{"id":2490,"date":"2016-09-11T00:00:00","date_gmt":"2016-09-11T00:00:00","guid":{"rendered":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/2016\/09\/11\/fromreply-totodatemessage-idlist-idlist-unsubscribesendercontent-typemime-version-imail3dpaulgdavis-commail19-suw17-mcsv-net\/"},"modified":"2021-12-30T11:41:26","modified_gmt":"2021-12-30T11:41:26","slug":"fromreply-totodatemessage-idlist-idlist-unsubscribesendercontent-typemime-version-imail3dpaulgdavis-commail19-suw17-mcsv-net","status":"publish","type":"post","link":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/2016\/09\/11\/fromreply-totodatemessage-idlist-idlist-unsubscribesendercontent-typemime-version-imail3dpaulgdavis-commail19-suw17-mcsv-net\/","title":{"rendered":"From:Reply-To:To:Date:Message-ID:List-ID:List-Unsubscribe:Sender:Content-Type:MIME-Version; i=mail=3Dpaulgdavis.com@mail19.suw17.mcsv.net;"},"content":{"rendered":"<p>[From the desk of Paul Davis &#8211; his opinions and no-one else&#8217;s,  apart from the reporter&#8217;s opinions ]<br \/>\nI had a request to change the format of the date in the Subject line to make it easier to sort.  So I made the change.<\/p>\n<p>* 11+ security questions to consider during an IT risk assessment<br \/>\n* Payment Card Industry Security Standards Council Releases Payment Application Data Security Standard Version 3.2<br \/>\n* Cyberattacks can cripple the construction industry<br \/>\n* A Look at Breach Notification Laws Around the World<br \/>\n* Huge Data Breach Losses Aren&#8217;t Forcing Companies to Bolster Security<br \/>\n* IT security skills remain in high demand<br \/>\n* Windows 10 Build 14352 lets Windows Insiders run two antivirus programs on their PC<br \/>\n* EU member states should stress-test banks\u2019 cyber risks<br \/>\n* ITC Launches Investigation Into Chinese Hacking Of U.S. 
Steel Corp<br \/>\n* 48% of respondents\u2019 organisations still lack key cyber security personnel, says DarkMatter poll<br \/>\n* SWIFT Eyeing New Tools to Spot Bank Fraud<br \/>\n* A Dire Lack of Knowledge about Ransomware Exists Despite Record Number of Infections<br \/>\n* Lloyds: cyber attacks down by up to 90pc<br \/>\n* Retail Security Risks: 2016 Midyear Roundup<br \/>\n* Cybercrime Hit Businesses Hardest in 2015, says IC3 Report<br \/>\n* Prioritising threat intelligence<br \/>\n* ICIT Explains NIST Guide Impact on Healthcare Cybersecurity<br \/>\n* Data security is the most significant risk facing in-house counsel today<br \/>\n* How Security And IT Teams Can Get Along: 4 Ways<br \/>\n* Got $90,000? A Windows 0-Day Could Be Yours<br \/>\n* J.P. Morgan\u2019s CIO on the Bank\u2019s Security Game Plan<\/p>\n<p>11+ security questions to consider during an IT risk assessment<br \/>\nThere is never enough time to consider all the ramifications during an attack.<br \/>\nVogel, for example, uses a data breach to point out risks that may be overlooked when scrambling to recover and getting back to normal operating conditions:<br \/>\nWhat data is valuable to our consumers and\/or members?<br \/>\nWhat would happen if we were [i.e., the organization] in the news for a data breach, even if the data lost was meaningless?<br \/>\nWhat legal liability do we have if something happened to the data?<\/p>\n<p>Questions for board officers and investors:<br \/>\nWhat makes our company or service an appealing target for hackers and cybercriminals?<br \/>\nWhat is the worst-case scenario; what are our principal assets and &#8220;crown jewels&#8221; that could be compromised?<br \/>\nWhat will be the impact if we are targeted and:<br \/>\n&#8211; the breach is made public?<br \/>\n&#8211; data is held for ransom?<br \/>\n&#8211; our corporate or consumer data is destroyed?<br \/>\nIs there a valid business reason for retaining existing information and the collection of new 
data?<br \/>\nWhat are our data minimization and destruction policies and procedures?<br \/>\nIs our cyberinsurance coverage adequate?<br \/>\nHave we completed a coverage gap analysis, and do we fully understand the exclusions?<br \/>\nAre we prepared for regulatory enforcement and lawsuits?<br \/>\nHow current, complete, and tested is our data breach incident plan?<br \/>\nAre we using industry best practices, and do we adhere to a cybersecurity framework reflecting our current countries of operation and types of business operations?<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=b9464e9746&#038;e=20056c7556<\/p>\n<p>Payment Card Industry Security Standards Council Releases Payment Application Data Security Standard Version 3.2<br \/>\nWAKEFIELD, Mass.&#8211;(BUSINESS WIRE)&#8211;Today the PCI Security Standards Council (PCI SSC) published a new version of its data security standard for payment software, the Payment Application Data Security Standard (PA-DSS) version 3.2.<br \/>\nThe Payment Application Data Security Standard is used by payment application vendors to ensure their software products will protect payment card data from theft.<br \/>\nMerchants and other businesses globally use \u201cPA-DSS Validated\u201d software to ensure they can safely accept payments, both in-store and online.<br \/>\nUsing \u201cPA-DSS Validated\u201d software also supports businesses in their efforts to secure payment card data throughout their systems and networks \u2013\u2013 which is required by the more comprehensive PCI Data Security Standard (PCI DSS).<br \/>\nPA-DSS version 3.2 aligns with the recent release of PCI DSS version 3.2, both of which address growing threats to customer payment information.<br \/>\nUpdates to standards are based on feedback from the PCI Council\u2019s more than 700 global Participating Organizations, as well as data breach report findings and changes in payment acceptance.<br \/>\nKey 
changes in PA-DSS 3.2 include clarifications to existing requirements and updating requirements to align with PCI DSS v3.2.<br \/>\nThe revision also makes updates to the detailed instructions included with vendor products (the \u201cPA-DSS Implementation Guide\u201d), which explain how to configure payment applications properly and in accordance with PCI DSS.<br \/>\nThese address procedures for secure installation of software patches and updates, and instructions for protecting cardholder data if using debugging logs for troubleshooting, as these can be exploited during a compromise.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=61a5637afc&#038;e=20056c7556<\/p>\n<p>Cyberattacks can cripple the construction industry<br \/>\nGiven the increasing popularity of practices such as Building Information Modeling, Integrated Project Delivery, and file sharing between participants in a construction project, contractors may be at increased risk of liability in the event of a data breach.<br \/>\nA hacker may be able to access architectural designs, including the designs of security systems and features; financial information; confidential project-specific information; and personal information of employees.<br \/>\nA construction company can take several steps to mitigate the risk of a cyberattack and\/or data breach.<br \/>\nInternally, the contractor should develop and enforce a Written Information Security Program (WISP), which sets forth a protocol for protecting personal and other sensitive information and complying with regulatory requirements.<br \/>\nThe Florida Information Protection Act of 2014, Section 501.171 of the Florida Statutes, governs how covered entities (i.e., any commercial entity that acquires, maintains, stores or uses personal information) must prepare for and respond to data breaches.<br \/>\nGiven the increasing frequency of cyberattacks and resulting data breaches, contractors and others 
in the construction industry should be proactive in order to mitigate the attendant risks.<br \/>\nA coordinated effort between IT, management, and in-house and outside counsel is key to an effective cyber-defense strategy.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=502ac48db4&#038;e=20056c7556<\/p>\n<p>A Look at Breach Notification Laws Around the World<br \/>\nOn the data breach front, a lot has changed since 2003.<br \/>\nTo take stock of the current state of nation&#8217;s data breach notification requirements, my colleagues at Information Security Media Group and I have explored efforts in four regions:<\/p>\n<p>Europe: The EU&#8217;s General Data Protection Regulation, which goes into effect in May 2018, includes a number of privacy provisions, including mandatory breach notifications.<br \/>\nSome legal experts say the regulation will serve as a model for other countries (see Mandatory Breach Notifications: Europe&#8217;s Countdown Begins).<br \/>\nUnited States: Some 47 states, three U.S. 
territories and Washington, D.C., have breach notification laws of varying strength.<br \/>\nBut efforts to replace them with a single &#8211; and more straightforward &#8211; federal law have stumbled, in part because previous efforts would have weakened some states&#8217; current approaches, Eric Chabrow reports (see Single U.S. Breach Notification Law: Stalled).<br \/>\nAustralia and New Zealand: Officials in both countries are reviewing mandatory breach notification proposals but have yet to pass any related laws, as Jeremy Kirk reports (see Australia, New Zealand Still Mulling Data Breach Laws).<br \/>\nIndia: Lacking any mechanism for enforcing a data breach notification law, experts say it&#8217;s unlikely the country will see any related laws anytime soon, Geetha Nandikotkur reports (see Why India is Still Not Ready for Breach, Privacy Laws).<\/p>\n<p>Today, nearly 90 countries have data protection laws &#8211; or relevant court rulings &#8211; on the books, ranging from Angola and Argentina to Venezuela and Zimbabwe, according to the law firm DLA Piper.<br \/>\nBut many of those countries still don&#8217;t require breached organizations to notify either authorities or the individuals whose personal information was exposed in the event of a breach.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage2.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=5955598d71&#038;e=20056c7556<\/p>\n<p>Huge Data Breach Losses Aren&#8217;t Forcing Companies to Bolster Security<br \/>\nThe cost of even huge data breaches is not enough to convince companies to spend vastly more to bolster IT security, since neither investors nor customers permanently abandon them.<br \/>\nIn October 2015, hackers compromised the Website of British telecommunications firm TalkTalk, likely using one of 11 known vulnerabilities in the site to steal the personal details of 157,000 customers, including bank-account information on more than 15,000 people.<br \/>\nEarlier this month, the 
bill for the lapse in security came due: The company saw its profits decline by more than half in the first quarter of 2016.<br \/>\nIn its annual report released in February, the company revealed that it lost 95,000 subscribers and attributed more than \u00a355 million (US$80 million) in losses to the hack, including the &#8220;exceptional costs of restoring our online capability with enhanced security features, associated IT, incident response and consultancy costs, and free upgrades&#8221; that the company offered to retain customers.<br \/>\nWhile the sacking of CEOs has certainly drawn the attention of executive teams and boards, the financial penalties of breaches tend to be short-lived and easily subsumed by most large companies.<br \/>\nWhen hacker Albert Gonzales stole information on nearly 100 million credit and debit cards from Heartland Payment Systems in 2009, the company lost more than 75 percent of its stock value in three months.<br \/>\nYet the price bounced back, and now its stock is up nearly 500 percent since that time.<br \/>\nAnd, in spite of the $80 million in losses, TalkTalk&#8217;s breach costs only cut into profits and did not result in an overall fiscal-year financial loss for the company.<br \/>\nIn fact, the company&#8217;s efforts to provide customer incentives resulted in churn reaching an all-time low in the last quarter of 2015.<br \/>\nTwo trends, however, will raise the stakes for both breached companies and their victimized customers.<br \/>\nFirst, information that is not easily changed or replaced, such as Social Security numbers, is increasingly targeted by hackers.<br \/>\nIn 2015, for example, nearly 165 million records containing Social Security numbers were compromised in 338 breaches.<br \/>\nThe second trend is that companies are collecting more and different kinds of personal information about their users.<br \/>\nFor example, home video cameras frequently connect to a cloud service to store video.<br \/>\nAttackers 
could easily gain information on consumers through a breach of such a service.<br \/>\nOther devices that are part of the Internet of things\u2014from heart monitors to GPS-enabled trackers\u2014will only accelerate this trend.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=df02dad055&#038;e=20056c7556<\/p>\n<p>IT security skills remain in high demand<br \/>\nIT security tops the list of the skills that IT decision-makers say they want their team members to have, according to a new report by Global Knowledge, based on input from more than 10,000 IT and business professionals in North America.<br \/>\nOther in-demand skills include cloud computing, IT architecture, and network and systems engineering and operations.<br \/>\nOne in three IT decision-makers reported having difficulty finding skilled talent to fill cybersecurity positions, while one in five reported difficulty filling cloud-related roles.<br \/>\nSixty-two percent of IT decision-makers said their teams currently have measurable skills gaps or will likely have them within the next two years, and 70 percent said the gaps create increased stress on existing employees.<br \/>\nThree-fourths of this year\u2019s IT respondents said they use professional development to build new skills, and half said preparing for a career certification or specialist exam is a top motivator.<br \/>\nMore than 45 percent of those who did not train in the previous year blamed a lack of funds.<br \/>\nIT decision-makers who responded said the lack of training funds is also one of the driving reasons behind skills gaps in IT departments.<br \/>\nSeventy percent of application developers use one or more programming languages\u2014six different languages on average.<br \/>\nMore than 60 percent of the developers who responded said they use JavaScript, SQL and some version of HTML.<br \/>\nLink: 
http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=6eb272d22d&#038;e=20056c7556<\/p>\n<p>Windows 10 Build 14352 lets Windows Insiders run two antivirus programs on their PC<br \/>\nIf you install a third-party antivirus program, you can let it run as a real-time defense against all sorts of malware.<br \/>\nThe new feature, called Limited Periodic Scanning, allows Windows Defender to run periodically as well.<br \/>\nMicrosoft claims to scan 500 million devices each month for malware, and Windows Defender catches malware on 1 to 2 million of those at any given time.<br \/>\nHistorically, security experts have warned against running multiple antimalware programs at any one time.<br \/>\nIt\u2019s unclear whether Limited Periodic Scanning\u2014which can be toggled off\u2014will cause any additional headaches, or prove to be a good thing.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=071c7226d5&#038;e=20056c7556<\/p>\n<p>EU member states should stress-test banks\u2019 cyber risks<br \/>\nBEIJING, May 28 \u2014 Domestic authorities in European Union member states should stress-test their financial institutions for cyber risks, a top EU supervisor said, saying banks might be required to hold extra capital as a buffer against what is an emerging threat.<br \/>\nSpeaking to Reuters in Beijing today, Andrea Enria, chairman of the European Banking Authority (EBA), said cyber security had become an important issue for EU member states.<br \/>\nHe called on domestic regulators to stress-test local banks to understand the possible risks.<br \/>\n\u201cI would not run a massive cyber-risk attack scenario for 28 member states at the same time,\u201d said Enria. 
\u201cBut if you ask me would I recommend competent authorities to think more on this and consider running this type of stress test.<br \/>\nI would say yes.\u201d<br \/>\nThe EBA operates as a pan-EU regulator, writing and coordinating banking rules across the 28-country bloc.<br \/>\n\u201cWe are developing guidelines on IT risk, which are under the Pillar 2 framework \u2014 so how to assess cyber risk and how to assess the mitigating measures that banks are putting into place and, if shortcomings are identified, which types of measures supervisors can take under Pillar 2, including additional capital requirements,\u201d said Enria.<br \/>\nThe guidelines will be published by the EBA for public consultation later this year, Enria said.<br \/>\n\u201cWe are also discussing possible agreements on the regular exchange of information and cooperation at the supervisory level between the European and Chinese authorities,\u201d said Enria. \u2014 Reuters<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=b2a793f391&#038;e=20056c7556<\/p>\n<p>ITC Launches Investigation Into Chinese Hacking Of U.S. Steel Corp<br \/>\nThe U.S. International Trade Commission has officially started an inquiry into the hacking and theft of trade secrets from United States Steel Corporation (NYSE:X), allegedly by Chinese hackers.<br \/>\nChina\u2019s largest steel-producing province has ordered production cuts due to air pollution.<br \/>\nU.S. regulators on Thursday officially launched an investigation into complaints by United States Steel Corp. 
that Chinese competitors stole its secrets and fixed prices, in the latest trade spat between the two countries.<br \/>\nThe International Trade Commission said in a statement that it has not made any decisions on the merits of the case.<br \/>\nThe commission identified 40 Chinese steel makers and distribution subsidiaries as respondents, including Baosteel Group, Hebei Iron and Steel Group, Wuhan Iron and Steel Co Ltd., Maanshan Iron and Steel Group, Anshan Iron and Steel Group and Jiangsu Shagang Group.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=cc1593163c&#038;e=20056c7556<\/p>\n<p>48% of respondents\u2019 organisations still lack key cyber security personnel, says DarkMatter poll<br \/>\nDarkMatter, an international cyber security firm headquartered in the UAE, has found that 48% of respondents to its DarkMatter Cyber Security Poll say their organisations do not have a senior management executive assigned to oversee cyber security, while 46 per cent of respondents said their organisations did not have a Board-level representative responsible for cyber security.<br \/>\nThe statistics are extracted from a poll conducted by DarkMatter during the Gulf Information Security Expo &#038; Conference (GISEC) 2016 held in Dubai, at which the company was the Cyber Security Innovation Partner.<br \/>\nDarkMatter was able to poll the answers of over 200 information and communication technology (ICT) visitors present at the event, with the aim of the exercise being to identify attitudes held by enlightened ICT professionals towards the role of cyber security in modern, highly digitised economies, and the state of their organisations\u2019 cyber threat resilience.<br \/>\nThe poll identified that 23 per cent of respondents believe that their organisations have been victim to an internal cyber security breach, while 32 per cent believe their organisations have fallen victim to an external attack.<br \/>\nThis 
suggests external threats pose a greater threat to organisations\u2019 digital assets than internal ones, with a further poll result indicating 46 per cent of respondents believe cyber security breaches are most often the result of human factors.<br \/>\n34% of respondents said if their organisation was to experience a cyber security incident, they did not believe it possessed sufficient network monitoring capabilities to identify the breach in a timely fashion.<br \/>\nFurther, 49 per cent of respondents said they believed cyber security is ultimately the responsibility of the original equipment manufacturer (OEM) more than it is the organisation using it, which is a cause for concern as it may result in companies abdicating the responsibility of actively defending their data assets.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=ce37610670&#038;e=20056c7556<\/p>\n<p>SWIFT Eyeing New Tools to Spot Bank Fraud<br \/>\nLondon: The SWIFT secure messaging service, which banks use to transfer money around the world, outlined on Friday areas in which it hopes to improve security, following attacks in which hackers stole millions of dollars from banks in Bangladesh and Ecuador.<br \/>\nSWIFT said on Friday it would consult its users, which are also its owners, about new measures, including the potential to develop new tools that could allow it to spot fraudulent payment instructions.<br \/>\nIn future it may seek to check inside the messages to ensure payment instructions are consistent with customers&#8217; normal account patterns &#8212; akin to the checks retail banks conduct to spot unusual credit card transactions.<br \/>\nSWIFT said it will also look into requiring customers to use existing security measures, such as two-factor authentication of payment instructions, which are currently optional on the system.<br \/>\nThe group will also look at developing new audit frameworks such that larger banks offering 
correspondent banking services can confirm that their clients &#8212; often in developing countries &#8212; have appropriate security measures in place around their SWIFT terminal.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=8fdb07adfa&#038;e=20056c7556<\/p>\n<p>A Dire Lack of Knowledge about Ransomware Exists Despite Record Number of Infections<br \/>\nEvidently, an absence of knowledge about ransomware as a kind of malware explains why numerous PC operators have no idea how it can be tackled.<br \/>\nAmong the survey participants, 25% stated that a ransomware infection could best be eliminated by taking the PC offline, which actually isn&#8217;t the real solution.<br \/>\nThe group also thought that ransomware didn&#8217;t seize credit card information, SSN and bank account details.<br \/>\nFurther, even if it encrypted the folders containing those three kinds of information, PC owners could always turn to offline sources to recover them.<br \/>\nNaturally, it&#8217;s no wonder that such a large number of users become victims of ransomware infections today.<br \/>\nThe majority hardly know anything about it, let alone how to prevent it or stay safe from the places it is distributed from.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=e866bd73a1&#038;e=20056c7556<\/p>\n<p>Lloyds: cyber attacks down by up to 90pc<br \/>\nLloyds Banking Group has seen an 80pc to 90pc drop in cyber attacks as online criminals and fraudsters have switched their attention to other industries.<br \/>\nBusiness group TheCityUK warned that 75pc of fraud is now online, often through malicious email scams, indicating the scale of fraud shifting into the digital world.<br \/>\nYet Lloyds\u2019 digital boss Miguel-\u00c1ngel Rodr\u00edguez-Sola said there has been a sudden drop in cyber attacks on banks.<br 
\/>\n\u201cThere had been an increase in the UK in terms of cyber attacks, between June and February this year,\u201d he said, noting that denial of service (DDOS) attacks became particularly common.<br \/>\n\u201cWe needed to replan our digital development to make sure that we put in new defences, more layers. [The number of attacks] is now one-fifth or one-tenth of what it was last year,\u201d he said.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=8f0200d009&#038;e=20056c7556<\/p>\n<p>Retail Security Risks: 2016 Midyear Roundup<br \/>\nThe numbers are in: According to a new BDO report, a possible security breach is the biggest retail security risk, tied for the top spot with \u201cgeneral economic conditions.\u201d<br \/>\nAs noted by Graham Cluley, retailers face a particular subset of threats.<br \/>\nWhile large-scale distributed denial-of-service (DDoS) attacks often make headlines for their impact on big companies, just 5 percent of retailers come under fire from DDoS salvos.<br \/>\nWhy?<br \/>\nBecause it\u2019s in the best interest of cybercriminals to keep the flow of transactions moving; shutting down retail sites and network-connected point-of-sale (POS) machines means nothing to steal and no data to compromise.<br \/>\nAs 2016 rolls toward its halfway point, what threats are top of mind for retailers?<br \/>\nAccording to SC Magazine, POS malware AbaddonPOS is again making the rounds \u2014 aimed specifically at retailers.<br \/>\nFirst discovered in October 2015, it takes the form of an email campaign designed to drop TinyLoader and then the malware.<br \/>\nThe emails are highly personalized, with recipients\u2019 names, key company details and better-than-average grammar.<br \/>\nIn addition, the message displays an active spinner, which is typical of content loading in progress.<br \/>\nRetailers also face another problem: perception.<br \/>\nAccording to Retail Dive, new research from 
Tripwire showed a worrisome trend: Companies are overconfident in their ability to detect data breaches.<br \/>\nWhile 90 percent of those asked said they could detect a critical data breach in less than a week and 75 percent said they could do it in just 48 hours, only 55 percent of IT pros at firms with more than $100 million in revenue said they checked security compliance \u201cat least weekly.\u201d<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=91777d2fe4&#038;e=20056c7556<\/p>\n<p>Cybercrime Hit Businesses Hardest in 2015, says IC3 Report<br \/>\nBusinesses were hit hardest by inbox-based scams in 2015 that robbed U.S. companies of $263 million.<br \/>\nThe numbers come from the FBI\u2019s recently released 2015 Internet Crime Report that tallies the types of cybercrimes hitting U.S. businesses and individuals the hardest.<br \/>\nAccording to the FBI, its Internet Crime Complaint Center (IC3) received 288,012 complaints last year with total losses of $1.07 billion.<br \/>\nBy a longshot, Business Email Compromise (BEC) crimes overshadow all other types of crimes looked at by the FBI in 2015.<br \/>\nClassified as BEC, these crimes encompass businesses hit by inbox-based, financially motivated scams based on social engineering and computer intrusion techniques, resulting in financial loss via unauthorized transfers of funds.<br \/>\n\u201cVictims were instructed through spoofed emails, intercepted facsimiles, or telephone communications to redirect invoice remittance payments,\u201d read the report (PDF).<br \/>\nIn 2015, the IC3 received 7,838 BEC complaints with losses of over $263 million, the FBI reported.<br \/>\nStates losing the most to Business Email Compromise attacks were California ($64.5M in losses), New York ($23.5M in losses) and Florida ($19.6M in losses).<br \/>\nBut comparing the cost of BEC crimes to the aggregate cost of other crimes, it wasn\u2019t the states with the biggest dollar 
figure losses that were hit the hardest.<br \/>\nFor example, BEC crimes represented 47 percent of all losses to cyber-crime in South Carolina in 2015.<br \/>\nThat was followed by Nebraska (45 percent), Michigan (43 percent) and New York (41 percent).<br \/>\nPersonal data breach losses hit almost $43 million in 2015 based on about 20,000 complaints.<br \/>\nBy contrast, there were nearly 2,500 complaints about corporate data breaches, with total reported losses of $39 million.<br \/>\nIdentity theft losses totaled $57 million, and bogus investment scam losses reached $119 million in 2015.<br \/>\nExploit-related losses to victims included $1.6 million tied to 2,453 ransomware complaints.<br \/>\nPhishing and related email scams to individuals added up to $8 million in losses and malware\/scareware losses to individuals totaled $3 million.<br \/>\nLastly, virus losses totaled $1.2 million and DoS attacks were attributed to just under $3 million, according to the FBI\u2019s 2015 Internet Crime Report.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=7a3eea3caa&#038;e=20056c7556<\/p>\n<p>Prioritising threat intelligence<br \/>\nSteven Rogers advises steps that will allow security teams to prioritise threats based on relevant threat intelligence.<br \/>\n1. Begin with country blocking.<br \/>\nThe OFAC (Office of Foreign Assets Control) list is the best place to start.<br \/>\n2. Block high-fidelity URL-based IOCs (indicators of compromise).<br \/>\n3. Block specific malicious domain-based IOCs (indicators of compromise).<br \/>\n4. End-user education is a key line of defence.<br \/>\n5. 
\u201cIf you see something, say something.\u201d<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=c5c62420ab&#038;e=20056c7556<\/p>\n<p>ICIT Explains NIST Guide Impact on Healthcare Cybersecurity<br \/>\nThe National Institute of Standards and Technology (NIST) recently released its second draft of \u201cSystems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure System\u201d (SP 800-160).<br \/>\nIn an effort to help organizations across the board better understand the document, the Institute for Critical Infrastructure Technology (ICIT) published a condensed review of SP 800\u2013160.<br \/>\nICIT Co-founder and Senior Fellow James Scott explained that the purpose of the condensed review was to highlight key issues for entities and ensure that they comprehend how it can apply to them.<br \/>\nIt should be looked at as a set of strategies, and more of a checklist or starting point that can be utilized by organizations to introduce a cyber-hygienic and security-centric culture.<br \/>\nIt can also assist in creating best practices for entities.<br \/>\nOne of the main reasons that hospitals and healthcare organizations are highly sought-after targets is that their attack surfaces are so massive, according to Scott.<br \/>\nIn many cases, those surfaces are also unprotected.<br \/>\n\u201cThe sheer liquidity and capitalization that the adversary has on a successful exploit is also a factor,\u201d he said. 
\u201cBy applying SP800-160, and having a relationship with the device vendor to secure lifecycle security of that device, can help make sure that cybersecurity was taken into consideration before the planning, manufacturing of that device.\u201d<br \/>\nAnother key aspect of SP800-160 is informing staff members, he added.<br \/>\nEmployees at all levels need to be following proper healthcare cybersecurity guidelines; otherwise the entire organization could be put at risk.<br \/>\n\u201cThe good news is, there&#8217;s tons of tools and frameworks out there that can help you minimize the attack surface or threat,\u201d Scott maintained. \u201cI think that&#8217;s something that from a psychological perspective, might open up individuals\u2019 minds to actually say, \u2018Okay, I&#8217;m going to try reading this document.<br \/>\nI&#8217;m at least going to try.\u2019\u201d<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=8829add919&#038;e=20056c7556<\/p>\n<p>Data security is the most significant risk facing in-house counsel today<br \/>\nNew research from Kroll Ontrack\u2019s 2016 Corporate Risk survey suggests that in-house counsel perceive their organization\u2019s data as more protected than it really is, with respondents reporting data security as the most significant risk facing modern corporations.<br \/>\nIn fact, though 76 percent of the 170 corporate, in-house counsel surveyed believe that effective safeguards are in place protecting their organizations\u2019 intellectual property, the survey found that: 59 percent of the organizations\u2019 data breach or Incident Response (IR) plans are inadequate or non-existent; 41 percent reported that their company\u2019s IR plan is regularly updated and tested; and 20 percent say that they never discuss data security issues with their organization\u2019s head of technology.<br \/>\nTom Barce, director of consulting at Kroll Ontrack, sat down with Inside Counsel 
recently to talk to us about these cyber security and data privacy insights.<br \/>\nAlthough organizations are making progress, there is still a gap in understanding between in-house counsel and IT.<br \/>\nAccording to Barce, many in-house counsel either do not have enough or the right information, or the information they do have is not in a format they can digest.<br \/>\nSo, in turn, they do not have a realistic view into the organization\u2019s data management practices.<br \/>\nBarce said, \u201cIt boils down to the fact that consumer technology for personal use tends to be nimble and easy.<br \/>\nMeanwhile, corporations have to manage much more and that scale can create inefficiencies and frustration with technology.<br \/>\nIT leadership needs to strike the right balance to protect the company while empowering individuals.\u201d<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=ebb29ce0b2&#038;e=20056c7556<\/p>\n<p>How Security And IT Teams Can Get Along: 4 Ways<br \/>\nYou\u2019ve heard it all before: there\u2019s a glaring disconnect between the goals of the information security team and the IT group.<br \/>\nBut the rapid-fire evolution of both technology and cyberthreats could be just what ultimately unites them.<br \/>\n1) Integrate software development and security analyst teams.<br \/>\n2) Focus on the right metrics.<br \/>\n3) Security teams should operate like a consulting business.<br \/>\n4) Decouple security controls from IT technology.<br \/>\nSecurity is best known for saying \u201cno,\u201d Boison says.<br \/>\nBut it\u2019s time to change the conversation: security pros should think of the IT implications, and IT pros about the security implications.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=05ac41eeea&#038;e=20056c7556<\/p>\n<p>Got $90,000? 
A Windows 0-Day Could Be Yours<br \/>\nHow much would a cybercriminal, nation state or organized crime group pay for blueprints on how to exploit a serious, currently undocumented, unpatched vulnerability in all versions of Microsoft Windows?<br \/>\nThat price probably depends on the power of the exploit and what the market will bear at the time, but here\u2019s a look at one convincing recent exploit sales thread from the cybercrime underworld where the current asking price for a Windows-wide bug that allegedly defeats all of Microsoft\u2019s current security defenses is USD $90,000.<br \/>\nThe $90,000 Windows bug that went on sale at the semi-exclusive Russian language cybercrime forum exploit[dot]in earlier this month is in a slightly less serious class of software vulnerability called a \u201clocal privilege escalation\u201d (LPE) bug.<br \/>\nThis type of flaw is always going to be used in tandem with anoth<\/p>\n","protected":false},"excerpt":{"rendered":"<p>[From the desk of Paul Davis &#8211; his opinions and no-one else&#8217;s, apart from the reporter&#8217;s opinions ] I had a request to change the format of the date in the Subject line to make it easier to sort. So I made the change. 
* 11+ security questions to consider&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[29],"tags":[],"class_list":["post-2490","post","type-post","status-publish","format-standard","hentry","category-news"],"_links":{"self":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/2490","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=2490"}],"version-history":[{"count":1,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/2490\/revisions"}],"predecessor-version":[{"id":4977,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/2490\/revisions\/4977"}],"wp:attachment":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=2490"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=2490"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/tags?post=2490"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}