[From the desk of Paul Davis – his opinions and no-one else’s, apart from the reporter’s opinions ]
I had a request to change the format of the date in the Subject line to make it easier to sort. So I made the change.
* The cyber security index is developed by the Estonian e-Governance Academy
* 10 Sea-Changing IT Security Trends Of The Last 10 Years
* Hackers are bombarding the Fed, and have broken in 50 times over the last 4 years
* Tom Hardy reveals his extreme cyber-security measures as he admits to ‘getting hacked all the time’
* How ‘Agile’ Changed Security At Dun & Bradstreet
* Tricks that ransomware uses to fool you [Slideshow]
* Shoring up trucking’s cyber defenses
* Software security podcast library
* TAG hosts first Malware Summit
* Fighting terrorism: share criminal records of non-EU nationals, too, urge MEPs
* Researchers spot 35-fold increase in newly observed ransomware domains
* CIOs, CISOs share advice on selling cybersecurity to the C-suite
* Improving software security through a data-driven security model
* Cyber Security Vulnerabilities Of FTSE 100 Companies Exposed – Threat Intelligence Report From Anomali Pinpoints Significant Security Exposures In The UK’s 100 Largest Companies
* Data storage legal knowledge in decline, says survey
* Research Spotlight: ROPMEMU – A Framework for the Analysis of Complex Code-Reuse Attacks
* Infographic – Deep web illegal activity exceeds approximately $100,000,000
The cyber security index is developed by the Estonian e-Governance Academy
The e-Governance Academy presented the National Cyber Security Index (NCSI) at the Tallinn e-Governance Conference on 31 May.
The index measures the level of cyber security of countries and defines the fields for the development of cyber security.
It also gives an overview of the preparedness of countries to prevent cyber attacks and crime, and to manage them.
The index can be viewed online at nsci.ega.ee.
The leader of the team that developed the index is Head of National Cyber Security Domain Raul Rikk, who says that the index is a web-based platform that is being further developed in association with other countries. “Every country that joins the index increases its value and our joint security,” said Raul Rikk.
The index consists of 12 main indicators, which are divided into four groups: 1) General Cyber Security Indicators, 2) Baseline Cyber Security Indicators, 3) Incident and Crisis Management Indicators, and 4) International Incident Indicators.
The 12 main indicators have several sub-indicators and aspects that can be measured in points.
The highest possible point score is 100.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=1a2772c606&e=20056c7556
10 Sea-Changing IT Security Trends Of The Last 10 Years
Like generals fighting a losing battle, security thought leaders and professionals have been forced to change strategies many times over the last decade, often in response to technological and strategic advancements developed by the attackers.
While IT itself has evolved quickly, the pace of new security threats has continued to move at even faster speeds, often leaving defenders in firefights that change almost daily.
And defense strategies that were once fundamental to the security industry are now being constantly challenged – if not outright rejected — by the thinkers who once promoted them.
In this feature, we take a look at some of the fundamental sea changes that have occurred over the last 10 years.
Perhaps a look at where we’ve been will give us a hint at where we’re going – or at least prepare us for more change in the future.
– From Sentries To Detectives
– The Shrinking Skills Pool
– The Erosion Of Layered Security
– Cybercrime Boom
– Security Goes Public
– Out Of The Data Center And Into The Boardroom
– The War Between The States
– Hacktivism Becomes A Thing
– Blacklisting Blacklisting
– Encryption Gets Both Good And Bad Names
Today’s behavior-based solutions may give way to some new generation of technology.
The current emphasis on forensics and incident response may give way to a new set of prevention tools.
The current emphasis on cyber risk might be offset by a new class of cyber insurance.
Your guess is as good as ours.
The one thing that we know for sure is that, when it comes to security, the only constant is change.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=9d3f7b3dd0&e=20056c7556
Hackers are bombarding the Fed, and have broken in 50 times over the last 4 years
WASHINGTON (Reuters) – The U.S. Federal Reserve detected more than 50 cyber breaches between 2011 and 2015, with several incidents described internally as “espionage,” according to Fed records.
The central bank’s staff suspected hackers or spies in many of the incidents, the records show.
The Fed’s computer systems play a critical role in global banking and hold confidential information on discussions about monetary policy that drives financial markets.
The records represent only a slice of all cyber attacks on the Fed because they include only cases involving the Washington-based Board of Governors, a federal agency that is subject to public records laws.
Reuters did not have access to reports by local cybersecurity teams at the central bank’s 12 privately owned regional branches.
Hacking attempts were cited in 140 of the 310 reports provided by the Fed’s board.
In some reports, the incidents were not classified in any way.
In eight information breaches between 2011 and 2013 — a time when the Fed’s trading desk was buying massive amounts of bonds — Fed staff wrote that the cases involved “malicious code,” referring to software used by hackers.
In all, the Fed’s national team of cybersecurity experts, which operates mostly out of New Jersey, identified 51 cases of “information disclosure” involving the Fed’s board.
Separate reports showed a local team at the board registered four such incidents.
Security analysts said foreign governments could stand to gain from inside Fed information.
China and Russia, for instance, are major players in the $13.8 trillion federal debt market where Fed policy plays a big role in setting interest rates.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=1fa1fad16a&e=20056c7556
Tom Hardy reveals his extreme cyber-security measures as he admits to ‘getting hacked all the time’
Mad Max: Fury Road actor Tom Hardy admitted his family “get hacked all the time” as he revealed how far he goes to avoid the fate of fellow Oscar nominee Jennifer Lawrence.
The 38-year-old, who has two children, revealed he uses “burner” phones – cheap, pre-paid mobiles that he bins after use – and “private offline servers” for emails as “anyone I’m related to” becomes a target.
He spoke at the launch of Sirin Labs’ Android “military grade” encrypted £11,400 Solarin phone alongside his The Revenant co-star Leonardo DiCaprio.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=5f57feaaad&e=20056c7556
How ‘Agile’ Changed Security At Dun & Bradstreet
Chief Security Officer Jon Rose shares the whys and wherefores of integrating agile software development methodology into a traditional security environment.
In this wide-ranging cybersecurity expert interview, Bishop Fox Partner Vincent Liu chats with the CSO of Dun & Bradstreet, Jon Rose.
The two discuss the commercialization of security, the road to becoming a CSO, and how Agile helped his security team take control of day-to-day activities and better manage priorities.
We excerpt highlights below.
You can read the entire interview here.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=756ea3bdca&e=20056c7556
Tricks that ransomware uses to fool you [Slideshow]
* Jigsaw: deleting files at regular intervals to increase the urgency to pay the ransom faster.
* Petya: encrypting entire drives; Petya encrypts the Master File Table.
* RansomWeb, Kimcilware: encrypting web server data.
* DMA Locker, Locky, Cerber and CryptoFortress: encrypting data on network drives, even on those that are not mapped.
* Maktub: compressing files first to speed up the encryption process.
* Not safe in the cloud: deleting or overwriting cloud backups.
* SimpleLocker: targeting non-Windows platforms.
* Cerber: using the computer speaker to play audio messages to the victim.
* Tox: ransomware as a service, a model offered on underground forum networks.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=663821183c&e=20056c7556
Shoring up trucking’s cyber defenses
According to a recent survey of 200 IT professionals conducted by research firm IDG Connect on behalf of security software firm PC Pitstop, some 46% said their organizations experienced malware attacks that severely affected their operations – despite 88% of them spending over $100,000 a year on data security, with 39% spending over $500,000 annually.
IDG’s poll also found that few of the organizations participating in the survey rely on a single data security product as a foundation for their cyber defenses.
Most supplement endpoint security solutions – typically those from Microsoft (57%), McAfee (51%) and Symantec (46%) – with additional network appliances (82%), email appliances (56%) and DDoS protection solutions (55%).
Something to think about as trucking – as well as the rest of the business world – is poised to become only more and more digitized down the road.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=20342459e1&e=20056c7556
Software security podcast library
McGraw hosts this monthly podcast, interviewing various information security practitioners, experts and commentators about software security and other top issues in the world of infosec.
SearchSecurity.com is pleased to partner with Gary McGraw to feature his monthly Silver Bullet software security podcasts, which discusses best practices in software security.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=6eba795041&e=20056c7556
TAG hosts first Malware Summit
Earlier today, TAG held its first Malware Summit in New York City, bringing together a small group of industry leaders to discuss the current state of – and solutions to – malware and malvertising in digital advertising. (A nice article on the Summit and TAG’s work in this area ran in AdAge today.)
While the discussions at the Summit were confidential, attendees heard introductory remarks from AppNexus co-founder Brian O’Kelley and an analysis of the current state of malware from The Media Trust CEO Chris Olson.
In addition to learning from one another, attendees also had the opportunity to review case studies on companies in other industries who have faced similar threats.
Beyond that intra-industry engagement, the Summit also facilitated a dialogue with representatives from the U.S. Department of Homeland Security, FBI, and Department of Justice.
These relationships will be critical in our fight against malware to ensure that our industry can share information with the relevant law enforcement authorities and bring the criminals profiting from malware to justice.
Coming out of the Summit, the TAG Malware Working Group plans to work quickly toward an information-sharing infrastructure and set of best practices that will allow the industry to take an aggressive role in fighting malware.
Later this year, TAG plans to unveil the results of that work and begin to offer companies a TAG anti-malware seal if they comply with those standards.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=f623325687&e=20056c7556
Fighting terrorism: share criminal records of non-EU nationals, too, urge MEPs
The European Criminal Records Information System (ECRIS), which EU countries use to exchange information on the criminal convictions of EU citizens, should be extended to include non-EU nationals, Civil Liberties Committee MEPs said on Monday.
MEPs also want the system to be used to check the criminal records of people seeking to work with children.
“We need to restore public confidence that we are able to monitor who comes into the EU, and to find people who could represent a threat.
Checking people against our existing criminal records databases, and making exchanging that information much easier, will go a long way towards showing that we can find those people who mean us harm, amongst the vast majority who do not”, said Parliament’s lead MEP on the file Timothy Kirkhope (ECR, UK), following the vote.
MEPs also stress that member states should be able to use the ECRIS system to pass on information relating to terrorist offences or serious crime received bilaterally from a third country.
Furthermore, they want the EU’s police cooperation agency Europol and border agency Frontex to be able to access the database, upon request and case by case, to perform their tasks.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=a828779d41&e=20056c7556
Researchers spot 35-fold increase in newly observed ransomware domains
Infoblox researchers spotted a record 35-fold increase in newly observed ransomware domains compared to Q4 2015 based on its DNS (domain name system) Threat Index.
Infoblox did not give an exact number to reflect the increase, but said its index tracks the creation of malicious DNS infrastructures, through both registration of new domains and hijacking of previously legitimate domains or hosts, and has a baseline of 100 but hit an all-time high of 137 in Q1 2016, according to the Infoblox DNS Threat Index Q1 Report.
The report also found the U.S. is still the top host for newly created malware and accounts for 41 percent of malicious domain observations.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=c2f1747b83&e=20056c7556
CIOs, CISOs share advice on selling cybersecurity to the C-suite
Speak their language.
Don’t talk too deeply about technology.
But also remember to pitch the innovative ways that investing in security can improve the business, executives from Henry Ford, NIST, PwC, Texas Children’s and others advise.
When UC Irvine Health CIO Chuck Podesta needed a bigger security budget he walked the hospital’s chief executive through a typical data breach or loss scenario.
The last bullet point: CEO apologizes to the public.
Ronald Ross, a fellow and computer scientist at the National Institute of Standards and Technology offered advice that infosec professionals can take to the boardroom: It’s always less expensive to invest in security than it is to clean up after data breaches and, what’s more, it’s not always possible to calculate the price of fixing things gone awry.
It can also help to explain that security is basic risk management, including expenditure, insurance, regulatory compliance, all the things companies do to mitigate risk, said Lisa Gallagher, a managing director at PwC.
CIOs and CISOs understand they are going to shoulder the burden of ensuring everyone is on the same page.
Just don’t neglect innovation.
Instead, consider this: With security in place, healthcare organizations can try new apps quickly, literally conducting limited pilot deployments in minutes, instead of taking a year or more testing the app’s security before getting started.
“The biggest cost of not having security is not that you pay for data breaches, it’s that you’re not able to innovate,” said Mohit Tiwari, assistant professor of electrical and computer engineering at the University of Texas at Austin. “Innovation speed is slow and that’s the biggest problem.”
Perhaps the most potent selling point: Healthcare organizations that don’t effectively manage the basics cannot win in the evolving threat landscape.
And he likened information security to the phrase “sharks and glaciers” because those are both most dangerous beneath the surface, unseen, until the strike hits and the damage is inflicted.
“Cybersecurity needs to flow up and down the organization,” Ross explained. “The C-suite has to understand in the core that cyber is critical to the organization’s survival in the world we live in today.”
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=c606a58467&e=20056c7556
Improving software security through a data-driven security model
The current software security models, policies, mechanisms, and means of assurance are a relic of the times when software began being developed, and have not evolved along with it, says Google researcher Úlfar Erlingsson.
Practical security of computer users has, therefore, worsened, even as a plethora of computer security mechanisms have been introduced time and time again.
Erlingsson proposes a new data-driven software security model to improve user and system security.
“Permit only executions that historical evidence shows to be common enough, unless given explicit, special permission.”
Erlingsson is aware that there may be obstacles to implementing it, and that it hinges on the efficient monitoring of how software is behaving, and that monitoring this behavior should be executed without intruding on users’ privacy.
In his paper, he also details examples of how Google has already managed to successfully perform and/or implement all three of these steps.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=a8308c9147&e=20056c7556
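The quoted rule, “permit only executions that historical evidence shows to be common enough, unless given explicit, special permission,” is easy to state and worth seeing as a decision procedure. The following is an added illustration, not code from the article or from Erlingsson's paper: it counts (parent, child) program launches from a constructed history log, then allows a new launch only if that pair has been seen at least `min_count` times or is on an explicit exception list. The history format, the threshold and the process names are all assumptions made for the example.

```python
"""Toy data-driven execution policy (added example, not from the article).

The history is aggregated to (parent, child) counts only. It deliberately
carries no user identity, which is the privacy constraint the summary
mentions: the decision needs frequencies, not who ran what.
"""
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample history: one observed launch per line, "parent -> child".
SAMPLE_HISTORY = """
explorer.exe -> outlook.exe
explorer.exe -> outlook.exe
explorer.exe -> outlook.exe
outlook.exe -> winword.exe
outlook.exe -> winword.exe
outlook.exe -> winword.exe
outlook.exe -> winword.exe
explorer.exe -> chrome.exe
explorer.exe -> chrome.exe
explorer.exe -> chrome.exe
winword.exe -> powershell.exe
""".strip().splitlines()


@dataclass
class ExecutionPolicy:
    # How many past observations make an execution "common enough".
    min_count: int
    # Explicit, special permissions: (parent, child) pairs always allowed.
    exceptions: set = field(default_factory=set)
    # Historical evidence: (parent, child) -> number of observations.
    history: Counter = field(default_factory=Counter)

    def learn(self, lines):
        """Fold observed launches into the aggregate counts."""
        for line in lines:
            parent, child = (part.strip() for part in line.split("->"))
            self.history[(parent, child)] += 1

    def decide(self, parent, child):
        """Return ("allow" | "deny", reason) for a proposed launch."""
        key = (parent, child)
        if key in self.exceptions:
            return "allow", "explicit permission"
        seen = self.history[key]
        if seen >= self.min_count:
            return "allow", f"seen {seen} times"
        return "deny", f"seen only {seen} times (threshold {self.min_count})"


def build_policy(min_count=3, exceptions=()):
    """Build a policy from the constructed history with the given threshold."""
    policy = ExecutionPolicy(min_count=min_count, exceptions=set(exceptions))
    policy.learn(SAMPLE_HISTORY)
    return policy


if __name__ == "__main__":
    policy = build_policy()
    for pair in [("explorer.exe", "outlook.exe"),
                 ("winword.exe", "powershell.exe"),
                 ("explorer.exe", "unknown.exe")]:
        print(pair, "->", policy.decide(*pair))
```

A real deployment would express "common enough" as a share of the fleet or of the parent's launches rather than a raw count, and would log denials so that the exception list can be curated from evidence rather than guesswork; the skeleton above is only the decision logic.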
Cyber Security Vulnerabilities Of FTSE 100 Companies Exposed – Threat Intelligence Report From Anomali Pinpoints Significant Security Exposures In The UK’s 100 Largest Companies
Anomali, provider of market-leading threat intelligence platforms, has today revealed the prevalence of suspicious brand spoofing and mass compromised credential exposures of the Financial Times Stock Exchange 100 (FTSE 100).
Over the last three months, eighty-one companies in the FTSE 100 had potentially malicious domain registrations against them, enabling cyber criminals to create dummy websites that can be used to trick users into supplying private data.
The report also discovered that 5,275 employee email and clear text password combinations from FTSE 100 companies were found on a number of sites from which they can be stolen, publicly published or sold.
The report, The FTSE 100: Targeted Brand Attacks and Mass Credential Exposures, reveals the total number of detected malicious domain names registered was 527 over the last three months, an average of five per company.
These are instances in which a cyber attacker has created a domain name that is only slightly different from a company’s official domain name…
Additionally, the report discovered:
Most of the suspicious domains were registered using a Chinese address.
The second most were from the US and the third most were from Panama.
The vertical hardest hit with suspicious domain registrations is financial services with 376, followed by retail at 175 and critical infrastructure at 75.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=5555da480e&e=20056c7556
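The report's finding rests on spotting domain names that are "only slightly different from a company's official domain name". The following is an added example of how a brand-protection team might triage newly registered domains against its own list; it is not Anomali's method or code. The brand list, the candidate registrations, the confusable-character table and the short suffix list are all constructed for the example, and the edit-distance threshold is an assumption.

```python
"""Flag registered domains that closely resemble a brand's official domain.

Added example, not the report's code. Brands, candidates and the tables
below are constructed sample data.
"""

# Characters commonly substituted for look-alike glyphs (constructed, illustrative).
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "vv": "w", "rn": "m"}

# Tiny suffix list so the example is self-contained; longer suffixes come first
# so that "co.uk" wins over "uk". A real tool would use the public suffix list.
KNOWN_SUFFIXES = ("co.uk", "com", "net", "org", "uk")

# Constructed sample data.
BRANDS = ["examplebank.co.uk", "acme-retail.com"]
CANDIDATES = [
    "examplebank.co.uk",         # the brand's own domain, not a finding
    "examp1ebank.co.uk",         # digit 1 for letter l
    "examplebank.com",           # same name on another suffix
    "exanplebank.co.uk",         # one-character substitution
    "examplebank-secure.co.uk",  # brand embedded in a longer name
    "weather.org",               # unrelated, must not be flagged
    "acme-retail.net",
    "acrne-retail.com",          # "rn" for "m"
]


def normalise(label):
    """Map confusable glyph sequences back to the letters they imitate."""
    label = label.lower()
    for src, dst in CONFUSABLES.items():
        label = label.replace(src, dst)
    return label


def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute or swap adjacent chars."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def brand_label(domain):
    """Return the registrable label, e.g. 'examplebank' from 'examplebank.co.uk'."""
    domain = domain.lower().rstrip(".")
    for suffix in KNOWN_SUFFIXES:
        if domain.endswith("." + suffix):
            return domain[: -len(suffix) - 1].split(".")[-1]
    return domain.split(".")[-2] if "." in domain else domain


def flag_lookalikes(candidates, brands, max_distance=1):
    """Return (candidate, matched brand, reason) for each suspicious candidate."""
    official = {brand_label(b): b for b in brands}
    owned = {b.lower() for b in brands}
    findings = []
    for cand in candidates:
        if cand.lower() in owned:
            continue
        label = brand_label(cand)
        for bl, bdom in official.items():
            if label == bl:
                reason = "same name on a different suffix"
            elif normalise(label) == bl:
                reason = "confusable characters"
            elif edit_distance(label, bl) <= max_distance:
                reason = f"edit distance {edit_distance(label, bl)}"
            elif bl in label and len(label) > len(bl):
                reason = "brand embedded in longer name"
            else:
                continue
            findings.append((cand, bdom, reason))
            break
    return findings


def run_example():
    return flag_lookalikes(CANDIDATES, BRANDS)


if __name__ == "__main__":
    for cand, brand, reason in run_example():
        print(f"{cand:28} ~ {brand:20} {reason}")
```

Each finding is a triage lead, not proof of abuse: the next step is checking registration date, name servers and whether the host serves a login page, which is the kind of evidence the report counts as a "suspicious" rather than a confirmed malicious domain.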
Data storage legal knowledge in decline, says survey
A declining number of C-suite executives are aware of the laws around storing confidential data, according to a survey.
Little more than half of executives (52 per cent) questioned in this year’s Shred-it Security Tracker claimed to be ‘very aware’ of the legal requirements concerning the storage and disposal of confidential data, compared with 67 per cent last year.
Only 46 per cent of C-suite executives were aware there was a financial cost associated with a data breach.
Thirty-nine per cent of respondents from large organisations said that additional legislation would put pressure on their organisation to change their information security policies.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=40ef49b6b9&e=20056c7556
Research Spotlight: ROPMEMU – A Framework for the Analysis of Complex Code-Reuse Attacks
Attacks have grown more and more complex over the years.
The evolution of the threat landscape demonstrates this: as mitigations have improved, adversaries have had to modify their tactics to bypass them and still compromise systems.
Code-reuse attacks, such as return-oriented programming (ROP), are part of this evolution and currently present a challenge to defenders as it is an area of research that has not been studied in depth.
Today, Talos releases ROPMEMU, a framework to analyze complex code-reuse attacks.
In this blog post, we will identify and discuss the challenges and importance of reverse engineering these code-reuse instances.
We will also present the techniques and the components of the framework to dissect these attacks and simplify analysis.
Code-reuse attacks are not new or novel.
They’ve been around since 1997 when the first ret2libc attack was demonstrated.
Since then, adversaries have been moving towards code-reuse attacks as code injection scenarios have gotten much more difficult to successfully leverage due to the increasing number of software and hardware mitigations.
Improved defenses have resulted in more complex attacks being developed to bypass them.
In recent years, malware writers have also started to adopt return-oriented programming (ROP) paradigms to hide malicious functionality and hinder analysis.
For readers who are not familiar with ROP and want to learn more, we invite you to please read Shacham’s formulation.
ROPMEMU is the first step in enabling the automated analysis of code-reuse attacks.
As this is an ongoing area of research and ROPMEMU is a research prototype, it does lack some functionality to operate on generic inputs and to cope with all possible code-reuse instances.
However, we believe it can be a valuable tool during investigations dealing with such threats as we continue to research and develop this framework further.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=fd45c3332a&e=20056c7556
Infographic – Deep web illegal activity exceeds approximately $100,000,000
A recent survey conducted by the U.S. government found that over half of all American internet users have cut back on their online activity due to cyber security concerns.
In particular, many of these concerns related to identity theft as tens of millions of people have lost private information over the past few years.
The infographic shared below, which was created by Norwich University’s Online Master’s Degree in Information Assurance program, highlights deep web crime and identity theft by noting a number of astonishing statistics, such as that the yearly revenue of deep web illegal activity exceeds approximately $100,000,000.
For more information, check out the full visual resource below.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=2d55655503&e=20056c7556
============================================================
Feedback, questions? Our mailing address is: dailynews@paulgdavis.com (mailto:dailynews@paulgdavis.com)
If you know someone else who would be interested in this Newsalert, please forward this email.
If you want to be added to the distribution list, please click this: Subscribe to this list (http://paulgdavis.us3.list-manage1.com/subscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a)
Unsubscribe from this list (http://paulgdavis.us3.list-manage1.com/unsubscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556&c=f7278b2269)
Update subscription preferences (http://paulgdavis.us3.list-manage.com/profile?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556)