[From the desk of Paul Davis – his opinions and no-one else’s, apart from the reporter’s opinions ]<\/p>\n
* IT Professionals Underestimate Impact of Business Partner Security
\n* Is ransomware considered a health data breach under HIPAA?
\n* Cyber crime: 11,997 cases of credit card, net banking frauds during April-December [India]
\n* 7 ways to enlist employees in the war on cybercrime
\n* Rip up the script when assembling a modern security team
\n* IMG GlobalSecur Announces Key Travel Security App Informational Article
\n* Mining company’s data is more valuable than gold
\n* DHS seeks better private-public sharing of cyber threat information
\n* The inherent problems of the detection paradigm
\n* $81 Million Cyberheist Underscores Need for Blockchain Security
\n* The Evolution of Scoring Security Vulnerabilities<\/p>\n
IT Professionals Underestimate Impact of Business Partner Security
\nAccording to a new study, 81 percent of IT professionals are confident in their ability to protect sensitive customer data.
\nHowever, this assurance does not extend to their organization\u2019s business partners.
\nNearly half (forty-seven percent) of the respondents are not confident in the security of their business partners and suppliers.
\nAdditional findings from the study include:
\n\u2022 While ninety-five percent of respondents believe a supplier or partner security breach could expose valuable data, sixty-one percent said they were unconcerned or have bigger concerns.
\n\u2022 Less than half (forty-four percent) said their organizations require partners and suppliers to pass security audits before they sign a contract with them.
\n\u2022 Thirty-four percent use partners and suppliers that fail to meet their security standards.
\n\u2022 A quarter (twenty-five percent) admitted their organizations do not evaluate whether suppliers met their security requirements.
\n\u2022 Half said they make exceptions or offer different standards for some partners.
\nLink: http:\/\/paulgdavis.us3.list-manage2.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=e500591973&e=20056c7556<\/p>\n
Is ransomware considered a health data breach under HIPAA?
\nDan Munro, author at Forbes, and Jack Danahy, author at HealthIT Security, recently a look at what qualifies a ransomware attack as a data breach under HIPAA.
\n\u201cRansomware does represent a new legal ambiguity to the federal legislation known as HIPAA, which was designed to protect patients against the loss, theft or breach of their protected health information (PHI),\u201d according to Monro. \u201cIn some ransomware cases\u2013-depending on the actual type of ransomware\u2013-PHI is never accessed, so there is technically no breach of PHI data.\u201d
\nDanahy had a different way of seeing the potential of ransomware attacks and believes they do indeed qualify as a breach under HIPAA. \u201cOver 100 of the disclosed breaches, representing hundreds of thousands of records, were reported because a system that contained PHI came under the control of a criminal,\u201d wrote Danahy . \u201cThere is no need to verify that the information stolen in this manner is ever accessed or used; the existence of this important information in the hands of a criminal is enough of a threat that it must be reported.\u201d
\nHe argues that even if PHI is sometimes never accessed, just the fact that it came under the control of a criminal is cause enough for it to be considered a breach by HIPAA.
\nDanahy defines ransomware as the system being accessed, along with the PHI they contain, by someone who is not the healthcare provider and HIPAA must disclose the breach as a result of the loss of security.
\nLink: http:\/\/paulgdavis.us3.list-manage2.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=dc1ad8b7b9&e=20056c7556<\/p>\n
Cyber crime: 11,997 cases of credit card, net banking frauds during April-December [India]
\nAs per the data made available by the Reserve Bank of India, 13,083 and 11,997 cases related to ATM\/credit\/debit cards and net banking frauds were reported by the banks during 2014-15 and 2015-16 (up to December 2015), respectively, Communications and IT Minister Ravi Shankar Prasad said in a written reply to Rajya Sabha.
\nBesides, 44,679 and 49,455 cyber security incidents including phishing, scanning, malicious code, website intrusion, denial of service etc were reported during the year 2014 and 2015, respectively, as per the information reported to and tracked by Indian Computer Emergency Response Team (CERT-In).
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=29e8480a19&e=20056c7556<\/p>\n
7 ways to enlist employees in the war on cybercrime
\nCorporate hacking attacks continue to wreak havoc on businesses worldwide.
\nIn the past few years, data breaches at companies like Sony, Target, Home Depot, eBay and JPMorgan have resulted in hundreds of millions of compromised accounts and the theft of sensitive credit card, personal identity and Social Security information.
\nThe truth is, hackers target companies of all sizes.
\nIT professionals at small to midsized companies are aware of the dangers and take measures to protect their company\u2019s data.
\nBut company security is only as strong as its weakest link, and all too often, employees are the weak link because of poor cyber security practices.
\nHere are seven ways to help them improve:
\n– Require the use of strong passwords
\n– Mandate use of a different password for each secure site and frequent changes
\n– Make sure mobile phones and tablets are password or PIN protected
\n– Help employees avoid falling for phishing scams
\n– Require logoff when employees leave devices unattended in the office
\n– Consider deploying a password management system
\n– Provide employees with cyber safety classes
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=32c8384e22&e=20056c7556<\/p>\n
Rip up the script when assembling a modern security team
\nOrganizations have to rethink what components are key to a security team if they hope to stay ahead of attackers.
\nFrom my experience, the modern security team needs a few essential characteristics in addition to advanced technology.
\n1) Diversity is a secret weapon
\nlook for people who have worked in different companies and industries and have experience fighting a variety of threat vectors.
\nIdeally, your team will include someone with either a military or government background.
\nThey\u2019ll have a completely different way of looking at security, forcing your company out of its comfort zone.
\n2) Security requires stamina
\nAnalysts need to endure these deceptive tactics and understand that defeating attackers may take longer than they anticipate.
\n3) See something, say something
\nPeople shouldn\u2019t be afraid to be bold and speak out when there\u2019s a security problem, even if that means notifying executives about a breach.
\nDon\u2019t follow the same playbook
\nGood security teams aren\u2019t just composed of people who\u2019ve spent their career protecting corporate networks or can quickly resolve a security issue.
\nThe backgrounds of the people on your security team and how they approach problems are just as important as the technology your business uses to defeat attackers.
\nDiscarding the playbook you typically use when forming a security team will improve your company\u2019s defenses.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=f1c7ec5c1b&e=20056c7556<\/p>\n
IMG GlobalSecur Announces Key Travel Security App Informational Article
\nIMG GlobalSecur, a leading international security consulting firm, is proud to announce an important post to its FoneTrac blog explaining why travel safety apps for smartphones such as the iPhone or Android should not be considered only for youth travelers.
\nManagers of corporate travel for large organizations may not realize how convenient yet important a travel safety app can be in the corporate environment.
\nTo date, most travel safety apps have focused on the youth market and have been low in value.
\nThey have been either free or very low cost, with very limited functionality.
\nA common scenario is an app that, when accessed, can alert friends and family that a person is being mugged.
\nThe ironic and possibly tragic problem here is that the friends and family may be thousands of miles away and unable to render any timely assistance.
\nThe informative, new blog post lays out an explanation of why business travelers also need a travel safety app.
\nIt is meant so that a corporate travel manager has a handy explanation and justification that he or she can take to upper management to justify the expense of empowering business executive and key employees with a state-of-the-art travel safety app.
\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=e4fa8fb1a7&e=20056c7556<\/p>\n
Mining company’s data is more valuable than gold
\nHackers posted employee data and private documents belonging to Goldcorp, a publicly listed gold-mining company, on a paste site, according to a report in the Daily Dot.
\nThe massive data dump includes a wealth of employee and company data, including payroll information (including W-2 and T4 forms), bank account, wire transfer, and market securities information.
\nThe sample of data on the paste site \u2013 which contained the equivalent of 14.8 gigabytes of data \u2013 included budget documents from the past four years, emails about compensation, proprietary information, bank account information, budget information, employee directories and contact information (including employee names, titles, office locations, cell phone numbers, and email addresses).
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=8698536daf&e=20056c7556<\/p>\n
DHS seeks better private-public sharing of cyber threat information
\nThe Department of Homeland Security wants private-sector companies to get under the agency\u2019s information-sharing umbrella in order to better manage and mitigate cyber risks to critical infrastructure.
\nSuzanne Spaulding, the Under Secretary of DHS\u2019 National Protection and Programs Directorate, told audiences at Wednesday\u2019s MetricStream GRC Summit that industry\u2019s sharing of cyber threat information with DHS creates a \u201cnetwork of networks\u201d that reduces the risk of another major data breach, like the 2013 Target breach that affected more than 40 million customers.
\nWith cybersecurity threats on the rise, Spaulding said her team has broadened its purview on national security infrastructure threats to include more than just bridges, roads and buildings.
\nSpaulding also touted the agency\u2019s success with its Enhanced Cybersecurity Services (ECS) program, which provides guidance to industry\u2019s sharing of cyber threat indicators with DHS\u2019 National Cybersecurity and Communications Integration Center (NCCIC).
\n\u201cAt DHS NPPD we try to add value.
\nThreat is one of the areas that I think the private sector most looks to the government for help.
\nAnd so we try to provide context at sort of the strategic level,\u201d Spaulding said.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=d2e24e6088&e=20056c7556<\/p>\n
The inherent problems of the detection paradigm
\nSykipot attacks, which targeted telecommunications companies, governmental agencies and other industrial sectors in the U.S. and UK.
\nSykipot began its operation around 2006, and for a number of years collected sensitive and confidential information and exfiltrated it out of the targeted organizations.
\nArmed with several exploits, including Adobe Acrobat, Microsoft Office and Internet Explorer 0-day exploits, Sykipot successfully evaded the existing NIDS and HIDS systems and was only discovered in 2011.
\nClearly, NIDS and HIDS are failing to combat advanced type of attacks, regardless of the amount of effort and resources put in.
\nThe detection paradigm as a whole suffers from several inherent weaknesses, which adversaries frequently exploit:
\n– Attacker already in: Many detection systems, especially HIDS, assume that the attacker already has an initial foothold in the system.
\n– “White\u201d listing: Whitelisting is another Achilles\u2019s heel of detection systems.
\nNaturally, many HIDS manage a list of \u201cgood\u201d processes which are permitted to perform their activities freely.
\n– The false-negative trap: Many of the techniques employed by NIDS and HIDS are statistically-based rather than rule-based.
\nConsequentially, HIDS vendors try to avoid false alarms as much as possible -using thresholds.
\nThe undetectable: Some \u2018malicious\u2019 activities are simply impossible to detect.
\n– The damage already done: In many cases, detection occurs late in the timeline of the attack, after the damage has already occurred.
\nTo overcome these limitations, a new paradigm is required.
\nIn contrast to NIDS and HIDS, Moving Target Defense (MTD) doesn\u2019t try to detect the enemy.
\nInstead, it attempts to prevent the enemy from entering in the first place.
\nUnder the MTD model, there is no monitoring, no detection rules, no signatures and no heuristics.
\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=ee5ccebf35&e=20056c7556<\/p>\n
$81 Million Cyberheist Underscores Need for Blockchain Security
\nInvestigators at BAE Systems, a U.K.-based defense contractor, believe the attackers hacked into the Society for Worldwide Interbank Financial Telecommunication (SWIFT) financial platform that provides the heart of the global financial system, Reuters reported.
\nFinancial institutions are investigating the use of blockchain technology for the efficiencies in areas such as transfers, authentication and remittances.
\nThese institutions should also consider blockchain\u2019s security capabilities.
\nBy deploying blockchain security, financial institutions would gain the critical benefit of improved security while also setting the foundation for serving the millions of unbanked, another critical need the legacy financial infrastructure has failed to address.
\nGuardtime, a cybersecurity solutions collective, is an example of how blockchain security solutions are being applied to critical infrastructure, CCN reported.
\nGuardtime is developing measures to protect and safeguard critical infrastructure in the U.K. such as nuclear power stations, the electricity grid and flood defense systems.
\nSWIFT, meanwhile, is issuing a software update to assist customers in improving security and to identify inconsistencies in local database records.
\nSWIFT could release more updates as it discovers more about the attack and other threats, according to Deteran.
\nThe key defense against such attacks is for users to deploy \u201cappropriate security measures\u201d in their local environments, Deteran said.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=22ab437e6f&e=20056c7556<\/p>\n
The Evolution of Scoring Security Vulnerabilities
\nThe Common Vulnerability Scoring System (CVSS), which is used by many in the industry as a standard way to assess and score security vulnerabilities, is evolving to a new version known as CVSSv3.
\nThese changes addressed some of the challenges that existed in CVSSv2; CVSSv3 analyzes the scope of a vulnerability and identifies the privileges an attacker needs to exploit it.
\nThe enhancements to CVSS will allow vendors, such as Cisco, to better analyze security vulnerability impact.
\nThe changes will also more clearly define the urgency of responding to the vulnerability for our customers.
\nThe following study reviews the difference in scores when a vulnerability is assessed using CVSSv2 vs.
\nCVSSv3.
\nThe stakeholders at FIRST have done a great job in this new version of the standard addressing some of the challenges faced with its predecessor (CVSSv2).
\nAs more organizations begin to adopt this new standard in their processes for evaluating vulnerabilities, there will be some visible changes in disclosure trends overall.
\nThe most notable is an increase in the total number of higher-rated vulnerabilities.
\nThis increase occurs because the metrics changes in the new system.
\nAs the threat landscape evolves, there are more cases where an increased sense of urgency is needed in customers\u2019 responses.
\nThis study analyzed the difference between CVSS version 2 and version 3 scores.
\nThis study uses CVSSv2 and CVSSv3 scores provided by the National Vulnerability Database (NVD).
\nA total of 745 vulnerabilities were analyzed, and each vulnerability is identified by a Common Vulnerabilities and Exposures (CVE) identifier.
\nAll the vulnerabilities were disclosed in 2016.
\nThe CVSS enhancements mean that we will see more vulnerabilities being rated as high or critical throughout the security industry.
\nYou may ask yourself, was the industry analyzing and scoring the risk of vulnerabilities incorrectly or are we inflating the scores now.
\nThe answer lies in the fact that threats to security are evolving and advancing all the time.
\nThreat types that were once a potential inconvenience could now have a greater impact on an organization.
\nOur assessments of such threats and the appropriate level of response also needed to evolve.
\nThe stakeholders at FIRST have done a great job in this new CVSS version to address some of the challenges we faced with its predecessor (CVSSv2).
\nThe new enhancements allow incident response, IT security, and cyber security teams to analyze the impact of security vulnerabilities to determine the urgency of response.
\nCisco PSIRT will continue to adapt to enable our customers to assess and mitigate any risks in their networks quickly.
\nOur mission is to do the right thing quickly, and to keep our customers protected.
\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=2af5e2e922&e=20056c7556<\/p>\n
============================================================
\nFeedback, questions? Our mailing address is: dailynews@paulgdavis.com (mailto:dailynews@paulgdavis.com)<\/p>\n
If you know someone else who would be interested in this Newsalert, please forwarded this email.
\nIf you want to be added to the distribution list, please click this: Subscribe to this list (http:\/\/paulgdavis.us3.list-manage.com\/subscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a)<\/p>\n
Unsubscribe from this list (http:\/\/paulgdavis.us3.list-manage.com\/unsubscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556&c=2b4c395259)<\/p>\n
Update subscription preferences (http:\/\/paulgdavis.us3.list-manage1.com\/profile?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556)<\/p>\n","protected":false},"excerpt":{"rendered":"
[From the desk of Paul Davis – his opinions and no-one else’s, apart from the reporter’s opinions ] * IT Professionals Underestimate Impact of Business Partner Security * Is ransomware considered a health data breach under HIPAA? * Cyber crime: 11,997 cases of credit card, net banking frauds during April-December…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[29],"tags":[],"class_list":["post-1225","post","type-post","status-publish","format-standard","hentry","category-news"],"_links":{"self":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1225","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=1225"}],"version-history":[{"count":1,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1225\/revisions"}],"predecessor-version":[{"id":3712,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1225\/revisions\/3712"}],"wp:attachment":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=1225"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=1225"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/tags?post=1225"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}