A Review of the Best News of the Week on Cybersecurity Management & Strategy

Facebook bug bounty program paid out $880K in 2017 (SC Magazine, Jan 12 2018)
The 2017 number brings the total payout for the six-year program to $6.3 million. Facebook received upwards of 12,000 submissions last year with most of the more than 400 valid submissions coming from researchers in India, the U.S. and Trinidad & Tobago.

NSA Morale (Schneier on Security, Jan 09 2018)
The articles point to many factors: the recent reorganization, low pay, and the various leaks. I have been saying for a while that the Shadow Brokers leaks have been much more damaging to the NSA — both to morale and operating capabilities — than Edward Snowden.

Threat Simulation – How real does it have to be? (Gartner, Jan 09 2018)
Tools that automate exploitation have been around for years; we can mention things like Metasploit, Core Impact, CANVAS and others. Those are tools used by pentesters so they don’t need to rewrite their exploits for each specific condition they find during their test. So what’s different in the new wave of tools?

Sponsored by LogRhythm
SIEM Magic Quadrant
Gartner Positions LogRhythm in SIEM Leaders Quadrant for 5th Consecutive Year. Get the report

Vulnerability Management: The Most Important Security Issue the CISO Doesn’t Own (Dark Reading, Jan 08 2018)
Information security and IT need to team up to make patch management more efficient and effective. Here’s how and why.

CISOs’ Cyber War: How Did We Get Here? (Dark Reading, Jan 09 2018)
We’ve come to accept software vulnerabilities as part of the package, but the question is why? Why are vulnerabilities part of doing business? The simple answer is unavoidable: market pressure.

The Bane of All Security Tests: Acting on Results (Gartner Blog Network, Jan 10 2018)
How do you prioritize this finding vs other security action items?
What is your additional risk due to this finding?
How do you act on this if your existing tools have just been proven to not stop/detect it?

Here’s how, and why, the Spectre and Meltdown patches will hurt performance (Ars Technica, Jan 11 2018)
Now that microcode and patches are starting to ship, a clearer picture is emerging.

Finnish cybersecurity firm detects new Intel security flaw (The Straits Times, Jan 12 2018)
A new security flaw has been found in Intel hardware which could enable hackers to access corporate laptops remotely, Finnish cybersecurity specialist F-Secure…

Encryption an ‘urgent public safety issue,’ FBI chief says (CNET, Jan 11 2018)
The FBI director says his agency was unable to access the contents of nearly 7,800 devices last year, despite legal authority.

Yet Another FBI Proposal for Insecure Communications (Schneier on Security, Jan 11 2018)
Rosenstein is right that many services like Gmail naturally keep plaintext in the cloud. This is something we pointed out in our 2016 paper: “Don’t Panic.” But forcing companies to build an alternate means to access the plaintext that the user can’t control is an enormous vulnerability.

ACLU says House surveillance bill increases likelihood of abuse (SC Magazine, Jan 08 2018)
The bill would let federal agencies, including the FBI, the broad authority to sift without a warrant through data gather under Section 702 for information about Americans, prior to opening an active investigation.

Cybersecurity and the 2017 US National Security Strategy (Schneier on Security, Jan 10 2018)
Commentaries on the 2017 US national security strategy by Michael Sulmeyer and Ben Buchanan….

Elizabeth Warren Wants Companies That Expose Your Data To Hackers To Pay Up (HuffPost, Jan 11 2018)
Equifax would have paid $1.5 billion in penalties for its data breach last summer if this proposed legislation had been in effect.

New NIST Forensic Tests Help Ensure High-Quality Copies of Digital Evidence (Forensic Focus, Jan 11 2018)
Data found on a suspect’s computer, cell phone or tablet can prove to be crucial evidence in a legal case. A new set of software tools developed at the National Institute of Standards and Technology (NIST) aims to make sure this digital evidence will hold up in court.

How to disrupt attacks caused by social engineering (Microsoft Secure, Jan 10 2018)
According to the Verizon data breach investigation report from 2016, 30 percent of phishing emails were opened. It took a recipient an average of only 40 seconds to open the email and an additional 45 seconds to also open the malicious attachment. 89 percent of all phishing emails were sent by organized crime syndicates and 9 percent by state-sponsored threat actors.

Man charged with spying on thousands of Mac users for 13 years (Naked Security – Sophos, Jan 12 2018)
The technical description of the “Fruitfly” malware is spyware – but perhaps the term creepware would be more appropriate.

Cyxtera acquires Immunity Inc. (Help Net Security, Jan 08 2018)
Cyxtera Technologies has entered into a definitive agreement to acquire privately-held Immunity Inc, a provider in offense-oriented systems vulnerability research, exploit development and penetration testing services.

20 Cybersecurity Vendors Getting Venture Capital Love (Dark Reading, Jan 09 2018)
VCs splashed a record $4B in funding in the cybersecurity pool – here are some highlights among the early- to middle-stage startups who snagged big deals last year.

SolarWinds acquires log-monitoring service Loggly (TechCrunch, Jan 08 2018)
SolarWinds, the company behind services like Pingdom, Papertrail and AppOptics, today announced that it has acquired the cloud-based log-monitoring and analytics service Loggly.

Threatcare Acquires Savage Security (Dark Reading, Jan 09 2018)
The deal expands Threatcare’s business beyond its breach and attack simulation platform to include services and applied research.