[From the desk of Paul Davis – his opinions and no-one else’s]
Apart from the reporter’s opinions 😉
So onto the news:
Are threats to our power grid real?
A June 2015 study by the Congressional Research Service, which provides policy and legal analysis to U.S. lawmakers, specifically identified some of the malware already being used against American energy companies and highlighted the threat to “take down control systems that operate U.S. power grids, water systems and other critical infrastructure.”
Although ISIS does not currently have the hacking capabilities to cause major damage to our infrastructure, the availability of the malware programs capable of achieving this goal may well soon be available on the black market for purchase.
While countries such as Russia, China or even Iran — which all have the computer capabilities to wreak havoc — have appeared to hesitate to deploy malware in this manner against the United States out of a fear of retaliation, that type of concern may not be present with ISIS.
The same Congressional Research Service study also suggested power companies shift from a defensive mode when assessing cybersecurity threats to an “intrusion detection” model because attackers may gain access to critical systems years before they are detected.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=bd3e914160&e=20056c7556
Cybersecurity bill sails through Senate despite tech opposition
The U.S. Senate approved a controversial cybersecurity bill on Tuesday, despite opposition from major tech companies and privacy advocates who fear it will lead to more of citizens’ private information going to the U.S. government.
The Cybersecurity Information Sharing Act (CISA) (S.754) passed by a vote of 74-21 after a day of debate.
It needed 60 votes to pass.
Its supporters, which include major industry groups and the White House, say the bill and its protections will lead to a better and more coordinated defense against cyberattacks on U.S. businesses and organizations.
But opponents say CISA means more private information being handed over to the government.
The Department of Homeland Security, which is charged with receiving the information from companies, is supposed to anonymize the data, but that hasn’t reduced the criticism from big names including the ACLU, Apple, Google, Facebook, Yahoo, Twitter, Reddit, Yelp and the Wikimedia Foundation.
But despite those claims, many major industry organizations did support the bill for the legal immunity it provides.
The mobile carriers’ lobbying organization, the CTIA, was one of the first to hail passage of CISA on Tuesday evening, saying it “offers a constructive framework for bi-directional information sharing that will strengthen America’s cyber defenses.”
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=46c2431c04&e=20056c7556
Split between EU privacy watchdogs on Safe Harbor worries business lobby
German data protection authorities’ decision to break ranks with their counterparts in other European Union countries and block alternatives to Safe Harbor has business lobbyists worried.
The striking down of the Safe Harbor data sharing agreement by the European Union’s highest court on Oct. 6 left a legal vacuum that European Commission officials immediately sought to fill with a reminder of the legal alternatives available and promises of coordinated action by national privacy regulators, who responded with their own reassurances on Oct. 16.
But on Monday night, German data protection registrars at the state level called into question many of the points agreed on by the national regulators, and left companies little alternative but to store the data of European citizens in Europe.
There’ll be no data truce in Germany, however.
Hamburg’s data protection registrar will immediately begin auditing German subsidiaries of U.S. companies registered under the Safe Harbor agreement, and it could issue prohibition orders, it warned.
A position paper it published with other state regulators makes clear that they too will block any data transfers they discover are relying on Safe Harbor for their legal justification.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=f6a7194567&e=20056c7556
UK firms overconfident over data breach risk, survey finds
Many British businesses have been lulled into a false sense of security when it comes to protecting their critical data from breaches, a new survey has found.
Research conducted by YouGov on behalf of Ilex International found that many firms express high levels of confidence in the defences they have in place, despite the growing threat posed by cyber criminals.
Almost a quarter of IT decision-makers surveyed (24 per cent) described themselves as very confident in their solutions, while a further 59 per cent said they were fairly confident their business is protected against data breaches.
Some of the most common dangers highlighted by larger businesses included insider threats (44 per cent of respondents), employee education (42 per cent), access control (26 per cent) and BYOD or mobile access (24 per cent).
The survey also revealed many businesses may be underestimating their level of risk, as companies in the UK are not required to report security breaches, while in many cases they may not even know they have encountered one.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=754e90df9d&e=20056c7556
The average organization experiences 9 insider threats each month
After analyzing actual cloud usage across over 23 million employees, Skyhigh Networks uncovered how user behaviours put companies at risk and how catching and managing this behaviour can be the proverbial “canary in the coal mine” in reducing the risk of data loss.
– 89.6% of organisations experience at least one insider threat each month – that is up from 85% for the same quarter last year
– 55.6% of organisations experience unusual behaviour by privileged users, such as administrators accessing data they should not, each month
– The average organisation experiences 9.3 insider threats each month.
In order to exfiltrate stolen data from on-premises systems of record, hackers are increasingly turning to public cloud services.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=48dd2b7def&e=20056c7556
Cyber Security Market by Solution – Global Forecast to 2020 – Reportlinker Review
NEW YORK, Oct. 28, 2015 /PRNewswire/ — With the exponential growth and sophistication of cyber-attacks in the last few years, security solutions and services are in demand to protect the huge confidential data of the government, military, public data, Banking Financial Service and Insurance (BFSI), hospitals, and other business.
With regards to this, security solutions such as security intelligence, managed security services, advance threat protection, and incident response are being used for data privacy and for cyber protections.
Of all major technologies, antivirus and antimalware solution is expected to acquire the highest market share during the forecast period owing to the increase in adoption of such solutions by organizations of multiple sizes as well as consumers.
The cyber security market is tending towards maturity in developed regions such as North America and Europe.
However, emerging regions such as Latin America and APAC are rapidly investing in this security market due to emerging issues of major security breaches.
There are numerous drivers to this market and it is considered to be a fast growing market.
Latin America and APAC have seen tremendous economic growth, political transformation, and social change.
Owing to the sophistication of cyber threats, countries in these regions have all updated or launched new national cyber security policies.
Major drivers of this market are the stringent government cyber laws and increasing risk of security threat to the various sectors.
Along with this, cloud computing is also an important driver, which has grabbed the spotlight of the market thereby increasing the threat of data loss and data leakage.
However, cyber talent gap and lack of awareness about the dedicated solutions are the biggest challenge faced by the industry.
The global cyber security market is expected to grow from $106.32 billion in 2015 to $170.21 billion by 2020, at a Compound Annual Growth Rate (CAGR) of 9.8%.
The key players in this market include Booz Allen Hamilton, Cisco, CSC, IBM, Lockheed Martin, Intel Security, Microsoft, Northrop Grumman, Symantec, and Trend Micro.
MarketsandMarkets expects the aerospace, defense, and Intelligence vertical to account for the largest market share throughout the forecast period.
The professional approach of cyber criminals, highly interdependent supply chain management, growing cyber-attacks on critical infrastructure of aviation and defense are the main dangers to a nation’s critical networks and supply chains leading to the theft of proprietary data.
Transglobal strategic alliances, proactive measures, substantial investments, technological advancements, along with new legislations are the key factors behind the continual increase in the adoption of cyber security solutions across the aerospace and defense industry.
The other revenue pockets that will witness significant growth in this period are healthcare, telecommunication, and manufacturing.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=47a370ef09&e=20056c7556
Hackers infect MySQL servers with malware for DDoS attacks
Hackers are exploiting SQL injection flaws to infect MySQL database servers with a malware program that’s used to launch distributed denial-of-service (DDoS) attacks.
Security researchers from Symantec found MySQL servers in different countries infected with a malware program dubbed Chikdos that has variants for both Windows and Linux.
This Trojan is not new and was first documented in 2013 by incident responders from the Polish Computer Emergency Response Team (CERT.PL).
At that time the malware was being installed on servers after using brute-force dictionary attacks to guess SSH (Secure Shell) login credentials.
However, the new attacks observed by Symantec abuse the user-defined function (UDF) capability of the MySQL database engine.
UDF allows developers to extend the functionality of MySQL with compiled code.
Symantec believes that attackers exploit SQL injection vulnerabilities in order to inject malicious UDF code in databases.
They then use the DUMP SQL command to save the injected code as a library file that is later executed by the MySQL process.
The Symantec researchers found MySQL servers infected with Chikdos in many countries, including India, China, Brazil, Netherlands, the U.S., South Korea, Mexico, Canada, Italy, Malaysia, Nigeria and Turkey.
The largest concentrations were in India and China, 25 and 15 percent respectively.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=15c93a6bca&e=20056c7556
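A detection sketch for the UDF abuse described in the item above, added here as an example and not taken from Symantec's report or this newsletter. It assumes the MySQL general query log is enabled and that the "DUMP" step corresponds to MySQL's `SELECT ... INTO DUMPFILE` statement; the log lines, file names and function names are constructed.

```python
import re

# Constructed sample lines in the style of a MySQL general query log.
SAMPLE_LOG = [
    "2015-10-28T10:00:01Z 12 Query SELECT id, name FROM products WHERE id = 7",
    "2015-10-28T10:00:05Z 12 Query SELECT 0x<elided> INTO DUMPFILE "
    "'/usr/lib/mysql/plugin/example_udf.so'",
    "2015-10-28T10:00:06Z 12 Query CREATE FUNCTION example_fn RETURNS INTEGER "
    "SONAME 'example_udf.so'",
    "2015-10-28T10:02:00Z 15 Query SELECT * FROM orders INTO OUTFILE '/tmp/orders.csv'",
    "2015-10-28T10:03:00Z 16 Query create function json_len returns integer "
    "soname 'vendor_json.so'",
]

# A statement that writes raw bytes to a file on the database host.
DUMPFILE_RE = re.compile(r"INTO\s+DUMPFILE\s+'([^']+)'", re.IGNORECASE)
# A statement that registers a user-defined function from a shared library.
CREATE_UDF_RE = re.compile(
    r"CREATE\s+(?:AGGREGATE\s+)?FUNCTION\s+`?(\w+)`?\s+RETURNS\s+"
    r"(?:STRING|INTEGER|REAL|DECIMAL)\s+SONAME\s+'([^']+)'",
    re.IGNORECASE,
)
LIBRARY_EXTENSIONS = (".so", ".dll")


def lib_name(path):
    """Return the lower-cased file name from a POSIX or Windows path."""
    return re.split(r"[\\/]", path)[-1].lower()


def scan_query_log(lines):
    """Flag library files written by SQL and UDFs registered from them.

    Returns a list of (line_number, rule, detail) tuples. A UDF whose
    SONAME matches a library written earlier in the same log is reported
    as 'udf-from-dumped-library', the pattern the article describes.
    """
    findings = []
    dumped = {}  # library file name -> line number where it was written
    for number, line in enumerate(lines, 1):
        written = DUMPFILE_RE.search(line)
        if written and lib_name(written.group(1)).endswith(LIBRARY_EXTENSIONS):
            dumped[lib_name(written.group(1))] = number
            findings.append((number, "library-written-by-sql", written.group(1)))
        created = CREATE_UDF_RE.search(line)
        if created:
            func, soname = created.group(1), lib_name(created.group(2))
            if soname in dumped:
                detail = f"{func} <- {soname} (written at line {dumped[soname]})"
                findings.append((number, "udf-from-dumped-library", detail))
            else:
                # Still worth a review: UDF registration is rare in most apps.
                findings.append((number, "udf-created", f"{func} <- {soname}"))
    return findings


if __name__ == "__main__":
    for finding in scan_query_log(SAMPLE_LOG):
        print(finding)
```

On a live server the same review can start from the `mysql.func` table, which lists the UDFs currently registered and the library each one loads.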
Ransomware Ranked Number One Mobile Malware Threat
The ping pong debate over whether mobile devices have developed into a truly mainstream cyberattack vector gained a little fodder today with a new report out from Blue Coat that claims an uptick in the number of mobile ransomware attacks in 2015.
This report comes close on the heels of a report earlier this month by IDG and Lookout that claims 74 percent of businesses report having experienced a breach as a result of a mobile issue—be it vulnerable apps, malware hidden in apps, insecure WiFi, or apps prone to information leakage.
According to BlueCoat, the top infection vector this year has by far been pornography, accounting for 36 percent of malicious traffic coming from devices examined by the firm.
On the bright side, malvertising attacks against mobile targets appear to be on the decline, dropping by 20 percent in the past year.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=512265f29e&e=20056c7556
Security Pros Want Automated Security, but Hesitate to Deploy It
While nearly two-thirds of security practitioners consider the analysis of device data for security to be very important to protect their networks, only 36 percent of companies currently use data analytics for defense, according to survey data released by the Ponemon Institute on Oct. 28.
The survey, based on interviews with more than 600 IT security practitioners and sponsored by security-analytics firm Prelert, found that most security experts considered the automated analysis of security data to be very important to detecting future attacks, but that most companies still relied on human analysts to prioritize potential security alerts.
The gap between the perceived usefulness of automated security analysis and the actual deployment of such products suggests that security professionals are worried about the capabilities of existing security-analytics solutions or believe that they are not a target, Larry Ponemon, chairman and founder of the Ponemon Institute, said in a statement.
Ninety-two percent of companies currently rely on anti-malware systems to detect and prioritize threats, according to the report.
Other technologies commonly used to prioritize threats include identity and authentication management systems, blacklisting tools and intrusion-prevention systems.
Yet companies are still struggling to collect information from these systems.
If a security-analytics system detects an anomaly, only a third of companies receive an alert within “hours,” according to the Ponemon report.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=99d9a81ec6&e=20056c7556
[Nigeria] What Companies Need To Know About The Cybercrime Act, 2015
The President may on the recommendation of the National Security Adviser, designate certain Computer systems as constituting Critical National Information Infrastructure.
There is the need for all organizations to ensure that their electronic signature is secure and difficult to be forged or cloned.
The law provides that an electronic signature in respect of purchase of goods or online order is binding on the author of such electronic message.
Where the presumed author claims that the signature was forged, he would have to discharge the heavy burden of proving that the signature did not emanate from his computer system or network.
The act has imposed obligations on any person or institution, who operates a computer system/network, whether public or private, to inform the National Computer Emergency Response Team (CERT) of any attacks, intrusions or disruptions liable to hinder the functioning of another computer system or network within (7) Seven days of such occurrence, so that the National CERT can take the necessary measures to tackle the issues.
In the recent past, service providers were ‘lords unto themselves’ and the only redress available to dissatisfied consumers was the termination of their service contracts.
With the enactment of this Act, companies can now hold their internet service providers accountable for poor services under section 29 (1), especially when the monetary value of the loss sustained by the consumer can be quantified and proven.
Companies are now empowered to demand quality from their internet service providers.
Regardless of any contract of employment, all employees must relinquish or surrender all codes and access rights to their employers immediately upon disengagement.
Failure to comply would be presumed as an attempt to hold the employer to ransom and the punishment is 3 years imprisonment or fine of N3 Million or both.
Service Providers are now under the obligation to provide information requested by any law enforcement agencies.
Failure to assist law enforcement agencies attracts a fine of N10 Million.
In addition, the owners of the service-providing company could also be liable for 3 years imprisonment and N7 Million fine.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=219a0e7386&e=20056c7556
What can we expect from 2016? A growth in online extortion, hacktivism and mobile malware
“We anticipate 2016 to be a very significant year for both sides of the cybercrime equation,” said Raimund Genes, CTO, Trend Micro. “Governments and enterprises will begin to see the benefit of cybersecurity foresight, with changes in legislation and the increasing addition of cybersecurity officers within enterprises.
In addition, as users become more aware of online threats, attackers will react by developing sophisticated, personalized schemes to target individuals and corporations alike.”
According to the report, 2016 will also mark a significant turning point for malvertising.
In the U.S. alone, there is a 48 percent increase in users who use ad blocking software, with a 41 percent increase in global use this year.
As a result, advertisers will seek to alter their approach to online ads, and cybercriminals will attempt to find other ways to obtain user information.
Online extortion will be accelerated through the use of psychological analysis and social engineering of prospective victims.
Hacktivists will be driven to expose even more incriminating information, impacting targets, and facilitating secondary infections.
Less than 50 percent of organizations are expected to have cybersecurity experts on staff by the end of 2016.
Legislation will expand to a global cybersecurity defense model, allowing for more successful arrests, prosecution and convictions.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=44ccd91299&e=20056c7556
Solutionary SERT Threat Report: Four Countries Represent Source of 96 Percent of Malware Found in Q3
OMAHA, NE, Oct 29, 2015 (Marketwired via COMTEX) — Solutionary, an NTT Group security company NTT, and the next-generation managed security services provider (MSSP), today announced the results of its Security Engineering Research Team (SERT) Quarterly Threat Report for Q3 2015.
Solutionary SERT performed a broad analysis of the threat landscape, which unearthed several key findings, including 96 percent of the malware detected during Q3 ’15 represented four countries — the U.S., Netherlands, China and Japan.
Readers of the report will also find deeper analysis of the Ashley Madison breach as well as details foreshadowing an increase in malware-related activity as holiday-themed attack campaigns ramp up in Q4.
— The top four countries (U.S., Netherlands, China and Japan) accounted for over 96 percent of the malware detected during Q3 ’15.
— An increase in reconnaissance activity in Q2 ’15 was followed by an increase in attacks during Q3 ’15.
— Detected attacks jumped nearly 42 percent from what was detected in Q2 ’15, which is typical within the campaigns observed and an expected result as attackers progress through the lifecycle of attack phases.
— Web application attacks took over the top “type of attack” spot with 33 percent of all detected attacks.
— Overall detected malware dropped nearly 40 percent from what was detected in Q2 ’15.
— The Ashley Madison breach included data from as many as 31 million users, with 64 percent of those users from the U.S. (almost 20 million).
— Top five U.S. States in the Ashley Madison breach include California, Texas, New York, Florida and Pennsylvania. California accounted for 12 percent of U.S. records, with Florida accounting for the highest per-capita percent at nearly six percent.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=2dc0ceb7fb&e=20056c7556
Cybersecurity in the Indian Banking Sector
The RBI governor, Raghuram Rajan, recently announced that the central banking institution is in the process of setting up an Information Technology (IT) subsidiary.
The purpose of this IT subsidiary is to aid the RBI in effectively monitoring and supervising internet-based services offered by banks across the country.
This is a welcome move for the Indian banking sector and its customers who are threatened by systemic vulnerabilities, which enable technology related banking and financial frauds,[1] birthed primarily by the continued migration of services to internet and mobile platforms.
This post examines the need for the announced subsidiary in the context of rising instances of cyber-attacks against the banking sector and proposes possible functions for the dedicated subsidiary to enhance cybersecurity in the rapidly digitizing banking sector.
Currently, phishing, vishing, spyware or malware attacks, keylogging, data theft and other internet-based frauds have been reported to be the most common cyber-attacks against banks and their customers.[3] Despite these threats, there remains continued and even enthusiastic use of innovative, technology-backed financial services such as mobile banking and social media payment systems.
In 2010, the RBI set up a working group to examine issues arising out of IT penetration and use in the banking sector and directed banks to appoint a Chief Information Security Officer (CIO) and a steering committee on information security.
Based on the report of the working group, it also issued a set of guidelines on information security, technology risk management and combating cyber fraud, in 2011.
Unfortunately, these guidelines which were considered minimum best standards and slated to be implemented in a phased manner[5], have not been treated seriously and several banks have failed to implement these guidelines and carry out required cyber due diligence.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=b466ac2e4f&e=20056c7556
Operational confusion led to more than 400 critical- to high-risk vulnerabilities persisting on systems at BIS
Failures in communication and a lack of remediation for known cybersecurity flaws pointed to the Bureau of Industry and Security’s continuous monitoring program as being ‘deficient,’ according to a report.
The U.S. Commerce Department Office of the Inspector General said in a report made publicly available last week that the BIS’s faulty scanning practices — which relied on outdated technology — increased compromise risk.
The OIG further found that BIS did not follow protocol for remediating identified security weaknesses, including failing to fix more than 400 known critical- to high-risk security flaws.
For remediating identified vulnerabilities, BIS failed to correctly identify the employees in charge of patching security systems, which led to the security monitoring and assessment systems containing 70 percent of the more than 400 critical- and high-risk vulnerabilities found on the systems.
OIG also found flaws that it had previously identified in an audit in 2009.
BIS further failed to follow its own plan of action and milestone, or POA&M, system it had set up following the 2009 OIG audit.
BIS was also slow to correct actions they knew to undermine its security posture.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=f25cf69f1f&e=20056c7556
Bad News is Good News For Security Budgets But Not Skills
According to the research, CISOs are reporting positive strides in terms of C-Suite support and board-level awareness for cybersecurity.
In fact, 85% reported that upper-level management support has been increasing, and 88% said that their security budgets have increased.
In the words of one CISO in the survey, “Honestly, I have not seen a case where I asked for money and it’s been turned down.”
While growing budgets and senior-level support are a big win, those factors alone aren’t enough to improve security postures.
The great news is that it looks as though these increases are being accompanied by the use of more strategic, risk-based approaches to cybersecurity.
A few years ago, the major driver of security investments was meeting compliance requirements, and investments were made to “check the box.” However, this latest research revealed that CISOs are now using a more strategic “framework” approach to prioritize risk and investment.
In fact, frameworks ranked as the top approach being used by CISOs for cybersecurity investment.
However, as security budgets grow, so do the number of new and open security staff positions, creating a void that CISOs are struggling to fill.
It’s well known that we as an industry are facing a massive cybersecurity workforce shortage, which is predicted to reach over 1.5 million open and unfilled positions by 2020.
One CISO in the study said he had three open positions that were left unfilled for months, and he had only just found two suitable candidates.
CISOs are increasingly relying on peer networks and third-party data to enhance their threat intelligence.
While service contracts, alternative deployment models and information sharing can help minimize the impact of the skills gap in the near term, we must also focus on building a strong security workforce prepared for the threats that lie ahead.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=610822e3c3&e=20056c7556