[From the desk of Paul Davis – his opinions and no-one else’s, apart from the reporter’s opinions ]<\/p>\n
* Threats on the Horizon for Tomorrow\u2019s Global Security Landscape
\n* The Next Frontier of Malware – Hardware
\n* Swift warns banks of malware threat
\n* Survey: Retail IT Professionals Confidence in Cyber Security Capabilities Increase as Data Breaches Rise
\n* Verizon: Bad Guys Still Phishing for Data
\n* Email ‘most popular phishing tool’
\n* Investment grows as DDoS attacks become sophisticated
\n* MSSPs: The Pros and Cons of Outsourcing Network Security
\n* Multi-Factor Authentication Heads PCI’s List of Changes
\n* Jones Day, K&L Gates Bulk Up Cybersecurity Practices
\n* Be Prepared: How Proactivity Improves Cybersecurity Defense
\n* What did we learn from BT\u2019s 2016 CIO Report?
\n* Top 10 web hacking techniques of 2015<\/p>\n
Threats on the Horizon for Tomorrow\u2019s Global Security Landscape
\nAt the Information Security Forum, we recently released Threat Horizon 2018, the latest in our annual series of reports which provide businesses a forward-looking view of the increasing threats in today\u2019s always-on, interconnected world.
\nIn Threat Horizon 2018, we highlighted the top three emerging threat themes, as determined by our research, to information security over the next two years.
\nOver the next two years, technology will increasingly become an integral part of everyday life in modern society, both at a business and a personal level.
\nOrganizations will seek to maximize efficiency and effectiveness through improved connectivity.
\nHowever, with these benefits will come associated threats in an expanded and more complex security threat landscape highlighted by the growth of the Internet of Things (IoT).
\nDealing with cyber-attacks and avoiding data breaches is enough to keep most organizations busy, but this will become even more challenging as established methods of information risk management are eroded or compromised by a variety of (usually non-malicious) actors.
\nGovernments around the world will take an even greater interest in scrutinizing both new and existing technology products and services used by their citizens.
\nThey will begin to adopt a more intrusive approach in dealing with organizations that handle personal information, especially major technology companies.
\nThese governments will justify their activities on the grounds of regulating disruptive business models and organized crime.
\nHowever, their efforts in combating international crime \u2013 where many think they should be concentrating their resources \u2013 will fall significantly short of the expectation of many organizations.
\nInformation security professionals are facing increasingly complex threats, some new and others familiar but evolving.
\nTheir primary challenge remains unchanged; to help their organizations navigate mazes of uncertainty where, at any moment, they could turn a corner and encounter information security threats that inflict severe business impact.
\nLink: http:\/\/paulgdavis.us3.list-manage2.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=ba11989fd2&e=20056c7556<\/p>\n
The Next Frontier of Malware – Hardware
\nAs recently as two years ago, there has been some rumoured issues related to malware and viruses that get into USB-based hardware devices and can possibly be running from those devices to either steal data or become a launching pad once connected to a device to penetrate deeper that system or the network that it is connected to.
\nThe most dangerous part about this flavour of Malware is that it likely cannot be detected.
\nLikely can\u2019t be put there except through some physical means of implantation and would be equally difficult to remove from the device once it is infected \u2013 if it is even possible to remove at all.
\nThe reality is that this exploit works exceeding well and is nearly impossible to detect or thwart through our current set of tools.
\nAnti-malware products will need to re-think some of their approaches to detecting hardware embedded malware.
\nPayloads for these exploits could be adapted to much more damaging variants beyond just data siphoning.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=4fff80c6a8&e=20056c7556<\/p>\n
Swift warns banks of malware threat
\nInterbank payment network Swift is warning banks to beware of a new breed of malware that acts to hide fraudulent transactions on local client interface devices and may have been successfully exploited by the unknown hackers who recently stole $81 million from Bangladesh Bank.
\nResearchers at BAE System now claim that after gaining administrative rights at Bangladesh Bank, the hackers installed a piece of malware named evtdiag.exe which shielded the attackers by changing information on transfer requests made via Swift on the client interface used by the bank to track information about transfer requests.
\nWhile the malware appears to have compromised code on a Swift-supplied interface device, Swift maintains that banks’ must take all necessary precautions to lock down their own systems.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=d4e9924424&e=20056c7556<\/p>\n
Survey: Retail IT Professionals Confidence in Cyber Security Capabilities Increase as Data Breaches Rise
\nTripwire, Inc., a leading global provider of end point protection, security and compliance solutions, today announced the results of its 2016 retail cyber security survey.
\nConducted by Dimensional Research, the survey evaluated the attitudes of over 200 IT professionals in the retail sector and compared their responses to a similar survey Tripwire conducted in 2014.
\n\u201cUnfortunately, these results indicate that we can expect retail breach activity to continue in the future,\u201d said Tim Erlin, director of IT security and risk strategy. \u201cThe increase in confidence connected with speed of breach detection is particularly surprising, especially in combination with partial implementation of detection tools.
\nTogether these results indicate while retail organizations might feel better about their cyber security capabilities, there\u2019s still a long way to go to close the gap between initial compromise and detection.\u201d
\nSeventy-five percent of the 2016 respondents believed they could detect a breach within 48 hours, compared with forty-two percent in 2014.
\nRetail data breaches involving personally identifiable information (PII) have more than doubled since 2014.
\nWhen asked if a data breach occurred at their organization where PII was stolen or accessed by intruders, one-third (thirty-three percent) of the respondents said, \u201cyes,\u201d compared with fourteen percent in 2014.
\nImplementation of breach detection technology has remained flat.
\nIn both 2014 and 2016, fifty-nine percent of the respondents said their breach detection products were only partially or marginally implemented.
\nCompanies with larger revenues monitor configuration parameters on critical payment assets less frequently.
\nSixty-five percent of respondents working for organizations with revenues of less than $100 million check their compliance at least weekly, and only fifty-five percent of respondents with revenues of more than $100 million answered similarly.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=97884ae52b&e=20056c7556<\/p>\n
Verizon: Bad Guys Still Phishing for Data
\nMarc Pitler, principal author of the 2016 DBIR, Verizon’s annual look at the global landscape of security threats, points to one stark statistic: More than 63% of all data breaches involved weak, lost or stolen credentials.
\nThat’s one of the main reasons Verizon Communications Inc. (NYSE: VZ) continues to tout multi-factor authentication as a key to lowering security risks.
\nPitler authored this year’s report with considerable humor — and you can check it out here — and refers to it as a “scouting report” for those attempting to thwart attacks.
\nHe calls things such as phishing emails “the number one play in the bad guy’s playbook,” because they lead to significant data breaches.
\nThe percentage of users clicking on the corrupted links in phishing emails actually rose slightly from 11% to 13% and while that is not a statistically significant increase, it is a reflection of why phishing remains a tried and true method of attacking networks.
\nOnce an individual takes the bait, things happen quickly.
\nInfiltration of a network happens in minutes more than 80% of the time, but often discovery of the breach is measured in days, and that detection deficit is getting worse. “If — and some have called ‘if’ the biggest word in the language — there\u2019s any good news, it’s that the number of breaches staying open months or more continues to decline slightly,” Pitler writes in the report.
\nThis year’s numbers were influenced by one large attack, known as Dridex, which was a very large botnet targeting bank credentials, he notes.
\nIt produced a treasure trove of information.
\n“With better network segmentation and stronger authentication through your internal network, we can limit damage,” Pitler says. “Now we can click in a response plan — who clicked, let’s quarantine that device, find out exactly what has been done, what communications inbound and outbound have happened, and really try to break the chain before the real impact occurs where significant data is exfiltrated from the organization.”
\nPitler says mobile devices are not yet a major source of threats, but are still something being watched carefully.
\nAnd as the Internet of Things brings many low-level devices onto the network, those are also being scrutinized.
\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=bf1f5d2158&e=20056c7556<\/p>\n
Email ‘most popular phishing tool’
\nThe online crime groups were shunning mobiles and newer technologies in favour of phishing campaigns, said the report from Verizon.
\nAlmost 90% of the incidents involved attempts to steal cash, it said.
\nAbout 30% of phishing emails had been opened by people in targeted organisations in 2015, said the report, up from 23% in 2014.
\nAnd, of the scam emails opened, about 13% had been able to launch malware because staff had run the attachments they had carried.
\nStatistics gathered for the Verizon report suggest 84% of the organisations questioned took weeks to spot that criminals had won access to internal systems.
\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=ec5d008fb3&e=20056c7556<\/p>\n
Investment grows as DDoS attacks become sophisticated
\nA new report by real-time information services provider Neustar, entitled The Threatscape Widens: DDoS Aggression and the Evolution of IoT Risks, released this month, says it\u2019s no longer the question \u2018if\u2019 or \u2018when\u2019 a company will be DDoSed \u2013 it\u2019s how often and how long will it last.
\nAccording to the report, 73 per cent of companies were attacked in 2015, with 82 per cent of those attacked suffering multiple attacks.
\nOut of that number, 45 per cent said they were attacked six times, or more.
\nIn EMEA, 47 per cent of companies were attacked at least five times.
\nIt also suggests that DDoSing is not its own purpose \u2013 it\u2019s a means to an end, in many cases.
\nMore than half of companies (57 per cent) said a DDoS attack is usually followed by data theft, which can be customer data, financial or intellectual property.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=a3a6f2a6c3&e=20056c7556<\/p>\n
MSSPs: The Pros and Cons of Outsourcing Network Security
\nIf you\u2019re already outsourcing functions such as customer support, web design, or manufacturing, the advantages of outsourcing security might seem familiar to you.
\nThese are some of the key benefits to having a managed provider take care of your cyber security needs:
\n– Cost Savings
\n– Security Expertise
\n– All-Encompassing Customer Support
\nMSSP Disadvantages Boil Down to Increased Risk
\n– Before diving into the risks associated with hiring an MSSP, it\u2019s important to understand that MSSPs do not completely eliminate your security costs\u2014for example, you\u2019ll still need an in-house CISO for the MSSP to report to and coordinate with.
\nMSSPs offer security expertise; but they are meant to supplement your own security team, not replace it.
\n– One disadvantage that keeps companies from outsourcing their security functions is the risk of letting someone take care of their sensitive data.
\n– At least when security is in-house, you can take it on yourself to guarantee customer data protection, which leads to another risk-related MSSP disadvantage\u2014a lack of control.
\nLink: http:\/\/paulgdavis.us3.list-manage2.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=d972c43789&e=20056c7556<\/p>\n
Multi-Factor Authentication Heads PCI’s List of Changes
\nThe PCI Security Standards council will deliver its 3.2 data security standard version, effective April 28, strengthening rules for data access, providing criteria for ongoing compliance programs, and reminding merchants and network operators to continue to migrate to a more secure Web protocol, or Transport Layer Security.
\nThe multi-factor requirement is the biggest change in the PCI DSS 3.2, said PCI chief technology officer Troy Leach.
\nPCI recommends that organizations review how they manage access to their cardholder data environment and review the current administrator roles to identify where the new requirement will require changes to authentication.
\nVersion 3.2 also calls for new criteria titled Designated Entities Supplemental Validation, designed to help service providers maintain security programs through effective compliance oversight, proper scoping of an environment, and assuring effective alerts are in place in critical security controls.
\nAn organization is required to undergo an assessment of these validation processes only if instructed to do so by an acquirer or payment brand.
\nEven if not mandatory, the PCI council suggests organizations study these security practices, especially new requirements for service providers.
\nThose requirements include a third party provider maintaining a documented description of the cryptographic architecture and reporting on failures of critical security control systems.
\nIn addition, a new requirement calls for executive management to establish responsibility for protection of cardholder data and the PCI compliance program.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=41e264bb5c&e=20056c7556<\/p>\n
Jones Day, K&L Gates Bulk Up Cybersecurity Practices
\nAs cyberthreats and data protection settle into the forefront of general counsel minds, two leading Am Law 100 firms are bolstering their cybersecurity practices with a pair of recent hires.
\nOn Monday, Jones Day announced its addition of former Hunton & Williams counsel J\u00f6rg Hladjk in Brussels, where he will lead his new firm\u2019s cybersecurity, privacy and data protection practice.
\nAlso switching shingles this month is Steven Caponi, the former head of Blank Rome\u2019s cybersecurity and data privacy group, who has joined K&L Gates as a partner in Wilmington, Delaware.
\nCaponi, who advises executives and boards of directors on corporate governance issues related to cyberthreats, previously served as administrative partner for Blank Rome\u2019s operations in Delaware.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=cb9e22a18f&e=20056c7556<\/p>\n
Be Prepared: How Proactivity Improves Cybersecurity Defense
\nWhen responding to an incident, there is always extreme pressure to gather and process digital evidence before it is no longer available or has been modified.
\nAs illustrated in the KPMG 2015 Global CEO Outlook report, half of chief executive officers polled said their organizations are either not prepared or only partially prepared to deal with a major cyber-attack.
\nOne reason these executives gave for this lack of preparedness was because too much attention is being spent on preventing attacks, and not enough on protection and response actions.
\nHere are five examples of how to shift from a reactive to proactive cyber preparedness model through the process of Digital Forensic Readiness.
\n-Maintain a business-centric focus
\n-Don\u2019t reinvent the wheel
\n-Security intelligence goes beyond threats
\n-Keep tabs on external relationships
\n-Understand costs and benefits
\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=f23a31bf8e&e=20056c7556<\/p>\n
What did we learn from BT\u2019s 2016 CIO Report?
\nOffice worker sitting on rooftop in cityBT has recently released its 2016\u2019s CIO report, dissecting the challenges and opportunities available for enterprise organizations, and the CIO, following the mainstream adoption of disruptive digital technologies.
\nHere, we\u2019ve detailed a few of the lessons learnt from the 2016 report:
\n– Security is now being dealt with
\nThe report highlights 33% of respondents believe the transition through to cloud computing will act as a catalyst to improve security throughout the organization.
\nIt would appear the implementation of cloud is forcing enterprise to deal with security \u2013 it is no longer a subject which can be put off for another day.
\n– Cloud is no longer a choice
\n65% of respondents stated their current infrastructures are struggling to deal with the rapid adoption of digital technologies.
\nThere are still challenges to the adoption of a cloud model (security, legacy systems, time constraints and budget), though the CIO\u2019s in questions realize cloud is no longer an option to become more successful, but a necessity to remain relevant.
\n– The CIO role has changed and there\u2019s no going back
\nA successful CIO will be able to bridge the gap between IT and the rest of the business, becoming more of a businessman as opposed to a technologist.
\nThe disruptive nature of digital technologies ensure CIO\u2019s now have to be driven by flexibility, adaptive to new ideas, understanding of agile models and more receptive to alternative trends.
\nThis could be seen as quite a shift in what would be the current perception of a CIO.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=089aeefe1b&e=20056c7556<\/p>\n
Top 10 web hacking techniques of 2015
\nAfter receiving 39 submissions detailing hacking techniques discovered in 2015, the following hacks were voted into the top 10 spaces:<\/p>\n
FREAK (Factoring Attack on RSA-Export Keys)
\nLogJam
\nWeb Timing Attacks Made Practical
\nEvading All* WAF XSS Filters
\nAbusing CDN\u2019s with SSRF Flash and DNS
\nIllusoryTLS
\nExploiting XXE in File Parsing Functionality
\nAbusing XLST for Practical Attacks
\nMagic Hashes
\nHunting Asynchronous Vulnerabilities
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=d5adcea7e7&e=20056c7556<\/p>\n
============================================================
\nFeedback, questions? Our mailing address is: dailynews@paulgdavis.com (mailto:dailynews@paulgdavis.com)<\/p>\n
If you know someone else who would be interested in this Newsalert, please forwarded this email.
\nIf you want to be added to the distribution list, please click this: Subscribe to this list (http:\/\/paulgdavis.us3.list-manage.com\/subscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a)<\/p>\n
Unsubscribe from this list (http:\/\/paulgdavis.us3.list-manage.com\/unsubscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556&c=e00a959b29)<\/p>\n
Update subscription preferences (http:\/\/paulgdavis.us3.list-manage.com\/profile?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556)<\/p>\n","protected":false},"excerpt":{"rendered":"
[From the desk of Paul Davis – his opinions and no-one else’s, apart from the reporter’s opinions ] * Threats on the Horizon for Tomorrow\u2019s Global Security Landscape * The Next Frontier of Malware – Hardware * Swift warns banks of malware threat * Survey: Retail IT Professionals Confidence in…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[29],"tags":[],"class_list":["post-1223","post","type-post","status-publish","format-standard","hentry","category-news"],"_links":{"self":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1223","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=1223"}],"version-history":[{"count":1,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1223\/revisions"}],"predecessor-version":[{"id":3710,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1223\/revisions\/3710"}],"wp:attachment":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=1223"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=1223"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/tags?post=1223"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}