[From the desk of Paul Davis – his opinions and no-one else’s, apart from the reporter’s opinions ]<\/p>\n
* US House of Representatives bans Yahoo Mail and Google App Engine over malware concerns
\n* Symantec’s Cheri McGuire named CISO of Standard Chartered bank
\n* The cyber-security buck should stop with executives, finds survey
\n* A key security takeaway from Walmart’s chip-and-PIN suit against Visa
\n* Vulnerability management trends in Asia Pacific
\n* Five Useful Tips to Build a Successful and Mature Security Operations Center
\n* Why incident response plans fail
\n* Are You Prepared for Your Vendor\u2019s Data Breach?
\n* New FireEye Research Reveals the Impact of High-Profile Security Breaches on U.S. Consumers’ Trust of Brands
\n* 6 privacy landmines and how to avoid stepping on them
\n* Health Care Breaches Common, but Budgets Stay Mostly Flat: Survey
\n* FDIC Calls \u2018Major\u2019 Data Breaches Accidental<\/p>\n
US House of Representatives bans Yahoo Mail and Google App Engine over malware concerns
\nOn April 30, the House\u2019s Technology Service Desk informed users about an increase in ransomware related emails on third-party email services like Yahoo Mail and Gmail.
\nThe ban on Yahoo Mail access suggests that some House of Representatives workers accessed Yahoo mailboxes from their work computers.
\nThis raises the questions: are House workers using Yahoo Mail for official business, and, if they’re not, are they allowed to check their private email accounts on work devices?
\nThis ban appears to be unrelated to the ransomware attacks and is in response to indicators that attackers have been using Google’s platform to host a remote access trojan named BLT since June 2015, unnamed congressional sources told Reuters.
\nLink: http:\/\/paulgdavis.us3.list-manage2.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=dc40542b38&e=20056c7556<\/p>\n
Symantec’s Cheri McGuire named CISO of Standard Chartered bank
\nIn her new role, McGuire’s responsibilities will include cyber security governance, strategy, regulatory engagement, policy development, training and awareness, as well as industry stakeholder partnerships.
\nShe will also be accountable for the Bank\u2019s information security monitoring, third party risk management and vulnerability assessments.
\nShe will also become a member of the Bank\u2019s information technology and Operations Management Team.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=8ff1a31213&e=20056c7556<\/p>\n
The cyber-security buck should stop with executives, finds survey
\nVMWare presented new research today on the historically distant relationship between the issue of cyber-security, employees and the board.
\n29 percent of both groups believe that the CEO should be responsible for a significant data breach, and 38 percent of office workers and 22 percent of decision-makers believe that the buck should stop with the board following a breach.
\nHowever, research published in conjunction with the Economist Intelligent Unit earlier this year showed that only five percent of corporate leaders put cyber-security at the top of their priorities.
\nThis is not so much a technology problem, but perhaps a psychological, or sociological one.
\nIt’s a question of \u201chow much can people take\u201d.
\nSimply, its about making security as easy as possible for employees.
\nIn the report itself, Joe Baguley, CTO of VMware mentions that, \u201cSecurity is not just about technology.
\nAs the research shows, the decisions and behaviours of people will impact the integrity of a business\u201d.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=2c81962459&e=20056c7556<\/p>\n
A key security takeaway from Walmart’s chip-and-PIN suit against Visa
\nWalmart on Tuesday filed suit against Visa and charged the payment card provider with making it too easy for consumers to avoid some of the security features built into chip-and-PIN cards.
\nWalmart’s suit relates specifically to Visa debit cards and does not involve chip-and-PIN credit cards, which are making a much slower transition into the U.S. market.
\nDespite the implication of the name, chip-and-PIN cards can be configured to work without PINs.
\nAlthough the embedded chips make the cards more secure than those with magnetic stripes, they’re even more secure when used along with PINs.
\nThat’s the crux of Walmart’s lawsuit.
\nThe company says Visa forces it to give customers who use Visa-branded debit cards a choice between verifying purchases with PINs, or with signatures.
\nThe signature option invites fraud, according to Walmart.
\nAnd because Visa debit cards are common, many other retailers are also likely forced to let consumers choose to use lesser payment security measures, Sirota says.
\nThe moral of this story.
\nIf you have a choice between using a PIN or signature to verify your identity when making a purchase, do yourself a favor and choose the former option.
\nSure, it’s yet another number to memorize, but the extra security will be more than worth the trouble if it helps you avoid a migraine associated with payment card fraud.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=0e48d9ae27&e=20056c7556<\/p>\n
Vulnerability management trends in Asia Pacific
\nA new study conducted by Forrester Consulting evaluated perceived challenges, drivers and benefits of various vulnerability management strategies and investments based on responses from information security professionals in Australia, China, Japan, New Zealand and Singapore.
\nAccording to survey results, one of the top security priorities of companies is protecting customer data, with a focus on application security, data security and protection of customers\u2019 personal information.
\nDespite their customer focus, only 22 percent of security decision makers performed continuous vulnerability assessments to monitor their environments for new threats.
\nThe majority of respondents (44 percent) conducted scans periodically, while 28 percent performed scans monthly.
\nForty-six percent of survey respondents cited reducing risk and improving security posture as the highest ranking security priority of all strategic IT objectives for companies in the Asia Pacific region.
\nThe potential vulnerabilities of companies are compounded as new technologies and devices are introduced by employees, customers and partners.
\nSuch attacks significantly affect the business, ranging from internal consequences such as decreased productivity (53 percent of respondents said that the impact of this was \u2018severe\u2019 or \u2018very severe\u2019) and increased operational expenses (60 percent) to detriments such as brand damage (51 percent), resulting in lost customer trust (57 percent) and lost revenue (51 percent).
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=0f817f5b39&e=20056c7556<\/p>\n
Five Useful Tips to Build a Successful and Mature Security Operations Center
\n1) Know and Set Monitoring Goals
\n2) Find the Right Technical Configurations
\n3) Build the Right Security Operations Team
\n4) Have a Robust Incident Response Process
\n5) Lobby for Help From IT and Other Departments
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=9b0ccb69f8&e=20056c7556<\/p>\n
Why incident response plans fail
\nRather than identifying, analyzing and eradicating the threat, organizations can easily become entangled in processes hindering response time and further endangering operations.
\nWhile many industrial organizations have an IR plan in place, very few run through a routine simulation exercise of this plan.
\nSimulated exercises reveal various incorrect assumptions made throughout the IR process and identify gaping holes where there are missing contacts or protocols that are critical for a successful IR program.
\nWhen an incident occurs, key stakeholders want to be aware of what\u2019s happening and how the situation is being addressed.
\nKeeping executives in the know and managing expectations around the line of communication is an important part of an IR plan.
\nThere should be an assigned \u201cincident captain\u201d who can quickly alert the necessary parties and inform them of immediate next steps.
\nWhen it comes to managing suppliers in an IR plan, there are a number of questions or assumptions that should be verified during a simulated exercise.
\nWhat role do your suppliers play in the event of an attack.
\nDo they have a contractual agreement that outlines their role in IR and disclosure around cyber incidents.
\nDo they install software that was purchased from another vendor.
\nDo suppliers know what software you have in operation.
\nDo they run simulated testing of software updates on machines prior to actual implementation?
\nAttacks are part of today\u2019s connected environment, so IR is not as much about the attack but rather resiliency.
\nCybersecurity practices need to be collaborative and open, not only within an organization but across industries.
\nExecutives should be thinking about how they inventory assets and what type of services they would require from manufacturers to deal with a cyber incident.
\nThey must communicate a clear picture to the board of what is required and how this plan will be executed efficiently.
\nRunning through an IR exercise helps raise awareness about cybersecurity within an organization and creates a resilient business culture that is prepared for anything.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=5d576b1348&e=20056c7556<\/p>\n
Are You Prepared for Your Vendor\u2019s Data Breach?
\nEver since the Target and Home Depot breaches were traced to intrusions at their vendors, the management of cybersecurity at third-party vendors has been a focus of companies and regulators.
\nThe FTC has flagged the issue, as has the SEC.
\nThe DoD has imposed strict cybersecurity requirements for contractors that \u201cflow down\u201d to sub-contractors.
\nRevisiting third-party risk management in view of recent cyber attacks presents some important takeaways for companies and vendors to consider:
\n– Collaborate on data security
\n– Be prepared for a breach
\n– Review your contractual terms
\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=0300348919&e=20056c7556<\/p>\n
New FireEye Research Reveals the Impact of High-Profile Security Breaches on U.S. Consumers’ Trust of Brands
\nMILPITAS, CA–(Marketwired – May 12, 2016) – FireEye, Inc. (NASDAQ: FEYE), the leader in stopping today’s advanced cyber attacks, today released the results of new research that finds high-profile data breaches are negatively impacting consumer trust in major brands.
\nThe FireEye commissioned research — conducted by independent technology market research specialist Vanson Bourne with a survey of 2,000 adults within the U.S. in April 2016 — confirms the rising public concerns of data privacy.
\nFindings revealed that 76 percent of respondents would likely take their business elsewhere due to negligent data handling practices.
\nAdditionally, 75 percent of consumers stated they were likely to stop purchasing from a company if a data breach was found to be linked to the board failing to prioritize cyber security.
\nThe survey findings also highlight the potential long-term financial impact of data breaches on major brands, with 59 percent of consumers warning they would take legal action against companies if a data breach resulted in their personal details being used for criminal purposes. 72 percent of consumers also reported that they will now share fewer personal details with companies, which could hit the revenues of organizations — from social media platforms to search engines — that rely on collecting detailed consumer data for advertisers.
\nOther key findings included the following:<\/p>\n
52 percent of consumers would consider paying more for the same products or services from a provider with better data security
\n54 percent of consumers feel more negatively of organizations breached
\n78 percent of consumers are cautious of organizations’ abilities to keep data safe
\n52 percent of consumers said security is an important or main consideration when buying products and services
\n90 percent of consumers expect to be informed within 24 hours if their service provider had suffered a data breach which could have compromised their data
\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=d166125d11&e=20056c7556<\/p>\n
6 privacy landmines and how to avoid stepping on them
\nErin Whaley, a partner at the law firm Troutman Sanders, outlined what those are and shared half-a-dozen tips for avoiding them.
\n1) As long as I have cybersecurity insurance I\u2019ll be covered in the event of a breach.
\nIt\u2019s not that simple.
\n2) Our team can handle any incident internally.
\nEven providers who really have the best professionals in the country should seek outside help.
\n3) Social media isn\u2019t a big concern for us. \u201cDo not think social media is not a problem for you,\u201d Whaley contended.
\n4) Business associate agreements are just a form agreement.
\nOur lawyers don\u2019t need to review them.
\nWhaley explained that more BA\u2019s fall into this trap than healthcare providers, there are some hospitals that do as well and for a variety of reasons, most notably that they think BA agreements are similar and they don\u2019t want things held up in legal review.
\n5) As long as I\u2019m HIPAA compliant, I don\u2019t have to worry about other privacy laws. \u201cThat is not true,\u201d Whaley said. “There are other privacy laws.\u201d
\n6) We do a fine job responding to requests from individuals for their records.
\nUpdating this process is not a priority. \u201cYou should go ahead and look at the process for responding to individual requests for records,\u201d Whaley said.
\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=8cbd2413aa&e=20056c7556<\/p>\n
Health Care Breaches Common, but Budgets Stay Mostly Flat: Survey
\nAlmost 90 percent of hospitals and insurers have had a breach in the past two years, but budgets have risen for less than a third of health care organizations.
\nBased on multiple interviews with 91 health insurers and hospitals and 84 business associates, the survey found that 89 percent of health care organizations had a data breach in the past two years, with nearly half having more than five data breaches.
\nWhile most of the breaches were small, encompassing less than 500 records, the average cost of a breach was $2.2 million over two years for health care providers and insurers and more than $1 million for business associates, according to the survey.
\nAs a result of breaches, more than half of all companies have become better at vetting third-party partners, spent more on security technology and focused on employee training.
\nHowever, the demand for security personnel has prevented nearly three-quarters of health care firms from hiring more skilled IT security personnel, the survey found.
\nIn addition, half of respondents did not see any change in budgets, while about 30 percent saw an increase over the past two years.
\nTo a large extent, both seem to lack preparedness.
\nOnly 8 percent of health care organizations conduct vulnerability assessments quarterly, and 25 percent of business associates do so, the survey found.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=b783b6877b&e=20056c7556<\/p>\n
FDIC Calls \u2018Major\u2019 Data Breaches Accidental
\nThere is a difference of opinion within the federal government about what counts as a “major” data breach.
\nThe debate over the breadth and depth of the adjective is more than semantic.
\nThe failure of an agency to classify a cyberincident as a “major” one could stall reporting of the incident.
\nFor example, since October 2015, seven Federal Deposit Insurance Corporation employees who retired or moved on to other jobs each took with them 10,000 or more sensitive records inadvertently, according to FDIC Chief Information Officer Lawrence Gross.
\nHe did not categorize any of the losses as a major cyberincident at the time.
\nBut under 2014 cyber reforms, the rules say if agency data remains outside the government\u2019s control for at least eight hours or if the situation involves more than 10,000 records, that agency is dealing with a “major” incident that requires notifying Congress within seven days.
\nGross testified before a House Science Committee panel that he did not believe the breaches merited the “major” label, as defined last October by White House rules, because each worker had been authorized to see the data at issue.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=2d6748e545&e=20056c7556<\/p>\n
============================================================
\nFeedback, questions? Our mailing address is: dailynews@paulgdavis.com (mailto:dailynews@paulgdavis.com)<\/p>\n
If you know someone else who would be interested in this Newsalert, please forwarded this email.
\nIf you want to be added to the distribution list, please click this: Subscribe to this list (http:\/\/paulgdavis.us3.list-manage1.com\/subscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a)<\/p>\n
Unsubscribe from this list (http:\/\/paulgdavis.us3.list-manage.com\/unsubscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556&c=a107cc6b71)<\/p>\n
Update subscription preferences (http:\/\/paulgdavis.us3.list-manage2.com\/profile?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556)<\/p>\n","protected":false},"excerpt":{"rendered":"
[From the desk of Paul Davis – his opinions and no-one else’s, apart from the reporter’s opinions ] * US House of Representatives bans Yahoo Mail and Google App Engine over malware concerns * Symantec’s Cheri McGuire named CISO of Standard Chartered bank * The cyber-security buck should stop with…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[29],"tags":[],"class_list":["post-1228","post","type-post","status-publish","format-standard","hentry","category-news"],"_links":{"self":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1228","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=1228"}],"version-history":[{"count":1,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1228\/revisions"}],"predecessor-version":[{"id":3715,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1228\/revisions\/3715"}],"wp:attachment":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=1228"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=1228"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/tags?post=1228"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}