[From the desk of Paul Davis – his opinions and no-one else’s, apart from the reporter’s opinions]
* MEPs back sharing airline data to ‘fight terrorism’
* Cybersecurity of critical infrastructure is a ‘mess’ and nations must cooperate to fix it, warns Eugene Kaspersky
* Newark police: Cyberattack disrupted some computer systems
* How to get the most out of your security investment
* UEBA is only one piece of the cyber risk management puzzle
* IRS Chief: Agency Faces Loss of Key InfoSec Personnel
* SANS to Host First-Ever Salt Lake City, Utah Information Security Training Event
* Software tools and services used to achieve ISO 27001
* New Research From SANS And DomainTools Reveals Shift Towards Threat Hunting Model And ‘Work Smarter Not Harder’ Approach To Security
* 3 steps to embracing NIST 800 security controls
* Ottawa open for comments on proposed breach notification regulations
MEPs back sharing airline data to ‘fight terrorism’
The European Commission first proposed the so-called Passenger Name Record in 2011.
It marks the end of a five-year battle to get the legislation approved, having been held up over privacy concerns.
The so-called Passenger Name Record was approved by 416 votes for, to 179 votes against, with nine abstentions.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=d784182792&e=20056c7556
Cybersecurity of critical infrastructure is a ‘mess’ and nations must cooperate to fix it, warns Eugene Kaspersky
Kaspersky urged governments to do more to combat the threats hackers pose to power-grids, turbines, reactors and other essential facilities.
Kaspersky pointed out how, when it comes to ensuring buildings are physically secure, there are regulations which must be adhered to, but that there isn’t anything of this kind for cybersecurity at all, not even for critical infrastructure.
Speaking at the same event, Cevn Vibert, industrial control security evangelist at industrial IT provider SolutionsPT, argued that governments do understand the challenges of securing critical infrastructure; the problem is rather that they don’t know how to implement the changes.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=9e11c1259d&e=20056c7556
Newark police: Cyberattack disrupted some computer systems
Police say the attack didn’t disrupt the delivery of emergency services.
And there’s no indication that any information stored on the affected servers was compromised.
Acting Public Safety Director Anthony Ambrose told NJ.com (http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=3707a9ba1b&e=20056c7556) that department staffers couldn’t access the various systems while crews worked to clear servers of a virus implanted during the attack.
The virus temporarily locked down the servers, blocking access to the program used to track and analyze crime data and another used to dispatch police and emergency officers.
A backup system was used for dispatch services.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=cb5be642cb&e=20056c7556
How to get the most out of your security investment
All too often organisations look to resolve security issues by simply purchasing more expensive security products, without ensuring the solution can evolve with the company.
However, misconfigured or poorly set up security tools do not offer increased security, rather, they can lead to increased vulnerability.
-Build a long-term plan for your security investment
-Find the best security solution for your company
-Continue to analyse and improve
-How to respond to a security breach: Plan, do, check, act
-Let go of your ego
-Figure out what went wrong
-Eliminate the problem
-Test, test, test
Erdal has found that Data Loss Prevention solutions (DLP) offer valuable information if breaches occur, which normally doesn’t happen if policies are properly built.
The available reports provide details like confidential data transfers that took place, from which computers, at what time and the exact transferred content.
Once IT administrators or security staff analyse these reports, they can address the issue by restricting data transfers for the problematic users, use the reports as evidence in court, or take further measures depending on the vulnerability.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=220a212dad&e=20056c7556
UEBA is only one piece of the cyber risk management puzzle
Even “at the front”, UEBA is only a threat detection tool.
It uncovers individuals or technologies that are exhibiting unusual behavior but it doesn’t take into account greater context like the business context of the user’s activities, associated vulnerabilities, indicators of attack, value of the assets at risk or the probability of an attack.
By itself, UEBA output lacks situational awareness, and still leaves SOC analysts with the task of figuring out if the events are truly problematic or not.
If the behavior, though unusual, is justified, then it is a false positive.
If the threat is to corporate information that wouldn’t impact the business if it were compromised, it’s a real threat, but only worth chasing down after higher priority threats have been mitigated.
For example, suppose UEBA software identifies that an employee on the finance team is logging into a human resources application that he typically would not log into.
UEBA is only informing the incident responder of a potential threat.
The SOC will have to review the activity, determine whether it is legitimate and, if not, check whether the user has privileges to reach sensitive information in the application, check whether their laptop shows signs of compromise that may indicate a compromised account, and then make what is at best a poorly informed guess that will often result in inaccurate handling.
Just as important, the SOC analyst will likely do all of their homework and handle the incident appropriately, but without the right context they may have wasted a lot of time chasing down a threat of low importance relative to others in the environment.
A true “inside-out” approach to cyber risk management begins with an understanding of the business impact of losing certain information assets.
The information assets that, if compromised, would create the most damage are the information CISOs, line-of-business and application owners, SOC investigators, boards of directors and everyone else within the company should focus on protecting the most.
They should determine where those assets are located, how they may be attacked, if they are vulnerable to those attacks and the probability of it all happening.
Once that contextualized information is determined, everyone within the company can prioritize their efforts to minimize cyber risk.
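As an added illustration (not part of the original article), the following Python sketch shows how the context the article lists can turn a raw UEBA anomaly into a ranked triage decision; the asset-impact table, role entitlements, alert fields and weights are constructed assumptions, not any product’s logic:

```python
# Added example: contextualising a UEBA anomaly with asset value, entitlements,
# endpoint state and known weaknesses before an analyst picks it up.
# All inventory data, alerts and weights below are constructed for illustration.
from dataclasses import dataclass

# Constructed asset inventory: business impact if the app's data is compromised (1-5)
ASSET_IMPACT = {"hr-app": 5, "erp": 4, "wiki": 1}

# Constructed entitlement data: which roles legitimately use which application
ROLE_ENTITLEMENTS = {"finance": {"erp", "wiki"}, "hr": {"hr-app", "wiki"}}


@dataclass
class UebaAlert:
    user: str
    role: str
    app: str
    anomaly_score: float        # 0..1 as reported by the UEBA tool
    endpoint_compromised: bool  # EDR signal on the user's laptop
    known_vuln: bool            # the application has an exploitable weakness


def prioritise(alert):
    """Return (priority, verdict). The bare anomaly is only a lead; context decides."""
    impact = ASSET_IMPACT.get(alert.app, 3)            # unknown app: assume medium
    entitled = alert.app in ROLE_ENTITLEMENTS.get(alert.role, set())
    likelihood = alert.anomaly_score
    if alert.endpoint_compromised:                     # indicator of attack raises likelihood
        likelihood = min(1.0, likelihood + 0.4)
    if alert.known_vuln:                               # exposed weakness raises it further
        likelihood = min(1.0, likelihood + 0.2)
    if entitled:                                       # unusual but authorised: likely benign
        likelihood *= 0.3
    priority = round(impact * likelihood, 2)
    if priority >= 3.0:
        verdict = "investigate-now"
    elif priority >= 1.0:
        verdict = "queue"
    else:
        verdict = "close-as-benign"
    return priority, verdict


def triage(alerts):
    """Order a batch of alerts by contextual priority, highest first."""
    scored = [(a, *prioritise(a)) for a in alerts]
    return sorted(scored, key=lambda t: t[1], reverse=True)
```

The same anomaly score lands in different queues depending on who the user is, what they touched and what else is known about their machine, which is the contextual step the article says UEBA alone leaves to the analyst.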
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=2b10d8367b&e=20056c7556
IRS Chief: Agency Faces Loss of Key InfoSec Personnel
“The loss of streamlined critical pay authority has created major challenges to our ability to retain employees with the necessary high-caliber expertise,” IRS Commissioner John Koskinen testified at an April 12 hearing on cybersecurity and protecting taxpayer information held by the Senate Finance Committee.
He said the agency’s top cybersecurity expert recruited through the program recently left. “In fact, out of the many expert leaders and IT executives hired under critical pay authority, there are only 10 IT experts remaining at the IRS, and we anticipate there will be no staff left under critical pay authority by this time next year.”
The lapsed law, which expired in September 2013, allowed the IRS to pay more than usual to hire up to 40 individuals for positions requiring extremely high-level expertise, including information security.
Among those recruits: IRS Chief Technology Officer Terence Milholland, who served as executive vice president and CTO at card issuer Visa International when recruited 8½ years ago and is leaving the agency later this year.
“When it comes to blocking hackers, Congress has done next to nothing while the IRS loses its ability to hire the experts who can keep taxpayer information safe,” Wyden said. “If you’re a top-notch tech expert, you’re already taking a pay cut to work in public service.
Now, without what’s called streamlined critical pay authority, it can take four to six months to bring a new hire on board at the IRS.
So let’s be clear: Taxpayer information is under assault every day, but the IRS does not have the legal authority it needs from Congress to build a cybersecurity team that can beat back the crooks.”
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=8ba3527010&e=20056c7556
SANS to Host First-Ever Salt Lake City, Utah Information Security Training Event
BETHESDA, Md., April 14, 2016 /PRNewswire-USNewswire/ — SANS Institute, the global leader in information security training, today announced its first-ever Salt Lake City, Utah training event.
Scheduled for June 27 through July 2, SANS Salt Lake City 2016 will feature InfoSec courses focused on traditional information security, digital forensics and industrial control systems (ICS) security.
Developer and management courses will be offered in addition to bonus evening sessions covering some of today’s most complex security issues.
Included among the courses offered at SANS Salt Lake City are the popular SEC504: Hacker Tools, Techniques, Exploits and Incident Handling course and the FOR508: Advanced Digital Forensics and Incident Response.
SANS will also offer its ICS410: ICS/SCADA Security Essentials course.
In addition to helping InfoSec professionals greatly sharpen and expand their skills, some of these courses will also help with DoD 8570 and GIAC approved certification exam preparation.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=0bd03e366e&e=20056c7556
Software tools and services used to achieve ISO 27001
Many organizations are unsure of what’s available to help them implement and get certified in quick time, so CertiKit summarized the most common areas of the ISO 27001 standard where software tools and services come in handy.
How many of these software tools and services you decide to use depends on your budget, timescales and how secure you want to be.
The infographic below will help you to choose wisely in order to achieve ISO 27001.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=0214020067&e=20056c7556
New Research From SANS And DomainTools Reveals Shift Towards Threat Hunting Model And ‘Work Smarter Not Harder’ Approach To Security
SEATTLE, April 14, 2016 /PRNewswire/ — DomainTools, the leader in domain and DNS-based cyber threat intelligence, today announced the results of the first annual Threat Hunting: Open Season on the Adversary Survey, conducted by the SANS Institute.
The research revealed that 85 percent of enterprises have already adopted some form of Threat Hunting to aggressively track and eliminate cyber adversaries as early as possible.
This proactive “Threat Hunting Model” leverages existing tools combined with human intervention to strengthen the security posture of the organization.
According to the survey, adopters of this model reported positive results, with 74 percent citing reduced attack surfaces, 59 percent experiencing faster speed and accuracy of responses, and 52 percent finding previously undetected threats in their networks.
Additional key findings from the SANS report include:
The top seven data sets that support threat hunting are: IP addresses, network artifacts and patterns, DNS activity, host artifacts and patterns, file monitoring, user behavior and analytics, and software baseline monitoring.
86 percent of respondents said the most common trigger for launching a hunt is an anomaly or anything that deviates from normal network behavior.
Only 23 percent of businesses have hunting processes that are invisible to attackers, meaning the majority of organizations are at risk from exposing internal hunting TTPs in a way that benefits the atta
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=714ec982a9&e=20056c7556
3 steps to embracing NIST 800 security controls
NIST 800-53, in particular, lays out recommended policies and procedures covering access control, incident response, business continuity, disaster recoverability and about a dozen more key areas.
Here are three key lessons I learned along the way:
1. Top management commitment is absolutely crucial
Seek senior-level buy-in at the start, and take steps to reinforce it as you go.
Without senior executives fully on board, any wonderful new security policies and procedures you come up with will languish on your hard drive.
2. You can’t do it all, so do what you can
NIST 800-53 very extensively outlines how to establish baseline infosec controls based on an organizational assessment of risk.
Common sense tells you that controls must be in place to have any effect.
Creating policy for which you lack the manpower and resources to enforce is a recipe for futility.
To account for this, we engaged our subject matter experts in a triaging process.
3. Be wary of the butterfly effect
An insect flapping its wings in China can trigger a tornado in Florida.
Creating new policies can trigger new responsibilities and intensify pressure on existing resources.
It is vital to get buy-in, not just from top management, but especially from mid-level management, on whose shoulders a new tier of specified responsibilities will likely fall.
Our goal is to use the NIST controls not just to tighten security, but to free up our organization so it’s more productive.
Thus our mantra has become “enabling the business securely.” We express this often.
Transparency and teamwork are the result.
Meanwhile, this continual feedback loop is helping us keep our NIST controls alive and vital.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=6e16956654&e=20056c7556
Ottawa open for comments on proposed breach notification regulations
It’s long been known that for many pieces of federal and provincial legislation, the regulations cabinet approves, rather than the wording of the law itself, can have as much if not more impact on organizations.
It’s particularly true with the mandatory data breach notification and reporting regulations Ottawa is about to write for organizations that fall under the Personal Information Protection and Electronic Documents Act (PIPEDA).
Last month Innovation, Science and Economic Development Canada issued a 26-page discussion paper outlining issues and asking for answers to 26 questions that will help the government frame the regulations.
Organizations have until the end of May to reply.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=dec168b864&e=20056c7556
============================================================
Feedback, questions? Our mailing address is: dailynews@paulgdavis.com (mailto:dailynews@paulgdavis.com)
If you know someone else who would be interested in this Newsalert, please forward this email.