[From the desk of Paul Davis – his opinions and no-one else’s]
\nApart from the reporter’s opinions \ud83d\ude09
\nSo onto the news:<\/p>\n
Why Internet of Things will change cybersecurity forever: Gartner
\nOver 20 percent of enterprises will have digital security services devoted to protecting business initiatives using devices and services in the Internet of Things (IoT) by year end 2017, according to Gartner, Inc.
\nGartner defines digital security as the risk-driven expansion and extension of current security risk practices that protect digital assets of all forms in the digital business and ensures that relationships among those assets can be trusted.
\n\u201cGovernance, management and operations of security functions will need to be significant to accommodate expanded responsibilities, similar to the ways that bring your own device (BYOD), mobile and cloud computing delivery have required changes – but on a much larger scale and in greater breadth,\u201d said Ramamoorthy. \u201cIT will learn much from its operational technology (OT) predecessors in handling this new environment.\u201d
\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=8da5da23dc&e=20056c7556<\/p>\n
The myth of the cybersecurity skills shortage
\nEveryone seems to think that there\u2019s a lack of qualified security professionals, and that the reason is that there aren\u2019t enough people entering the field with the required skills.
\nThere is a fallacy behind that thinking, though.
\nPeople think that security is a stand-alone discipline, but it is actually a discipline within the computer field.
\nTreating it otherwise is a mistake.
\nsecurity positions are not entry-level positions, and if you treat them as such, you will have terrible security.
\nThe best security practitioners have experience in the technology and processes that they are supposed to secure.
\nIf you are not an experienced developer, you do not have the standing to tell people how to secure the code they write.
\nIf you have no experience as a system administrator, you cannot maintain the security of a system.
\nIf you have no experience as an administrator, you cannot secure a database.
\nIf you have no experience in designing a network, you cannot competently design a secure network.
\nSecurity professionals are developed over time, just as happens with experts in every profession, including all of the other disciplines within the computer profession
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=aebf72d1de&e=20056c7556<\/p>\n
Netflix Sleepy Puppy XSS flaw detection tool goes open source
\nOn Monday, Netflix team members Scott Behrens and Patrick Kelley revealed the open source release of the firm’s cross-site scripting (XSS) payload management framework.
\nDubbed Sleepy Puppy, Netflix says the tool goes beyond only testing main applications for XSS flaws and also encompasses scans for secondary applications which may provide the conduit for XSS security flaw exploit.
\nIn other words, Sleepy Puppy keeps an eye out for XSS payloads which may be injected within primary applications — but not trigger an alert — before shifting to a secondary area and executing.
\nThe Netflix team call this “delayed” XSS testing.
\nSleepy Puppy is designed to simplify the process of capturing, managing, and tracking XSS propagation over periods of time and testing sessions.
\nThe configurable tool leverages an assessment model to categorize XSS strings and injections and allows users to subscribe to email notifications when delayed cross-site scripting events are triggered.
\nSleepy Puppy comes with a number of payloads, as well as an API for users who wish to develop plugins to support scanners such as Burp or Zap.
\nSleepy Puppy, available from the Netflix Open Source website, comes with built-in payloads, PuppyScripts and a default assessment scheme.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=6f10984e45&e=20056c7556<\/p>\n
Extent of data breaches in pharmaceutical sector revealed
\nThe Crown Records Management Survey revealed:
\n– 60% of IT decision makers in the pharmaceutical sector said their company had lost important data
\n– 12% had done so between seven and nine times \u2013 and 8% between 13 and 15 times
\n– 24% reported their company had suffered a hack
\nAnn Sellar, Business Development Manager at Crown Records Management, a global information management expert, said, \u201cThese survey results should be a wake-up call for UK businesses, and especially those in the pharmaceutical sector, because the importance of protecting customer data is higher than ever.
\nNot only because of potential fines for data breaches (which will soon increase when the EU General Data Protection Regulation is ratified) but also because of growing public awareness.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=582b8b81e4&e=20056c7556<\/p>\n
When a Security Policy Creates More Problems Than It Solves
\nSecurity policies can create a dangerous false sense of security and can end up being used against you in a court of law.
\nLooking at this from the plaintiff\u2019s perspective in the case of a data breach, it won\u2019t take much for lawyers, forensics analysts and expert witnesses to show that due care was indeed not taking place in the enforcement of policies and the ongoing management of security.
\nThat\u2019s already happened in some bigger cases, and it\u2019s certainly playing out in others right now.
\nNow that it\u2019s confirmed that the Federal Trade Commision (FTC) has the authority to go after companies due to lax security, this issue could get really big really fast.
\nAnyone can document anything they want in a policy involving things such as passwords, full-disk encryption for laptops, bring-your-own-device (BYOD) rules, etc.
\nBut it literally means nothing when these policies are not enforced, which is often the case.
\nRather than it being the oft-cited \u201cglitch\u201d causing problems, the breaches we hear about are a breakdown in information security management somewhere along the way.
\nWe know that talk is cheap in many aspects of business, but I can think of no place where it\u2019s more evident than in information security.
\nWe\u2019re seeing this very issue play out in the courts today.
\nIt\u2019s time to start unchecking those boxes and do what\u2019s right before a third-party expert or analyst calls it out and you\u2019re forced to act.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=684f8550b8&e=20056c7556<\/p>\n
Ransomware jumps 127%, IoT malware on rise too: McAfee
\nThe security firm attributes the increase to fast-growing new families such as CTB-Locker, CryptoWall, and others.
\nIn Q2, the total number of mobile malware samples grew 17 percent.
\nBut mobile malware infection rates declined about 1 percent per region this quarter.
\nThe trend of decreasing botnet-generated spam volume continued through Q2, the report said, as the Kelihos botnet remained inactive.
\nSlenfbot again claims the top rank, followed closely by Gamut, with Cutwail rounding out the top three.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=6be8afbf65&e=20056c7556<\/p>\n
MEPs clash over renewed calls for a European Intelligence Agency
\nThe failed terrorist attack on the Amsterdam-Paris Thalys has prompted the outspoken group leader of the Alliance of Liberals and Democrats for Europe, Guy Verhofstadt, to reiterate his demand for a European Intelligence Agency.
\nHowever, European officials urged caution against overreaction.
\nCommission transport spokesman, Jakub Adamowicz, highlighted the costs and logistical problems associated with tighter security.
\nHe suggested a “hyperactive” response may prove “counterproductive.”
\nEurosceptic MEPs have also rejected demands for a European Intelligence Agency, arguing security services are the prerogative of member states.
\nMeanwhile Charles Michel, the Belgian Prime Minister, has gone further, urging policymakers to consider reintroducing identity and luggage inspections across international train routes.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=0d3183087e&e=20056c7556<\/p>\n
CTF players versus professional penetration testers
\nAccording to ISACA\u2019s State of Cybersecurity: Implications for 2015 report, 72.33% of respondents said that the biggest skill gap in today\u2019s security professionals is ability to understand the business.
\nAnother interesting fact from the survey is that the majority of respondents found that less than 25% of applicants were qualified for a cybersecurity position.
\nThese numbers highlight a very serious gap between people looking for an infosec job and modern businesses.
\nActually, a similar gap exists between CTF contests and professional penetration testing.
\nEven at famous CTF events, usually organized in parallel with various conferences, many CTF players are students or have just started their first infosec job.
\nSadly, quite often prominent teams of young but talented players fail to participate in a CTF due to the high price of travel and the events being held in venues they simply cannot afford.
\nA CTF player can also bring some useful insights to your team and a vision from a different angle that others will probably not have.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=f2f229e1a0&e=20056c7556<\/p>\n
Have you ever considered a people-centric security strategy?
\nPCS is a strategic approach to information security that emphasises individual accountability and trust, and de-emphasises restrictive, preventive security controls.
\n\u201cPCS represents a major departure from conventional security strategies, but reflects the reality that current security approaches are increasingly difficult to manage in a digital environment,\u201d saidTom Scholtz, vice president and Gartner Fellow.
\nSome of you may have tried implementing a people-centric security (PCS) strategy and faced opposition from some business leaders and security and risk professionals.
\nBut, how would they react now if they knew that by 2019, digital business adoption will compel 30 percent of organisations to implement PCS strategies \u2013 up from less than 5 percent in 2014?
\nThe trust-based security strategy empowered decision makers within the enterprise\u2019s subsidiaries to make their own risk-based decisions.
\nIn essence, it was up to the subsidiaries to make most security control decisions, with appropriate support and guidance from group\u2019s IT team.
\nThis enabled a more collaborative approach that is much more aligned with the organisation\u2019s culture to minimise risk and maximise the use of a wide variety of IT services.
\nThis was in stark contrast to the previous policy-based dictatorial approach.
\nOverall, security and risk leaders must carefully consider whether PCS is appropriate for their organization and ensure that the appropriate enterprise environment exists for PCS.
\nPCS is not a tool for initiating cultural change.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=802175cc9b&e=20056c7556<\/p>\n
Getting Out: Data Exfiltration Gets Sophisticated
\nAttackers don\u2019t have any trouble breaking into corporate networks.
\nAccording to a new McAfee Labs and Intel Security report, cybercrime has in fact become an industry unto itself, with suppliers, markets, service providers and even trading systems.
\nWhat\u2019s more, companies often lag behind when it comes to applying security updates and ensuring that users follow password security protocols.
\nAlso of interest is the increasing criminal focus on mobile and IoT-connected devices, which are prime targets for compromise not as end goals, but a way to access higher-value data assets.
\nAttackers have mastered the art of getting in.
\nRather than fight the losing battle of open doors, enterprises are better served looking for ways to keep data at home and malicious actors trapped on the wrong side of the wall.
\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=6d26a16e89&e=20056c7556<\/p>\n
============================================================
\nFeedback, questions? Our mailing address is: ** dailynews@paulgdavis.com (mailto:dailynews@paulgdavis.com)<\/p>\n
If someone forwarded this email to you and you want to be added in,
\nplease click this: ** Subscribe to this list (http:\/\/paulgdavis.us3.list-manage.com\/subscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a)<\/p>\n
** Unsubscribe from this list (http:\/\/paulgdavis.us3.list-manage1.com\/unsubscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556&c=e1f0458236)<\/p>\n
** Update subscription preferences (http:\/\/paulgdavis.us3.list-manage.com\/profile?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556)<\/p>\n","protected":false},"excerpt":{"rendered":"
[From the desk of Paul Davis – his opinions and no-one else’s] Apart from the reporter’s opinions \ud83d\ude09 So onto the news: Why Internet of Things will change cybersecurity forever: Gartner Over 20 percent of enterprises will have digital security services devoted to protecting business initiatives using devices and services…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[29],"tags":[],"class_list":["post-1141","post","type-post","status-publish","format-standard","hentry","category-news"],"_links":{"self":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1141","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=1141"}],"version-history":[{"count":1,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1141\/revisions"}],"predecessor-version":[{"id":3628,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1141\/revisions\/3628"}],"wp:attachment":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=1141"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=1141"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/tags?post=1141"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}