A Review of the Best News of the Week on Cybersecurity Management & Strategy

Vladimir Putin signs sweeping Internet-censorship bills (Ars Technica, Mar 18 2019)
President Vladimir Putin has tightened his grip on the Russian Internet Monday, signing two censorship bills into law. One bans “fake news” while the other makes it illegal to insult public officials.

Improve cybersecurity program reporting with time-based metrics (SC Magazine, Mar 18 2019)
Since we know that security isn’t truly a zero-sum game, instead of focusing on the raw numbers or the volume of work being done, prioritize quickly addressing vulnerabilities as they’re discovered. The speed of attacks and compromises continues to increase as more computing resources become available to attackers, and strong defense-in-depth programs help slow down the attack chain and give defenders more time to respond. How quickly your teams respond to threats is a powerful metric that can provide executives with a more realistic understanding of the progress of the security program’s efforts.

Norsk Hydro cyber attack: What happened? (Help Net Security, Mar 20 2019)
“Hydro subject to cyber-attack,” warned Oslo-headquartered Norsk Hydro ASA, one of the world’s biggest aluminum producers, on Tuesday. According to the company’s CFO Eivind Kallevik, the “root of the problem” is ransomware, and the Norwegian National Security Authority confirmed the ransomware in question is LockerGoga.


Gargantuan Gnosticplayers breach swells to 863 million records (Naked Security – Sophos, Mar 19 2019)
A further 26m records stolen from six more online companies bring this hacker’s total to 863m records from 38 websites.

Quantum computing will break your encryption in a few years (Network World Security, Mar 20 2019)
It’s verticals like the automotive industry and the infrastructure sector that have to worry, Lucier said. Anything with a long service life and anything that’s expensive to repair and replace is potentially vulnerable. That’s not to say that it’s time to rip-and-replace immediately. Standards bodies are expected to approve quantum-safe encryption algorithms at around the same time experts are predicting that quantum-powered decryption threatens modern security, so a hybrid approach is possible.

An Argument that Cybersecurity Is Basically Okay (Schneier on Security, Mar 20 2019)
There is a rising tide of security breaches. There is an even faster rising tide of hysteria over the ostensible reason for these breaches, namely the deficient state of our information infrastructure. Yet the world is doing remarkably well overall, and has not suffered any of the oft-threatened giant digital catastrophes. This continuing general progress of society suggests that cyber security is not very important.

Only 28% of Gov.uk Domains Support DMARC (Infosecurity Magazine, Mar 19 2019)
Egress warns of security gap as old GSI domains are switched off

Beto O’Rourke was teen hacker in Cult of the Dead Cow (SC Magazine, Mar 18 2019)
Democrat Beto O’Rourke, who just raked in $6.1 million in campaign donations in the first 24 hours after kicking off his presidential bid, was as a teenager a member of the Cult of the Dead Cow, an old (relatively speaking) and well-known hacking group whose activities compelled Microsoft to boost the security of Windows.

Elsevier exposes users’ emails and passwords online (Naked Security – Sophos, Mar 20 2019)
The science publisher is blaming a misconfigured server that exposed a constant stream of its users’ credentials.

Just One Third of UK’s Small Firms Have Security Strategy (Infosecurity Magazine, Mar 18 2019)
New study aims to raise SMB awareness this week

Zillow sued for $60 million after mansion listing hijacked (Graham Cluley, Mar 15 2019)
Using a fake mobile phone number and a Chinese IP address, they were able to waltz past Zillow’s security questions, successfully convincing the site that they were the genuine owner. And what did they do with all that power? They posted a history of recent (bogus) sales for the property for up to $60 million *less* than the genuine owner is asking.

Crowdsourced vs. Traditional Pen Testing (Dark Reading, Mar 19 2019)
A side-by-side comparison of key test features and when best to apply them based on the constraints within your budget and environment.

The modern threat landscape and expanding CISO challenges (Help Net Security, Mar 19 2019)
Prior to starting Signal Sciences, its founders were running security at Etsy and growing frustrated with existing legacy technology. So they built their own. For this interview with Andrew Peterson, CEO at Signal Sciences, we dig deep into hot topics such as modern CISO challenges and application security visibility.

Dragos acquires NexDefense, provides free asset identification tools (Help Net Security, Mar 18 2019)
As part of this announcement, the company also introduced Dragos Community Tools today, a set of free assessment tools to help organizations of all sizes around the globe forge the path forward towards comprehensive ICS security.

Reports: Israeli officials’ devices hacked; data possessed by Iran (SC Magazine, Mar 18 2019)
Hackers stole information from former Israeli prime minister Ehud Barak’s computer and phone months ago and sold it to Iran, according to multiple news outlets, citing a TV report by Israel’s Channel 12 this past weekend.

Slack Introduces Enterprise Key Management Tool (SecurityWeek, Mar 18 2019)
Slack on Monday announced the introduction of Enterprise Key Management, an Enterprise Grid add-on feature that gives customers complete control over their encryption keys.

Orange County hit and taken offline with ransomware (SC Magazine, Mar 19 2019)
The Orange County, N.C., government was knocked offline by a ransomware attack early Monday morning. County officials discovered files were being encrypted and shut down the county’s entire network in an effort to stop the malware from spreading, effectively cutting off online access to most county services, according to a statement.

Stealing Corporate Funds Still Top Goal of Messaging Attacks (Dark Reading, Mar 19 2019)
Cybercriminals focus on collecting credentials, blackmailing users with fake sextortion scams, and convincing privileged employees to transfer cash. The latter still causes the most damage, and some signs suggest it is moving to mobile.

A network is only as strong as its weakest shard (Help Net Security, Mar 20 2019)
The term sharding, meaning horizontal partitioning, describes a method of dividing a database into horizontal pieces so that data can be accessed and analyzed much faster than in a single, large database. Existing blockchain solutions that employ sharding start from the notion that having an entire network of machines reach consensus, where each machine has to do the same amount of work, can be time-consuming and costly. So they shard the consensus, splitting the network into halves, quarters and eighths.

Unsurprisingly, only 14% of companies are compliant with CCPA (Help Net Security, Mar 20 2019)
With less than 10 months before the California Consumer Privacy Act (CCPA) goes into effect, only 14% of companies are compliant with CCPA and 44% have not yet started the implementation process.