[From the desk of Paul Davis – his opinions and no-one else’s]
\nApart from the reporter’s opinions \ud83d\ude09
\nSo onto the news:<\/p>\n
Dutch Data Protection Authority publishes consultation version of guidelines on breach notice law
\nOn the heels of the enactment of the Dutch breach notice law, the Dutch Data Protection Authority (CBP) published a consultation document with draft guidelines on the breach notice obligation of data controllers in the Netherlands.
\nUnder the law, data controllers are required to provide notice of data breaches to the CBP and, under certain circumstances, to the affected individuals.
\nThis obligation will take effect on January 1, 2016.
\nThe guidelines define a data breach as a security incident that has, or poses a significant risk of having, serious adverse consequences for the protection of personal data.
\nThe CBP has invited interested parties to share their comments on the draft guidelines ultimately by October 19, 2015.
\nThe final version of the guidelines will become effective on January 1, 2016.
\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=47343d0465&e=20056c7556<\/p>\n
Outsourcing IT Security : A Recipe for Success or Disaster?
\nIs it worth it to let other people manage my sensitive data and give my company a competitive advantage?\u201d
\nAccording to a growing number of companies, the answer is a yes.
\nIT research firm, Computer Economics, recently published a report called \u201cIT Outsourcing Statistics 2015\/2016,\u201d where it has been found that more and more companies are outsourcing their IT functions.
\nWith these tasks being outsourced, the result has been that companies are able to \u201cpreserve capital, reduce costs, improve operational flexibility, increase service levels, reduce management overhead or rapidly deploy new capabilities,\u201d according to the study.Clearly, the outsourcing of these IT tasks have been beneficial to modern companies.
\nYou have to be vigilant in keeping an eye on your outsourced IT security staff.
\nThough they may be contract-bound to keep your data private, in reality, they\u2019ll have little to lose as opposed to your company\u2014in case your data falls into the wrong hands.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=587d381104&e=20056c7556<\/p>\n
Using Tiger Teams during a major incident
\nIn a major incident there are a number of Tiger Teams, up to six, that can be established to assist in resolving incidents.
\nThese are the (Echo\/Delta\/Romeo\/Whisky\/Bravo\/Alpha) teams.
\nWe will briefly describe each of these teams below:
\nThe Echo team is the Escalations Team and is responsible for stakeholder communications and owns the major incident from cradle to grave.
\nThe Delta team is the team responsible for diagnostics and also collaborates with the resources responsible for detection.
\nThe Romeo team executes the repair which includes the recovery (component has been recovered to previous state as listed in CMDB) and restore (normal business operations have resumed).
\nThe Whisky team is responsible for workaround implementation.
\nThe Bravo team is responsible for business continuity and serve the purpose of business resumption in the event of a high level major incident.
\nThe Alpha team is responsible for producing an analysis of the major incident after it has been resolved.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=ec63011f3e&e=20056c7556<\/p>\n
Cyber Weapon Market – Global Industry Analysis, Size, Share, Growth, Trends and Forecast 2015 – 2021
\nThe cyber weapon market is anticipated to grow during the forecast period owing to the increasing investment by government and utility organizations to identify zero-day vulnerabilities or exploits in a system or software application.
\nIntelligence agencies, government, and other organizations are increasingly investing in cyber units and other cyber resources to identify zero-day exploits and use them against enemy systems or networks when necessary.
\nAdditionally expansion of traditional arms manufacturing companies such as Lockheed Martin Corporation, BAE Systems and Raytheon Company among others in cybersecurity business is driving the market growth.
\nDemand for advanced cyber warfare techniques is further fueling the growth of this market.
\nFurthermore, growth of cyber weapon market is attributed to the increasing need for security in critical infrastructure and utilities including national defense system, industrial control system and smart power grid among others.
\nThe major factor restraining the growth of this market is due to the rising government regulations on non-proliferation of cyber weapons aimed to restrict usage of cyber weapon to ethical hackers, legal cyber professionals and organizations only.
\nEmergence of cyber as new domain for warfare is paving new opportunities for new and existing players in the market.
\nCyber weapon is considered as complementary to conventional warfare techniques.
\nAdditionally, cost-effectiveness of cyber weapons is leading to reduced funds for military expenses, thus providing new opportunities to players in the cyber weapon market.
\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=285e38093f&e=20056c7556<\/p>\n
120-day patching gap puts many firms at risk of cyber attack, study shows
\nThe probability of a vulnerability being exploited hits 90% between 40-60 days after discovery, but many firms are taking up to 60 days beyond that to patch, while others are failing to patch at all, a study shows
\nA study by risk and vulnerability software-as-a-service firm Kenna found that, despite the best intentions, most companies take an average of 100-120 days to remediate vulnerabilities.
\nAccording to the report, exploitation is almost guaranteed.
\nThe probability of a vulnerability being exploited hits 90% between 40-60 days after discovery.
\nThis means the length of time a company has to react before attackers strike is within 40-60 days of release for well-known vulnerabilities, the report said, which creates a remediation gap \u2013 or time that a vulnerability is most likely to be exploited before it is closed \u2013 of nearly 60 days.
\nAccording to the study report, non-targeted attacks pose a different challenge to businesses than the more widely publicised advanced persistent threats (APTs).
\nDue to the inability of information security teams to match the pace of automated attacks, a significant gap has appeared in the time that critical vulnerabilities appear and the time it takes for security teams to fix those vulnerabilities, the report concludes.
\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=59e32a4916&e=20056c7556<\/p>\n
Bank ratings could be cut if cyber defences are weak, S&P warns
\n“We view weak cybersecurity as an emerging threat that has the potential to pose a higher risk to financial firms in the future, and possibly result in downgrades,” the ratings agency said on Tuesday.
\nS&P’s credit analyst Stuart Plesser said banks’ retail presence, the value of the data they hold and their role in the financial system made them “natural targets facing a high threat of cyber-risk” and a successful attack could create reputational risk and “serious monetary and legal damages.”
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=dc4e698bfd&e=20056c7556<\/p>\n
Why Many Organizations Still Don’t Use Threat Intelligence Portals
\nTheir main reasons for not employing threat intel services: 44% say the attacks they’ve experienced thus far haven’t been “serious enough” to warrant using threat intel; 36% say threat intel is too expensive; 36% say it’s “not a good fit” for them; and 24% say they can’t get budget to pay for threat intel.
\nEven so, four out of five respondents in the survey said their organization would indeed use threat intel data if it was available to them.
\nSome more advanced and feature-rich threat intel feeds can cost hundreds of thousands of dollars a year, but there also are free open-source feeds.
\nSome 82% say they would use threat intelligence data if they had the budget for it, the survey found.
\nEven so, 15% say they don’t want to share their threat intelligence information with other organizations.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=5fea3f8739&e=20056c7556<\/p>\n
Best Practices for Cybersecurity Breaches, Incident Response
\nThe PCI Security Standards Council has announced new guidelines to help organizations respond to data breaches.
\n\u201cResponding to a Data Breach: A How-to Guide for Incident Management\u201d provides retailers and service providers with key recommendations so they can be prepared to react quickly if a breach is suspected.
\nIt specifically suggests what they should do to contain damage and launch an effective investigation.
\nLink: http:\/\/paulgdavis.us3.list-manage2.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=cd9b140e9c&e=20056c7556<\/p>\n
============================================================
\nFeedback, questions? Our mailing address is: ** dailynews@paulgdavis.com (mailto:dailynews@paulgdavis.com)<\/p>\n
If you know someone else who would be interested in this Newsalert, please forwarded this email.
\nIf you want to be added to the distribution list, please click this: ** Subscribe to this list (http:\/\/paulgdavis.us3.list-manage.com\/subscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a)<\/p>\n
** Unsubscribe from this list (http:\/\/paulgdavis.us3.list-manage.com\/unsubscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556&c=b2f8bfc176)<\/p>\n
** Update subscription preferences (http:\/\/paulgdavis.us3.list-manage2.com\/profile?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556)<\/p>\n","protected":false},"excerpt":{"rendered":"
[From the desk of Paul Davis – his opinions and no-one else’s] Apart from the reporter’s opinions \ud83d\ude09 So onto the news: Dutch Data Protection Authority publishes consultation version of guidelines on breach notice law On the heels of the enactment of the Dutch breach notice law, the Dutch Data…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[29],"tags":[],"class_list":["post-1155","post","type-post","status-publish","format-standard","hentry","category-news"],"_links":{"self":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1155","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=1155"}],"version-history":[{"count":1,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1155\/revisions"}],"predecessor-version":[{"id":3642,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1155\/revisions\/3642"}],"wp:attachment":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=1155"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=1155"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/tags?post=1155"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}