[From the desk of Paul G Davis – his opinion and no-one else’s, apart from those of the authors of the articles.]
\nAnd so, now the news<\/p>\n
* 10 Tips On Keeping Your Mobile Device Safe While Traveling
\n* 6 security advances worth celebrating
\n* Why We Should Score Data Breaches
\n* Axing Boss Is Data Breach Response Last Resort
\n* CounterTack’s Mike Davis Highlights Cybersecurity Trends
\n* Cognitive Risk Framework for Cybersecurity, Part 2
\n* Closing the insider threat loop with authority
\n* Kaspersky Lab Survey Reveals the Financial Impact of the IT Security Talent Shortage
\n* AWS allows enterprises to bring their encryption keys<\/p>\n
10 Tips On Keeping Your Mobile Device Safe While Traveling
\n1) Lock your mobile device with a strong password or use biometric protection
\n2) Keep your software updated
\n3) Due diligence on Apps
\n4) Set up a PIN
\n5) Disable Bluetooth for pairing devices
\n6) Beware of faux towers
\n7) Turn off Wifi
\n8) Turn on Find My Phone and remote wiping
\n9) Turn off location tracking
\n10) Turn off cookies and autofill
\nLast words of advice: Do pack a good and secure roaming SIM for your travels.
\nForbesfone not only ensures safe mobile connections, but also offers the lowest roaming rates worldwide.
\nAdd the fact that it covers more than 200 destinations, and you have yourself a proper Swiss Army knife for your mobile needs.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=89bcfa6e3b&e=20056c7556<\/p>\n
6 security advances worth celebrating
\nSecurity is slowly moving in the right direction.
\nWe have lots to be thankful for.
\n1) Broad solutions versus whack-a-mole
\n2)Faster patching
\n3) More default encryption
\n4) Least-privilege religion
\n5) More bounties
\n6) Stronger authentication
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=55b7dca863&e=20056c7556<\/p>\n
Why We Should Score Data Breaches
\nThe Anthem breach (announced early in 2015) affected about 80 million Americans and remains the largest data breach (so far) in healthcare.
\nAs a company, however, Anthem lost no revenue or profits, their stock price wasn\u2019t affected and they lost no customers.
\nWhatever the cost was to Anthem\u2013like most organizations in healthcare\u2013it\u2019s relatively easy to simply pass any financial liability on to all of us in the form of higher premiums.
\nThe message that sends to the industry is crystal clear.
\nThere\u2019s very little financial consequence to data breaches in healthcare.
\nI was meeting with Jeff Williams at Black Hat when I saw the headline announcing the breach at Banner Health, and I asked him for his thoughts.<\/p>\n
We\u2019re a country obsessed with metrics, but breach disclosures are almost always a lawyerly exercise in obfuscation and misdirection.
\nSome types of breaches require \u201cdisclosure,\u201d but we never find out anything that would enable people to make informed decisions about whether their data is safe enough.
\nAll we typically hear or read is that the organization \u201ctakes their customer data very seriously.\u201d We need a system for scoring data breaches and corporate response across key variables as a critical and tangible way to change the dynamic quickly after an announcement.
\nActually applying an independent score to a data breach could be an effective way to accelerate the path to remediation and restoring trust.
\nJeff\u2019s been in the security industry for more than 20 years (and he just happens to have a JD from Georgetown) so he\u2019s very well versed in industrial-sized security challenges.
\nAs soon as he suggested the idea, I couldn\u2019t help but wonder why it hasn\u2019t been implemented\u2013and then also what a scorecard would look like.
\nJeff offered this draft:
\n* Tone
\n* Timeline
\n* Scope
\n* Size
\n* Root Cause
\n* Discovery
\n* Remedy
\n* Future
\n* Blame
\n* Oddities<\/p>\n
Link: http:\/\/paulgdavis.us3.list-manage2.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=a8e2c5b0c5&e=20056c7556<\/p>\n
Axing Boss Is Data Breach Response Last Resort
\nAug. 9 \u2014 Scapegoating the boss over a cybersecurity incident that compromises customer data or reveals unsavory internal communications usually isn’t the first option in a breach response.
\nThe termination or resignation of a top executive in response to a data breach incident is \u201cthe exception, not the rule,\u201d Leigh Nakanishi, senior vice president of Data Security and Privacy at public relations company Edelman, told Bloomberg BNA.
\nDataGravity Inc.
\nChief Information Security Officer Andrew Hay said that a company executive may be more vulnerable to termination if doing so makes sense in a company’s \u201crisk equation.\u201d
\nThe most important factor in an executive’s post-data breach vulnerability is the type of information revealed, Nakanishi told Bloomberg BNA.
\nWhether an executive was negligent or failed to meet minimum data security requirements and whether the initial incident response was properly executed are also important factors in deciding whether to sever ties with an organization leader, he said.
\nNakanishi agreed that the responsibility to prevent and respond to data breaches shouldn’t fall just on the CISO.
\nCompanies should have a team of executives in charge of cybersecurity, each with different roles and responsibilities, he said.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=6a42bf371a&e=20056c7556<\/p>\n
CounterTack’s Mike Davis Highlights Cybersecurity Trends
\nCHANNEL PARTNERS EVOLUTION \u2014 As large enterprises have become smarter in defending against cyberattacks, criminals have increasingly turned their attention to small and medium-size businesses, an expert noted Monday during Channel Partners Evolution.
\nAbout a third of attacks are against SMBs, said Mike Davis of CounterTack.
\nHe described common ways that customers get hacked by cybersecurity scoundrels and highlighted the costs for the victims.
\nCounterTack’s Mike Davis
\nCounterTack’s Mike Davis
\nDavis said a data breach will cost a small business a whopping $300,000 on average.
\nJust retaining an expert to review systems and determine how the attacker penetrated a system costs a minimum of $100,000, noted Davis, the CTO of CounterTack, which provides behavior-based detection, analysis and response technology.
\nCommenting on data breaches, Davis observed the majority involve weak, default or stolen passwords.
\nHe recommended using longer passwords, such as your favorite quote from a movie.
\nPart of Davis\u2019 talk addressed misconceptions around cybersecurity.
\nFor instance, he noted credit cards are fairly well protected, while thieves today are targeting email addresses because they hold valuable information concerning one\u2019s identity and may be linked to other services such as a person\u2019s social media accounts.
\nOn the black market, a person\u2019s credit card information is only worth $1.50, while medical records are valued at $50, he noted.
\nDavis addressed fears over the security of mobile devices.
\nHe said a 2015 study indicated that only .015 percent of U.S. mobile devices were infected with malware, a figure he described as \u201cso small it doesn\u2019t matter.” However, mobile security is more prominent in places like Asia and Russia, he cautioned.
\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=9995c33bec&e=20056c7556<\/p>\n
Cognitive Risk Framework for Cybersecurity, Part 2
\nIn part 1 of this series, I introduced the reasoning for developing a bridge from existing IT and risk frameworks to the next generation of risk management based on cognitive.
\nThese concepts are no longer theoretical and, in fact, are evolving faster than most IT security and risk professionals appreciate.
\nIn part 2, I introduce the pillars of a cognitive risk framework for cybersecurity that make this program operational.
\nThe pillars represent existing technology and concepts that are increasingly being adopted by technology firms, government agencies, computer scientists and industries as diverse as health care, biotechnology, financial services and many others.
\nThe following is an abbreviated version of the cognitive risk framework for cybersecurity (CRFC) that will be published later this year.
\nA cognitive risk framework is fundamental to the integration of existing internal controls, risk management practice, cognitive security technology and the people who are responsible for executing on the program components that make up enterprise risk management.
\nCognitive risk fills the missing gap in today\u2019s cybersecurity program that fails to fully incorporate how to address the \u201csoftest target,\u201d the human mind.
\nA functioning cognitive risk framework for cybersecurity provides guidance for the development of a CogSec response that is three-dimensional instead of a one-dimensional defensive posture.
\nThe first step in the transition to a CRFC is to develop an organizational Cognitive Map.
\nA Cognitive Map is one of many tools risk professionals must use to expand discussions on risk and form agreements for enhanced techniques in cybersecurity.
\nPoor communications about risk are more common than not without a structured way to put risks in context to account for a diversity of risk perceptions.
\nOrganizations rarely openly discuss these differences or even understand they exist until a major risk event forces the issue onto the table.
\nSome refer to this exercise as forming a \u201crisk appetite,\u201d but again this term is vague and doesn\u2019t fully develop a full range of ways individuals experience risk.
\nResearchers now recognize diverse views of risks as relevant from the nonscientist, who views risks subjectively, whereas scientists evaluate adverse events as the probability and consequences of risks.
\nechniques for reconciling these differences create a forum that leads to better discussions about risk.
\nA Cognitive Risk Framework for Cybersecurity, or any other risk, requires a clear understanding and agreement on the role(s) of data management
\nThe goal of a cognitive risk framework is needed to advance risk management in the same way economists deconstructed the \u201crational man\u201d theory.
\nThe CRFC guiding principles expand the language of risk with concepts from behavioral science to build a bridge connecting decision science, technology and risk management.
\nThe CRFC program components include five pillars:
\n– Intentional Controls Design
\n– Cognitive Informatics Security (Security Informatics)
\n– Cognitive Risk Governance
\n– Cybersecurity Intelligence & Active Defense Strategies
\n– Legal \u201cBest Efforts\u201d Considerations in Cyberspace
\nA cognitive risk framework for cybersecurity represents an opportunity to accelerate advances in cybersecurity and enterprise risk management simultaneously.
\nA convergence of technology, data science, behavioral research and computing power are no longer wishful thinking about the future.
\nThe future is here but in order to fully harness the power of these technologies and the benefits possible IT security professionals and risk managers, in general, need a guidepost for comprehensive change.
\nThe cognitive risk framework for cybersecurity is the first of many advances that will change how organizations manage risk now and in the future in fundamental and profound ways few have dared to imagine.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=c2f3211919&e=20056c7556<\/p>\n
Closing the insider threat loop with authority
\nThe major problem is that, without authority, your response to any threat will not be agile or strong enough to stop or prevent the incident.
\nAuthority to act is an essential element of success.
\nConversely, lack of authority leads to confusion, disorganization, and failure.
\nI have quoted Sun Tzu before, so pardon the repetition, but he has much to add to this discussion. \u201cWhen the general is weak and without authority; when his orders are not clear and distinct; when there are no fixed duties assigned to officers and men, and the ranks are formed in a slovenly haphazard manner, the result is utter disorganization.\u201d
\nThe National Insider Threat Task Force issued some basic rules for establishing effective insider threat programs.
\nThree initial tasks were deemed as requirements:
\n– Establish a policy signed by the organization head
\n– Appoint a senior executive with responsibility
\n– Put out a plan of actions.
\nBy withholding authority, senior leaders also often fall into the trap of attempting to manage matters that are beyond their ability or capacity to successfully handle.
\nToo often, I had to wait for my senior to return from leave or heard he was \u201ctoo busy\u201d to chat about something that was incredibly timely and important.
\nWhen establishing an insider threat program, consider that Authority is one of the three \u201cAs\u201d of success.
\nWithout authority, your organization will not be successful countering threats, setting you up for failure and leaving you open to successful attacks.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=2472907069&e=20056c7556<\/p>\n
Kaspersky Lab Survey Reveals the Financial Impact of the IT Security Talent Shortage
\nWOBURN, Mass.–(BUSINESS WIRE)–Kaspersky Lab today released its 2016 Corporate IT Security Risks survey1 which found that large businesses with a small amount of full-time security experts pay almost three times more to recover from a cyberattack than those businesses with in-house expertise.
\nThe research shows that large businesses hiring outside help pay between $1.2M – $1.47M to recover from a cybersecurity incident, compare to those large businesses who have in-house skilled IT security experts to handle a crisis who pay between $100K – $500K.
\nThis is due to a significant amount of recovery costs going toward additional staff wages to hire external expert help \u2013 on average costing $14K for SMBs and $126K for enterprises.
\nSurprisingly, nearly half (48 percent) of businesses admit there is a talent shortage and a growing demand for more specialists (46 percent).
\nProactively hiring new staff to employ experts before an incident, rather than bringing them in to pick up the pieces, significantly lowers the average IT costs and helps better protect the business.
\nOverall, 68.5 percent of companies expect an increase in the number of full-time security experts, with 18.9 percent expecting a significant increase in headcount.
\nHigher education is an important part of fulfilling such a demand, but this is also a call for a change within the security industry itself.
\nOne of the solutions is to aid universities with relevant experience.
\nAnother very important long-term solution is to adapt R&D efforts towards the effective sharing of intelligence with corporate customers in the form of threat data feeds, security training, and services.
\nA proper combination of security solutions and intelligence is what allows corporate security teams to spend less time and money on regular cybersecurity incidents and focus on strategic security development and advanced threats.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=a18b952e6b&e=20056c7556<\/p>\n
AWS allows enterprises to bring their encryption keys
\nThe ability to bring your own keys to the cloud is an important cloud security feature, and it is encouraging to see Amazon Web Services add this capability to its Key Management Service (KMS).\u201dCustomers tell us that local control over the generation and storage of keys would help them meet their security and compliance requirements in order to run their most sensitive workloads in the cloud.
\nIn order to support this important use case, I am happy to announce that you can now bring your own keys to KMS,\u201d Jeff Barr, AWS chief evangelist, wrote in a blog post.
\nThe import process can be initiated from the AWS Management Console or AWS command-line interface or by making calls to the KMS API.
\nThe process requires customers to initially wrap the local key with a KMS-generated public key so that secret keys are not transmitted in the open, Barr said.
\nThe public key is unique to the customer\u2019s AWS account, and KMS automatically creates a CloudWatch metric to track when the key is set to expire.
\nCustomers can create notification alerts as a reminder to reimport the key, for example.
\nDetailed auditing information is available via AWS CloudTrail.
\nSince Google Compute Engine automatically encrypts all data at rest, users provide a Customer-Supplied Encryption Key (CSEK) to protect the Google-generated keys employed for data encryption.
\nThis method lets customers control data encryption in the cloud via an internally generated key without changing Google\u2019s automatic processes.
\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=6c3783fff3&e=20056c7556<\/p>\n
============================================================
\nFeedback, questions? Our mailing address is: dailynews@paulgdavis.com (mailto:dailynews@paulgdavis.com)<\/p>\n
If you know someone else who would be interested in this Newsalert, please forwarded this email.
\nIf you want to be added to the distribution list, please click this: Subscribe to this list (http:\/\/paulgdavis.us3.list-manage.com\/subscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a)<\/p>\n
Unsubscribe from this list (http:\/\/paulgdavis.us3.list-manage2.com\/unsubscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556&c=76b9c0a787)<\/p>\n
Update subscription preferences (http:\/\/paulgdavis.us3.list-manage2.com\/profile?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556)<\/p>\n","protected":false},"excerpt":{"rendered":"
[From the desk of Paul G Davis – his opinion and no-one else’s, apart from those of the authors of the articles.] And so, now the news * 10 Tips On Keeping Your Mobile Device Safe While Traveling * 6 security advances worth celebrating * Why We Should Score Data…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[29],"tags":[],"class_list":["post-1252","post","type-post","status-publish","format-standard","hentry","category-news"],"_links":{"self":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1252","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=1252"}],"version-history":[{"count":1,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1252\/revisions"}],"predecessor-version":[{"id":3739,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1252\/revisions\/3739"}],"wp:attachment":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=1252"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=1252"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/tags?post=1252"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}