{"id":1027,"date":"2016-07-08T00:00:00","date_gmt":"2016-07-08T00:00:00","guid":{"rendered":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/2016\/07\/08\/it-security-news-2017-07-08\/"},"modified":"2021-12-30T11:38:37","modified_gmt":"2021-12-30T11:38:37","slug":"it-security-news-2017-07-08","status":"publish","type":"post","link":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/2016\/07\/08\/it-security-news-2017-07-08\/","title":{"rendered":"IT Security News &#8211; 2017-07-08"},"content":{"rendered":"<h2><a id=\"a_toc\">Table of Contents<\/a><\/h2>\n<ul>\n<li>Commission boosts cybersecurity industry and steps up efforts to tackle cyber-threats<\/li>\n<li>Endpoint and Network Security: The rise of \u201cDefense in Depth\u201d<\/li>\n<li>EU to invest \u20ac450 million in cybersecurity partnership fund<\/li>\n<li>The Information Security Leader, Part 1: Two Distinct Roles, Four Fundamental Questions and Three Persistent Challenges<\/li>\n<li>Password Sharing Is a Federal Crime, Appeals Court Rules<\/li>\n<li>French internet security report urges use of best practice<\/li>\n<li>Meeting the cyberchallenge<\/li>\n<li>BT : Industrialisation Of Cybercrime Is Disrupting Digital Enterprises<\/li>\n<li>Brian Krebs at TMG Executive Summit: Financial institutions have to empower security leaders<\/li>\n<li>Microsoft Cybersecurity Advocates for Coordinated Norms<\/li>\n<\/ul>\n
<p><img decoding=\"async\" height = \"16\" width = \"16\" src=\"http:\/\/europa.eu\/favicon.ico\"><\/img> <b>Commission boosts cybersecurity industry and steps up efforts to tackle cyber-threats<\/b>  <\/p>\n<p>\t \tSince the adoption of the EU Cybersecurity Strategy in 2013, the European Commission has stepped up its efforts to better protect Europeans online.<br \/>It has adopted a set of legislative proposals, in particular on network and information security, earmarked more than \u20ac600 million of EU investment for research and innovation in cybersecurity projects during the 2014-2020 period, and fostered cybersecurity cooperation within the EU and with partners on the global stage.  <br \/>But more work is needed to address the increasing number and complexity of cyber-threats.<br \/>This is why the Commission proposes today a series of measures to reinforce cooperation to secure Europe&#39;s digital economy and society, and to help develop innovative and secure technologies, products and services throughout the EU.  <br \/>The Commission has proposed an action plan to further strengthen Europe\u2019s cyber resilience and its cybersecurity industry.<br \/>This includes measures to:  <br \/>&#8211; Step up cooperation across Europe  <br \/>&#8211; Support the emerging single market for cybersecurity products and services in the EU  <br \/>&#8211; Establish a contractual public-private partnership (PPP) with industry   <br \/>The EU Cybersecurity Strategy and the forthcoming NIS Directive already lay the groundwork for improved EU-level cooperation and cyber resilience.  
<br \/>The forthcoming NIS Directive establishes two coordination mechanisms:<br \/>&#8211; the Cooperation Group, which supports strategic cooperation and exchange of relevant information related to cyber incidents among Member States, and<br \/>&#8211; the Network of Computer Security Incident Response Teams (the so-called CSIRT network), which promotes swift and effective operational cooperation on specific cybersecurity incidents and sharing of information about risks.<br \/>\n\t\t\t<font color=\"blue\"><b>Link:<\/b><\/font> <a href=\"http:\/\/europa.eu\/rapid\/press-release_MEMO-16-2322_en.htm\">http:\/\/europa.eu\/rapid\/press-release_MEMO-16-2322_en.htm<\/a> <\/p>\n<p><img decoding=\"async\" height = \"16\" width = \"16\" src=\"http:\/\/www.information-management.com\/favicon.ico\"><\/img> <b>Endpoint and Network Security: The rise of \u201cDefense in Depth\u201d<\/b>  <\/p>\n<p>\t \tWhile there is an important place for network security, the simple fact that no system will ever be 100% secure highlights the need for additional layers of security.<br \/>Network security solutions often try to filter dangerous content before it reaches vulnerable endpoints, but isn\u2019t it better if we can make the endpoints less vulnerable?<br \/>With this in mind, the best strategy is to build security from the endpoint out &#8211; reducing the attack surface and building defendable infrastructure.  <br \/>While network-based security solutions can attempt to block threats before they hit the endpoint, the major problem with this approach is that companies that rely heavily on network security end up with an \u201ceggshell\u201d security stance \u2013 whereby a system is reliant on a single outer shell to protect all of the organization\u2019s data.  
<br \/>The main difficulty faced by detection solutions is the impossible trade-off between security and usability.<br \/>Namely, all threats need to be deeply analyzed, but security teams simply cannot make employees wait while they address these issues, which would reduce productivity and staff morale.  <br \/>Intel Security found that more than 30% of organizations disable network-based security features for this exact reason.<br \/>Malware authors know this, and therefore will create attacks that simply lie dormant for a period of time to bypass the network sandbox.<br \/>This has caused malware to evolve new methods of avoiding network security products, including:<br \/>\u2022 Delayed onset<br \/>\u2022 Detecting a virtualized environment<br \/>\u2022 Checking the number of CPU cores (a network sandbox usually only presents one)<br \/>\u2022 Checking whether the user is real (monitoring mouse movement, etc.)<br \/>\u2022 Exploiting the virtual environment to escape  <br \/>The most effective way to complement a strong network defense is by reducing the attack surface of the endpoint.  
<br \/>1) Removing administrator privileges  <br \/>2) Application whitelisting  <br \/>3) Sandboxing  <br \/>A bank doesn\u2019t leave the vault door open just because it has a security guard on the door \u2013 it starts from the vault and layers security outward.<br \/>If the endpoint isn\u2019t secure, and security admins do not ensure that both systems work in tandem, companies simply risk losing data, intellectual property, resources, money and, invaluably, trust \u2013 in other words, everything.<br \/>\n\t\t\t<font color=\"blue\"><b>Link:<\/b><\/font> <a href=\"http:\/\/www.information-management.com\/news\/security\/endpoint-and-network-security-the-rise-of-defense-in-depth-10029240-1.html\">http:\/\/www.information-management.com\/news\/security\/endpoint-and-network-security-the-rise-of-defense-in-depth-10029240-1.html<\/a> <\/p>\n<p><b>EU to invest \u20ac450 million in cybersecurity partnership fund <\/b> <\/p>\n<p>\t \tThe Commission said that it will invest an initial \u20ac450 million in the partnership and expects organisations including national, regional and local government bodies, research centres and academia to invest three times as much.  <br \/>The partnership will bring companies together for research into cybersecurity solutions for different sectors including energy, health, transport and finance, the Commission said.  
<br \/>The Commission will encourage EU countries to make use of the cooperation mechanisms that will be established under the new Network and Information Security (NIS) Directive, which is expected to be adopted by the European Parliament this week.<br \/>\n\t\t\t<font color=\"blue\"><b>Link:<\/b><\/font> <a href=\"http:\/\/www.out-law.com\/en\/articles\/2016\/july\/eu-to-invest-450-million-in-cybersecurity-partnership-fund\/\">http:\/\/www.out-law.com\/en\/articles\/2016\/july\/eu-to-invest-450-million-in-cybersecurity-partnership-fund\/<\/a> <\/p>\n<p><img decoding=\"async\" height = \"16\" width = \"16\" src=\"https:\/\/securityintelligence.com\/favicon.ico\"><\/img> <b>The Information Security Leader, Part 1: Two Distinct Roles, Four Fundamental Questions and Three Persistent Challenges<\/b>  <\/p>\n<p>\t \tThis kernel of wisdom comes from a certain high-tech headhunter in the late 1980s, who passed it on as she was helping her candidates prepare for their next job.<br \/>Twenty years later, it showed up again in \u201cWhat Got You Here Won\u2019t Get You There,\u201d a best-selling business book by Marshall Goldsmith.   <br \/>Two Distinct Roles  <br \/>As recommended in a strategy map for security leaders, successful next-generation CISOs should strive for their information security teams to be perceived by key stakeholders as being strong in both of two distinct roles:   <br \/>&#8211; Subject matter experts  <br \/>&#8211; Trusted advisers  <br \/>Four Fundamental Questions  <br \/>1) What\u2019s the risk?  <br \/>2) What\u2019s the annualized risk in the specific context?  <br \/>3) How does an incremental investment quantifiably reduce risk?  
<br \/>4) How does one investment compare to another?  <br \/>Three Persistent Challenges  <br \/>1) A language challenge  <br \/>2) A measurement challenge  <br \/>3) A communications challenge<br \/>\n\t\t\t<font color=\"blue\"><b>Link:<\/b><\/font> <a href=\"https:\/\/securityintelligence.com\/the-information-security-leader-part-1-two-distinct-roles-four-fundamental-questions-and-three-persistent-challenges\/\">https:\/\/securityintelligence.com\/the-information-security-leader-part-1-two-distinct-roles-four-fundamental-questions-and-three-persistent-challenges\/<\/a> <\/p>\n<p><img decoding=\"async\" height = \"16\" width = \"16\" src=\"http:\/\/motherboard.vice.com\/favicon.ico\"><\/img> <b>Password Sharing Is a Federal Crime, Appeals Court Rules<\/b>  <\/p>\n<p>\t \tOne of the nation\u2019s most powerful appeals courts ruled Wednesday that sharing passwords can be a violation of the Computer Fraud and Abuse Act, a catch-all \u201chacking\u201d law that has been widely used to prosecute behavior that bears no resemblance to hacking.  <br \/>In this particular instance, the conviction of David Nosal, a former employee of the Korn\/Ferry International research firm, was upheld by the Ninth Circuit Court of Appeals, which said that Nosal\u2019s use of a former coworker\u2019s password to access one of the firm\u2019s databases was an \u201cunauthorized\u201d use of a computer system under the CFAA.   
<br \/>At issue is language in the CFAA that makes it illegal to access a computer system \u201cwithout authorization.\u201d Judge McKeown said that \u201cwithout authorization\u201d is \u201can unambiguous, non-technical term that, given its plain and ordinary meaning, means accessing a protected computer without permission.\u201d The question that legal scholars, groups such as the Electronic Frontier Foundation, and dissenting judge Stephen Reinhardt ask is an important one: Authorization from whom?<br \/>\n\t\t\t<font color=\"blue\"><b>Link:<\/b><\/font> <a href=\"http:\/\/motherboard.vice.com\/read\/password-sharing-is-a-federal-crime\">http:\/\/motherboard.vice.com\/read\/password-sharing-is-a-federal-crime<\/a> <\/p>\n<p><b>French internet security report urges use of best practice <\/b> <\/p>\n<p>\t \tAn official report on internet security in France has urged all players in the sector to follow best practice recommendations for securing the BGP, DNS and TLS protocols.  <br \/>The Resilience of the French Internet report also encouraged all those in the sector to prepare themselves against the distributed denial-of-service (DDoS) attacks that have been behind some of the higher-profile failures of internet services.  
<br \/>The 2015 report, the fifth of its kind, made the following principal recommendations: monitor prefix advertisements, and be prepared to react in case of hijacking; use protocols that support forward secrecy and discontinue the increasingly vulnerable SSLv2 protocol and SHA-1 algorithm; diversify SMTP and DNS servers in order to improve the robustness of the infrastructure; apply best practices to limit the effects of failures and operational errors; and pursue the deployment of IPv6, DNSSEC and RPKI to help develop skills and to anticipate possible operational problems.<br \/>\n\t\t\t<font color=\"blue\"><b>Link:<\/b><\/font> <a href=\"http:\/\/www.telecompaper.com\/news\/french-internet-security-report-urges-use-of-best-practice--1152056\">http:\/\/www.telecompaper.com\/news\/french-internet-security-report-urges-use-of-best-practice--1152056<\/a> <\/p>\n<p><img decoding=\"async\" height = \"16\" width = \"16\" src=\"http:\/\/www.washingtontimes.com\/favicon.ico\"><\/img> <b>Meeting the cyberchallenge<\/b>  <\/p>\n<p>\t \tEach year, the United States falls farther behind in educating K-12 students in science, technology, engineering and math (STEM).<br \/>It falls behind in teaching the next generation of technology workers for American companies.<br \/>And it falls behind in instructing cybersecurity professionals who will help protect our country.<br \/>This deficiency puts our national security at greater risk.<br \/>After years of analyzing this challenge, it\u2019s now time for the federal government to act and help address this vulnerability.<br \/>Congress should invest in the future by providing adequate resources for K-12 computer science education for the next fiscal year, especially in this transition period between presidential administrations.  
<br \/>In addition, at a time of increasing cyberthreats and greater complexity in cyberwarfare, the nation also needs skilled cybersecurity professionals.<br \/>We now require individuals who can design weapons to support U.S. warfighters and provide cyberdefense for our country\u2019s assets.<br \/>Our cyberstrength relative to that of our nation\u2019s adversaries is too vital to ignore.<br \/>\n\t\t\t<font color=\"blue\"><b>Link:<\/b><\/font> <a href=\"http:\/\/www.washingtontimes.com\/news\/2016\/jul\/4\/meeting-the-cyberchallenge\/\">http:\/\/www.washingtontimes.com\/news\/2016\/jul\/4\/meeting-the-cyberchallenge\/<\/a> <\/p>\n<p><img decoding=\"async\" height = \"16\" width = \"16\" src=\"http:\/\/www.4-traders.com\/favicon.ico\"><\/img> <b>BT : Industrialisation Of Cybercrime Is Disrupting Digital Enterprises<\/b>  <\/p>\n<p>\t \tDALLAS, July 5, 2016 \/PRNewswire\/ &#8212; Only a fifth of IT decision makers in large multinational corporations are confident that their organisation is fully prepared against the threat of cyber-criminals.<br \/>The vast majority of companies feel constrained by regulation, available resources and a dependence on third parties when responding to attacks, according to new research from BT and KPMG.  <br \/>The report, Taking the Offensive &#8211; Working Together to Disrupt Digital Crime, finds that, while 94 per cent of IT decision makers are aware that criminal entrepreneurs are blackmailing and bribing employees to gain access to organisations, roughly half (47 per cent) admit that they don&#39;t have a strategy in place to prevent it.  
<br \/>The report also finds that 97 per cent of respondents experienced a cyber-attack, with half of them reporting an increase in the last two years.<br \/>At the same time, 91 per cent of respondents believe they face obstacles in defending against digital attacks, with many citing regulatory obstacles, and 44 per cent being concerned about the dependence on third parties for aspects of their response.  <br \/>Mark Hughes, CEO of BT Security, said: &quot;The industry is now in an arms race with professional criminal gangs and state entities with sophisticated tradecraft.<br \/>The twenty-first century cyber criminal is a ruthless and efficient entrepreneur, supported by a highly developed and rapidly evolving black market.&quot;  <br \/>The BT-KPMG report shows that Chief Digital Risk Officers (CDROs) are now being appointed to hold strategic roles which combine digital expertise with high-level management skills.<br \/>With 26 per cent of respondents confirming that a CDRO has already been appointed, the report&#39;s data suggests that the security role and accountability for it are being re-examined.<br \/>\n\t\t\t<font color=\"blue\"><b>Link:<\/b><\/font> <a href=\"http:\/\/www.4-traders.com\/BT-GROUP-PLC-11943\/news\/BT-Industrialisation-Of-Cybercrime-Is-Disrupting-Digital-Enterprises-22632905\/\">http:\/\/www.4-traders.com\/BT-GROUP-PLC-11943\/news\/BT-Industrialisation-Of-Cybercrime-Is-Disrupting-Digital-Enterprises-22632905\/<\/a> <\/p>\n<p><b>Brian Krebs at TMG Executive Summit: Financial institutions have to empower security leaders <\/b> <\/p>\n<p>\t \tDES MOINES, IA (July 7, 2016) \u2014 TMG Executive Summit keynote speaker Brian Krebs told a room full of credit union and community bank leaders that layers of technology are not enough to stop a data breach.<br \/>Instead, the investigative reporter insisted, security is only as effective as the people managing it for you.  
<br \/>\u201cOrganizations buy into the idea that doing security right is layering on the right mix of technology software and services, and that this magic combination will block 99 percent of attacks,\u201d said Krebs, mastermind behind the popular Krebs on Security blog. \u201cIt\u2019s just not true.<br \/>It\u2019s very expensive to do security right, and that\u2019s partly because the actual security of your organization comes from security specialists.\u201d  <br \/>It\u2019s not uncommon, Krebs said, for an organization to look at its event logs for the first time after someone like him gives them a call.<br \/>He devotes a lot of energy to breach notification.<br \/>Comparing the experience of being notified of a breach to the five stages of grief, Krebs says the people he notifies are almost always in denial. \u201cThose with a high degree of security maturity skip through the first stages and go straight to depression,\u201d Krebs said to a roomful of nervous laughter.  <br \/>Phishing, he said, is becoming increasingly sophisticated, even though some cybersecurity experts talk about it as a solved problem.<br \/>Over a span of three weeks, Krebs notified several different companies of phishing threats facing their C-suites.<br \/>He had seen actual communications spoofing CEO email addresses on the dark web.<br \/>No one from any of these vulnerable organizations returned his calls.  
<br \/>Krebs concluded his hour-long talk by coming back to his point about the importance of human security leadership.<br \/>The head of security, Krebs advised, should always report to the COO, CEO or the board of directors.<br \/>Organizations with what he calls a high degree of security maturity have created separation between IT and security: \u201cThe surest way to deny your security people any say is to have them report to the head of IT.\u201d<br \/>\n\t\t\t<font color=\"blue\"><b>Link:<\/b><\/font> <a href=\"https:\/\/www.cuinsight.com\/press-release\/brian-krebs-tmg-executive-summit-financial-institutions-empower-security-leaders\">https:\/\/www.cuinsight.com\/press-release\/brian-krebs-tmg-executive-summit-financial-institutions-empower-security-leaders<\/a> <\/p>\n<p><img decoding=\"async\" height = \"16\" width = \"16\" src=\"https:\/\/securityintelligence.com\/favicon.ico\"><\/img> <b>Microsoft Cybersecurity Advocates for Coordinated Norms<\/b>  <\/p>\n<p>\t \tMicrosoft wants new standards for the cybersecurity world, a vision proposed in its recently published paper \u201cFrom Articulation to Implementation: Enabling Progress on Cybersecurity Norms.\u201d   <br \/>Overall, the Microsoft cybersecurity viewpoint emphasizes the need for a consensus across the industry.<br \/>Specifically, the company wants to establish norms regarding the effective disclosure of security issues as well as methods to deal with the attribution of hostile acts directed at software.   <br \/>What Microsoft wants is a \u201ccoordinated disclosure\u201d approach.<br \/>This is a variant of responsible disclosure that also allows disclosure to computer emergency response teams (CERTs) along with the vendor.<br \/>The company believes that public disclosure should only happen after a patch has been issued and argues that this should be the new cybersecurity norm.   
<br \/>But Juan Andres Guerrero-Saade, a senior security researcher at Kaspersky Lab, may have identified a problem with trying to establish any norms.<br \/>He told SecurityWeek that \u201cthe whole concept of norms assumes that they relate to some homogeneous body guided by the same basic principles.<br \/>That clearly isn\u2019t so in cyberspace.\u201d<br \/>\n\t\t\t<font color=\"blue\"><b>Link:<\/b><\/font> <a href=\"https:\/\/securityintelligence.com\/news\/microsoft-cybersecurity-advocates-for-coordinated-norms\/\">https:\/\/securityintelligence.com\/news\/microsoft-cybersecurity-advocates-for-coordinated-norms\/<\/a> <\/p>\n","protected":false},"excerpt":{"rendered":"<p>Table of Contents Commission boosts cybersecurity industry and steps up efforts to tackle cyber-threats Endpoint and Network Security: The rise of \u201cDefense in Depth\u201d EU to invest \u20ac450 million in cybersecurity partnership fund The Information Security Leader, Part 1: Two Distinct Roles, Four Fundamental Questions and Three Persistent Challenges 
Password&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[29],"tags":[],"class_list":["post-1027","post","type-post","status-publish","format-standard","hentry","category-news"],"_links":{"self":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1027","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=1027"}],"version-history":[{"count":1,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1027\/revisions"}],"predecessor-version":[{"id":3514,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1027\/revisions\/3514"}],"wp:attachment":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=1027"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=1027"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/tags?post=1027"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}