The Top 15 Security Posts – Vetted & Curated

*Threats & Defense*
1. The Pentagon is Publishing Foreign Nation-State Malware (Schneier on Security, Nov 09 2018)
The Pentagon has suddenly started uploading malware samples from APTs and other nation-state sources to the website VirusTotal, which is essentially a malware zoo that’s used by security pros and antivirus/malware detection engines to gain a better understanding of the threat landscape.

2. Most IT Security Pros Underestimate Phishing Risks (Infosecurity Magazine, Nov 08 2018)
Targeted phishing attacks have expanded into ads as well as coming in through search results, pop-ups, social media, IM and chat applications, rogue browser extensions and apps.

3. Bug Bounty Hunter Ran ISP Doxing Service (Krebs on Security, Nov 09 2018)
“A Connecticut man who’s earned bug bounty rewards and public recognition from top telecom companies for finding and reporting security holes in their Web sites secretly operated a service that leveraged these same flaws to sell their customers’ personal data, KrebsOnSecurity has learned.”


*AI, IoT, & Mobile Security*
4. Google’s data charts path to avoiding malware on Android (WeLiveSecurity, Nov 12 2018)
How much higher are the odds that your device will be exposed to malware if you download apps from outside Google Play or if you use one of Android’s older versions? Google has the numbers.

5. New IoT Security Regulations (Schneier on Security, Nov 13 2018)
Right now, we have a market failure. Because the courts have traditionally not held software manufacturers liable for vulnerabilities, and because consumers don’t have the expertise to differentiate between a secure product and an insecure one, manufacturers have prioritized low prices, getting devices out on the market quickly and additional features over security.

6. Gartner Lists Top 10 Strategic IoT Technologies, Trends Through 2023 (eWEEK, Nov 07 2018)
Gartner’s list of the 10 most strategic IoT technologies and trends that it expects will enable new revenue streams and business models during the next five years.

*Cloud Security, DevOps, AppSec*
7. Three of the Most Crucial Sections of the DevSecOps Roadmap (DisruptOPS, Nov 08 2018)
“As Rich Mogull says, Cloud Security starts with architecture and ends with automation. Our DevSecOps roadmap adheres to this guidance. This post will dig into the three sections of the roadmap at a high level. Then we’ll follow up with additional posts to delve into each aspect of the roadmap.”

8. Amazon Web Services launches second GovCloud Region in the United States (Help Net Security, Nov 13 2018)
With the launch of the AWS GovCloud (US-East) Region, AWS now provides 57 Availability Zones across 19 geographic regions globally with another 12 Availability Zones and four regions coming online in Bahrain, Hong Kong SAR, South Africa, and Sweden between the end of 2018 and the first half of 2020.

9. A simpler way to assess the network exposure of EC2 instances: AWS releases new network reachability assessments in Amazon Inspector (AWS Security Blog, Nov 09 2018)
AWS recently released the Network Reachability rules package in Amazon Inspector, the automated security assessment service that enables you to understand and improve the security and compliance of applications deployed on AWS.

*Identity Mgt & Web Fraud*
10. Chip Cards Fail to Reduce Credit Card Fraud in the US (Schneier on Security, Nov 15 2018)
A new study finds that credit card fraud has not declined since the introduction of chip cards in the US. The majority of stolen card information comes from hacked point-of-sale terminals.

11. A new Venezuelan ID, created with China’s ZTE, tracks citizen behavior (Reuters, Nov 14 2018)
Chinese telecoms giant ZTE is helping Venezuela build a system that monitors citizen behavior through a new identification card. The “fatherland card,” already used by the government to track voting, worries many in Venezuela and beyond.

12. Mozilla’s ‘Privacy Not Included’ Gift Report Highlights Security Concerns (Wired, Nov 14 2018)
In its second annual “Privacy Not Included” guide, the nonprofit highlights internet-connected items that value your privacy—and the ones that may not.

*CISO View*
13. The US Didn’t Sign the Paris Call for Trust and Security in Cyberspace (Wired, Nov 12 2018)
Corporations have taken the lead over nations on governing the internet: The initiative might not have counted the US as a signatory, but did include Microsoft, Facebook, Google, and others.

14. Something You Probably Should Include When Building Your Next Threat Models (DisruptOps, Nov 13 2018)
“One thing that quickly stood out is that nearly none of the threat modeling documentation or tools I’ve seen covers the CI/CD pipeline. This. Is. A. Problem. Include your pipeline in your threat models.”

15. What Ever Happened to GRC? (Gartner Blog Network, Nov 12 2018)
In our ongoing coverage of Integrated Risk Management (IRM) technology and service providers, the relevance and frequency of client inquiry related to Governance, Risk & Compliance (GRC) continues to decline.