A Review of the Best News of the Week on CISO Views

Mr Robot season 3 episode Eps3.0_Power-Saver-Mode.H – the security review (Naked Security – Sophos, Oct 12 2017)
We take a look at the security concepts in the Mr Robot season 3 premiere.

Israel hacked Kaspersky, then tipped the NSA that its tools had been breached (Washington Post, Oct 12 2017)
The Russian cybersecurity firm is in the spotlight because of suspicions its products facilitate espionage.

Equifax Credit Assistance Site Served Spyware (Krebs on Security, Oct 12 2017)
Big-three consumer credit bureau Equifax says it has removed third-party code from its credit report assistance Web site that prompted visitors to download malicious software disguised as an update for Adobe’s Flash Player software.


My Big Fat Data Breach Cost Post, Part II (Varonis Blog, Oct 09 2017)
As a single number, the average is not the best way to understand a dataset, and breach cost averages are no exception. When the dataset is skewed or "heavy tailed", as breach costs are, the average is even less meaningful.

The Reason Business Doesn’t Take InfoSec Seriously (danielmiessler.com, Oct 08 2017)
The reason information security is not taken seriously by the board room and other senior executives is that we cannot translate risk into financial terms.

FERC terminates inquiry on cybersecurity controls for grid control centers (Utility Dive, Oct 06 2017)
FERC said comments it received indicated that current cybersecurity measures provide sufficient protection from cyberattacks and that some of the proposed modifications could pose operational risks.

Disqus breach exposed info on 17.5M between 2007-2012 (SC Magazine, Oct 10 2017)
A snapshot taken on the company’s 2012 database included user names, sign-up and last login dates and email addresses in plain text as well as passwords hashed using SHA1 with a salt for approximately one-third of users.

Global Tech Market Will Grow By 4% In 2018, Reaching $3 Trillion (Forrester Blogs, Oct 11 2017)
Forrester has published its mid-year global tech market outlook for 2017 and 2018 (see "Midyear Global Tech Market Outlook For 2017 To 2018"). In constant currencies, it projects that global purchases of technology software, hardware, and services by businesses and governments will grow by 3.4% in 2017 and by 4% in 2018.

The Race to Secure Voting Tech Gets an Urgent Jumpstart (Wired, Oct 10 2017)
The full report is out from this summer’s Defcon voting machine hack. And while there’s been some progress in securing America’s elections, experts fear it’s not coming fast enough.

Accenture inadvertently exposes highly sensitive corporate, client data online (Help Net Security, Oct 12 2017)
Corporate consulting giant Accenture left bucketloads of sensitive corporate and client data exposed online for anyone to access.

Deloitte Hack Compromised Government Emails (CIO Today, Oct 12 2017)
The hack into the accountancy giant Deloitte compromised a server that contained the emails of an estimated 350 clients, including four US government departments, the United Nations and some of the world’s biggest multinationals, the Guardian has been told.

Symantec Won’t Allow Third-Party Government Reviews Of Its Security Software (CRN, Oct 12 2017)
The move comes as competitors in the security space – including Kaspersky Lab and HPE – face backlash for their reported cooperation with third-party government reviews.

How to engage with the C-suite on cyber risk management, part 2 (CSO Online, Oct 10 2017)
How to engage with the C-suite on cyber risk management, part 2: qualify threats and prioritize risks.

Equifax Proves the CISOs Right (CSO Online, Oct 09 2017)
Are we witnessing a tipping point for an archaic cybersecurity framework based on SSNs?

How To Test Your MSSP/MDR? (Gartner Blog Network, Oct 11 2017)
“If you really knew how to test an MSSP properly, you likely didn’t need an MSSP.”

Hogan Orders Improved Maryland Cybersecurity Plan (Government Technology, Oct 06 2017)
Maryland Governor Larry Hogan issued an executive order Thursday instructing his Office of Homeland Security to implement an updated cybersecurity plan to ensure the state is prepared for current threats of electronic mischief.

Securing the Mergers and Acquisition Process With Trusted Access (The Duo Blog, Oct 11 2017)
Most CIOs and CISOs assume the immediate IT need is to merge the networks so that members of each organization can freely access any company applications necessary for business operations. But connecting the networks of two different companies without a concerted effort to understand the risks and mitigate them as appropriate can have disastrous consequences, including exposing sensitive data to unauthorized individuals and opening the door to data theft or a data breach.

Deputy Attorney General Rod Rosenstein Remarks on Encryption (Lawfare (blog), Oct 10 2017)
Our challenge extends far beyond the new technologies that our adversaries use to conduct new types of attacks. Our investigators and prosecutors already face a range of cyber issues that undermine the rule of law.

Akamai Acquires Nominum (Dark Reading, Oct 11 2017)
Purchase of DNS and enterprise cybersecurity solutions company is designed to bolster Akamai’s offering to telecom carriers.

Cybersecurity’s ‘Broken’ Hiring Process (Dark Reading, Oct 11 2017)
New study shows the majority of cybersecurity positions get filled at salaries above the original compensation cap, while jobs sit unfilled an average of six months.

Online school wants to train arts students in cybersecurity (New Scientist, Oct 13 2017)
Studying music? Good news, you may have the skills to work in cybersecurity. An online training platform launching next week in the UK

Why these cybersecurity researchers are automating vulnerability assessments (TechRepublic, Oct 12 2017)
System complexity is preventing humans alone from finding vulnerabilities, so researchers in the UK and at CMU are working to automate an online cybersecurity system support service to help analysts.

Security No. 1 Inhibitor to Microsoft Office 365 Adoption (Dark Reading, Oct 12 2017)
More businesses are switching to Office 365 despite fear of social engineering and ransomware attacks, but some remain wary.

How to survive the worsening cyber threat landscape (CSO Online, Oct 13 2017)
“Whether you look at breaches, whether you look at criminal activity, whether you look at nation-state activity, or even the sanctity of our elections, we’ve got to worry.”

The security tech stack is out of control, here is what to do about it (CSO Online, Oct 11 2017)
The importance of taking a multi-layered approach for CISOs to keep attacks at bay, combining prevention with detecting and acting upon suspicious activity as it is happening.