[From the desk of Paul Davis – his opinions and no-one else’s]
Apart from the reporter’s opinions.
So onto the news:
A Guide on 5 Common Twitter Scams
It is important to understand what the most common types of social media scams consist of and which platforms they tend to target.
We begin with a guide on five common Twitter scams.
SCAM #1: MONEY-BASED SCHEMES
SCAM #2: BOT SPAM
SCAM #3: PAY-FOR-FOLLOWER PLOYS
SCAM #4: ILLEGITIMATE DMS
SCAM #5: WORMS
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=bba4c9ed04&e=20056c7556
Majority of Companies Use Risk-Based Cybersecurity Framework
Nearly all companies surveyed in the recent PwC Global State of Information Security Survey 2016 – 91 percent – reported that they follow a risk-based cybersecurity framework.
For example, PwC found that 65 percent of respondents collaborate with others to improve cybersecurity, while 54 percent have a CISO leading their information security program.
“The two most frequently implemented guidelines are ISO 27001 and the US National Institute of Standards and Technology (NIST) Cybersecurity Framework,” explained the report’s authors. “These guidelines enable organizations to identify and prioritize risks, gauge the maturity of their cybersecurity practices and better communicate internally and externally.”
The survey also showed that there was an increase in collaboration when it comes to cybersecurity measures.
Specifically, 65 percent of respondents said they collaborate to improve cybersecurity and reduce cyber-risks, an increase from the 50 percent who reported collaboration in 2013.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=2addd45284&e=20056c7556
Vulnerability Management Program Best Practices – Part 1
There are four stages to a vulnerability management program:
1) The process that determines the criticality of the asset, the owners of the assets and the frequency of scanning, as well as establishes timelines for remediation;
2) The discovery and inventory of assets on the network;
3) The discovery of vulnerabilities on the discovered assets; and
4) The reporting and remediation of discovered vulnerabilities.
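The four stages above, modelled end to end as an added PowerShell example (not code from the linked article): stage 1 is expressed as a remediation-timeline policy keyed on asset criticality and finding severity, stage 2 as an asset inventory, stage 3 as scanner findings, and stage 4 as a report that assigns each finding an owner and a due date and flags what is overdue or not even in inventory. The hosts, owners, plugin ids and dates are constructed sample data; the timeline values are illustrative assumptions, not figures from the article.

```powershell
# Added example (not from the article): the four vulnerability-management stages
# as one small pipeline. All assets, findings and SLA values below are constructed.

# Stage 1: policy. Remediation deadline in days, by asset criticality then finding severity.
$RemediationDays = @{
    'High'   = @{ Critical = 7;  High = 14; Medium = 30; Low = 90 }
    'Medium' = @{ Critical = 14; High = 30; Medium = 60; Low = 180 }
    'Low'    = @{ Critical = 30; High = 60; Medium = 90; Low = 365 }
}

# Stage 2: inventory. Constructed sample assets; in practice this comes from the CMDB or a discovery scan.
$Assets = @(
    [pscustomobject]@{ Host = 'pay-db01';  Owner = 'dba-team'; Criticality = 'High' }
    [pscustomobject]@{ Host = 'intranet1'; Owner = 'web-team'; Criticality = 'Medium' }
    [pscustomobject]@{ Host = 'lab-vm7';   Owner = 'research'; Criticality = 'Low' }
)

# Stage 3: discovery. Constructed findings in the shape a scanner export might have
# (plugin ids are placeholders, not real scanner identifiers).
$Findings = @(
    [pscustomobject]@{ Host = 'pay-db01';  Plugin = 'PLACEHOLDER-1'; Severity = 'Critical'; Found = (Get-Date).AddDays(-10) }
    [pscustomobject]@{ Host = 'intranet1'; Plugin = 'PLACEHOLDER-2'; Severity = 'High';     Found = (Get-Date).AddDays(-3) }
    [pscustomobject]@{ Host = 'lab-vm7';   Plugin = 'PLACEHOLDER-3'; Severity = 'Low';      Found = (Get-Date).AddDays(-400) }
    [pscustomobject]@{ Host = 'unknown9';  Plugin = 'PLACEHOLDER-4'; Severity = 'Medium';   Found = (Get-Date) }
)

# Stage 4: reporting. Join findings to assets, compute the due date from the policy,
# and flag overdue items and hosts the inventory does not know about.
function Get-RemediationReport {
    param([object[]]$Assets, [object[]]$Findings, [datetime]$Now = (Get-Date))

    $byHost = @{}
    foreach ($a in $Assets) { $byHost[$a.Host] = $a }

    foreach ($f in $Findings) {
        $asset = $byHost[$f.Host]
        if (-not $asset) {
            # A finding on a host missing from inventory is itself a stage-2 gap: nobody owns it.
            [pscustomobject]@{ Host = $f.Host; Owner = 'UNASSIGNED'; Severity = $f.Severity; DueDate = $null; Status = 'NOT IN INVENTORY' }
            continue
        }
        $days = $RemediationDays[$asset.Criticality][$f.Severity]
        $due  = $f.Found.AddDays($days)
        [pscustomobject]@{
            Host     = $f.Host
            Owner    = $asset.Owner
            Severity = $f.Severity
            DueDate  = $due
            Status   = if ($Now -gt $due) { 'OVERDUE' } else { 'OPEN' }
        }
    }
}

# Usage: owners and the SOC get one table; sorting puts NOT IN INVENTORY and OVERDUE first.
Get-RemediationReport -Assets $Assets -Findings $Findings |
    Sort-Object Status, DueDate |
    Format-Table -AutoSize
```

With the constructed data, the critical finding on the high-criticality database host and the year-old low finding on the lab VM come out as OVERDUE, the intranet finding is still OPEN, and the unknown host surfaces as NOT IN INVENTORY, which is the discovery gap stage 2 is meant to close.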
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=c7bb4e6ab1&e=20056c7556
Microsoft Device Guard tackles Windows 10 malware
The endpoint is once again at the center of the information security war.
Malware infections are a daily occurrence and tie up vital resources as security teams battle to keep networks safe from malicious code.
Windows 10 Enterprise introduces various security innovations, such as Windows Hello multifactor biometric authentication and Microsoft Passport, which now fully supports the FIDO (Fast Identity Online) Alliance standards.
The key security control to prevent malicious code from permanently compromising Windows 10 devices, however, is Microsoft Device Guard, which protects the core kernel from malware.
Windows security professionals should be aware of how this new security technology works and where enterprises can best deploy it to defend against Windows 10 malware and today’s cyberattacks.
Microsoft Device Guard combines hardware and software security features to restrict the Windows 10 Enterprise operating system to run only code signed by trusted parties, as defined in the enterprise’s code integrity policy.
In-house as well as third-party-developed applications that haven’t been cryptographically signed can be authenticated using a certificate that chains up to Microsoft, without the need to repackage the application.
Only an updated policy signed by a trusted signer can change a device’s application control policy, making it a big improvement from AppLocker, which could be accessed by attackers with administrative privileges.
Device Guard works by leveraging the IOMMU (Input/Output Memory Management Unit) features in a device’s processor and motherboard chipset to isolate itself from the rest of Windows.
This virtualization-assisted security leverages a new Hyper-V component called Virtual Secure Mode (VSM), which is a protected VM that sits directly on the hypervisor and is separated from the Windows 10 kernel.
When a device starts, Unified Extensible Firmware Interface (UEFI) Secure Boot ensures Windows boot components start before anything else, to prevent boot kits from executing.
Next, the Hyper-V virtualization-based security (VBS) services fire up, isolating core Windows services that are critical to the security and integrity of the operating system.
This isolation protects the kernel, privileged drivers and system defenses like antimalware programs, by preventing malware from running early in the boot process, or in the kernel after startup.
The trusted platform module (TPM), an isolated hardware component that protects sensitive data such as user credentials and certificates, also starts.
The TPM can store the proof that a system booted securely, which can be used to validate the integrity of a device before allowing it to connect to a network.
Microsoft Device Guard doesn’t mean the end of Windows 10 malware, but it raises the competency barrier required by hackers looking to install malicious code.
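The policy mechanism described above (only signed code runs, and only a policy update signed by a trusted signer can change the policy), shown as an added PowerShell example; this is not code from the article or from Microsoft, though the ConfigCI cmdlets, signtool switches and event id used are the ones Microsoft documents for Device Guard. The paths, the signer certificate file and the certificate subject name are placeholders.

```powershell
# Added example (not from the article or Microsoft): build, audit and sign a
# Device Guard code integrity policy from a reference machine. Paths, the
# 'CodeSigner.cer' file and the signer name are placeholders.

$PolicyXml = 'C:\CIPolicy\Policy.xml'       # editable policy (placeholder path)
$PolicyBin = 'C:\CIPolicy\SIPolicy.p7b'     # binary form that Windows loads
$SignerCer = 'C:\CIPolicy\CodeSigner.cer'   # placeholder: public cert of the policy signer

# 1. Scan the reference ("golden") machine. -Level Publisher allows binaries from
#    publishers already present; unsigned files fall back to a per-file hash.
#    -UserPEs covers user-mode executables as well as kernel-mode code.
New-CIPolicy -FilePath $PolicyXml -Level Publisher -Fallback Hash -UserPEs

# 2. Keep the policy in audit mode (rule option 3) at first: violations are logged
#    to Microsoft-Windows-CodeIntegrity/Operational instead of being blocked.
Set-RuleOption -FilePath $PolicyXml -Option 3

# 3. Declare the only certificate allowed to publish future policy updates. This is
#    what makes the policy tamper-resistant to a local administrator: a replacement
#    policy must carry a signature from this signer.
Add-SignerRule -FilePath $PolicyXml -CertificatePath $SignerCer -Update

# 4. Convert to binary and sign it. signtool.exe ships with the Windows SDK;
#    1.3.6.1.4.1.311.79.1 is the PKCS#7 content-type OID for code integrity policies.
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin
& signtool.exe sign /v /n 'Contoso CI Policy Signer' /p7 'C:\CIPolicy' /p7co 1.3.6.1.4.1.311.79.1 /fd sha256 $PolicyBin

# 5. Before enforcing, review what audit mode would have blocked. Event 3076 is the
#    audit-mode "would have been blocked" record; 3077 is the enforced block.
Get-WinEvent -LogName 'Microsoft-Windows-CodeIntegrity/Operational' -MaxEvents 50 |
    Where-Object Id -eq 3076 |
    Select-Object TimeCreated, Message
```

Enforcement is the same policy with audit mode removed (Set-RuleOption with -Option 3 -Delete), reconverted and re-signed; because step 3 named the update signer, that re-signed file, and not an administrator's local edit, is what the device will accept as its new application control policy.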
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=980f126833&e=20056c7556
83% of InfoSec Pros Think (Another) Successful Cyberattack On Critical Infrastructure Likely In 2016
Most respondents (62.88%) were against the government having encryption backdoors and most (58.87%) said they believe privacy is being compromised in the effort to create stronger cybersecurity regulation.
Nevertheless, more than half (56.78%) were in favor of the Cybersecurity Act of 2015 (formerly known as the Cybersecurity Information Sharing Act of 2015) — which has had its own share of criticisms from privacy advocates.
On the other hand, they weren’t as ready to share information themselves; only 30.62 percent said they expected their organizations would voluntarily share information if they experienced a breach.
Responses were very mixed as it related to the European Union’s striking down of Safe Harbor, the data transfer agreement that had, for the past 15 years, allowed multinational organizations to store Europeans’ data in the United States if the companies agree to comply with Europe’s data privacy laws.
Respondents expect the cybersecurity skills shortage to continue in 2016.
While 45.06 percent plan to hire more staff and expect it will be difficult to find skilled candidates, only 2.65 percent plan to hire more staff and expect it will be easy.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=107cb39bc1&e=20056c7556
The Four Big Problems With Security Metrics
More than 8 out of 10 respondents in an April 2014 survey of nearly 600 IT and security professionals, conducted by the Ponemon Institute on behalf of FireMon, said that it is important to have metrics that are aligned with business goals.
But 43 percent said the metrics that are actually used today do little to convey the true state of security in an organization while 11 percent said they were unsure how effective their metrics were.
Metrics report activity, not outcomes
Sacrificing Detail For Simplicity
Metrics That Are Useful To Security Pros Are Too Complicated For Management
Viewing Metrics As An Exact Science
Management executives want security organizations to tell them precisely what is going on in language they can understand, Bruce from Resilient says. “The most competent way to converse with them is to describe the nature of the problem and to make clear that it is not an exact science.”
It is important to convey the nature of the risks that all organizations face, including the potential for cyberattacks, and to explain that there are ways to control and mitigate such attacks, he says.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=8225b38bec&e=20056c7556
Four tips for enabling better collaboration
The Ponemon Institute last September conducted a survey sponsored by Resilient Systems of over 600 IT and IT security professionals.
The results revealed a disturbing lack of collaboration on security issues across departments and lines of business at many organizations.
A mere 15 percent of the respondents described the collaboration as excellent while 32 percent described it as poor or non-existent.
The remaining 53 percent cited it as being adequate but in need of improvement.
Make Someone Accountable For Security
Enable Better Collaboration Across LOBs And Departments.
Communicate Security Issues More Effectively
Use The Right Metrics
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=129006c0c9&e=20056c7556
What cybersecurity spending strategies will best help enterprises?
According to a recent PricewaterhouseCoopers study, while SMBs spend nearly 15% of their IT budgets on security, large companies spend only 11%.
Both numbers represent an increase from a few years ago.
Given that, how should CISOs best strategically take advantage of increases in cybersecurity spending?
But the better question is what you actually need.
First, you need to determine the total cost of ownership (TCO) for establishing the right complement of resources — people and technology.
The formula for TCO includes a junction of TCT, TCR and TCM.
We all want to have the resources necessary to meet and stay ahead of risks.
But how much of that budget is truly necessary?
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=12ddf453b7&e=20056c7556
Top 10 Influencers in Banking InfoSec
Each of these influencers for 2016 has made a substantial impact.
Their influence ranges from shaping security enhancements and innovations for payments to providing regulations and enforcement to assist breach prevention and data protection.
Some influencers have shined a spotlight on growing cyberthreats and information security gaps.
Others have helped identify new opportunities for innovation.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=2fe75611fd&e=20056c7556
Europol Announces DD4BC Arrests
European police have arrested a “main target” as part of a previously undisclosed law enforcement effort, dubbed Operation Pleiades, against the distributed denial-of-service attack gang called DD4BC.
Authorities say that while the group initially ran Bitcoin extortion campaigns that primarily targeted the online gambling sector, it’s since broadened its activities to focus on numerous high-profile organizations, including businesses in the financial services and entertainment sectors.
Individual ransom demands the group has made – at least ones which have come to light – typically demand 100 bitcoins ($45,000), security experts say.
But on Jan. 12, the association of European police agencies, known as Europol, announced that its European Cybercrime Center, EC3, helped coordinate an operation that resulted in the arrest of a main target and another suspect.
As part of the operation, which occurred last month – from Dec. 15 to 16 – police also searched multiple properties and seized “an extensive amount of evidence,” much of which is no doubt now being subjected to digital forensic analysis.
“This type of extortion attack has become a well-established criminal enterprise and has affected thousands of victims globally, with the number of unreported incidents believed to be much higher,” Europol says. “The absence of reporting by private companies and individuals poses particular difficulties in law enforcement’s efforts to prosecute these cyber threats.”
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=fe28abb530&e=20056c7556
Patient Data Must Be Encrypted, Not “Camouflaged”, as Per FTC Settlement
The FTC recently announced a $250,000 settlement with Henry Schein Practice Solutions, Inc. (“Henry Schein”) for falsely advertising that the software it marketed to dental practices provided “industry-standard encryption of sensitive patient information” and “would protect patient data” as required by HIPAA.
In fact, according to the FTC’s Complaint, the software (called “Dentrix G5”) actually used a data protection tool Henry Schein knew was “less secure and more vulnerable than widely-used, industry-standard encryption algorithms, such as Advanced Encryption Standard (‘AES’) encryption.” The Complaint states that Henry Schein was aware that the Department of Health and Human Services (“HHS”) directs health care providers to guidance promulgated by the National Institute of Standards and Technology (“NIST”), which recommends AES encryption to protect patient data.
Alas, the admission that the product provided mere “data masking” or “camouflaging” rather than encryption was, apparently, too little and too late to avoid the FTC enforcement action and the ensuing settlement payment and negative publicity.
Though no data breach was alleged to have occurred, the damage had been done by the “false or misleading” claims already made by Henry Schein.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=9c0294d038&e=20056c7556
Singapore most targeted by banking Trojans in 2015
Singapore has been ranked as the country whose users face the highest risk worldwide of having their computers infected by banking Trojans, according to the Kaspersky Security Bulletin Overall Statistics Report for 2015.
Among all Kaspersky Lab users attacked by malware in Singapore, 11.6 percent were targeted at least once by banking Trojans throughout the year.
Austria and Switzerland came in second at 10.6 percent, while Hong Kong – the only other country in the Asia Pacific region – ranked eighth at nine percent.
The report also highlighted that for the first time ever, mobile financial threats were found to be among the top 10 malicious programmes designed to steal money.
Two families of mobile banking Trojans, namely Faketoken and Marcher, were included in 2015’s top 10 banking Trojans.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=c8ac4e4685&e=20056c7556
The Incident Response “Fab Five”
CISOs should consider and coordinate incident detection and response in five areas: hosts, networks, threat intelligence, user behavior monitoring, and process automation.
Based upon lots of discussions with cybersecurity professionals and a review of industry research, I’ve come up with a concept I call the incident response “fab five.” Enterprise organizations with the most efficient and effective incident detection and response tend to establish best practices and synchronization in five distinct areas.
Many organizations continue to back-end IR processes with SIEM tools (i.e. IBM QRadar, LogRhythm, Splunk, etc.). In many cases, SOC teams are highly skilled with these tools and often use them to aggregate IR data, triage events, and train junior analysts.
To improve IR in 2016, CISOs should make sure that they have a strategy for coordination and progress in all 5 areas.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=bc16656384&e=20056c7556
Cloud Security Alliance Summit 2016 Set to Kick Off RSA Conference with “Cloudifying Information Security”
SAN FRANCISCO, Jan. 11, 2016 /PRNewswire-USNewswire/ — RSA Conference 2016 — The Cloud Security Alliance (CSA) today announced its preliminary agenda for CSA Summit 2016, a full-day event being held at the RSA Conference on Monday, February 29. This year’s featured keynote will be presented by Robert Herjavec, CEO of the Herjavec Group and star of ABC’s Shark Tank, speaking on Entrepreneurship in Information Security. Luis A. Aguilar, former Commissioner with the U.S. Securities and Exchange Commission, will also serve as a featured keynote at the event.
This year’s Summit has been expanded to a full-day event and is expected to draw more than 1,100 attendees.
As the information security industry is rapidly being transformed into solutions delivered by and for cloud computing, this year’s CSA Summit 2016 will focus on sharing the progress enterprises have made in shifting to cloud computing and on key emerging trends in information security. World-leading security organizations and cloud providers, including experts from Google, Microsoft, Intel, Dropbox, Cisco and next-generation cloud security companies, will discuss global governance, the latest threats, best practices and security innovations.
In addition to the presentations, the CSA will also release new research and updates on cloud assessment tools during the Summit.
Attendance to the event is open and free to any individuals registered as an RSA conference delegate or with an RSA Expo pass. Individuals wishing to attend this event must indicate so during registration. Seating is limited and the event does reach capacity each year.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=aaf31742f2&e=20056c7556
“Cybersecurity Misconduct Expected to Result in Increased Penalties for Employees”
HERNDON, Va., Jan. 12, 2016 /PRNewswire-USNewswire/ — The focus on insider threats will increase and corporations will begin to penalize employees who misinterpret security policies and procedures, according to a new survey of corporate information security practitioners.
The survey titled, Defending Data: Turning Cybersecurity Inside Out With Corporate Leadership Perspectives on Reshaping Our Information Protection Practices, was conducted by Ari Kaplan Advisors and published by global security intelligence and information management technology company Nuix.
Insider Threat Programs and Policies Will Become Enforceable by Courts
Based on the findings, Nuix predicts that corporations without an insider threat program or policy in place, approximately 33% of respondents, may be legally forced to implement one.
The majority of survey respondents, a resounding 93% of those surveyed, said people were the biggest weakness in information security, ahead of technology and processes.
“There’s a recognition now that everyone is responsible for cybersecurity, not just those working in IT,” said one respondent.
For this reason, Nuix predicts that corporations will begin to penalize employees who “misunderstand, misinterpret, or miscalculate longstanding security policies and procedures.”
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=9aba17fced&e=20056c7556
============================================================
Feedback, questions? Our mailing address is: dailynews@paulgdavis.com
If you know someone else who would be interested in this Newsalert, please forward this email.
If you want to be added to the distribution list, please click this: Subscribe to this list (http://paulgdavis.us3.list-manage.com/subscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a)
Unsubscribe from this list (http://paulgdavis.us3.list-manage.com/unsubscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556&c=d47608209c)
Update subscription preferences (http://paulgdavis.us3.list-manage2.com/profile?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556)