A Review of the Best News of the Week on Cybersecurity Management & Strategy

Yahoo to Pay $50M, Other Costs for Massive Security Breach (SecurityWeek, Oct 24 2018)
Yahoo has agreed to pay $50 million in damages and provide two years of free credit-monitoring services to 200 million people whose email addresses and other personal information were stolen as part of the biggest security breach in history.

The Rise of The Virtual Security Officer (SecurityWeek, Oct 23 2018)
The market for virtual security officers is growing. We’ve had virtual chief information security officers for a few years (vCISOs), and we can expect to see virtual data protection officers (vDPOs) in the next few. The demand for both is higher than it has ever been, and it is likely to grow.

Facebook Fined £500K for Cambridge Analytica Failings (Infosecurity Magazine, Oct 25 2018)
The Information Commissioner’s Office (ICO) has issued a rare maximum fine of £500,000 to Facebook for data protection mistakes that led to the Cambridge Analytica scandal.

Without data, your security strategy is just a guess.
The Mosaic Security Research Market Intelligence Platform provides the data you need for OWASP’s Cyber Defense Matrix. Learn a new way to conduct a strategy assessment.

Super Micro to Customers: Chinese Spy Chips Story Is Wrong (SecurityWeek, Oct 23 2018)
A Bloomberg article claiming that tiny chips were inserted in Super Micro Computer Inc. equipment “is wrong,” the California-based server manufacturer says.

Cathay Pacific Breach Hits Over 9 Million Customers (Infosecurity Magazine, Oct 25 2018)
Hong Kong airline reportedly sat on info for months

BA Says 185,000 More Customers Affected in Cyber Attack (SecurityWeek, Oct 25 2018)
British Airways owner IAG on Thursday said that a further 185,000 customers may have had their personal details stolen in a cyber attack earlier this year.

DoD Expands Hack the Pentagon Program (Infosecurity Magazine, Oct 24 2018)
The US Department of Defense awards three contracts to grow its crowdsourced digital defense program.

Facebook wants to buy a big cybersecurity company after 2 catastrophic data breaches (Business Insider, Oct 22 2018)
Facebook has assembled a team to scout out big cybersecurity firms to add to its technical expertise…

Understanding SOCs’ 4 Top Deficiencies (Dark Reading, Oct 22 2018)
In most cases, the areas that rankle SANS survey respondents the most about security operations centers can be addressed with the right mix of planning, policies, and procedures.

Why you should take an operational approach to risk management (Help Net Security, Oct 22 2018)
Organizations must move beyond simplistic goals of creating a business continuity plan using legacy business continuity/disaster recovery tools, or demonstrating compliance to a standard or policy using legacy governance, risk management and compliance software tools. Those approaches incorrectly move the focus to, “do we have our plans done?” or create a checklist mentality of, “did we pass the audit?”

Security budgets are rising, but is it enough? (Help Net Security, Oct 22 2018)
While budgets are expected to increase by 19 percent over the next two years, organizations are struggling with a disconnect between security and DevOps and are facing difficulties in determining where to allocate this budget in the face of rapidly evolving infrastructure.

Yale Faces Additional Lawsuit After 2011 Breach (Infosecurity Magazine, Oct 19 2018)
Another victim in a Yale University data breach files a second lawsuit.

Myths of Risk and Cybersecurity Management (Gartner Blog Network, Oct 19 2018)
“I have been researching and thinking about risk and cybersecurity management concepts for the last year or so, and I wanted to share with you some initial conclusions I’ve reached…”

Japan Orders Facebook to Improve Data Protection (SecurityWeek, Oct 22 2018)
The Japanese government on Monday ordered Facebook to improve protection of users’ personal information following data breaches affecting tens of millions of people worldwide.

What Keeps the CISO Awake at Night (Dark Reading, Oct 22 2018)
One of the CISO’s biggest fears is waking up to find their organization in the headlines reporting a security failure – which they do not have under control. Have you ever considered how prepared you are to respond to the question “what have you done about it”?

How to make the CFO your best cybersecurity friend (Help Net Security, Oct 23 2018)
CFO’s would rather see fewer CapEx dollars spent on cyber investments, offset by more dollars spent on qualified professionals and organizational structure to manage those investments. Ultimately, this will yield a higher ROI.

Russia Linked to Triton Industrial Control Malware (Wired, Oct 23 2018)
Like so many other internet misdeeds, the notorious Triton malware appears to have originated in Moscow.

Supermarket told it must compensate 100,000 workers after payroll data deliberately leaked by rogue employee (Graham Cluley, Oct 24 2018)
The UK’s fourth largest supermarket chain, with over 500 stores, had a disgruntled member of staff who had access to sensitive data, such as the payroll information of 100,000 current and former employees.

FBI: Call of Duty gamers helped steal $3.3 million in cryptocurrency hacking scheme (CSO Online, Oct 24 2018)
Members of the theft ring gave him names, phone numbers and other information to allow him to take over cell phones of their victims. He admitted helping take over the phones of more than 100 people, according to the FBI affidavit. Once the group took over a phone, they could hack into a victim’s cryptocurrency account.

Organizations want to threat hunt, but can’t due to lack of time, skills and visibility (Help Net Security, Oct 26 2018)
Fidelis interviewed over 580 security professionals from around the globe to understand how they are shifting their security strategies. In the Fidelis 2018 State of Threat Detection Report, 63 percent of all respondents said they do not currently employ threat hunting or do not know if they do, with just over half (51 percent) of organizations with over 5000 employees stating that they threat hunt.