[From the desk of Paul Davis – his opinions and no-one else’s, apart from the reporter’s opinions ]<\/p>\n
* Cybersecurity\u200b has started fighting back against hackers
\n* Almost One-Third of Cyber Security Professionals Surveyed Admit to Compromising Ethics to Pass Audits
\n* Not using Adobe’s PDF reader doesn’t mean you’re avoiding PDF malware
\n* Microsoft Boosts Security in Windows 10 Anniversary Update
\n* Are You Prepared to Handle the Cost of a Data Breach?
\n* Top 10 tech for information security in 2016
\n* Cloud Adopters Balancing Cost Savings, Security
\n* The transportation industry is increasingly being targeted by hackers
\n* Only 29% of organisations have a cyber-security expert in their IT dept
\n* Email Compliance: Act Now, Save Millions – Information Governance Report is a Call to Action
\n* Why Companies Should Consider Data-Centric Security
\n* How Google’s head of cybersecurity Gerhard Eschelbeck protects his privacy and fights cyber criminals
\n* Putting the ‘Secs’ into DevOps
\n* A Cultural Change: It\u2019s Time to Become a Human Firewall<\/p>\n
Cybersecurity\u200b has started fighting back against hackers
\nLawyers and information security experts \u2014 among them Stewart Baker, a Washington-based partner of Steptoe & Johnson and a former National Security Agency general counsel \u2014 say the private sector needs leeway to take some matters into its own hands.
\nBut direct attacks, or even a retaliatory \u201chacking back,\u201d are illegal under the Computer Fraud and Abuse Act of 1986.
\nAnd vigilante justice, if not universally repugnant, doesn\u2019t make for good diplomacy.
\nOne recommendation of \u201cAn American Strategy for Cyberspace,\u201d a paper published in June by the American Enterprise Institute, is to \u201cempower the private sector to more effectively defend itself\u201d and explore the feasibility of such tactics as turning aside incoming attacks, improving information sharing with government agencies and corporate peers and retrieving stolen information.
\nIt added that \u201cthe U.S. should consider reforming the Computer Fraud and Abuse Act to clarify and perhaps in limited ways expand private companies\u2019 ability to engage in active defense.\u201d
\n\u201cOrganizations today require a dynamic solution that hunts for adversaries in real time and eliminates them,\u201d Vikram Desai, security lead of Accenture Analytics has said.
\nIn March the firm announced an alliance with and strategic investment in Endgame, a cybersecurity company that says its systems \u201callow organizations to move from being the hunted to being the hunter.\u201d
\nLink: http:\/\/paulgdavis.us3.list-manage2.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=a530eb8edf&e=20056c7556<\/p>\n
Almost One-Third of Cyber Security Professionals Surveyed Admit to Compromising Ethics to Pass Audits
\n\/EINPresswire.com\/ — OVERLAND PARK, KS — (Marketwired) — 06\/30\/16 — A study carried out by security management vendor FireMon at this month’s Infosecurity Europe in London has given brutally honest insight into the immense pressure cyber security professionals are under to carry out their jobs and meet outside regulations.
\nA staggering 28% admitted to compromising their ethics to pass audits, a figure that is up 6% from five years ago when the same question was posed in a similar survey.
\nThis is likely due to growing network complexity and all of the disparate technology, security and otherwise, used to keep cyber criminals at bay.
\nWhen asked if they felt that they spend most of their day fire-fighting rather than doing meaningful security work, 51% of the IT security professionals surveyed agreed.
\nA further 56% admitted they had added a product purely to meet compliance regulations, even though they knew it offered no other business benefit.
\nWhen it comes to demands from the business side, 52% of IT security pros admitted to adding access that they know had decreased their organization’s security posture.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=6589421ed2&e=20056c7556<\/p>\n
Not using Adobe’s PDF reader doesn’t mean you’re avoiding PDF malware
\nThreatPost has the details about the vulnerabilities found in builds 7.3.4.311 and earlier of Foxit Reader and Foxit PhantomPDF…
\nTo exploit the vulnerabilities an attacker could use an image file \u2013 either a BMP, TIFF, GIF, or JPEG image \u2013 to trigger a read memory past the end of an allocated buffer, or object.
\nFrom there, depending on the vulnerability, an attacker could either leverage the vulnerability as is, or use it in conjunction with other vulnerabilities to “execute code in the context of the current process.”
\nIn other words, an attacker could simply send you a boobytrapped PDF file and if you happened to open it in Foxit’s PDF reader – kaboom!
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=1041042e27&e=20056c7556<\/p>\n
Microsoft Boosts Security in Windows 10 Anniversary Update
\nWhen the Windows 10 Anniversary Update arrives Aug 2, it will include several new security features that are designed to protect data belonging to both consumers and enterprises.
\nAmong them is an expansion of Windows Hello’s biometric user authentication capabilities.
\nAlso next month, the update will move Windows Hello’s biometrics components and user biometric data into SystemContainer, a hardened environment reserved for the most sensitive parts of the Windows operating system.
\nSystemContainer employs Virtualization Based Security (VBS), creating a secure environment by using a processor’s virtualization extensions to isolate running processes.
\nAn improved Windows Defender is on deck, said Lefferts, along with Windows Defender Advanced Threat Protection.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=a8e3e478b3&e=20056c7556<\/p>\n
Are You Prepared to Handle the Cost of a Data Breach?
\nCyberattacks in the Asia-Pacific region are rising at a particularly high rate.
\nIs your defense in place.
\nThe Ponemon Institute\u2019s \u201c2016 Cost of Data Breach Study: Global Analysis,\u201d which was sponsored by IBM, answers these questions and many more.
\nIt is fascinating to see findings of the global data breach report.
\nSome key takeaways included:
\n* Health care experienced the most expensive per-record cost of a data breach compared to other industries at $355 per record.
\n* About 48 percent of data breaches were caused by malicious attacks from people both inside and outside of the organization.
\n* Nearly 25 percent of breaches were associated with human error.
\n* The single biggest factor in reducing the cost of a data breach was having an incident response team in place, which decreased the cost by nearly $400,000.<\/p>\n
Analyzing the costs with which these Asia-Pacific organizations were faced led to some interesting findings:
\n* The cost of a data breach is steadily increasing. In India, the average total cost of a data breach increased from 88.5 million Indian rupees in 2015 to 97.3 million rupees in 2016 \u2014 a 10 percent spike.
\n* Australia, however, bucked the trend, with the cost of data breach falling marginally from $2.8 million in 2015 to $2.6 million in 2016
\n* ertain industries have higher breach costs In India, financial institutions, services, and industrial and technology companies had a per-capita cost well above the mean.
\n* Malicious or criminal attacks were the primary root causes of data breaches.
\n* More than 41 percent of companies experienced a data breach as the result of malicious or criminal attacks.
\n* Industries with higher breach costs are more vulnerable to churn.
\n* There is a silver lining: Steps can be taken to reduce the cost of a data breach.<\/p>\n
Here are the top five factors that can help decrease the cost:
\n– Having an incident response team;
\n– Extensive use of encryption;
\n– Participation in threat sharing;
\n– Employee security awareness and training; and
\n– Appointing a CISO.
\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=6640a4ae49&e=20056c7556<\/p>\n
Top 10 tech for information security in 2016
\n“Information security teams and infrastructure must adapt to support emerging digital business requirements, and simultaneously deal with the increasingly advanced threat environment,” said Neil MacDonald, VP and Gartner Fellow Emeritus.
\nGartner identified the top 10 technologies for information security and their implications for security organizations in 2016.
\nFirst, Cloud Access Security Brokers, which provide information security professionals with a critical control point for the secure and compliant use of cloud services across multiple cloud providers.
\necond, Endpoint Detection and Response (EDR) solutions, which are expanding quickly in response to the need for more effective endpoint protection and the emerging imperative to detect potential breaches and react faster.
\nThird, Nonsignature Approaches for Endpoint Prevention, which augment traditional signature-based approaches, including memory protection and exploit prevention that prevent the common ways that malware gets onto systems, and machine learning-based malware prevention using mathematical models as an alternative to signatures for malware identification and blocking.
\nFourth, User and Entity Behavioral Analytics that enable broad-scope security analytics, much like security information and event management (SIEM) enables broad-scope security monitoring.
\nFifth, Microsegmentation and Flow Visibility, to address the problem of attackers gaining a foothold in enterprise systems, following which they typically can move unimpeded laterally (“east\/west”) to other systems.
\nSixth, Security Testing for DevOps (DevSecOps).
\nSeventh, Intelligence-Driven Security Operations Center Orchestration Solutions that are built for intelligence, and used to inform every aspect of security operations.
\nEighth, Remote Browser to address most attacks that start by targeting end-users with malware delivered via email, URLs or malicious websites.
\nNinth, Deception technologies that are defined by the use of deceits and\/or tricks designed to thwart, or throw off, an attacker’s cognitive processes, disrupt an attacker’s automation tools, delay an attacker’s activities or disrupt breach progression.
\nAnd tenth, Pervasive Trust Services that are designed to scale and support the needs of billions of devices, many with limited processing capability.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=0bd7572450&e=20056c7556<\/p>\n
Cloud Adopters Balancing Cost Savings, Security
\nCloud security vendors are betting that more enterprises are looking to outsource their security operations just as they have turned over management of parts of their IT infrastructure to public cloud suppliers.
\nA new study released this week by a cloud security-as-a-service vendor finds that about half of those surveyed are investing more in security operations after adopting cloud computing.
\nA separate survey also released this week concludes that IT managers are still struggling with the tradeoffs between cost savings and security concerns as they shift to the cloud.
\nThat tension is among the reasons why more enterprises are embracing hybrid cloud infrastructure.
\nAmong the reasons for outsourcing security operations is the difficulty of recruiting cloud security experts along with a shortage of technical resources needed to run an in-house security operations center, the company argues.
\nA hefty 79 percent of respondents responsible for cloud security said they welcome outside help in running cloud security operations.
\nThe Forrester survey also found that IT administrators are turning to outside help for capabilities like threat intelligence analysis (83 percent) as they seek to develop real-time threat detection capabilities.
\nAlso cited were assistance for securing public clouds (80 percent), overall security operations (77 percent), network security along with data privacy and regulatory compliance (both 76 percent).
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=d1ff9d5ad2&e=20056c7556<\/p>\n
The transportation industry is increasingly being targeted by hackers
\nThe report, Security Trends in the Transportation Industry, published by IBM this week confirms that cybercriminals are targeting the systems used in the industry, this means that trains, planes, and automobiles are under incessant attacks.
\n\u201cAccording to the 2015 version of the \u201cTransportation Systems Sector-Specific Plan,\u201d the transportation sector is increasingly vulnerable to cyberthreats as a result of \u201cthe growing reliance on cyber-based control, navigation, tracking, positioning and communications systems, as well as the ease with which malicious actors can exploit cyber systems serving transportation.\u201d\u201d states the analysis published by IBM.
\nGiving a close look to the techniques adopted by attackers we note that denial of service attacks and malicious attachments and links accounted for over 44 percent of the attacks targeting organization in the sector between March 1, 2015 and May 15, 2016.
\nGiving a close look to the techniques adopted by attackers we note that denial of service attacks and malicious attachments and links accounted for over 44 percent of the attacks targeting organization in the sector between March 1, 2015 and May 15, 2016.
\nIBM experts also warn about terrorism the threat, sabotage and the theft of data that could be used in terrorist attacks remain main concerns of the experts.
\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=9b64fab3d7&e=20056c7556<\/p>\n
Only 29% of organisations have a cyber-security expert in their IT dept
\nSpiceworks polled more than 600 IT professionals in the UK and US to see if they’re adequately countering the rapidly growing levels of cyber-attacks.
\nIt was found that 29 percent of organisations have a cyber-security expert working in the IT department, and only seven percent have an expert in another department or on the executive team.
\nAlmost a quarter (23 percent) of organisations pay outside security experts to help protect their environments and fill the knowledge gap.
\nA concerning 55 percent of organisations don’t have regular access to any IT security experts at all, internal or third-party.
\nCyber-security is a priority for 73 percent of CIOs and senior IT leaders, followed by 56 percent of CTOs and 54 percent of CEOs.
\nLess than 50 percent said cyber-security is a priority for their CFO, COO or CMO.
\nYet most organisations (80 percent) experienced at least one security incident last year.
\nMore than 80 percent of IT pros are confident in their ability to respond to cyber-attacks on laptops, desktops and servers.
\nThey are also relatively certain that they are capable of securing and protecting storage devices and networking hardware (72 percent).
\nThey are less confident in their ability to respond to cyber-attacks on tablets (58 percent), smartphones (52 percent), cloud services (44 percent) and IoT devices (36 percent).
\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=99c47f2627&e=20056c7556<\/p>\n
Email Compliance: Act Now, Save Millions – Information Governance Report is a Call to Action
\nOn 17 May 2016, harmon.ie in collaboration with Gimmal issued a survey report entitled “The One Email You Can\u2019t Ignore: The Risks and Business Impact of Failing to Treat Emails as Records” (“Report”).
\nThis Report provides insight into the key challenges that businesses face in managing email records.
\nThe findings are based on feedback from over one hundred information governance leaders from different industries.
\nEmail Records: Classification and Legal Considerations
\nIn determining whether an incoming or outgoing email is a business record, the following should be considered:
\n– Is there a legal obligation to retain the email?
\n– Is there any evidentiary reason to retain a email (i.e. possible audit, investigation, litigation)?
\n– Does the email form part of a contract, transaction or business decision?
\nNon-compliant businesses expose themselves to potential financial loss, legal risks, and loss of reputation.
\nAccording to the Report, nearly a quarter of information governance specialists indicated that their organizations experienced the negative impact of litigation, potential litigation or regulatory sanctions due to an inability to produce relevant records.
\nIn 2015, Scottrade was fined US $2.6 million because it was unable to produce important emails for audit purposes.
\nAdditionally, nearly one-third of information governance specialists forecasted financial risk for their organizations at US $5 million and over a half indicated US $1 million for email records non-compliance.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=fdb26f3e99&e=20056c7556<\/p>\n
Why Companies Should Consider Data-Centric Security
\nDuring my trip to the Enfuse 2016 conference in May, I had a conversation with Paul Shomo, senior technical manager, Strategic Partnerships with Guidance Software.
\nOne of the things we talked about was the importance of companies taking a more data-centric approach to information security.
\nWhen we think about breaches, Shomo explained, malware and how it breaks through the network is what often comes to mind.
\nTo that end, social engineering is the primary tool for injecting malware.
\nHackers rely on the vulnerabilities of humans and software systems to break through the perimeter quickly, which gives them the ability to move around the network with ease.
\nShomo also believes that we don\u2019t pay enough attention to data-centric concerns, like where to find the data and how many endpoints have access to it.
\nAll endpoints tend to be treated exactly the same and this creates security risks.
\nToo many information security professionals can\u2019t tell you where sensitive data is stored or accessed, and that is often caused by organizational separations, where different departments are communicating with each other.
\nShomo admits that data-centric security can be tricky because it involves the coordination between so many departments and there will always be privacy and legal issues to take into consideration.
\nKnowing where data is stored is the first step.
\nThe second step is figuring out how to share all this information with security professionals.
\nThey may only have bits and pieces of information about the data, including the endpoints where it is accessed and who has access.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=dd361c1e6d&e=20056c7556<\/p>\n
How Google’s head of cybersecurity Gerhard Eschelbeck protects his privacy and fights cyber criminals
\nMr Eschelbeck, who leads a 600-strong team that protects users from hackers, spammers and spies, says the most critical step for everyone to take is to stay on top of software updates.
\n“The biggest compromises that have happened over the past six to nine months often happened in an un-patched device that had a security vulnerability, and the patches weren’t applied fast enough,” he told Fairfax Media.
\nSince taking the reins in 2014, Mr Eschelbeck says he’s most proud of developing the Security Key, a slim USB device a user inserts into a port to log into Google’s sites such as Gmail as part of two-factor authentication.
\nHe said passwords were the “weakest link” in online security and hopes to see the Security Key go mainstream in the next three years.
\nHe said Facebook boss Mark Zuckerberg’s extra layer of security – he was caught last week with his laptop’s webcam and microphone covered with tape – wasn’t necessary, at least for him.
\n“I don’t do that.
\nIt depends on personal choice and preference, but I don’t feel it’s necessary [because of the other precautions I take],” he said.
\nSo how does Mr Eschelbeck, whose official title is Vice president of security and privacy engineering, protect his privacy.
\nThere are three practices he “religiously” follows.
\n1) He never misses a security patch
\n2) He has strong and unique passwords
\n3) He uses a Security Key
\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=97405dc43e&e=20056c7556<\/p>\n
Putting the ‘Secs’ into DevOps
\nMatthew Pendlebury, a senior security consultant at MWR InfoSecurity thinks that there\u2019s not enough Sec (security) in DevOps.
\nIndeed, he feels there\u2019s a pressing need for DevOps to become DevSecOps\u2026 or at least for DevOps to gain a better grasp of Sec.<\/p>\n
\u201cSoftware security activities are spread throughout the development lifecycle and this is no different with DevOps.
\nSecurity starts as a set of requirements that need to be satisfied and in many cases these can be tested by code.
\nDevOps has a strong focus on using CI\/CD for performing testing and validation activities.
\nThis compressed lifecycle leaves little time in for conventional manual testing of routine deployments, for either quality or security purposes, so testing is heavily automated,\u201d asserts Pendlebury.<\/p>\n
Pendlebury continues, \u201cAutomated security testing is an effective approach to accelerate development, however it is not a silver bullet, and security still needs to be considered throughout the software lifecycle.
\nIt still holds that the earlier that a security problem is recognised, the quicker and cheaper it is to remedy.
\nIn DevOps teams as well as conventional development models the usual approaches to this are to educate developers about the security domain, give them techniques they can use such as threat modelling and embed knowledgeable security champions into teams to provide depth.\u201d
\n\u201cThere is already a growing movement called DevSecOps which seeks to push the agenda of security in a developer operations environment.
\nIt may be that the more established DevOps term gradually absorbs security considerations, indeed vendors such as Puppet are actively pushing this.
\nWhichever term dominates, pushing security into DevOps processes is clearly the future,\u201d he concludes.
\nLink: http:\/\/paulgdavis.us3.list-manage2.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=25dc69b270&e=20056c7556<\/p>\n
A Cultural Change: It\u2019s Time to Become a Human Firewall
\nA good first step in becoming a human firewall is thinking differently about technology by shifting your thinking to \u201cdistrust\u201d the technology that you use instead of inherently trusting it.
\nAn example is the \u201cCloud\u201d \u2013 so many companies and individuals are using Cloud services, such as iCloud, Dropbox, Google Drive, etc., and many users are unaware of what the cloud is let alone differences in services.
\nSeveral companies offer Cloud based services pre-installed on many machines we use every day; despite the ease of use, users are not required to use this technology.
\nA next step is to always think \u201cSecurity-First\u201d when using any technology.
\nFirst, understand the purpose of the technology you want to use.
\nIs it \u201cnecessary\u201d to use it?
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=5c3816af35&e=20056c7556<\/p>\n
============================================================
\nFeedback, questions? Our mailing address is: dailynews@paulgdavis.com (mailto:dailynews@paulgdavis.com)<\/p>\n
If you know someone else who would be interested in this Newsalert, please forwarded this email.
\nIf you want to be added to the distribution list, please click this: Subscribe to this list (http:\/\/paulgdavis.us3.list-manage.com\/subscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a)<\/p>\n
Unsubscribe from this list (http:\/\/paulgdavis.us3.list-manage.com\/unsubscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556&c=387a502aa6)<\/p>\n
Update subscription preferences (http:\/\/paulgdavis.us3.list-manage.com\/profile?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556)<\/p>\n","protected":false},"excerpt":{"rendered":"
[From the desk of Paul Davis – his opinions and no-one else’s, apart from the reporter’s opinions ] * Cybersecurity\u200b has started fighting back against hackers * Almost One-Third of Cyber Security Professionals Surveyed Admit to Compromising Ethics to Pass Audits * Not using Adobe’s PDF reader doesn’t mean you’re…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[29],"tags":[],"class_list":["post-1244","post","type-post","status-publish","format-standard","hentry","category-news"],"_links":{"self":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1244","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=1244"}],"version-history":[{"count":1,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1244\/revisions"}],"predecessor-version":[{"id":3731,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1244\/revisions\/3731"}],"wp:attachment":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=1244"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=1244"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/tags?post=1244"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}