[From the desk of Paul G Davis – his opinion and no-one else’s, apart from those of the authors of the articles.]
\nAnd so, now the news<\/p>\n
* Latest Data Breach Settlement Illustrates Need for Companies to Prioritize Cybersecurity
\n* Global Cost of Cybercrime Predicted to Hit $6 Trillion Annually By 2021, Study Says
\n* Got big data? The Cloud Security Alliance offers up 100 best practices
\n* Privacy Shield data-transfer agreement now covers 200 companies
\n* Security must be top of the manufacturing agenda
\n* Security Conferences Abound: Which Should You Attend?
\n* Fueling secure technology adoption in banks through a robust cyber security framework[India]
\n* The Hidden Dangers Of ‘Bring Your Own Body’
\n* Vulnerability Spotlight: Multiple DOS Vulnerabilities Within Kaspersky Internet Security Suite
\n* Cyberthreats Targeting the Factory Floor
\n* Don\u2019t Get Stranded without a Data Security Action Plan<\/p>\n
Latest Data Breach Settlement Illustrates Need for Companies to Prioritize Cybersecurity
\nOn Aug. 5, 2016, the New York attorney general, Eric Schneiderman, announced a $100,000 settlement with an e-retailer following an investigation of a data breach that resulted in the potential exposure of more than 25,000 credit card numbers and other personal information.
\nAccording to the investigation, on Aug. 7, 2014, in an all-too-common scenario, an attacker infiltrated the e-retailer\u2019s website.
\nNearly one year later, the e-retailer\u2019s merchant bank notified it that fraudulent charges were appearing on customers\u2019 credit card accounts.
\nThe e-retailer then hired a cybersecurity firm to conduct a forensic investigation, and the malware was discovered and removed from the e-retailer\u2019s website.
\nBesides the obvious lesson of complying with state data breach notification laws where applicable, the other important lesson is that companies must carefully evaluate how they market the privacy and security of their e-commerce platforms.
\nFederal and state agencies, like the Federal Trade Commission (FTC) and state attorneys general, have increased their scrutiny of companies\u2019 privacy and cybersecurity representations.
\nRegulators will also scrutinize companies\u2019 actual cybersecurity practices.
\nThe FTC has offered some practical advice to guide companies in this regard, some of which we have previously discussed here and here.
\nBottom line: Companies should prioritize cybersecurity and treat it as an investment rather than a cost.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=eaa5d53c74&e=20056c7556<\/p>\n
Global Cost of Cybercrime Predicted to Hit $6 Trillion Annually By 2021, Study Says
\nA report out by Cybersecurity Ventures predicts global annual cybercrime costs will grow to $6 trillion by 2021.
\nWhile a $6 trillion estimate might be a little high, \u201ca trillion dollars plus is a real possibility,\u201d says Larry Ponemon, chairman and founder of the Ponemon Institute.
\nThough this isn\u2019t a number he saw coming down the pipeline. \u201cIf you asked me five or six years ago, I\u2019d fall over,\u201d he says.
\nThe predicted cybercrime cost takes into account all damages associated with cybercrime including: damage and destruction of data, stolen money, lost productivity, theft of intellectual property, theft of personal and financial data, embezzlement, fraud, post-attack disruption to the normal course of business, forensic investigation, restoration and deletion of hacked data and systems, and reputational harm.
\nIt does not include the cost incurred for unreported crimes.
\nThe Cybersecurty Ventures report, which is a compilation of cybercrime statistics from the last year, also predicts that the world\u2019s cyberattack surface will grow an order of magnitude larger between now and 2021.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=8135e719b1&e=20056c7556<\/p>\n
Got big data? The Cloud Security Alliance offers up 100 best practices
\nFor companies working with distributed programming frameworks such as Apache Hadoop, for example, the CSA recommends using Kerberos authentication or an equivalent to help establish trust.
\nCompanies that use nonrelational data stores such as NoSQL databases, meanwhile, are hampered by the fact that such products typically include few robust embedded security features, the report’s authors say.
\nFor that reason, they suggest using strong encryption methods such as the Advanced Encryption Standard (AES), RSA, or Secure Hash Algorithm 2 (SHA-256) for data at rest.
\nAlso included in the report are suggestions for real-time security and compliance monitoring, privacy-preserving analytics, data provenance, cryptographic techniques, and more.
\nThe handbook is now available as a free download.
\nMarket researcher Gartner, meanwhile, predicts that the improper use of big data analytics will cause half of all business to experience ethics violations by 2018.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=b776006a33&e=20056c7556<\/p>\n
Privacy Shield data-transfer agreement now covers 200 companies
\nCompanies must register with the International Trade Administration of the U.S.
\nDepartment of Commerce to be covered.
\nIt’s a self-certification process, so the ITA is only checking that the forms are filled in correctly, not that companies are necessarily complying with all 13,894 words of the rules.
\nThe Privacy Shield rules are needed to ensure that EU citizens’ personal information is afforded the same legal protection in the U.S. as required under EU law.
\nThere are now 200 companies standing behind Privacy Shield, the framework agreement allowing businesses to process the personal information of European Union citizens on servers in the U.S.
\nSome 5,534 organizations signed up to Safe Harbor before the court ruling came, with the certification status still listed as “current” for 3,375 of them.
\nLink: http:\/\/paulgdavis.us3.list-manage2.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=a336598627&e=20056c7556<\/p>\n
Security must be top of the manufacturing agenda
\nIn order for manufacturers to be fully prepared, embedding security within manufacturing technology at the point of origin and ensuring end-user environments are as secure as possible would be the most effective methods to ensure such vulnerabilities are significantly mitigated.
\nAs these systems have been traditionally isolated from office network environments and the internet through air-gapping, it is evident that industrial hardware and software was not designed with security in mind, rather, it was intended to function within a closed environment.
\nWithin modern industries, however, we see an increased demand for real time data and remote access services.
\nPreviously separate systems are now interconnected with other company networks, exposing the hardware, services and protocols to attackers.
\nThe popularity of WirelessHART products show a significant shift among manufacturers to integrate and utilise networked technology to increase efficiencies within their businesses.
\nThe benefits of this technology are undeniable, allowing manufacturers with legacy systems to swiftly and cheaply upgrade their existing systems to a level of productivity arguably comparable to fully digital environments.
\nFor a business to fully secure its industrial environment, the education of staff on security best practices must become an essential element of day-to-day activities.
\nA focussed approach to training and awareness enables staff to better understand the threats that affect their work environments \u2013 it is therefore essential for all personnel to fully understand the security risks relevant to their duties, thus minimising the risks associated with a successful cyber-attack.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=0c63e3e517&e=20056c7556<\/p>\n
Security Conferences Abound: Which Should You Attend?
\nThere is normally a hiatus in security conferences between September and February that allows those of us who have been drinking from the fire hose to stop and take a breath.
\nThis breathing space permits us to implement, adjust, engage and otherwise ensure we are where we need to be with respect to securing our data, our clients\u2019 data and our customers\u2019 data.
\nThe hiatus also gives us the opportunity to decide which security conferences will give us the biggest bang for our buck in terms of education and industry awareness in the coming year.
\nShmooCon 2017 is a three-day security conference taking place in Washington, D.C. in January 2017.
\nThe format lends itself to those engaged in maintaining and breaking cybersecurity devices, network and appliances.
\nThe Cyber Threat Intelligence Summit is a two-day security conference hosted by the SANS Institute in Arlington, Virginia.
\nFour days of training seminars and classes will precede the conference in late January 2017.
\nThe RSA Conference is the largest of all the security conferences, to be held in San Francisco in mid-February 2017.
\nIn the run up to the conference, we will see major vendors release a plethora of new studies and product announcements.
\nThen there\u2019s a multitude of agnostic and vendor-driven training forums. Many will find the enormous expo areas an excellent means by which to learn about solutions from vendors and receive some introductory training on these tools.
\nThe International Association of Privacy Professionals (IAPP) hosts a variety of global conferences focused on educating attendees on the broad topic of privacy.
\nInterConnect is IBM\u2019s premier annual conference for security, cloud and mobile.
\nThe 2017 event is scheduled for mid-March in Las Vegas and will once again feature more than 2,000 sessions, ranging from deep-dive technical demonstrations to business content to hands-on labs and workshops.
\nInfoSec World is a security conference and expo scheduled to take place in ChampionsGate, Florida, in April 2017.
\nThe conference will feature security practitioners who speak from experience on the real-world challenges companies are facing today.
\nThe international Forum of Incident Response and Security Teams (FIRST) Conference will take place in San Juan, Puerto Rico, in June 2017. Those involved in incident response at the national, local or enterprise level will benefit from attending.
\nThe Black Hat security conferences are held in Las Vegas each summer and elsewhere in the world (in Asia and Europe) at varying times. According to the organizers, more than two-thirds of attendees are information security professionals with the CISSP distinction. The conference is light on vendor displays and heavy on practical demonstrations of new exploits and discoveries, so it\u2019s definitely a worthwhile event for security professionals and those IT workers on the ground.
\nDEF CON takes place annually in Las Vegas, and the next conference will occur in late July 2017.
\nThe organizers bill the conference as \u201cthe hacking conference,\u201d and past attendees will certainly attest to the veracity of this claim.
\nWhile the aforementioned security conferences are by no means all-inclusive, they are always on this writer\u2019s calendar for consideration.
\nThey should be on yours as well.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=160547c7a5&e=20056c7556<\/p>\n
Fueling secure technology adoption in banks through a robust cyber security framework[India]
\nThe threat landscape is evolving and in light of increased adoption of technology by banks as a part of the country\u2019s move towards a cashless economy, Reserve Bank of India (RBI) has recently mandated the creation of a Cyber Security Framework to fortify the security postures at banks.
\nBanks are now mandated to formulate a Cyber Crisis Management Plan (CCMP) which will address the aspects of detection, response, recovery and containment.
\nSecurity is becoming a part of boardroom agenda across organizations and as rightly recognized by RBI, security should not be an IT-only concern.
\nReiterating the key role of the CISO in bridging business needs with IT needs, cybersecurity policies should be distinct from an organization\u2019s broader IT policy specifically highlighting the risks from cyber threats and the measures for mitigation.
\nThe information centric model should include envisioning the information infrastructure, information intelligence, and information governance.
\nFollowing the advisory by RBI, banks have undergone gap assessments as the initial step and would have submitted the analysis by July 31.
\nThe roadmap to achieve an all-inclusive cybersecurity infrastructure is going to be perplexing where banks will face challenges pertaining to implementation, costs, investments, organizational arrangements and so on.
\nHowever, the goal once achieved, will be a huge leap towards a robust, secure banking ecosystem.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=c328b15467&e=20056c7556<\/p>\n
The Hidden Dangers Of ‘Bring Your Own Body’
\n1) Who, exactly, has ownership of this data?
\n2) How should the business manage this data?
\nThere may not be that much biometric data currently in the average enterprise, but its use is on the rise.
\nBoth the private and public sectors probably (and legally) have some of your biometric data right now.
\nIf you\u2019ve ever worked for a government-affiliated organization and achieved any type of security clearance, it has your fingerprint data.
\nIf you have a US driver\u2019s license — even if you have no criminal record — there\u2019s a good chance that the FBI is already analyzing your photo for a facial-recognition database.
\nThe information that HR departments handle on a regular basis — Social Security numbers, home addresses, health insurance details, tax information, etc. — all pose threats to privacy and security that are practically incomparable to traditionally stolen data types such as credit card numbers.
\nThe key objective for the immediate future is to determine what\u2019s within the realm of control, and how security can be strengthened for the locations where there is most likely to be sensitive items.
\nThis relatively simple task today will be important for the future, regardless of how common biometric data becomes in business.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=d5e397bb4e&e=20056c7556<\/p>\n
Vulnerability Spotlight: Multiple DOS Vulnerabilities Within Kaspersky Internet Security Suite
\nTalos has discovered multiple vulnerabilities in Kaspersky\u2019s Internet Security product which can be used by an attacker to cause a local denial of service attack or to leak memory from any machine running Kaspersky Internet Security software.
\nThe vulnerabilities affect Kaspersky Internet Security 16.0.0, KLIF driver version 10.0.0.1532, but may affect other versions of the software too.
\nSince anti-virus software runs with low level privileges on any system, vulnerabilities in these software are potentially very interesting for attackers.
\nAlthough these vulnerabilities are not particularly severe, administrators should be aware that security systems can be used by threat actors as part of an attack, and keep such systems fully patched.
\nVulnerabilities discovered by Piotr Bania and Marcin \u2018Icewall\u2019 Noga of Cisco Talos.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=b74e7d4d83&e=20056c7556<\/p>\n
Cyberthreats Targeting the Factory Floor
\nCyberattacks targeting manufacturing companies are on the rise, according to a recent report from IBM X-Force Research\u2019s 2016 Cyber Security Intelligence Index.
\nThe report noted that the sector is the second most-attacked industry behind healthcare.
\nAutomotive manufacturers were the top targets for criminals, accounting for almost 30% of all cyberattacks in 2015, while chemical companies were attackers\u2019 second-favorite targets.
\nMost manufacturing companies are behind the curve on security.
\nThe Sikich report noted that only 33% of the manufacturers it surveyed were performing annual penetration testing within their IT groups.
\nWhen it comes to ICS networks even less is being done to secure them.
\nBecause of lax security standards, manufacturers are leaving themselves exposed at every point of their networks.
\nOne of the biggest security challenges manufacturers face is dealing with the variety of different communication protocols used in ICS networks.
\nStandard data plane protocols like Modbus and DNP3 are used by HMI\/SCADA\/DCS applications to communicate physical measurements and process parameters such as current temperature, current pressure, valve status, etc.
\nMeanwhile, the control plane protocols \u2014 which are used to configure automation controllers, update their logic, make code changes, download firmware, etc. \u2014 are proprietary and vendor-specific.
\nEach vendor uses its own implementation of the IEC-61131 Standard for Programmable Controllers.
\nThese implementations are rarely documented, making it very difficult to monitor critical activities.
\nContrary to popular belief, this is not extremely difficult.
\nOnce inside the network, an attacker can easily download control logic to an industrial controller or change its configuration.
\nSince these actions are executed using proprietary vendor-specific protocols, there is no standard way to monitor these control plane activities.
\nAs a result, changes made by an attacker can go unnoticed until damage starts to occur.
\nGaining visibility into ICS networks is the first step in being able to protect them from cyberthreats.
\nDiscovering all assets, especially industrial controllers, is critical.
\nThis includes maintaining a reliable inventory of configurations, logic, code and firmware versions for each controller.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=65611db562&e=20056c7556<\/p>\n
Don\u2019t Get Stranded without a Data Security Action Plan
\nNavigating this increasingly complex maze of requirements from different states while simultaneously combatting data breaches is not an easy task.
\nThat\u2019s why it\u2019s critical for healthcare providers to prepare a comprehensive data security action plan by following these five steps:
\n1) Benchmark to identify vulnerabilities
\n2) Adopt a consistent security posture
\n3) Evaluate and manage third-party relationships
\n4) Gain a full understanding of all state and federal regulations
\n5) Implement a communications strategy to protect your reputation
\nLink: http:\/\/paulgdavis.us3.list-manage2.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=b9ce4b3006&e=20056c7556
\nFeedback, questions? Our mailing address is: dailynews@paulgdavis.com (mailto:dailynews@paulgdavis.com)<\/p>\n
If you know someone else who would be interested in this Newsalert, please forwarded this email.
\nIf you want to be added to the distribution list, please click this: Subscribe to this list (http:\/\/paulgdavis.us3.list-manage.com\/subscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a)<\/p>\n
Unsubscribe from this list (http:\/\/paulgdavis.us3.list-manage2.com\/unsubscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556&c=ea42da8dc8)
\nUpdate subscription preferences (http:\/\/paulgdavis.us3.list-manage1.com\/profile?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556)
\n============================================================<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n
()<\/p>\n","protected":false},"excerpt":{"rendered":"
[From the desk of Paul G Davis – his opinion and no-one else’s, apart from those of the authors of the articles.] And so, now the news * Latest Data Breach Settlement Illustrates Need for Companies to Prioritize Cybersecurity * Global Cost of Cybercrime Predicted to Hit $6 Trillion Annually…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[29],"tags":[],"class_list":["post-1256","post","type-post","status-publish","format-standard","hentry","category-news"],"_links":{"self":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1256","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=1256"}],"version-history":[{"count":1,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1256\/revisions"}],"predecessor-version":[{"id":3743,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1256\/revisions\/3743"}],"wp:attachment":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=1256"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=1256"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/tags?post=1256"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}