A Review of the Best News of the Week on Cybersecurity Management & Strategy

A Cisco Router Bug Has Massive Global Implications (Wired, May 13 2019)
Researchers have discovered a way to break one of Cisco’s most critical security features, which puts countless networks at potential risk.

Feds charge Chinese national in 2015 breach of health insurer Anthem (Ars Technica, May 09 2019)
Federal prosecutors have indicted a Chinese national they say carried out sophisticated network intrusions on four US companies, including one on health insurer Anthem that stole personal information belonging to close to 80 million people.

Another Intel Chip Flaw (Schneier on Security, May 16 2019)
Remember the Spectre and Meltdown attacks from last year? They were a new class of attacks against complex CPUs, finding subliminal channels in optimization techniques that allow hackers to steal information. Since their discovery, researchers have found additional similar vulnerabilities. A whole bunch more have just been discovered.




Nasdaq Lawsuit Over Cybersecurity ETF Fees Goes to Trial (WSJ, May 13 2019)
Nasdaq’s lawsuit accusing a New Jersey company of stealing more than $1 billion in exchange-traded funds is set to come to trial Monday in New York.

Social Engineering Slams the C-Suite: Verizon DBIR (Dark Reading, May 08 2019)
Criminals are also going after cloud-based email accounts, according to Verizon’s ‘2019 Data Breach Investigations Report.’

Micro-Segmentation: A Solid Security Requirement in a Turbulent Environment (Infosecurity Magazine, May 10 2019)
While the demand for micro-segmentation is solid and clear, the compute environment of the enterprise is constantly changing and still going to change: moving from traditional virtualization (circa 2005) to SDN (the 2010’s) to public clouds, multi-clouds, micro services and back to a managed version of everything running inside each company’s own data center, managed by cloud providers. So how do you implement micro-segmentation in such a world?

Trump makes boldest strike yet to bar Chinese tech from U.S. (The Washington Post, May 16 2019)
The Trump administration took its most aggressive action to date Wednesday to bar Chinese companies from access to Americans’ sensitive data and digital systems.

Anti-virus vendors named in Fxmsp’s alleged source code breach respond (SC Magazine, May 14 2019)
McAfee, Symantec and Trend Micro are reportedly the anti-virus companies whose source code the cybercriminal group Fxmsp claims to have stolen. Comments issued by the vendors minimized the threat, although Trend Micro did confirm that a breach had occurred.

Baltimore Ransomware Attack Takes Strange Twist (Dark Reading, May 14 2019)
Tweet suggests possible screenshot of stolen city documents and credentials in the wake of attack that took down city servers last week.

Two Ransomware Recovery Firms Typically Pay Hackers (Dark Reading, May 15 2019)
Companies promising the safe return of data sans ransom payment secretly pass Bitcoin to attackers and charge clients added fees.

Equifax Says Cybersecurity Breach Has Cost $1.4 Billion (WABE, May 11 2019)
Equifax, the Atlanta credit bureau, revealed in its earnings release Friday that dealing with its 2017 cybersecurity incident has cost about $1.4 billion plus legal …

How Open Testing Standards Can Improve Security (Dark Reading, May 13 2019)
When creating security metrics, it’s critical that test methodologies cover multiple scenarios to ensure that devices perform as expected in all environments.

What CISOs should focus on when deciding on a strategy (Help Net Security, May 13 2019)
Most of these a CISO wants to witness trending down:
– The incidents/time
– The cost/incident
– The time to incident detection
– The time to incident close
– The number and severity of compliance audit findings (if there are no legal compliance requirements, audits can be made with a framework such as the NIST Cybersecurity Framework or CIS Critical Controls in mind)
– The number of risk management and compliance audit corrective actions.

3 months, 1900 reported breaches, 1.9 billion records exposed (Help Net Security, May 09 2019)
There were 1,903 publicly disclosed data compromise events in the first three months of the year, exposing over 1.9 billion records, according to Risk Based Security.

Symantec CEO Quits Unexpectedly, Stock Sinks After Missing Estimates (SecurityWeek, May 10 2019)
Symantec on Thursday announced that it appointed board member Richard Hill as interim chief executive officer and president after Greg Clark stepped down.

Selecting Enterprise Email Security: Detection Matters (Securosis Blog, May 09 2019)
As you are considering upgrading technologies to address these email threats, let’s focus on detection – the cornerstone of any email security strategy. To improve detection we need to address issues on multiple fronts.

GAO Makes Recommendations to Improve Security of Taxpayer Data (SecurityWeek, May 13 2019)
What it does not do, and currently believes it cannot do, is protect the information that is held by third-party tax preparers before it reaches the IRS. During 2018, 80.3 million tax returns were prepared and filed electronically in this manner, with a further 55.2 million prepared via tax preparation software.

Trump officials and lawmakers say China is the problem not Huawei (The Washington Post, May 15 2019)
If Huawei gains a foothold in U.S. allies’ 5G networks, the Chinese government could force the company to send software updates to spy on Western companies or sabotage critical infrastructure, Chris Krebs, director of the Homeland Security Department’s Cybersecurity and Infrastructure Security Agency, warned lawmakers during a Senate Judiciary Committee hearing Tuesday.

Crowdstrike files to go public — lost $140 million on $250 million in revenue last year (CNBC, May 14 2019)
In the year that ended on Jan. 31, Crowdstrike had a net loss of $140 million, while revenue more than doubled to $249.8 million, according to the company’s prospectus. A majority of the company’s sales comes through subscriptions sold to over 2,500 companies.

Migrating from Your SIEM to a New One (Gartner Blog Network, May 13 2019)
“Many years ago, in 2011, I wrote this blog post on SIEM migration, called “How to Replace a SIEM?” I was a consultant at that time and I helped some organizations to get rid of their dying SIEM products and to deploy new ones. Of course, in 2011 we had dying MARS (yup, that’s the one that can “mitigate” by messing up your router configs) and now we have … ahem … other products in focus …”