[From the desk of Paul Davis – his opinions and no-one else’s, apart from the reporter’s opinions ]
* Cyber terrorism big fear for developers
* Japan to Form New Cybersecurity Agency to Protect Its Critical Infrastructure
* 5 Minute Application Security Dynamic Testing Scenarios
* How to get senior management to support cyber security collaboration [Video]
* Managing Accepted Vulnerabilities [White paper]
* Is predictive analytics really a game changer?
* Hackers stole millions in third attack on global banking system
* Microsoft Malware Protection Center answers questions about ransomware
* SOURCE 2016: It’s behavior, not names, that gives attackers away
* Illinois Makes Extensive Changes to Data Breach Notification Law
* Five Signs the CISO Who Got You Here Isn’t the Best One to Get You There
* Vendors experience disruption with growing cloud security market
* Cyber security in the fourth industrial revolution
* Boston BSides needs more space to grow
Cyber terrorism big fear for developers
CYBER terrorism is the biggest threat faced by software developers across Europe, the Middle East and Africa (EMEA) according to a new report.
Its EMEA Development Survey found 38.4 per cent of developers rate it their biggest threat followed by cyber theft (29.8 per cent) and cyber espionage (21.4 per cent).
Cyber espionage in some ways is related to both cyber theft and cyber terrorism, but the company said it was distinguished from them in that it involved the theft of sensitive, classified, or proprietary information, rather than theft of money or deliberate sabotage.
“Only 30 per cent of these developers say their company has a formal security policy in place that is adhered to across departments, and that’s very concerning when you think about the other 70 per cent.”
Almost a third of them (31 per cent) believed the biggest trouble spot for security lay in the software or firmware used for interconnected devices.
Exposing data to mobile devices was cited as a major security threat by 22 per cent, followed by transmitting data through a network or cloud (16.7 per cent).
The physical security of devices was lower down the list with just 13.8 per cent of developers expressing their concern.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=aa7cd5286b&e=20056c7556
Japan to Form New Cybersecurity Agency to Protect Its Critical Infrastructure
The Japanese government has unveiled plans to create a new agency tasked with protecting the country’s critical infrastructure prior to hosting the 2020 Tokyo Olympics.
Currently named the “Industrial Cybersecurity Promotion Agency” (ICPA), the envisaged public-private sector body would lead the development of human resources, including recruiting “white hat hackers” and conducting research.
The agency will reportedly be separated into two main divisions—research and active response.
Protected bodies will include entities in the electricity, gas, petroleum and chemical facilities sectors, the report said.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=6e889ea8a8&e=20056c7556
5 Minute Application Security Dynamic Testing Scenarios
Dynamic Testing engagements encompass a wide range of application security tests, attack vectors, penetration testing tools, and generally require a fairly broad knowledge of web-based technologies, network infrastructure, transport protocols, and development frameworks.
Applications are usually treated as a “black box” where the tester would be attacking as an “outsider” with little to no knowledge about the underlying code, architecture, or security controls that are in place.
Because of this environment, these types of engagements will challenge the resourcefulness, ingenuity, and creativity of Application Security test engineers.
The process of Dynamic Testing involves broad and detailed attacks which actively try to bypass client or server side controls, attack and test the robustness of authentication logic, session management, access controls, data stores, backend components, and involve custom crafted attacks for SQL Injection, Cross-Site Scripting, and other high impact vulnerabilities.
The scope of such comprehensive testing can be overwhelming and even unrealistic at times depending on the budget and time constraints for a given project.
That being said, there are some Dynamic Testing test case scenarios where a small amount of time and effort is required to execute them, but they can yield very important vulnerability information and may even help prioritize and guide subsequent testing for more efficient and productive test results.
Listed below are a few of these ‘5 Minute Application Security Dynamic Testing Scenarios’…
– Test for missing Cookie Secure Flag
– Test for missing Default Error Pages
– Test for missing Cookie Http Only Flag
– Test for Missing X-Frame-Options header
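As an added example (not part of the original article), the four checks above expressed as offline logic run over captured HTTP responses: the Set-Cookie `Secure` and `HttpOnly` flags, `X-Frame-Options` (with a CSP `frame-ancestors` directive accepted as the modern equivalent, an assumption not stated in the article), and a marker-based heuristic for default or verbose error pages. The `Response` class and the sample responses are constructed here and are not from any real site.

```python
# Passive checks for the '5 minute' findings: cookie Secure / HttpOnly flags,
# X-Frame-Options (or CSP frame-ancestors) and default error pages.
# Works on already-captured responses, so nothing here touches a network.
from dataclasses import dataclass

@dataclass
class Response:
    status: int
    headers: list          # list of (name, value); Set-Cookie may repeat
    body: str = ""

def cookie_findings(resp):
    findings = []
    for name, value in resp.headers:
        if name.lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie = parts[0].split("=", 1)[0]            # cookie name
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "secure" not in attrs:
            findings.append(f"{cookie}: missing Secure flag")
        if "httponly" not in attrs:
            findings.append(f"{cookie}: missing HttpOnly flag")
    return findings

def framing_findings(resp):
    hdrs = {n.lower(): v for n, v in resp.headers}
    xfo = hdrs.get("x-frame-options", "").strip().upper()
    csp = hdrs.get("content-security-policy", "").lower()
    if xfo in ("DENY", "SAMEORIGIN") or "frame-ancestors" in csp:
        return []
    if xfo:   # e.g. ALLOW-FROM, which current browsers ignore
        return [f"X-Frame-Options has unsupported value {xfo!r}"]
    return ["missing X-Frame-Options header (and no CSP frame-ancestors)"]

# Strings a stock framework error page or stack trace tends to leak.
DEFAULT_PAGE_MARKERS = ("apache tomcat", "stack trace", "exception", "servlet", "at line")

def error_page_findings(resp):
    if resp.status < 400:
        return []
    hits = [m for m in DEFAULT_PAGE_MARKERS if m in resp.body.lower()]
    return [f"status {resp.status}: default error page leaks {hits}"] if hits else []

def check(resp):
    return cookie_findings(resp) + framing_findings(resp) + error_page_findings(resp)

# Constructed sample responses (not captured from any real application).
WEAK = Response(200, [("Content-Type", "text/html"),
                      ("Set-Cookie", "JSESSIONID=abc123; Path=/"),
                      ("Set-Cookie", "theme=dark; Path=/; Secure; HttpOnly")])
ERROR = Response(500, [("Content-Type", "text/html")],
                 "<h1>HTTP Status 500</h1><p>Apache Tomcat/8.0.33 ... Stack trace</p>")
HARDENED = Response(200, [("Set-Cookie", "JSESSIONID=abc123; Path=/; Secure; HttpOnly"),
                          ("X-Frame-Options", "DENY")])
```

Each function returns a list of findings, so `check(WEAK)` reports the session cookie and the missing framing header while `check(HARDENED)` returns an empty list.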
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=6a40e74f6a&e=20056c7556
How to get senior management to support cyber security collaboration [Video]
Speaking at The European Information Security Summit 2016, he cited an IBM study that showed that while more than half of CEOs said they should be sharing, 70 per cent of them said they do not want to share.
They need to better understand the issue, he said.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=3c9dbbeb36&e=20056c7556
Managing Accepted Vulnerabilities [White paper]
Every day a new vulnerability is discovered in a piece of code or software, and shortly afterwards comes news of a new virus, malware, or hack being used to exploit it.
Deploying vulnerability scanners that receive automatic definition updates and performing daily scanning against all devices in the inventory system will notify of new vulnerabilities found and provide a recommended remediation solution.
A remediation could be adjusting the configuration of the system, implementing an additional control, applying a missing patch to a device or application, or upgrading to a new version when that is required to resolve the vulnerability (CIS, 2015).
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=b88f43327e&e=20056c7556
Is predictive analytics really a game changer?
The report, by the non-profit industry group (ISC)2, suggested overall that government is still struggling with cybersecurity and how to effectively protect its networks, systems and data.
Critical offices in many agencies, which by now should understand security imperatives, still aren’t on board.
The report itself pointed out that the predictive analytics hype generated by the security industry could be behind that response.
No security solution today is complete without at least some mention of a powerful analytics engine at the heart of it that will help the user get ahead of the bad guys and the threats they pose.
So is predictive analytics really the game changer many seem to think it is, or at least could be?
It seems likely to be a part of the security toolkit, and possibly even a vital part.
But given the way the threat industry has managed to twist and morph itself around defenses so far, it’s unlikely to be the answer.
Unfortunately, even for it to get that far, government organizations need to get much more serious about their security overall.
On that issue, at least, the (ISC)2 report seems to be certain: The situation is depressingly bad.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=8428f01873&e=20056c7556
Hackers stole millions in third attack on global banking system
The methods used by hackers to attack banks in Vietnam and Bangladesh appear to have been deployed over a year ago in a heist in Ecuador.
The January 2015 attack on Banco del Austro is described in a lawsuit filed by the bank in a New York federal court.
It ended with thieves transferring $12 million to accounts in Hong Kong, Dubai, New York and Los Angeles, according to court documents.
The existence of the lawsuit was first reported Friday by the Wall Street Journal, just one week after global banking communications network SWIFT instructed clients to secure their local computer networks.
A SWIFT spokeswoman said Friday that the network had not been made aware of the Banco del Austro incident.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=3a23d07f16&e=20056c7556
Microsoft Malware Protection Center answers questions about ransomware
As the Windows operating system currently claims an 88.77% desktop operating system market share (via NetMarketShare), Microsoft obviously has to take malware protection very seriously.
This week, a new blog post by the Microsoft Malware Protection Center is explaining how users can protect themselves against ransomware.
To help users avoid ransomware attacks, Microsoft has shared a few prevention measures that you can see below:
Keep your operating system and antivirus solution up-to-date.
Beware of phishing emails, spam, and clicking on malicious attachments.
Regularly back-up your files in external storage or in the cloud.
Disable the loading of macros in your Office programs.
Disable your Remote Desktop feature whenever possible.
Use two factor authentication.
Use a safe and password-protected internet connection.
Avoid browsing web sites that are known for being malware breeding grounds (illegal download sites, porn sites, etc.).
For Windows 8.1 and Windows 10 users specifically, the Microsoft Malware Protection Center is also recommending the following measures …
In Windows 10 and Windows 8.1 …
In Windows 7 and Windows Vista …
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=17cc085ab1&e=20056c7556
SOURCE 2016: It’s behavior, not names, that gives attackers away
When it comes to Internet threats, the correct response to the Shakespearean question, “What’s in a name?” ought to be “Who cares?” according to Mike Banic.
“The important thing is to look at what a threat is doing, not what it is,” he told an audience at SOURCE Boston 2016 this week, in a talk titled, “Understanding Attackers’ Use of Covert Communications.”
“There seems to be a lot of pride in naming threats,” he said, “but a lot of them behave in similar ways, and you don’t need a signature to recognize that.
The IP address and the URL may change, but the fundamental behavior will not.”
Banic, vice president of marketing at Vectra Networks, one of about three dozen presenters at the annual event, said given the reality that “the perimeter is really porous,” effective security means being able to detect when an attacker is on the inside.
But, Banic said, attackers inevitably create behavior patterns that can be detected through the use of machine learning algorithms.
He invoked the declaration of the iconic investigator, Sherlock Holmes: “While the individual man is an insoluble puzzle, in the aggregate he becomes mathematical certainty.”
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=a7f2552fed&e=20056c7556
Illinois Makes Extensive Changes to Data Breach Notification Law
On May 6, 2016, Illinois Governor Bruce Rauner signed HB1260, which significantly updates the state’s Personal Information Protection Act.
The changes take effect on January 1, 2017.
When the new law becomes effective, Illinois’ data breach notification statute will include one of the broader definitions of the information which, if breached, will trigger notification to individuals.
Starting in 2017, the definition of personal information in the Act will include an individual’s full name, or first initial and last name in combination with their health insurance policy number or subscriber identification number, or any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional, “including such information provided to a website or mobile application.” Illinois is the first state to expressly include medical information provided to a website or mobile application in the definition of information triggering breach notification, but it is unclear whether calling out the method of providing medical information in the statute will impact a company’s notice obligations.
A company that has been provided medical information, by whatever means, is likely to be required to notify affected individuals if that information is compromised.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=43cced56a6&e=20056c7556
Five Signs the CISO Who Got You Here Isn’t the Best One to Get You There
As boards and top executives come to terms with their responsibilities regarding cyber risks, attention is increasingly being directed at the leadership qualities of chief information security officers (CISOs).
To get a handle on cyber risks, board directors and executive management have to rely on CISOs to evaluate, quantify and communicate — perhaps even translate — the various cyberthreats into tangible figures for management to act on.
Here are five characterizations of CISOs that could be wrong for the organization from a cybersecurity risk perspective.
– The Technologist
– The Low-Level Manager
– The Yearly Visitor
– The Scarecrow
– The Subordinate of the CIO
As has been said repeatedly, security is no longer an IT problem — assuming it ever was.
For 2016 and beyond, board directors and top leadership need a CISO who is a true partner.
For the CISO, this means:
– Balancing Risks and the Business
– Aligning With the C-Suite
– Moving Toward Cyber Resilience
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=3093c96c4f&e=20056c7556
Vendors experience disruption with growing cloud security market
With increasing threats from hackers, cloud security providers are under immense pressure.
Some of the security providers have either gone broke or exited their businesses.
Misha Govshteyn, Chief Strategy Officer & Co-Founder of Alert Logic, said, ‘We’re seeing a changing of the guard in security business.
Cloud is sucking a lot of oxygen in the growth of traditional security vendors.’ A lot of security vendors have been affected by growing security threats.
Vendors are not the only group that has been affected by cloud services.
Security teams are also experiencing disruption. ‘It’s getting more complicated to insert security into the right place,’ said Govshteyn. ‘Most security deployments aren’t automated yet.
Most security products don’t have APIs.
They don’t have ways to automate them….
It’s all at odds with the cloud.’
A report published on the cloud security market states that the market would reach $8.9 billion (£6bn) by 2020 and is expected to register a CAGR of 23.5 per cent from 2015 to 2020.
Analysts studying the industry have presented an extensive analysis of changing market dynamics, detailed segmentation, value chain analysis of key manufacturers, and competitive scenario.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=36a60d6803&e=20056c7556
Cyber security in the fourth industrial revolution
The fourth industrial revolution – involving the hyper-connected world of people, processes, data, and things – is set to create unprecedented value for business, individuals and industries at large.
With an estimated 50 billion devices connected to the internet by 2020, Terry Greer-King, director of cyber security for Cisco – UKI & Africa, discusses cybercrime in the fourth industrial revolution.
Cisco’s latest survey reveals that since using predictive maintenance, 87% of senior manufacturing decision makers in more than 13 countries saw a positive impact on overall equipment effectiveness.
Cisco’s latest Digital Readiness Index – which surveys organisations and their ability to move fast with digital infrastructure investments – has revealed that 42% of UK businesses state security as their biggest challenge.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=39fea6e582&e=20056c7556
Boston BSides needs more space to grow
The conference this weekend at Microsoft’s New England Research and Development (NERD) Center in Cambridge, Mass., was full to capacity with about 400 people attending – the NERD limit, says Daniel Reich, one of the show’s organizers.
He says the organizers had to turn away about 100 others who wanted to attend, and after reading surveys by attendees and comments on Twitter, they may be looking for a larger venue for next year.
This includes possibly reaching out to co-locate with other Boston area groups such as BeaCon, OWASP and SOURCE Boston.
Boston BSides is also considering becoming a legal non-profit to help with handling its finances.
The hands-on training was new this year and the two full-day classes – Advanced Web Hacking and Introduction to Hardware Hacking – sold out almost immediately, he says.
Potential speakers submitted 51 proposals for just 18 slots.
A committee winnowed them down to 27 that they felt really ought to be accepted, and faced a painful process cutting the final nine, he says.
A half-day session on testing physical security presented by Keith Pachulsk delved into how to try to penetrate facilities in an effort to gain access to IT infrastructure, personnel and other assets.
He does this on behalf of clients who want their facilities and security measures tested, and he went into how to do this safely, which involved avoiding the very real possibility of violence by the clients’ security teams.
He talked about how to get into buildings, move around them without detection once you are in, and tap IT networks.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=3e5cb7f363&e=20056c7556
============================================================
Feedback, questions? Our mailing address is: dailynews@paulgdavis.com (mailto:dailynews@paulgdavis.com)
If you know someone else who would be interested in this Newsalert, please forward this email.