A Review of the Best News of the Week on Cybersecurity Management & Strategy

Spectre and Meltdown: what you need to know (Google Online Security Blog, Jan 03 2018)
With all the security predictions for 2018, nobody predicted that Google’s Project Zero team would discover serious security flaws caused by “speculative execution,” a technique used by most modern processors (CPUs) to optimize performance.

More details about mitigations for the CPU Speculative Execution issue (Google Online Security Blog, Jan 04 2018)
“Yesterday, Google’s Project Zero team posted detailed technical information on three variants of a new security issue involving speculative execution on many modern CPUs. Today, we’d like to share some more information about our mitigations and performance.”

Meltdown and Spectre Side-Channel Vulnerability Guidance (US-CERT, Jan 05 2018)
CERT lists available advisories and patches. Because the vulnerability exists in CPU architecture rather than in software, patching may not fully address these vulnerabilities in all cases.




Reading privileged memory with a side-channel (Google Project Zero, Jan 05 2018)
For those interested in the technical details of the Meltdown and Spectre flaws…

CISO 2.0: Where You Need to Be (Recorded Future, Dec 21 2017)
It’s very easy to fall into a kind of myopic view of cybersecurity — one that heavily embraces the sexier “cyber” elements in lieu of the not-so-sexy (even mundane) practical components of an information security program.

CISOs should examine commercial SOAPA offerings in 2018 (CSO Online, Jan 04 2018)
Leading vendors are putting together proprietary security operations and analytics platform architecture (SOAPA) solutions. CISOs should establish an evaluation team tasked with looking for viable options.

21st Century Oncology Faces $2.3M HIPAA Settlement Cost after Breach (Dark Reading, Dec 29 2017)
Company to pay US Department of Health and Human Services over potential HIPAA violations after patient medical data was stolen by cyberthieves.

How DHS Protects Federal Networks by Breaking into Them (FedTech, Jan 03 2018)
The Department of Homeland Security’s National Cybersecurity Assessments and Technical Services team is beefing up its role in securing federal IT and critical infrastructure.

3 Resolutions to Turn GRC Failure Into IRM Success (Gartner Blog Network, Jan 03 2018)
As we begin the new year, many of our clients are searching for ways to turn their failures with Governance, Risk and Compliance (GRC) technology into successful Integrated Risk Management…

Why a controversial cybersecurity prediction about IDS from 2003 is still relevant (CSO Online, Jan 03 2018)
The complicating factors that prompted a technology analyst to label the market as obsolete 14 years ago still persist today; it remains a rallying cry for greater security innovation.

Barracuda Hooks PhishLine in Social Engineering Security Acquisition (Dark Reading, Jan 03 2018)
Barracuda plans to use PhishLine’s user awareness training to protect against targeted email-based attacks.

The Argument for Risk-Based Security (Dark Reading, Jan 02 2018)
A scanner can identify a vulnerability, but only a deep understanding of cyber exposure will tell you about the seriousness of that risk. Here’s how and why.

IP address errors lead to wrongful arrests (Naked Security – Sophos, Jan 02 2018)
It’s not just typos that result in errors tracing an IP number back to a residential address.

Uber’s Biggest Mistake: It Wasn’t Paying Ransom (Dark Reading, Jan 04 2018)
Rather than scrambling to deal with attacks after the fact, companies need to focus on improving detection capabilities with tools that help them work within data laws, not outside of them.

Inside McAfee’s Acquisition of Skyhigh Networks (SecurityWeek, Jan 05 2018)
“McAfee’s strategy,” he said, “is all about security from the device to the cloud, and supporting organizational defense with all the information that comes from both of those places. McAfee currently has a very strong set of technologies on the endpoint, on the devices — but what the Skyhigh acquisition does is provide a very powerful control point in the cloud for a wide range of cloud security use cases.”

Federal DMARC Adoption Report, Secure your Email (Agari, Jan 03 2018)
68% of all Federal domains lack a DMARC policy, leaving their citizens and agencies open to email cyber attacks.

Serial Swatter “SWAuTistic” Bragged He Hit 100 Schools, 10 Homes (Krebs on Security, Jan 02 2018)
The individual who allegedly made a fake emergency call to Kansas police last week that summoned them to shoot and kill an unarmed local man has claimed credit for raising dozens of these dangerous false alarms — calling in bogus hostage situations and bomb threats at roughly 100 schools and at least 10 residences.