[From the desk of Paul Davis – his opinions and no-one else’s]
Apart from the reporter’s opinions
So onto the news:
* GSMA outlines thoroughly sensible IoT security rules
* New Trustwave Report: Cybersecurity Pros Face Increased Pressures
* Why SMBs should build a threat intelligence program — no tech investment required
* Infosec pros still pressured to release unsecure projects: Survey
* 5 Big Incident Response Mistakes
* Time to rethink your approach to security budgeting
* CERT Bulgaria Registered 737 Cyber Incidents in 2015
* Marsh names former U.K. intelligence director as cyber risk adviser
* Interview with Troels Oerting on cybersecurity in modern organizations
* Terrorism key security threat facing Singapore
* The Phishie Awards: (Dis)Honoring The Best Of The Worst Phishing Attacks
* Tripwire Study: IT Professionals Overconfident in Cyber Attack Detection
* How to build secure supply chains: 3 key steps
GSMA outlines thoroughly sensible IoT security rules
About time: the GSM Association has released a bunch of guidelines to try and address the chronic insecurity of the Internet of Things.
The group has put together documents for the three key segments (as it sees the IoT market anyhow): telecommunication carriers, service operators, and device manufacturers.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=cc493cd884&e=20056c7556
New Trustwave Report: Cybersecurity Pros Face Increased Pressures
CHICAGO, IL – Trustwave® today released the 2016 Security Pressures Report, based on a survey of 1,414 in-house information security professionals, which shows a rise in both the current and expected pressures in the career field and offers ways for security professionals globally to mitigate the increasing tensions.
In addition to providing year-over-year comparisons of 2014 and 2015, the third-annual report adds previously unmeasured insight related to cybersecurity pressures including new data and regional viewpoints.
In addition to respondents from the United States, Canada and the United Kingdom, the 2016 report features 398 Asia Pacific respondents from Australia and Singapore and adds new questions that address the timing of increased pressure, job security, and specific security threats that pose the greatest challenges to security practitioners.
Key findings from the 2016 Security Pressures Report from Trustwave include:
Under pressure: 63% of information security professionals felt more pressure to secure their organizations in 2015 compared to the previous 12 months, and 65% expect to feel additional pressure this year.
Those numbers grew 9% and 8%, respectively, compared to last year.
Skills gap: Shortage of security expertise has climbed from the eighth-biggest operational pressure facing security pros to the third-biggest, behind advanced security threats and adoption of emerging technologies.
Board burden: 40% of respondents feel the most pressure in relation to their security program either directly before or after a company board meeting – 1% higher than how they feel after a major data breach hits the headlines.
Detection trumps prevention: The largest security responsibilities facing 54% of respondents are related to detection of vulnerabilities, malware and compromised systems.
Moved to managed: The number of respondents who either already partner or plan to partner with managed security services providers has climbed from 78% to 86%.
Empty promises: Pressure to select security technologies containing all of the latest features has jumped from 67% to 74% among respondents, but having the proper resources to put them to use has fallen from 71% to 69%.
Data and DDoS gloom: Customer data theft and intellectual property theft remain the top two worrying outcomes following an attack or data breach, but a disabled corporate website is the biggest riser (from 7% to 13%).
Demand outpacing supply: Respondents wishing to quadruple their staff from its current size has risen from 24% to 29%.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=ff2d0b1ff0&e=20056c7556
Why SMBs should build a threat intelligence program — no tech investment required
“Contrary to popular narrative, I believe it makes a lot of sense for small information security programs to build a threat intelligence capacity,” mentions Swanson in this Swannysec blog post. “While this may not be a popular opinion, I know smaller operations can benefit from a right-sized threat intelligence program because I’m in the process of building one currently and there have been tangible results.”
“Anyone interested in threat intel should start by seeking out and reading published threat reports from companies such as FireEye, Palo Alto, or Symantec,” suggests Swanson. “A large repository of these reports can be located on GitHub.”
The next step, according to Swanson, would be introducing low-effort and low investment automation to process the freely available threat intelligence.
However, before even considering any form of automation, Swanson feels the following must be considered.
No matter how empowering machine learning is, humans need to be part of the equation. “No automated system is going to make any amount of threat intelligence magically useful without people making informed decisions about the data as it relates to the security and risk posture of the organization,” explains Swanson.
With threat data coming in and being analyzed, the next step is developing a plan based on information gleaned from the threat intelligence.
Besides external threat intel, Swanson suggests data mining all possible internal sources for actionable intelligence.
Swanson cautions to start small, “Generate top ten lists of exploits, malware, brute-force attempts, etc. and start to observe trends in those reports.”
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=12fd4da89a&e=20056c7556
Infosec pros still pressured to release unsecure projects: Survey
Despite an increase in the number of data breaches last year, infosec pros say they continue to be pressured by the business side to release projects that aren’t fully secure, according to an international survey.
The survey, paid for by Trustwave, showed that 77 per cent of respondents in five countries – and 71 per cent of Canadians – felt either frequent or periodic pressure to roll out IT projects that weren’t security ready.
The good news is that the majority agreed it was once or twice rather than frequently.
However, if a bug slips by that could be once too many.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=615dd5c21c&e=20056c7556
5 Big Incident Response Mistakes
While the initial breach itself tends to draw the most attention, how an organization responds to the incident shapes the eventual scope and damage of the attack.
Not having a formal plan and being unprepared are just two of the mistakes that organizations make.
Here are some of the others:
1) Responding before understanding the full scope of the breach.
2) Not communicating effectively.
3) Not getting legal involved early.
4) Tipping your hand.
5) Using an improperly staffed response team.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=57b3809549&e=20056c7556
Time to rethink your approach to security budgeting
Some healthcare security budgets are increasing at a modest pace according to Forrester; 16% of the IT budget compared with 19% across all industries.
However, there are still many other healthcare security budgets that appear to get trivial increases, and, in some cases, a reduction in security-related expenditures.
Increases in the accompanying chart are not exceptionally large.
According to Forrester, almost 30% of the healthcare security budget consists of staffing and maintenance costs with staffing representing almost 14% and maintenance of existing on-premises security technology representing approximately 15%.
But scarce security skills in the labor pool are ongoing challenges for all healthcare organizations.
This not only raises the cost of staffing but also restricts efficiency.
To reduce both staffing and maintenance costs, Forrester recommends that healthcare organizations consider increasing the adoption of managed security or security-as-a-service.
They contend that security is a critical function, but not all of it needs to be delivered in-house.
Security spending in the healthcare industry can vary widely, as does the efficiency and cost-effectiveness of that spending.
Healthcare organizations can guide their budgets for optimal outcomes by thinking through which functions and activities they should own and which staff skills to hire vs. outsource.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=1b6d12d5df&e=20056c7556
CERT Bulgaria Registered 737 Cyber Incidents in 2015
A total of 737 cyber incidents were registered at the websites of central and local government authorities and other institutions in Bulgaria last year, according to the National Computer Security Incidents Response Team (CERT Bulgaria).
The largest number of those incidents involved malicious code (294), followed by fraud (105), offensive content (100), attempted unauthorized intrusion (65), reaping information (26), and intrusions (10).
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=3c764f7915&e=20056c7556
Marsh names former U.K. intelligence director as cyber risk adviser
Marsh L.L.C. on Thursday said it has appointed Sir Iain Lobban, the former director of the U.K. Government Communications Headquarters, the country’s security and intelligence organization, as senior adviser on cyber risk.
In his newly created role, Mr. Lobban “will provide strategic advice as Marsh works with governments, regulators and clients on how best to address the growing threat of cyber risk,” Marsh said in a statement.
He will report to Mark Weil, Marsh’s CEO of U.K. and Ireland.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=e59636b54b&e=20056c7556
Interview with Troels Oerting on cybersecurity in modern organizations
The role of the chief information security officer (CISO) has profoundly changed over the years, from IT security management to high-level risk management.
Today Troels Oerting is the Chief Information Security Officer (CISO) at Barclays. I consider him a master; in my opinion, only a few professionals have had his experience in cyber security. Troels is the incarnation of the modern CISO.
In the past, which is not so long ago, I believe that the CISO role was considered to be a technical role.
The profile should be technical and it would often report to the Operations & Technology chief in any bigger organisation.
The role was rather reactive and aiming at “ticking” boxes in auditors control schemes based on various vulnerabilities.
I think you will find that there is a growing understanding for the fact that the CISO role is not a tech role but a wider business role.
When we, in Barclays, assess the threat we first identify our Adversaries.
Who are they?
We have intrusion attempts from Nation States, Organised cybercriminal networks and hacktivists.
Next in our assessment is to have a look at the Intent of each of the Adversaries.
I am never satisfied if we have losses.
Regardless if it is losses of sensitive data, money or other valuables in our digital repository.
I think that the executive management already have a full understanding of digital security.
I believe that trust is key, and we will be measured by our customers, society and regulators if we can keep their trust.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=7a05e3df17&e=20056c7556
Terrorism key security threat facing Singapore
Terrorism is the “most significant” security threat facing the Republic today, the Ministry of Home Affairs (MHA) said yesterday, even as it reassured Singaporeans that the overall crime rate here remains low.
The ministry also highlighted trends of crime statistics which are set to be released by law enforcement agencies over the next few days.
The overall crime rate remains low although there was a slight increase from 2014, fuelled by a sharp increase in online crime – such as scams – which has persisted since 2013.
Almost all other types of crime have fallen.
Violent property offences and housebreaking are at their lowest levels in 20 years, while unlicensed moneylending harassment hit a 10-year low.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=9dca7c68e6&e=20056c7556
The Phishie Awards: (Dis)Honoring The Best Of The Worst Phishing Attacks
You invest in the slickest, smartest, security gear.
The latest in threat intelligence, behavior analysis, and every other cutting-edge tech that widened your eyes on the trade show floor.
It’s excellent, exciting, expensive…and useless against a top-notch social engineer.
These days, the social engineer’s favorite tool isn’t the smile; it’s the humble phishing message.
Read on to see which attack campaigns and categories earn the dubious honor of winning one of the coveted Phishie Awards.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=2cc937427d&e=20056c7556
Tripwire Study: IT Professionals Overconfident in Cyber Attack Detection
Tripwire, Inc., a leading global provider of endpoint detection and response, security and compliance solutions, today announced the results of an extensive study conducted by Dimensional Research on behalf of Tripwire.
The study evaluated the confidence of IT professionals regarding the efficacy of seven key security controls that must be in place to quickly detect a cyber attack in progress.
Study respondents included 763 IT professionals from retail, energy, financial services and public sector organizations in the U.S.
The majority of the respondents displayed high levels of confidence in their ability to detect a data breach even though they were unsure how long it would take automated tools to discover key indicators of compromise.
For example, when asked how long it would take automated tools to detect unauthorized configuration changes to an endpoint on their organizations’ networks, 67 percent only had a general idea, were unsure or did not use automated tools.
However, when asked how long it would take to detect a configuration change to an endpoint on their organizations’ networks, 71 percent believed it would happen within minutes or hours.
Configuration changes are a hallmark of malicious covert activity.
Forty-eight percent of energy and health care respondents said they had the lowest percentage of successful patches in a typical patch cycle, with a success rate of less than 80 percent.
Nearly two-thirds (62 percent) of respondents were unsure how long it would take for automated tools to generate an alert if they detected an unauthorized device on the network, while 87 percent believed it would happen within hours.
Nearly half (48 percent) of respondents working for federal government organizations said not all detected vulnerabilities are remediated within 15 to 30 days.
Forty-two percent of midmarket organizations do not detect all attempts to access files on local systems or network-accessible file shares by users who do not have the appropriate privileges.
Sixty-one percent of respondents working in the financial services sector said their automated tools do not pick up all the information necessary to identify the locations, departments and other critical details about unauthorized configuration changes to endpoint devices.
Only 23 percent of respondents said that 90 percent of the hardware assets on their organizations’ networks are automatically discovered.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=e8c582cb48&e=20056c7556
How to build secure supply chains: 3 key steps
The solution is not to build stronger firewalls, as one might think.
Even the Great Wall of China was breached – and, besides, firewalls inhibit the kind of seamless interaction on which collaborative supply chains depend.
The better approach is for supply chains to adopt an approach that addresses the challenge holistically, and is agile enough to respond to an ever-changing threat landscape.
The key here is to address security in terms not just of technology but also in terms of people and processes.
This approach is critical because it allows supply chain companies to look at their risks properly.
1) Define the ecosystem.
Companies need to define who their partners are in the supply chain, and categorise them by importance.
2) Identify the primary contacts within each partner company as well as their location – and make sure everybody in your company has this information.
3) Establish controls and guidelines for each business partner/category of business partner.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=806c37480d&e=20056c7556
============================================================
Feedback, questions? Our mailing address is: dailynews@paulgdavis.com
If you know someone else who would be interested in this Newsalert, please forward this email.