[From the desk of Paul Davis – his opinions and no-one else’s]
\nApart from the reporter’s opinions \ud83d\ude09
\nSo onto the news:<\/p>\n
Strengthening IIROC-Regulated Firms\u2019 Risk Management – IIROC Publishes Resources To Help Dealers Increase Cybersecurity Preparednes
\nThe Investment Industry Regulatory Organization of Canada (IIROC) today published two resources to help IIROC-regulated firms protect themselves and their clients against cyber threats and attacks.
\nThe Cybersecurity Best Practices Guide provides an enterprise-wide risk-based framework of industry standards and best practices that IIROC-regulated firms can apply to heighten awareness and manage cyber risks in an evolving environment.
\nThe Cyber Incident Management Planning Guide is a complementary tool for firms to prepare effective response plans for cyber threats and attacks.
\nThese resources were produced by a leading security consulting firm, engaged by IIROC, which has worked with other Canadian financial services regulators on cybersecurity matters.
\nThis initiative follows from previous work IIROC conducted including a survey of its membership, a table-top exercise, as well as input from industry representatives.
\nIIROC also reviewed approaches used by other domestic and global financial services regulators.
\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=e25b1d26a7&e=20056c7556<\/p>\n
Blue Ridge\u00ae Networks and Venture Group Enterprises (VGE) Launch Sales of AppGuard\u00ae Business
\nThe biggest challenge in starting the conversation about the need for a SOC is justifying the cost to people who don’t understand the threat landscape or the value of being proactive rather than reactive about security.
\nAccording to the 2015 Verizon Data Breach Investigation Report, “In 60% of cases, attackers are able to compromise an organization within minutes,” and “75% of attacks spread from Victim 0 to Victim 1 within one day (24 hours).” Waiting to react to a breach until after damage has been done will most likely lead to an extremely costly recovery.
\nWe have all seen in the news the amount of money lost from data breaches.
\nShowcasing a few data breach examples from a source such as DataLossDB will surely make your point.
\nStep 1: Planning the SOC
\nSteps 2\u20133: Designing and Building the SOC
\nStep 4: Operating the SOC
\nStep 5: Reviewing the SOC
\nWith all these requirements, it is easy to see why SOCs might fail to fulfill their initial promise.
\nNo SOC is perfect, but a healthy SOC can evolve for the better.
\nEfforts to maintain, review, and improve your SOC are fundamental to its long-term viability.
\nRemember, running a SOC is a journey, not a destination.
\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=3bfab542bd&e=20056c7556<\/p>\n
Cloud-Trust\u2014a Security Assessment Model for Infrastructure as a Service (IaaS) Clouds
\n[Publication] The vulnerability of Cloud Computing Systems (CCSs) to Advanced Persistent Threats (APTs) is a significant concern to government and industry.
\nWe present a cloud architecture reference model that incorporates a wide range of security controls and best practices, and a cloud security assessment model \u2013 Cloud-Trust \u2013 that estimates high level security metrics to quantify the degree of confidentiality and integrity offered by a CCS or cloud service provider (CSP).
\nCloud-Trust is used to assess the security level of four multi-tenant IaaS cloud architectures equipped with alternative cloud security controls and to show the probability of CCS penetration (high value data compromise) is high if a minimal set of security controls are implemented.
\nCCS penetration probability drops substantially if a cloud defense in depth security architecture is adopted that protects virtual machine (VM) images at rest, strengthens CSP and cloud tenant system administrator access controls, and which employs other network security controls to minimize cloud network surveillance and discovery of live VMs.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=b156abb3de&e=20056c7556<\/p>\n
How fake users are impacting business \u2026 and your wallet
\nAccording to \u201cThe Fraud Report: How Fake Users are Impacting Business,\u201d [PDF] a study released by TeleSign, a mobile identity solutions company, and the Ponemon Institute, a research institute, 82 percent of companies struggle with fake users.
\nThey surveyed 584 U.S. and 414 U.K. individuals who are involved in the registration, use or management of user accounts.
\nAverage value of user base of the respondents: $117 million.
\nThat’s a lot of big targets for hackers to go after.
\nAnd they’re doing, well, everything.
\nAccording to the study, 30 percent of fake users are there to spam real site users.
\nTwenty-seven percent want to steal confidential information; 14 percent are after social engineering, 10 percent want information for phishing, six percent are hoping to take over an account, four percent want to create both chaos and disruption and credit card fraud, and three percent want to create fake reviews.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=35ec6347ca&e=20056c7556<\/p>\n
Microsoft now taking on Man in the Middle ad injection and browser hijacking
\nMicrosoft has decided that enough is enough and they are now focused on giving users back full control over their system.
\nThe way they will do this is through their Adware objective criteria and the way their anti malware products identify and remove unwanted and malicious software.
\nYesterday, Microsoft added a new criteria that will be used to identify these man in the middle attacks and any software violating this criteria will be added to their malware definitions with settings to detect and remove the offending software.
\nMicrosoft will begin removing any software programs that violate the above criteria on 31 March 2016.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=30f187606f&e=20056c7556<\/p>\n
I\u2019m Yelling Tinba! Trojan Sets Sights on Singapore Banks for Holiday Season
\nIBM X-Force malware researchers have uncovered an aggressive malware campaign targeting banks in Asia.
\nThe campaign, which uses the Tinba v3 banking Trojan to infect potential victims, has its sights set on business and corporate accounts held with nine major bank brands in Singapore.
\nWhile other countries are also targeted, the amount of Singaporean bank brands on the malware gang\u2019s list top the chart.
\nThe country accounts for more than one-third of all targeted brands.
\nTinba\u2019s most common infection method is through the Angler exploit kit, with users lured via malvertising campaigns.
\nThis infection approach is especially insidious because it can compromise popular, legitimate websites and serve poisoned ads.
\nThe infection itself is a drive-by download that takes place automatically and without the user ever seeing it occur.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=ef68616b07&e=20056c7556<\/p>\n
NEW DELHI: Dirty streets aren’t the only thing the Narendra Modi government hopes to clean up. After ‘Swachh Bharat’ campaign, the Indian government plans to ensure the cleanliness in the online world too, with a ‘Digital Swachhata Kendra’ or cyber hygiene centre, for analysis of malware and botnet
\nNEW DELHI: Dirty streets aren’t the only thing the Narendra Modi government hopes to clean up.
\nAfter ‘Swachh Bharat’ campaign, the Indian government plans to ensure the cleanliness in the online world too, with a ‘Digital Swachhata Kendra’ or cyber hygiene centre, for analysis of malware and botnets that affect networks and systems.
\n“The pilot project is going on, and subject to approvals from the (IT) minister, we want to call it the Digital Swachhata Kendra,” a senior official of the Indian Computer Emergency Response Team (CERT-In) told ET.
\nThe malware analysis and botnet cleaning centre was announced earlier this year, with an outlay of Rs 100 crore, and is being implemented by CERT-In as part of Digital India.
\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=9209792b7c&e=20056c7556<\/p>\n
Threats targeting operational technology in critical infrastructures highlight the need for Industrial Control Systems Security, according to Frost & Sullivan
\nSINGAPORE, Dec. 23, 2015 \/PRNewswire\/ — In line with the Industry 4.0 Mega Trend, diverse industries have accelerated the adoption of Internet of Things (IoT).
\nIndustry players have been exploring ways to enhance their efficiency and competitiveness by harnessing the benefits of IoT and standardizing protocols relating to Internet Protocol (IP).
\nThis movement toward digital transformation in manufacturing, utilities, transportation, and grids has highlighted the need for industrial control systems (ICS) security during the design phase.
\nNew analysis from Frost & Sullivan, Asia-Pacific Industrial Control Systems Security Market [http:\/\/www.frost.com\/sublib\/display-report.do?id=P8A5-01-00-00-00&src=PR] (http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=16e3416770&e=20056c7556 [http:\/\/www.frost.com\/sublib\/display-report.do?id=P8A5-01-00-00-00&src=PR]), finds that the market earned revenues of US$162.9 million in 2014 and estimates this to reach US$1.18 billion in 2019.
\nThe study provides detailed threat analysis, market forecasts from 2014 to 2019, as well as identifying the drivers and restraints.
\nIn response to customers’ concerns, ICS security vendors are working on technologies that can be implemented without affecting the availability of existing equipment or workstations.
\nMeanwhile, industries are becoming increasingly aware of the cyber attacks affecting plants’ uptime.
\nIt has been observed that some energy plants in Asia Pacific understand the potential cyber threats to their operations and have encouraged them to comply with ICS security guidelines such as the North American Electric Reliability Corporation’s Critical Infrastructure Protection (NERC-CIP) or National Institute of Standards and Technology (NIST).
\nGovernments in Asia-Pacific are also expected to give priority to security and mandate or recommend effective cyber security measures for their critical infrastructure.
\nFor instance, the Japanese Government has been proactive in promoting ICS security.
\nIt established the National Center of Incident Readiness and Strategy for Cybersecurity (NISC), which, in turn, established the Capability for Engineering of Protection, Technical Operation, Analysis and Response (CEPTOAR) Council to facilitate information sharing among critical infrastructure verticals.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=88d2eeb523&e=20056c7556<\/p>\n
New Hunting Grounds for Hackers in 2016
\nWatchGuard\u00ae Technologies, a leader in multi-function firewalls, revealed its full list of 10 new information security predictions for 2016.
\nWatchGuard\u2019s security research highlights new and emerging threat trends that include: advanced ransomware moving on to alternate platforms; an increase in targeted iOS attacks; and a new hunting ground for criminals to find data that leads to identity theft.
\nRansomware Reaches New Platforms:
\nSocial Engineering Keeps People as Your Biggest Threat:
\nSMB Security Breaches Go Back to Basics:
\nMalware on iOS Will Rise:
\nMalvertising Increases by Leveraging Encryption:
\nAutomation Brings Security to the Next Level:
\nCyber Criminals Go Back to School to Get Data:
\nHijacked Firmware Attacks the Internet of Things:
\nWireless \u201cEase-of-Use\u201d Features Expose the Next Big Wireless Flaw:
\nHacktivists Hijack Broadcast Media:
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=de3621f615&e=20056c7556<\/p>\n
Hyatt hotel chain warns customers to check accounts after malware discovery sparks hacking fears
\nThe Hyatt hotels chain has warned customers to check their accounts for unauthorized charges after finding a malicious software in its IT systems.
\nThe Hyatt hotels chain has warned customers to check their accounts for unauthorized charges after finding a malicious software in its IT systems.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=7ec44226d9&e=20056c7556<\/p>\n
Rely on cloud security policy — not tools — to protect AWS
\nAWS boosted its security management offerings at re:Invent, but the cloud provider’s shared responsibility model means developers must be attentive and implement policies.
\nAt AWS re:Invent 2015, the cloud provider announced two new security services and improved security on an existing product.
\nThe AWS Web Application Firewall is a new tool that’s useful, but hardly groundbreaking; the other two products squarely tackled the problem of overly complex security administration.
\nThese new services complement AWS Trusted Advisor, which analyzes an environment to identify ways to improve performance, security and reliability to reduce cost.
\nAmazon Inspector audits security compliance by comparing the configuration of server instances, networks and storage against a knowledge base of hundreds of rules, looking for violations of best practices and standards like PCI DSS.
\nThese include potential issues like allowing remote root logins, unpatched software with known vulnerabilities or leaving network ports unnecessarily open.
\nInspector generates a prioritized report of each violation and suggests remediation steps.
\nAWS Config Rules is an improvement to AWS Config, which adds templates and guidelines using a mix of prebuilt AWS best practices and a user’s custom rules to flag errors in provisioning and configuring resources.
\nThe service continuously monitors the environment to ensure resources remain compliant.
\nExample rules include mandating that volumes are encrypted, all Elastic Compute Cloud instances are tagged properly and that CloudTrail is enabled on all resources to log API calls.
\nOne of the major announcements out of Microsoft’s AzureCon event was Azure Security Center, a service that consolidates security management and monitoring under a single portal.
\nFor example, admins can quickly see if VM images and configurations are up to date, configured according to predefined standards or Microsoft guidelines and running necessary security software.
\nFrom the same portal, admins can also check on network and database settings like ensuring that virtual networks are members of the correct security groups and have properly set access control lists or whether SQL databases are encrypted.
\nSecurity Center also draws upon threat intelligence data Microsoft collects from all Azure deployments and notifies customers of unusual or threatening activity.
\nFor example, Microsoft has built a reputation database of known bad sites, such as those part of botnet control networks.
\nAlthough not as ambitious as its competitors’ new services, Google has recently automated a key security task, vulnerability scanning, for its platform as a service App Engine customers.
\nThe company’s Security Scanner “\u2026 crawls your application, following all links within the scope of your starting URLs, and attempts to exercise as many user inputs and event handlers as possible,” according to company documentation.
\nSecurity Scanner can detect the following vulnerabilities: XSS cross-site scripting), Flash injection, mixed content — fetching unencrypted HTTP content on an SSL HTTPS page — and usage of insecure JavaScript libraries.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=9981133e40&e=20056c7556<\/p>\n
Yahoo will now tell you if your account is attacked by government hackers
\nYahoo has announced in a blog post that it will warn users if it thinks their accounts are being attacked by state-sponsored hackers. (We saw the news over on ZDNet.)
\nYahoo joins a number of other tech companies aking similar measures as privacy issues becoming increasingly front-and-centre: Facebook, Google and Twitter all warn you if they think you’re being targeted.
\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=73a79675fd&e=20056c7556<\/p>\n
Panda Security: New Malware Hit 230,000 Per Day in 2015
\nNew malware will grow exponentially in 2016, with cyber-criminals increasingly taking to JavaScript and PowerShell to launch successful attacks against their victims, according to Panda Security.
\nIt warned of an increase in infections via JavaScript and Windows admin tool PowerShell.
\nPanda\u2019s prediction of an exponential rise in new malware is not quite in line with the predictions of some of its rivals, who see malware growth slowing.
\nElsewhere, Panda predicted mobile and Internet of Things devices would be increasingly under fire next year.
\nWhen it comes to Android, cyber-criminals are likely to launch more threats designed to root the device\u2014making it almost impossible for AV tools to stop.
\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=f90871ece7&e=20056c7556<\/p>\n
Java plug-in malware alert to be issued by Oracle
\nMillions of Java users are to be warned that they could be exposed to malware as a result of a flaw that existed in the software’s update tool.
\nIts distributor Oracle has agreed to issue an alert on both social media and its own site following an investigation by the US’s Federal Trade Commission.
\n“The security issues allowed hackers to craft malware that could allow access to consumers’ usernames and passwords for financial accounts, and allow hackers to acquire other sensitive information,” the FTC said.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=e752a8aa0c&e=20056c7556<\/p>\n
[Imperva] Botnet trafffic in 2015 – the invisible force that wants to eat the Internet
\n[Imperva] Millions of Java users are to be warned that they could be exposed to malware as a result of a flaw that existed in the software’s update tool.
\nIts distributor Oracle has agreed to issue an alert on both social media and its own site following an investigation by the US’s Federal Trade Commission.
\n“The security issues allowed hackers to craft malware that could allow access to consumers’ usernames and passwords for financial accounts, and allow hackers to acquire other sensitive information,” the FTC said.
\nThe firm’s figures for 2015 (measured between July and October on websites using the firm’s security) found that roughly half of all traffic was generated by automated bots, both good ones such as search engine spiders (19.5 percent) and bad ones such as spam engines and pricing scrapers as well as DDoS traffic (29 percent).
\nOnly a fraction over half was initiated by a person clicking a mouse.
\nLink: http:\/\/paulgdavis.us3.list-manage2.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=dddcfce12f&e=20056c7556<\/p>\n
Four Security Issues All Business Contracts Should Address
\nA recent lawsuit provides a nice case study for how businesses\u2019 contracts can play a critical role in their cybersecurity strategy.
\nBefore the court is this question: Who was responsible for maintaining cybersecurity safeguards for a bank\u2019s website, the bank or the company that designed and hosted the website?
\nThe dispute in Travelers Casualty and Surety Co. of America v.
\nIgnition Studio, Inc. reveals that their contract did not address several important cybersecurity issues.
\nThis case began with Alpine Bank, a financial institution, hiring Ignition Studio, a professional website design company, to design and host its website.
\nIgnition Studio designed and, apparently, hosted the website for Alpine Bank.
\nSome time later, hackers attacked the website and caused a data breach that caused Alpine Bank to incur $154,711.34 in expenses to comply with its data breach response obligations.
\nAlpine Bank made an insurance claim to Travelers.
\nTravelers paid the claim and then sued Ignition Studio to recover the amount of the losses.
\nTravelers\u2019 Complaint alleged causes of action based on negligence and breach of contract.
\nFour Basic Cybersecurity Issues Today\u2019s Business Contracts Should Address
\n– What cybersecurity standards apply to the project.
\nAre there specific regulatory or industry standards governing either party, or other unique circumstances, that require certain cybersecurity standards?
\nWhat are each of the parties\u2019 responsibilities for taking steps to ensure that the project is protected by adequate cybersecurity safeguards.
\nWhat steps will be taken.
\nHow will they be implemented?
\n– What procedures are in place for verifying, whether by audit or otherwise, that the agreed upon cybersecurity safeguards are being used.
\nWhat are the remedies if they are not?
\n– What are the parties\u2019 requirements for notifying each other in the event of an incident.
\nIf one occurs, what are their respective obligations?
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=4042ce0f2e&e=20056c7556<\/p>\n
Highlights of Europe\u2019s New Global Data Protection Law
\nAfter nearly four years of amendments and negotiations, the European Parliament, Council of the European Union and European Commission reached a political agreement on the proposed General Data Protection Regulation (GDPR) on December 15, 2015.
\nPending a legal-linguistic review of the texts and final votes from the European Parliament and Council, the GDPR will be published in the Official Journal of the European Union and will take effect two years after such publication (expected Spring 2018).
\nThis will change not only how Europe regulates personal data but how we as a global society regulate the Internet.
\nAdditionally, the GDPR introduces significant penalties for breaches of the GDPR: up to 4 percent of an entity\u2019s total worldwide annual revenue.
\nPenalties will apply to all data processing by an establishment in Europe, regardless of where that processing takes place.
\nIf an entity is established outside of Europe, the GDPR will apply to that entity if the entity is (1) offering goods or services in Europe (including free services); or (2) monitoring behavior in Europe.
\nMonitoring behavior may be broadly applied to include ordinary web analytics on any website, thereby bringing many websites potentially within the scope of the GDPR.
\nOther notable changes include the following:
\n– Harmonized Law.
\n– Broad Definition of Personal Data.
\n– Two Kinds of Consent.
\n– Children.
\n– No More Registration.
\n– Data Protection Officers.
\n– Data Protection Impact Assessments.
\n– Accountability and Records.
\n– One-Stop Shop and the European Data Protection Board.
\n– Broad Enforcement Rights.
\n– Quasi Class Actions.
\n– Profiling.
\n– Data Breach Notification.
\n– New Individual Rights.
\n– Data Protection by Design and by Default.
\n– Obligations on Processors.
\n– Restrictions on Data Transfers.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=16e0c02d46&e=20056c7556<\/p>\n
============================================================
\nFeedback, questions? Our mailing address is: ** dailynews@paulgdavis.com (mailto:dailynews@paulgdavis.com)<\/p>\n
If you know someone else who would be interested in this Newsalert, please forwarded this email.
\nIf you want to be added to the distribution list, please click this: ** Subscribe to this list (http:\/\/paulgdavis.us3.list-manage.com\/subscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a)<\/p>\n
** Unsubscribe from this list (http:\/\/paulgdavis.us3.list-manage.com\/unsubscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556&c=335b06bf26)<\/p>\n
** Update subscription preferences (http:\/\/paulgdavis.us3.list-manage1.com\/profile?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556)<\/p>\n","protected":false},"excerpt":{"rendered":"
[From the desk of Paul Davis – his opinions and no-one else’s] Apart from the reporter’s opinions \ud83d\ude09 So onto the news: Strengthening IIROC-Regulated Firms\u2019 Risk Management – IIROC Publishes Resources To Help Dealers Increase Cybersecurity Preparednes The Investment Industry Regulatory Organization of Canada (IIROC) today published two resources to…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[29],"tags":[],"class_list":["post-1181","post","type-post","status-publish","format-standard","hentry","category-news"],"_links":{"self":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1181","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=1181"}],"version-history":[{"count":1,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1181\/revisions"}],"predecessor-version":[{"id":3668,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1181\/revisions\/3668"}],"wp:attachment":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=1181"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=1181"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/tags?post=1181"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}