[From the desk of Paul Davis – his opinions and no-one else’s]
\nApart from the reporter’s opinions \ud83d\ude09
\nSo onto the news:<\/p>\n
Security spending will reach $75.4b worldwide: Gartner
\nWorldwide security spending will reach $75.4 billion this year, a 4.7 percent increase over last year, according to the latest forecast from technology research firm Gartner.
\n“Interest in security technologies is increasingly driven by elements of digital business, particularly cloud, mobile computing, and now also the Internet of Things, as well as by the sophisticated and high-impact nature of advanced targeted attacks,” Elizabeth Kim, research analyst at Gartner said.
\nAccording to Gartner, increased legislation continues to be a driver for security spending in some countries, suggesting the increase in spending is also driven by government initiatives and the coverage of high-profile data breaches that have been revealed throughout the year.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=6cab9f1585&e=20056c7556<\/p>\n
EU-US data-sharing contradicts protection rules and breaches privacy
\nThe advocate general of the European Court of Justice has said the mass transfer of EU user data to the US by companies such as Facebook contradicts EU data protection laws and represents a breach of the fundamental right to privacy.
\nIn a preliminary and non-binding assessment ahead of a full ruling, the Luxembourg court\u2019s advocate general Yves Bot recommended that the court invalidate the existing \u201cSafe Harbour\u201d rules.
\nThe final verdict on this case, expected as early as next month, could have far-reaching consequences for EU-US diplomatic and trade relations, as well as ongoing talks on a transatlantic free-trade agreement.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=a87ea8f685&e=20056c7556<\/p>\n
South Korea data breach penalty rules revised to encourage voluntary reporting
\nThe Korean Communications Commission (KCC) recently revised its data breach penalty rules to allow reductions in fines of up to 30% if companies voluntarily report a data breach to the regulator.
\nThe stated objective is to incentivize businesses to come forward of their own accord in relation to data breaches.
\nFollowing the amendment to the Act on the Promotion of Information Communication Network Utilization and Protection of Information which became effective in November 2014, businesses are required to notify customers immediately and report to the KCC within 24 hours in the event of a data breach.
\nThat amendment introduced statutory base fines of up to 3% of a company\u2019s annual revenue and court-sanctioned compensation of up to 3 million Korean won ($2,640) to consumer victims of a data breach, with further compulsory fines of up to 50% of the statutory base fine based on the scale and duration of the breach, and also discretionary adjustments (up or down) of these additional compulsory fines to take account of the seriousness of the breach and the attitude and responsiveness of the company.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=19349ff4f3&e=20056c7556<\/p>\n
The Sweet 16: Data Points Needed for a Cyber Incident Data Repository and High Value Cyber Risk Analysis
\nThe new white paper on Establishing Community-Relevant Data Categories in Support of a Cyber Incident Data Repository is the second in the CIDAWG\u2019s white paper series.
\nIt identifies 16 data categories that would support the kinds of analysis that could help insurers enhance their existing offerings while assisting CISOs, CSOs, and other cybersecurity professionals with their complementary cyber risk mitigation missions.
\nThe white paper builds on the CIDAWG\u2019s previous white paper, released in June, on the Value Proposition for a Cyber Incident Data Repository.
\nConceptually, such a repository would aid insurers in delivering policies, at lower rates, to \u201cbest in class\u201d clients \u2013 thereby contributing to and effectively informing the overall corporate risk management strategies of those clients.
\nSuch a repository also would support a host of advances for cyber risk management professionals generally, including enhanced cyber risk data and trend analysis, bolstered in-house cybersecurity programs, and improved cybersecurity solutions, products and services.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=b9f4d93aa3&e=20056c7556<\/p>\n
Security leaders need to explore before they can exploit
\nAs security leaders, how do we earn our position in the executive suite.
\nHow do we ready ourselves for the position?
\nKevin West, CEO of K logix (Twitter, LinkedIn), invests time interviewing and profiling CISOs.
\nHe recently shared some findings in \u201cFeats of Strength\u201d (link to download).
\nSome key findings from the work include:
\n– Most CISOs average 13 months in the role
\n– The bulk of CISOs are in their first \u201cleadership\u201d role
\n– Only 15% of CISOs report to the CEO
\nAs an industry, we\u2019re struggling with the CISO position.
\nWe\u2019re working to define what it is, required competencies , reporting structure, and the like.
\nKevin shared a trait observed in successful CISOs.
\nThey \u201cenable the team to execute on the business plan — with a technical mindset.\u201d
\nA security leader needs to rank assets and efforts to create value.
\nTo protect the right things means knowing what matters.
\nAccurate insights and understanding lead to better decisions.
\nInstead of a call to \u201cthink like an attacker,\u201d act like a leader.
\nEmbark on your own exploration.
\nLearn about your organization and the people that comprise it.
\nExplore how the business works.
\nIdentify protections and areas for improvement.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=ab18a162ca&e=20056c7556<\/p>\n
What is domain shadowing and how can enterprises defend against it?
\nAccording to Cisco Talos researchers, domain shadowing is “the process of gathering domain account credentials in order to silently create subdomains pointed at malicious servers without tipping off the actual owner.” It is a variant of a fast-flux domain name attack.
\nIn an attack that includes domain shadowing, an attacker will log into the domain register’s website to set up a new subdomain registered to a new server IP address.
\nBy registering many subdomain names and IP addresses, attackers are able to avoid blacklists, but it does not allow attackers to bypass reputation-based filters.
\nDomain shadowing can then be used to embed a DNS name in the malware, which could be used to download the malware from a compromised webhost or dictate where a compromised system should send stolen data.
\nThere are some steps enterprises can take, however.
\nFor example, IP addresses could be checked against a reputation-based blacklist to see if it resolves to multiple names or IP addresses, and then heuristic behavioral analysis could be used to identify which potentially malicious network connections require further investigation.
\nLink: http:\/\/paulgdavis.us3.list-manage2.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=f6b4056088&e=20056c7556<\/p>\n
Cyber Security Benchmark Highlights Legacy Product Failures
\nPALO ALTO, Calif., Sept. 23, 2015 \/PRNewswire\/ — In August 2015, with funding support from the US DHS, the Open Web Application Security Project (OWASP) published an open source Benchmark Project on application security accuracy.
\nThe Benchmark Project allows organizations to measure the effectiveness of application security solutions by providing an application with over 21,000 test cases across 11 different attack categories.
\nIt also uses code that looks vulnerable, but isn’t, to check for false alarms.
\nThe new Benchmark Project exposes the failings of the Static Source Code (or SAST) and Dynamic Web Scanning (or DAST) product categories.
\nThe best performing products in those groups scored a discouragingly poor 33% accuracy on the Benchmark, demonstrating that companies relying on them are left vulnerable to hackers.
\nThat’s alarming given the importance of application security, and business dependence on those products.
\n“By understanding what a tool can and cannot do, the OWASP Benchmark Project has the potential to positively stimulate improvements in software security assurance tools,” said Kevin Greene, Program Manager, Cyber Security Division, United States Department of Homeland Security.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=8c1fb41211&e=20056c7556<\/p>\n
Ad-Fraud Prevention Firm Starts Ranking Mobile Exchanges by Fraudulent Traffic
\nd-fraud prevention firm Pixalate is hoping to shine a light on the problem with its new Mobile Seller Trust Index, which it describes as an independent, standardized rating system of ad exchanges’ fraud activity.
\nPixalate evaluated more than 125 supply-side platforms.
\nThe 10 exchanges that got the best ratings include Amobee, Rubicon, Big Mobile Group, Millennial Media Exchange and AOL Marketplace.
\nOther exchanges might not be so approving.
\nThe full index, which Pixalate plans to update each month, can be seen here.
\nThe company introduced a similar index for display ad quality in the desktop and mobile web in December.
\nThe need to sort out mobile ad fraud, particularly in apps, is becoming more critical as mobile users and advertiser alike flock to apps.
\nMarketers will spend $20.8 billion to reach consumers via mobile apps in 2015 but only $7.9 billion on mobile browsers, according to projections by eMarketer.
\nWhen mobile spending surpasses desktop advertising next year, eMarketer says, app ad dollars will reach nearly $30 billion, compared with the mobile web’s $10.8 billion.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=2f187b5c52&e=20056c7556<\/p>\n
Facebook launches new ECC key encryption options
\nOn Tuesday, the social media giant announced support for OpenPGP’s standard elliptic curve cryptography (ECC) public keys, including NIST curves P-256, P-384, and P-521.
\nThe public key support builds upon Facebook’s launch of OpenPGP key support in June.
\nThe support permits end-to-end encrypted notification emails to be sent from Facebook to your linked email accounts.
\nFacebook’s additional encryption service offers “high levels of security for relatively smaller key sizes,” according to the tech giant, which also removes some of the complication of using and configuring PGP keys.
\nECC keys, widely adopted in modern cryptography, can now be posted on your profile and Facebook will use them to further encrypt email notifications.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=bb4449b8c9&e=20056c7556<\/p>\n
What Companies Want In A CISO
\nJoyce Brocaglia founder of the Executive Women’s Forum and CEO of Alta Associates joins the Dark Reading News Desk at Black Hat to discuss closing the gender gap in security and what companies are looking for in a chief information security officer.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=adf689ab3a&e=20056c7556<\/p>\n
============================================================
\nFeedback, questions? Our mailing address is: ** dailynews@paulgdavis.com (mailto:dailynews@paulgdavis.com)<\/p>\n
If you know someone else who would be interested in this Newsalert, please forwarded this email.
\nIf you want to be added to the distribution list, please click this: ** Subscribe to this list (http:\/\/paulgdavis.us3.list-manage.com\/subscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a)<\/p>\n
** Unsubscribe from this list (http:\/\/paulgdavis.us3.list-manage.com\/unsubscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556&c=5e349efeef)<\/p>\n
** Update subscription preferences (http:\/\/paulgdavis.us3.list-manage2.com\/profile?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556)<\/p>\n","protected":false},"excerpt":{"rendered":"
[From the desk of Paul Davis – his opinions and no-one else’s] Apart from the reporter’s opinions \ud83d\ude09 So onto the news: Security spending will reach $75.4b worldwide: Gartner Worldwide security spending will reach $75.4 billion this year, a 4.7 percent increase over last year, according to the latest forecast…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[29],"tags":[],"class_list":["post-1153","post","type-post","status-publish","format-standard","hentry","category-news"],"_links":{"self":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1153","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=1153"}],"version-history":[{"count":1,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1153\/revisions"}],"predecessor-version":[{"id":3640,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1153\/revisions\/3640"}],"wp:attachment":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=1153"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=1153"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/tags?post=1153"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}