[From the desk of Paul Davis – his opinions and no-one else’s]
Apart from the reporter’s opinions 😉
Also, would it help to include a table of contents at the beginning of the email? This would make the email message longer, but might make it easier to jump to the sections you are interested in. Send an email to mail@paulgdavis.com if you think it is a good idea.
So onto the news:
Intact Insurance launches commercial drone insurance for small- and medium-sized businesses
Intact Insurance, Canada’s largest home, auto and business insurance company, announced on Monday that it has launched drone insurance for its commercial lines customers.
The unmanned air vehicle (UAV) coverage “caters specifically to small and medium-sized businesses that currently use or plan to use drones to complement their business operations,” Intact Insurance said in a press release.
UAV coverage is the latest addition to the company’s line of products and services that provide “unique solutions which add value to businesses and brokers.” Other recent innovative commercial initiatives launched include its cyber endorsement, which protects businesses against cyber risks and myFleet Solution, a fleet-management insurance solution for businesses with fleets.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=c594c35563&e=20056c7556
How email in transit can be intercepted using DNS hijacking
This article looks at how an attacker can intercept and read emails sent from one email provider to another by performing a DNS MX record hijacking attack.
DNS hijacking attacks work as follows.
The attacker poses as or compromises the DNS server used by Alice’s mail server to find out where to deliver Alice’s email to Bob.
Instead of returning the legitimate IP address, the DNS server returns the IP address of a server owned by the attacker.
Alice’s server believes this IP address is the legitimate one for Bob’s server and delivers the email to the rogue server.
The attacker reads the email and to make the attack invisible, forwards the email to the real server.
This shortcoming will eventually be fixed with the deployment of DNSSEC (so that forged DNS answers fail signature validation) and DANE (so that the sending server can also check the receiving server’s TLS certificate against a signed TLSA record); note that both the sending and the receiving side have to deploy them for the protection to apply.
This deployment and other ways to mitigate this type of attack are discussed at the end of this post.
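The following is an added example and not code from the linked article: a small offline model of the MX hijack described above, showing why DANE only helps when the sending server also insists on DNSSEC-validated answers. The resolvers, host names, addresses, "certificates" (plain byte strings) and the sending MTA’s policy names are all constructed for the illustration.

```python
"""Added example, not code from the article: a toy model of the MX hijack above
and of why DNSSEC plus DANE stops it.  Resolvers, hosts, addresses and the
"certificates" (just byte strings) are constructed for the illustration."""
import hashlib
from dataclasses import dataclass

# Constructed zone data for the receiving side (bob.example).
REAL_MX_HOST = "mx.bob.example"
REAL_MX_IP = "192.0.2.25"        # documentation address, stands in for Bob's MTA
ROGUE_IP = "198.51.100.66"       # documentation address, stands in for the attacker
REAL_CERT_DER = b"constructed DER certificate for mx.bob.example"
ROGUE_CERT_DER = b"constructed DER certificate for the rogue host"

# Which certificate each address presents on port 25 (constructed).
CERT_PRESENTED_BY = {REAL_MX_IP: REAL_CERT_DER, ROGUE_IP: ROGUE_CERT_DER}


def tlsa_assoc_data(cert_der: bytes) -> str:
    """TLSA association data for usage 3 (DANE-EE), selector 0 (full
    certificate), matching type 1 (SHA-256 of the DER), as in RFC 6698."""
    return hashlib.sha256(cert_der).hexdigest()


@dataclass
class Answer:
    rrs: list
    authenticated: bool  # the validating resolver's AD bit


class HonestResolver:
    """Returns Bob's real records; every answer validated under DNSSEC."""
    ZONE = {
        ("bob.example", "MX"): [(10, REAL_MX_HOST)],
        (REAL_MX_HOST, "A"): [REAL_MX_IP],
        ("_25._tcp." + REAL_MX_HOST, "TLSA"): [(3, 0, 1, tlsa_assoc_data(REAL_CERT_DER))],
    }

    def query(self, name: str, rtype: str) -> Answer:
        return Answer(list(self.ZONE.get((name, rtype), [])), authenticated=True)


class HijackedResolver(HonestResolver):
    """The attacker of the article: answers the MX host's A query with its own
    address and, anticipating DANE, a TLSA record for its own certificate.
    Forged records carry no valid RRSIG, so a validating resolver cannot set
    the AD bit on them."""

    def query(self, name: str, rtype: str) -> Answer:
        if (name, rtype) == (REAL_MX_HOST, "A"):
            return Answer([ROGUE_IP], authenticated=False)
        if rtype == "TLSA":
            return Answer([(3, 0, 1, tlsa_assoc_data(ROGUE_CERT_DER))], authenticated=False)
        return super().query(name, rtype)


def deliver(resolver, domain: str, policy: str) -> tuple:
    """Model Alice's sending MTA.  policy (a constructed name) is one of:
      'legacy'         trust whatever DNS says (the situation in the article)
      'dane-no-dnssec' check TLSA but ignore whether answers were validated
      'dane'           mandatory DANE: require AD on MX, A and TLSA answers
    Returns ('delivered', ip) or ('refused', reason)."""
    mx = resolver.query(domain, "MX")
    _, host = min(mx.rrs)                 # lowest preference value wins
    a = resolver.query(host, "A")
    ip = a.rrs[0]
    if policy == "legacy":
        return ("delivered", ip)

    tlsa = resolver.query(f"_25._tcp.{host}", "TLSA")
    if policy == "dane" and not (mx.authenticated and a.authenticated and tlsa.authenticated):
        return ("refused", "MX/A/TLSA answers not DNSSEC-authenticated")
    presented = tlsa_assoc_data(CERT_PRESENTED_BY[ip])
    if not any(u == 3 and s == 0 and m == 1 and d == presented for u, s, m, d in tlsa.rrs):
        return ("refused", "server certificate does not match any TLSA record")
    return ("delivered", ip)


if __name__ == "__main__":
    for resolver in (HonestResolver(), HijackedResolver()):
        for policy in ("legacy", "dane-no-dnssec", "dane"):
            print(type(resolver).__name__, policy, deliver(resolver, "bob.example", policy))
```

The interesting row is the hijacked resolver under "dane-no-dnssec": an attacker who can forge the A record can forge the TLSA record just as easily, so a certificate check that does not also require the AD bit on the MX, A and TLSA answers delivers to the rogue host exactly as the legacy MTA does. Only the "dane" policy, which refuses unauthenticated answers, stops the interception, which is why DNSSEC validation on the sending side is a precondition for DANE, not an optional extra.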
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=5e738b60a3&e=20056c7556
Hewlett Packard Enterprise Finds Security Operations Centers Lack Maturity and Skilled Professionals in 2016 State of Security Operations Report
Hewlett Packard Enterprise (NYSE: HPE) today published its third annual State of Security Operations Report 2016, highlighting the critical role security operations centers (SOCs) play in protecting today’s digital enterprise.
As organizations face an increasingly volatile threat landscape, the report assesses SOC maturity levels to help organizations improve their security posture and understand the components of a successful security operations organization.
Published by HPE Security Intelligence and Operations Consulting (SIOC), the report examines 114 SOCs in more than 150 assessments around the globe and measures four areas of performance: people, processes, technology and business function.
This year’s report indicates that security operations maturity remains well below optimal levels, with 85 percent of assessed organizations falling below recommended maturity levels. While this number is alarmingly high, it accounts for the influx of new SOCs that enterprises are building to address evolving security challenges.
These findings also demonstrate the need for organizations to strike the right performance balance across all areas of the SOC, from the foundation up.
HPE continues to find that the majority of cyber defense organizations’ operations remain below target maturity levels.
A continual focus on mastering the basics and creating a solid foundation of risk identification, incident detection, breach escalation and response is key to effectiveness.
Benefits from advanced analytics capabilities and threat intelligence will only be realized if a strong security operations framework exists.
A single product or service will not provide the protection and operational awareness that organizations need.
Instead, organizations must focus on a continuous investment in their cyber security posture that encompasses people, process, technology and business function to effectively mitigate risks.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=98f9abfa93&e=20056c7556
Verisk Releases Industry’s First Cyber Exposure Data Standard
The Verisk cyber exposure data standard is the first step in the process of managing accumulations of cyber risk and will help create a uniform method for data transfer throughout the industry.
Many of the fields are optional to provide flexibility for companies that collect different types of information or at different levels of detail.
The AIR preparer’s guide will assist companies in collecting and storing the data.
Many client organizations, including companies in the insurance, broker, and reinsurance industry, have reviewed the standard and provided valuable input.
In addition, AIR has developed an SQL implementation to allow organizations to begin to use the standard in their enterprises.
In the coming months, AIR aims to provide SQL scripts that can be used for deterministic scenario analysis and accumulation analysis.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=6e9f9567a3&e=20056c7556
Worldwide IT spending outlook for 2016
Worldwide IT spending is forecast to total $3.54 trillion in 2016, just a 0.6 percent increase over 2015 spending of $3.52 trillion, according to Gartner, Inc. 2015 saw the largest U.S. dollar drop in IT spending since Gartner began tracking IT spending: $216 billion less was spent on IT in 2015 than in 2014, and 2014 spending levels won’t be surpassed until 2019.
“The rising U.S. dollar is the villain behind 2015 results,” said John-David Lovelock, research vice president at Gartner. “U.S. multinationals’ revenue faced currency headwinds in 2015.
However, in 2016 those headwinds go away and they can expect an additional 5 percent growth.”
The devices market (PCs, ultramobiles, mobile phones, tablets and printers) is forecast to decline 1.9 percent in 2016.
The combination of economic conditions preventing countries such as Russia, Japan and Brazil from returning to stronger growth, together with a shift in phone spending in emerging markets to lower-cost phones, is overlaid with weak tablet adoption in regions where there was an expectation of growth.
Data center systems’ spending is projected to reach $75 billion in 2016, a 3.0 percent increase from 2015.
The server market is the segment that has seen the largest change since the previous quarter’s forecast.
The server market has seen stronger-than-expected demand from the hyperscale sector, which has lasted longer than expected.
Typically, this segment has spiky demand which lasts for a couple of quarters before moderating.
Demand in this segment is expected to continue to be strong through 2016.
Telecom services spending is projected to decline 1.2 percent in 2016, with spending reaching $1.454 trillion.
The segment will be impacted by the abolition of roaming charges in the European Union and parts of North America.
While this will increase mobile voice and data traffic, it will not be enough to counter the corresponding loss of revenue from lost roaming charges and premiums.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=76ec04caba&e=20056c7556
Behavioral Analytics: The Future of Just-in-Time Awareness Training?
My mom bought a new car the other day and like most new cars today, it comes equipped with all the modern bells and whistles, including driver assistance features.
If she starts wandering out of her lane, beeps and flashing lights direct her to get back in her lane.
Or if she gets too close to the car ahead of her, the car brakes automatically.
Great stuff for those who aren’t always paying close attention, right?
I’d say it’s high time we brought these kinds of features into the information security space, because right now we’re trusting employees to drive our “cars”— or expensive IT infrastructure – and the precious information that flows through it.
The good news is User Behavior Analytics (UBA) tools offer the promise of solving this problem – if they evolve in the right direction.
These tools — which draw information from various other data gathering systems in the market, such as security information and event management (SIEM) systems, data loss prevention (DLP) systems, etc. — are providing real value in identifying patterns and signs that reveal the presence of bad actors in the IT environment.
Right now, UBA and these other threat detection tools are great at identifying and addressing the symptoms of technical failure (such as system vulnerabilities), but we’ve only just tapped into their capacity to really track and respond to the symptoms associated with human failure.
But this can and I believe will change.
It will start when UBA takes a lesson from phishing simulations.
The information security community loves phishing simulation tools – and why not.
These tools do a great job at identifying employees who put the organization at risk by clicking on (fake) phishing attempts.
Once you know who falls prey to phishing, you can target them with just-in-time education and (ideally) improve their performance and their ability to protect the organization.
It works perfectly – or so say advocates.
Can we “tune” UBA systems to identify these kinds of triggers?
I believe we can.
Pair these risk triggers with a flexible deployment of just-in-time training and you’ve created “lane assistance” warnings for information security, with the added benefit of only training those who need it and not wasting the time of those who don’t.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=d7be571627&e=20056c7556
Video: Insurance industry ‘will drag cyber-security into the light’
That’s according to Trey Ford, global security strategist at Rapid7 and a trained pilot, who says that only by forensically investigating all major breaches – in much the same way as the aviation industry learned early in its history to investigate aircraft crashes – will the IT industry get to grips with its cyber-security problem.
In this exclusive interview, recorded at the London offices of SCMagazineUK.com, Ford explained how this approach helped the aviation industry develop the safety protocols that make flying arguably the safest mode of transport.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=a2a7d32b10&e=20056c7556
Only a quarter of cyber security employees say their firm has cyber insurance
Only one-quarter (24 per cent) of UK cyber security professionals say that their firm has cyber insurance, a report by recruiters Harvey Nash has indicated.
Half of around 200 IT security professionals in the UK surveyed by the recruitment firm said that their companies didn’t have cyber insurance, and 26 per cent said that they didn’t know.
When the cyber security professionals who said they didn’t have cyber insurance were asked if they had plans to buy any in the next 12 months – nearly half (46 per cent) said that they didn’t have any plans, while more than one-quarter said that they did (26 per cent) and 28 per cent said they didn’t know.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=e2f946f931&e=20056c7556
Survey: 64 percent of IT execs think achieving basic compliance will stop most breaches
In a survey of large enterprises, 64 percent of more than 1,100 senior IT executives believe that simply meeting cybersecurity compliance requirements, as opposed to striving for best practices, is “very” or “extremely” effective at preventing data breaches.
This contradicts many security experts’ warnings that compliance standards do not constitute acceptable levels of cyberthreat prevention.
Additional stats from the survey, detailed in a 2016 “Data Threat Report” issued yesterday by 451 Research and Vormetric, appear to bear out these experts’ concerns.
Indeed, 61 percent of survey-takers confirmed their organization has experienced a breach in the past—22 percent within the past year.
This 61 percent figure represents a three percentage point increase over last year’s version of the survey.
The percentage of execs that cited compliance as highly effective also rose from 58 percent last year.
Bekker suggested that in some cases, the apparent unwillingness to go above and beyond basic compliance is because IT security is a “grudge spend. It’s not necessarily something a CFO wants to spend their money on. It’s kind of like life insurance,” said Bekker. “It’s always been tough to get funds allocated to security because it doesn’t necessarily give you a tangible benefit.”
The two most popular incentives for spending on IT security were meeting compliance standards and brand protection (46 percent for both).
Current IT spending priorities tended to lean toward classic, old-school network defenses (e.g. firewalls and intrusion prevention systems), which ranked first among intended spending categories at 48 percent.
Conversely, products that directly mitigate theft of data in motion and at rest, such as encryption and data loss prevention, came in last (40 percent for data-in-motion defenses, 39 percent for data-at-rest defenses).
A surprisingly high 43 percent of respondents claimed to have “complete knowledge” of the locations of their sensitive data.
The report suggests that executives may be “in denial” about just how much sensitive data they have disseminated across their operations.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=83262f66eb&e=20056c7556
Increased risk of cyber breaches boosting forensic data analytics
Cyber breaches and insider threats, which include malicious insiders stealing, manipulating or destroying data, are the fastest-growing risks according to executives, and are driving investment in forensic data analytics (FDA) according to EY’s 2016 Global Forensic Data Analytics Survey, ‘Shifting into high gear: mitigating risks and demonstrating returns’.
Sixty-nine per cent say that they need to do more to improve their current anti-fraud procedures, including the use of FDA tools.
Notably, this figure increased to 74 per cent for the C-suite cohort.
Of those respondents citing regulatory pressure as the reason to improve their procedures, C-suite respondents were found to be the most concerned as regulatory enforcement becomes more rigorous and widespread.
With just 55 per cent saying their FDA spend is sufficient, a drop from 64 per cent in the 2014 survey, it is no surprise that three out of five say they plan to spend more on FDA in the next two years.
Looking at the reasons for increased investment, the survey found that responding to growing cybercrime risks and increased regulatory scrutiny are the top drivers at 53 per cent and 43 per cent, respectively.
How FDA tools are deployed is also changing, with 63 per cent saying they invest at least half their FDA budget on proactive monitoring activities.
In response to increased risks, the use of advanced FDA is becoming mainstream, with new technologies and surveillance monitoring techniques widely used to help companies manage current and emerging fraud and cyber risks.
The rising maturity of corporate FDA efforts is also evident in the growing sophistication in their use of data.
Seventy-five per cent routinely analyse a wide range of structured and unstructured data, enabling them to gain a comprehensive view of their risk environment.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=751f59533c&e=20056c7556
4 essentials to creating a world-class threat intelligence program
Gundert suggests that creating a world-class threat intelligence program requires:
– understanding the business and its strategic assets;
– identifying relevant adversaries and their TTPs;
– working in partnership with larger security organizations; and
– building relevant defensive security controls that increase visibility, reduce risk, and increase profitability.
When all is said and done, Gundert suggests, “The success of a threat intelligence program is dependent on the understanding of business objectives, and building processes that allow the business objectives to be met.”
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=c21c24aaa8&e=20056c7556
============================================================
Feedback, questions? Our mailing address is: ** dailynews@paulgdavis.com (mailto:dailynews@paulgdavis.com)
If you know someone else who would be interested in this Newsalert, please forward this email.
If you want to be added to the distribution list, please click this: ** Subscribe to this list (http://paulgdavis.us3.list-manage1.com/subscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a)
** Unsubscribe from this list (http://paulgdavis.us3.list-manage.com/unsubscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556&c=baabdb0aed)
** Update subscription preferences (http://paulgdavis.us3.list-manage1.com/profile?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556)