A Review of the Best News of the Week on Cybersecurity Management & Strategy

Marriott: Data on 500 Million Guests Stolen in 4-Year Breach (Krebs on Security, Nov 30 2018)
“For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date and communication preferences,” Marriott said in a statement released early Friday morning.

First Round of MITRE ATT&CK Evaluations Released – MITRE ATT&CK (Medium, Nov 30 2018)
“We have just published the first seven MITRE ATT&CK™ evaluations on our new website. We have created an open and transparent methodology…”

Propaganda and the Weakening of Trust in Government (Schneier on Security, Nov 27 2018)
“we need to start thinking more systematically about the relationship between democracy and information. Our paper provides one way to do this, highlighting the vulnerabilities of democracy against certain kinds of information attack. More generally, we need to build levees against flooding while shoring up public confidence in voting and other public information systems that are necessary to democracy.”

Without data, your security strategy is just a guess.
The Mosaic Security Research Market Intelligence Platform provides the data you need for OWASP’s Cyber Defense Matrix. Learn a new way to conduct a strategy assessment.

The Origin of the Term Indicators of Compromise (IOCs) (TaoSecurity, Nov 25 2018)
tl;dr Mandiant invented the term indicators of compromise, or IOCs, in 2010, building off the term “indicator,” introduced widely in a detection context by Kevin Mandia, no later than his 2003 incident response book.

Iranians Accused in Cyberattacks, Including One That Hobbled Atlanta (- The New York Times, Nov 29 2018)
The suspects chose targets with the means to pay ransom and a need to put their systems back online quickly, law enforcement officials said.

Uber Fined Nearly $1.2 Million by Dutch, UK Over Data Breach (SecurityWeek, Nov 27 2018)
The ride-hailing service Uber has been fined the equivalent of nearly $1.2 million by British and Dutch authorities for failing to protect customers’ data during a cyberattack in 2016.

The “Typical” Security Engineer: Hiring Myths & Stereotypes (Dark Reading:, Nov 28 2018)
In an environment where talent is scarce, it’s critical that hiring managers remove artificial barriers to those whose mental operating systems are different.

Dell Admits Potential Breach in Early November (, Nov 29 2018)
Attackers may have obtained names, emails and hashed passwords

Deputy AG Rod Rosenstein Is Still Calling for an Encryption Backdoor (Security Latest, Nov 29 2018)
The government has not proposed its own workable solution since the 90s, when its “Clipper chip” backdoor was roundly discredited. Rosenstein did, though, repeat past assertions that unyielding encryption blocks crucial investigative avenues, and potentially endangers public safety.

Transforming into a CISO Security Leader (Dark Reading:, Nov 26 2018)
Are you thinking of changing your career route from techie to CISO? Are you making the right choice? Only you know for sure.

North Korean Hackers Hit Latin American Banks (SecurityWeek, Nov 23 2018)
The North Korean hacking group know as Lazarus recently targeted financial institutions in Latin America, Trend Micro security researchers have discovered.

Edinburgh Napier University Student Named as 2018 Cyber Security Challenge Champion (, Nov 27 2018)
The Cyber Security Challenge has named 19-year-old Edinburgh Napier University student Charlie Hosier as its 2018 champion

Facebook Knew About Russian Activity in 2014: British MP (SecurityWeek, Nov 27 2018)
A British MP on Tuesday claimed Facebook knew about potentially malicious Russian activity in 2014, long before such activity becomes public, during a parliamentary hearing where international lawmakers grilled the company.

German chat site faces fine under GDPR after data breach (WeLiveSecurity, Nov 27 2018)
The country’s first fine under GDPR is lower than might have been expected, however, as the company was acknowledged for its post-incident cooperation and enhanced security measures.

New Hacker Group Behind ‘DNSpionage’ Attacks in Middle East (Dark Reading:, Nov 27 2018)
Motives are not fully clear, though data exfiltration is one possibility, Cisco Talos says.

Data Breach Hits 2.6 Million Atrium Health Patients (SecurityWeek, Nov 28 2018)
Hospital network Atrium Health informed patients on Tuesday that their personal information was compromised following a breach at technology solutions provider AccuDoc.

Google Staff Urge Firm to Drop China Search Plans (, Nov 28 2018)
Employees don’t want to be a part of Dragonfly

C-Suite: GDPR Could Lead to Greater Risk of Breaches (, Nov 28 2018)
German and UK executives vent concern as six-month milestone passes

New Zealand Bars Huawei From Its 5G Network Over Security Fears (WSJ, Nov 29 2018)
Chinese telecom giant Huawei has been blocked from supplying a 5G mobile network in New Zealand, a fresh setback as a U.S. campaign to shun its equipment intensifies.

Dunkin’ Donuts Serves Up Data Breach Alert (Dark Reading:, Nov 29 2018)
Forces potentially affected DD Perks customers to reset their passwords after learning of unauthorized access to their personal data.