A Review of the Best News of the Week on Cybersecurity Management & Strategy

Hackers Steal and Ransom Financial Data Related to Some of the World’s Largest Companies (Motherboard, Apr 30 2019)
The data was stolen from Citycomp, which provides internet infrastructure for dozens of companies including Oracle, Airbus, Toshiba, and Volkswagen.

GE trade secret theft case demonstrates need for document behavior monitoring (Help Net Security, Apr 29 2019)
A former GE engineer and a Chinese national have been formally charged with 14 counts of economic espionage by the U.S. Department of Justice after stealing trade secrets from GE. The indictment describes the calculated theft of sensitive documents related to the proprietary design of GE’s gas and steam turbines.

Here are the 55 things the U.S. government most needs to protect against cyberattacks (The Washington Post, Apr 30 2019)
The Department of Homeland Security is releasing today a list of 55 things the government most needs to protect from digital attacks. The government believes that a cyberattack on any of these government or private sector services or functions could have a “debilitating effect” on national security, the U.S. economy or public health.

55% of SMBs Would Pay Up Post-Ransomware Attack (Dark Reading, Apr 25 2019)
The number gets even higher among larger SMBs.

US Government halves deadline for applying critical patches to 15 days (Naked Security – Sophos, May 02 2019)
US federal agencies must fix their security bugs twice as quickly under new rules issued by the Department of Homeland Security (DHS).

Credit Union Sues Fintech Giant Fiserv Over Security Claims (Krebs on Security, May 03 2019)
“A Pennsylvania credit union is suing financial industry technology giant Fiserv, alleging that ‘baffling’ security vulnerabilities in the company’s software are ‘wreaking havoc’ on its customers. The credit union said the investigation that fueled the lawsuit was prompted by a 2018 KrebsOnSecurity report about glaring security weaknesses in a Fiserv platform that exposed personal and financial details of customers across hundreds of bank Web sites.”

The leading sources of stress for cybersecurity leaders? Regulation, threats, skills shortage (Help Net Security, Apr 29 2019)
Four in five (82 percent) security leaders across France, Germany and the UK report feeling burned out, whilst just under two-thirds think about leaving the industry (63 percent) or quitting their job (64 percent).

SEC demands better disclosure for cybersecurity incidents and threats (Help Net Security, Apr 30 2019)
One of the highlights of the 2018 guidance is the issue of materiality. In the past, when companies filed disclosures required by the Securities Act of 1933 and the Securities Exchange Act of 1934, they may have disclosed cybersecurity risks and incidents on a periodic basis or when issues became “material”—significant enough to disclose—delaying disclosure when an incident was still under investigation.

Cybersecurity for the Public Interest (Schneier on Security, May 03 2019)
“The Crypto Wars have been waging off-and-on for a quarter-century. On one side is law enforcement, which wants to be able to break encryption, to access devices and communications of terrorists and criminals. On the other are almost every cryptographer and computer security expert, repeatedly explaining that there’s no way to provide this capability without also weakening the security of every user of those devices and communications systems.”

ASUS Not Alone in ShadowHammer Supply Chain Attack (Infosecurity Magazine, Apr 25 2019)
Researchers say at least six other organizations were also infiltrated in supply chain attacks.

Towards an Information Operations Kill Chain (Schneier on Security, Apr 26 2019)
On a similar note, it’s time to conceptualize the “information operations kill chain.” Information attacks against democracies, whether they’re attempts to polarize political processes or to increase mistrust in social institutions, also involve a series of steps. And enumerating those steps will clarify possibilities for defense.

Security Experts Unite Over the Right to Repair (Wired, Apr 30 2019)
Securepairs.org is pushing back against a tech industry that wants independent repair legislation to be scary.

A ‘Cyber Event’ Disrupted the Power Grid in California and Wyoming, But Don’t Panic Just Yet (Motherboard, Apr 30 2019)
The Department of Energy says a “cyber event” disrupted operations in California, Wyoming, and Utah last month. But it’s unclear if hackers were behind it.

DHS policies allow unlimited, warrantless device search (Naked Security – Sophos, May 02 2019)
Newly revealed policies show border agents can search devices for pretty much any reason, including if some other agency asked them to.

Norsk Hydro Says Cyber Attack Cost It Around $50 Mln (SecurityWeek, Apr 30 2019)
Global aluminium producer Norsk Hydro on Tuesday put the cost of a cyber attack targeting the Norwegian company in March at around $50 million.

The key lessons of the Triton malware cyberattack you need to learn (ZDNet, Apr 30 2019)
“Network segregation can help you avoid this happening. You should be separating them logically, but also based on criticality and by following industry best practice and industry standards,” Caban explains. “You should also consider directional gateways so it’s not possible to move certain ways.”
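One way to put Caban’s three points (logical separation, separation by criticality, and direction-enforcing gateways) into a concrete policy, as an added example that is not from the ZDNet article or from Caban: an nftables ruleset for a firewall sitting between corporate IT, an industrial DMZ, the OT control network and a separate safety-system zone (Triton’s target was a safety instrumented system, so that zone gets the strictest treatment). All subnets, host addresses and ports below are assumptions chosen for illustration. A stateful firewall only controls which side may initiate a connection; it is not a true unidirectional gateway (data diode), which enforces one-way flow physically.

```nftables
# Added example (not the article's or Caban's): zone-based segmentation policy.
# Subnets, host addresses and ports are assumptions for illustration.
define IT_NET   = 10.10.0.0/16       # corporate IT: lowest criticality
define DMZ_NET  = 10.20.0.0/24       # industrial DMZ: historian replica, jump host
define OT_NET   = 192.168.100.0/24   # control network: PLCs, HMIs, engineering workstations
define SIS_NET  = 192.168.200.0/24   # safety instrumented system: highest criticality
define HISTORIAN = 10.20.0.10        # historian replica in the DMZ (assumed)
define JUMPHOST  = 10.20.0.20        # DMZ jump host (assumed)
define EWS       = 192.168.100.50    # OT engineering workstation (assumed)

table inet segmentation {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Stateful: replies flow back only for connections accepted below, so the
        # side named as "saddr" in each rule is the only side that may initiate.
        ct state established,related accept
        ct state invalid drop

        # OT -> DMZ: the control network pushes process data to the historian
        # replica (assumed OPC UA on tcp/4840). Nothing in the DMZ initiates toward OT.
        ip saddr $OT_NET ip daddr $HISTORIAN tcp dport 4840 accept

        # IT -> DMZ: business users read the replica and reach the jump host.
        # There is deliberately no rule for IT -> OT in either direction.
        ip saddr $IT_NET ip daddr $HISTORIAN tcp dport 4840 accept
        ip saddr $IT_NET ip daddr $JUMPHOST  tcp dport 22   accept

        # DMZ jump host -> one OT workstation only, every session logged. This is
        # the single inbound path into OT; drop this rule and OT is write-only
        # outward, the closest a layer-3/4 firewall gets to a one-way gateway.
        ip saddr $JUMPHOST ip daddr $EWS tcp dport 3389 log prefix "jump->ews " accept

        # Safety zone: not reachable from any other zone through this firewall,
        # and it may not initiate anything either. Attempts are logged.
        ip daddr $SIS_NET log prefix "sis-inbound-blocked " drop
        ip saddr $SIS_NET log prefix "sis-outbound-blocked " drop

        # Anything else, including any OT <-> IT traffic, falls to the drop policy.
        log prefix "segmentation-drop " drop
    }
}
```

Load with `nft -f <file>` on the segmenting firewall, then verify from each zone that only the listed initiations succeed (for example, an IT host must fail to open any port on an OT address, and an OT host must fail to reach IT). The logged prefixes give the SOC a direct signal for lateral-movement attempts between zones, which is the detection side of the lesson the article draws.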

UK Defense Secretary Sacked Over Huawei Leak (Infosecurity Magazine, May 02 2019)
Opposition parties are calling for a criminal inquiry after the UK defense secretary was sacked for allegedly leaking news of the government’s decision to allow Huawei to supply parts of its 5G network.

Hackers Had Access to Citrix Network for Five Months (SecurityWeek, May 01 2019)
Software giant Citrix has shared more information about the recent data breach and it appears the hackers had access to the company’s network for roughly five months.

Hacktivists Are on the Rise—but Less Effective Than Ever (Wired, May 02 2019)
Groups like Anonymous are still trying to make waves in Sudan and elsewhere, but the old tools don’t work as well as they used to.

Why Isn’t GDPR Being Enforced? (Schneier on Security, May 02 2019)
Politico has a long article making the case that the lead GDPR regulator, Ireland, has too cozy a relationship with Silicon Valley tech companies to effectively regulate their privacy practices.