A Review of the Best News of the Week on Cybersecurity Management & Strategy

The Unsexy Threat to Election Security (Krebs on Security, Jul 25 2019)
Much has been written about the need to further secure our elections, from ensuring the integrity of voting machines to combating fake news. But according to a report quietly issued by a California grand jury this week, more attention needs to be paid to securing social media and email accounts used by election officials at the state and local level.

NSA to establish a defense-minded division named the Cybersecurity Directorate (ZDNet, Jul 23 2019)
The National Security Agency announced today plans to establish a new defense-minded cyber-security division that will focus on defending the US against foreign cyber-threats. This new division, which will be named the Cybersecurity Directorate, will become operational on October 1, later this year.

What You Should Know About the Equifax Data Breach Settlement (Krebs on Security, Jul 22 2019)
Big-three credit bureau Equifax has reportedly agreed to pay at least $650 million to settle lawsuits stemming from a 2017 breach that let intruders steal personal and financial data on roughly 148 million Americans. Here’s a brief primer that attempts to break down what this settlement means for you, and what it says about the value of your identity.

One of My Favorite Things
Since I started this curated newsletter in June 2017, I’ve clipped ~10,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

Share today’s post on Twitter Facebook LinkedIn

States don’t have enough money to secure the 2020 election, new report warns (Washington Post, Jul 18 2019)
States are barreling toward 2020 with major digital weaknesses in their election systems and not enough money to fix them, according to a report out today from four organizations focused on election security.

Hackers Expose Russian FSB Cyberattack Projects (Schneier on Security, Jul 22 2019)
More nation-state activity in cyberspace, this time from Russia: Per the different reports in Russian media, the files indicate that SyTech had worked since 2009 on a multitude of projects since 2009 for FSB unit 71330 and for fellow contractor Quantum.

UK barred from EU cybersecurity meeting: report (Politico, Jul 20 2019)
British officials did not attend discussion about Chinese tech giant Huawei.

Planning a Bug Bounty Program? Follow Shopify’s Example (Dark Reading, Jul 23 2019)
Four years, $1 million in payouts, and the identification of 950 bugs later, Shopify provides an excellent example for organizations looking to launch their own programs.

3 Takeaways from the First American Financial Breach (Dark Reading, Jul 26 2019)
Data leaks from business logic flaws are not well understood and difficult to identify before they reach production environments. Here’s how to find and prevent them.

Louisiana Declares Cybersecurity State of Emergency (Dark Reading, Jul 25 2019)
A series of attacks on school district systems leads the governor to declare the state’s first cybersecurity state of emergency.

Comparing 5G to Wi-Fi 6 from a security perspective (SC Magazine, Jul 22 2019)
Enterprise-grade Wi-Fi systems have proven to be secure for thousands of demanding customers across virtually all industries. With the recent hype around 5G and service providers promoting 5G as an alternative to Wi-Fi in the enterprise, it pays to understand how 5G security stacks up against Wi-Fi security.

How companies that buy cyber liability insurance can ensure they’re really insured (SC Magazine, Jul 23 2019)
Typically, there is a lot of overlap between cyber liability insurance policies. There might be between 50 to 70 questions per policy. Of these, 30 to 40 questions might, for example, be included in every policy, with each policy also including 10 to 20 questions unique to it alone. The system can be tailored so that if the business is shopping around for cyber liability insurance for the first time, all the questions can be included but if it is already using a specific insurance product, the company is just presented with the questions relevant to that policy.

Vigilante Hacker ‘Phineas Fisher’ Denies Working for the Russian Government (VICE, Jul 23 2019)
In a new book, a veteran cybersecurity reporter wrote that the infamous hacker who embarrassed surveillance vendors FinFisher and Hacking Team may be a Russian government agent. We caught up with Phineas Fisher and broke down the evidence.

FormGet Storage Bucket Leaks Passport Scans, Bank Details (Dark Reading, Jul 26 2019)
Exposed files include mortgage and loan information, passport and driver’s license scans, internal corporate files, and shipping labels.

Eight Steps to Migrate Your SIEM (Infosec Island, Jul 22 2019)
The migration of a legacy SIEM entails changes to a wide array of people, process and technology within an organization.

IBM: Breach Costs Impact Firms For Years (Infoscecurity Magazine, Jul 23 2019)
Latest study finds global average for losses creeps up to $3.92m

How to improve the hiring and retaining of infosec professionals? (Help Net Security, Jul 25 2019)
According to Forrester analysts, organizations must adopt more realistic expectations and more effective hiring practices:
-Don’t rely on experience and certifications, but on their ability and motivation to learn.
-Drop default requirements for college degrees (some big companies like Apple and Google already did that).

Intrusion Prevention System market to surpass $8.5 billion by 2025 (Help Net Security, Jul 24 2019)
The Intrusion Prevention System market is forecast to surpass $8.5 billion by 2025, after growing at a CAGR 13.7% during the forecast period 2019-2025, according to IndustryARC.

Fact vs Fiction: The Truth About Breach and Attack Simulation Tools (SecurityWeek, Jul 25 2019)
In 2017, a category called Breach and Attack Simulation (BAS) tools made its first appearance on the Gartner Hype Cycle for Threat-Facing Technologies, positioned as a technology on the rise. Since then, these tools have been…

Decision Fatigue is Real – In Life and In Security (SecurityWeek, Jul 25 2019)
Information overload is real and can have ripple effects. For millennials it can translate into not knowing which career path to take, where to live, how to manage money, even who to marry. For security professionals and the organizations they work for, it can mean missing damaging threats, burnout and turnover. Fortunately, if you start by paring down the amount of data to focus on what is relevant, you can overcome decision fatigue and move forward with confidence.

Facebook’s Ex-Security Chief Details His ‘Observatory’ for Internet Abuse (Wired, Jul 25 2019)
Alex Stamos’ Stanford-based project will try to persuade tech firms to offer academics access to massive troves of user data.