A Review of the Best News of the Week on Cybersecurity Management & Strategy

15,000+ RSAC Speaking Submissions: How The World Talks Security (RSA Conference, Mar 28 2018)
The report titled “Striking Security Gold” mines a decade’s worth (~15,000) of Call for Paper (CFP) submissions from 2009 to the upcoming 2018 conference.

Under Armour says unauthorized third party accessed 150M MyFitnessPal accounts (SC Magazine, Mar 29 2018)
The affected data included usernames, email addresses and hashed passwords.

Facebook and Cambridge Analytica (Schneier on Security, Mar 29 2018)
But for every article about Facebook’s creepy stalker behavior, thousands of other companies are breathing a collective sigh of relief that it’s Facebook and not them in the spotlight. Because while Facebook is one of the biggest players in this space, there are thousands of other companies that spy on and manipulate us for profit.

Sponsored by LogRhythm
SIEM Magic Quadrant
Gartner Positions LogRhythm in SIEM Leaders Quadrant for 5th Consecutive Year. Get the report

Analysis of 560 incidents demonstrates need for cyber resilience (Help Net Security, Mar 28 2018)
The report shows that phishing remained the leading cause of incidents at 34 percent, followed by network intrusions at 19 percent, inadvertent disclosure (such as an employee mistake) at 17 percent and stolen or lost devices/records at 11 percent. A new category this year is system misconfiguration, which reflects instances where unauthorized individuals gain access to data stored in the cloud because permissions were set to “public” instead of “private,” and was responsible for six percent of incidents.

The Next Cold War Is Here, and It’s All About Data (Wired, Mar 28 2018)
The General Data Protection Regulation coming to Europe this spring emphasizes how different societies value personal data and privacy.

My next start-up, Bit Discovery (Jeremiah Grossman, Mar 27 2018)
The biggest and most important unsolved problem in Information Security, arguably all of IT, is asset inventory. Rather, the lack of an up-to-date asset inventory that includes all websites, servers, databases, desktops, laptops, data, and so on. Strange as it sounds, the vast majority of organizations with more than even a handful of websites simply do not know what they are, where they are, what they do, or who is responsible for them.

Boeing Computers Hit by WannaCry (Infosecurity Magazine, Mar 29 2018)
Aerospace giant’s South Carolina facility gets a nasty surprise

Legal Departments Struggle with GDPR Role (Infosecurity Magazine, Mar 28 2018)
About half (48%) of legal team respondents in a recent survey claim GDPR is not applicable to their organization.

Omitting the “o” in .com Could Be Costly (Krebs on Security, Mar 29 2018)
Take care when typing a domain name into a browser address bar, because it’s far too easy to fat-finger a key and wind up somewhere you don’t want to go. For example, if you try to visit some of the most popular destinations on the Web but omit the “o” in .com (and type .cm instead), there’s a good chance your browser will be bombarded with malware alerts and other misleading messages — potentially even causing your computer to lock up completely. As it happens, many of these domains appear tied to a marketing company whose CEO is a convicted felon and once self-proclaimed “Spam King.”

New York City is launching public cybersecurity tools to keep residents from getting hacked (TechCrunch, Mar 30 2018)
When it launches this summer, New York residents will be able to download a free app called NYC Secure. The app will alert smartphone users to potential threats on their devices and offer tips for how to stay secure, “such as disconnecting from a malicious Wi-Fi network, navigating away from a compromised website, or uninstalling a malicious app.”

Netflix, Dropbox promise not to sue security researchers, with caveats (Help Net Security, Mar 23 2018)
Netflix and Dropbox have both noted recently that they won’t sue security researchers who find and disclose vulnerabilities in their products. The only caveat is: the researchers must conduct the research in line with their vulnerability disclosure policy and bug bounty program guidelines.

Automating Ethics for Cybersecurity (Dark Reading, Mar 28 2018)
Having a code of ethics and enforcing it are two different things.

Bad Microsoft Meltdown Patch Made Some Windows Systems Less Secure (Threatpost, Mar 28 2018)
Researcher Ulf Frisk has created a proof-of-concept exploit demonstrating that Microsoft’s January Patch Tuesday update made security matters worse when it comes to memory vulnerabilities associated with Intel’s CPU bug Meltdown.

Organizations blame legacy antivirus protection for failed ransomware prevention (Help Net Security, Mar 29 2018)
More than half (53 percent) of U.S. organizations that were infected with ransomware blamed legacy antivirus protection for failing to prevent the attack, according to SentinelOne. Nearly 7 out of 10 of these companies have replaced legacy AV with next-gen endpoint protection to prevent future ransomware infections.

7 points CEOs need to know about Spectre and Meltdown (SC Magazine, Mar 29 2018)
Use these talking points to get your top management up-to-speed on the disturbing chip design flaw.

The Risk of the “Risk Bias” (Gartner Blog Network, Mar 27 2018)
“No one ever got fired for buying IBM” is a phrase we’ve all heard. Today, that might change to a variety of other leading vendors. It’s often the legitimate reason that newer vendors bring up when talking about their growth challenges. Effectively many organizations have a risk bias when it comes to projects—-they prefer the safer route, even if the rewards may not be as great.

DoJ Indicts 9 Iranians for Hacking into Hundreds of Universities, FERC, Dept. of Labor, Others (Dark Reading, Mar 23 2018)
Suspects were operating on behalf of Iranian government and the Iranian Revolutionary Guard, US officials said.

Security industry reacts to UK police cyber-crime budget revelations (SC Magazine, Mar 23 2018)
As UK police forces are revealed to have spent just £1.3 million on cyber-crime training in the last three years, security industry response is damning.

San Diego Sues Experian Over ID Theft Service (Krebs on Security, Mar 23 2018)
The City of San Diego, Calif. is suing consumer credit bureau Experian, alleging that a data breach first reported by KrebsOnSecurity in 2013 affected more than a quarter-million people in San Diego but that Experian never alerted affected consumers as required under California law.

Illinois sues Facebook, Cambridge Analytica for privacy violations (SC Magazine, Mar 27 2018)
Even a public apology and a pledge to regain public trust by implementing greater privacy protections aren’t enough to fend off a probes by the Federal Trade Commission (FTC) and the Massachusetts Attorney General – and now a lawsuit by the state of Illinois filed over the weekend.