CISO View – The Week’s Best News – 2018.12.21

A Review of the Best News of the Week on Cybersecurity Management & Strategy

US ballistic missile systems have very poor cyber-security (ZDNet, Dec 18 2018)
DOD report finds no antivirus, no data encryption, no multifactor authentication.

A Chief Security Concern for Executive Teams (Krebs on Security, Dec 18 2018)
Virtually all companies like to say they take their customers’ privacy and security seriously, make it a top priority, blah blah. But you’d be forgiven if you couldn’t tell this by studying the executive leadership page of each company’s Web site. That’s because very few of the world’s biggest companies list any security executives in their highest ranks. Even among top tech firms, less than half list a chief technology officer (CTO). This post explores some reasons why this is the case, and why it can’t change fast enough.

No Evidence’ of Huawei Spying, Says German IT Watchdog (SecurityWeek, Dec 17 2018)
Germany’s IT watchdog has expressed scepticism about calls for a boycott of Chinese telecoms giant Huawei, saying it has seen no evidence the firm could use its equipment to spy for Beijing, news weekly Spiegel reported Friday.


Without data, your security strategy is just a guess.
The Mosaic Security Research Market Intelligence Platform provides the data you need for OWASP’s Cyber Defense Matrix. Learn a new way to conduct a strategy assessment.


Despite Breaches, Many Organizations Struggle to Quantify Cyber-Risks to Business (Dark Reading, Dec 13 2018)
Enterprises are struggling with familiar old security challenges as a result, new survey shows.

Czech Warning Over Huawei, ZTE Security ‘Threat’ (SecurityWeek, Dec 18 2018)
A Czech cyber-security agency on Monday warned against using the software and hardware of China’s Huawei and ZTE companies, saying they posed a threat to state security.

IRM Is Essential for Digital Transformation Success (Gartner Blog Network, Dec 18 2018)
Digital risk management (DRM) technology integrates the management of risks of digital business components — such as cloud, mobile, social and big data — and third-party technologies, such as artificial intelligence and machine learning, operational technology (OT), and the Internet of Things (IoT).

Hacked European Cables Reveal a World of Anxiety About Trump, Russia and Iran (The New York Times, Dec 19 2018)
The cables quote China’s president calling America a bully, show concerns about Russian nuclear weapons in Crimea and detail the White House walking back President Trump’s words.

Target targeted: Five years on from a breach that shook the cybersecurity industry (WeLiveSecurity, Dec 18 2018)
In December 2013 news broke that Target suffered a breach that forced consumers and the cybersecurity community to question the security practices of retailers

The year ahead: More breaches, bolstered regulation and the rise of AI (Help Net Security, Dec 17 2018)
Having your head in the cloud(s) when it comes to managing risk: McKinsey reports that, by 2020, organizations will be spending more than six times on cloud-specific products than they do on general IT services; and according to a survey by LogicMonitor, up to 83% of all enterprise workloads will be in the cloud around that same time.

Conflicted External Auditors at Heart of Equifax Data Breach (Infosec Island, Dec 13 2018)
Equifax hired financial auditors and IT security auditors from different divisions of Ernst & Young, creating conflicts of interest that may have disincentivized both auditing teams from reporting problems that eventually led to the company’s 2017 data breach.

Twitter Warns of Possible State-Sponsored Attack (SecurityWeek, Dec 18 2018)
While investigating an information disclosure flaw affecting one of its support forms, Twitter discovered a possible attack coming from IP addresses that may be linked to state-sponsored actors.

Our 2018 Update for “Endpoint Detection and Response Architecture and Operations Practices” Publishes (Gartner Blog Network, Dec 14 2018)
“This combination of EDR and advanced anti-malware [from one vendor] is so pervasive that many Gartner clients conflate the two tools, treating EDR as synonymous with advanced machine learning-type anti-malware. This is incorrect. EDR and EPP (including advanced anti-malware) are still two separate pieces of technology that happen to be found very commonly in the same product and platform.”

Teaching Cybersecurity Policy (Schneier on Security, Dec 18 2018)
Peter Swire proposes a a pedagogic framework for teaching cybersecurity policy. Specifically, he makes real the old joke about adding levels to the OSI networking stack: an organizational layer, a government layer, and an international layer.

Quarter of Healthcare Organizations Hit by Ransomware in Past Year: Study (SecurityWeek, Dec 19 2018)
One in four (27%) employees of healthcare organizations in North America admit to being aware of a ransomware attack targeting their employer over the past year, a new Kaspersky Lab survey reveals.

NASA Notifies Employees of Data Breach (SecurityWeek, Dec 19 2018)
Social security numbers and other personal information belonging to employees of the U.S. National Aeronautics and Space Administration (NASA) may have been stolen after at least one of the agency’s servers was breached.

Congressional Report on the 2017 Equifax Data Breach (Schneier on Security, Dec 19 2018)
“The US House of Representatives Committee on Oversight and Government Reform has just released a comprehensive report on the 2017 Equifax hack. It’s a great piece of writing, with a detailed timeline, root cause analysis, and lessons learned. Lance Spitzner also commented on this.”

The Origin of the Quote “There Are Two Types of Companies” (TaoSecurity, Dec 18 2018)
There are two kinds of big companies in the United States. There are those who’ve been hacked by the Chinese and those who don’t know they’ve been hacked by the Chinese.

This Cybersecurity Firm Listens to the Background ‘Noise’ of the Internet (Motherboard, Dec 17 2018)
The internet is a bustling place, with hackers constantly firing exploits against whoever they can. Cybersecurity firm GreyNoise is trying to filter out some of that noise.

Share on facebook
Facebook
Share on twitter
Twitter
Share on linkedin
LinkedIn