A Review of the Best News of the Week on Cybersecurity Management & Strategy

This is the biggest problem with cybersecurity research (The Washington Post, Apr 18 2019)
Want to know the most effective ways businesses defend themselves against hacking? Good luck.

How Not to Acknowledge a Data Breach (Krebs on Security, Apr 17 2019)
“I’m not a huge fan of stories about stories, or those that explore the ins and outs of reporting a breach. But occasionally I feel obligated to publish such accounts when companies respond to a breach report in such a way that it’s crystal clear they wouldn’t know what to do with a data breach if it bit them in the nose, let alone festered unmolested in some dark corner of their operations.”

‘WannaCry Hero’ Marcus Hutchins Pleads Guilty to Making Banking Malware (Motherboard, Apr 19 2019)
The researcher who helped stop the WannaCry ransomware pleaded guilty to two counts of hacking for writing banking malware in 2014.

Federal CISO floats potential for new supply chain regs (FCW, Apr 16 2019)
Federal Chief Information Security Officer Grant Schneider questioned whether the U.S. government and suppliers have even worked out a successful model to weigh security risks in purchasing and acquisition. Such a model, he said, would naturally lead individuals, the private sector and federal agencies to discriminate against low-cost, low-security parts and components in favor of costlier, more secure ones.

A “Department of Cybersecurity” (Schneier on Security, Apr 17 2019)
“Presidential candidate John Delaney has announced a plan to create a Department of Cybersecurity. I have long been in favor of a new federal agency to deal with Internet — and especially Internet of Things — security. The devil is in the details, of course, and it’s really easy to get this wrong.”

Documenting Breaches With H Diagrams (Nick Hutton’s Blog, Apr 17 2019)
The value of Feynman’s diagrams was that they simplified complex equations. Not only did his doodles convey helpful information, they were derived from real theories about the way particles interact. They were rooted in measurable, observable phenomena. How can we make our breach diagrams more than just doodles, more than just simplified infographics or timelines? How can they become a tool as well as a visual representation?

Selecting Enterprise Email Security: Introduction (Securosis Blog, Apr 23 2019)
“We can joke a bit about the Groundhog Day nature of email security, but let’s acknowledge that the industry’s made progress. Email providers (including Microsoft and Google) take security far more seriously, bundling detection capabilities into their base email SaaS offerings. Although not the best (we’ll dig into that later in this series), we prefer even mediocre security built-in to none at all.”

Another European manufacturer crippled by ransomware (Help Net Security, Apr 25 2019)
Aebi Schmidt, a Switzerland-based manufacturer and provider of municipal and agriculture machinery, has apparently been hit by ransomware. What happened? “Due to an IT system failure, the Aebi Schmidt Group can temporarily neither receive nor send emails,” the company announced on Thursday.

DNS over HTTPS is coming whether ISPs and governments like it or not (Naked Security – Sophos, Apr 24 2019)
DNS over HTTPS (DoH), backed by Google, Mozilla and Cloudflare, is about to make web surveillance a lot more difficult.

Hacking Team’s New Owner: ‘We’re Starting From Scratch’ (Motherboard, Apr 18 2019)
The head of Memento Labs, the new company that acquired infamous spyware vendor Hacking Team, admitted there’s a lot to do to recover after the 2015 breach and the damage to its reputation. But he believes it can compete against market leader NSO Group.

Why a hacking operation by a proto-state in Ukraine could spell trouble for the U.S. (The Washington Post, Apr 17 2019)
The Luhansk People’s Republic, a region that has claimed independence from Ukraine with the backing of Russia’s military, isn’t recognized by the United States, the European Union or NATO. But it has a hacking army and it’s targeting the Ukrainian government and military, according to new research from the cybersecurity company FireEye.

One hundred percent of endpoint security tools eventually fail (Help Net Security, Apr 18 2019)
The complexity of endpoint device controls creates a false sense of security among organizations while, in reality, causing security gaps and significant risks due to regular and reliable tool failure. Staggering findings on endpoint security degradation include:
– 42 percent of all endpoints are unprotected at any given time
– Two percent of endpoint agents fail per week, meaning 100 percent of endpoint security tools eventually fail — no tool is immune

Two Charged with Economic Espionage, GE Trade Secret Theft (Dark Reading, Apr 24 2019)
A US national and Chinese national have been charged with conspiring to steal General Electric’s trade secrets surrounding turbine technologies.

Who’s Behind the RevCode WebMonitor RAT? (Krebs on Security, Apr 22 2019)
“The owner of a Swedish company behind a popular remote administration tool (RAT) implicated in thousands of malware attacks shares the same name as a Swedish man who pleaded guilty in 2015 to co-creating the Blackshades RAT, a similar product that was used to infect more than half a million computers with malware, KrebsOnSecurity has learned.”

Ramblings of a Recovering Academic on the So-Called Lack of Security Talent (Dark Reading, Apr 25 2019)
Hiring for security is difficult, as many surveys show. But what the research doesn’t explain is the “why” – and a lack of talent may not be the sole reason.

Symantec joins the DIB CS program to share threat information between DOD and industry (Help Net Security, Apr 23 2019)
Symantec announced it has become a member of the United States Department of Defense’s (DOD) Defense Industrial Base (DIB) Cybersecurity (CS) program.

Indeed.com: Slight Dip in Clicks on US Cybersecurity Job Listings (Dark Reading, Apr 25 2019)
Meanwhile, most of the highest-paying positions pay more than $100K, according to new analysis from the job posting site.

Malware attack rains on Weather Channel’s parade, disrupts live broadcast (SC Magazine, Apr 18 2019)
The Weather Channel is blaming a “malicious software” attack for knocking its live morning broadcast off the air for approximately one hour and 39 minutes.

Fortinet Settles Whistleblower Case for $545,000 (SecurityWeek, Apr 17 2019)
The lawsuit alleged that Fortinet had supplied mislabeled goods manufactured in countries including China, falsely representing that the goods were in compliance with the U.S. Trade Agreements Act (TAA).

The Cybersecurity Automation Paradox (Dark Reading, Apr 18 2019)
Recent studies show that before automation can reduce the burden on understaffed cybersecurity teams, they need to bring in enough automation skills to run the tools.