A Review of the Best News of the Week on Cybersecurity Management & Strategy

NY Investigates Exposure of 885 Million Mortgage Documents (Krebs on Security, May 31 2019)
“New York regulators are investigating a weakness that exposed 885 million mortgage records at First American Financial Corp. [NYSE:FAF] as the first test of the state’s strict new cybersecurity regulation. That measure, which went into effect in March 2019 and is considered among the toughest in the nation, requires financial companies to regularly audit and report on how they protect sensitive data, and provides for fines in cases where violations were reckless or willful.”

Alex Stamos on Content Moderation and Security (Schneier on Security, May 29 2019)
Really interesting talk by former Facebook CISO Alex Stamos about the problems inherent in content moderation by social media platforms. Well worth watching….

Security pros divided over NSA’s responsibility for Baltimore hack (The Washington Post, May 28 2019)
Many security researchers, however, say the real problem isn’t with the NSA. They say that hacking victims like Baltimore still haven’t taken sufficient measures against EternalBlue two years after it first leaked — and aren’t using a software patch released by Microsoft to protect themselves.


One of My Favorite Things
Since I started this curated newsletter in June 2017, I’ve clipped ~10,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

Federal cybersecurity agency on the way? (CSO Online, May 28 2019)
As human activity migrates into the online space, keeping the bad guys from mucking it all up becomes paramount. Does that mean it’s time for a federal cybersecurity agency?

FireEye Buys Verodin for $250 Million (Dark Reading, May 28 2019)
Acquisition of security instrumentation firm will add more than $70 million to 2020 billing, FireEye estimates.

Flipboard Confirms Two Hacks, Prompts Password Resets (Dark Reading, May 29 2019)
The company reports two incidents affected a subset of its users and is resetting passwords for involved accounts.

Threat Intelligence Firm Recorded Future Acquired for $780 Million (SecurityWeek, May 30 2019)
Threat intelligence provider Recorded Future announced on Thursday that Insight Partners has agreed to acquire a controlling interest in the company, in addition to the minority stake previously owned by Insight. The all-cash transaction values Recorded Future at more than $780 million.

The aftermath of a data breach: A personal story (WeLiveSecurity, May 30 2019)
Criminals used my account to launder credit card transactions into cash, at least where the company they transacted with was willing to refund.

Know Your Limitations (TaoSecurity, May 29 2019)
“here I argue that if you are unable to securely operate information technology that matters, then you should not be supporting that IT.”

Japan to Restrict Foreign Tech Investment on Security Fears (Information Security, May 28 2019)
The Japanese government is set to restrict foreign ownership of domestic firms in key tech areas on national security grounds, in a move which echoes America’s recent attempts to restrict Chinese companies.

US Senate passes anti-robocalling bill (Naked Security – Sophos, May 28 2019)
The TRACED Act was a slam dunk in the Senate, where it passed with an overwhelming 97-1 vote.

Selecting Enterprise Email Security: the Buying Process (Securosis Blog, May 28 2019)
“To wrap up this series we will bring you through a process of narrowing down the shortlist and then testing products and/or services in play. With email it’s less subjective because malicious email is… well, malicious. But given the challenges of policy management at scale (discussed in our last post), you’ll want to ensure a capable UX and sufficient reporting capabilities as well.”

Democratic base fired up by effort to ban Internet-connected voting machines (The Washington Post, May 30 2019)
As the 2020 election approaches, voting security groups are trying to rally the public behind an effort to ban Internet connections from U.S. voting machines that could be hacked by Russia and other foreign adversaries.

Majority of CISOs plan to ask for an increase in cybersecurity investment (Help Net Security, May 30 2019)
Most CISOs of financial institutions (73 percent) plan to ask their organization’s CFO for an increase in cybersecurity investments in the next year, according to the Financial Services Information Sharing and Analysis Center (FS-ISAC), an industry consortium dedicated to reducing cyber-risk in the global financial system.

Structural integrity: Quantifying risk with security measurement (Help Net Security, May 29 2019)
How a winning security metrics strategy aligns with the business’ goals and objectives, and a framework for developing that metrics strategy.

Analysis Shows Poor GDPR Compliance in European Websites (SecurityWeek, May 30 2019)
Marking the one-year anniversary of GDPR coming into force (May 25, 2018), a web-scanning service has analyzed the visible GDPR compliance of the 100 most popular websites in each of the 28 European member states. The scan is non-intrusive. As a result, it cannot say that an organization is compliant (non-compliance can occur deep in the system), but it can say if an organization is not compliant simply by examining the parts that are visible over the internet.

Canada Uses Civil Anti-Spam Law in Bid to Fine Malware Purveyors (Krebs on Security, May 30 2019)
“Canadian government regulators are using the country’s powerful new anti-spam law to pursue hefty fines of up to a million dollars against Canadian citizens suspected of helping to spread malicious software.”

Fraudulent Academic Papers (Schneier on Security, May 30 2019)
“The trends fostering fake news are more general, though, and we need to start thinking about how it could affect different areas of our lives. In particular, I worry about how it will affect academia. In addition to fake news, I worry about fake research.”

Enterprise cybersecurity startup BlueVoyant raises $82.5M at a $430M+ valuation (TechCrunch, May 30 2019)
New York startup called BlueVoyant — which provides managed security, professional services and, most recently, threat intelligence — has picked up $82.5 million in a Series B round of funding at a valuation in excess of $430 million.

Foreign spies may be hiding in your VPN, warns DHS (Naked Security – Sophos, May 31 2019)
Many people do trust their VPN provider. A lot. Unfortunately, some of them shouldn’t, going by what a Department of Homeland Security (DHS) higher-up recently said.