A Review of the Best News of the Week on CISO Views

Whole Foods Market investigating payment card breach (CSO Online Salted Hash, Sep 28 2017)
Supermarket chain says taprooms and full table-service restaurants are the source of unauthorized card access.

Source: Deloitte Breach Affected All Company Email, Admin Accounts (Krebs on Security, Sep 25 2017)
Deloitte, one of the world’s “big four” accounting firms, has acknowledged a breach of its internal email systems, British news outlet The Guardian revealed today. Deloitte has sought to downplay the incident, saying it impacted “very few” clients. But according to a source close to the investigation, the breach dates back to at least the fall of 2016, and involves the compromise of all administrator accounts at the company as well as Deloitte’s entire internal email system.

Broadening HSTS to secure more of the Web (Google Online Security Blog, Sep 27 2017)
Google announces that it is beginning to use the HTTP Strict Transport Security (HSTS) preload list in a new and more impactful way. The HSTS preload list is built into all major browsers (Chrome, Firefox, Safari, Internet Explorer/Edge, and Opera). It consists of a list of hostnames for which browsers automatically enforce HTTPS-secured connections.

Tracking phones without a warrant ruled unconstitutional (Naked Security – Sophos, Sep 22 2017)
Stingray use without a warrant violates the 4th Amendment.

Stepping up protection with intelligent security (Microsoft Secure Blog, Sep 25 2017)
At its Ignite conference, Microsoft talks about its built-in security capabilities. These span five areas: protecting at the front door, protecting data anywhere, achieving data security compliance objectives, detecting and recovering from attacks, and managing the security tool set.

How Belgium deals with credit without Equifax, Experian, and TransUnion (Yahoo Finance, Sep 26 2017)
Belgium has a different system of credit reporting that uses a public registry instead of private credit companies like Equifax, Experian, and TransUnion. Belgium’s solution has been its own public credit bureau, housed at the National Bank of Belgium, the country’s central bank.

Another thug learns that SWATting Brian Krebs is a bad idea (Naked Security – Sophos, Sep 26 2017)
Things have not gone well for Krebs’ tormentors…

Equifax C.E.O. Richard Smith Is Out After Huge Data Breach (The New York Times, Sep 26 2017)
Mr. Smith faced intense criticism for a data breach that exposed the personal information of up to 143 million people, as well as Equifax’s response to the crisis.

The Curse of A Black MSSP (Gartner Blog Network, Sep 25 2017)
I think I accidentally discovered a new curse: The Curse of a Black MSSP. In recent weeks I’ve spoken to several organizations who have fallen to this particular affliction.

Improving cybersecurity governance in the boardroom (CSO Online, Sep 27 2017)
To tackle increasing data threats, companies need to put cybersecurity at the very heart of the business.

MACH37 Announces the Fall 2017 Class of Cybersecurity Startups (Mach 37 Press, Sep 27 2017)
MACH37 announces 6 startups participating in its Fall program.

Here’s the Latest About What the SEC Hackers Stole (Fortune, Sep 27 2017)
Hackers breached the U.S. Securities and Exchange Commission’s computer system last year by taking advantage of companies that used authentic financial data when they were testing the agency’s corporate filing system, according to sources familiar with the matter.

Should CISOs join CEOs in the C-suite? (CSO Online, Sep 27 2017)
Chief information security officers (CISOs) are a unique C-level breed. Historically, they’ve been two steps removed from CEOs, reporting to CIOs. But the times are a changin’ for CISOs, and they are starting to receive C-suite invitations.

How the Value Outweighs the Cost of Security (Security Intelligence, Sep 27 2017)
Regardless of a company’s size, the value of building a strong security posture will always outweigh the cost of security.

Which security investments make a difference? (Help Net Security, Sep 27 2017)
The costly consequences businesses are suffering highlight the growing importance of strategically planning and closely monitoring security investments.

First Female White House CIO on Cybersecurity Talent (Huffington Post, Sep 27 2017)
Many hiring managers are leaving women and minority candidates on the sidelines by chasing the same resumes, the same degrees and the same alphabet soup of certifications in qualified candidates.

CISOs Offer Soup-to-Nuts C-Suite Strategy (Dark Reading, Sep 29 2017)
Chief information security officers from Dell, RCB Bank and other organizations share what it takes to become a security exec, sit in the C-Suite, and keep the job.

Key Security Innovations Focus on Policy and Tech (Dark Reading, Sep 28 2017)
Members of the New York Cyber Task Force (NYCTF) argue strategic innovations have been as important, if not more so, than technical advancements for improving cybersecurity. The group released a report following two years of examining ways to improve security defense.

Cyber Criminals Win Playing the Insider Game (FireEye Executive Perspective, Sep 19 2017)
Insider stock trading is commonly associated with employees at an organization who have access to privileged information. In recent years, that privileged information has entered the crosshairs of cyber criminals seeking to gain a competitive edge in stock trading.

Only 45% of organizations have a structured plan for GDPR compliance (Help Net Security, Sep 29 2017)
Only 45% of organizations have a structured plan in place for compliance and 58% indicate that they are not fully aware of noncompliance consequences.