[From the desk of Paul Davis – his opinions and no-one else’s, apart from the reporter’s opinions]
* Cybersecurity spending: more does not necessarily mean better
* How to build cybersecurity into outsourcing contracts
* Calgary Emergency Management Agency releases current list of top 10 hazards and risks in Calgary
* New SCAM model to detect phishing attacks
* Dell SecureWorks’ third annual Underground Hacker Report
* Gartner Announces Security & Risk Management Summit 2016
* Cyber Risk 2016 – Comprehensive Overview of the Key Developments in Cyber Security within the Financial Space – Research and Markets
* Google boosts network Safe Browsing with malware, social engineering alerts
* Tripwire Study: Energy Sector Sees Dramatic Rise in Successful Cyber Attacks
* Unsecured Vendor Access Creates the Perfect Storm for Cyber Attacks
* Federal Cybersecurity by the Numbers: The Biggest Spenders and the Biggest Threats
* Important Notice Regarding Amendments to Tennessee’s Breach Notification Statute
* ‘Asleep at the wheel’: cybersecurity experts continue tirade against Hong Kong firms as ransomware attacks proliferate
* ISO to Collect Cyber Insurance Data to Help Mitigate Risk Related to Cybersecurity Attacks
Cybersecurity spending: more does not necessarily mean better
Cybersecurity budgeting should start with a holistic and comprehensive risk assessment.
Once all threats and vulnerabilities are listed and prioritized, companies can proceed to a properly managed RFP to select the right security controls.
An alarming signal comes from PwC’s State of Cybercrime Survey: almost half (47%) of respondents said that adding new technologies is their main spending priority, higher than all other initiatives.
Only 24% said that cybersecurity strategy redesign is a priority, and as few as 15% consider cybersecurity knowledge sharing a priority.
According to EY’s Global Information Security Survey 2015, 69% of respondents say their information security budget needs to rise by up to 50% to protect the company in line with management’s risk tolerance.
At the same time, only 40% of the respondents hold an accurate inventory of their ecosystem (data, network connections, third-party providers), and as few as 34% would rate their security monitoring as mature or very mature.
According to the above-mentioned PwC survey, as many as 91% of the respondents have adopted a risk-based cybersecurity framework, such as ISO 27001 or NIST Cybersecurity Framework.
Therefore, if we don’t want the cybersecurity bubble to burst, we should first ask which risk a particular cybersecurity product or solution mitigates, then ask ourselves whether all risks with higher priority have already been addressed, and only then start an RFP to select the most competitive product on the market.
Otherwise, you’re pouring money down the drain.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=dcb5984bd2&e=20056c7556
How to build cybersecurity into outsourcing contracts
Any time a company shares data or provides access to third parties, it increases its vulnerability to unauthorized access or breach.
So in today’s IT environment — in which enterprises partner with multiple IT service providers, which in turn may have multiple subcontractors — cyber risks increase exponentially.
CIO.com talked to Roy and Lei Shen, senior associate in the cybersecurity and data privacy practice at Mayer Brown, about the potential impact of security incidents arising from IT outsourcing or cloud computing engagements, the shortcoming of cloud computing contracts with regards to customer cyber risk protection, the key contractual provisions for mitigating these risks in an evolving regulatory landscape, and the importance of ongoing review in this rapidly changing area.
To adequately cover cybersecurity risks, the standard outsourcing contract has to include clear technical and legal compliance requirements and the right for the customer to monitor and otherwise verify the vendor’s compliance with such requirements.
To align incentives, the contract should make the vendor liable for the costs of breaches that it or its subcontractors cause, including the costs of notification, remediation, fines and similar costs.
Well-crafted standard outsourcing agreements should contain these types of protections.
However, the contractual protections are only adequate when combined with effective oversight and enforcement by the customer.
The key contractual provisions to mitigate cyber risk are: (1) the security standards required of the vendor; (2) restrictions on subcontracting; (3) employee-related protections, such as background checks and training; (4) security testing; (5) security audits; (6) security incident reporting and investigation; (7) data retention and use restrictions; (8) customer data access rights; and (9) vendor liability for cyber incidents.
The regulatory landscape has evolved and will continue to evolve for the foreseeable future.
Outsourcing agreements should include a requirement that the vendor implement changes as needed to adapt to regulatory changes.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=75fa29755a&e=20056c7556
Calgary Emergency Management Agency releases current list of top 10 hazards and risks in Calgary
Top 10 hazards and risks in Calgary
1) Flood (Overland flooding from extreme rainfalls, high water in the Bow, Elbow Rivers) — 19 per cent of mitigation strategy efforts.
2) Blizzard/snowstorm (Severe snow, ice emergencies, may also be accompanied by cold temperatures) — 10 per cent.
3) Hail (Severe weather, temperature changes in the height of summer heat) — six per cent.
4) Windstorm (Calgary reports an average of 13 days/year with wind speeds exceeding 63 km/hour) — eight per cent.
5) Infrastructure failure (Failure, malfunction of essential systems) — 11 per cent.
6) Major planned events (Events ranging in size from small protests to festivals involving thousands of participants) — nine per cent.
7) Explosion/fire (Includes residential, commercial and urban forested areas) — 13 per cent.
8) Telecommunications failure (Failure, malfunction of telephone, communication systems) — six per cent.
9) Energy supply emergency (May be an emergency on their own or part of another emergency event) — 12 per cent.
10) Rail incident (Includes derailments, collisions and crossing accidents) — six per cent.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=e4b4c347dc&e=20056c7556
New SCAM model to detect phishing attacks
The Suspicion, Cognition and Automaticity Model encourages a new approach to training that is based on individual, predictive profiles of computer users
The Suspicion, Cognition and Automaticity Model (SCAM) explains what contributes to the origin of suspicion by accounting for a user’s email habits and two ways of processing information: heuristics, or rules of thumb that lead to snap judgments about a message’s content; and a deeper, systematic processing of an email’s content.
A fourth measure—cyber-risk beliefs—taps into the individual’s perception about risks associated with online behaviours, according to Vishwanath.
Vishwanath’s study, which is part of a larger research programme to understand the people-problems of cybersecurity, tested the model by actually simulating different types of phishing attacks on real-world subjects.
The point for Vishwanath is that most anti-phishing measures are trying to stop attacks under the assumption that they know why people fall prey to such attacks, rather than actually figuring out why the attacks are working.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=a8daf616b2&e=20056c7556
Dell SecureWorks’ third annual Underground Hacker Report
Today, Dell SecureWorks released its third annual Underground Hacker Markets Report.
For the report, Dell SecureWorks’ security experts tracked hackers on numerous underground hacker forums and marketplaces all over the world, particularly the Russian underground and on English-speaking marketplaces, so as to identify the emerging and current trends on the Deep Web.
Highlights include the following statistics:
• The price for stolen Visa Classic and MasterCard credit cards, with Track 1 and Track 2 data, from New Zealand has increased by $5 to $25
• The price for stolen Premium Visa Classic and MasterCard credit cards, with Track 1 and Track 2 data, from New Zealand has increased by approximately $12 to $35 for Visa, while the MasterCard price remains unchanged at $35
• Stolen bank account credentials, for financial accounts located in New Zealand, cost up to $4,750, for an account with a balance of $62,567
• Hackers are charging up to $129 to hack social media and email accounts, including Gmail and Facebook
• Hackers are offering businesses the opportunity to disrupt their competitors with Distributed Denial of Service (DDoS) attacks, costing $5 per hour, $50 per day, $350 per week or $1,000 per month
• Prices for certain types of malicious software have dropped substantially, e.g. a common and popular Remote Access Trojan (RAT) now costs between $5 and $10
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=c217316fcc&e=20056c7556
Gartner Announces Security & Risk Management Summit 2016
What: Gartner Security & Risk Management Summit 2016
When: June 13-16, 2016
Where: Gaylord National Resort & Convention Center, National Harbor, MD
Hot topics to be covered:
Cybersecurity
Enabling a safer cloud
Mobile security for digital business
Security and risk strategy
Internet of Things, network and endpoint security challenges
Crisis/incident command and management
Regulatory changes on global business operations
Recovery from a targeted cyberattack
Transitioning from recovery to resilience
Governance, risk and compliance
Emerging security technologies
Optimizing security information and event management and threat intelligence tools
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=a9534ca188&e=20056c7556
Cyber Risk 2016 – Comprehensive Overview of the Key Developments in Cyber Security within the Financial Space – Research and Markets
Research and Markets has announced the addition of the “Cyber Risk” book to their offering.
This multi-contributor book provides readers with a comprehensive overview of the key developments in cyber security within the financial space, enabling them to learn solutions to critical issues and formulate a good practice methodology that ensures they stay ahead of the latest threats.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=075a04e3d8&e=20056c7556
Google boosts network Safe Browsing with malware, social engineering alerts
Google has announced an upgrade for Safe Browsing Alerts which adds information on additional threats to help network administrators protect their users.
In a blog post on Wednesday, Google software engineer Nav Jagpal said that since the tool’s launch, over 22,000 Autonomous System Number (ASN) networks are being monitored and 1,300 network administrators are actively using Google’s software.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=132a86afe3&e=20056c7556
Tripwire Study: Energy Sector Sees Dramatic Rise in Successful Cyber Attacks
Tripwire, Inc., a leading global provider of endpoint detection and response, security and compliance solutions, today announced the results of a study conducted for Tripwire by Dimensional Research.
The study, which was carried out in November 2015, assessed cyber security challenges faced by organizations in the energy sector.
Study respondents included over 150 IT professionals in the energy, utilities, and oil and gas industries.
When asked if their organization had experienced a rise in successful cyber attacks in the last 12 months, seventy-seven percent of the respondents in Tripwire’s study replied, “yes.” In addition, more than two-thirds of the respondents (sixty-eight percent) said the rate of successful cyber attacks had increased by over twenty percent in the last month.
Additional findings from the study include:
Energy executives were more than twice as likely to believe their organization detected every cyber attack (forty-three percent) than nonexecutives (seventeen percent).
In the last 12 months, seventy-eight percent of the respondents said they experienced a cyber attack from an external source, and thirty percent have seen an attack from an inside employee.
Forty-four percent of the respondents indicated they have not gathered enough information to identify the sources of cyber attacks on their organizations.
Nearly one-fourth (twenty-two percent) of the respondents admitted their organizations do not have business processes to identify sensitive and confidential information.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=80d26f625a&e=20056c7556
Unsecured Vendor Access Creates the Perfect Storm for Cyber Attacks
– Groundbreaking Vendor Vulnerability study finds an increasing trust and dependence on third-party vendors with access to IT systems is opening organizations up to cyber-security breaches.
– Sixty-four percent of organizations expect to experience a serious information breach this year as a result of vendor activity, according to Vendor Vulnerability research from Bomgar.
The report uncovered a high level of trust in third-party vendors, but a low level of visibility of vendor access to IT systems. 92 percent of respondents say they trust vendors completely or most of the time, although two-thirds (67 percent) admit they tend to trust vendors too much.
Astonishingly, only 34 percent knew the number of log-ins to their network attributed to third-party vendors, and 69 percent admitted they had definitely or possibly suffered a security breach resulting from vendor access in the past year.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=a06810ad52&e=20056c7556
Federal Cybersecurity by the Numbers: The Biggest Spenders and the Biggest Threats
The following charts show how agencies have plugged long-festering critical vulnerabilities, which agencies are ponying up the most cash for IT security and some of the common threats faced across agencies.
First, the good news.
The chart above shows the progress agencies, under orders from the Homeland Security Department, made patching the number of active critical vulnerabilities.
Congress empowered DHS, through 2014 legislation, to issue “binding operational directives” for fixing urgent problems.
DHS first used the authority last spring in the wake of the massive hack of background check records at the Office of Personnel Management.
However, fewer agencies last year received passing grades from their inspectors general, who are responsible for examining agencies’ information security programs.
The chart above shows just one agency — the General Services Administration — scored higher than 90 percent on the assessment.
That’s down from five agencies in the previous year’s report.
The average score of 68 percent is an 8 percent decrease from the last report.
No surprise the Defense Department is far and away the biggest spender on information security — dropping $9.1 billion last year on security tools and services.
The only other agency to crack eight figures was DHS.
It’s not shown on the chart above, but the most frugal agency when it comes to infosec spending was — of all agencies — OPM.
Even with the massive hack last year, the agency spent just $7 million on cybersecurity.
This spending does not encompass all IT spending by an agency.
Instead, it covers spending on things like intrusion prevention tools, cyber threat analysis, employee security testing, identity management tools and incident response services.
As we already noted, federal agencies reported more than 77,000 “cyberincidents” to the U.S. Computer Emergency Readiness Team last year.
However, that term encompasses a wide variety of activity.
Not all of it is all that nefarious and some incidents don’t really have much to do with computers.
For example, agencies across government reported 12,217 “noncyber” incidents last year, which don’t have anything to do with sophisticated hackers and could simply describe misfiled paperwork.
The chart above shows the number of malware attacks reported by agencies.
Last year, NASA reported more than 1,500 successful downloads of malware that had not been immediately quarantined or wiped out by regular antivirus protection.
In contrast, OPM (not shown in the chart) reported just four successful malware attacks.
Finally, the DHS-run EINSTEIN intrusion-detection and prevention tool picked up more than 2,900 cases of suspicious network activity.
The reported cases are compiled from incident reports automatically generated by EINSTEIN.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=04538adbd7&e=20056c7556
Important Notice Regarding Amendments to Tennessee’s Breach Notification Statute
All companies with Tennessee employees or customers need to revise their data incident policies and procedures.
Tennessee has revised its breach notification statute to remove the encryption safe harbor, which previously obviated the need to notify individuals when encrypted assets containing personal information were lost, stolen or compromised.
Tennessee is the first state in the nation to remove the safe harbor.
The law also amends the statute to clarify when an unauthorized disclosure has occurred.
The amendment now specifies that an “unauthorized person” includes an employee of the organization who is discovered to have obtained personal information and intentionally used it for an unlawful purpose.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=7f1beb4592&e=20056c7556
‘Asleep at the wheel’: cybersecurity experts continue tirade against Hong Kong firms as ransomware attacks proliferate
Organisations in Hong Kong are ill-prepared to deal with rising ransomware attacks, cybersecurity experts said this week after scores of incidents were reported to local authorities in the last two months.
At least 40 ransomware attacks have been reported to the Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) since February, according to SC Leung, a senior consultant at the body.
He said the number of known incidents is likely to be only a “small fraction” of the total.
Security outfit Fortinet detected almost 24,000 cases of Locky ransomware attempts in Hong Kong in March, four times more than in February, according to the company’s security strategist Jack Chan.
“The management of most Hong Kong organisations are quite frankly asleep at the wheel when it comes to cybersecurity and the enormous level of risk involved,” said Michael Gazeley, CEO of security company Network Box.
“In many cases, companies invest a lot of money in what they think will protect them from attacks, but when they occur they find that they have absolutely no protection at all.”
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=225a627731&e=20056c7556
ISO to Collect Cyber Insurance Data to Help Mitigate Risk Related to Cybersecurity Attacks
JERSEY CITY, N.J., April 6, 2016 – ISO will collect, aggregate, and analyze cyber insurance data to help address a major issue facing today’s cyber insurance market: the need for more detailed underwriting and rating information.
ISO is a Verisk Analytics (Nasdaq:VRSK) business.
ISO is currently collecting premium, exposure, and loss data for cyber liability and first-party coverages written between 2010 and 2014 from insurers that choose to participate.
After ISO aggregates and analyzes the data, it will be available to insurers that submitted data.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=59ecaf7dfe&e=20056c7556
============================================================
Feedback, questions? Our mailing address is: dailynews@paulgdavis.com (mailto:dailynews@paulgdavis.com)
If you know someone else who would be interested in this Newsalert, please forward this email.