A Review of the Best News of the Week on Cybersecurity Management & Strategy

Scanning for Flaws, Scoring for Security (Krebs on Security, Dec 12 2018)
“Is it fair to judge an organization’s information security posture simply by looking at its Internet-facing assets for weaknesses commonly sought after and exploited by attackers, such as outdated software or accidentally exposed data and devices? Fair or not, a number of nascent efforts are using just such an approach to derive security scores for companies and entire industries. What’s remarkable is how many organizations don’t make an effort to view their public online assets as the rest of the world sees them — until it’s too late.”

Unencrypted medical data leads to 12-state litigation (Naked Security – Sophos, Dec 07 2018)
The attorneys general of 12 states are suing an e-record provider who lost 3.9 million personal healthcare records in 2015.

7 Lessons from Marriott Starwood breach and what Mueller teaches us (Gartner Blog Network, Dec 10 2018)
Here are the lessons that stand out to me from the Marriott/Starwood breach.


UK Spy Agency Joins NSA in Sharing Zero-Day Disclosure Process (SecurityWeek, Dec 06 2018)
GCHQ Joins the NSA in Publishing its Vulnerabilities Equities Process

Google CEO Faces House Grilling on Breach, China Censorship (SecurityWeek, Dec 11 2018)
Google’s CEO faces a grilling from U.S. lawmakers on how the web search giant handled an alarming data breach and whether it may bend to Chinese government censorship demands.

House Report Says Equifax Breach Was Preventable (Dec 11 2018)
The Committee on Oversight and Government Reform says Equifax did not do enough to prevent massive data breach.

House Releases Cybersecurity Strategies Report (SecurityWeek, Dec 11 2018)
The U.S. House of Representatives’ Committee on Energy and Commerce has released a report identifying strategies for the prevention and mitigation of cybersecurity incidents.

How Internet Savvy are Your Leaders? (Krebs on Security, Dec 10 2018)
“Back in April 2015, I tweeted about receiving a letter via snail mail suggesting the search engine rankings for a domain registered in my name would suffer if I didn’t pay a bill for some kind of dubious-looking service I’d never heard of. But it wasn’t until the past week that it became clear how many organizations — including towns, cities and political campaigns — actually have fallen for this brazen scam.”

Bomb Threat Hoaxer, DDoS Boss Gets 3 Years (Krebs on Security, Dec 07 2018)
“The alleged ringleader of a gang of cyber hooligans that made bomb threats against hundreds of schools and launched debilitating denial-of-service attacks against Web sites (including KrebsOnSecurity on multiple occasions) has been sentenced to three years in a U.K. prison, and faces the possibility of additional charges from U.S.-based law enforcement officials.”

Getting ROI From a Security Advisory Board That Works: Part 2 (SecurityWeek, Dec 10 2018)
In the first part of this series, I talked about why a Security Advisory Board (SAB) is worth the time and effort. Now, it is time to dive into the details of how to actually make one work.

How Well Is Your Organization Investing Its Cybersecurity Dollars? (Dark Reading, Dec 11 2018)
The principles, methods, and tools for performing good risk measurement already exist and are being used successfully by organizations today. They take some effort — and are totally worth it.

CISO challenges and the path to cutting edge security (Help Net Security, Dec 11 2018)
Zane Lackey is the co-founder and CSO at Signal Sciences, and the author of Building a Modern Security Program (O’Reilly Media). In this interview with Help Net Security he discusses CISO challenges, cloud security strategies, next-gen security, and much more.

High profile incidents and new technologies drive cybersecurity M&A to record highs (Help Net Security, Dec 11 2018)
The Cybersecurity M&A Market Report from international technology mergers and acquisitions advisors, Hampleton Partners, outlines how high profile hacks, the global digitisation of business and new regulations are driving record transaction volumes and valuations, with 141 completed transactions by October this year, surpassing 2016 and 2017 levels.

Quarter of NHS Trusts Have No Security Pros (Dec 11 2018)
RedScan FOI results reveal worrying skills shortages

Italian Oil Services Company Saipem Hit by Cyberattack (SecurityWeek, Dec 11 2018)
Italian oil and gas services company Saipem reported on Monday that some of its servers were hit by a cyberattack.

Russian Critical Infrastructure Targeted by Profit-Driven Cybercriminals (SecurityWeek, Dec 11 2018)
Several critical infrastructure organizations in Russia have been targeted by hackers believed to be financially-motivated cybercriminals rather than state-sponsored cyberspies.

Tor Project Releases Financial Documents (SecurityWeek, Dec 10 2018)
The Tor Project, the organization behind the Tor anonymity network, has published financial documents for the past two years, and while they show that its revenue has increased significantly, it’s still small compared to the budgets of potential adversaries.

Trump Claims Progress with China as Negotiators Talk Trade (The New York Times, Dec 12 2018)
A telephone call between top negotiators comes despite concern over the arrest of an executive from the Chinese company Huawei.

Bug Hunting Is Cybersecurity’s Skill of the Future (Dec 12 2018)
80% of security researchers say that hunting skills helped land them a job.

If China Hacked Marriott, 2014 Marked a Full-on Assault (Security Latest, Dec 12 2018)
It increasingly appears that China was behind the Marriott hack, making 2014 a landmark year in cyberattacks against the US.