[From the desk of Paul Davis – his opinions and no-one else’s]
\nApart from the reporter’s opinions \ud83d\ude09
\nSo onto the news:<\/p>\n
PCI Encryption Standard Updated<\/p>\n
The PCI Security Standards Council has released version 2 of its PCI Point-to-Point Encryption Solution Requirements and Testing Procedures.<\/p>\n
The standard is designed to help merchants and technology providers determine how encryption can complement compliance with the PCI Data Security Standard, and ultimately improve card security.<\/p>\n
Unlike the PCI-DSS, compliance with the PCI encryption standard is not mandatory for merchants or vendors, says Jeremy King, international director of the PCI Security Standards Council, in an interview with Information Security Media Group. The encryption standard is a complementary standard, he explains.<\/p>\n
Link: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=223092b5f8&e=20056c7556<\/p>\n
Burying your head in the sand: a good security strategy for ostriches, not organisations<\/p>\n
[A] new Quocirca report shows that the more visibility businesses have into these new security threats, the more concerned about them they become. \u2018Master of Machines II: Conquering complexity with operational intelligence\u2019 asked European organisations about their top technology concerns, and their ability to capture machine data.<\/p>\n
Some of the top concerns \u2013 such as down time and managing data chaos \u2013 were reduced with greater operational intelligence. The odd one out is security. Companies with higher levels of operational intelligence (the ability to draw intelligence from machine data) are actually more concerned about security threats.<\/p>\n
Those with the maximum level of operational intelligence had an average concern rating of 3.88 for security. The average for the research was 2.58. Those with very low operational intelligence, rated security 2.09, suggesting that perhaps they have their heads in the sand.<\/p>\n
Organisations need to be taking an analytics-based approach if they are to establish what \u2018normal\u2019 looks like and stand a chance at identifying the very faint fingerprints of an advanced threat.<\/p>\n
Link: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=43262d9de8&e=20056c7556<\/p>\n
Spiceworks Hit By Security Vulnerability<\/p>\n
Austin-based IT management software developer Spiceworks, said Wednesday that its users discovered a security vulnerability in its latest, desktop software, which resulted in disabling a feature and a security patch. According to Spiceworks, the vulnerablity–in its Spiceworks 7.4 Desktop application–had the potential to put users at risk, but that the security issue only hit sixty instllations, none of which appear to have been exploited.<\/p>\n
Link: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=08254883ba&e=20056c7556<\/p>\n
Information Warfare: Duqu Lives<\/p>\n
July 4, 2015: A respected Russian Internet security firm (Kapersky) recently revealed that it had found new spyware software in three hotels used by delegates to negotiations with Iran over sanctions and the Iranian nuclear weapons program. The spyware was described as a much improved version of Duqu and that Israel was probably behind this. Israel denied any involvement but this is actually an old story. In 2012 Internet security researchers accused Israel of a similar stunt when new spyware was found throughout the Middle East. Similar to Stuxnet and Duqu (both created by a joint U.S.-Israeli effort for use against Iran), the new spyware was called Gauss, and it was used to monitor Hezbollah (an Iran backed Lebanese terrorist group) financial activity. Gauss was apparently unleashed in 2011, and had already done its job by the time it was discovered.<\/p>\n
The 2015 version is called Duqu 2.0 and it is much improved over the 2011 original. Duqu 2.0 uses a new communications system making it very difficult (and often impossible) to determine where it is sending data and getting orders from. Duqu 2.0 also hides itself much more efficiently, making it more difficult to detect and remove. Duqu 2.0 uses more powerful encryption, making it more difficult to even examine portions of it that are captured. Duqu 2.0 uses all of this, especially the stealth, to compromise entire networks, including routers and \u201csmart\u201d devices (like printers) attached to the network. This makes it much more difficult to remove because parts of Duqu 2.0 are all over an infected network and well hidden. Clean out one server and surviving Duqu 2.0 components will note this and quietly re-infect the \u201ccleaned\u201d computer or server.<\/p>\n
Link: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=fe85ce641f&e=20056c7556<\/p>\n
PWC – State of Security Compliance<\/p>\n
With risk and regulation increasing, and change accelerating, it\u2019s harder than ever for companies to meet baseline compliance requirements. All business functions are being impacted by not only regulatory change but significant change to the competitive, political, and economic environment, but in our 2015 survey, we have seen only incremental change in the compliance function. According to PwC\u2019s 18th Annual Global CEO survey, 54% of CEOs are entering or considering entering new sectors. Combine this with the 78% of CEOs that are concerned about the impact of regulation on their business and the time for the Chief Compliance Officer to elevate the profile of the compliance function is now. Compliance officers need to engage with leadership to minimize the impacts of regulatory pressures on the achievement of strategic goals\u2026.<\/p>\n
Link: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=0e3d4d8870&e=20056c7556<\/p>\n
Middle-manager inaction the weak link in enterprise cyber-security<\/p>\n
Lethargic, narrow-minded middle-managers are among the biggest remaining obstacles to consolidating enterprise cyber-security, an industry expert has warned.<\/p>\n
Speaking at the CBI Cyber Security Conference 2015 in central London this week, Martin Smith MBE, chairman and founder of The Security Company, and of the Security Awareness Special Interest Group, said that in many corporate hierarchies the importance of cyber-security safeguards was now understood by directors, senior executives and increasingly by rank-and-file IT system users.<\/p>\n
Link: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=81c0c3d6ea&e=20056c7556<\/p>\n
China tightens grip over the Internet with new security law<\/p>\n
On Wednesday, China’s legislature passed the national security law, which covers a wide range of areas including military defense, food safety, and the technology sector.<\/p>\n
A full text of the law’s final draft has yet to be released, but it calls for better cybersecurity, according to a report from China’s state-controlled Xinhua News Agency. The country’s key information systems and data will also be made “secure and controllable” under the law.<\/p>\n
Link: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=6690442e7a&e=20056c7556<\/p>\n
The top three banking malware families<\/p>\n
SecurityScorecard sinkholes found 11,952 infections affecting 4,702 organizations and identified the top banking malware families to be Dridex, Bebloh and TinyBanker… The top three banking malware families being captured are all direct variants of Zeus, or mimic Zeus-like functionalities. These malware attacks are the preferred method of obtaining stolen credentials, especially when traditional attacks on web applications or network-based attacks are being monitored by internal security teams.<\/p>\n
Link: http:\/\/paulgdavis.us3.list-manage2.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=7f69cf5c44&e=20056c7556<\/p>\n
============================================================
\nFeedback, questions? Our mailing address is: ** dailynews@paulgdavis.com (mailto:dailynews@paulgdavis.com)<\/p>\n
If someone forwarded this email to you and you want to be added in,
\nplease click this: ** Subscribe to this list (http:\/\/paulgdavis.us3.list-manage.com\/subscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a)<\/p>\n
** Unsubscribe from this list (http:\/\/paulgdavis.us3.list-manage1.com\/unsubscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556&c=ccbd64a075)<\/p>\n
** Update subscription preferences (http:\/\/paulgdavis.us3.list-manage.com\/profile?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556)<\/p>\n","protected":false},"excerpt":{"rendered":"
[From the desk of Paul Davis – his opinions and no-one else’s] Apart from the reporter’s opinions \ud83d\ude09 So onto the news: PCI Encryption Standard Updated The PCI Security Standards Council has released version 2 of its PCI Point-to-Point Encryption Solution Requirements and Testing Procedures. The standard is designed to…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[29],"tags":[],"class_list":["post-1108","post","type-post","status-publish","format-standard","hentry","category-news"],"_links":{"self":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1108","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=1108"}],"version-history":[{"count":1,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1108\/revisions"}],"predecessor-version":[{"id":3595,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1108\/revisions\/3595"}],"wp:attachment":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=1108"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=1108"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/tags?post=1108"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}