A Review of the Best News of the Week on Cybersecurity Management & Strategy

The US Didn’t Sign the Paris Call for Trust and Security in Cyberspace (Wired, Nov 12 2018)
Corporations have taken the lead over nations on governing the internet: The initiative might not have counted the US as a signatory, but did include Microsoft, Facebook, Google, and others.

Something You Probably Should Include When Building Your Next Threat Models (DisruptOps, Nov 13 2018)
“One thing that quickly stood out is that nearly none of the threat modeling documentation or tools I’ve seen covers the CI/CD pipeline. This. Is. A. Problem. Include your pipeline in your threat models.”

What Ever Happened to GRC? (Gartner Blog Network, Nov 12 2018)
In our ongoing coverage of Integrated Risk Management (IRM) technology and service providers, the relevance and frequency of client inquiry related to Governance, Risk & Compliance (GRC) continues to decline.

Without data, your security strategy is just a guess.
The Mosaic Security Research Market Intelligence Platform provides the data you need for OWASP’s Cyber Defense Matrix. Learn a new way to conduct a strategy assessment.

Narrow gap between CEO, CIO and CISO roles means companies are struggling to secure digital assets (Help Net Security, Nov 13 2018)
At a global level, 22 per cent of respondents believe the CIO is ‘ultimately responsible’ for managing security, compared to one in five (20 per cent) for the CEO and 19 per cent for the CISO. In the UK, fewer respondents point to the CIO (19 per cent) and CISO (18 per cent) while the CEO gets the biggest vote at 21 per cent.

DARPA’s Hail Mary Plan to Restart a Hacked US Electric Grid (Wired, Nov 14 2018)
On tiny Plum Island, DARPA stages a real-life blackout to put its grid recovery tools to the test.

Getting to Know Magecart: An Inside Look at 7 Groups (Dark Reading, Nov 13 2018)
A new report spills the details on Magecart, the criminal groups driving it, and ongoing attacks targeting low- and high-profile victims.

Law firms are increasingly investing in cybersecurity programs (Help Net Security, Nov 15 2018)
Less than half of law firms are implementing some of the top-weighted cybersecurity protocols – these being multi factor authentication (47%), 3rd party risk assessment (37%), having the proper security executive (34%), and SOC monitoring (24%).

SAM nabs $12M for cybersecurity aimed at home routers and devices connected to them (TechCrunch, Nov 14 2018)
A wave of security startups have built solutions for enterprises that are meeting the challenges of “consumerization”, where IT organizations are tasked with securing a range of devices and apps — some brought in by employees, not issued by IT — that are on the organization’s networks.

More Than 50% of Free Mobile VPN Apps Have Chinese Ties (Dark Reading, Nov 15 2018)
This story is about a researcher who published an Oracle zero-day because Oracle has a history of harassing researchers and ignoring vulnerabilities.

Nordstrom Quick to Tell Employees of a Data Breach (Infosecurity Magazine, Nov 13 2018)
After a data breach was detected at Nordstrom, co-president Blake Nordstrom contacted employees.

Oracle and “Responsible Disclosure” (Schneier on Security, Nov 14 2018)
This story is about a researcher who published an Oracle zero-day because Oracle has a history of harassing researchers and ignoring vulnerabilities.

CARTA’: A New Tool in the Breach Prevention Toolbox (Dark Reading, Nov 12 2018)
Gartner’s continuous adaptive risk and trust assessment for averting a data breach addresses the shortcomings of static security programs.

Implications of the EU NIS Directive for the industrial sector (Help Net Security, Nov 12 2018)
The law lists 14 cybersecurity principles that form the objectives of NIS, but each member country must develop its own regulations to achieve them. Here are some of NIS’ best practices and guidelines complying with the legislation.

Phishing Training is a Tool, Not a Solution (SecurityWeek, Nov 12 2018)
If You Find Yourself Frequently Blaming Users for Successful Attacks, You Know Your Security is Not Working

Empathy: The Next Killer App for Cybersecurity? (Dark Reading, Nov 13 2018)
The toughest security problems involve people not technology. Here’s how to motivate your frontline employees all the way from the service desk to the corner office.

Japan Cyber Minister Says He Has Never Used a Computer (Dark Reading, Nov 15 2018)
Yoshitaka Sakurada, who recently took on the role after a cabinet shuffling, says it’s up to the government to deal with it.

OPM Still Failing on Security After 2015 Breach (Infosecurity Magazine, Nov 15 2018)
GAO report claims over a third of recommendations have not been enacted

US Panel Warns Against Government Purchase of Chinese Tech (SecurityWeek, Nov 14 2018)
A congressional advisory panel says the purchase of internet-linked devices manufactured in China leaves the United States vulnerable to security breaches that could put critical infrastructure at risk.

HITRUST Common Security Framework – Improving Cyber Resilience? (SecurityWeek, Nov 14 2018)
Healthcare organizations must recognize that HIPAA and HITRUST CSF compliance does not guarantee their systems are adequately protected from threats. These guidelines represent a minimum barrier to entry for attackers.

Congress Passes Bill to Create New Federal Cybersecurity Agency (Dark Reading, Nov 15 2018)
Cybersecurity and Infrastructure Security Agency Act now headed to President Trump for signing into law.