[From the desk of Paul G Davis – his opinion and no-one else’s, apart from those of the authors of the articles.]
And so, now the news
* Physical Security Systems Enable Compliance To HIPAA And Other Privacy Laws
* “We just call it security”: Symantec’s global CSO on merging cyber, physical and employee security
* Energy Sector and Domestic Economy are Especially Vulnerable to Cyber Attacks (by Ken Silverstein)
* More and more organisations falling prey to cyber attacks: Report
* Why Chief Information Security Officers Need Their Own Cockpits
* India security market is on pace to grow 10.6% in 2016, Gartner says
* Cybercrime and cyberwar: A spotter’s guide to the groups that are out to get you
* HOLIDAY IN CAMBODIA FOR A YEAR AND A HALF IF YOU BREACH AN ASIA PACIFIC NETWORK
* Nokia malware report shows surge in mobile device infections in 2016
* 3 Golden Rules For Managing Third-Party Security Risk
Physical Security Systems Enable Compliance To HIPAA And Other Privacy Laws
Physical security systems can play a big role in helping to keep patient information safe and private, as required by various laws.
For example, AMAG has developed new capabilities within its Symmetry family of products that allow healthcare institutes to demonstrate their compliance with HIPAA.
Compliance reporting is a key area and has been a focus for AMAG, says Dave Ella, Vice President of Product Marketing, AMAG Technology.
Hospitals and healthcare facilities install AMAG’s Symmetry access control system and Symmetry CompleteView Video Management to manage and control access and provide HIPAA compliance throughout their buildings and campuses.
Security plan policies and procedures need to protect a healthcare facility, says Ella.
Automatically reviewing access permissions for employees, contractors and visitors on a regular basis is a key aspect of the plan, and AMAG’s Symmetry CONNECT product is designed for that purpose.
Also, capabilities within the system make documentation of adds and changes to the security system more straightforward.
They include the ability to add drawings, documents and notes to any device within the system.
Other entities that set security guidelines include the Joint Commission accreditation and certification body, which has oversight for physical building security, water, safety, fire, and other security processes; and the Det Norske Veritas (DNV), an independent foundation that works with healthcare authorities and providers to manage risk and improve healthcare delivery.
Today’s access control platforms enable hospitals to improve risk management and comply with new legislation or regulatory requirements.
For instance, HIPAA imposes strict requirements for accessing medical records, which may necessitate the use of a smart card to enter secure areas or to access IT networks that store patient information.
With video surveillance, cameras must be positioned in such a way that they don’t violate HIPAA laws, says Ouellette.
If a camera is pointed to a computer screen or something else that contains a patient’s PII, there must be an option to draw a privacy window within the frame so that a patient’s sensitive information isn’t easily accessed or compromised.
Faced with a number of local, state and national regulatory guidelines, security directors within healthcare facilities must be able to improve hospital security and insulate the organization from potential liability claims, says Kyle Cusson, Business Development Manager, Healthcare, Pelco by Schneider Electric. “That means implementing a surveillance system that allows multiagency cooperation and response,” he says. “Keeping all of this in mind, having a video surveillance system that integrates with the necessary emergency and fire alarm systems, access control and other systems can promote an institution’s compliance with regulatory agencies by providing proof that the organization’s assets are safe and secured.”
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=3af8d613b1&e=20056c7556
“We just call it security”: Symantec’s global CSO on merging cyber, physical and employee security
Cyber security, physical security and employee safety are as one for Symantec.
As Fitzgerald puts it: “We just call it security”.
The result is hugely beneficial for employees in times of need.
But it’s proved a win for Fitzgerald and his team too.
Symantec has turned facilities managers, security guards and receptionists into bona fide members of its security team.
Their physical presence means cyber security messages can be better communicated.
Bringing cyber, employee and physical security together is a growing trend in Silicon Valley, Fitzgerald says.
That trend is taking hold in Australia too.
Darren Kane, CSO of NBN Co is responsible for the security of facilities and personnel as well as information systems.
Vodafone Australia’s recently appointed CSO, Peter Tari, has a remit to secure not just the company’s data but its assets and personnel as well.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=fdbd635128&e=20056c7556
Energy Sector and Domestic Economy are Especially Vulnerable to Cyber Attacks
By: Ken Silverstein
In testimony before the US Congress, Energy Secretary Ernest Moniz said that cyber threats and natural disasters could put the electric grid at serious risk, and listed some measures to mitigate disruptions and the economic harm that would follow from them.
Generally speaking, he said that the country needs emergency response systems that kick in when fuel supplies are threatened and that the infrastructure needs to be modernized to sustain systemic shocks.
“(T)here should be no doubt in our minds that there are nation-states and groups that have the capability to enter our systems …and to shut down…our ability to operate our basic infrastructures…whether it’s generating power, moving water and fuel,” Moniz said during his testimony, quoting the commander of U.S. Cyber Command and Director, National Security Agency.
He goes on to discuss how natural disasters can impede the flow of electricity and economic activity, noting how interlinked our infrastructure is.
Hurricanes Katrina and Rita, for example, knocked out 85,000 utility poles, 800 distribution stations and thousands of miles of transmission lines.
What to do.
For their part, utilities are already required under the Energy Policy Act of 2005 to certify with the Federal Energy Regulatory Commission that they have developed robust systems that can continue to generate and deliver power if attacked.
To comply, they are describing their potential risks based on historical accounts.
Meantime, nuclear operators have their own separate requirements that they follow and that they report to the Nuclear Regulatory Commission.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=b8a9e037fb&e=20056c7556
More and more organisations falling prey to cyber attacks: Report
Nearly 80 per cent of organisations in North America and Europe were victims of cyber attacks last year and nearly half of cyber attacks used malware hidden in encrypted traffic to evade detection, a report said on Wednesday.
The encryption technology that is crucial to protecting sensitive data in transit, such as web transactions, emails and mobile apps, can also allow malware hiding inside that encrypted traffic to pass uninspected through an organisation’s security framework.
The report by US-based security company A10 Networks in partnership with Ponemon Institute surveyed 1,023 IT and IT security practitioners in North America and Europe, highlighting the challenges these professionals face in preventing and detecting cyber attacks.
A surprising outcome of the growing use of encryption technology is an increase in cyber attacks, it found.
“Instead of focusing on doing everything right 100 per cent of the time, IT leaders can be more effective by doing a few things very strategically with the best technology available,” said Chase Cunningham, Director, Cyber Operations, A10 Networks, in a statement.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=ea198facc4&e=20056c7556
Why Chief Information Security Officers Need Their Own Cockpits
To overcome the latest cyber security challenges and implement a risk-based approach to cyber security, CISOs need a fully equipped cockpit.
They not only need dashboards to understand the company’s current state of affairs but also the levers and switches to take action to reduce risk.
They need to see threats coming from outside criminals, internal employees and third party vendors, and marry those threats with associated vulnerabilities that may lead to a compromise of their most valued assets.
They must facilitate the communication between incident responders and line-of-business application owners to ensure that the most severe alerts are on the top of the priority list for investigation and that the most critical vulnerabilities within their most valued assets are patched first.
CISOs must report their progress and challenges to the board of directors in a language they can understand and present metrics that center around impact to the business.
A pilot’s cockpit includes features such as dashboards, communication controls, levers, warning lights, windshields and automation.
A CISO’s cockpit must contain the same types of tools in order to reduce cyber risk in a traceable, measurable and truthful fashion.
Without one, they will be flying blind, seeing fragmented pieces of their cyber risk landscape and unable to decipher threats and vulnerabilities that truly elevate cyber risks to their most precious cargo.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=0c3eb2c351&e=20056c7556
India security market is on pace to grow 10.6% in 2016, Gartner says
CHENNAI: Enterprise security spending (hardware, software and services) in India is on pace to reach $1.12 billion in 2016, up 10.6% from $1.01 billion in 2015, according to Gartner.
Security spending will continue to grow in 2017 when revenue is projected to reach $1.24 billion.
Security services (that include consulting, implementation, support and managed security services) revenue accounted for 61% of this total revenue in 2015, and this proportion will increase to 66% by 2020.
Key security initiatives for a majority of organisations in 2016 include security operations, incident response, network and data centre security, identity governance and administration, mobile and cloud security governance, advanced threat defense, application security, security policy and programme development, and governance, risk and compliance (GRC).
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=e046cf0207&e=20056c7556
Cybercrime and cyberwar: A spotter’s guide to the groups that are out to get you
“Now the focus is almost entirely on some kind of pay-off,” says David Emm, principal security researcher at Kaspersky Lab.
“The bulk of cybercrime is the equivalent of real-world opportunist thieves,” says Emm.
These are the crooks you’re most likely to come across, or at least feel the impact of, as an individual — the petty criminals of the online world.
They may spew out spam or offer access to a botnet for others to run denial-of-service attacks, or attempt to fool you with advance-fee scams, where the unwary are promised a big payday in return for paying an (often substantial) sum of money up-front.
“The twenty-first century digital criminal is best characterised as a ruthlessly efficient entrepreneur or CEO, operating in a highly developed and rapidly evolving dark market…they are a CEO without the constraints of regulation or morals,” warned a recent report from KPMG and BT entitled Taking the Offensive.
Hacktivists may be individuals or groups driven by a particular agenda — perhaps a particular issue or a broader campaign.
Unlike most cybercriminals, hacktivists aren’t out to make money from their exploits, rather to embarrass an organisation or individual and generate publicity.
This means their targets may be different: rather than a company’s accounts system or customer database, they may well want to access embarrassing emails from the CEO or other company officials.
Despite the hype, the threat from cyber terrorism remains low, largely because these groups lack the skills, money and infrastructure to develop and deploy effective cyber weapons, which only the largest nations can hope to build. “Terrorist sympathizers will probably conduct low-level cyber attacks on behalf of terrorist groups and attract attention of the media, which might exaggerate the capabilities and threat posed by these actors,” said US director of national intelligence James Clapper in his assessment of worldwide cyber threats in September last year.
While standard criminality accounts for the vast majority of cyber threats, the use of the web by state-sponsored hackers has been widely publicised in recent years.
Much of this takes the form of cyber espionage — attempts to steal data on government personnel or on expensive defence projects.
Governments will spend millions on developing all-but-undetectable ways of sneaking onto the systems of other nations — or those of defence contractors or critical national infrastructure — and these projects may take years of development.
“There’s been an awful lot more issues being driven from insiders of late.
One of the challenges is that when people think cyber they automatically think external,” says KPMG’s Quigley.
Confidential company documents stored on shared drives and weak internal controls on who can access data mean that the disgruntled or greedy insider could still be one of the biggest risks to businesses. “They should have insiders much higher on the radar than they do,” Quigley warns.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=ce7a414f71&e=20056c7556
HOLIDAY IN CAMBODIA FOR A YEAR AND A HALF IF YOU BREACH AN ASIA PACIFIC NETWORK
The report, titled M-Trends 2016: Asian Pacific, is the first M-Trends report put out by Mandiant (owned by FireEye Inc.) that focuses solely on the APAC region.
The report is broadly consistent with a recent RSA Security LLC report that found that 75 percent of respondents worldwide faced significant cybersecurity risk, but it found the APAC plus Japan region as the second most prepared of the three regions surveyed.
One of the more stunning findings is that the median time it takes APAC organizations to even discover an attack is nearly a year and a half (520 days), while the global median is 146 days.
The region is also 80 percent more likely to be the target of cyberattacks than other parts of the world, according to the report.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=b0fbc65895&e=20056c7556
Nokia malware report shows surge in mobile device infections in 2016
ESPOO, Finland, Sept. 1, 2016 /PRNewswire/ — Nokia today issued the Nokia Threat Intelligence Report – H1 2016, revealing a sharp rise in the occurrence of smartphone malware infections in the first half of the year.
Issued twice per year, the report examines general trends and statistics for malware infections in devices connected through mobile and fixed networks.
Key findings of the latest Nokia Threat Intelligence Report include:
* 96-percent surge in smartphone infections: The average smartphone infection rate increased 96 percent in the first half of 2016, compared to the second half of 2015 (0.49 percent vs 0.25 percent).
* New all-time high: In April 2016, mobile infections hit an all-time high, with 1.06 percent of devices infected by a range of malware, including ransomware, spyphone applications, SMS Trojans, personal information theft and aggressive adware.
* One out of 120 smartphones infected: In April, one out of every 120 smartphones had some type of malware infection.
* Android OS hit hardest: Android smartphones were the most targeted mobile platform, accounting for 74 percent of all malware infections, compared to Windows/PC systems (22 percent) and other platforms, including iOS devices (4 percent).
* 75 percent jump in malware samples: The number of infected Android apps in Nokia’s malware database soared 75 percent, from 5.1 million in December 2015 to 8.9 million in July 2016.
* Mobile game infections detected within hours: Downloaded mobile applications are a key conduit for malware attacks. The Nokia Threat Intelligence Lab detected infected copies of an extremely popular mobile game within hours after they were posted on untrusted third-party download sites.
* More sophisticated malware: Malware is becoming increasingly sophisticated, as new variations attempt to root the phone in order to gain complete control and establish a permanent presence on the device.
* Top three mobile threats: The top three mobile malware threats were Uapush.A, Kasandra.B and SMSTracker, together accounting for 47 percent of all infections.
* Fixed residential network infections rise: The overall monthly infection rate in residential fixed broadband networks reached an average of 12 percent in the first half of 2016, compared to 11 percent in late 2015, primarily due to an increase in moderate-threat-level adware. These infections are mostly due to malware on Windows PCs and laptops in the home, but also include infections on smartphones using home WiFi.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=6a3b8c43ff&e=20056c7556
3 Golden Rules For Managing Third-Party Security Risk
Rule 1: know where your data sets are, which vendors have access to the data, and what privacy and security measures are in place.
Companies can significantly reduce their risk of a catastrophic breach by staying a step ahead of the bad guys.
The best data security approach includes rigorous risk assessment, prudent planning, consistent internal policies, and regular tracking and review of data access by your vendors and their vendor chain.
It is possible to do this well.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=64267c902c&e=20056c7556
Feedback, questions? Our mailing address is: dailynews@paulgdavis.com (mailto:dailynews@paulgdavis.com)
If you know someone else who would be interested in this Newsalert, please forward this email.