A Review of the Best News of the Week on Cybersecurity Management & Strategy

Facebook Boss Calls for Greater Internet Regulation (Infosecurity Magazine, Apr 01 2019)
Zuckerberg pre-empts government intervention with his own suggestions

Towards better vendor security assessments (Dropbox Tech Blog, Apr 01 2019)
“[W]e’re sharing the results of an experiment to improve vendor security assessments—directly codifying reasonable security requirements into our vendor contracts. We’re also sharing our model security legal terms and making them freely available for anyone to use and modify. We hope that more companies adopting this approach will help incentivize vendors to prioritize security and lead to broader security improvements among vendors. Would Dropbox sign these security terms when we are the vendor in question? Of course! We can only demand our vendors commit to a top-tier security posture if we have done the same ourselves.”

Chinese woman arrested with malware-laced thumb drive after illegally entering Mar-a-Lago (SC Magazine, Apr 03 2019)
A Chinese national was arrested after she illegally entered President Trump’s Mar-a-Lago resort in Florida March 30 and was found to be carrying a thumb drive containing malware as well as a laptop, a “hard drive type” device and four cell phones.
Former NSA spies hacked BBC host, Al Jazeera chairman for UAE (Reuters, Apr 02 2019)
A team of former NSA cyber spies helped the United Arab Emirates break into the iPhones of at least 10 media figures, Reuters finds

NIST cybersecurity resources for smaller businesses (WeLiveSecurity, Apr 04 2019)
How can smaller businesses address their cybersecurity risks without the resources of large organizations?

States spent just a fraction of $380 million in election security money before midterms (Washington Post, Apr 05 2019)
Congress scrambled in early 2018 to deliver a surge in election security money before the midterms. But it turns out that states only spent about 8 percent of the $380 million Congress approved by the time the elections rolled around.

CIOs admit certificate-related outages routinely impact critical business applications and services (Help Net Security, Mar 29 2019)
Certificate-related outages harm the reliability and availability of vital network systems and services while also being extremely difficult to diagnose and remediate. Unfortunately, the vast majority of businesses routinely suffer from these events.

Companies will stop storing data in Australia, Microsoft warns (Naked Security – Sophos, Mar 29 2019)
Australia’s controversial anti-encryption laws came under independent scrutiny this week as tech leaders criticized the proposed rules.

Saudis hacked Jeff Bezos’s personal data, probe finds (SC Magazine, Apr 01 2019)
Saudi Arabia’s government gleaned private information from Amazon CEO Jeff Bezos’s phone, security consultant Gavin de Becker said, based on his investigation into how texts and intimate photos from Bezos’s phone made their way to the National Enquirer.

A v-CISO’s Take on the 5 Issues Facing Cybersecurity (SC Magazine, Apr 01 2019)
In just 20 years, we’ve seen the cybersecurity field grow from virtually non-existent into a $120 billion industry. But no matter how much it grows, it still feels like the bad guys are always two steps ahead. Why? Because our adversaries are, in fact, at an advantage.

Insurance Companies collaborate to offer cybersecurity ratings (SC Magazine, Mar 29 2019)
In a collaborative effort, some of the world’s largest insurers have set out to create a consumer ratings service for the cybersecurity industry. The initiative, launched Tuesday and set to be led by Marsh & McLennan, will attempt to score the best products for reducing hacking risks and will create an assessment of the best cybersecurity offerings available to businesses, according to the Wall Street Journal.

Man Behind Fatal ‘Swatting’ Gets 20 Years (Krebs on Security, Mar 29 2019)
“Tyler Barriss, a 26-year-old California man who admitted making a phony emergency call to police in late 2017 that led to the shooting death of an innocent Kansas resident, has been sentenced to 20 years in federal prison.”

Michigan medical practice folds after ransomware attack (SC Magazine, Apr 02 2019)
A Battle Creek, Mich. medical practice is being forced to shut its doors after cyberattackers wiped out its files when the firm refused to pay a ransom. Brookside ENT and Hearing Center’s Dr. William Scalf told wwmt.com the center was hit with ransomware which locked up its files and presented the practice with a $6,500…

Security Policy Management Firm Tufin Sets Terms for IPO (SecurityWeek, Apr 02 2019)
Tufin, which has been approved for listing on the New York Stock Exchange as TUFN, plans on offering 7,700,000 ordinary shares at $12-14 per share. The company hopes to raise over $100 million and is seeking a valuation of $500 million.

Canadian Police Raid ‘Orcus RAT’ Author (Krebs on Security, Apr 02 2019)
“Canadian police last week raided the residence of a Toronto software developer behind “Orcus RAT,” a product that’s been marketed on underground forums and used in countless malware attacks since its creation in 2015. Its author maintains Orcus is a legitimate Remote Administration Tool that is merely being abused, but security experts say it includes multiple features more typically seen in malware known as a Remote Access Trojan.”

Bayer Confirms Cyber Attack But Says No Data Stolen (SecurityWeek, Apr 04 2019)
German chemicals giant Bayer confirmed Thursday reports it had suffered a hacking attack, but insisted that so far no data appeared to have been stolen.

Organizations still use low levels or no automation of key security and incident response tasks (Help Net Security, Apr 04 2019)
As the study demonstrates, cybersecurity professionals are turning their focus to SOAR in their search for a solution that will not only answer the immediate need to overcome the current resource and skills gap, but also enhance security operations in the years to come.

Addressing the Challenges of Moving Security to the Edge (SecurityWeek, Apr 04 2019)
“the best approach is to develop a comprehensive and adaptable security fabric that can simply be extended to include new network environments without sacrificing any of the functionality and interoperability provided by security devices deployed elsewhere—nor give up any of the visibility and centralized orchestration and control that keeps a comprehensive security strategy manageable and cost effective.”

Facebook Let Dozens of Cybercrime Groups Operate in Plain Sight (Wired, Apr 05 2019)
Who needs the dark web? Researchers found 74 groups offering stolen credit cards and hacking tools with simple Facebook searches.

Unhackable Cryptography? (Schneier on Security, Apr 05 2019)
A recent article overhyped the release of EverCrypt, a cryptography library created using formal methods to prove security against specific attacks. The Quanta Magazine article sets off a series of “snake-oil” alarm bells. The author’s GitHub README is more measured and accurate, and illustrates what a cool project this really is. But it’s not “hacker-proof cryptographic code.”