A Review of the Best News of the Week on Cybersecurity Management & Strategy

A Year Later, Cybercrime Groups Still Rampant on Facebook (Krebs on Security, Apr 08 2019)
“Almost exactly one year ago, KrebsOnSecurity reported that a mere two hours of searching revealed more than 100 Facebook groups with some 300,000 members openly advertising services to support all types of cybercrime, including spam, credit card fraud and identity theft. Facebook responded by deleting those groups. Last week, a similar analysis led to the takedown of 74 cybercrime groups operating openly on Facebook with more than 385,000 members.”

Mysterious Hackers Hid Their Swiss Army Spyware for 5 Years (Wired, Apr 09 2019)
The TajMahal spyware includes more than 80 distinct spy tools, and went undetected for five years.

Hackers attacked California DMV voter registration system marred by bugs, glitches (LA Times, Apr 12 2019)
Programmers warned that the 2018 launch of California’s “motor voter” system could be a debacle, but state officials rolled it out anyway, according to interviews and an exclusive Times review of documents. The launch occurred even after engineers detected signs of an international hacking attempt.

Nielsen departure could deal a blow to Trump administration’s cybersecurity efforts (Washington Post, Apr 08 2019)
Nielsen made cybersecurity a priority at DHS, frequently describing cyberattacks as a greater danger to the nation than terrorism. She lobbied industry to help government fight digital attacks from China and Russia.

Insights gained from working on more than 750 cybersecurity incidents (Help Net Security, Apr 08 2019)
Now in its fifth consecutive year as the only report of its kind produced by a law firm, the report includes metrics related to key incident response areas of concern for entities of all sizes and across all industries.

Microsoft lets Windows users off the update leash (Naked Security – Sophos, Apr 08 2019)
Microsoft has announced some big changes that will finally give Windows users more control over updates and releases.

Cost of Data Breach in UK Increases More Than 41% in Two Years (SecurityWeek, Apr 08 2019)
Two results stand out in this survey. In general, the number of breaches is down on those from 2018; and the majority of firms have indicated GDPR-motivated security improvements.

With $600 Million Cybersecurity Budget, JPMorgan Chief Endorses AI and Cloud (SecurityWeek, Apr 08 2019)
Cybersecurity, he says, “may very well be the biggest threat to the U.S. financial system;” but he sees hope in the increasing mobilization of both industry and the federal government to combat the threat. The bank spends around $600 million every year on its security efforts, and employs around 3,000 people involved with cybersecurity.

Hey Secret Service: Don’t Plug Suspect USB Sticks into Random Computers (Schneier on Security, Apr 09 2019)
He stated that when another agent put Zhang’s thumb drive into his computer, it immediately began to install files, a “very out-of-the-ordinary” event that he had never seen happen before during this kind of analysis. The agent had to immediately stop the analysis to halt any further corruption of his computer, Ivanovich testified.

DHS, FBI say election systems in all 50 states were targeted in 2016 (Ars Technica, Apr 10 2019)
Joint Intelligence Bulletin issued in March says Russian hacking efforts were wide-ranging.

Vendor risk management programs are running harder just to stay in place (Help Net Security, Apr 11 2019)
“The threat landscape is evolving daily, and new risk vectors – from nation state bad actors, data thefts and high-impact cyberattacks to business model viability and regulatory non-compliance – are making comprehensive vendor risk management programs all the more crucial to organizational stability and continuity…”

Google extends its BeyondCorp security model to G Suite (TechCrunch, Apr 10 2019)
BeyondCorp is Google’s model for securing networks not just through VPNs and other endpoint security techniques, but through a model that focuses on context-aware access policies that focus on the user’s identity, hardware and the context of the request. That has been Google’s internal security policy for a while now and over the last few months, it started bringing it to its own customers, too, starting with its Cloud Identity-Aware Proxy, which is now generally available, and its VPC Service Controls.

Motel 6 to pay $12M for sharing guest info with ICE (SC Magazine, Apr 05 2019)
Motel 6 will pay a $12 million settlement to Washington state after employees at several of the chain’s locations shared information – without a warrant – on 80,000 guests in the state with Immigration and Customs Enforcement (ICE) over a two-year period.

UK government proposes sweeping new regulations of online content (Ars Technica, Apr 08 2019)
Companies could face fines if they fail to take down content quickly.

Craigslist Founder Funds Security Toolkit for Journalists, Elections (Dark Reading, Apr 09 2019)
The free tools will be developed by the Global Cyber Alliance to monitor election infrastructure and processes in the runup to the 2020 Presidential election.

Yahoo tries to settle 3-billion-account data breach with $118 million payout (Ars Technica, Apr 10 2019)
Verizon-owned Yahoo boosted offer after judge rejected first settlement.

There are even fewer women in U.S. government cybersecurity than there are globally (Washington Post, Apr 10 2019)
Cybersecurity is notorious for being a male-dominated field. But the U.S. government has an even smaller percentage of women working in cybersecurity jobs than the global average of women working in the field. About 11 percent of U.S. federal, state and local government cybersecurity pros are women, according to data provided to me by (ISC)², a nonprofit organization that provides cybersecurity certifications.

When Your Sandbox Fails (Dark Reading, Apr 11 2019)
The sandbox is an important piece of the security stack, but an organization’s entire strategy shouldn’t rely on its ability to detect every threat. Here’s why.

High-rolling hacker jailed after launching malware attacks via porn websites (TechCrunch, Apr 11 2019)
A British man has been jailed for over six years after exploiting ad networks on pornographic websites to spread malware onto innocent users’ computers.