A Review of the Best News of the Week on Cybersecurity Management & Strategy

#RSAC: Microsoft President Calls for Governments to Form Digital Geneva Convention (Infosecurity Magazine, Apr 17 2018)
Brad Smith, President at Microsoft, told the audience that it is the industry’s responsibility to push the governments of the world towards a new digital Geneva Convention. He outlined six commitments that would make up a Digital Geneva Convention.

NSA reveals how it beats 0-days (Naked Security – Sophos, Apr 19 2018)
Exploits and vulnerabilities are weaponized against us 24 hours after release, says technical director.

NIST releases Cybersecurity Framework 1.1 (Help Net Security, Apr 19 2018)
The US Commerce Department’s National Institute of Standards and Technology (NIST) has announced at RSA Conference 2018 the release of version 1.1 of its popular Framework for Improving Critical Infrastructure Cybersecurity, more widely known as the Cybersecurity Framework.




The DMCA and its Chilling Effects on Research (Schneier on Security, Apr 16 2018)
The Center for Democracy and Technology has a good summary of the current state of the DMCA’s chilling effects on security research.

The Teens Who Hacked Microsoft’s Videogame Empire—And Went Too Far (Wired, Apr 17 2018)
Among those involved in David Pokora’s so-called Xbox Underground, one would become an informant, one would become a fugitive, and one would end up dead.

Towards Risk-Based Vulnerability Management (Gartner Blog Network, Apr 15 2018)
As developers and operations teams evolve into DevOps, the combined groups lack a single view of vulnerabilities across the “full stack” of the application. There’s no basis for shared prioritization of potential security problems, or prioritization of fixes.

Facebook, Microsoft, and 32 other tech firms sign cybersecurity pledge (VentureBeat, Apr 17 2018)
Facebook, Microsoft, and 32 other technology companies have pledged to protect their customers from cyberattacks and committed to not help governments advance their cyber warfare efforts.

RSA Security President Ghai Details Cyber-Security Silver Linings (eWEEK, Apr 18 2018)
“Cyber-security is getting better, not worse,” Ghai said. “Here’s what I propose we do with our time. Let’s not talk about the hackers’ advantages—they can do that in their own conference. Let’s talk about our advantages.”

The Role of KPIs in Incident Response (Dark Reading, Apr 18 2018)
Using KPIs can have a positive impact on the tactical and strategic functions of a security operations program.

Chase initiative to identify insider threats devolved into spying operation (SC Magazine, Apr 20 2018)
After bank executives discovered that Cavicchia had gone “rogue,” crossing privacy boundaries, and that his operation was spying on them, the program was yanked.

#RSAC: DHS Secretary Discusses Strategies for a New Age of Security (Infosecurity Magazine, Apr 17 2018)
Kirstjen Nielsen talks DHS strategies to protect citizens and organizations from cyber-attacks, breaches and cybercrime.

Cyber War Game Shows How Federal Agencies Disagree on Incident Response (Dark Reading, Apr 18 2018)
Former officials at DHS, DOJ, and DOD diverge on issues of attribution and defining what constitutes an act of cyber war.

To Cyber or Not the Cyber, That is the RSAC Talk Analysis (Flying Penguin, Apr 19 2018)
Trends going up? GDPR, Ransomware, Financial Gain and Extortion. Big Data exploded upward and has since trended down over the last five years. Trends going down? BYOD, SOX, GRC, Hacktivism, Targeted Attack, Endpoint, Mobile Device, Audit, PCI-DSS, APT, Spam…

Trump Administration Cyber Czar Rob Joyce to Return to the NSA (Dark Reading, Apr 17 2018)
First year of Trump White House’s cybersecurity policy mostly followed in the footsteps of the Obama administration.

U.S. Energy Department Offers $25 Million for Cybersecurity Tech (SecurityWeek, Apr 16 2018)
The United States Department of Energy (DOE) on Monday announced that it’s prepared to award up to $25 million for the research and development of technologies designed to protect the country’s energy infrastructure against cyber threats.

Inside the 2018 RSA Conference Security Operations Center (eWEEK, Apr 18 2018)
How do you do security incident investigations at the world’s largest security conference?

IT Managers Lack Visibility into Almost Half of Network Traffic (Infosecurity Magazine, Apr 18 2018)
Nearly a quarter of IT managers are blind to as much as 70% of their network traffic.

4 open-source Mitre ATT&CK test tools compared (CSO Online, Apr 12 2018)
Any of these tools from Endgame, Red Canary, Mitre, and Uber will get your red team and pentesters started with Mitre’s ATT&CK framework.

Firms More Likely to Tempt Security Pros With Big Salaries than Invest in Training (Dark Reading, Apr 19 2018)
Invest in more expensive security technology, ask security pros to work longer hours, offer them more money, even train non-cyber employees to do some of the security tasks – those are all methods organizations use to address their shortage of skilled security staff.

TaskRabbit Takes Site Offline After Security Incident (Infosecurity Magazine, Apr 18 2018)
IKEA-owned marketplace tells users to change passwords.