[From the desk of Paul Davis – his opinions and no-one else’s, apart from the reporter’s opinions]
* IT Professionals Underestimate Impact of Business Partner Security
* Is ransomware considered a health data breach under HIPAA?
* Cyber crime: 11,997 cases of credit card, net banking frauds during April-December [India]
* 7 ways to enlist employees in the war on cybercrime
* Rip up the script when assembling a modern security team
* IMG GlobalSecur Announces Key Travel Security App Informational Article
* Mining company’s data is more valuable than gold
* DHS seeks better private-public sharing of cyber threat information
* The inherent problems of the detection paradigm
* $81 Million Cyberheist Underscores Need for Blockchain Security
* The Evolution of Scoring Security Vulnerabilities
IT Professionals Underestimate Impact of Business Partner Security
According to a new study, 81 percent of IT professionals are confident in their ability to protect sensitive customer data.
However, this assurance does not extend to their organization’s business partners.
Nearly half (forty-seven percent) of the respondents are not confident in the security of their business partners and suppliers.
Additional findings from the study include:
• While ninety-five percent of respondents believe a supplier or partner security breach could expose valuable data, sixty-one percent said they were unconcerned or have bigger concerns.
• Less than half (forty-four percent) said their organizations require partners and suppliers to pass security audits before they sign a contract with them.
• Thirty-four percent use partners and suppliers that fail to meet their security standards.
• A quarter (twenty-five percent) admitted their organizations do not evaluate whether suppliers met their security requirements.
• Half said they make exceptions or offer different standards for some partners.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=e500591973&e=20056c7556
Is ransomware considered a health data breach under HIPAA?
Dan Munro, writing at Forbes, and Jack Danahy, writing at HealthIT Security, recently took a look at what qualifies a ransomware attack as a data breach under HIPAA.
“Ransomware does represent a new legal ambiguity to the federal legislation known as HIPAA, which was designed to protect patients against the loss, theft or breach of their protected health information (PHI),” according to Munro. “In some ransomware cases, depending on the actual type of ransomware, PHI is never accessed, so there is technically no breach of PHI data.”
Danahy had a different way of seeing the potential of ransomware attacks and believes they do indeed qualify as a breach under HIPAA. “Over 100 of the disclosed breaches, representing hundreds of thousands of records, were reported because a system that contained PHI came under the control of a criminal,” wrote Danahy. “There is no need to verify that the information stolen in this manner is ever accessed or used; the existence of this important information in the hands of a criminal is enough of a threat that it must be reported.”
He argues that even if PHI is never actually read, the fact that it came under the control of a criminal is enough for the incident to count as a breach under HIPAA.
On Danahy’s reading, a ransomware infection means the system, and the PHI it contains, has been accessed by someone who is not the healthcare provider, and that loss of security is what HIPAA requires the provider to disclose as a breach.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=dc1ad8b7b9&e=20056c7556
Cyber crime: 11,997 cases of credit card, net banking frauds during April-December [India]
As per the data made available by the Reserve Bank of India, 13,083 and 11,997 cases related to ATM/credit/debit cards and net banking frauds were reported by the banks during 2014-15 and 2015-16 (up to December 2015), respectively, Communications and IT Minister Ravi Shankar Prasad said in a written reply to Rajya Sabha.
Besides, 44,679 and 49,455 cyber security incidents, including phishing, scanning, malicious code, website intrusion and denial of service, were reported during the years 2014 and 2015 respectively, as per the information reported to and tracked by the Indian Computer Emergency Response Team (CERT-In).
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=29e8480a19&e=20056c7556
7 ways to enlist employees in the war on cybercrime
Corporate hacking attacks continue to wreak havoc on businesses worldwide.
In the past few years, data breaches at companies like Sony, Target, Home Depot, eBay and JPMorgan have resulted in hundreds of millions of compromised accounts and the theft of sensitive credit card, personal identity and Social Security information.
The truth is, hackers target companies of all sizes.
IT professionals at small to midsized companies are aware of the dangers and take measures to protect their company’s data.
But company security is only as strong as its weakest link, and all too often, employees are the weak link because of poor cyber security practices.
Here are seven ways to help them improve:
– Require the use of strong passwords
– Mandate use of a different password for each secure site and frequent changes
– Make sure mobile phones and tablets are password or PIN protected
– Help employees avoid falling for phishing scams
– Require logoff when employees leave devices unattended in the office
– Consider deploying a password management system
– Provide employees with cyber safety classes
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=32c8384e22&e=20056c7556
Rip up the script when assembling a modern security team
Organizations have to rethink what components are key to a security team if they hope to stay ahead of attackers.
From my experience, the modern security team needs a few essential characteristics in addition to advanced technology.
1) Diversity is a secret weapon
Look for people who have worked in different companies and industries and have experience fighting a variety of threat vectors.
Ideally, your team will include someone with either a military or government background.
They’ll have a completely different way of looking at security, forcing your company out of its comfort zone.
2) Security requires stamina
Attackers rely on deception and persistence; analysts need to withstand those tactics and understand that defeating an attacker may take longer than they anticipate.
3) See something, say something
People shouldn’t be afraid to be bold and speak out when there’s a security problem, even if that means notifying executives about a breach.
Don’t follow the same playbook
Good security teams aren’t just composed of people who’ve spent their career protecting corporate networks or can quickly resolve a security issue.
The backgrounds of the people on your security team and how they approach problems are just as important as the technology your business uses to defeat attackers.
Discarding the playbook you typically use when forming a security team will improve your company’s defenses.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=f1c7ec5c1b&e=20056c7556
IMG GlobalSecur Announces Key Travel Security App Informational Article
IMG GlobalSecur, a leading international security consulting firm, is proud to announce an important post to its FoneTrac blog explaining why travel safety apps for smartphones such as the iPhone or Android should not be considered only for youth travelers.
Managers of corporate travel for large organizations may not realize how convenient yet important a travel safety app can be in the corporate environment.
To date, most travel safety apps have focused on the youth market and have been low in value.
They have been either free or very low cost, with very limited functionality.
A common scenario is an app that, when accessed, can alert friends and family that a person is being mugged.
The ironic and possibly tragic problem here is that the friends and family may be thousands of miles away and unable to render any timely assistance.
The informative, new blog post lays out an explanation of why business travelers also need a travel safety app.
It is meant so that a corporate travel manager has a handy explanation and justification that he or she can take to upper management to justify the expense of empowering business executive and key employees with a state-of-the-art travel safety app.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=e4fa8fb1a7&e=20056c7556
Mining company’s data is more valuable than gold
Hackers posted employee data and private documents belonging to Goldcorp, a publicly listed gold-mining company, on a paste site, according to a report in the Daily Dot.
The massive data dump includes a wealth of employee and company data, including payroll information (including W-2 and T4 forms), bank account, wire transfer, and market securities information.
The sample of data on the paste site – which contained the equivalent of 14.8 gigabytes of data – included budget documents from the past four years, emails about compensation, proprietary information, bank account information, budget information, employee directories and contact information (including employee names, titles, office locations, cell phone numbers, and email addresses).
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=8698536daf&e=20056c7556
DHS seeks better private-public sharing of cyber threat information
The Department of Homeland Security wants private-sector companies to get under the agency’s information-sharing umbrella in order to better manage and mitigate cyber risks to critical infrastructure.
Suzanne Spaulding, the Under Secretary of DHS’ National Protection and Programs Directorate, told audiences at Wednesday’s MetricStream GRC Summit that industry’s sharing of cyber threat information with DHS creates a “network of networks” that reduces the risk of another major data breach, like the 2013 Target breach that affected more than 40 million customers.
With cybersecurity threats on the rise, Spaulding said her team has broadened its purview on national security infrastructure threats to include more than just bridges, roads and buildings.
Spaulding also touted the agency’s success with its Enhanced Cybersecurity Services (ECS) program, which provides guidance to industry’s sharing of cyber threat indicators with DHS’ National Cybersecurity and Communications Integration Center (NCCIC).
“At DHS NPPD we try to add value.
Threat is one of the areas that I think the private sector most looks to the government for help.
And so we try to provide context at sort of the strategic level,” Spaulding said.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=d2e24e6088&e=20056c7556
The inherent problems of the detection paradigm
Consider the Sykipot attacks, which targeted telecommunications companies, governmental agencies and other industrial sectors in the U.S. and UK.
Sykipot began its operation around 2006, and for a number of years collected sensitive and confidential information and exfiltrated it out of the targeted organizations.
Armed with several exploits, including Adobe Acrobat, Microsoft Office and Internet Explorer 0-day exploits, Sykipot successfully evaded the existing NIDS and HIDS systems and was only discovered in 2011.
Clearly, NIDS and HIDS are failing to stop advanced attacks, regardless of the amount of effort and resources put in.
The detection paradigm as a whole suffers from several inherent weaknesses, which adversaries frequently exploit:
– Attacker already in: Many detection systems, especially HIDS, assume that the attacker already has an initial foothold in the system.
– “White” listing: Whitelisting is another Achilles’s heel of detection systems.
Naturally, many HIDS manage a list of “good” processes which are permitted to perform their activities freely.
– The false-negative trap: Many of the techniques employed by NIDS and HIDS are statistically based rather than rule based.
Consequently, HIDS vendors try to avoid false alarms as much as possible, typically by using thresholds, and an attacker who keeps their activity below the threshold goes unnoticed.
– The undetectable: Some ‘malicious’ activities are simply impossible to detect.
– The damage already done: In many cases, detection occurs late in the timeline of the attack, after the damage has already occurred.
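Two of the weaknesses listed above, the allowlist blind spot and the threshold-driven false negative, are easy to see in a minimal detector. The following is an added example written for this summary, not code from the article or from any product it mentions: a toy volume-based exfiltration detector run over constructed endpoint telemetry (hostnames, process names, byte counts and the log format are all invented for the example).

```python
"""Toy threshold-based exfiltration detector over constructed telemetry.

Illustrates two weaknesses of the detection paradigm: an allowlist that
exempts a "good" process from inspection, and a per-window byte threshold
that a slow attacker can stay beneath.  Example code, not from the article.
"""
import re
from collections import defaultdict

# Constructed sample telemetry (not real logs): one record per minute per
# process, with outbound bytes.  Hosts, process names and the record
# format are assumptions made for this example.
SAMPLE_LOG = []
# ws-01: a single 80 MB burst from an archiver - the noisy case.
SAMPLE_LOG.append("2016-05-10T09:05:00 host=ws-01 proc=rar.exe bytes_out=80000000")
# ws-02: 4 MB every minute for an hour - 240 MB in total, never a spike.
for minute in range(60):
    SAMPLE_LOG.append(
        f"2016-05-10T09:{minute:02d}:00 host=ws-02 proc=rar.exe bytes_out=4000000")
# ws-03: the same 80 MB burst, but attributed to an allowlisted process.
SAMPLE_LOG.append(
    "2016-05-10T09:05:00 host=ws-03 proc=backup_agent.exe bytes_out=80000000")

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) bytes_out=(?P<bytes>\d+)$")


def parse(line):
    """Parse one telemetry record into a dict; minute-of-day is enough here."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable record: {line!r}")
    hour, minute = int(m["ts"][11:13]), int(m["ts"][14:16])
    return {"minute": hour * 60 + minute, "host": m["host"],
            "proc": m["proc"], "bytes": int(m["bytes"])}


def detect(lines, allowlist, window_minutes=10, threshold_bytes=50_000_000):
    """Alert when a host sends more than threshold_bytes in one window.

    Returns (alerts, totals): alerts is a sorted list of (host, window)
    pairs that crossed the threshold; totals is the true bytes sent per
    host, which the detector itself never looks at as a whole.
    """
    per_window = defaultdict(int)
    totals = defaultdict(int)
    for rec in map(parse, lines):
        totals[rec["host"]] += rec["bytes"]
        if rec["proc"] in allowlist:
            continue  # allowlist blind spot: this traffic is never inspected
        window = rec["minute"] // window_minutes
        per_window[(rec["host"], window)] += rec["bytes"]
    alerts = sorted(key for key, sent in per_window.items() if sent > threshold_bytes)
    return alerts, dict(totals)


ALLOWLIST = {"svchost.exe", "backup_agent.exe"}

if __name__ == "__main__":
    alerts, totals = detect(SAMPLE_LOG, ALLOWLIST)
    print("alerts:", alerts)            # only ws-01 is caught
    print("bytes actually sent:", totals)  # ws-02 leaked three times as much
```

Running it alerts on ws-01 alone: ws-02 moved three times as many bytes but never exceeded the per-window threshold, and ws-03's burst was never examined because its process name was on the allowlist. Note also that even the ws-01 alert only fires once the 80 MB has already left the host, which is the "damage already done" point above.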
To overcome these limitations, a new paradigm is required.
In contrast to NIDS and HIDS, Moving Target Defense (MTD) doesn’t try to detect the enemy.
Instead, it attempts to prevent the enemy from entering in the first place.
Under the MTD model, there is no monitoring, no detection rules, no signatures and no heuristics.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=ee5ccebf35&e=20056c7556
$81 Million Cyberheist Underscores Need for Blockchain Security
Investigators at BAE Systems, a U.K.-based defense contractor, believe the attackers hacked into the Society for Worldwide Interbank Financial Telecommunication (SWIFT) financial platform that provides the heart of the global financial system, Reuters reported.
Financial institutions are investigating the use of blockchain technology for the efficiencies in areas such as transfers, authentication and remittances.
These institutions should also consider blockchain’s security capabilities.
By deploying blockchain security, financial institutions would gain the critical benefit of improved security while also setting the foundation for serving the millions of unbanked, another critical need the legacy financial infrastructure has failed to address.
Guardtime, a cybersecurity solutions collective, is an example of how blockchain security solutions are being applied to critical infrastructure, CCN reported.
Guardtime is developing measures to protect and safeguard critical infrastructure in the U.K. such as nuclear power stations, the electricity grid and flood defense systems.
SWIFT, meanwhile, is issuing a software update to assist customers in improving security and to identify inconsistencies in local database records.
SWIFT could release more updates as it discovers more about the attack and other threats, according to Deteran.
The key defense against such attacks is for users to deploy “appropriate security measures” in their local environments, Deteran said.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=22ab437e6f&e=20056c7556
The Evolution of Scoring Security Vulnerabilities
The Common Vulnerability Scoring System (CVSS), which is used by many in the industry as a standard way to assess and score security vulnerabilities, is evolving to a new version known as CVSSv3.
The changes address some of the challenges that existed in CVSSv2: CVSSv3 takes into account the scope of a vulnerability (whether exploiting it affects components beyond the vulnerable one) and identifies the privileges an attacker needs to exploit it.
The enhancements to CVSS will allow vendors, such as Cisco, to better analyze security vulnerability impact.
The changes will also more clearly define the urgency of responding to the vulnerability for our customers.
The following study reviews the difference in scores when a vulnerability is assessed using CVSSv2 vs. CVSSv3.
The stakeholders at FIRST have done a great job in this new version of the standard addressing some of the challenges faced with its predecessor (CVSSv2).
As more organizations begin to adopt this new standard in their processes for evaluating vulnerabilities, there will be some visible changes in disclosure trends overall.
The most notable is an increase in the total number of higher-rated vulnerabilities.
This increase occurs because of the metric changes in the new system.
As the threat landscape evolves, there are more cases where an increased sense of urgency is needed in customers’ responses.
This study analyzed the difference between CVSS version 2 and version 3 scores.
This study uses CVSSv2 and CVSSv3 scores provided by the National Vulnerability Database (NVD).
A total of 745 vulnerabilities were analyzed, and each vulnerability is identified by a Common Vulnerabilities and Exposures (CVE) identifier.
All the vulnerabilities were disclosed in 2016.
The CVSS enhancements mean that we will see more vulnerabilities being rated as high or critical throughout the security industry.
You may ask yourself: was the industry analyzing and scoring the risk of vulnerabilities incorrectly before, or are we inflating the scores now?
The answer lies in the fact that threats to security are evolving and advancing all the time.
Threat types that were once a potential inconvenience could now have a greater impact on an organization.
Our assessments of such threats and the appropriate level of response also needed to evolve.
The new enhancements allow incident response, IT security, and cyber security teams to analyze the impact of security vulnerabilities to determine the urgency of response.
Cisco PSIRT will continue to adapt to enable our customers to assess and mitigate any risks in their networks quickly.
Our mission is to do the right thing quickly, and to keep our customers protected.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=2af5e2e922&e=20056c7556
============================================================
Feedback, questions? Our mailing address is: dailynews@paulgdavis.com (mailto:dailynews@paulgdavis.com)
If you know someone else who would be interested in this Newsalert, please forward this email.
If you want to be added to the distribution list, please click this: Subscribe to this list (http://paulgdavis.us3.list-manage.com/subscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a)
Unsubscribe from this list (http://paulgdavis.us3.list-manage.com/unsubscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556&c=2b4c395259)
Update subscription preferences (http://paulgdavis.us3.list-manage1.com/profile?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556)