[From the desk of Paul Davis – his opinions and no-one else’s, apart from the reporter’s opinions]
* How EMM Is Evolving Into a Smarter Mobile Business Hub
* GM Invites Hackers to Uncover Cybersecurity Gaps
* The dirty dozen: 12 cloud security threats
* Protect yourself: ‘Phishing’ scams hook 8,000 people per month
* Where hackers learn to be ‘white’
* Cybersecurity pros should beware of exploding job offers
* Organizations Lack Visibility into Application Security
* Average Breach Falls Below Cyber Insurance Policy Deductible, Study Shows
* FCC unveils privacy plan to limit how Internet providers can use your data
* Safe Software, Safe Nation campaign launched
* Third party IT data breaches major risk for companies, finds Deloitte
* New PIPEDA Data Breach Regulations Proposed
* Security Researchers Challenge Claims Data Breaches Increasing
* Identity and access management security issues highlighted by Capgemini and RSA research
* Survey Roundup: Confidence Lacking in Third-Party Due Diligence
* Infosec pros point at problem with CVE system, offer alternative
* Corruption: The magnitude of risk
How EMM Is Evolving Into a Smarter Mobile Business Hub
The definition of Enterprise Mobility Management (EMM) is changing as fast as our notion of what mobile is and what it can do for businesses.
At Mobile World Congress (MWC) in Barcelona last week, the question of what EMM means for privacy and security proved to have complex answers for business users and the organizations employing them.
But it’s only one piece of EMM’s larger evolution around truly mobile business.
The AirWatch philosophy feeds into VMware’s push for the “digital workspace” through its Workspace ONE platform, and each EMM provider is targeting that centralized mobile enterprise experience in different ways.
Carl Rodrigues, CEO of SOTI, said the problem of mobility is way bigger than EMM, and explained how SOTI is extending its platform to everything from analytics to the Internet of Things (IoT).
“You need to manage your devices, your software, data, documents, browsing experience, and security; that’s EMM,” said Rodrigues. “But we’re also looking very heavily at business intelligence (BI), which is different for each vertical.
We are providing an open, customizable platform so you can suck out data from our system and pipe it in real time to the appropriate business analytics engine.”
“Data snacking is little pieces of info that, when I’ve got two minutes while I’m pumping gas and I decide to check email, I see this and realize it requires me to do something,” said Brannon. “How do I take advantage of that.
If I’m jumping into another app, if I need to go back to the desktop, I’m not going to complete that task.
I’m going to put it on the to-do list and wait until I get back to the desktop.
I want to take that two minutes of time and be able to finish a task.”
One pronounced app trend is secure browsers.
Apps such as AirWatch Browser, MobileIron’s Web@Work, and SOTI Surf are designed to keep enterprise users within a browsing experience that feels like Chrome or Safari, with deeper security and privacy settings baked in.
SOTI’s Rodrigues explained that SOTI Surf was actually built by using Google’s Chromium open-source web browser code.
The resulting browsing experience feels like Chrome, but with access to a corporate intranet without virtual private network (VPN) login plus added features such as a back-end web crawler to categorize different types of sites.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=e6737c095e&e=20056c7556
GM Invites Hackers to Uncover Cybersecurity Gaps
The nation’s largest auto maker on Thursday highlighted a “coordinated disclosure” program it launched earlier this year that invites computer researchers to search for cybersecurity gaps in GM vehicles, websites and software.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=fa5281eff9&e=20056c7556
The dirty dozen: 12 cloud security threats
At the RSA Conference last week, the CSA (Cloud Security Alliance) listed the “Treacherous 12,” the top 12 cloud computing threats organizations face in 2016.
The CSA released the report to help both cloud customers and providers focus their defensive efforts.
Threat No. 1: Data breaches
Threat No. 2: Compromised credentials and broken authentication
Threat No. 3: Hacked interfaces and APIs
Threat No. 4: Exploited system vulnerabilities
Threat No. 5: Account hijacking
Threat No. 6: Malicious insiders
Threat No. 7: The APT parasite
Threat No. 8: Permanent data loss
Threat No. 9: Inadequate diligence
Threat No. 10: Cloud service abuses
Threat No. 11: DoS attacks
Threat No. 12: Shared technology, shared dangers
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=edb954a02a&e=20056c7556
Protect yourself: ‘Phishing’ scams hook 8,000 people per month
The data from Action Fraud and the National Fraud Intelligence Bureau shows that nearly 100,000 people reported phishing scams last year.
More than 68 per cent of people who reported a phishing scam said that they received it in the form of an email, while 12.5 per cent said they were contacted by phone and 8.9 per cent of people received a text message.
According to a recent report, it takes cyber criminals an average of just 82 seconds to ensnare a victim with 23 per cent of people likely to open a phishing email.
In the month of December, the most common phishing scam purported to be either from a bank or from HMRC followed by online payment merchants and utility companies.
The top email addresses that people reported to have received emails from were: Do-Not-reply@amazon.co.uk, bt.athome@ecomm.bt.com and PQ8MPY@m.apple.com.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=e50a512738&e=20056c7556
Where hackers learn to be ‘white’
Students in Korea University’s cyberdefense department engage in a mock hacking war in the so-called War Room.
The students are divided into hackers and defenders to gain practical experience in cyberwarfare and defense.
All information on the students is confidential. [OH SANG-MIN]
On Feb. 24, 28 students at Korea University gathered in an underground auditorium dressed in gowns and graduation caps.
The university’s graduation ceremony was scheduled for the following day.
These students were getting their own graduation ceremony a day early, and it wasn’t in any way normal.
The 28 were the first graduates of the cyberdefense department at Korea University, which was started by the university and Ministry of National Defense in 2011 to raise a cadre of professionals to fight cyber-terror threats from North Korea and elsewhere.
The graduation was closed to the public to protect the identities of the graduates.
Details about the curriculum are strictly classified.
The courses don’t have names like Cybersecurity 101.
In fact, they are referred to by cryptic numbers such as “17” or “28.”
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=291306ac29&e=20056c7556
Cybersecurity pros should beware of exploding job offers
If you’re an experienced cybersecurity job-seeker, then you might receive an ‘exploding job offer’ — a phrase used by headhunters and corporate recruiters which refers to a job offer that is retracted if it’s not accepted within a short specified amount of time.
If you’ve never received an exploding job offer — it sounds like this — “We would like to offer you the cyber incident response analyst position but we need an answer within 48 hours.” The recruiter or hiring manager may go on to explain there are other candidates ready to take the position, the start date is in a couple of weeks, and they must have an immediate answer from you.
Hurry-up-and-make-a-decision offers should generally be avoided.
First off, you may be dealing with a situation where someone isn’t being entirely honest with you.
Second, if what they are saying is true – then there are plenty of other jobs out there and you may not be giving yourself enough time to explore them and maximize your worth.
Candidates are in hot demand now and that gives you the luxury of time to carefully examine your next career move – and negotiate a compensation package that is fully commensurate with your background.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=b9213e0b8d&e=20056c7556
Organizations Lack Visibility into Application Security
According to the study titled “How to Make Application Security a Strategically Managed Discipline,” 35 percent of organizations don’t use any major application security testing methods for application vulnerabilities.
Going a step further, 67 percent of organizations reported that they have no visibility into the overall state of application security.
The rush-to-release mandate in many organizations is one reason why application security is somewhat lacking, the survey found.
Fifty-six percent of respondents noted they are under organizational pressure to release applications quickly.
The DevOps concept, which calls for an integrated development and operations workflow, is rapidly taking hold.
The DevOps model could well hold the key to helping improve application security.
Bringing a greater level of security closer to the DevOps model is key to transforming app security; today’s threat landscape requires security to be ingrained throughout the entire process.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=a159076f60&e=20056c7556
Average Breach Falls Below Cyber Insurance Policy Deductible, Study Shows
A vast majority of breaches fall below cyber insurance policy deductibles, according to a new study conducted by insurance information and analytics company Advisen and commissioned by ID Experts, a data breach response services company.
Most data breaches are small — consisting of fewer than 500 records lost — and the median data breach is only 100 records, the report says.
But most cyber insurance policies are set up to protect against large data breaches, with 90% of respondents having a deductible that is greater than $10,000 and 48% with a deductible that is over $101,000.
Meantime, more than 70% of respondents use internal resources to manage these smaller breaches.
The study also found that 60% of organizations say that the information technology (IT) department is responsible for managing the data breach response.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=9ef77c8dda&e=20056c7556
FCC unveils privacy plan to limit how Internet providers can use your data
The Federal Communications Commission on Thursday unveiled a long-awaited proposal for regulating how broadband Internet service providers can use and share their customers’ information.
The three main components of FCC Chairman Tom Wheeler’s proposed rules—which the commission will consider during its March 31 open meeting—involve ISPs’ use of customer data, their protection of that data from theft, and their obligations in the event of a data breach.
Under the rules, ISPs will be allowed to freely use only the customer data necessary for them to provide or market their services, such as a customer’s address for the purpose of mailing them their monthly Internet bill.
Customers can opt out of a second category of activity, in which their ISP uses their data to market its other services to them or shares that data with its affiliates so those affiliates can market their services.
For example, Verizon could share its home broadband customers’ data with its Verizon Wireless subsidiary to let the wireless division market cellphone service to them.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=19e49e47cc&e=20056c7556
Safe Software, Safe Nation campaign launched
The Thai authorities have joined hands to launch the “Safe Software, Safe Nation” campaign, intended to simultaneously reduce the use of illegal and unlicensed software and address the constantly evolving cyber security threat.
Led by the Economic Crime Division (ECD) police, the campaign was supported by the Department of Intellectual Property and the Association of Thai Software Industry.
Together, these organisations seek to gain greater cooperation from the public sector and private sector to enhance security.
Police will crack down on corporate users and sellers of illegal software.
Under the campaign, practical advice and international best practices will be provided on how to use and manage software to protect the business community and the general public against malware attacks and other risks.
This campaign will invoke the nation’s shared responsibility in creating a legal and safe cyber environment.
A study by IDC found that there is a strong positive correlation (0.79) between the presence of unlicensed software and the likelihood of encountering malware.
By comparison, the correlation between education and income is 0.77.
Thailand is Asean’s second-riskiest country for cyberattack activity after Indonesia.
Of the 4,300 incidents last year, 35 percent were perpetrated by malicious software code, 26 per cent by fraud and 23 per cent by intrusion.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=99bca67ea9&e=20056c7556
Third party IT data breaches major risk for companies, finds Deloitte
The firm’s 2016 global survey on third party governance and risk management is based on the responses of over 170 senior members of management from a variety of sectors.
Of those organisations which reported experiencing a disruptive incident, 28% said they faced major disruption and 11% experienced a complete third party failure.
Looking at the impact of incidents experienced, Deloitte found that 26.2% resulted in reputational damage; 23% in financial or transaction reporting errors; 23% in noncompliance with regulatory requirements; 20.6% with a breach of customer sensitive data; and 10.3% in loss of business.
With cost savings, followed by quality improvements, cited as the key drivers for using third parties, Deloitte found that 73.9% of respondents believe that third parties will play a highly important, or even critical, role in the year ahead, up from 60.3% a year or more earlier.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=fc6146607b&e=20056c7556
New PIPEDA Data Breach Regulations Proposed
On March 9, 2016 the Department of Innovation, Science and Economic Development Canada released a discussion paper on the new data breach regulations being proposed.
The Ministry is accepting public submissions until May 31, 2016 on the proposed Data Breach Notification and Reporting Regulations.
The Digital Privacy Act (also known as Bill S-4), which received Royal Assent on June 18, 2015, amended Canada’s private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA).
The amendments made several important changes to PIPEDA, including adding the requirement that private-sector organizations notify Canadians when their personal information has been lost or stolen, and they have been put at risk of harm as a result.
Also added was a requirement to report these potentially harmful data breaches to the Office of the Privacy Commissioner of Canada (“OPC”) (for a more detailed analysis of the changes, see our previous blog post here).
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=67d54c0261&e=20056c7556
Security Researchers Challenge Claims Data Breaches Increasing
In April 2015, the U.S. Department of Energy responded to a Freedom of Information Act (FOIA) request from USA Today by releasing information on more than 1,100 cyber-security incidents that occurred over four years.
“People have the perception that cyber-attacks have increased in frequency and magnitude dramatically,” Marshall Kuypers, a Ph.D. candidate in the School of Management Science and Engineering at Stanford University, told eWEEK. “But when we run the numbers, we see this seems to be the result of media attention, not an actual trend.”
Kuypers revealed the analysis in a working paper focused on the Department of Energy data.
The rate of incidents due to the various attack types neither increased nor decreased over time in the government agency’s data set.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=6378912abd&e=20056c7556
Identity and access management security issues highlighted by Capgemini and RSA research
Organisations rushing to launch new cloud services are frequently skimping on cybersecurity investment, resulting in significant risks, especially with regard to identity and access management (IAM), according to new research conducted by consulting, technology and outsourcing leader, Capgemini and RSA, the security division of EMC.
Only 26 per cent of C-level executives surveyed said their organisations have the requisite technology in place, although 62 per cent believe that it is very important or critical for their organisations to enable or extend access for users to digital services securely, according to ‘Identity Crisis: How to Balance Digital Transformation and User Security’.
The survey, completed by more than 800 C-level executives in the US, UK, Germany, France, Benelux, Denmark, Sweden, Norway and Finland, found that 85 per cent of respondents believe that it is critical or very critical to onboard the growing number of new services underpinned by cloud technology quickly and efficiently and to ensure that they are supported by IAM.
The survey found that 84 per cent of respondents recognised the need to offer adaptive authentication methods and IDs and organisations are now beginning to increase investment in IAM, with 68 per cent of businesses reporting an increase in their IAM budgets and 28 per cent reporting a strong increase.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=dac938949f&e=20056c7556
Survey Roundup: Confidence Lacking in Third-Party Due Diligence
A survey of 267 senior-level corporate compliance officers worldwide by Kroll and Ethisphere Institute found 55% slightly confident and 25% not confident in their ability to catch problems with third-party partners.
Even when third-party due diligence was conducted and problems arose afterward, 48% said due diligence wasn’t comprehensive enough and 42% said issues that were spotted weren’t adequately addressed.
Despite the issues, 48% said their organizations don’t conduct audits of third parties; for those organizations that do, 31% conduct ongoing audits and 30% do so annually, 5% quarterly and 2% semiannually.
One reason for the lack of auditing is a lack of people and budget, said Lee Kirschbaum, president of Kroll Compliance. “It’s a question of finding the people and fighting for budget,” he said.
Compliance needs to “make the case” for why it needs the money to conduct audits and to make sure senior leadership knows it’s “not just about checking the box.”
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=07d4d92fae&e=20056c7556
Infosec pros point at problem with CVE system, offer alternative
For the last 17 years, the American not-for-profit MITRE Corporation has been editing and maintaining the list of Common Vulnerabilities and Exposures (CVEs).
Researchers who discover vulnerabilities in software usually apply with MITRE to get a CVE number to go along with the bug, so that they are unequivocally identified and, hopefully, addressed by those who need to do so.
But according to a number of researchers, MITRE has lately been doing a lousy job when it comes to assigning these numbers, forcing researchers to do without them or to delay public disclosure of vulnerabilities indefinitely.
The DWF (Distributed Weakness Filing) System uses the same format as CVE for numbering the vulnerabilities.
If a researcher already received a CVE identifier, he or she can map it directly to DWF.
Other ways to get a DWF identifier assigned are to become a DWF Numbering Authority (DNA) and assign it yourself, request a DWF from a DNA, or make a pull request in GitHub to the DWF Database.
In the meantime, a lively discussion has been going on the oss-sec mailing list, in which several well-known and respected researchers confirmed their problems with getting a CVE issued for their findings, and have been debating the pros and cons of starting a new standard independently of CVE.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=6991a7515b&e=20056c7556
Corruption: The magnitude of risk
40 percent of all compliance officers surveyed believe their company’s bribery and corruption risks will increase in 2016, according to a new report by Kroll and the Ethisphere Institute.
One in four of those surveyed expressed no confidence in the ability of their company’s current controls to detect third party violations of anti-corruption laws.
This is a high figure given the increasing number of third party relationships involved in business activities, as well as the large percentage of enforcement actions rooted in payments facilitated through third parties.
On a positive note, the degree of board and senior executive engagement regarding anti-bribery and corruption matters is increasing, with over half of respondents stating that their board of directors plays an active role in program development, and 48 percent saying the same of their CEO.
M&A activity in 2015 reached a record US$3.8 trillion.
Yet, over a quarter of survey respondents stated they do not have anti-corruption measures or programs in place for M&A or other corporate transaction targets.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=2557cff3f0&e=20056c7556
============================================================
Feedback, questions? Our mailing address is: dailynews@paulgdavis.com (mailto:dailynews@paulgdavis.com)
If you know someone else who would be interested in this Newsalert, please forward this email.