[From the desk of Paul Davis – his opinions and no-one else’s]
Apart from the reporter’s opinions 😉
So onto the news:
Analyzing Spear Phishing Attacks
In this post, we recommend defenses and key performance indicators for Phase 3: Analyze.
Once an attack is detected, it needs to be analyzed to determine the best mitigation strategy.
The objective of the Analyze phase is to quickly establish sufficient threat context to drive the appropriate next action.
To manage the Analyze phase and assess effectiveness, consider the following key performance indicators.
– Time-to-assess
– Time-to-context
– Completeness of context
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=2f97768238&e=20056c7556
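The excerpt above says the Analyze phase is about getting to sufficient threat context fast, and that "completeness of context" is one of the KPIs. As an added example (editor's code, not from the linked post), the Python script below pulls the context a triage analyst usually wants first out of a suspected spear-phishing message: sender and Reply-To domains, the earliest Received hop, embedded URLs and attachment hashes, plus a handful of indicators (lookalike sender domain, Reply-To mismatch, link text that disagrees with its target, raw-IP URL, executable attachment). It also reports what share of an assumed set of context fields it managed to fill, which is one concrete way to measure completeness. The sample message, the indicator names, the field set and the edit-distance threshold are all constructed assumptions, not data or definitions from the article.

```python
"""Added example for the Analyze phase: pull threat context out of a suspected
spear-phishing message.  Editor's code, not from the linked post; indicator
names and the 'context' field set are assumptions about what triage needs."""
import email
import email.utils
import hashlib
import re
from email import policy

# Constructed sample (not a real attack): lookalike sender domain, Reply-To on a third domain, misleading link text, executable attachment.
SAMPLE_EML = b"""\
From: "Jane Smith, CFO" <jane.smith@examp1e.com>
Reply-To: accounts@mail-relay-example.net
Subject: Urgent: wire transfer approval
Received: from unknown (HELO mail.examp1e.com) (198.51.100.23)
  by mx.example.com with SMTP; Tue, 20 Oct 2015 09:14:02 +0000
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset=utf-8

<p>Bob, please approve via <a href="http://198.51.100.23/approve">
https://portal.example.com/approve</a> before noon.</p>
--b1
Content-Type: application/octet-stream; name="invoice.scr"
Content-Disposition: attachment; filename="invoice.scr"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAA=
--b1--
"""

HREF_RE = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
RISKY_EXT = (".scr", ".exe", ".js", ".jar", ".vbs")          # assumed list
REQUIRED_CONTEXT = ("from", "reply_to", "subject", "first_hop_ip", "urls", "attachments")

def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike domain labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(addr):
    _, addr = email.utils.parseaddr(str(addr or ""))
    return addr.rpartition("@")[2].lower()

def host_of(url):
    return url.split("/")[2].lower() if url.lower().startswith("http") else ""

def analyze(raw, trusted_domain):
    """Return (context, indicators) for one raw message; trusted_domain is the
    organisation the sender's display name claims to belong to."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    ctx = {"from": str(msg["From"]), "reply_to": str(msg["Reply-To"] or ""),
           "subject": str(msg["Subject"]), "first_hop_ip": None,
           "urls": [], "attachments": []}
    indicators = []
    from_dom, reply_dom = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    label, trusted_label = from_dom.split(".")[0], trusted_domain.split(".")[0]
    if from_dom != trusted_domain and 0 < edit_distance(label, trusted_label) <= 2:
        indicators.append("lookalike-sender-domain")
    if reply_dom and reply_dom != from_dom:
        indicators.append("reply-to-domain-mismatch")
    # The last Received header is the earliest hop, i.e. the submitting host.
    received = msg.get_all("Received") or []
    if received:
        m = IPV4_RE.search(str(received[-1]))
        ctx["first_hop_ip"] = m.group(0) if m else None
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            data = part.get_payload(decode=True) or b""
            name = part.get_filename() or ""
            ctx["attachments"].append({"name": name, "size": len(data),
                                       "sha256": hashlib.sha256(data).hexdigest()})
            if name.lower().endswith(RISKY_EXT):
                indicators.append("executable-attachment")
        elif part.get_content_type() == "text/html":
            for href, text in HREF_RE.findall(part.get_content()):
                ctx["urls"].append(href)
                shown = re.sub(r"<[^>]+>", "", text).strip()
                if host_of(shown) and host_of(shown) != host_of(href):
                    indicators.append("link-text-target-mismatch")
                if IPV4_RE.fullmatch(host_of(href)):
                    indicators.append("raw-ip-url")
    return ctx, indicators

def completeness(ctx):
    """Share of the assumed context fields that were populated (feeds the 'completeness of context' KPI)."""
    return sum(1 for k in REQUIRED_CONTEXT if ctx.get(k)) / len(REQUIRED_CONTEXT)

if __name__ == "__main__":
    context, found = analyze(SAMPLE_EML, "example.com")
    print(found, completeness(context))
```

The attachment hash and first-hop IP are what you would pivot on in a SIEM or threat-intel platform; the indicator list is what drives the "appropriate next action" the excerpt talks about (block sender, pull the URL from proxy logs, sweep endpoints for the hash).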
The Cyber Hunting Maturity Model
Many organizations are quickly discovering that threat hunting is the next step in the evolution of the modern SOC, but remain unsure of how to start hunting or how far along they are in developing their own hunt capabilities.
How can you quantify where your organization stands on the road to effective hunting? With a general model that can map hunting maturity across any organization.
With that definition of hunting in mind, let’s consider what makes a good hunting program.
There are three factors to consider when judging an organization’s hunting ability: the quality and quantity of the data they collect for hunting, the tools they provide to access and analyze the data, and the skills of the analysts who actually use the data and the tools to find security incidents.
The Hunting Maturity Model, developed by Sqrrl’s security architect and hunter David Bianco, describes five levels of organizational hunting capability, ranging from HMM0 (the least capable) to HMM4 (the most).
Let’s examine each level in detail….
CISOs that hear that their organization needs to “get a hunt team” may legitimately be convinced that an active detection strategy is the right move, and yet still be confused about how to describe what a hunt team’s capability should actually be.
A maturity model will ideally help anyone thinking of getting into hunting get a good idea of what an appropriate initial capability would be.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=c10d19d8b9&e=20056c7556
Introduction to Web fraud detection systems
Web fraud detection systems typically focus on new account origination, account takeover and payment fraud.
With account takeover and new account origination fraud detection, organizations attempt to root out unauthorized or fraudulent users posing as legitimate users.
Payment fraud detection involves determining whether purchases are being or have been made with stolen payment cards.
Some vendors also offer fraud intelligence services, authentication, malware detection (such as man-in-the-browser infections on computers and mobile devices) and secure clients, as well as managed services in which the vendor is primarily responsible for monitoring and taking action on instances of fraud.
Web fraud detection software (or cloud-based service) runs background processes that scan transactions and score them based on the possibility of fraud.
To detect fraud, vendors typically use a predictive behavioral scoring model, in which the account holder’s own past behavior is the predominant criterion, or a rule-based system that uses pattern recognition.
Some products or services use both types of scoring models.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=3b85cf3cb6&e=20056c7556
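As an added example (editor's code, not the vendor software the excerpt describes), the Python sketch below puts the two scoring approaches side by side and then combines them the way a "both" product would: a rule-based layer with explicit patterns and fixed weights (amount threshold, impossible travel between consecutive transactions) and a behavioural layer that scores each transaction against the account holder's own history (amount z-score, previously seen countries and devices). The transaction history, weights, thresholds and decision bands are constructed for illustration and are not taken from any product.

```python
"""Added example (not from the linked article): a minimal hybrid web fraud
scorer combining the two model types the excerpt describes, a rule-based
layer with explicit patterns and a per-account behavioural baseline.
History, weights, thresholds and decision bands are constructed."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed history: (account, amount, country, device_id, minute_of_day)
HISTORY = [
    ("acct-1", 42.0, "US", "dev-a", 0),
    ("acct-1", 55.0, "US", "dev-a", 60),
    ("acct-1", 38.5, "US", "dev-a", 120),
    ("acct-1", 61.0, "US", "dev-b", 200),
    ("acct-1", 47.0, "US", "dev-a", 260),
]

class Baseline:
    """Behavioural profile per account, learned from past transactions."""
    def __init__(self, history):
        self.amounts = defaultdict(list)
        self.countries = defaultdict(set)
        self.devices = defaultdict(set)
        self.last_seen = {}                        # acct -> (minute, country)
        for acct, amt, country, dev, minute in history:
            self.amounts[acct].append(amt)
            self.countries[acct].add(country)
            self.devices[acct].add(dev)
            self.last_seen[acct] = (minute, country)

    def behavioural_score(self, tx):
        """0..100: how far tx departs from this account's own habits."""
        acct, amt, country, dev, _ = tx
        amts = self.amounts.get(acct, [])
        score = 0.0
        if len(amts) >= 3:
            mu, sigma = mean(amts), pstdev(amts) or 1.0
            z = (amt - mu) / sigma                 # spend vs. usual spend
            score += min(max(z, 0) * 15, 45)
        else:
            score += 20                            # thin history is itself risk
        if country not in self.countries.get(acct, set()):
            score += 25
        if dev not in self.devices.get(acct, set()):
            score += 20
        return min(score, 100)

# Rule layer: explicit patterns with fixed weights.
def rule_large_amount(tx, bl):
    return tx[1] > 1000

def rule_impossible_travel(tx, bl):
    """Different country from the previous transaction within two hours."""
    acct, _, country, _, minute = tx
    last = bl.last_seen.get(acct)
    return last is not None and last[1] != country and minute - last[0] < 120

RULES = [("amount-over-1000", rule_large_amount, 30),
         ("impossible-travel", rule_impossible_travel, 40)]

def score_transaction(tx, bl):
    """Combine both layers into one score and a decision band."""
    fired = [name for name, fn, _ in RULES if fn(tx, bl)]
    rule_score = min(sum(w for name, _, w in RULES if name in fired), 100)
    behav = bl.behavioural_score(tx)
    combined = min(0.6 * rule_score + 0.4 * behav, 100)
    decision = "block" if combined >= 70 else "review" if combined >= 40 else "allow"
    return {"rules": fired, "rule_score": rule_score,
            "behavioural_score": behav, "combined": round(combined, 1),
            "decision": decision}

if __name__ == "__main__":
    bl = Baseline(HISTORY)
    for tx in [("acct-1", 2400.0, "RO", "dev-z", 300),
               ("acct-1", 50.0, "US", "dev-a", 330),
               ("acct-9", 20.0, "US", "dev-q", 10)]:
        print(tx, score_transaction(tx, bl))
```

The two layers fail differently, which is why products combine them: the rule layer catches patterns nobody has seen on this account before but is easy to tune around once an attacker learns the thresholds, while the behavioural layer adapts to each customer but scores a brand-new account (the new account origination case) on almost nothing, as the acct-9 transaction shows.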
Best CISO/CSO Award Goes to SecureWorld National Advisory Council Member
Viewpost North America announced that its Chief Security Officer, Christopher Pierson, has been named recipient of the Best CISO/CSO Award presented by FireEye, Inc.
Over the past four years, Pierson and his team have designed and implemented cybersecurity and compliance programs with a B2B-focused approach to earn the trust and goodwill of its customers and partners.
Pierson also serves as an appointed member of the Department of Homeland Security’s Data Privacy and Integrity Advisory Committee and Cybersecurity Subcommittees, is a Distinguished Fellow of the Ponemon Institute, and serves as a member of the National Advisory Board of SecureWorld.
Prior to joining Viewpost in 2012, he was the SVP, Chief Privacy Officer for the Royal Bank of Scotland’s U.S. banking operations.
Viewpost and Pierson are no strangers to recognition for their diligent implementation of cybersecurity measures and programs.
Earlier this year, Viewpost was named winner of the 2015 CSO50 Award in recognition of the robust security built into its network architecture at the guidance of Pierson’s team.
The annual award by IDG’s CSO recognizes the 50 security projects and initiatives that have delivered the most groundbreaking business value through the innovative application of risk and security concepts and technologies.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=6f2c8974dd&e=20056c7556
Oracle points patching firehose at 154 vulnerabilities
Sysadmins forced by circumstance or folly to support Java can get busy again, with 25 fixes for the product among the Scarlet Letter’s regular patch notice.
The good news is that Oracle says none of the vulnerabilities in its mammoth bug-splat had been exploited as of 19 October.
The fixes to Java SE and Java SE Embedded cover vulnerabilities in the CORBA (Common Object Request Broker Architecture), Remote Method Invocation (Java RMI), Java FX, serialisation, 2D, Java API for XML Processing (JAXP), Java Generic Security Services (JGSS), security and deployment sub-components, as well as various library flaws.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=2fc01892b8&e=20056c7556
Tripwire Releases IP Expo Survey on Supply Chain Cyber Security
According to Tripwire’s survey, 63 percent of the respondents said their organisation would refuse to use partners and suppliers that failed to meet their IT security standards.
Despite these concerns, only 53 percent of the respondents require partners and suppliers to pass security audits.
Additional survey findings included:
– 62 percent of the respondents said they are required to meet their customers’ security standards, and 63 percent believe their customers would lose confidence in them if one of them suffered a serious data breach.
– 46 percent of respondents said they would lose contracts and be fined by a regulator or government agency if one of their partners or suppliers suffered from a serious data breach.
– 22 percent of respondents said their organisations do not have the resources to check supplier contracts and ensure they meet their businesses security requirements.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=9689e1702f&e=20056c7556
Federal Government Announces New HIPAA Privacy Audits for Companies That Handle Healthcare Data
Here’s some news for companies that have to comply with the privacy provisions of the Health Insurance Portability and Accountability Act (“HIPAA”).
The U.S. Department of Health and Human Services (“HHS”) has announced plans to begin auditing compliance in early 2016.
The announcement of a new, permanent audit program follows criticism from the HHS Office of Inspector General (“OIG”) in two reports examining HIPAA enforcement.
OIG expressed the need for a permanent audit program, noting that “[w]ithout fully implementing such a program, OCR [the HHS Office of Civil Rights] cannot proactively identify covered entities that are noncompliant with the privacy standard.” Currently, HHS relies primarily on complaints or tips, and voluntary disclosures of data breaches, as the bases for investigating alleged HIPAA violations.
OCR indicated that it will target high-risk areas and entities which have consistently been non-compliant, and include both onsite visits and remote desk reviews.
The audits will also include both covered entities and their business associates.
With the audits expected to begin in early 2016, covered entities and their business associates should consider reviewing and following the HIPAA Audit Program Protocol, which addresses privacy, security, and breach notification.
HHS is in the process of updating the protocol, and you may keep up with new developments here.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=21b72a484f&e=20056c7556
Australia: Metadata retention commences, but breach notification is delayed
On 13 October 2015, substantial amendments to the Australian Telecommunications (Interception and Access) Act 1979 (Cth) (TIA) took effect to introduce a new metadata retention scheme into the TIA.
This scheme requires telecommunications carriers and internet service providers (telcos) operating in Australia to maintain records of certain telecommunications data, known as ‘metadata’, for a period of two years.
Under the metadata retention scheme, the metadata to be kept includes:
– subscriber or account-holder details;
– the source of the communication (whether it is an account, service or device);
– the destination of the communication (whether it is an account, service or device);
– the date, time and duration of the communication or connection;
– the type of communication (voice, SMS, email, instant message, forum post or social media) and the type of service used (such as ADSL, Wi-Fi, VoIP or a 3G or 4G telecommunications network); and
– the location of the equipment or device at the start and end of the communication (such as a mobile tower or Wi-Fi hotspot).
Under the scheme, metadata is required to be retained so that law enforcement and security agencies can access this data for law enforcement and security purposes (which they can do without needing to first obtain a warrant).
In the case of metadata relating to journalists, a specific ‘journalist information warrant’ must be obtained before an agency can access metadata about a journalist.
Once mandatory data breach notification does become law, and there now seems little doubt this will occur during the course of the next year or so, it will put a whole new spin on privacy reform.
There will be nowhere to hide in the case of a serious privacy breach, with the very real prospect of a costly class action following the breach.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=46a1b6975e&e=20056c7556
Employee activities that every security team should monitor
IT security professionals typically have no visibility into what users are actually doing once logged in, but instead are drowning in log data that tells them just about everything else about their environments.
Organizations are rightly concerned about this lack of oversight.
A recent study by the Ponemon Institute and ObserveIT found that 71 percent of more than 600 security practitioners discovered major deficiencies in their monitoring of users and their application usage.
The survey also uncovered three types of business applications that are the top sources of risk for insider threat:
– Ecommerce
– Financial
– CRM
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=a4d5f45fdd&e=20056c7556
============================================================
Feedback, questions? Our mailing address is: ** dailynews@paulgdavis.com (mailto:dailynews@paulgdavis.com)
If you know someone else who would be interested in this Newsalert, please forward this email.
If you want to be added to the distribution list, please click this: ** Subscribe to this list (http://paulgdavis.us3.list-manage.com/subscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a)
** Unsubscribe from this list (http://paulgdavis.us3.list-manage.com/unsubscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556&c=07261213f9)
** Update subscription preferences (http://paulgdavis.us3.list-manage1.com/profile?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556)