{"id":1162,"date":"2016-09-11T00:00:00","date_gmt":"2016-09-11T00:00:00","guid":{"rendered":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/2016\/09\/11\/fromreply-totodatemessage-idlist-idlist-unsubscribesendercontent-typemime-version-imail3dpaulgdavis-commail39-suw13-rsgsv-net\/"},"modified":"2021-12-30T11:38:52","modified_gmt":"2021-12-30T11:38:52","slug":"fromreply-totodatemessage-idlist-idlist-unsubscribesendercontent-typemime-version-imail3dpaulgdavis-commail39-suw13-rsgsv-net","status":"publish","type":"post","link":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/2016\/09\/11\/fromreply-totodatemessage-idlist-idlist-unsubscribesendercontent-typemime-version-imail3dpaulgdavis-commail39-suw13-rsgsv-net\/","title":{"rendered":"From:Reply-To:To:Date:Message-ID:List-ID:List-Unsubscribe:Sender:Content-Type:MIME-Version; i=mail=3Dpaulgdavis.com@mail39.suw13.rsgsv.net;"},"content":{"rendered":"<p>[From the desk of Paul Davis &#8211; his opinions and no-one else&#8217;s]<br \/>\nApart from the reporter&#8217;s opinions \ud83d\ude09<br \/>\nSo onto the news:<\/p>\n<p>Analyzing Spear Phishing Attacks<br \/>\nIn this post, we recommend defenses and key performance indicators for Phase 3:Analyze.<br \/>\nOnce an attack is detected, it needs to be analyzed to determine the best mitigation strategy.<br \/>\nThe objective of the Analyze phase is to quickly establish sufficient threat context to drive the appropriate next action.<br \/>\nTo manage the Analyze phase and assess effectiveness, consider the following key performance indicators.<br \/>\nTime-to-assess<br \/>\nTime-to-context<br \/>\nCompleteness of context<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage2.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=2f97768238&#038;e=20056c7556<\/p>\n<p>The Cyber Hunting Maturity Model<br \/>\nMany organizations are quickly discovering that threat hunting is the next step in the evolution of the modern SOC, but remain unsure of how to start 
hunting or how far along they are in developing their own hunt capabilities.<br \/>\nHow can you quantify where your organization stands on the road to effective hunting?<br \/>\nWith a general model that can map hunting maturity across any organization.<br \/>\nWith that definition of hunting in mind, let&#8217;s consider what makes a good hunting program.<br \/>\nThere are three factors to consider when judging an organization&#8217;s hunting ability: the quality and quantity of the data they collect for hunting, the tools they provide to access and analyze the data, and the skills of the analysts who actually use the data and the tools to find security incidents.<br \/>\nThe Hunting Maturity Model, developed by Sqrrl&#8217;s security architect and hunter David Bianco, describes five levels of organizational hunting capability, ranging from HMM0 (the least capable) to HMM4 (the most).<br \/>\nLet&#8217;s examine each level in detail.<br \/>\nCISOs that hear that their organization needs to &#8220;get a hunt team&#8221; may legitimately be convinced that an active detection strategy is the right move, and yet still be confused about how to describe what a hunt team&#8217;s capability should actually be.<br \/>\nA maturity model will ideally help anyone thinking of getting into hunting get a good idea of what an appropriate initial capability would be.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=c10d19d8b9&#038;e=20056c7556<\/p>\n<p>Introduction to Web fraud detection systems<br \/>\nWeb fraud detection systems typically focus on new account origination, account takeover and payment fraud.<br \/>\nWith account takeover and new account origination fraud detection, organizations attempt to root out unauthorized or fraudulent users posing as legitimate users.<br \/>\nPayment fraud detection involves determining whether purchases are being or have been made with stolen payment cards.<br \/>\nSome vendors also offer fraud intelligence services, authentication, malware detection (such as man-in-the-browser infections on computers and mobile devices) and secure clients, as well as managed services in which the vendor is primarily responsible for monitoring and taking action on instances of fraud.<br \/>\nWeb fraud detection software (or cloud-based service) runs background processes that scan transactions and score them based on the possibility of fraud.<br 
\/>\nTo detect fraud, vendors typically use a predictive behavioral scoring model, in which an account holder&#8217;s behavior is the predominant criteria, or a rule-based system that uses pattern recognition.<br \/>\nSome products or services use both types of scoring models.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=3b85cf3cb6&#038;e=20056c7556<\/p>\n<p>Best CISO\/CSO Award Goes to SecureWorld National Advisory Council Member<br \/>\nViewpost North America announced that its Chief Security Officer, Christopher Pierson, has been named recipient of the Best CISO\/CSO Award presented by FireEye, Inc.<br \/>\nOver the past four years, Pierson and his team have designed and implemented cybersecurity and compliance programs with a B2B-focused approach to earn the trust and goodwill of its customers and partners.<br \/>\nPierson also serves as an appointed member of the Department of Homeland Security\u2019s Data Privacy and Integrity Advisory Committee and Cybersecurity Subcommittees, is a Distinguished Fellow of the Ponemon Institute, and serves as a member of the National Advisory Board of SecureWorld.<br \/>\nPrior to joining Viewpost in 2012, he was the SVP, Chief Privacy Officer for the Royal Bank of Scotland\u2019s U.S. 
banking operations.<br \/>\nViewpost and Pierson are no strangers to recognition for their diligent implementation of cybersecurity measures and programs.<br \/>\nEarlier this year, Viewpost was named winner of the 2015 CSO50 Award in recognition of the robust security built into its network architecture at the guidance of Pierson\u2019s team.<br \/>\nThe annual award by IDG\u2019s CSO recognizes the 50 security projects and initiatives that have delivered the most groundbreaking business value through the innovative application of risk and security concepts and technologies.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=6f2c8974dd&#038;e=20056c7556<\/p>\n<p>Oracle points patching firehose at 154 vulnerabilities<br \/>\nSysadmins forced by circumstance or folly to support Java can get busy again, with 25 fixes for the product among the Scarlet Letter&#8217;s regular patch notice.<br \/>\nThe good news is that Oracle says none of the vulnerabilities in its mammoth bug-splat had been exploited as of 19 October.<br \/>\nThe fixes to Java SE and Java SE Embedded cover vulnerabilities in the CORBA (Common Object Request Broker Architecture), Remote Method Invocation (Java RMI), Java FX, serialisation, 2D, Java API for XML Processing (JAXP), Java Generic Security Services (JGSS), security and deployment sub-components, as well as various library flaws.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=2fc01892b8&#038;e=20056c7556<\/p>\n<p>Tripwire Releases IP Expo Survey on Supply Chain Cyber Security<br \/>\nAccording to Tripwire\u2019s survey, 63 percent of the respondents said their organisation would refuse to use partners and suppliers that failed to meet their IT security standards.<br \/>\nDespite these concerns, only 53 percent of the respondents require partners and suppliers to pass security audits.<br \/>\nAdditional survey findings included:<br 
\/>\n&#8211; 62 percent of the respondents said they are required to meet their customers\u2019 security standards, and 63 percent believe their customers would lose confidence in them if one of them suffered a serious data breach.<br \/>\n&#8211; 46 percent of respondents said they would lose contracts and be fined by a regulator or government agency if one of their partners or suppliers suffered from a serious data breach.<br \/>\n&#8211; 22 percent of respondents said their organisations do not have the resources to check supplier contracts and ensure they meet their businesses&#8217; security requirements.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=9689e1702f&#038;e=20056c7556<\/p>\n<p>Federal Government Announces New HIPAA Privacy Audits for Companies That Handle Healthcare Data<br \/>\nHere&#8217;s some news for companies that have to comply with the privacy provisions of the Health Insurance Portability and Accountability Act (&#8220;HIPAA&#8221;).<br \/>\nThe U.S. Department of Health and Human Services (&#8220;HHS&#8221;) has announced plans to begin auditing compliance in early 2016.<br \/>\nThe announcement of a new, permanent audit program follows criticism from the HHS Office of Inspector General (&#8220;OIG&#8221;) in two reports examining HIPAA enforcement.<br \/>\nOIG expressed the need for a permanent audit program, noting that &#8220;[w]ithout fully implementing such a program, OCR [the HHS Office of Civil Rights] cannot proactively identify covered entities that are noncompliant with the privacy standard.&#8221; Currently, HHS relies primarily on complaints or tips, and voluntary disclosures of data breaches, as the bases for investigating alleged HIPAA violations.<br \/>\nOCR indicated that it will target high-risk areas and entities which have consistently been non-compliant, and include both onsite visits and remote desk reviews.<br \/>\nThe audits will also include both covered 
entities and their business associates.<br \/>\nWith the audits expected to begin in early 2016, covered entities and their business associates should consider reviewing and following the HIPAA Audit Program Protocol, which addresses privacy, security, and breach notification.<br \/>\nHHS is in the process of updating the protocol, and you may keep up with new developments here.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=21b72a484f&#038;e=20056c7556<\/p>\n<p>Australia: Metadata retention commences, but breach notification is delayed<br \/>\nOn 13 October 2015, substantial amendments to the Australian Telecommunications (Interception and Access) Act 1979 (Cth) (TIA) took effect to introduce a new metadata retention scheme into the TIA.<br \/>\nThis scheme requires telecommunications carriers and internet service providers (telcos) operating in Australia to maintain records of certain telecommunications data, known as \u2018metadata\u2019, for a period of two years.<br \/>\nUnder the metadata retention scheme, the metadata to be kept includes:<br \/>\n&#8211; subscriber or account-holder details;<br \/>\n&#8211; the source of the communication (whether it is an account, service or device);<br \/>\n&#8211; the destination of the communication (whether it is an account, service or device);<br \/>\n&#8211; the date, time and duration of the communication or connection;<br \/>\n&#8211; the type of communication (voice, SMS, email, instant message, forum post or social media) and the type of service used (such as ADSL, Wi-Fi, VoIP or a 3G or 4G telecommunications network); and<br \/>\n&#8211; the location of the equipment or device at the start and end of the communication (such as a mobile tower or Wi-Fi hotspot).<br \/>\nUnder the scheme, metadata is required to be retained so that law enforcement and security agencies can access this data for law enforcement and security purposes (which they can do without 
needing to first obtain a warrant).<br \/>\nIn the case of metadata relating to journalists, a specific \u2018journalist information warrant\u2019 must be obtained before an agency can access metadata about a journalist.<br \/>\nOnce mandatory data breach notification does become law, and there now seems little doubt this will occur during the course of the next year or so, it will put a whole new spin on privacy reform.<br \/>\nThere will be nowhere to hide in the case of a serious privacy breach, with the very real prospect of a costly class action following the breach.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage2.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=46a1b6975e&#038;e=20056c7556<\/p>\n<p>Employee activities that every security team should monitor<br \/>\nIT security professionals typically have no visibility into what users are actually doing once logged in, but instead are drowning in log data that tells them just about everything else about their environments.<br \/>\nOrganizations are rightly concerned about this lack of oversight.<br \/>\nA recent study by the Ponemon Institute and ObserveIT found that 71 percent of more than 600 security practitioners discovered major deficiencies in their monitoring of users and their application usage.<br \/>\nThe survey also uncovered three types of business applications that are the top sources of risk for insider threat:<br \/>\n&#8211; Ecommerce<br \/>\n&#8211; Financial<br \/>\n&#8211; CRM<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=a4d5f45fdd&#038;e=20056c7556<\/p>\n<p>============================================================<br \/>\nFeedback, questions? 
Our mailing address is: ** dailynews@paulgdavis.com (mailto:dailynews@paulgdavis.com)<\/p>\n<p>If you know someone else who would be interested in this Newsalert, please forward this email.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>[From the desk of Paul Davis &#8211; his opinions and no-one else&#8217;s] Apart from the reporter&#8217;s opinions \ud83d\ude09 So onto the news: Analyzing Spear Phishing Attacks In this post, we recommend defenses and key performance indicators for Phase 3:Analyze. 
Once an attack is detected, it needs to be analyzed to&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[29],"tags":[],"class_list":["post-1162","post","type-post","status-publish","format-standard","hentry","category-news"],"_links":{"self":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1162","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=1162"}],"version-history":[{"count":1,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1162\/revisions"}],"predecessor-version":[{"id":3649,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1162\/revisions\/3649"}],"wp:attachment":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=1162"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=1162"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/tags?post=1162"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}