{"id":1226,"date":"2016-09-11T00:00:00","date_gmt":"2016-09-11T00:00:00","guid":{"rendered":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/2016\/09\/11\/fromreply-totodatemessage-idlist-idlist-unsubscribesendercontent-typemime-version-imail3dpaulgdavis-commail166-atl61-mcsv-net-2\/"},"modified":"2021-12-30T11:38:59","modified_gmt":"2021-12-30T11:38:59","slug":"fromreply-totodatemessage-idlist-idlist-unsubscribesendercontent-typemime-version-imail3dpaulgdavis-commail166-atl61-mcsv-net-2","status":"publish","type":"post","link":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/2016\/09\/11\/fromreply-totodatemessage-idlist-idlist-unsubscribesendercontent-typemime-version-imail3dpaulgdavis-commail166-atl61-mcsv-net-2\/","title":{"rendered":"From:Reply-To:To:Date:Message-ID:List-ID:List-Unsubscribe:Sender:Content-Type:MIME-Version; i=mail=3Dpaulgdavis.com@mail166.atl61.mcsv.net;"},"content":{"rendered":"<p>[From the desk of Paul Davis &#8211; his opinions and no-one else&#8217;s,  apart from the reporter&#8217;s opinions ]<\/p>\n<p>* 2016: The year of application layer security in public clouds<br \/>\n* Dangerous open-source bugs lurk inside most commercial apps<br \/>\n* The critical first hours of a data breach: What to do when your business has been hacked<br \/>\n* What&#8217;s Next For Network Security<br \/>\n* Why Physical Security Professionals Need to Get to Grips with Cyber Security<br \/>\n* Now experts say don\u2019t change your password! 
Security services say workers may be safer from hackers if they keep the same login<br \/>\n* Online transaction fraud to reach $25 billion by 2020<br \/>\n* Microsoft publishes Security Intelligence Report, including cloud data for the first time<br \/>\n* American Bar Association releases cyber insurance guide for lawyers<br \/>\n* Microsoft: 2015&#8217;s Most Popular Exploit Was a Vulnerability Discovered in 2010<\/p>\n<p>2016: The year of application layer security in public clouds<br \/>\nOur State of the Cloud Survey estimates that 93 per cent of respondents are adopting cloud \u2013 88 per cent are using public cloud, 63 per cent using private cloud, and 58 per cent using both.<br \/>\n\u2018Hybrid Cloud\u2019 will mean cloud computing resources are interoperable with all technologies, hardware, providers, and geographies.<br \/>\nDevelopers of the world will be free to build applications without any thought to the underlying architecture.<br \/>\nSecurity focus shifts from the datacentre to just the data<br \/>\nAs data platforms modernise, security will evolve as well.<br \/>\nNo longer will organisations just build massive walls around a corporate datacentre to keep out all potential attackers.<br \/>\nThe limitations of the physical network architectures will be magnified once enterprises see the difference between an underlay for bulk transport and an overlay for application specific use-case tuning.<br \/>\nThe glaring security holes in physical networks once obfuscated will reveal themselves.<br \/>\nThe collision between the cloud way and the physical datacentre way will be violent.<br \/>\nThe concept of an on-premise datacentre will change in 2016 both in how it will be built and how it will be consumed.<br \/>\nThose with groups already working in the cloud will easily transition to a more flexible and efficient environment.<br \/>\nIt may be called private cloud or software-defined datacentre, but the name won\u2019t matter.<br \/>\nThe question 
for 2017 is \u2018when will the traditional physical datacentre way become extinct?\u2019<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=6506de72fb&#038;e=20056c7556<\/p>\n<p>Dangerous open-source bugs lurk inside most commercial apps<br \/>\nThe security of open-source components is a blind spot that&#8217;s leaving businesses exposed to dozens of very old bugs, security firm Black Duck Software contends in a new report, based on open-source security work it&#8217;s conducted.<br \/>\nIBM recently tapped Black Duck Software for its IBM Security AppScan to scan and map out potentially vulnerable open-source components in use.<br \/>\nThe report summarizes a review of 200 commercial applications it reviewed for customers in the six months to March.<br \/>\nThe firm finds that the average commercial application consists of over 100 open-source components.<br \/>\nHowever, at the beginning of an audit customers are only aware of about half of these.<br \/>\nIndeed, the report finds that 67 percent of commercial applications contain vulnerable open-source components and that each application, on average, has five vulnerable components that contain multiple individual vulnerabilities.<br \/>\nAccording to the firm&#8217;s numbers, each application has 22.5 individual vulnerabilities across different components.<br \/>\nBlack Duck Software product strategy VP Mike Pittenger said the problem isn&#8217;t the use of open source but rather the lack of visibility in its use and a lack of awareness of new vulnerabilities.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=b69d5cf9bb&#038;e=20056c7556<\/p>\n<p>The critical first hours of a data breach: What to do when your business has been hacked<br \/>\nFirstly, a data breach costs money &#8211; \u00a31.2m on average according to the Risk:Value report from NTT Com Security.<br \/>\nBrand reputation also takes a huge 
hit from a data breach, you only need look at the impact of the TalkTalk data breach &#8211; over 100,000 customers and \u00a360m lost.<br \/>\nThe name of the data breach response game is protection &#8211; protect your assets, brand, reputation, customers and long-term future.<br \/>\nFollowing a data breach you must lock down your systems.<br \/>\nAfter having quarantined the vulnerability, it is imperative that you find out if the attackers have any other paths into your systems &#8211; the &#8216;three pronged attack&#8217; is becoming more and more popular among hackers, as Laurance Dine Managing Principal of investigative response at Verizon Enterprise Solutions told CBR:<br \/>\nRussell Kempley, Head of Cyber Technical Services at BAE Systems, advises implementing the following procedure:<br \/>\n1- Assign an incident co-ordinator who can liaise with investigation teams and management<br \/>\n2- Ensure evidence is being captured and preserved &#8211; logs should be collected from key devices and extra logging enabled if the attack is ongoing.<br \/>\nCompromised assets should be isolated from the network if appropriate to the type of threat and business impact.<br \/>\n3- Conduct an initial assessment to identify actual or potential business impacts; this informs the response strategy and what the key outstanding questions are<br \/>\n4- Call in specialist investigation support to help get accurate answers quickly and guide the business through the recovery.<br \/>\nThe UK Government \/ CESG has a scheme to certify incident response specialists so that you can choose a firm with confidence.<br \/>\n5- Take action, inform management and other stakeholders and seek advice from legal and communications teams.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=59ce80c491&#038;e=20056c7556<\/p>\n<p>What&#8217;s Next For Network Security<br \/>\nLAS VEGAS \u2013 Interop 2016 \u2013 Network security as we know 
it ultimately will operate hand in hand with software-defined networking (SDN) and virtualization, security experts here said.<br \/>\nBut a software-defined network architecture comes with some security risks of its own.<br \/>\nIt leaves organizations open to internal distributed denial-of-service (DDoS) attacks, says Camp, who in a presentation here tomorrow will show how malware can enter virtual environments.<br \/>\nIt\u2019s possible to hack a virtual machine and basically \u201cblow up that whole box and the network with it,\u201d he says.<br \/>\n\u201cYou can take the first few digits of a MAC address and &#8230; know it\u2019s a VM,\u201d he says. \u201cYou can take that VM and pop it and do resource-exhaustion\u201d and use that to DDoS the SDN.<br \/>\nThat would be an ironic twist, of course, since SDN can be used to mitigate external DDoS attacks.<br \/>\nThe best bet for protection would be to incorporate network defenses within those same boxes, Camp and other experts say.<br \/>\n\u201cSecurity is really just another part of the infrastructure, and a fundamental\u201d part of a software-defined security framework, he said.<br \/>\nBut firewall, IDS\/IPS, and other hardware-based platforms aren\u2019t going anywhere any time soon.<br \/>\nA virtual firewall would sit on a virtual switch like other network functions, and provide better visibility into network traffic, he says. 
\u201cAnd because it\u2019s in a VM, it\u2019s easier to scale, too.\u201d<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=e47236a7ba&#038;e=20056c7556<\/p>\n<p>Why Physical Security Professionals Need to Get to Grips with Cyber Security<br \/>\n\u2018Stop thinking cyber security is an IT problem, because it\u2019s not; it\u2019s a business problem\u2019, advised industry expert, Mike Gillespie, at a recent NSI Summit.<br \/>\nA couple of examples\u2026<\/p>\n<p>Number one: Last year, news broke that hundreds of CCTV systems were live-streaming content across the internet.<br \/>\nNearly all of those systems, Mike explained, had been compromised because an installer had not changed the default username and password.<\/p>\n<p>Number two: Mike identified a server on a client\u2019s network, but couldn\u2019t find it using schematics.<br \/>\nThe IT manager claimed to know nothing about it and, on paper, it didn\u2019t exist.<br \/>\nEventually, the Facilities Manager admitted he had added it to the system, without communicating the change or being aware of the threat.<br \/>\nThe key advice for attendees at the NSI Installer Summit was \u2018stop thinking \u201cI\u2019m not a big corporate, this doesn\u2019t matter to me\u201d\u2019.<br \/>\nThis is impacting real, physical environments and it has the potential to cause widespread chaos.<br \/>\nIt\u2019s not just the lazy hackers who are after us, but also well-resourced, capable people \u2013 sometimes state-sponsored, sometimes terrorists.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=fbaf839da4&#038;e=20056c7556<\/p>\n<p>Now experts say don\u2019t change your password! 
Security services say workers may be safer from hackers if they keep the same login<br \/>\nIn a new briefing to Whitehall, power stations, banks and the public sector, cyber experts at CESG \u2013 the information security arm of intelligence agency GCHQ \u2013 concluded: \u2018It\u2019s one of those counter-intuitive security scenarios; the more often users are forced to change passwords, the greater the overall vulnerability to attack.\u2019<br \/>\nThe advice continues: \u2018Most password policies insist that we have to keep changing them.<br \/>\nAnd when forced to change one, the chances are that the new password will be similar to the old one.<br \/>\n&#8216;Attackers can exploit this\u2026New passwords are also more likely to be forgotten, and this carries the productivity costs of users being locked out\u2026CESG now recommends organisations do not force regular password expiry.\u2019<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=c76b0db6ea&#038;e=20056c7556<\/p>\n<p>Online transaction fraud to reach $25 billion by 2020<br \/>\nOnline transaction fraud is expected to reach $25.6 billion by 2020, up from $10.7 billion last year, according to Juniper Research.<br \/>\nThis means that by the end of the decade, $4 in every $1,000 of online payments will be fraudulent.<br \/>\nThe new study identified 3 hot areas for online fraud:<br \/>\neRetail (65% of fraud by value in 2020 \u2013 $16.6 billion)<br \/>\nBanking (27% \u2013 $6.9 billion)<br \/>\nAirline ticketing (6% \u2013 $1.5 billion).<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=1c9e55579d&#038;e=20056c7556<\/p>\n<p>Microsoft publishes Security Intelligence Report, including cloud data for the first time<br \/>\nMicrosoft has published its latest biannual Security Intelligence Report (SIR), covering the second half of 2015.<br \/>\nThe SIR &#8220;analyzes the threat landscape of exploits, 
vulnerabilities, and malware using data from Internet services and over 600 million computers worldwide.&#8221;<br \/>\nThis report, its twentieth in the last ten years, includes security data from the Microsoft cloud for the first time, which the company says &#8220;reveals how we are leveraging an intelligent security graph to inform how we protect endpoints, better detect attacks and accelerate our response, to help protect our customers.&#8221;<br \/>\nFrom a sensor network made up of hundreds of millions of systems running Microsoft anti-malware software, the data shows us that:<br \/>\nThe number of systems that encountered malware in 2015 increased in the second half of the year.<br \/>\nThe worldwide encounter rate increased to 20.5% by the end of 2015, an increase of 5.5% from six months earlier.<br \/>\nThe locations with the highest encounter rates were Pakistan, Indonesia, the Palestinian territories, Bangladesh, and Nepal which all had encounter rates above 50%.<br \/>\nExploit kits accounted for four of the 10 most commonly encountered exploits during the second half of 2015.<br \/>\nThe Angler exploit kit was the most commonly encountered exploit kit family.<br \/>\nAlthough ransomware had relatively low encounter rates (worldwide ER for ransomware in the first quarter of 2015 was 0.35 percent and 0.16 percent in the second quarter), its use in ransomware-as-a-service kits and targeted attacks is increasing.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=1c76e4ce5c&#038;e=20056c7556<\/p>\n<p>American Bar Association releases cyber insurance guide for lawyers<br \/>\nThe American Bar Association&#8217;s Standing Committee on Lawyers&#8217; Professional Liability on Thursday introduced a guide for attorneys on cyber liability risk and insurance.<br \/>\nTopics in the guide, \u201cProtecting Against Cyber Threats: A Lawyer&#8217;s Guide to Choosing a Cyber-Liability Insurance Policy,\u201d include 
why law firms should purchase cyber liability insurance, understanding the coverage, how to prevent coverage gaps and the importance of breach response, among others.<br \/>\nThe guide also includes a list of cyber liability insurers that insure law firms and their contact information.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage2.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=fc1424a516&#038;e=20056c7556 (http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=66ace926d6&#038;e=20056c7556)<\/p>\n<p>Microsoft: 2015&#8217;s Most Popular Exploit Was a Vulnerability Discovered in 2010<br \/>\nAccording to Microsoft&#8217;s security team and data from its anti-malware products, during 2015, the most popular security exploit was CVE-2010-2568, a vulnerability discovered in 2010 and also used in the infamous Stuxnet attacks.<br \/>\nCVE-2010-2568 is a security bug found in older versions of the Windows Shell and affects Microsoft&#8217;s Windows 7, Vista, XP, Server 2008 and Server 2003 operating systems.<br \/>\nThe vulnerability allows an attacker to deploy LNK or PIF files on an affected system and then execute code on the user&#8217;s computer, effectively taking over the device.<br \/>\nThe report also highlights positive findings, the company revealing that the number of users that employ real-time security software is growing.<br \/>\nAccording to the company, the needle has moved from 74.3 percent to 77.1 percent over the course of last year.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=b4e9c7996e&#038;e=20056c7556<\/p>\n<p>============================================================<br \/>\nFeedback, questions? 
Our mailing address is:  dailynews@paulgdavis.com (mailto:dailynews@paulgdavis.com)<\/p>\n","protected":false},"excerpt":{"rendered":"<p>[From the desk of Paul Davis &#8211; his opinions and no-one else&#8217;s, apart from the reporter&#8217;s opinions ] * 2016: The year of application layer security in public clouds * Dangerous open-source bugs lurk inside most commercial apps * The critical first hours of a data breach: What to 
do&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[29],"tags":[],"class_list":["post-1226","post","type-post","status-publish","format-standard","hentry","category-news"],"_links":{"self":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1226","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=1226"}],"version-history":[{"count":1,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1226\/revisions"}],"predecessor-version":[{"id":3713,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1226\/revisions\/3713"}],"wp:attachment":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=1226"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=1226"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/tags?post=1226"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}