A Review of the Best News of the Week on Cybersecurity Management & Strategy

Uber Fined $148m for Breach Cover-Up (Infosecurity Magazine, Sep 27 2018)
A heavy price tag for Uber’s data breach mismanagement

14 years prison for man who helped hackers evade detection by anti-virus software (Graham Cluley, Sep 25 2018)
Bondars (also known by his online nickname of “Borland”) worked in conjunction with co-conspirator Jurijs “Garrik” Martisevs on the notorious Scan4You website. Scan4You allowed criminals – for a monthly fee – to upload their latest malware to receive a report on whether any of a wide range of anti-virus products would detect it as malicious.

Domain flub leaves 30 million customers high and dry (Naked Security – Sophos, Sep 26 2018)
Zoho’s CEO begged for help on Twitter after his domain registrar effectively took the company offline, stranding millions of users.

Without data, your security strategy is just a guess.
The Mosaic Security Research Market Intelligence Platform provides the data you need for OWASP’s Cyber Defense Matrix. Learn a better way to build your strategy.

Tencent engineer attending cybersecurity event fined for hotel WiFi hacking (Yahoo News Singapore, Sep 24 2018)
While attending a cybersecurity conference in Singapore, a Chinese national decided to hack into the WiFi of the hotel he was staying in. Zheng Dutao, a 23-year-old security engineer with Chinese internet giant Tencent Holdings, was curious to find any vulnerabilities in the WiFi server…

Data Breaches: User Comprehension, Expectations, and Concerns with Handling Exposed Data (Elie Bursztein (Google), Sep 23 2018)
We examine the comprehension of 551 participants on the risks of data breaches and their sentiment towards potential remediation steps. In the second survey, we ask 10,212 participants to rate their level of comfort towards eight different scenarios that capture real-world examples of security practitioners, researchers, journalists, and commercial entities investigating leaked data.

The state of network security in organizations with 1000+ employees (Help Net Security, Sep 27 2018)
The research also pinpointed some of the differences. As noted before, large organizations generally do not have a much larger security team that mid-sized ones.

Variations in State Data Breach Disclosure Laws Complicate Compliance (Infosec Island, Sep 26 2018)
In some states, companies must report breaches to the Attorney General’s Office even if only one record is breached. In other states, reporting does not apply unless a minimum number of records —250, 500 or 1000 — is breached.

Hacking Back: Simply a Bad Idea (Dark Reading, Sep 24 2018)
While the concept may sound appealing, it’s rife with drawbacks and dangers.

Most enterprises now running Windows 10, security hygiene no longer optional (Help Net Security, Sep 27 2018)
For the first time in the survey’s history, the majority (57%) of respondents reported that their organizations are running most of their computers on Windows 10.

Senate Committee Approves Several Cybersecurity Bills (SecurityWeek, Sep 27 2018)
The U.S. Senate Committee on Homeland Security and Governmental Affairs on Wednesday voted to approve several cybersecurity bills, including ones related to incident response, supply chain security, the government’s cyber workforce, and safeguarding federal information systems.

How organizations overcome cybersecurity hiring challenges (Help Net Security, Sep 24 2018)
The data is based on a survey of 250 U.S. cybersecurity professionals with oversight of hiring and managing security departments, who say their organization does an adequate job of ensuring it has enough cybersecurity expertise on staff.

How companies view their cyber exposure, and how they deal with it (Help Net Security, Sep 24 2018)
The 2018 Travelers Risk Index found cyber risks are the No. 2 concern across all business sizes and industries, and the percentage of businesses reporting they have been the victim of a cyber attack has doubled.

White House Issues National Cyber Strategy (Infosecurity Magazine, Sep 21 2018)
President Trump released aggressive plans for nation cyber defense

Facebook faces sanctions if it drags its feet on data transparency (Naked Security – Sophos, Sep 24 2018)
The European Commission (EC) has had it up to here with Facebook dragging its feet on providing more information about what it does with users’ data and is ready to slap it upside the head with sanctions…

Fault-Tolerant Method Used for Security Purposes in New Framework (Dark Reading, Sep 25 2018)
A young company has a new patent for using fault tolerance techniques to protect against malware infection in applications.

Ex-NSA Developer Gets 5 1/2-Year Prison Sentence (Dark Reading, Sep 25 2018)
Nghia Hoang Pho, who illegally took home classified NSA information, also sentenced to three years of supervised release after prison term.

Testing Firm NSS Labs Declares War on Antivirus Industry (SecurityWeek, Sep 25 2018)
NSS Labs claims that AMTSO has organized a conspiracy against the EPP product testing industry – and specifically NSS Labs – to prevent independent testing of EPP products.

New tactics subvert traditional security measures and strike organizations of all sizes (Help Net Security, Sep 26 2018)
Among the notable findings in the report is the end of the traditional killchain, with 88 percent of killchain attacks now gaining efficiency and speed by combining what was formerly the first five phases—”recon,” “weaponization,” “delivery,” “exploitation” and “installation”—into a single action.

Full compliance with the PCI DSS drops for the first time in six years (Help Net Security, Sep 26 2018)
After documenting improvements in Payment Card Industry Data Security Standard (PCI DSS) compliance over the past six years (2010 – 2016), Verizon’s 2018 Payment Security Report (PSR) now reveals a concerning downward trend with companies failing compliance assessments and perhaps, more importantly, not maintaining – full compliance.

Despite BOD 18-01, Fed Agencies Not at 100% HTTPS (Infosecurity Magazine, Sep 26 2018)
Federal agencies have yet to improve the way they handle machine identities, says Venafi.