{"id":1245,"date":"2016-09-11T00:00:00","date_gmt":"2016-09-11T00:00:00","guid":{"rendered":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/2016\/09\/11\/fromreply-totodatemessage-idlist-idlist-unsubscribesendercontent-typemime-version-imail3dpaulgdavis-commail167-atl171-mcdlv-net\/"},"modified":"2021-12-30T11:39:01","modified_gmt":"2021-12-30T11:39:01","slug":"fromreply-totodatemessage-idlist-idlist-unsubscribesendercontent-typemime-version-imail3dpaulgdavis-commail167-atl171-mcdlv-net","status":"publish","type":"post","link":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/2016\/09\/11\/fromreply-totodatemessage-idlist-idlist-unsubscribesendercontent-typemime-version-imail3dpaulgdavis-commail167-atl171-mcdlv-net\/","title":{"rendered":"From:Reply-To:To:Date:Message-ID:List-ID:List-Unsubscribe:Sender:Content-Type:MIME-Version; i=mail=3Dpaulgdavis.com@mail167.atl171.mcdlv.net;"},"content":{"rendered":"<p>[From the desk of Paul Davis &#8211; his opinions and no-one else&#8217;s,  apart from the reporter&#8217;s opinions ]<\/p>\n<p>* Commission boosts cybersecurity industry and steps up efforts to tackle cyber-threats<br \/>\n* Endpoint and Network Security: The rise of \u201cDefense in Depth\u201d<br \/>\n* EU to invest \u20ac450 million in cybersecurity partnership fund<br \/>\n* The Information Security Leader, Part 1: Two Distinct Roles, Four Fundamental Questions and Three Persistent Challenges<br \/>\n* Password Sharing Is a Federal Crime, Appeals Court Rules<br \/>\n* French internet security report urges use of best practice<br \/>\n* Meeting the cyberchallenge<br \/>\n* BT : Industrialisation Of Cybercrime Is Disrupting Digital Enterprises<br \/>\n* Brian Krebs at TMG Executive Summit: Financial institutions have to empower security leaders<br \/>\n* Microsoft Cybersecurity Advocates for Coordinated Norms<\/p>\n<p>Commission boosts cybersecurity industry and steps up efforts to tackle cyber-threats<br \/>\nSince the adoption of the EU 
Cybersecurity Strategy in 2013, the European Commission has stepped up its efforts to better protect Europeans online.<br \/>\nIt has adopted a set of legislative proposals, in particular on network and information security, earmarked more than \u20ac600 million of EU investment for research and innovation in cybersecurity projects during the 2014-2020 period, and fostered cybersecurity cooperation within the EU and with partners on the global stage.<br \/>\nBut more work is needed to address the increasing number and complexity of cyber-threats.<br \/>\nThis is why the Commission proposes today a series of measures to reinforce cooperation to secure Europe&#8217;s digital economy and society, and to help develop innovative and secure technologies, products and services throughout the EU.<br \/>\nThe Commission has proposed an action plan to further strengthen Europe\u2019s cyber resilience and its cybersecurity industry.<br \/>\nThis includes measures to:<br \/>\n&#8211; Step up cooperation across Europe<br \/>\n&#8211; Support the emerging single market for cybersecurity products and services in the EU<br \/>\n&#8211; Establish a contractual public-private partnership (PPP) with industry<br \/>\nThe EU Cybersecurity Strategy and the forthcoming NIS Directive already lay the groundwork for improved EU-level cooperation and cyber resilience.<br \/>\nThe forthcoming NIS Directive establishes two coordination mechanisms:<br \/>\n&#8211; the Cooperation Group, which supports strategic cooperation and exchange of relevant information related to cyber incidents among Member States, and<br \/>\n&#8211; the Network of Computer Security Incident Response Teams (the so-called CSIRT network), which promotes swift and effective operational cooperation on specific cybersecurity incidents and sharing of information about risks.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=9823d928fe&#038;e=20056c7556<\/p>\n<p>Endpoint and Network 
Security: The rise of \u201cDefense in Depth\u201d<br \/>\nWhile there is an important place for network security, the simple fact that no system will ever be 100% secure highlights the need for additional layers of security.<br \/>\nOften network security solutions are trying to filter dangerous content from reaching vulnerable endpoints, but isn\u2019t it better if we can make the endpoints less vulnerable?<br \/>\nWith this in mind, the best strategy is to build security from the endpoint out &#8211; reducing the attack surface and building defendable infrastructure.<br \/>\nWhile network-based security solutions can attempt to block threats before they hit the endpoint, the major problem with this approach is that companies that rely heavily on network security end up with an \u201ceggshell\u201d security stance \u2013 whereby a system is reliant on a single outer shell to protect all of the organization\u2019s data.<br \/>\nThe main difficulty faced by detection solutions is the impossible trade-off between security and usability.<br \/>\nNamely, all threats need to be deeply analyzed, but security teams simply cannot make employees wait while they address these issues, which would reduce productivity and staff morale.<br \/>\nIntel Security found that more than 30% of organizations disable network-based security features for this exact reason.<br \/>\nMalware authors know this, and therefore will create attacks that simply lie dormant for a period of time to bypass the network sandbox.<br \/>\nThis has caused malware to evolve new methods of avoiding network security products, including:<br \/>\n\u2022 Delayed onset<br \/>\n\u2022 Detecting a virtualized environment<br \/>\n\u2022 Checking the number of CPU cores (a network sandbox usually only presents one)<br \/>\n\u2022 Checking if the user is real (monitoring mouse movement, etc.)<br \/>\n\u2022 Exploiting the virtual environment to escape<br \/>\nThe most effective way to complement a strong network 
defense is by reducing the attack surface of the endpoint.<br \/>\n1- Removing administrator privileges<br \/>\n2- Application whitelisting<br \/>\n3- Sandboxing<br \/>\nA bank doesn\u2019t leave the vault door open just because they have a security guard on the door \u2013 they start from the vault and layer security outward.<br \/>\nIf the endpoint isn\u2019t secure, and security admins do not ensure that both systems work in tandem, companies simply risk losing data, intellectual property, resources, money and invaluably, trust \u2013 in other words, everything.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=519219ad99&#038;e=20056c7556<\/p>\n<p>EU to invest \u20ac450 million in cybersecurity partnership fund<br \/>\nThe Commission said that it will invest an initial \u20ac450 million in the partnership and expects organisations including national, regional and local government bodies, research centres and academia to invest three times as much.<br \/>\nThe partnership will bring companies together for research into cybersecurity solutions for different sectors including energy, health, transport and finance, the Commission said.<br \/>\nThe Commission will encourage EU countries to make use of cooperation mechanisms which will be established under the new Network and Information Security (NIS) Directive, which is expected to be adopted by the European Parliament this week.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=4d3404a93b&#038;e=20056c7556<\/p>\n<p>The Information Security Leader, Part 1: Two Distinct Roles, Four Fundamental Questions and Three Persistent Challenges<br \/>\nThis kernel of wisdom comes from a certain high-tech headhunter in the late 1980s, who passed it on as she was helping her candidates prepare for their next job.<br \/>\nTwenty years later, it showed up again in \u201cWhat Got You Here Won\u2019t Get You There,\u201d a 
best-selling business book by Marshall Goldsmith.<br \/>\nTwo Distinct Roles<br \/>\nAs recommended in a strategy map for security leaders, successful next-generation CISOs should strive for their information security teams to be perceived by key stakeholders as being strong in both of two distinct roles:<br \/>\n&#8211; Subject matter experts<br \/>\n&#8211; Trusted advisers<br \/>\nFour Fundamental Questions<br \/>\n1) What\u2019s the risk?<br \/>\n2) What\u2019s the annualized risk in the specific context?<br \/>\n3) How does an incremental investment quantifiably reduce risk?<br \/>\n4) How does one investment compare to another?<br \/>\nThree Persistent Challenges<br \/>\n1) A language challenge<br \/>\n2) A measurement challenge<br \/>\n3) A communications challenge<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=d1434f054a&#038;e=20056c7556<\/p>\n<p>Password Sharing Is a Federal Crime, Appeals Court Rules<br \/>\nOne of the nation\u2019s most powerful appeals courts ruled Wednesday that sharing passwords can be a violation of the Computer Fraud and Abuse Act, a catch-all \u201chacking\u201d law that has been widely used to prosecute behavior that bears no resemblance to hacking.<br \/>\nIn this particular instance, the conviction of David Nosal, a former employee of the Korn\/Ferry International research firm, was upheld by the Ninth Circuit Court of Appeals, which said that Nosal\u2019s use of a former coworker\u2019s password to access one of the firm\u2019s databases was an \u201cunauthorized\u201d use of a computer system under the CFAA.<br \/>\nAt issue is language in the CFAA that makes it illegal to access a computer system \u201cwithout authorization.\u201d McKeown said that \u201cwithout authorization\u201d is \u201can unambiguous, non-technical term that, given its plain and ordinary meaning, means accessing a protected computer without permission.\u201d The question that legal scholars, groups such 
as the Electronic Frontier Foundation, and dissenting judge Stephen Reinhardt ask is an important one: Authorization from whom?<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=ffdc867375&#038;e=20056c7556<\/p>\n<p>French internet security report urges use of best practice<br \/>\nAn official report on internet security in France has urged all players in the sector to follow best practice recommendations for the BGP, DNS and TLS security protocols.<br \/>\nThe Resilience of the French Internet report also encouraged all those in the sector to prepare themselves against the distributed denial-of-service (DDoS) attacks that have been behind some of the higher-profile failures of internet services.<br \/>\nThe 2015 report, the fifth of its kind, made the following principal recommendations: monitor prefix advertisements, and be prepared to react in case of hijacking; use protocols that support forward secrecy and discontinue the increasingly vulnerable SSLv2 protocol and SHA-1 algorithm; diversify the number of SMTP and DNS servers in order to improve the robustness of the infrastructure; apply best practices to limit the effects of failures and operational errors; and pursue the deployment of IPv6, DNSSEC and RPKI to help develop skills and to anticipate possible operational problems.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=275d75f75f&#038;e=20056c7556<\/p>\n<p>Meeting the cyberchallenge<br \/>\nEach year, the United States falls farther behind in educating K-12 students in science, technology, engineering and math (STEM).<br \/>\nIt falls behind in teaching the next generation of technology workers for American companies.<br \/>\nAnd it falls behind in instructing cybersecurity professionals who will help protect our country.<br \/>\nThis deficiency puts our national security at greater risk.<br \/>\nAfter years of analyzing this challenge, it\u2019s now 
time for the federal government to act and help address this vulnerability.<br \/>\nCongress should invest in the future by providing adequate resources for K-12 computer science education for the next fiscal year, especially in this transition period between presidential administrations.<br \/>\nIn addition, at a time of increasing cyberthreats and greater complexity in cyberwarfare, the nation also needs skilled cybersecurity.<br \/>\nWe now require individuals who can design weapons to support U.S. warfighters and provide cyberdefense for our country\u2019s assets.<br \/>\nOur cyberstrength relative to that of our nation\u2019s adversaries is too vital to ignore.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=1350a4e35d&#038;e=20056c7556<\/p>\n<p>BT : Industrialisation Of Cybercrime Is Disrupting Digital Enterprises<br \/>\nDALLAS, July 5, 2016 \/PRNewswire\/ &#8212; Only a fifth of IT decision makers in large multinational corporations are confident that their organisation is fully prepared against the threat of cyber-criminals.<br \/>\nThe vast majority of companies feel constrained by regulation, available resources and a dependence on third parties when responding to attacks, according to new research from BT and KPMG.<br \/>\nThe report, Taking the Offensive &#8211; Working together to disrupt digital crime finds that, while 94 per cent of IT decision makers are aware that criminal entrepreneurs are blackmailing and bribing employees to gain access to organisations, roughly half (47 per cent) admit that they don&#8217;t have a strategy in place to prevent it.<br \/>\nThe report also finds that 97 per cent of respondents experienced a cyber-attack, with half of them reporting an increase in the last two years.<br \/>\nAt the same time, 91 per cent of respondents believe they face obstacles in defending against digital attack, with many citing regulatory obstacles, and 44 per cent being concerned about 
the dependence on third parties for aspects of their response.<br \/>\nMark Hughes, CEO Security, BT, said: &#8220;The industry is now in an arms race with professional criminal gangs and state entities with sophisticated tradecraft.<br \/>\nThe twenty-first century cyber criminal is a ruthless and efficient entrepreneur, supported by a highly developed and rapidly evolving black market.&#8221;<br \/>\nThe BT-KPMG report shows that Chief Digital Risk Officers (CDROs) are now being appointed to hold strategic roles which combine digital expertise with high-level management skills.<br \/>\nWith 26 per cent of respondents confirming that a CDRO has already been appointed, the report&#8217;s data suggests that the security role and accountability for it is being re-examined.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=8827529093&#038;e=20056c7556<\/p>\n<p>Brian Krebs at TMG Executive Summit: Financial institutions have to empower security leaders<br \/>\nDES MOINES, IA (July 7, 2016) \u2014 TMG Executive Summit keynote speaker Brian Krebs told a room full of credit union and community bank leaders that layers of technology are not enough to stop a data breach.<br \/>\nInstead, the investigative reporter insisted, security is only as effective as the people managing it for you.<br \/>\n\u201cOrganizations buy into the idea that doing security right is layering on the right mix of technology software and services, and that this magic combination will block 99 percent of attacks,\u201d said Krebs, mastermind behind the popular Krebs on Security blog. 
\u201cIt\u2019s just not true.<br \/>\nIt\u2019s very expensive to do security right, and that\u2019s partly because the actual security of your organization comes from security specialists.\u201d<br \/>\nIt\u2019s not uncommon, Krebs said, for an organization to look at its event logs for the first time after someone like him gives them a call.<br \/>\nHe devotes a lot of energy to breach notification.<br \/>\nComparing the experience of being notified of a breach to the five stages of grief, Krebs says the people he notifies are almost always in denial. \u201cThose with a high degree of security maturity skip through the first stages and go straight to depression,\u201d Krebs said to a roomful of nervous laughter.<br \/>\nPhishing, he said, is becoming increasingly sophisticated, even though some cybersecurity experts talk about it as a solved problem.<br \/>\nOver a span of three weeks, Krebs notified several different companies of phishing threats facing their C-suites.<br \/>\nHe had seen actual communications spoofing CEO email addresses on the dark web.<br \/>\nNo one from any of these vulnerable organizations returned his calls.<br \/>\nKrebs concluded his hour-long talk by coming back to his point about the importance of human security leadership.<br \/>\nThe head of security, Krebs advised, should always report to the COO, CEO or the board of directors.<br \/>\nOrganizations with what he calls a high degree of security maturity have created separation between IT and security: \u201cThe surest way to deny your security people any say is to have them report to the head of IT.\u201d<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=d1029393bc&#038;e=20056c7556<\/p>\n<p>Microsoft Cybersecurity Advocates for Coordinated Norms<br \/>\nMicrosoft wants new standards for the cybersecurity world, a vision proposed in its recently published paper \u201cFrom Articulation to Implementation: Enabling Progress on 
Cybersecurity Norms.\u201d<br \/>\nOverall, the Microsoft cybersecurity viewpoint emphasizes the need for a consensus across the industry.<br \/>\nSpecifically, the company wants to establish norms regarding the effective disclosure of security issues as well as methods to deal with the attribution of hostile acts directed at software.<br \/>\nWhat Microsoft wants is a \u201ccoordinated disclosure\u201d approach.<br \/>\nThis is a variant of responsible disclosure that also allows disclosure to computer emergency response teams (CERTs) along with the vendor.<br \/>\nThe company believes that public disclosure should only happen after a patch has been issued and believes this should be the new cybersecurity norm.<br \/>\nBut Juan Andres Guerrero-Saade, a senior security researcher at Kaspersky Lab, may have identified a problem with trying to establish any norms.<br \/>\nHe told SecurityWeek that \u201cthe whole concept of norms assumes that they relate to some homogeneous body guided by the same basic principles.<br \/>\nThat clearly isn\u2019t so in cyberspace.\u201d<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=accd74d5c5&#038;e=20056c7556<\/p>\n<p>============================================================<br \/>\nFeedback, questions? 
Our mailing address is: dailynews@paulgdavis.com (mailto:dailynews@paulgdavis.com)<\/p>\n<p>If you know someone else who would be interested in this Newsalert, please forward this email.<br \/>\nIf you want to be added to the distribution list, please click this: Subscribe to this list (http:\/\/paulgdavis.us3.list-manage.com\/subscribe?u=45bf3caf699abf9904ddc00e3&#038;id=e09452545a)<\/p>\n<p> Unsubscribe from this list (http:\/\/paulgdavis.us3.list-manage.com\/unsubscribe?u=45bf3caf699abf9904ddc00e3&#038;id=e09452545a&#038;e=20056c7556&#038;c=f9e771096e)<\/p>\n<p> Update subscription preferences (http:\/\/paulgdavis.us3.list-manage.com\/profile?u=45bf3caf699abf9904ddc00e3&#038;id=e09452545a&#038;e=20056c7556)<\/p>\n","protected":false},"excerpt":{"rendered":"<p>[From the desk of Paul Davis &#8211; his opinions and no-one else&#8217;s, apart from the reporter&#8217;s opinions ] * Commission boosts cybersecurity industry and steps up efforts to tackle cyber-threats * Endpoint and Network Security: The rise of \u201cDefense in Depth\u201d * EU to invest \u20ac450 million in cybersecurity 
partnership&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[29],"tags":[],"class_list":["post-1245","post","type-post","status-publish","format-standard","hentry","category-news"],"_links":{"self":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1245","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=1245"}],"version-history":[{"count":1,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1245\/revisions"}],"predecessor-version":[{"id":3732,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1245\/revisions\/3732"}],"wp:attachment":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=1245"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=1245"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/tags?post=1245"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}