[From the desk of Paul Davis – his opinions and no-one else’s, apart from the reporter’s opinions]
I had a request to change the format of the date in the Subject line to make it easier to sort. So I made the change.
* Effectiveness of security training queried as data breaches highlight human failings
* RBI wants overhaul of cyber security in banks
* Organisations should stop playing malware whack-a-mole: FireEye
* Bing offers improved warnings for possible malware and phishing sites
* Is Lloyds Banking Group plc at risk from a cyber attack?
* Honeywell Warns of Increasing Attacks by State-Sponsored Hackers
* SEC takes on cybercrime with new security advisor
* A Cheatsheet That Explains All Those Cyber-Espionage APT Names
* UPDATE 2-Philippine central bank bolsters cyber security, may regulate bitcoin operators
* Security Concerns Continue to Rise with Increased Reliance on EHR
* Debate continues over where CISOs sit in the C-suite
* Industry vs. industry on security
* What is the actual value of a CISO?
* What 17 years as an infosec trainer have taught me
* Enterprises Are Investing in Network Security Analytics
* SWIFT threatens to give insecure banks a slap if they don’t shape up
* How can you be a good security researcher
Effectiveness of security training queried as data breaches highlight human failings
AXELOS warns organisations are putting their reputation, customer trust and competitive advantage at risk by failing to provide relevant and innovative cyber awareness training
Figures obtained from the Information Commissioner’s Office (ICO) have revealed that human error continues to be the main cause of data breaches, with healthcare organisations one of the key groups affected.
The figures, obtained by Egress Software Technologies via a Freedom of Information (FOI) request, show a continual upward curve in reported data breach incidents.
The statistics examined the most recent incidents from 1st January – 31st March 2016, comparing them against the same period in 2014 and 2015.
Wilding said: “This report highlights how many UK organisations are putting their reputation, customer trust and competitive advantage at greater risk by failing to provide their staff with engaging, relevant and innovative cyber awareness learning that will better protect their most valuable or commercially sensitive information and systems.
Our people and their behaviours, not just technology, must sit at the heart of organisational resilience.
The honest and unwitting actions of an individual, regardless of their role or responsibility, can all too easily enable a loss of critical information.
According to Wilding, recent AXELOS research published in March showed that only a minority of executives responsible for information security training in organisations with more than 500 employees believe their cyber security training is “very effective”.
While four in 10 (42%) say their training is “very effective” at providing general awareness of information security risks, only just over a quarter (28%) say their efforts are “very effective” at changing behaviour in relation to information security.
He concluded, “The boardroom also needs to appreciate the importance their people can play in better protecting their reputation, competitive advantage and operational continuity.
If company boards are not asking those responsible about the current effectiveness of their awareness learning among their people and what is being done to improve their cyber resilience, then they should be.”
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=7401977085&e=20056c7556
RBI wants overhaul of cyber security in banks
The Reserve Bank of India (RBI) on Thursday directed banks to chalk out cyber security policies, separate from the lenders’ IT policy, “immediately” in view of the rising cybercrimes at banks.
In its cyber security framework for banks, the central bank said the number, frequency and impact of cyberattacks “have increased manifold in the recent past” at banks and other financial institutions, “underlining the urgent need to put in place a robust cyber security/resilience framework at banks and to ensure adequate cyber-security preparedness among banks on a continuous basis.”
RBI said the cyber strategy of banks should be distinct from the broader IT and security policy of the lender and testing for vulnerabilities should be carried out at regular intervals as cyberattacks can occur at any time and in a manner that may not have been anticipated.
The banks also must share the data with the central bank and report promptly about any cyber crime they face, it said.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=ef35e73be1&e=20056c7556
Organisations should stop playing malware whack-a-mole: FireEye
When it comes to identifying malware infections, organisations tend to stop the fight there, in what Josh Goldfarb, FireEye CTO of emerging technologies, said is a frustrating practice.
According to Goldfarb, what many organisations are doing is re-imaging a laptop or cleaning up the malware, and putting it back into service without foresight to realise it will happen again.
The CTO said those affected are often missing the point and are asking why the same issue keeps happening, and why they are experiencing 10 infected laptops each week, rather than starting at the beginning.
He said it is better to patch or find other ways to control the use of a certain platform that is continuously infected with malware.
Australia lags behind the rest of the western world in terms of awareness, Goldfarb said, noting that businesses are not actively reporting breaches or handling them appropriately.
He added that the culture in the US, Canada, and Western Europe is a little bit more aware of the need for incident response and the need to be prepared.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=5669d6698e&e=20056c7556
Bing offers improved warnings for possible malware and phishing sites
“The trick to fishing is making the fly float through the air as if it were alive.
Done right and the hungry trout eyeballing the fly is convinced to take the bait.
It is not a coincidence that criminal activity shares a similar name: phishing.
The bait is fake websites designed to look and feel like the legitimate ones.
These sites catch people by taking advantage of a user’s trust in entering information such as passwords, usernames, and credit cards.”
Bing has refined the generic warning to specifically call out this threat.
When users click a URL suspected of phishing, a warning will appear.
This looks similar to the generic warning except it now warns that the site might steal personal information.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=b8b7aa4cb8&e=20056c7556
Is Lloyds Banking Group plc at risk from a cyber attack?
With financial institutions being hacked with increasing frequency, many UK investors will be asking whether Lloyds Banking Group (LSE:LLOY) is at risk of a cyber attack.
Lloyds made the news last year when thieves stole the personal details of thousands of Lloyds Bank customers after a data storage device was removed from a data centre.
Mr Rodriguez-Sola stated recently that as a result of greater coordination with law enforcement agencies and the implementation of extra layers of defences, cyber attacks at Lloyds were decreasing as online criminals switched their attention to other less-well-protected industries.
Having said that, cyber threats are becoming increasingly more complex, and for that reason we can’t rule out future attacks at Lloyds or the other UK banks.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=b57f1915d7&e=20056c7556
Honeywell Warns of Increasing Attacks by State-Sponsored Hackers
(Bloomberg) — Hackers are increasingly targeting industrial facilities, from oil refineries to nuclear power plants, with sophisticated attacks aimed at capturing data and remotely controlling the sites, according to a Honeywell International Inc. executive.
Honeywell has seen evidence of threats from nation-states and “sponsored attackers” backed by nations in two-thirds of the 30 industrial sectors the company tracks at its Duluth, Georgia-based cyber research lab, according to Eric Knapp, chief cybersecurity engineer at Honeywell Process Solutions.
The unit provides cybersecurity for more than 400 industrial sites worldwide, including oil and gas producers, chemical and power plants, natural gas processors, and mining and water treatment facilities.
Knapp wouldn’t name specific countries but said that the advanced hacking methods being detected are typically associated with nations or groups they sponsor.
A U.S. indictment unsealed in March accused a hacker based in Iran of gaining remote access to a computer controlling a dam in Rye, New York, for about three weeks beginning in 2013, while six other Iranians attacked U.S. banks and companies including the New York Stock Exchange, Nasdaq, Bank of America Corp., JPMorgan Chase & Co. and AT&T Inc.
Iran rejected the accusations.
Companies have built stronger networks around their control systems, making direct access more difficult for hackers.
Instead, attackers craft malware to hit a company’s more vulnerable corporate system and then infect any removable USB drives attached to that network.
The control system’s network, housed separately, is breached when a worker plugs the infected USB drive into it.
“There’s still a need for information to flow between the business and the control system,” Knapp said. “The bad guys know that they need to go in that way so they’re designing their attacks to take advantage of that.”
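The pivot Knapp describes leaves a trace that defenders can look for: the same physical device shows up in USB-insertion audit events on a corporate host and, later, on a control-network host. The script below is an added example, not Honeywell’s tooling or anything from the article. It assumes that USB-insertion events from both zones have already been normalised into a simple line format (timestamp, host, zone, device serial, vendor:product), which is a constructed format chosen for this example; the sample log lines are constructed too. It groups events by device serial, flags any serial seen in both zones, and reports which direction the device crossed first, since a control-network-to-corporate crossing is as interesting as the reverse.

```python
"""Flag removable-media devices seen on both the corporate and control networks.

Added example; not Honeywell's code.  The line format and the sample events
below are constructed for this example: any USB-insertion audit source
(Windows driver-framework events, udev logs, endpoint agent telemetry) could
be normalised into it.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample of normalised USB-insertion events.
# Fields: ISO timestamp, host, zone (corp|ics), device serial, vendor:product
SAMPLE_EVENTS = """\
2016-06-01T08:02:11Z eng-ws-07 corp 4C530001230517 0781:5583
2016-06-01T08:40:53Z hr-lt-12 corp 1A2B3C4D5E6F 0951:1666
2016-06-01T11:17:05Z ctl-hmi-02 ics 4C530001230517 0781:5583
2016-06-01T13:05:44Z ctl-eng-01 ics 7E7E7E7E7E7E 0781:5583
2016-06-02T09:12:30Z eng-ws-07 corp 7E7E7E7E7E7E 0781:5583
"""


def parse_events(text):
    """Parse the assumed normalised format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, host, zone, serial, vid_pid = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "host": host,
            "zone": zone,
            "serial": serial,
            "vid_pid": vid_pid,
        })
    return events


def find_crossings(events, allowed_serials=frozenset()):
    """Return one finding per device serial seen in both zones.

    allowed_serials lets an operator exclude devices that are sanctioned to
    cross (e.g. media that goes through a scanning kiosk), so the report
    only carries devices that moved without that control.
    """
    by_serial = defaultdict(lambda: {"corp": [], "ics": []})
    for e in events:
        if e["zone"] not in ("corp", "ics"):
            raise ValueError(f"unknown zone {e['zone']!r}")
        by_serial[e["serial"]][e["zone"]].append(e)

    findings = []
    for serial, seen in sorted(by_serial.items()):
        if serial in allowed_serials or not seen["corp"] or not seen["ics"]:
            continue
        first_corp = min(seen["corp"], key=lambda e: e["ts"])
        first_ics = min(seen["ics"], key=lambda e: e["ts"])
        # Earliest sighting in each zone decides which way the device moved first.
        direction = "corp->ics" if first_corp["ts"] < first_ics["ts"] else "ics->corp"
        findings.append({
            "serial": serial,
            "direction": direction,
            "corp_hosts": sorted({e["host"] for e in seen["corp"]}),
            "ics_hosts": sorted({e["host"] for e in seen["ics"]}),
            "first_corp": first_corp["ts"],
            "first_ics": first_ics["ts"],
        })
    return findings


def report(findings):
    """Render findings as one line each, suitable for a ticket or SIEM alert."""
    return [
        f"{f['serial']} crossed {f['direction']}: "
        f"corp={','.join(f['corp_hosts'])} ics={','.join(f['ics_hosts'])}"
        for f in findings
    ]


if __name__ == "__main__":
    for line in report(find_crossings(parse_events(SAMPLE_EVENTS))):
        print(line)
```

On the sample data the device `4C530001230517` is flagged as moving from the corporate engineering workstation to an HMI, and `7E7E7E7E7E7E` as moving the other way; the serial seen only on the HR laptop produces no finding. Serial collection is the weak point of this check: cheap media sometimes ships with blank or duplicated serials, so a production version should treat a serial shared by many unrelated hosts as noise rather than as a crossing.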
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=877acaa5b3&e=20056c7556
SEC takes on cybercrime with new security advisor
The US Securities and Exchange Commission has named Christopher Hetner the senior adviser to the chair, Mary Jo White, Reuters reported.
The appointment comes two weeks after White told the Reuters Financial Regulation Summit in Washington DC that cyber attacks were the biggest risk facing the financial system, adding that the SEC “can’t do enough” in the cyber-security sector.
Hetner, who currently coordinates cyber-security efforts within the SEC’s office of compliance inspections and examinations, will help address cyber-security policy and assess market risk across the agency.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=61bbb5e260&e=20056c7556
A Cheatsheet That Explains All Those Cyber-Espionage APT Names
In the past, there were some projects, like APTNotes, Cyber Campaigns, and a few others, that tried to put all of these in order.
But there’s now an even better source, organized into a nice and colorful spreadsheet hosted on Google Docs, named APT Groups and Operations.
The spreadsheet was put together by Florian Roth – @cyb3rops, but we did stumble upon it via Krypt3ia’s blog (so thanks, Krypt3ia).
If you ever want to become an infosec ninja, learn it by heart.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=117f24dd04&e=20056c7556
UPDATE 2-Philippine central bank bolsters cyber security, may regulate bitcoin operators
CEBU, Philippines, June 4 (Reuters) – The Philippine central bank is bolstering cyber security surveillance to help boost banks’ defenses and is looking at regulating bitcoin operators to combat money laundering, a senior official said on Saturday.
The Philippine central bank has set up a separate cyber security surveillance division to craft cyber security policies and conduct surveillance work, monitor cyber threats and test the ability of supervised institutions to manage cyber security issues, Nestor Espenilla, central bank deputy governor in charge of banking supervision, said in a lecture organized by the bank.
Policymakers were also looking at tightening regulations for remittance companies and money changers, and regulating operators of virtual currencies to boost efforts to combat money laundering, he said.
Users of digital currency bitcoin more than doubled in the Philippines in the first half of last year from a year earlier, Espenilla said, while bitcoin transactions purportedly passing through registered companies in the country range from $2 million to $3 million per month based on available estimates.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=def89f3535&e=20056c7556
Security Concerns Continue to Rise with Increased Reliance on EHR
The rise of electronic health records (EHR) has brought about numerous benefits for both patients and caregivers.
For patients, EHRs have led to improved health care quality (through increased access to patient information and improved support in making health decisions), increased participation in the healthcare process (through higher accuracy and availability), easier access to personal health records (as they are electronic in nature), and more accurate diagnostics and positive health outcomes (through computational analysis of various healthcare factors and ability to personalize treatment).
In addition, patients are saved valuable time at their doctor’s visits, since their medical information can be accessed much quicker than before.
It’s no secret that there are cyber criminals around and, as with any digital information, the threat of having data stolen is all too real.
Data breaches in healthcare organizations are continuing to happen, with one study even suggesting that almost 90% of healthcare organizations have been victims of data breaches within the last two years.
These constant threats and challenges, however, further underscore the need for reputable healthcare data management companies who provide high-level security within their data reporting and business analytics programs.
Syntrix Consulting is one such group able to ensure data security in their Epic reporting/consulting solutions and health data management by implementing more than just flawed anti-virus software.
They adhere to industry-wide standards in privacy rules, and utilize effective technical controls (anti-malware, data loss prevention software, two-factor authentication, patch management, disc encryption, as well as logging and monitoring software), through operational controls including security assessments, incident response plans, user awareness and training, information classifications, and more.
The best consulting groups are also able to detect attempted breaches by outside actors, audit individual users of their software and workstations, utilize encryption to disguise data within medical files and employ specific device and media controls to inhibit the accidental leak of private data through reused or reprocessed hardware.
It seems like a lot, but the shifting healthcare cybersecurity landscape needs stringent controls to enable the highest level of user confidence possible.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=22c262b005&e=20056c7556
Debate continues over where CISOs sit in the C-suite
Pundits scrutinizing senior executive dynamics have opined for years about to whom the CISO should report.
Some say the CISO should report only to the CIO because the top security role is inextricably linked to IT.
Others say this is a terrible idea because the CISO must lock down the corporate network while the CIO is challenged to innovate.
A CISO panel convened at the MIT Sloan CIO Symposium last month rekindled this longstanding C-suite debate.
MIT professor and panel moderator Stuart Madnick asked the CISOs to whom they believed they should report.
State Street CISO Mark Morrison suggested that the common model of security chiefs reporting to IT leaders is no longer tenable. “I think there needs to be some independence of the CISO from the IT organization,” said Morrison, who provides information security for a financial services company with $30 trillion under custody.
Morrison has dual reporting lines to CIO Antoine Shagoury and the board, whose technology committee he meets with nine times a year, accompanied by the CIO.
Inevitably the board asks Morrison to report on cyber risk, including what additional tools they should invest in to improve protection.
That’s when things start to get dicey as the board asks him if he’s getting enough support and money to do everything he needs to do.
Sitting next to his CIO, “it’s hard to give a very honest answer to that [question],” Morrison said.
Despite all the heady talk about GRC, CISOs still toil in a highly technical role; those who seek and win independence from IT risk sacrificing credibility with their peers.
Shumard and Associates principal consultant Craig Shumard told CIO.com that the CISO is better placed in the IT organization than not because as much as 80 percent of the role is technical in nature.
Indeed, not every CISO on the MIT panel said reporting to IT presents a conflict of interest.
Roota Almeida, head of information security for Delta Dental of New Jersey says she has reported to CIOs in two of her CISO jobs, including her current position.
But she said that organizational culture dictates whether the CISO-CIO reporting structure works. “In a different industry, a different organization, maybe I should be reporting to the chief legal officer,” Almeida said.
With breaches continuing at a rapid clip and the attack surface widening thanks to the Internet of Things, cybersecurity will increasingly be shunted away from IT, predicted R. David Moon, CEO of incident response consultancy TriPath Media.
He said companies must bolster their defenses without overburdening IT departments.
That creates more opportunities for CISOs to grab governance and operational oversight while freeing the CIO to focus on innovation. “We don’t see a lot of CIOs who want to be responsible for the GPS’ in truck fleets, or smart doors and thermostats,” Moon said.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=06b864b1ff&e=20056c7556
Industry vs. industry on security
RESTAURANTS VS. INSURERS — A little-noticed court ruling this week has ramifications for cyber insurance policyholders and providers, present and future — and, according to attorney Robert Chesler, it might even be the first ruling ever on a cyber insurance policy.
The ruling was a defeat for the P.F. Chang’s restaurant chain, which lost in its bid to get Chubb/Federal Insurance to pay an additional $2 million on top of the $1.7 million that the insurer had already paid out from a 2014 data breach.
ETAILERS VS. CREDIT CARD COMPANIES — A simmering feud between retailers and the financial services sector got a little hotter Thursday when the National Retail Federation announced it had asked the FTC to investigate a credit card industry-led security standards organization over antitrust concerns.
UNDER MY UMBRELLA, ELLA, ELLA, EH, EH, EH — The United States and Europe are often at odds on data issues, and they still haven’t come to terms on the Privacy Shield — but U.S. and EU officials did celebrate an agreement Thursday that’s meant to let police and law enforcement agencies more easily exchange data in criminal and terrorist investigations.
LIFE SO CHILL FOR INFOSEC ANALYSTS — The least stressful U.S. job of them all, figures job website CareerCast, is infosecurity analyst.
The site didn’t conduct a poll or anything; it estimated the stress based on a mathematical analysis.
CHINESE HACKERS APPARENTLY TARGETING TAIWANESE POLITICAL PARTY — Hackers have compromised the website of Taiwan’s Democratic Progressive Party in an apparent attempt to gather intel on what’s driving a move away from pro-mainland policies, FireEye says.
NIST GOES FEMA — The National Institute of Standards and Technology is seeking help on a project to aid recovery from destructive malware attacks.
STOP US IF YOU’VE HEARD US BEFORE: ‘LENOVO BLOATWARE … ’ — Top PC maker Lenovo is telling customers to abandon a pre-installed software updater after a critical security report.
Christopher Hetner has been named senior cybersecurity policy adviser to SEC Chair Mary Jo White.
Sarah Geffroy has assumed the title of director of global public policy for AT&T, where she will handle cyber and national security.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=ed447796f2&e=20056c7556
What is the actual value of a CISO?
The key value provided by a CISO is the business leadership role that includes the driving of both information technology and security education.
When the CISO does that, the efficacy of information security policies gets clearer and the process of moving the workforce to a collaborative engagement toward information security starts.
This collaborative effort not only includes the putting of technological solutions on network nodes or employee devices but also includes training and awareness efforts.
The cost of cybercrime and the real quantified value of the CISO these days is skyrocketing as the cost of data breaches continues to rise.
The recent Ponemon IBM report reveals that breach costs have grown from $5.4 million in 2013 to $6.53 million in 2015, an increase of 21% in only two years.
Constantly updating and maintaining the best line of defense is a complicated, never-ending task, manifested within a blend that would typically include data encryption and protection, event management, intrusion prevention, and employee awareness building.
This requires a high-level executive commitment, expertise and processes.
Correct handling and implementation reduces vulnerabilities, shortens the time it takes to detect threats, resolves attacks and can save companies millions annually.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=f0b8a1a789&e=20056c7556
What 17 years as an infosec trainer have taught me
My ideal class size is 24 students.
Again, empirical data from my past trainings have shown that a class size of 24 contains the right critical mass for meaningful classroom discussions and Q&A sessions, while still maintaining a very good student-to-instructor ratio.
Black Hat is on its way to becoming a training factory, with many classes now having over 100 students each.
Our Black Hat training features a larger crew, with two teaching assistants to ensure that even a larger class runs smoothly.
A class size beyond 50 just doesn’t work.
The diversity in capabilities becomes too wide and I risk the class being held up for a few insistent stragglers.
I’d rather stick with quality and depth over quantity at this point in my journey.
The other challenge we face is in managing expectations.
It took a couple of years for us to figure out the gaps.
We took great pains to ensure that our syllabus and learning objectives are very clearly communicated in the course description.
For private infosec training, I like to have a conference call with the stakeholders to discuss the topics they want, and then work out the final syllabus after a couple of iterations.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=f915c31529&e=20056c7556
Enterprises Are Investing in Network Security Analytics
Based upon lots of qualitative and quantitative research, I’m finding that many large organizations with experienced security teams tend to jump into security analytics by focusing their effort on the network for several reasons:
1. Networks are already instrumented for data collection and analysis.
2. Security analysts tend to have lots of network security analytics experience.
3. Network security analytics can be mapped to APT “kill chains.”
4. Network security analytics can span layer 2 through 7 visibility.
5. Threat intelligence aligns well with network security analytics.
6. Network security analytics provide a bridge between cybersecurity and network operations teams.
As the old security saying goes, “the network doesn’t lie.” Clearly the supply- and demand-side of the cybersecurity industry understand what this means and are busy reacting to this truism.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=b0886210a1&e=20056c7556
SWIFT threatens to give insecure banks a slap if they don’t shape up
The SWIFT global payments system has announced it plans to suspend banks with weaker cyber defences until they improve their security.
The threatened sanction follows a run of attacks on international banks over recent weeks, including the $81m mega-heist at the Bangladeshi Central Bank.
SWIFT’s customer security programme will clearly define an operational and security baseline that customers must meet to protect the processing and handling of their SWIFT transactions.
SWIFT will also continue to enhance its own products and services to provide customers with additional protection and detection mechanisms, and in turn help customers to meet these baselines.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=d2eefcdf7f&e=20056c7556
How can you be a good security researcher
So you want to be a security researcher.
Security researchers are much in demand these days due to the rise in cyber security threats as well as growth in tech companies.
Some of you want to become a security researcher for the fame it offers while others may be in it for the awesome money.
Security researchers need a broad set of skills to investigate a constantly-changing threat landscape.
But if you broaden your spectrum you may end up being a jack of all trades.
Therefore specializing in areas such as reverse engineering or network forensics will boost opportunities for you.
A reader on Quora aptly put the following requirements for becoming a security researcher :
– Firstly, one should know many programming languages like Java, Python, Ruby, C and many more.
– Secondly one should have proper knowledge of computer system i.e., operating system and computer networks and how these work.
– Also study the tools and software which check for vulnerabilities.
– Practice!
– Join online courses offering certified hacking courses.
– Read books.
Security research includes a wide spectrum of tasks, says James Treinen, vice president of security research at ProtectWise, developer of a cloud-based platform that uses a virtual camera to record everything on an organization’s network, letting security personnel see threats in real- time.
Remember, a life of a security researcher is hard.
Sometimes they are arrested by police even for reporting flaws or exposing leaks in public.
Other times you may run afoul of a particular cyber criminal or hacking group who may dox you, threaten you or hack your accounts.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=5e2f3af64d&e=20056c7556
============================================================
Feedback, questions? Our mailing address is: dailynews@paulgdavis.com (mailto:dailynews@paulgdavis.com)
If you know someone else who would be interested in this Newsalert, please forward this email.
If you want to be added to the distribution list, please click this: Subscribe to this list (http://paulgdavis.us3.list-manage1.com/subscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a)
Unsubscribe from this list (http://paulgdavis.us3.list-manage.com/unsubscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556&c=685e3fbca4)
Update subscription preferences (http://paulgdavis.us3.list-manage1.com/profile?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556)