{"id":1112,"date":"2016-08-30T00:00:00","date_gmt":"2016-08-30T00:00:00","guid":{"rendered":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/2016\/08\/30\/fromreply-totodatemessage-idlist-idlist-unsubscribesendercontent-typemime-version-imail3dpaulgdavis-commail41-us4-mcsv-net\/"},"modified":"2021-12-30T11:38:47","modified_gmt":"2021-12-30T11:38:47","slug":"fromreply-totodatemessage-idlist-idlist-unsubscribesendercontent-typemime-version-imail3dpaulgdavis-commail41-us4-mcsv-net","status":"publish","type":"post","link":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/2016\/08\/30\/fromreply-totodatemessage-idlist-idlist-unsubscribesendercontent-typemime-version-imail3dpaulgdavis-commail41-us4-mcsv-net\/","title":{"rendered":"From:Reply-To:To:Date:Message-ID:List-ID:List-Unsubscribe:Sender:Content-Type:MIME-Version; i=mail=3Dpaulgdavis.com@mail41.us4.mcsv.net;"},"content":{"rendered":"<p>[From the desk of Paul Davis &#8211; his opinions and no-one else&#8217;s]<br \/>\nApart from the reporter&#8217;s opinions \ud83d\ude09<br \/>\nSo onto the news:<\/p>\n<p>The SWAMP helps keep hackers at bay<\/p>\n<p>The SWAMP, the Software Assurance Marketplace, gives developers a chance to run their software programs through a series of tools that can root out potential pitfalls \u2014 small gaffes that may cause hiccups in the way a program runs or bigger gaps that could let hackers wriggle in.<\/p>\n<p>The SWAMP has collected nearly a dozen tools, so far, used to identify software problems. The SWAMP\u2019s staff doesn\u2019t develop the security programs, but gathers them, offering a selection that can root out glitches in a variety of programming languages. They are all available, for free, to the public; even consumers can use them to make sure the apps they use are secure.<\/p>\n<p>Lloyd, at Redox, depends on open-source software. \u201cA person in one part of the world can write code that\u2019s supposed to do something. 
Someone in another part of the world can use it and assume it works,\u201d said Lloyd. It does work, 99 percent of the time, he added.<\/p>\n<p>Lloyd said Redox can\u2019t use the SWAMP \u2014 at least, not yet \u2014 because it doesn\u2019t support the programming language the startup uses. (So far, C, C++, Java, Python and Ruby are covered; JavaScript and PHP are coming.) So to prevent holes in its programs, Redox does its own extensive testing and has others review its work, he said. \u201cIt\u2019s baked into every development task that we do,\u201d he said.<\/p>\n<p>Link: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=807c2b1b4d&#038;e=20056c7556<\/p>\n<p>Vendor risk management: a weak link in many organizations<\/p>\n<p>The outsourcing of critical services to third parties requires a robust vendor risk management program and stringent oversight, yet the results of a new study suggest that many companies may be underperforming in these areas. Organizations must make improvements to their risk management programs in order to keep pace with the latest risks and challenges, according to the 2015 Vendor Risk Management Benchmark Study, released by the Shared Assessments Program and Protiviti.<\/p>\n<p>During the one-year period between the 2014 and 2015 surveys, there was an epidemic of cybersecurity breaches, the February 2014 release of the NIST Cybersecurity Framework, and more oversight of IT security risk programs in general by both boards of directors and regulators. This increased regulatory focus on third-party risks means that organizations are now more aware of their own program&#8217;s strengths and weaknesses, particularly at the C-suite and board level.
With greater clarity about what is required to minimize and mitigate cybersecurity risks, many respondents may have rated their capabilities lower even in the face of process improvements in their firms, and may also be setting a higher bar for what they deem to be mature levels of vendor risk management.<\/p>\n<p>Vendor risk management programs require more substantive advances. The overall maturity rating for program governance in this year&#8217;s survey (2.7 on a 5-point scale \u2013 below the \u2018fully defined and established\u2019 maturity level) should serve as a wake-up call that deeper changes are needed that reach into organizational culture and individual behavior, especially for financial institutions that are striving to satisfy the US \u2018Getting to Strong\u2019 regulatory mantra.<\/p>\n<p>Link: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=d0cfe7a7c4&#038;e=20056c7556<\/p>\n<p>The ticking time-bomb at the heart of our big banks&#8217; computer systems<\/p>\n<p>Last year banks in Europe spent an estimated \u00a340 billion on IT but only \u00a37bn of that was investment in new systems: the remaining \u00a333bn was spent patching and maintaining increasingly creaky and fragmented legacy systems.<\/p>\n<p>A report by Deloitte from as far back as 2008 said that &#8220;many banks have now reached a tipping point where the cost and risk of doing nothing outweighs the cost and risk of taking action&#8221;. 
And yet, seven years on, little has since changed.<\/p>\n<p>The reluctance of the old world retail banks to grasp the nettle of investment in new core systems is now giving the new challenger banks &#8211; who can launch with brand new, more reliable software &#8211; the opportunity to grow market share (see panel).<\/p>\n<p>Link: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=cb0bb5c323&#038;e=20056c7556<\/p>\n<p>The Need for a Threat Intelligence Maturity Model \u2013 Pt 1<\/p>\n<p>Last year, we started working on what we are calling a Threat Intelligence Maturity Model (TIMM). We recognize that while threat intelligence holds tremendous value in facing a changing threat landscape, most struggle with being able to leverage it proactively. There are no current standards for gauging how effective threat intelligence functions are, and how well those functions are integrating with other areas of their cybersecurity capabilities and the business. As such, many early adopters are stuck in a reactive state (at best), are struggling in determining what their future state should be, and cannot articulate why it is important. 
This is an issue that needs to be solved in order to fully harness the power of threat intelligence \u2013 and one that needs to be solved before mass market adoption occurs.<\/p>\n<p>At the core, we feel threat intelligence maturity can be divided into organizational and functional maturity.<\/p>\n<p>Organizational maturity is a way of looking at what resources and organizational structures are in place to fully support the integration of threat intelligence.<\/p>\n<p>Functional maturity can measure how organizations actually apply threat intelligence, in ways that enhance their ability to protect themselves within the threat landscape.<\/p>\n<p>In this blog series, we will walk through our vision for the TIMM concept as it applies to organizational maturity \u2013 with the goal of establishing a threat intelligence team in your security operations. We will also work through our concepts around functional maturity to support the mission of integrating cyber threat intelligence into the \u201cSecurity Monitoring\u201d domain.<\/p>\n<p>Link: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=7999ff318e&#038;e=20056c7556<\/p>\n<p>Threat intelligence survey: 43 percent only share info internally<\/p>\n<p>While 43 percent of security professionals said that they only share information about threats they discover at work internally, a much larger showing, 81 percent, called for more government-to-private sector sharing, a new survey said.<\/p>\n<p>More than 300 security practitioners participated in the survey, which was conducted by AlienVault at the Infosecurity Europe 2015 conference in London last month. 
According to the company, the survey was carried out to \u201cpaint a picture of how threat intelligence is obtained, utilized and shared.\u201d The report [PDF] was released Tuesday.<\/p>\n<p>While 43 percent of respondents said they shared threat intelligence only within the organization, 40.2 percent said they would share such information with \u201ctrusted peers\u201d or the \u201cclosed community.\u201d Around 20 percent of participants said they shared threat intelligence with the government sector, and only 7.6 percent (25 respondents) said they publicly shared threat intelligence.<\/p>\n<p>Though only 67 respondents (20.4 percent) said they shared threat intelligence with the government, 266 respondents (81.1 percent) felt that the government should share more threat intelligence with the private sector, the survey noted.<\/p>\n<p>Link: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=04814313e8&#038;e=20056c7556<\/p>\n<p>Adobe to patch second Hacking Team Flash zero-day bug<\/p>\n<p>Adobe next week will patch a second zero-day vulnerability found in the leaked documents from the Hacking Team, a controversial Italian company that sells surveillance software and exploits to governments.<\/p>\n<p>Link: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=cc4d15c08e&#038;e=20056c7556<\/p>\n<p>German hospitals, water utilities, telecommunications and other essential providers will face fines of up to 100,000 euros if they fail to meet minimum information security standards under legislation finalized on Friday.<\/p>\n<p>The law passed its final hurdle in the upper house of the German parliament, the Bundesrat, comprising delegates from Germany&#8217;s 16 L\u00e4nder or regional states.<\/p>\n<p>It
obligates essential institutions to immediately report severe cyber attacks on their systems or networks to the Federal Office of Information Security (BSI), based in Bonn.<\/p>\n<p>These entities or firms are also required to obtain BSI clearance that their operations comply with minimum security standards.<\/p>\n<p>Link: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=4f29c75d79&#038;e=20056c7556<\/p>\n<p>VMware patches vulnerabilities in Workstation, Player, Fusion and Horizon View Client<\/p>\n<p>The flaws could lead to code execution, privilege escalation and denial-of-service.<\/p>\n<p>To address the code execution issue, VMware released Workstation 11.1.1 and 10.0.6; VMware Player 7.1.1 and 6.0.6; and Horizon Client for Windows 3.4.0, 3.2.1 and 5.4.2 (with local mode). The company also fixed the separate denial-of-service issue in VMware Workstation 10.0.5 and VMware Player 6.0.6 for all platforms and Fusion 7.0.1 and 6.0.6 for OS X.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>[From the desk of Paul Davis &#8211; his opinions and no-one else&#8217;s] Apart from the reporter&#8217;s opinions \ud83d\ude09 So onto the news: The SWAMP helps keep hackers at bay The SWAMP, the Software Assurance Marketplace, gives developers a chance to run their software programs through a series of tools
that&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[29],"tags":[],"class_list":["post-1112","post","type-post","status-publish","format-standard","hentry","category-news"],"_links":{"self":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1112","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=1112"}],"version-history":[{"count":1,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1112\/revisions"}],"predecessor-version":[{"id":3599,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1112\/revisions\/3599"}],"wp:attachment":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=1112"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=1112"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/tags?post=1112"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}