[From the desk of Paul Davis – his opinions and no-one else’s]
\nApart from the reporter’s opinions \ud83d\ude09
\nSo Im going to be working on a table of contents for the top so look out for that. Im the meantime,
\nSo onto the news:<\/p>\n
Combating state-sponsored cyber attacks
\nGovernment enterprises in the UAE can combat state-sponsored cyber-attacks that target sensitive information in various ways, said an industry expert.
\nHere is a more detailed look at what government agencies should do to keep nation-state attackers at bay.
\n– Decrypt and Inspect SSL Traffic
\n– Fortify Web Applications against Attacks
\n– Use Virtual Private Networks (VPNs) to Secure Data
\n– Monitor and Audit Access to Sensitive Data
\n– Train Employees on Security Best Practices
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=4e44058fd3&e=20056c7556<\/p>\n
Australian business is \u2018low hanging fruit\u2019 for cybercrime.
\nAccording to Deloitte\u2019s Australian based cyber expert James Nunn-Price and former FBI Cyber expert Mary Galligan now with Deloitte, it\u2019s a whole new ballgame.
\nShe was concerned that there were no mandatory reporting laws and few companies report issues like ransomware to the Australian Federal Police.
\nHer strong message is don\u2019t pay, strengthen your defences, and let someone else be the weak kid on the block.
\nAccess control was another major issue especially in relation to the bring your own device (BYOD) movement that may save companies money in capital expenditure but can open up major security holes.
\nFor example, use of the same password for a BYOD device and a corporate log-in was a major security issue.
\nGalligan spoke on the main issues in cyber security.
\nNunn-Price spoke about Deloitte\u2019s global Cyber Intelligence Centre and how it had become a combined effort across more than 20 such centres to stay ahead of trends.
\nOf course the bigger you are (and that probably describes Deloitte\u2019s client list) the more risk you have and the more you stand to lose.
\nHe was concerned that Australia was one of, if not the, main target in the Asia Pacific region as it was \u2018catching up with the rest of the world.\u2019 Cybercrime knows no geographical boundaries as has protected Australia in the past.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=d2f4ac6537&e=20056c7556<\/p>\n
Professor Hay earns $500,000 data security contract
\nThe Defense Advanced Research Projects Agency (DARPA) has awarded Assistant Professor of Computer Science Michael Hay nearly $500,000 to participate in Project Brandeis, a new program that challenges researchers from across the country to develop systems that facilitate data analysis while preserving privacy.
\nHay\u2019s research is part of a $2.8 million team effort led by scientists at UMASS Amherst.
\nIn the months ahead, the team will attempt to build systems that achieve what cryptographers have defined as differential privacy: query results that are statistically true but not precise enough to allows hackers to link real people with otherwise anonymous data points.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=60e29be779&e=20056c7556<\/p>\n
New Govt. Bill To End Secrecy On Big Data Breaches
\nMany Australian companies are failing to report ransomware – which locks users out of their computers until they pay a fee – and instead perpetuate the practice by coughing up the cash, according to financial services firm Deloitte.
\nCERT Australia, the national computer emergency response team and a partner agency in the Canberra-based Australian Cyber Security Centre, says it responded to 11,733 cybercrime incidents in 2014-15.
\nHowever failure to report cybercrime and data breaches may soon no longer be an option for the bigger companies and agencies in Australia, with Federal Parliament due to debate a government bill in coming months that – if passed – would make notifications compulsory for companies with an annual turnover of more than $3 million.
\nThe draft Privacy Amendment (Notification of Serious Data Breaches) Bill 2015 will also apply to any company currently subject to the Privacy Act.
\nSmall businesses at this stage are exempt.
\nLink: http:\/\/paulgdavis.us3.list-manage2.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=83dd8d434e&e=20056c7556<\/p>\n
Almost one-half of UK firms still unaware of their obligations under the new EU data protection laws
\nOrganisations should be under no illusion.
\nThe EU General Data Protection Regulation (GDPR), which will come into force in 2018, represents a major change in the way that personal data must be managed for any company that does business in or with the EU.
\nThey will need to make sure they are able to delete all of a consumer’s personal data quickly and completely from their systems on request.
\nThere will also be mandatory reporting of serious data breaches and organisations will be expected to know what data might have been affected – within 24 hours if possible.
\nAnd those firms found to be in breach of the regulation face hefty fines – up to four per cent of global turnover.
\nJust over half said they were aware of the GDPR but only 20 per cent were well prepared.
\nA further 26 per cent said they have just started preparing for the regulation.
\nHowever, a total of 44 per cent were unaware or only vaguely aware of the new rules.
\nThis is in keeping with a recent survey by US consultancy TRUSTe across the US and Europe, which found that half of the companies were still oblivious to the changes.
\ngdpr-fig2A quarter of those polled said they will need to invest in new infrastructure or software to comply with the new rules, especially in areas such as security, data governance and identity and access management.
\nA further 53 per cent said they were unsure whether such investment will be necessary or not.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=d72dec8fbd&e=20056c7556<\/p>\n
Top 4 Compliance Mistakes and How to Prevent Them
\nWhat issues can creep up when it comes to industry compliance, and how can enterprises work to solve these problems.
\nHere are three top compliance mistakes companies make.
\n1. Not Fully Understanding Industry Guidelines
\n2. Ineffectively Evaluating Third-Party IT Service Providers
\n3. Placing Too Low a Priority on Physical Security
\n4. Failing to Review Compliance and Protection Processes
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=a78fd3ee42&e=20056c7556<\/p>\n
5 reasons you need to hire a Chief Privacy Officer
\nBusinesses are increasingly relying on data, but they’re overlooking another key aspect of data: privacy.
\nIn order to keep up with the growing regulations surrounding data privacy, it may be time to hire a Chief Privacy Officer.
\nA study by cloud-based data protection provider Druva on the “State of Data Privacy in 2015” asked 214 people worldwide at companies with 100 to 5,000 employees how they are tackling data privacy.
\nOf those surveyed, 81 percent reported their business had government privacy compliance and regulation requirements to meet.
\nHowever, 93 percent of companies reported that they found it difficult to ensure data privacy and 71 percent reported challenges with keeping up with regulations and compliance around privacy.
\nHere are five reasons, according to Freji, why you should seriously consider hiring a CPO in the coming year.
\n1. Changing business landscape
\n2. Europe’s General Data Protection Regulation
\n3. Mandated CPO
\n4. Rising number of high-profile breaches
\n5. Avoid a PR nightmare
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=0da749af0e&e=20056c7556<\/p>\n
Insurance innovation to battle cyber threats
\nJWK Solicitors, has announced the launch of its \u201cCyber Risk Insurance\u201d service designed to protect businesses against the growing threat of a cyber-attack.
\nGovernment figures also suggest that of the 52 per cent of businesses who believe they have existing cover against a cyber breach, less than 10 per cent actually do.
\nLink: http:\/\/paulgdavis.us3.list-manage2.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=597c5e4132&e=20056c7556<\/p>\n
The Cybersecurity Talent You Seek May Be In-House
\nCasey O\u2019Brien, executive director and principal investigator with The National CyberWatch Center, says security managers should tap the talents of network administrators, system administrators, and programmers because they have strong foundational skills in their specialty areas.
\nThe goal of all security programs should be to have that group of experts, like Navy Seals, who can create the playbook, who understand the threat and can put in place the necessary procedures and tools to defend their organizations, says Adam Vincent, CEO of ThreatConnect, developer of a comprehensive threat intelligence platform used in security operation centers globally.
\nLink: http:\/\/paulgdavis.us3.list-manage2.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=538f546552&e=20056c7556<\/p>\n
Five rules to conduct a successful cybersecurity RFP
\nLast week was sadly remarkable for the cybersecurity industry: former New York city mayor Rudy Giuliani, compared cybersecurity to cancer, while famous security expert and journalist Brian Krebs pointed to serious problems at Norse Corporation, a prominent cybersecurity startup recently backed by KPMG VC investment of $11.4 million.
\nLast year, many friends of mine – security professionals and managers within different organizations — complained about their disappointments with RFPs for purchasing various cybersecurity products or services.
\nAn open and transparent bid is probably one of the most efficient ways to get the best price\/quality ratio available on the open market.
\nHowever, the invisible hand may not always work properly for the cybersecurity market due to its complexity and dynamically changing environment.
\nNevertheless, a cybersecurity RFP can be successful, if we take into consideration few simple rules:
\n– Make sure that the RFP is aligned with your corporate risk management strategy
\n– Be precise and detailed in every requirement
\n– Request technical demonstration and testing in your own environment
\n– Price shall not outshine the expertise and experience
\n– Don\u2019t forget about Service Level Agreement (SLA)
\nLink: http:\/\/paulgdavis.us3.list-manage2.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=ae5a3bb88a&e=20056c7556<\/p>\n
Attackers also spend an average of 70 hours per attack going up against “typical” IT security infrastructure, 147 hours battling “excellent” IT security infrastructure and give up completely after 209 hours.
\nThe majority of cyber attackers are motivated by money, but make less than $15,000 per successful attack, according to a survey of hackers in the U.S., U.K. and Germany released yesterday by the Ponemon Institute.
\nThe average attacker conducts eight attacks per year, only 42 of which are successful.
\nIn addition, only 59 percent of the successful attacks result in any financial payout.
\nThe majority of attackers have increased their use of hacker tools by 18 percent, and 64 percent say that the tools are “highly effective.”
\nOn average, attackers spend $1,367 a year on these tools.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=9a9df51c33&e=20056c7556<\/p>\n
Seven security cultures that can help or hurt your organization
\nCulture of Reporting
\nCultures of reporting could be a security silver bullet.
\nIf everyone who identified a security problem reported it, and if the organization investigated and addressed every reported problem, security could change overnight.
\nUnfortunately, this is expensive.
\nSuch cultures tend to exist only in places where lawsuits and losses from whistleblowing have shown fixing problems, even when costly, is inevitably cheaper than ignoring them.
\nAwareness Culture = Informed, engaged people are always valuable, in security or anywhere else.
\nEvidence-based (Security) Management – Evidence-based cultures collect empirical and historical data, analyze them, and make decisions based on the results, even if the results are unexpected or undesirable.
\nFUD-Driven – FUD-driven cultures are the opposite of evidence-based cultures.
\nCult(ure) of Technology – When organizations worship it as the single best security strategy, things go awry.
\nCheckbox Culture – Compliance is not security.
\nCheckbox cultures are taking heat in the wake of big breaches, where the victims looked good on paper but not on the ground.
\nCulture of Arrogance – If a culture of reporting could dramatically improve security, there’s nothing like arrogance to ensure that every objective will be twice as far off, every success is twice as difficult, every failure is twice as painful.
\nIf you see your organization in any of these seven types, consider what it means for your security strategy over the coming year.
\nWill your culture help you.
\nOr does it presage another 12 months of struggle, frustration, and maybe even an incident putting the organization in an increasingly common and unwelcome spotlight?
\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=c8c042b7ac&e=20056c7556<\/p>\n
Does attribution matter to security leaders?
\nI know I\u2019ve been on both sides of the issue.
\nSometimes the value of a concept — in this case, attribution — is lost in the debate.
\nThen I met Levi Gundert (LinkedIn, Twitter), VP of Information Security Strategy, from Recorded Future. Levi\u2019s career as an information security professional includes unique operational and leadership experience in government (U.S. Secret Service), threat intelligence providers (Team Cymru and Recorded Future), and multi-vertical Fortune 500 enterprises (IBM, Cisco Systems, Union Bank, and Fidelity Investments).<\/p>\n
Our discussion revealed when and how attribution matters. It starts by getting the definition right. You pointed out that the definition of attribution matters. What does a security leader need to consider when it comes to attribution?
\nThe definition is critical. Attribution is often mis-understood to mean the identification of an individual or group with associated real name, address, and other personally identifiable information. In contrast, within a business context, attribution is obtaining general intelligence to address the \u201cwho\u201d and \u201cwhy\u201d of nefarious activity.<\/p>\n
Expand on \u201cmotivation informs methodology.\u201d How does this help a security leader?
\nGeneral attribution informs senior business leaders\u2019 critical decisions, especially during an incident.
\nBeyond crisis moments, security leaders need to effectively communicate general attribution information to help executives and the board meet the daily challenges of information security program resource allocation.<\/p>\n
How important is context?
\nIt\u2019s essential. We\u2019ve been discussing the value of attribution during and after an attack, but it\u2019s also a critical proactive exercise to understand adversaries before they impact the business.
\nThis is one facet of threat intelligence, which is the act of formulating an analysis based on the identification, collection, and enrichment of relevant information.<\/p>\n
Does the board care about attribution. Should they?
\nThe board does care about attribution. They want the full story which includes \u201cwho\u201d and \u201cwhy.\u201d Lacking attribution leaves stakeholders with doubts.<\/p>\n
What does a security leader need to do to get this. What can someone do today to start building the capability — and boost the value of their leadership?
\nObviously the first step is defining the goals and objectives for attribution along with repeatable metrics.<\/p>\n
It\u2019s the TTP identifications that help peer teams within information security.
\nThis type of proactive identification compliments a risk\/audit framework approach because threat actors and their temporal behaviors accelerate the learning cycle.<\/p>\n
Instead of waiting for the next version of ISO 27001 or NIST Cyber Security Framework (CSF) to be released, companies can still map their progress to the framework while also making incremental improvements, especially in the \u201cprevention\u201d and \u201cdetection\u201d framework phases, based on near real-time attacker attribution.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=53563ef8b4&e=20056c7556<\/p>\n
The Future of Security: Isolation
\nWith the latest advances in virtualization technology, the notion of isolation for security control holds tremendous promise.
\nIsolation through virtualization has the wonderful property of being able to effectively block all malware attacks without the need to understand the attack, detect the attack, or recognize the signature of the attack.
\nIsolation through virtualization is much like the \u201cair-gapped network\u201d\u2014the offending malware cannot traverse from one isolation zone to another.
\nIsolation technology makes the most sense in two places: on the client web browser, where 80 percent of the malware is getting into the enterprise; and on the servers in the data center, where the valuable stuff resides.
\nOn the end point, the basic idea is that by using advanced virtualization, we can execute the code of a web page in some type of disposable virtual container.
\nThe challenge to this approach has been to deploy the isolation in a manner that does not interfere with end user devices or behavior.
\nIn the data center, the problem is reversed.
\nAdvanced virtualization technologies are used to insert security controls, such as always-on encryption, seamlessly in between the application\/data and the underlying infrastructure.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=19e90d4293&e=20056c7556<\/p>\n
Inside the new Microsoft Azure security features
\nThe idea of the Microsoft Azure Container Service is to offer a service that leverages Microsoft’s partnerships with Docker and Mesosphere in order to make delivering a production-ready container cluster simple and manageable in the cloud.
\nIt combines open source Mesosphere cluster management — for Apache Mesos and Mesopshere Data Center Operating System — with Docker’s containerization technology.
\nThe Microsoft Azure Security Center is designed to grant cloud administrators a more detailed and manageable view of the security of their Azure resources.
\nImportantly, Azure Security Center will integrate with major security providers such as Check Point, F5 Networks and Cisco.
\nIts main focus will be on security monitoring, policy management and threat detection across an enterprise’s Azure environment.
\nLink: http:\/\/paulgdavis.us3.list-manage2.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=628d868777&e=20056c7556<\/p>\n
Deconstructing the emergency incident response process
\nProviders of professional IR services can quickly bring the additional resources and the expertise that companies often need to handle a rapidly unfolding threat.
\nBut there’s a lot you need to do to get the best out of these services, and that begins with a clear understanding of how the emergency incident response process works and what to expect when you hire an IR provider to handle an ongoing crisis.
\nFour tips for getting the most out of your IR provider:
\n– Have a plan
\nIt’s important to have a security incident response plan, exercise it regularly, and have all your partners selected before you actually need any of it, says Christopher Pierson, CSO and general counsel at Viewpost.
\n– Know what to ask
\nMake sure you know what questions to ask before selecting an IR provider, says Sanjeev Sah, director of security and CSO at Texas Children’s Hospital.
\n– Be proactive
\nDon’t wait for an incident to start looking for a third-party IR provider.
\nInstead, hire an IR provider and place them on retainer for when needed.
\n– Be prepared
\nMake sure you have the information your IR provider needs in order to respond to a developing situation.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=190e1a6b11&e=20056c7556<\/p>\n
One-Quarter Of Organizations Do Not Encrypt Sensitive Data
\nResearch by AIIM revealed 26 percent of organizations have suffered customer data loss or exposure over the past year, but 25 percent do not encrypt sensitive data.
\nAIIM\u2019s report Data Privacy \u2013 Living by New Rules states that as a consequence of lost customer or employee data, 10 percent of affected organizations faced fines or regulatory actions, 25 percent experienced a disruption to business, and 18 percent suffered a loss of customer trust.
\nIn addition, 38 percent of the organizations polled reported being highly dependent on sensitive personal data, while 33 percent have some sensitive client data, and 20 percent have just basic HR content.
\nAs previous studies have found, internal threats can be more dangerous than external ones when it comes to data breaches, and the AIIM study found that 47 percent of organizations polled reported a data breach, exposure, or incident in the past year as a result of staff intent (19 percent) or staff negligence (28 percent), while just 13 percent experienced an external hack.
\nOf those polled, 68 percent want governments to encourage stronger, tamper-proof encryption; the survey shows 62 percent do not encrypt email addresses and 25 percent do not encrypt credit card data, while 64 percent claim to encrypt all personally identifiable information (PII) and 75 percent encrypt all sensitive personal data.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=4bdca0a2ae&e=20056c7556<\/p>\n
============================================================
\nFeedback, questions? Our mailing address is: ** dailynews@paulgdavis.com (mailto:dailynews@paulgdavis.com)<\/p>\n
If you know someone else who would be interested in this Newsalert, please forwarded this email.
\nIf you want to be added to the distribution list, please click this: ** Subscribe to this list (http:\/\/paulgdavis.us3.list-manage1.com\/subscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a)<\/p>\n
** Unsubscribe from this list (http:\/\/paulgdavis.us3.list-manage.com\/unsubscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556&c=b4baeea596)<\/p>\n
** Update subscription preferences (http:\/\/paulgdavis.us3.list-manage.com\/profile?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556)<\/p>\n","protected":false},"excerpt":{"rendered":"
[From the desk of Paul Davis – his opinions and no-one else’s] Apart from the reporter’s opinions \ud83d\ude09 So Im going to be working on a table of contents for the top so look out for that. Im the meantime, So onto the news: Combating state-sponsored cyber attacks Government enterprises…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[29],"tags":[],"class_list":["post-1193","post","type-post","status-publish","format-standard","hentry","category-news"],"_links":{"self":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1193","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=1193"}],"version-history":[{"count":1,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1193\/revisions"}],"predecessor-version":[{"id":3680,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1193\/revisions\/3680"}],"wp:attachment":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=1193"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=1193"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/tags?post=1193"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}