A Review of the Best News of the Week on Cybersecurity Management & Strategy

4 Years After Target, the Little Guy is the Target (Krebs on Security, Dec 28 2017)
Dec. 18 marked the fourth anniversary of this site breaking the news about a breach at Target involving some 40 million customer credit and debit cards. It has been fascinating in the years since that epic intrusion to see how organized cyber thieves have shifted from targeting big box retailers to hacking a broad swath of small to mid-sized merchants that accept credit cards.

SEC Plans Cybersecurity Guidance Refresh: What to Expect (BankInfoSecurity, Dec 29 2017)
The U.S. Securities and Exchange Commission is planning to update its 6-year-old cybersecurity guidance for how publicly traded firms report data breaches…

Post-Quantum Algorithms (Schneier on Security, Dec 27 2017)
NIST has organized a competition for public-key algorithms secure against a quantum computer. It recently published all of its Round 1 submissions. (Details of the NIST efforts and a timeline are linked.)

Facebook action hints at western retaliation over WannaCry attack (The Guardian, Dec 26 2017)
Site deletes accounts linked to Lazarus Group, hackers associated with North Korea that UK and US blame for ransomware

CISOs Play Rising Role In Business (Dark Reading, Dec 26 2017)
CISO hiring trends show more external hires, longer tenures, and an increase in MBAs as tech pros are required to understand the business.

Skyrocketing Bitcoin Fees Hit Carders in Wallet (Krebs on Security, Dec 26 2017)
Critics of unregulated virtual currencies like Bitcoin have long argued that the core utility of these payment systems lies in facilitating illicit commerce, such as buying drugs or stolen credit cards and identities. But recent spikes in the price of Bitcoin — and the fees associated with moving funds into and out of it — have conspired to make Bitcoin a less useful and desirable payment method for many crooks engaged in these activities.

The Section 702 Surveillance Debate Has Taken Place in the Dark (Wired, Dec 23 2017)
Several of the programs Snowden revealed are authorized under Section 702 of the Foreign Intelligence Surveillance Amendments Act. The 2008 law was scheduled to sunset on December 31, but in a last-ditch effort Thursday, Congress extended its authority through January 19. The Trump administration, meanwhile, believes that the authorization doesn’t really expire until April, leaving lawmakers several months to either reform or strengthen the provision. Hanging in the balance is the legal framework the government largely relies on to conduct mass surveillance of foreigners, and of Americans who communicate with them.

The Coolest Hacks of 2017 (Dark Reading, Dec 27 2017)
Robots, voting machines, machine learning, and the wind were among the hacks security researchers pulled off this year.

2017 Mergers & Acquisitions (SC Magazine, Dec 22 2017)
January 23 – IBM Security acquires Agile 3 Solutions
January 31 – Radware acquires Seculert
February 7 – Malwarebytes acquires Saferbytes…and more

What is cyber security? How to build a cyber security strategy (CSO Online, Dec 27 2017)
Organizations face many threats to their information systems and data. Understanding all the basic elements of cyber security is the first step to meeting those threats.

NAIC Adopts Model Law on Cybersecurity: Will States Adopt It? (The Legal Intelligencer, Dec 27 2017)
The National Association of Insurance Commissioners (NAIC) formally approved the Insurance Data Security Model Law (model law). The NAIC is a standard-setting and regulatory support organization consisting of the top insurance regulators from the 50 states, the District of Columbia, and five U.S. territories.

The economics of cybersecurity (SC Magazine, Dec 27 2017)
A few examples of how states and national task forces are banking on cybersecurity initiatives.

Cyber legislation is teed up for action in 2018, if Congress can find the time (Washington Examiner, Dec 27 2017)
Congress faces a compressed election-year calendar, although data-breach legislation seems likely to get attention starting this winter.

Threat modeling: A critical, yet underused, element of cybersecurity risk analysis (TechRepublic, Dec 29 2017)
How likely is it that a hacker will try to steal your business or personal data? The threat modeling approach to security risk assessment is one way to find out.