness for battlefield commanders, continuous monitoring, and risk assessment.
Air Force
A big priority in 2016 and 2017 will be fusing together cyber and intelligence.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=e3768c016a&e=20056c7556
============================================================
Feedback, questions? Our mailing address is: dailynews@paulgdavis.com (mailto:dailynews@paulgdavis.com)
If you know someone else who would be interested in this Newsalert, please forward this email.
If you want to be added to the distribution list, please click this: Subscribe to this list (http://paulgdavis.us3.list-manage1.com/subscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a)
Unsubscribe from this list (http://paulgdavis.us3.list-manage.com/unsubscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556&c=6b666a308e)
Update subscription preferences (http://paulgdavis.us3.list-manage.com/profile?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556)