A Review of the Best News of the Week on Cybersecurity Management & Strategy

Yahoo Agrees to $80 Million Settlement with Investors (Dark Reading, Mar 08 2018)
Investors alleged that Yahoo intentionally misled them about its cybersecurity practices.

New Job Alert: Virtual CISO (Gartner Blog Network, Feb 28 2018)
For organizations that need to fill the leadership role or comply with regulations, but are not in a position to bring in a full-time and costly qualified CISO, the virtual CISO, a combination of staff augmentation, consultant, advisor and strategist, could be an option that provides executive leadership qualities, security program deliverables and oversight, and that is also privy to your budgetary concerns. But…

Evolving to Security Decision Support: Laying the Foundation (Securosis, Mar 05 2018)
“You have the basic capabilities to make better security decisions. Then the key is to integrate these practices into your day-to-day activities.”

The UK and Australian Governments Are Now Monitoring Their Gov Domains on Have I Been Pwned (Troy Hunt, Mar 01 2018)
If I’m honest, I’m constantly surprised by the extent of how far Have I Been Pwned (HIBP) is reaching these days. This is a little project I started whilst killing time in a hotel room in late 2013 after thinking “I wonder if people actually know where their data has been exposed?”

International Women’s Day: Women in security weigh in (SC Magazine, Mar 08 2018)
Women in cybersecurity have accomplished some amazing feats and are bringing their talents to bear. The industry still has a long way to go to achieve true diversity, though. Today, SC Media is highlighting women who have made their mark in cybersecurity.

Why Cybersecurity Is About More Than Prevention-Focused Products (Forbes, Mar 05 2018)
Effective threat detection and response requires having dedicated security experts on your IT team who are experienced in forensic analysis and triage. They must be able to diagnose threats and weed out false-positive alerts from ones that require real investigation.

Getting an ROI for Your IoT Cybersecurity Investment (IT Pro, Mar 01 2018)
Why investing in IoT cybersecurity “buckets” is a losing strategy.

More Security Vendors Putting ‘Skin in the Game’ (Dark Reading, Mar 05 2018)
Secure messaging and collaboration provider Wickr now publicly shares security testing details of its software.

Web App Security Firm Netsparker Raises $40 Million (SecurityWeek, Mar 08 2018)
Web application scanner company Netsparker announced on Thursday that it has raised $40 million from San Francisco-based growth and private equity firm Turn/River.

History of the US Army Security Agency (Schneier on Security, Mar 08 2018)
Interesting history of the US Army Security Agency in the early years of Cold War Germany….

McAfee Closes Acquisition of VPN Provider TunnelBear (Dark Reading, Mar 08 2018)
This marks McAfee’s second acquisition since its spinoff from Intel last year.

Tenable Launches Lumin Cyber-Exposure Benchmarking Platform (eWEEK, Mar 09 2018)
New feature on Tenable’s cloud-delivered services platform aims to help organizations better understand and prioritize vulnerabilities.

Penn. AG sues Uber over breach, delayed notification (SC Magazine, Mar 05 2018)
Pennsylvania’s attorney general is suing Uber for delaying, for more than a year, disclosure of a breach that exposed the personal information, such as driver’s licenses, of 57 million customers and drivers.

Spear phishing campaign against Turkish financial institutions appears tied to North Korea (SC Magazine, Mar 08 2018)
The reputed state-sponsored North Korean hacking group Hidden Cobra has once again been fingered in a malware attack against financial organizations — this time apparently targeting Turkish institutions in a spear phishing campaign in early March.

Pragmatic Security: 20 Signs You Are ‘Boiling the Ocean’ (Dark Reading, Mar 06 2018)
Ocean-boiling is responsible for most of the draconian, nonproductive security policies I’ve witnessed over the course of my career. Here’s why they don’t work.

CERT.org Goes Away, Panic Ensues (Dark Reading, Mar 05 2018)
Turns out the Carnegie Mellon CERT just moved to a newly revamped CMU Software Engineering Institute website.

How to choose a penetration testing service (Help Net Security, Mar 06 2018)
Choosing the same vendor regularly has its apparent pros and cons. The convenience of onboarding, depth of knowledge, and less preparation and planning time are common benefits of staying with a pen testing vendor. However…

Games site customers offered $5 voucher after credit card breach (Naked Security – Sophos, Mar 06 2018)
Games developer Nippon Ichi Software (NIS) has admitted that a recent hack has put some of its customers at risk of credit card fraud.

IT pros don’t learn from cyberattacks, study (SC Magazine, Mar 05 2018)
46 percent of IT professionals don’t change their security strategy after a cyberattack, according to a recent CyberArk survey.

Global security trends for 2018: GDPR, identity and access security (Help Net Security, Mar 07 2018)
Versasec found Europe’s General Data Protection Regulation (GDPR) is impacting security planning around the world, smart card deployment is on the rise, and that many companies continue to rely on the inadequate protection offered by user names and passwords alone.