[From the desk of Paul Davis – his opinions and no-one else’s, apart from the reporter’s opinions ]<\/p>\n
* Cyber terrorism big fear for developers
\n* Japan to Form New Cybersecurity Agency to Protect Its Critical Infrastructure
\n* 5 Minute Application Security Dynamic Testing Scenarios
\n* How to get senior management to support cyber security collaboration [Video]
\n* Managing Accepted Vulnerabilities [White paper]
\n* Is predictive analytics really a game changer?
\n* Hackers stole millions in third attack on global banking system
\n* Microsoft Malware Protection Center answers questions about ransomware
\n* SOURCE 2016: It’s behavior, not names, that gives attackers away
\n* Illinois Makes Extensive Changes to Data Breach Notification Law
\n* Five Signs the CISO Who Got You Here Isn\u2019t the Best One to Get You There
\n* Vendors experience disruption with growing cloud security market
\n* Cyber security in the fourth industrial revolution
\n* Boston BSides needs more space to grow<\/p>\n
Cyber terrorism big fear for developers
\nCYBER terrorism is the biggest threat faced by software developers across Europe, the Middle East and Africa (EMEA) according to a new report.
\nIts EMEA Development Survey found 38.4 per cent of developers rate it their biggest threat followed by cyber theft (29.8 per cent) and cyber espionage (21.4 per cent).
\nCyber espionage in some ways is related to both cyber theft and cyber terrorism, but the company said it was distinguished from them in that it involved the theft of sensitive, classified, or proprietary information, rather than theft of money or deliberate sabotage.
\n\u201cOnly 30 per cent of these developers say their company has a formal security policy in place that is adhered to across departments, and that\u2019s very concerning when you think about the other 70 per cent.\u201d
\nAlmost a third of them (31 per cent) believed the biggest trouble spot for security lay in the software or firmware used for interconnected devices.
\nExposing data to mobile devices was cited as a major security threat by 22 per cent, followed by transmitting data through a network or cloud (16.7 per cent).
\nThe physical security of devices was lower down the list with just 13.8 per cent of developers expressing their concern.
\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=aa7cd5286b&e=20056c7556<\/p>\n
Japan to Form New Cybersecurity Agency to Protect Its Critical Infrastructure
\nThe Japanese government has unveiled plans to create a new agency tasked with protecting the country\u2019s critical infrastructure prior to hosting the 2020 Tokyo Olympics.
\nCurrently named the \u201cIndustrial Cybersecurity Promotion Agency\u201d (ICPA), the envisaged public-private sector body would lead the development of human resources, including recruiting \u201cwhite hat hackers\u201d and conducting research.
\nThe agency will reportedly be separated into two main divisions\u2014research and active response.
\nProtected bodies will include entities in the electricity, gas, petroleum and chemical facilities sectors, the report said.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=6e889ea8a8&e=20056c7556<\/p>\n
5 Minute Application Security Dynamic Testing Scenarios
\nDynamic Testing engagements encompass a wide range of application security tests, attack vectors, penetration testing tools, and generally require a fairly broad knowledge of web-based technologies, network infrastructure, transport protocols, and development frameworks.
\nApplications are usually treated as a \u201cblack box\u201d where the tester would be attacking as an \u201coutsider\u201d with little to no knowledge about the underlying code, architecture, or security controls that are in place.
\nBecause of this environment, these types of engagements will challenge the resourcefulness, ingenuity, and creativity of Application Security test engineers.
\nThe process of Dynamic Testing involves broad and detailed attacks which actively try to bypass client or server side controls, attack and test the robustness of authentication logic, session management, access controls, data stores, backend components, and involve custom crafted attacks for SQL Injection, Cross-Site Scripting, and other high impact vulnerabilities.
\nThe scope of such comprehensive testing can be overwhelming and even unrealistic at times depending on the budget and time constraints for a given project.
\nThat being said, there are some Dynamic Testing test case scenarios where a small amount of time and effort is required to execute them, but they can yield very important vulnerability information and may even help prioritize and guide subsequent testing for more efficient and productive test results.
\nListed below are a few of these \u20185 Minute Application Security Dynamic Testing Scenarios\u2019\u2026
\n– Test for missing Cookie Secure Flag
\n– Test for missing Default Error Pages
\n– Test for missing Cookie Http Only Flag
\n– Test for Missing X-Frame-Options header
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=6a40e74f6a&e=20056c7556<\/p>\n
How to get senior management to support cyber security collaboration [Video]
\nSpeaking at The European Information Security Summit 2016, he cited an IBM study that showed that while more than half of CEOs said they should be sharing, 70 per cent of them said they do not want to share.
\nThey need to better understand the issue, he said.
\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=3c9dbbeb36&e=20056c7556<\/p>\n
Managing Accepted Vulnerabilities [White paper]
\nEvery day a new vulnerability is discovered in a piece of code or software and shortly aften\/vards the news of a new virus, malware, or hack is being used to exploit the vulnerability.
\nDeploying vulnerability scanners that receive automatic definition updates and performing daily scanning against all devices in the inventory system will notify of new vulnerabilities found and provide a recommended remediation solution.
\nA remediation could be adjusting the configuration in the system, implementing an additional control, applying a missing patch to a device or application, or an upgrade to a new version is required to resolve the vulnerability (CIS, 2015).
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=b88f43327e&e=20056c7556<\/p>\n
Is predictive analytics really a game changer?
\nThe report, by the non-profit industry group (ISC)2, suggested overall that government is still struggling with cybersecurity and how to effectively protect its networks, systems and data.
\nCritical offices in many agencies, which by now should understand security imperatives, still aren\u2019t on board.
\nThe report itself pointed out that the predictive analytics hype generated by the security industry could be behind that response.
\nNo security solution today is complete without at least some mention of a powerful analytics engine at the heart of it that will help the user get ahead of the bad guys and the threats they pose.
\nSo is predictive analytics really the game changer many seem to think it is, or at least could be.
\nIt seems likely to be a part of the security toolkit, and possibly even a vital part.
\nBut given the way the threat industry has managed to twist and morph itself around defenses so far, it\u2019s unlikely to be the answer.
\nUnfortunately, even for it to get that far, government organizations need to get much more serious about their security overall.
\nOn that issue, at least, the (ISC)2 report seems to be certain: The situation is depressingly bad.
\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=8428f01873&e=20056c7556<\/p>\n
Hackers stole millions in third attack on global banking system
\nThe methods used by hackers to attack banks in Vietnam and Bangladesh appear to have been deployed over a year ago in a heist in Ecuador.
\nThe January 2015 attack on Banco del Austro is described in a lawsuit filed by the bank in a New York federal court.
\nIt ended with thieves transferring $12 million to accounts in Hong Kong, Dubai, New York and Los Angeles, according to court documents.
\nThe existence of the lawsuit was first reported Friday by the Wall Street Journal, just one week after global banking communications network SWIFT instructed clients to secure their local computer networks.
\nA SWIFT spokeswoman said Friday that the network had not been made aware of the Banco del Austro incident.
\nLink: http:\/\/paulgdavis.us3.list-manage2.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=3a23d07f16&e=20056c7556<\/p>\n
Microsoft Malware Protection Center answers questions about ransomware
\nAs the Windows operating system currently claims a 88.77% desktop operating system market share (via NetMarketShare), Microsoft obviously has to take malware protection very seriously.
\nThis week, a new blog post by the Microsoft Malware Protection Center is explaining how users can protect themselves against ransomware.
\nTo help users avoiding ransomware attacks, Microsoft has shared a few prevention measures that you can see below:
\nKeep your operating System and antivirus solution up-to-date.
\nBeware of phishing emails, spams, and clicking malicious attachment.
\nRegularly back-up your files in external storage or in the cloud.
\nDisable the loading of macros in your Office programs.
\nDisable your Remote Desktop feature whenever possible.
\nUse two factor authentication.
\nUse a safe and password-protected internet connection.
\nAvoid browsing web sites that are known for being malware breeding grounds (illegal download sites, porn sites, etc.).<\/p>\n
For Windows 8.1 and Windows 10 users specifically, the Microsoft Malware Protection Center is also recommending the following measures …
\nIn Windows 10 and Windows 8.1 …
\nn Windows 7 and Windows Vista …
\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=17cc085ab1&e=20056c7556<\/p>\n
SOURCE 2016: It’s behavior, not names, that gives attackers away
\nWhen it comes to Internet threats, the correct response to the Shakespearean question, \u201cWhat\u2019s in a name?\u201d ought to be \u201cWho cares?\u201d according to Mike Banic.
\n\u201cThe important thing is to look at what a threat is doing, not what it is,\u201d he told an audience at SOURCE Boston 2016 this week, in a talk titled, \u201cUnderstanding Attackers\u2019 Use of Covert Communications.\u201d
\n\u201cThere seems to be a lot of pride in naming threats,\u201d he said, \u201cbut a lot of them behave in similar ways, and you don\u2019t need a signature to recognize that.
\nThe IP address and the URL may change, but the fundamental behavior will not.\u201d
\nBanic, vice president of marketing at Vectra Networks, one of about three dozen presenters at the annual event, said given the reality that \u201cthe perimeter is really porous,\u201d effective security means being able to detect when an attacker is on the inside.
\nBut, Banic said, attackers inevitably create behavior patterns that can be detected through the use of machine learning algorithms.
\nHe invoked the declaration of the iconic investigator, Sherlock Holmes: \u201cWhile the individual man is an insoluble puzzle, in the aggregate he becomes mathematical certainty.\u201d
\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=a7f2552fed&e=20056c7556<\/p>\n
Illinois Makes Extensive Changes to Data Breach Notification Law
\nOn May 6, 2016, Illinois Governor Bruce Rauner signed HB1260, which significantly updates the state\u2019s Personal Information Protection Act.
\nThe changes take effect on January 1, 2017.
\nWhen the new law becomes effective, Illinois\u2019 data breach notification statute will include one of the broader definitions of the information which, if breached, will trigger notification to individuals.
\nStarting in 2017, the definition of personal information in the Act will include an individual\u2019s full name, or first initial and last name in combination with their health insurance policy number or subscriber identification number, or any information regarding an individual\u2019s medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional, \u201cincluding such information provided to a website or mobile application.\u201d Illinois is the first state to expressly include medical information provided to a website or mobile application in the definition of information triggering breach notification, but it is unclear whether calling out the method of providing medical information in the statute will impact a company\u2019s notice obligations.
\nA company that has been provided medical information, by whatever means, is likely to be required to notify affected individuals if that information is compromised.
\nLink: http:\/\/paulgdavis.us3.list-manage2.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=43cced56a6&e=20056c7556<\/p>\n
Five Signs the CISO Who Got You Here Isn\u2019t the Best One to Get You There
\nAs boards and top executives come to terms with their responsibilities regarding cyber risks, attention is increasingly being directed at the leadership qualities of chief information security officers (CISOs).
\nTo get a handle on cyber risks, board directors and executive management have to rely on CISOs to evaluate, quantify and communicate \u2014 perhaps even translate \u2014 the various cyberthreats into tangible figures for management to act on.
\nHere are five characterizations of CISOs that could be wrong for the organization from a cybersecurity risk perspective.
\n– The Technologist
\n– The Low-Level Manager
\n– The Yearly Visitor
\n– The Scarecrow
\n– The Subordinate of the CIO<\/p>\n
As has been said repeatedly, security is no longer an IT problem \u2014 assuming it ever was.
\nFor 2016 and beyond, board directors and top leadership need a CISO who is a true partner.
\nFor the CISO, this means:
\n– Balancing Risks and the Business
\n– Aligning With the C-Suite
\n– Moving Toward Cyber Resilience
\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=3093c96c4f&e=20056c7556<\/p>\n
Vendors experience disruption with growing cloud security market
\nWith increasing threats from hackers, cloud security providers are under immense pressure.
\nFew of the security providers are either broke or exited their businesses.
\nMisha Govshteyn, Chief Strategy Officer & Co-Founder of Alert Logic, said, \u2018We\u2019re seeing a changing of the guard in security business.
\nCloud is sucking a lot of oxygen in the growth of traditional security vendors.\u2019 A lot of security vendors have been affected by growing security threats.
\nA bunch of vendors is not the only group that has been affected by cloud services.
\nSecurity teams are also experiencing disruption. \u2018It\u2019s getting more complicated to insert security into the right place,\u2019 said Govshteyn. \u2018Most security deployments aren\u2019t automated yet.
\nMost security products don\u2019t have APIs.
\nThey don\u2019t have ways to automate them\u2026.
\nIt\u2019s all at odds with the cloud.\u2019
\nA report published on the cloud security market states that the market would reach $8.9 billion (\u00a36bn) by 2020 and expected to register a CAGR of 23.5 per cent from 2015 to 2020.
\nAnalysts studying the industry have presented an extensive analysis of changing market dynamics, detailed segmentation, value chain analysis of key manufacturers, and competitive scenario.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=36a60d6803&e=20056c7556<\/p>\n
Cyber security in the fourth industrial revolution
\nThe fourth industrial revolution \u2013involving the hyper-connected world of people; processes; data, and things \u2013 is set to create unprecedented value for business, individuals and industries at large.<\/p>\n
With an estimated 50 billion devices connected to the internet by 2020, Terry Greer-King, director of cyber security for Cisco – UKI & Africa, discusses cybercrime in the fourth industrial revolution.<\/p>\n
Cisco\u2019s latest survey reveals that since using predictive maintenance, 87% of senior manufacturing decision makers in more than 13 countries saw a positive impact on overall equipment effectiveness.
\nCisco\u2019s latest Digital Readiness Index \u2013 which surveys organisations and their ability to move fast with digital infrastructure investments \u2013 has revealed that 42% of UK businesses state security as their biggest challenge.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=39fea6e582&e=20056c7556<\/p>\n
Boston BSides needs more space to grow
\nThe conference this weekend at Microsoft\u2019s New England Research and Development (NERD) Center in Cambridge, Mass., was full to capacity with about 400 people attending \u2013 the NERD limit, says Daniel Reich, one of the show\u2019s organizers.
\nHe says the organizers had to turn away about 100 others who wanted to attend, and after reading surveys by attendees and comments on Twitter, they may be looking for a larger venue for next year.
\nThis includes possibly reaching out to co-locate with other Boston area groups such as BeaCon, OWASP and SOURCE Boston.
\nBoston BSides is also considering becoming a legal non-profit to help with handling its finances.
\nThe hands-on training was new this year and the two full-day classes \u2013 Advanced Web Hacking and Introduction to Hardware Hacking – sold out almost immediately, he says.
\nPotential speakers submitted 51 proposals for just 18 slots.
\nA committee winnowed them down to 27 that they felt really ought to be accepted, and faced a painful process cutting the final nine, he says.
\nA half-day session on testing physical security presented by Keith Pachulsk delved into how to try to penetrate facilities in an effort to gain access to IT infrastructure, personnel and other assets.
\nHe does tis on behalf of clients who want their facilities and security measures tested, and he went into how to do this safely, which involved avoiding the very real possibility of violence by the clients\u2019 security teams.
\nHe talked about how to get into buildings, move around them without detection once you are in and tapping IT networks.
\nLink: http:\/\/paulgdavis.us3.list-manage2.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=3e5cb7f363&e=20056c7556<\/p>\n
============================================================
\nFeedback, questions? Our mailing address is: dailynews@paulgdavis.com (mailto:dailynews@paulgdavis.com)<\/p>\n
If you know someone else who would be interested in this Newsalert, please forwarded this email.
\nIf you want to be added to the distribution list, please click this: Subscribe to this list (http:\/\/paulgdavis.us3.list-manage.com\/subscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a)<\/p>\n
Unsubscribe from this list (http:\/\/paulgdavis.us3.list-manage2.com\/unsubscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556&c=3b5064e018)<\/p>\n
Update subscription preferences (http:\/\/paulgdavis.us3.list-manage.com\/profile?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556)<\/p>\n","protected":false},"excerpt":{"rendered":"
[From the desk of Paul Davis – his opinions and no-one else’s, apart from the reporter’s opinions ] * Cyber terrorism big fear for developers * Japan to Form New Cybersecurity Agency to Protect Its Critical Infrastructure * 5 Minute Application Security Dynamic Testing Scenarios * How to get senior…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[29],"tags":[],"class_list":["post-1229","post","type-post","status-publish","format-standard","hentry","category-news"],"_links":{"self":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1229","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=1229"}],"version-history":[{"count":1,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1229\/revisions"}],"predecessor-version":[{"id":3716,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1229\/revisions\/3716"}],"wp:attachment":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=1229"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=1229"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/tags?post=1229"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}