A Review of the Best News of the Week on Cybersecurity Management & Strategy

773M Password ‘Megabreach’ is Years Old (Krebs on Security, Jan 17 2019)
“…in an interview with the apparent seller, KrebsOnSecurity learned that it is not even close to the largest gathering of stolen data, and that it is at least two to three years old.”

The American Military Sucks at Cybersecurity (Motherboard, Jan 15 2019)
A new report from US military watchdogs outlines hundreds of cybersecurity vulnerabilities.

Prices for Zero-Day Exploits Are Rising (Schneier on Security, Jan 17 2019)
“There is no doubt that the U.S. Government could openly corner the world vulnerability market,” said Geer, “that is, we buy them all and we make them all public. Simply announce ‘Show us a competing bid, and we’ll give you [10 times more].’”

Zurich Rejects Mondelez’ $100 Million NotPetya Insurance Claim Citing ‘Act of War’ (SecurityWeek, Jan 14 2019)
In October 2018, Mondelez International filed suit against Zurich American Insurance Company. At stake is a $100 million insurance claim for damage caused by NotPetya.

Huawei fires company exec arrested in Poland for spying (SC Magazine, Jan 14 2019)
Chinese telecom manufacturer Huawei has fired a company executive who had been arrested in Poland on charges of spying for China. Weijing Wang, a Chinese citizen, was a director of sales for Huawei. The company said he was fired for bringing disrespect to Huawei, CNN reported.

New Magecart Group Hits Hundreds of Sites Via Supply Chain (Infosecurity Magazine, Jan 16 2019)
This firm is Adverline, a French advertising agency. The attackers are said to have compromised a content delivery network for ads run by the company to include a stager containing the skimmer code.

Courts Hand Down Hard Jail Time for DDoS (Krebs on Security, Jan 14 2019)
“On Friday, a 34-year-old Connecticut man received a whopping 10-year prison sentence for carrying out distributed denial-of-service (DDoS) attacks against a number of hospitals in 2014. Also last week, a 30-year-old in the United Kingdom was sentenced to 32 months in jail for using an army of hacked devices to crash large portions of Liberia’s Internet access in 2016.”

Alex Stamos on Content Moderation and Security (Schneier on Security, Jan 15 2019)
“Former Facebook CISO Alex Stamos argues that increasing political pressure on social media platforms to moderate content will give them a pretext to turn all end-to-end crypto off — which would be more profitable for them and bad for society.”

Oklahoma Data Leak Compromises Years of FBI Data (Dark Reading, Jan 16 2019)
The Oklahoma Securities Commission accidentally leaked 3 TB of information, including data on years of FBI investigations.

You Want Network Segmentation, But You Need Zero Trust (Palo Alto Networks Blog, Jan 17 2019)
“In this blog series, I’ve been giving sufficient commentary on Zero Trust in order to dispel much of the mythology that has started to surround the topic recently. I talked about the fundamental issues with the failed trust model and how trust is a vulnerability. Then, I provided clarity as to what Zero Trust is (and isn’t). And most recently, I reviewed the concept of a ‘protect surface’. Now, I want to talk about the concept of a Segmentation Gateway (SG) – the technology that protects the protect surface.”

Six Steps to Segmentation in a Perimeterless World (SecurityWeek, Jan 17 2019)
Setting Objectives and Having a Clear Roadmap is the Best Path to a Successful Network Segmentation Journey

DoJ Prepping Criminal Probe of Huawei IP Theft: Report (Infosecurity Magazine, Jan 18 2019)
Case linked to 2014 theft of T-Mobile tech

Two charged with hacking company filings out of SEC’s EDGAR system (Naked Security – Sophos, Jan 17 2019)
They’re charged with using phishing and malware to get into the EDGAR filing system, stealing thousands of filings, and selling access.

West African banks targeted in multi-wave attack (SC Magazine, Jan 17 2019)
In a somewhat unusual step, cybercriminals are targeting banks in several West African nations, using off-the-shelf malware to gain entry, establish persistence and exfiltrate data, along with “living off the land” tactics.

Evaluating the GCHQ Exceptional Access Proposal (Schneier on Security, Jan 18 2019)
The so-called Crypto Wars have been going on for 25 years now. Basically, the FBI — and some of their peer agencies in the UK, Australia, and elsewhere — argue that the pervasive use of civilian encryption is hampering their ability to solve crimes and that they need the tech companies to make their systems susceptible to government eavesdropping.

SCOTUS Says Suit Over Fiat-Chrysler Hack Can Move Forward (Dark Reading, Jan 11 2019)
A class-action suit over a 2015 attack demonstration against a Jeep Cherokee can move forward, US Supreme Court rules.

Iranian actors possibly behind DNS attack: FireEye (SC Magazine, Jan 11 2019)
A tentative connection has been made to Iranian-inspired actors for a wave of DNS attacks being conducted against targets in the Middle East and North Africa, Europe and North America. FireEye’s Mandiant Incident Response and Intelligence teams tempered their belief that Iran is behind the attacks, noting that work continues on attribution, but enough evidence exists…

Are You Listening to Your Kill Chain? (Dark Reading, Jan 16 2019)
“The cyber kill chain (CKC) is a great framework to start organizing network and application defenses. I like this version of the framework because it provides a little more detail on containing an attack than most others.”

Singapore Imposes $740,000 Fines Over Major Cyber Attack (SecurityWeek, Jan 16 2019)
Singapore’s privacy watchdog on Tuesday imposed fines of Sg$1 million ($740,000) on a healthcare provider and an IT agency over a cyber-attack that saw the health records of about a quarter of the population stolen.

Facebook Faces Action From German Watchdog (Dark Reading, Jan 14 2019)
German antitrust regulators prepare to require changes from Facebook regarding privacy and personal information.