{"id":1191,"date":"2016-09-11T00:00:00","date_gmt":"2016-09-11T00:00:00","guid":{"rendered":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/2016\/09\/11\/fromreply-totodatemessage-idlist-idlist-unsubscribesendercontent-typemime-version-imail3dpaulgdavis-commail12-atl31-mcdlv-net\/"},"modified":"2021-12-30T11:38:56","modified_gmt":"2021-12-30T11:38:56","slug":"fromreply-totodatemessage-idlist-idlist-unsubscribesendercontent-typemime-version-imail3dpaulgdavis-commail12-atl31-mcdlv-net","status":"publish","type":"post","link":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/2016\/09\/11\/fromreply-totodatemessage-idlist-idlist-unsubscribesendercontent-typemime-version-imail3dpaulgdavis-commail12-atl31-mcdlv-net\/","title":{"rendered":"From:Reply-To:To:Date:Message-ID:List-ID:List-Unsubscribe:Sender:Content-Type:MIME-Version; i=mail=3Dpaulgdavis.com@mail12.atl31.mcdlv.net;"},"content":{"rendered":"<p>[From the desk of Paul Davis &#8211; his opinions and no-one else&#8217;s]<br \/>\nApart from the reporter&#8217;s opinions \ud83d\ude09<br \/>\nAlso, would it help to include a table of contents at the beginning of the email?  This would make the email message longer, but might make it easier to jump to the sections you are interested in.  
Send an email to mail@paulgdavis.com if you think it is a good idea.<br \/>\nSo onto the news:<\/p>\n<p>New European police centre to fight terrorism<br \/>\nA new European counter-terrorism centre opening this month will improve information-sharing among national police forces whose performance is under scrutiny after the jihadist attacks in Paris in November, the director of Europol has told AFP.<br \/>\nAlthough the creation of the centre was announced seven months before the Paris attacks, the coordinated shootings and suicide bombings in the French capital by a team mainly based in neighboring Belgium have given the 28-country project new impetus.<br \/>\nThe centre at Europol&#8217;s headquarters in the Hague will also monitor the way in which Islamic State (IS) and other extremist groups &#8220;are abusing the Internet and social media, in particular for their propaganda and recruitment purposes,&#8221; he added.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=310db3cdcd&#038;e=20056c7556<\/p>\n<p>Cost of data breach investigations might rise in light of US case against IT security company, says expert<br \/>\nCyber liability specialist Ian Birdsey of Pinsent Masons, the law firm behind Out-Law.com, said the threat of legal action could result in IT security companies taking longer to carry out investigative work they have been contracted to undertake in the aftermath of a data breach.<br \/>\nBirdsey was commenting after Affinity Gaming, a casino operator in the US, launched legal action against IT security company Trustwave.<br \/>\nAffinity Gaming has claimed that Trustwave had made false representations about the security of data on Affinity Gaming&#8217;s systems.<br \/>\nBirdsey said that the US case might encourage IT security companies to take steps to minimise their liability.<br \/>\n&#8220;This might include amending letters of engagement to address the new threat of legal action against 
them,&#8221; Birdsey said. &#8220;They could also seek to revise contractual terms on limitations and exclusions in an attempt to avoid liability for losses stemming from any gaps that are later found in their work or findings.&#8221;<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=407ec77d27&#038;e=20056c7556<\/p>\n<p>Securing our smart infrastructure<br \/>\nIn recent months, two major cyber security breaches have come to light.<br \/>\nFirst, the website of the Indian Space Agency\u2019s commercial arm, Antrix Corporation, was hacked.<br \/>\nThe hackers succeeded in defacing the homepage with an article about 300 kids from Cape Town getting American Major League jerseys at cheap prices from China.<br \/>\nAnd, second, the Oil and Natural Gas Corporation Ltd (ONGC) is alleged to have lost Rs 197 crore after cyber criminals duplicated the public sector firm\u2019s official e-mail address with minor changes and used it to convince a Saudi Arabia-based client, Aramco, to transfer payments to their account.<br \/>\nBoth of these incidents are a grim reminder to the government as well as businesses that a lot needs to be done when it comes to cyber security in the country.<br \/>\nWith the government embarking on the creation of a digital highway and the building of smart cities, cyber vulnerabilities need to be reduced, and it must be ensured that hackers are unable to use the same digital highway and smart platform to steal vital information.<br \/>\nUnfortunately, the under-reporting of cyber security incidents is the norm these days.<br \/>\nGlobally, security companies are witnessing subdued demand for anti-virus solutions, leading to an enhanced focus on the enterprise market.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=eaf30307ab&#038;e=20056c7556<\/p>\n<p>No One Knows How Much Cybercrime Really Costs<br \/>\n\u201cMany of the private-sector reports are basically marketing brochures 
from organizations with a strong interest in scaremongering,\u201d says Ross Anderson, a professor of security engineering at the University of Cambridge.<br \/>\nAnd law enforcement agencies and police don\u2019t have good statistics on the incidence and costs of cybercrime because they have not updated their operations for the Internet era as well as criminals have, he says.<br \/>\nA European Union research project recently concluded that a lack of clear figures on costs was preventing companies as well as governments and law enforcement from making good decisions about security.<br \/>\nAnderson and colleagues at Cambridge are in the process of setting up a new research center that could help clear up that confusion.<br \/>\nThe Cambridge Cloud Cybercrime Center will operate as a kind of clearinghouse for data from major companies\u2014data that can be mined to discover the patterns of criminal activity. \u201cWe\u2019ve got to be able to measure cybercrime to be effective in doing anything about it,\u201d says Anderson.<br \/>\nTalks are under way with Google, Yahoo, and others interested in donating data.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=479008bf88&#038;e=20056c7556<\/p>\n<p>CISOs should take security training seriously<br \/>\nA once-a-year, classroom-based approach may be traditional, with security updates and warnings posted on walls and the Intranet, but it is also a sign of a tick-box, compliance-driven approach to security.<br \/>\nIt is often done to appease industry regulators, PCI and data protection authorities, and the training can offer relatively basic \u2013 arguably condescending \u2013 advice.<br \/>\nBut times are changing.<br \/>\nThe threat landscape is growing with the arrival of millions of mobiles and wearables, each with their own IP address, while organized crime and nation-state APT groups are looking at new ways of compromising victims.<br \/>\nFrom exploit kits and 
Trojans to ransomware, phishing and social engineering scams \u2013 the criminal game has moved on.<br \/>\nOne study, commissioned by ClubCISO last year, found that 21 percent of CISOs had \u2018never\u2019 given security training, with a further 21 percent indicating that they only did so when new staff joined the company.<br \/>\nThirty-seven percent said they carried out training on an annual basis and another 21 percent agreed that this was carried out \u201cfrequently\u201d.<br \/>\nIt is clear that establishing a positive training program must start with board backing.<br \/>\nThe experts are mixed on the new trend for \u2018gamifying\u2019 training, though.<br \/>\nSjouwerman says that phishing games between departments can drive lower click rates, but Wood stresses that it must not be a gimmick, and must be joined up with an existing program.<br \/>\nStarnes, who urges CISOs to establish KPIs to establish training effectiveness, adds: \u201cThere cannot be a culture of blame.<br \/>\nI would rather have someone recognize they have made a mistake and notify security.<br \/>\nIf they do not notify security because they are concerned they may be punished, your awareness program has failed at the worst possible time.\u201d<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=ef5c16c7b8&#038;e=20056c7556<\/p>\n<p>Vital OpenSSL patch coming<br \/>\nSo, when Mark Cox, senior director of Red Hat product security and a founding OpenSSL member, writes the &#8220;OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.0.2f and 1.0.1r, [which] will fix two security defects, one of &#8216;high&#8217; severity affecting 1.0.2 releases, and one &#8216;low&#8217; severity affecting all releases&#8221;, I pay attention.<br \/>\nA high severity OpenSSL bug is defined as including &#8220;issues that are of a lower risk than critical, perhaps due to affecting less common configurations, 
or which are less likely to be exploitable.<br \/>\nThese issues will be kept private and will trigger a new release of all supported versions.&#8221; This is not as bad as a critical hole but I&#8217;ll be updating my servers as soon as the patches are available.<br \/>\nThe patches will be made available on 28th January between approximately 1 PM and 5 PM, Coordinated Universal Time (UTC).<br \/>\nSources at Canonical, Red Hat, and SUSE tell me that they&#8217;ll make these patches available on their Linux distributions on the same day.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=efd1b4ca10&#038;e=20056c7556<\/p>\n<p>APAC Banks Say They are Most at Risk from Data Breaches at Large Retailers and Telcos in 2016<br \/>\nRead more at http:\/\/paulgdavis.us3.list-manage2.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=057b65c950&#038;e=20056c7556<br \/>\nFICO Survey: 100 percent of respondents say data breaches in other industries will harm financial institutions this year<br \/>\n38 percent of respondents ranked large retailers as being at the greatest risk for a data breach in 2016, with another 35 percent of respondents choosing telecommunications companies.<br \/>\nBy contrast, small business (25 percent) and healthcare (22 percent) were voted as the industries least likely to be at risk of a data breach in 2016.<br \/>\n100 percent of respondents said data breaches in other industries will impact financial institutions<br \/>\n72 percent of respondents see a significant rise in the volume of threats from mobile commerce and mobile-first consumers in APAC, with another 22 percent expecting a modest increase.<br \/>\nAPAC fraud executives were also asked which factors might inhibit their own organization&#8217;s ability to stop a data breach. 24 percent nominated low security awareness amongst employees as the number-one factor, with another 21 percent saying a lack of budget was to blame. 
40 percent ranked too many siloed operations as their number-two issue.<br \/>\nRead more at http:\/\/paulgdavis.us3.list-manage2.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=2b31f0231f&#038;e=20056c7556<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=18828db314&#038;e=20056c7556<\/p>\n<p>EU Parliament Panel OKs Network Security Directive<br \/>\nJan. 14 \u2014 Web services that are established in European Union member states, including Amazon.com Inc. and Google Inc., would be required to submit their cybersecurity procedures to the oversight of EU national authorities under a proposed directive approved by the European Parliament&#8217;s Internal Market Committee Jan. 14.<br \/>\nThe directive, formally known as the Network and Information Security (NIS) Directive, would require EU countries to identify critical service providers that could fall victim to cyberattacks, and to then validate the companies&#8217; cybersecurity measures.<br \/>\nThe directive would also create a reporting obligation, under which critical service providers would be obliged to notify the authorities of serious cyberattacks on their networks.<br \/>\nThe directive would cover attacks on systems, rather than data breaches.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=ffbec0c191&#038;e=20056c7556<\/p>\n<p>65% Say Cloud As Secure As On-Premises<br \/>\nAnother is a just-released report from the Cloud Security Alliance (CSA), &#8220;The Cloud Balancing Act for IT: Between Promise and Peril,&#8221; which says 64.9% of security officers and IT managers think the cloud is at least as secure as their on-premises software.<br \/>\nSecurity of data in the cloud is still a major concern, though: Some 67.8% said that they were concerned they couldn&#8217;t enforce their own security policies in the cloud, and 61.2% said that they remained concerned about meeting compliance 
requirements.<br \/>\nOf the 64.9% who say the cloud is at least as secure as on-premises software, 47.1% say cloud security is equal to and 17.8% say it&#8217;s better than what they have on premises.<br \/>\nPerhaps the most surprising conclusion to come out of it was the revelation that 24.6% of respondents said they&#8217;d rather pay a ransom to hackers than face the consequences of a successful attack on their systems.<br \/>\nFourteen percent said they would pay as much as $1 million to get an intruder threat or data-ransom problem to go away.<br \/>\nTwo-thirds of organizations concerned about data security have a CISO, while only 50% of those less concerned about security have one.<br \/>\nAccording to the report, the largest barriers to detecting data loss in the cloud included: lack of skilled security professionals to maximize full value of new technologies (surveyed at 30.7%), lack of internal strategy to operationalize threat intelligence data (at 26.5%), lack of budget to acquire new technologies that detect cloud breaches (at 22.9%), and lack of actionable analytics around threat intelligence data (at 19.9%).<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=6bcd5bad4b&#038;e=20056c7556<\/p>\n<p>&#8216;Artisanal spam&#8217; fashions emails in a new kind of cyberattack<br \/>\nA new kind of attack, so-called &#8220;artisanal spam,&#8221; targets smaller groups with painstakingly crafted messages, with the aim of breaking through spam-filtering algorithms and achieving a higher rate of success.<br \/>\nPatrick Peterson, CEO of U.S. 
cyber-security firm Agari Data, says his company started noticing the attacks between six and nine months ago.<br \/>\nSince then, he estimates, these kinds of attacks have numbered &#8220;in the low hundreds,&#8221; although he notes that it can be hard to track such relatively small attacks.<br \/>\nThis new method of spamming, said Peterson, is more likely to slip through the spam filters built into most email clients, and more likely to get criminals what they want \u2014 account credentials like usernames and passwords, as well as potential targets for malware attacks.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=40dac0ec2c&#038;e=20056c7556<\/p>\n<p>New Rhode Island Law Protects Victims of Businesses\u2019 Data Breaches in 2016<br \/>\nTo ensure that Rhode Islanders are adequately protected, the Rhode Island General Assembly has recently enacted legislation addressing data breaches.<br \/>\nThe Identity Theft Protection Act of 2015 (the \u201c2015 Act\u201d), which will go into effect in June 2016, repeals and replaces a 2005 breach notification law and contains a number of key provisions.<br \/>\nThe 2015 Act clarifies uncertainties that have resulted from prior identity theft laws and expands the protections afforded to Rhode Island residents, including imposing specific notification requirements on companies in the event of the breach.<br \/>\nUnder the 2015 Act, persons (including individuals and businesses), municipal agencies, and state agencies must protect the personal information of Rhode Island residents that they store, collect, process, maintain, acquire, use, own or license.<br \/>\nA resident\u2019s \u201cpersonal information\u201d is defined broadly and includes: social security number; driver license number; account number, credit or debit card numbers, with any required code or password that would permit access to an individual\u2019s financial account; medical and health insurance 
information; and email addresses with any required code or password that would permit access to an individual\u2019s personal, medical, insurance or financial account.<br \/>\nThe 2015 Act also expands protection to paper records and unencrypted electronic information.<br \/>\nThe 2015 Act requires that the listed entities handling residents\u2019 personal information must implement a \u201crisk-based information security program which contains reasonable security procedures and practices appropriate to the size and scope of the organization, the nature of the information and the purpose for which the information was collected.\u201d Personal information must be destroyed in a secure manner and should not be retained for any longer than necessary or the period of time required by law.<br \/>\nThe 2015 Act also imposes civil penalties for violations of up to $100 or $200 per record, depending on whether the disclosure or breach was reckless or knowing and willful.<br \/>\nHowever, unlike the previous legislation, the 2015 Act does not cap the total amount of penalties.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=0aa01a6c51&#038;e=20056c7556<\/p>\n<p>Amazon Certificate Manager Brings Free SSL Certs to AWS Users<br \/>\nThe company announced late last week that it launched a certificate manager to expedite the process of securing SSL\/TLS certificates for customers looking to add HTTPS to their sites or apps.<br \/>\nJeff Barr, Chief Evangelist for Amazon Web Services, discussed the move in a blog post last week.<br \/>\nBarr claims the manager will provision SSL certificates verified by Amazon\u2019s certificate authority (CA) and Amazon Trust Services (ATS) for free.<br \/>\nFor the time being only customers who use Amazon Web Services Elastic Load Balancing or its content delivery network, Amazon CloudFront, can apply for certificates.<br \/>\nThe move follows in the footsteps of the Let\u2019s Encrypt 
initiative, a free certification authority that the Electronic Frontier Foundation, Mozilla, and a handful of other tech companies got off the ground last year.<br \/>\nCloudflare rolled out a similar initiative a few years back, providing SSL certs to its customers and accepting HTTPS connections for most of their domains.<br \/>\nIn Amazon Web Services\u2019 Certificate Manager: User Guide (.PDF) \u2013 published last week \u2013 the company made it clear that it can fail requests for ACM certificates if the domain is believed to contain malware or phishing content, but it doesn\u2019t state how active it will be when it comes to patrolling the sites it grants these free certificates to.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=e365c39a82&#038;e=20056c7556<\/p>\n<p>The Tor Project Raises $200K Through Crowdfunding<br \/>\nOver $205,000 was raised from more than 5,200 donors.<br \/>\nContributions were made by personalities such as Laura Poitras, the Citizenfour director; Shari Steele, former EFF executive director; Alison Macrina, the founder and director of the Library Freedom Project; and Tor Project co-founder Roger Dingledine.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=1e9ec76248&#038;e=20056c7556<\/p>\n<p>UpGuard, Formerly ScriptRock, Unveils First FICO-Like Score for Cybersecurity and Compliance<br \/>\nMOUNTAIN VIEW, CA &#8212; (Marketwired) &#8212; 01\/26\/16 &#8212; UpGuard (www.upguard.com), formerly ScriptRock (www.scriptrock.com), today unveiled its Cybersecurity Threat Assessment Report (CSTAR), the industry&#8217;s first and only comprehensive and actionable cybersecurity preparedness score for enterprises.<br \/>\nUpGuard&#8217;s CSTAR is a FICO-like score that allows businesses to measurably understand the risk of data breaches and unplanned outages due to misconfigurations and software vulnerabilities, while also offering 
insurance carriers a new standard by which to more effectively assess risk and compliance profiles.<br \/>\nUpGuard&#8217;s expertise in configuration anomaly and vulnerability detection allows for a complete picture of an organization&#8217;s cybersecurity preparedness.<br \/>\nAn organization&#8217;s CSTAR represents a company&#8217;s aptitude in the areas of compliance, integrity and security across all servers, network devices and cloud applications.<br \/>\nUpGuard customers can trace changes in their CSTAR evaluation down to the smallest building blocks of information technology and use the full report to then remediate potential risks, creating a safer environment for customer data and lowering insurance costs.<br \/>\nThousands of customers worldwide already use UpGuard&#8217;s technology to validate mission-critical infrastructure and continuously detect potential risks.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=15a3e53e39&#038;e=20056c7556<\/p>\n<p>============================================================<br \/>\nFeedback, questions? 
Our mailing address is: ** dailynews@paulgdavis.com (mailto:dailynews@paulgdavis.com)<\/p>\n<p>If you know someone else who would be interested in this Newsalert, please forward this email.<br \/>\nIf you want to be added to the distribution list, please click this:   ** Subscribe to this list (http:\/\/paulgdavis.us3.list-manage.com\/subscribe?u=45bf3caf699abf9904ddc00e3&#038;id=e09452545a)<\/p>\n<p>** Unsubscribe from this list (http:\/\/paulgdavis.us3.list-manage2.com\/unsubscribe?u=45bf3caf699abf9904ddc00e3&#038;id=e09452545a&#038;e=20056c7556&#038;c=d6d4d72937)<\/p>\n<p>** Update subscription preferences (http:\/\/paulgdavis.us3.list-manage1.com\/profile?u=45bf3caf699abf9904ddc00e3&#038;id=e09452545a&#038;e=20056c7556)<\/p>\n","protected":false},"excerpt":{"rendered":"<p>[From the desk of Paul Davis &#8211; his opinions and no-one else&#8217;s] Apart from the reporter&#8217;s opinions \ud83d\ude09 Also, would it help to include a table of contents at the beginning of the email? This would make the email message longer, but might make it easier to jump to 
the&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[29],"tags":[],"class_list":["post-1191","post","type-post","status-publish","format-standard","hentry","category-news"],"_links":{"self":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1191","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=1191"}],"version-history":[{"count":1,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1191\/revisions"}],"predecessor-version":[{"id":3678,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1191\/revisions\/3678"}],"wp:attachment":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=1191"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=1191"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/tags?post=1191"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
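The ONGC item in the newsletter record above describes a payment-diversion fraud built on an e-mail address that differed from the real one by a few characters, and the "artisanal spam" item describes hand-crafted mail that gets past content filters. The Python below is an added example written for this page; it is not code from the newsletter or from any article it links to. It shows the sender-side control a practitioner would put in front of payment instructions: take the real address from a From: header (ignoring the attacker-controlled display name), compare its domain against an allow-list of counterparties, and flag near-misses such as confusable characters, an inserted hyphen, a swapped top-level domain, or the trusted brand buried inside another domain. The trusted-domain list, the confusable table, the edit-distance threshold and the sample headers are all constructed for the demonstration.

```python
"""Lookalike-sender check for invoice-redirection fraud.

Added example written for this page; it is not code from the newsletter or
from any article it links to. The trusted-domain list, the confusable table
and the sample From: headers are all constructed for the demonstration.
"""
import unicodedata
from email.utils import parseaddr

# Constructed allow-list: domains of counterparties whose payment instructions
# we would act on without a phone call.
TRUSTED_DOMAINS = ("ongcindia.com", "aramco.com")

# Constructed, deliberately small table of swaps that look alike in common
# fonts. Multi-character entries come first so "rn" folds to "m" before the
# single characters are handled.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
               ("3", "e"), ("5", "s"), ("7", "t"))

# A registered domain this close (in edits) to a trusted one is a near-miss.
# Two edits catches TLD swaps and single typos; raise it and short domains
# start colliding with unrelated legitimate ones.
MAX_DISTANCE = 2


def normalize(domain: str) -> str:
    """Fold a domain into a comparison form.

    Lowercases, strips combining accents (so 'arámco' compares as 'aramco'),
    folds confusable characters and drops hyphens, a common insertion trick
    ('ongc-india').
    """
    text = unicodedata.normalize("NFKD", domain.lower())
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    for bad, good in CONFUSABLES:
        text = text.replace(bad, good)
    return text.replace("-", "")


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance with unit cost for insert/delete/substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str) -> dict:
    """Classify the real address in a From: header against TRUSTED_DOMAINS.

    The display name is ignored on purpose: it is attacker-controlled and is
    exactly where the legitimate address gets shown to the victim.
    """
    _display, address = parseaddr(from_header)
    _local, at, domain = address.rpartition("@")
    domain = domain.lower().rstrip(".")
    result = {"address": address, "verdict": "unknown", "matches": None,
              "reason": "no trusted domain resembles it"}
    if not at or not domain:
        result["reason"] = "no parseable address"
        return result
    for trusted in TRUSTED_DOMAINS:
        if domain == trusted or domain.endswith("." + trusted):
            return {**result, "verdict": "trusted", "matches": trusted,
                    "reason": "exact domain or subdomain"}
    norm = normalize(domain)
    for trusted in TRUSTED_DOMAINS:
        tnorm = normalize(trusted)
        brand = tnorm.split(".")[0]
        if norm == tnorm:
            reason = "differs only by confusable characters or hyphens"
        elif edit_distance(norm, tnorm) <= MAX_DISTANCE:
            reason = "within %d edits of a trusted domain" % MAX_DISTANCE
        elif len(brand) >= 5 and brand in norm:
            reason = "trusted brand embedded in a different domain"
        else:
            continue
        return {**result, "verdict": "lookalike", "matches": trusted, "reason": reason}
    return result


# Constructed From: headers: two legitimate, four of the kinds used in
# payment-diversion fraud, one unrelated.
SAMPLE_HEADERS = (
    "ONGC Accounts <accounts@ongcindia.com>",
    "Treasury <treasury@mail.aramco.com>",
    "ONGC Accounts <accounts@ongc1ndia.com>",
    "ONGC Accounts <accounts@ongc-india.com>",
    "Treasury <treasury@aramco.com.invoice-portal.net>",
    '"accounts@ongcindia.com" <pay@rnail-ongcindia.co>',
    "Newsletter <news@example.org>",
)


def screen(headers=SAMPLE_HEADERS) -> dict:
    """Run the check over a batch; returns {real address: verdict}."""
    return {r["address"]: r["verdict"] for r in map(classify_sender, headers)}


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        r = classify_sender(header)
        print(f"{r['verdict']:9} {r['address']:42} {r['reason']}")
```

Run as a script, the two legitimate headers come back trusted, the four crafted ones lookalike with the reason that fired, and the unrelated one unknown. Treat lookalike as a hold for out-of-band verification of any changed bank details rather than as an automatic block: a two-edit threshold also catches unrelated short domains, so the queue needs a human. Because the check looks only at the sending domain, it is independent of the content filters that the artisanal spam item says crafted messages are slipping past.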