The Top 15 Security Posts – Vetted & Curated

*Threats & Defense*
1. Have Network, Need Network Security Monitoring (TaoSecurity, Oct 25 2018)
We may be in a golden age of endpoint visibility, but closure of those platforms will end the endpoint’s viability as a source of security logging. So long as there are networks, we will need network security monitoring.

2. China’s Hacking of the Border Gateway Protocol (Schneier on Security, Oct 24 2018)
BGP hacking is how large intelligence agencies manipulate Internet routing to make certain traffic easier to intercept. The NSA calls it “network shaping” or “traffic shaping.”

3. British Airways: 185K Affected in Second Data Breach (Dark Reading, Oct 26 2018)
The carrier discovered another breach while investigating its largest-ever data breach, disclosed in September.

Without data, your security strategy is just a guess.
The Mosaic Security Research Market Intelligence Platform provides the data you need for OWASP’s Cyber Defense Matrix. Learn a new way to conduct a strategy assessment.

*AI, IoT, & Mobile Security*
4. Cell Phone Security and Heads of State (Schneier on Security, Oct 30 2018)
There are two basic places to eavesdrop on pretty much any communications system: at the end points and during transmission. This means that a cell phone attacker can either compromise one of the two phones or eavesdrop on the cellular network. Both approaches have their benefits and drawbacks.

5. The Enduring Password Conundrum (SecurityWeek, Oct 24 2018)
Earlier this month, the State of California made headlines by passing legislation that will require hardware manufacturers to implement unique hardcoded passwords for every connected device they produce and force users to change it upon first use. The bill, which takes effect in January 2020, renewed the debate surrounding our continued reliance on passwords as the primary method for access control and authentication.

6. The AI Cold War That Could Doom Us All (Wired, Oct 25 2018)
Artificial intelligence could be the ultimate authoritarian tool. But one thing’s for sure: Charging into an AI arms race against China is a huge mistake.

*Cloud Security, DevOps, AppSec*
7. The hybrid cloud market just got a heck of a lot more compelling (TechCrunch, Oct 30 2018)
Let’s start with a basic premise that the vast majority of the world’s workloads remain in private data centers. Cloud infrastructure vendors are working hard to shift those workloads, but technology always moves a lot slower than we think. That is the lens through which many cloud companies operate.

8. IBM to buy Red Hat for $34B in cash and debt, taking a bigger leap into hybrid cloud (TechCrunch, Oct 29 2018)
“IBM will become the world’s number-one hybrid cloud provider, offering companies the only open cloud solution that will unlock the full value of the cloud for their businesses.”

9. Cloudera and Hortonworks Merge (Securosis, Oct 25 2018)
“I can confirm we see the same lack of interest in deployment of Hadoop to the cloud, the same use of S3 as a storage medium when Hadoop is used atop Infrastructure as a Service (IaaS), and the same developer-driven selection of whatever platform is easiest to use and deploy on.”

*Identity Mgt & Web Fraud*
10. ID Systems Throughout the 50 States (Schneier on Security, Oct 31 2018)
Jim Harper at CATO has a good survey of state ID systems in the US….

11. How Do You Fight a $12B Fraud Problem? One Scammer at a Time (Krebs on Security, Oct 29 2018)
“The fraudsters behind the often laughable Nigerian prince email scams have long since branched out into far more serious and lucrative forms of fraud, including account takeovers, phishing, dating scams, and malware deployment. Combating such a multifarious menace can seem daunting, and it calls for concerted efforts to tackle the problem from many different angles. This post examines the work of a large, private group of volunteers dedicated to doing just that.”

12. Passcodes are protected by Fifth Amendment, says court (Naked Security – Sophos, Nov 01 2018)
The government isn’t really after the password, after all; it’s after any potential evidence it protects. In other words: fishing expedition.

*CISO View*
13. Equifax Has Chosen Experian. Wait, What? (Krebs on Security, Nov 01 2018)
“A year after offering free credit monitoring to all Americans on account of its massive data breach that exposed the personal information of nearly 148 million people, Equifax now says it has chosen to extend the offer by turning to a credit monitoring service offered by a top competitor — Experian. And to do that, it will soon be sharing with Experian contact information that affected consumers gave to Equifax in order to sign up for the service.”

14. States Average a C- in Election Security (Infosecurity Magazine, Oct 31 2018)
Results of the Election Cybersecurity Scorecard, published by the Center for Strategic & International Studies (CSIS), found that states average a C- in election security.

15. 2019 Planning Guide for Security and Risk Management (Gartner Blog Network, Oct 30 2018)
“Security teams find it difficult to keep up with change, especially because the vendor security solution landscape has become hard to decipher. Technical professionals must understand these trends in order to continue practicing strong planning and execution of security initiatives in 2019.”