A Review of the Best News of the Week on Cybersecurity Management & Strategy

In a first, U.S. blames Russia for cyber attacks on energy grid (Reuters, Mar 15 2018)
The Trump administration on Thursday blamed the Russian government for a campaign of cyber attacks stretching back at least two years that targeted the U.S. power grid, marking the first time the United States has publicly accused Moscow of hacking into American energy infrastructure.

Former Equifax CIO Charged With Insider Trading (SecurityWeek, Mar 14 2018)
The United States Securities and Exchange Commission (SEC) said it has charged Jun Ying, former chief information officer (CIO) of a business unit of Equifax, with insider trading in connection with the massive data breach disclosed in late 2017 that put millions of customers at risk.

Binance offers $250,000 for info about hackers who targeted its users (Help Net Security, Mar 12 2018)
Binance, the popular Chinese cryptocurrency exchange with a focus on crypto-to-crypto trading, has put a $250,000 bounty on the heads of the hackers who tried to pull off a heist earlier this month by compromising user accounts.

Sponsored by LogRhythm
SIEM Magic Quadrant
Gartner Positions LogRhythm in SIEM Leaders Quadrant for 5th Consecutive Year. Get the report

The Disclosure of AMD’s Chip Flaws is Shrouded in Shadiness (PCMag, Mar 14 2018)
An Israeli security firm is facing some backlash for the way it disclosed 13 security vulnerabilities it allegedly found in AMD chips.

YouTube Will Link Directly to Wikipedia to Fight Conspiracy Theories (Wired, Mar 13 2018)
After a series of scandals related to misinformation, YouTube CEO Susan Wojcicki announced the company would begin directing users to sources like Wikipedia.

A Cyberattack in Saudi Arabia Had a Deadly Goal. Experts Fear Another Try. (New York Times, Mar 16 2018)
Petrochemical companies were hit by a series of cyberassaults last year. The worst of them, against a widely used safety system, could have set off an explosion.

Who Is Afraid of More Spams and Scams? (Krebs on Security, Mar 16 2018)
Security researchers who rely on data included in Web site domain name records to combat spammers and scammers will likely lose access to that information for at least six months starting at the end of May 2018, under a new proposal that seeks to bring the system in line with new European privacy laws. The result, some experts warn, will likely mean more spams and scams landing in your inbox.

Does a Hacker Hero Always Have to Have a Past? (NYMag, Mar 16 2018)
Marcus Hutchins single-handedly stopped one of the most dangerous cyberattacks ever. Then the FBI arrested him.

What CISOs Should Know About Quantum Computing (Dark Reading, Mar 13 2018)
As quantum computing approaches real-world viability, it also poses a huge threat to today’s encryption measures.

Palo Alto Networks to Acquire CIA-Backed Cloud Security Firm Evident.io for $300 Million (SecurityWeek, Mar 14 2018)
Pleasanton, Calif.-based Evident.io’s flagship Evident Security Platform (ESP) helps customers reduce cloud security risk by minimizing the attack surface and improving overall security posture. ESP can continuously monitor AWS and Microsoft Azure deployments, identify and assess security risks, provide security teams with remediation guidance, along with providing security auditing and compliance reporting by analyzing configurations of services and account settings against security and compliance controls.

Two New Papers on the Encryption Debate (Schneier on Security, Mar 12 2018)
Seems like everyone is writing about encryption and backdoors this season.
“Policy Approaches to the Encryption Debate,” R Street Policy Study #133, by Charles Duan, Arthur Rizer, Zach Graves and Mike Godwin.
“Encryption Policy in Democratic Regimes,” East West Institute.

77% of Businesses Lack Proper Incident Response Plans (Dark Reading, Mar 14 2018)
New research shows security leaders have false confidence in their ability to respond to security incidents.

Who owns identity and access management? (CSO Online, Mar 13 2018)
Traditionally, security was not only the owner of such data, but much like a slow network connection to a stock trader, security is often also a bottleneck to business agility. These delays lead to adversarial relationships between security and the business that grow into mistrust, shadow IT, and an ultimate lack of governance as the business starts swiping their credit cards into online services.

Minority Cyber-Pros Are Better Educated but Paid Less (Infosecurity Magazine, Mar 15 2018)
Minority representation is higher than in the broader workforce, but these pros are disproportionately found in non-management roles.

Increasing Board Accountability and Expertise Is Critical to Security and Risk Management (Infosec Island, Mar 09 2018)
The Board of Directors (BoD) is ultimately responsible for the future of their company. Shareholders expect that the companies they have invested in will follow through on specific, well-informed plans to mitigate risk in every form.

Privacy Laws and Cybersecurity Sleuthing: When Worlds Collide (IBM Security Intelligence, Mar 12 2018)
WHOIS data isn’t going away — don’t panic — but there are uncertainties about its future and how it will be impacted by cybersecurity privacy laws, such as the EU’s General Data Protection Regulation.

A Secure Enterprise Starts with a Cyber-Aware Staff (Dark Reading, Mar 14 2018)
An attack doesn’t have to be super high-tech to cause a lot of damage. Make sure your employees know how to spot an old-fashioned phishing campaign.

Judge rules U.S. breach victims can sue Yahoo (SC Magazine, Mar 13 2018)
A federal judge in California Friday ruled Yahoo must face many of the claims brought against the firm in a lawsuit over the company’s massive data breaches.

India’s cyber security chief avoids netbanking (Times of India, Mar 16 2018)
India News: Even as the government promotes more digital transactions, the country’s cyber security chief Gulshan Rai said on Thursday he rarely does any internet

Centering Your Security Strategy on Leadership, Resilience and Fundamentals (Infosec Island, Mar 16 2018)
Companies that prioritize well-equipped security programs and widespread security awareness are more prepared to grow, innovate and compete.