A Review of the Best News of the Week on Cybersecurity Management & Strategy

Why the DNC Thought a Phishing Test Was a Real Attack (Wired, Aug 23 2018)
The Democratic National Committee now says a fraudulent voter data website it found was evidence of an unauthorized test organized by Michigan Democrats.

T-Mobile Data Breach Hits Over 2 Million Customers (SecurityWeek, Aug 24 2018)
T-Mobile revealed late on Thursday that the personal details of “a small percentage” of customers were exposed after hackers gained access to its systems.

Experts Urge Rapid Patching of ‘Struts’ Bug (Krebs on Security, Aug 23 2018)
“In September 2017, Equifax disclosed that a failure to patch one of its Internet servers against a pervasive software flaw — in a Web component known as Apache Struts — led to a breach that exposed personal data on 147 million Americans. Now security experts are warning that blueprints showing malicious hackers how to exploit a newly-discovered Apache Struts bug are available online, leaving countless organizations in a rush to apply new updates and plug the security hole before attackers can use it to wriggle inside.”

Leaker of Secret Report on Russian Hacking Gets 5 Years (SecurityWeek, Aug 24 2018)
A former government contractor who pleaded guilty to mailing a classified U.S. report to a news organization was sentenced to more than five years in prison Thursday as part of a deal with prosecutors, who called it the longest sentence ever imposed for a federal crime involving leaks to the news media.

Google employees protest work on censored search engine for China (Naked Security – Sophos, Aug 20 2018)
Hundreds signed a letter raising concerns about the moral and ethical issues of Google helping China with its censorship.

China Believes Its Cyber Capabilities Lag Behind US: Pentagon (SecurityWeek, Aug 20 2018)
China believes its cyberwarfare capabilities lag behind the United States, but it’s working on closing the gap, according to the U.S. Department of Defense (DOD).

Microsoft Disrupts Election-Related Domains Used by Russian Hackers (SecurityWeek, Aug 21 2018)
Microsoft on Monday announced that it took control of several domains associated with a notorious Russia-linked threat actor. The names of the domains suggest the hackers may have been using them in campaigns related to the upcoming midterm elections in the United States.

How to Gauge the Effectiveness of Security Awareness Programs (Dark Reading, Aug 21 2018)
If you spend $10,000 on an awareness program and expect it to completely stop tens of millions of dollars in losses, you are a fool. If $10,000 prevents $100,000 in loss, that’s a 10-fold ROI.

The Untold Story of NotPetya, the Most Devastating Cyberattack in History (Wired, Aug 22 2018)
Crippled ports. Paralyzed corporations. Frozen government agencies. How a single piece of code crashed the world.

A Bot Panic Hits Amazon Mechanical Turk (Wired, Aug 17 2018)
Concerned social scientists turned their analytical skills onto one of their most widely used research tools this week: Amazon’s Mechanical Turk.

Augusta Health Center Reveals Historic Breach (Infosecurity Magazine, Aug 21 2018)
September 2017 phishing attack may have compromised data on 400K patients

Hacking Elections: Georgia’s Midterm Electronic Voting in the Dock (SecurityWeek, Aug 21 2018)
The security of electronic voting and the direct-recording election (DRE) voting machines used has been questioned for years. The upcoming U.S. midterm elections in November, coupled with the attempted Russian meddling in the 2016 presidential election, have made this a current and major concern for many in the security industry and beyond. Now it has gone to court.

Proving ROI: How a Security Road Map Can Sway the C-Suite (Dark Reading, Aug 21 2018)
When executives are constantly trying to cut the fat, CISOs need to develop a flexible structure to improve baseline assessments and target goals, tactics, and capabilities. Here’s how.

DMARC Use is Growing, But Difficult to Configure Correctly and Completely (SecurityWeek, Aug 22 2018)
Every single service that sends emails must be found and included, and the policy must be set to enforced. DMARC, using SPF or DKIM authentication, aligns the stated sender with the actual source. If the alignment fails, the domain owner can choose between doing nothing (letting it go through anyway), sending it to a spam folder, or deleting it. The mail gateway performing the checks then reports the results to the domain owner or a designated agent.

Does Vulnerability Assessment Even Matter? (Gartner Blog Network, Aug 22 2018)
A few days ago I met somebody who holds a fairly fatalistic view of Vulnerability Assessment (VA) and, to a lesser extent, broader Vulnerability Management (VM) as well. In fact, this person believed that VA is an utterly pointless endeavor. After all, they said, you can be:
- Not patched and hacked
- Patched and not hacked
- Not patched and not hacked [because there are so many vulnerabilities out there]
- Patched and still hacked [via social engineering, phishing, zero day or an asset not covered by your VM program]

Data Privacy Careers Are Helping to Close the IT Gender Gap (Dark Reading, Aug 20 2018)
There are three main reasons why the field has been more welcoming for women. Can other tech areas step up?

James Mickens on the Current State of Computer Security (Schneier on Security, Aug 20 2018)
James Mickens gave an excellent keynote at the USENIX Security Conference last week, talking about the social aspects of security — racism, sexism, etc. — and the problems with machine learning and the Internet. Worth watching….

Microsoft Launches Free Security Services for U.S. Political Groups (eWEEK, Aug 21 2018)
Citing attacks on the U.S. general election and the French presidential election, Microsoft President Brad Smith announces shuttering of Russian disinformation sites and the launch of a suite of free security services for U.S. political organizations.

FBI Probes Computer Hacks in California House Campaigns (SecurityWeek, Aug 21 2018)
The FBI launched investigations after two Southern California Democratic U.S. House candidates were targeted by computer hackers, though it’s unclear whether politics had anything to do with the attacks.

New Insurance Product Adds Coverage for Cryptomining Malware Losses (Dark Reading, Aug 22 2018)
Product also covers all forms of illicit use of business services, including toll fraud and unauthorized use of cloud services.