A Review of the Best News of the Week on Cybersecurity Management & Strategy

DLA Piper and its insurers clash over multi-million NotPetya payout (Graham Cluley, Mar 25 2019)
Multinational law firm was hit in the crossfire as Russia-backed ransomware spread, and Hiscox is reportedly declining to pay up citing an “act of war”.

Attack Surface Reduction By Dynamic Compilation (Nick Hutton’s Blog, Mar 21 2019)
Lines of code you’ll never use in your environment have no value. Worse than that, they’re just a source of vulnerability. Isn’t it time you evolved?

Norsk Hydro May Have Lost $40M in First Week After Cyberattack (SecurityWeek, Mar 26 2019)
Norwegian aluminum giant Norsk Hydro estimates that it may have lost more than $40 million in the first week following the ransomware attack that disrupted its operations.

Without data, your security strategy is just a guess.
The Mosaic Security Research Market Intelligence Platform provides the data you need for OWASP’s Cyber Defense Matrix. Learn a new way to conduct a strategy assessment.

FBI crackdown on DDoS-for-hire sites led to 85% slash in attack sizes (Naked Security – Sophos, Mar 21 2019)
According to a new report, average and maximum DDoS attack sizes decreased by 85.36% and 23.91%.

The death of the VPN – It’s time to say goodbye (SC Magazine, Mar 21 2019)
Zero trust architectures provide an alternative model for access where the users never gain excessive network layer access to a trusted corporate network because there is no trusted corporate network in this architecture. Instead, access decisions are moved up from the network layer to the application layer where much more granular access decisions are made based on a variety of data sources. Access is then mediated on an app-by-app basis predicated on a strong understanding of the user’s Identity and the minimal access required by Identity.

CEOs more likely to receive pay rise after a cyber attack. Wait, what? (Help Net Security, Mar 21 2019)
“In the long run security breaches appear to have a more significant impact on firms’ strategies and policies than their cash flow.”

Insurers Creating a Consumer Ratings Service for Cybersecurity Industry (WSJ, Mar 26 2019)
Some of the world’s biggest insurers plan to work together on an assessment of the best cybersecurity available to businesses, an unusual collaboration that highlights the rising dangers posed by digital hackers.

Trojan Horses for the Mind, Part 2 of Building Impactful Security Awareness Messaging (Infosec Island, Mar 27 2019)
Another reason to use repetition in the awareness context is that you are always battling the “decay of knowledge.” Simply stating something once will not likely have a lasting impact. As a result, your once-per-year training marathons are (sorry to say this) next to useless in shaping behavior. Instead, you need to adopt this mindset: If it is worth saying once, it is worth saying multiple times. If it is worth saying once, it is worth saying multiple times. If it is worth saying once, it is worth saying multiple times…

How to build an effective vulnerability management program (Help Net Security, Mar 26 2019)
CISOs should also be aware that an accurate, context-rich asset inventory can have a tremendous, positive impact on the effectiveness of their vulnerability management program.

Microsoft’s takedown of Iranian fake sites shows ‘creative lawyering,’ experts say (Washington Post, Mar 28 2019)
Instead of just reporting the issue to the FBI and waiting for the government’s help, Microsoft got the legal go-ahead to take action by citing violations of laws that were written long before the modern Internet. In this case, Microsoft argued Phosphorus was violating the Computer Fraud and Abuse Act and the Electronic Communications Privacy Act — both laws from the 1980s. The company also claimed Phosphorus was violating its trademarks because it was using Microsoft product names on its phony websites.

Experts to help boards tackle cybersecurity threats (Help Net Security, Mar 22 2019)
The Cyber Readiness for Boards project, which is jointly funded by the National Cyber Security Centre and the Lloyd’s Register Foundation, has launched to explore the factors shaping UK board decisions around cyber risk and develop interventions to provide guidance and support.

D.C. Attorney General Introduces New Data Security Bill (SecurityWeek, Mar 22 2019)
The attorney general for the District of Columbia on Thursday announced the introduction of a new bill that aims to expand data breach notification requirements and improve the way personal information is protected by organizations.

Global Security Spend Set to Grow to $133.8 Billion by 2022: IDC (SecurityWeek, Mar 21 2019)
Global spending on security-related hardware, software and services will grow at a compound annual growth rate (CAGR) of 9.2% between 2018 and 2022, to a total of $133.8 billion in 2022.

Under Attack: Over Half of SMBs Breached Last Year (Dark Reading, Mar 26 2019)
Many small and midsize businesses work faster and harder than large enterprises, but they’re just as vulnerable to cybercrime.

CFOs and CIOs must collaborate on digital transformation to remain competitive (Help Net Security, Mar 26 2019)
CFOs are shifting their priorities from cutting costs to rapidly investing in technology and data.

Supreme Court allows data breach lawsuit against Zappos to continue (SC Magazine, Mar 26 2019)
The U.S. Supreme Court has rejected an appeal from shoe retailer Zappos to quash a class action lawsuit brought against the company by those who had their PII exposed in that firm’s 2012 data breach. Zappos was attempting to overturn a decision made by a San Francisco-based appeals court…

GAO Finds Deficiencies in Systems for Handling National Debt (Dark Reading, Mar 27 2019)
IT systems at the Bureau of the Fiscal Service and the Federal Reserve Bank show vulnerabilities that could leave them open to exploitation and breach.

Polish Regulator Issues First GDPR Fine (Infosecurity Magazine, Mar 27 2019)
UODO slaps unnamed firm with £187K fine for failing to notify

UConn Health Center hit with $5M suit over breach (SC Magazine, Mar 27 2019)
The University of Connecticut Health Center is being hit with a class action lawsuit over a data breach that exposed 326,000 current and former patients. The lawsuit, which is seeking $5 million in damages, was filed last week on behalf of New London, Conn., resident Yoselin Martinez who alleges the university took months…

Algorithms can now find bugs in computer chips before they are made (Help Net Security, Mar 28 2019)
What’s more important is that they’ve shown that such security holes exist in a much wider spectrum of processors than previously thought, affecting not just high-end processors but even the simple processors that are omnipresent in numerous applications of daily life, such as in the Internet of Things.