A Review of the Best News of the Week on Cybersecurity Management & Strategy

#BHUSA: Five Years of Google Project Zero Should Influence Similar Groups (Infosecurity Magazine, Aug 08 2019)
He explained that the research includes: 54% manual review, 37% fuzzing, and 8% other types of testing. He also said that part of performing vulnerability research is what new methodologies you can create that the researchers did not have access to previously, and by “writing an exploit, you’re walking in the shoes of an attacker.” The development of an exploit requires five steps

Symantec sells its name and enterprise security business to Broadcom (Help Net Security, Aug 09 2019)
Symantec announced it has entered into a definitive agreement to sell its Enterprise Security assets, which include the Symantec name, to semiconductor giant Broadcom, for $10.7 billion in cash.

‘NULL’ license plate gets security researcher $12K in tickets (Naked Security – Sophos, Aug 15 2019)
The vanity plate sounded good in theory: maybe it would make his plate invisible to ALPR systems?!

One of My Favorite Things
Since I started this curated newsletter in June 2017, I’ve clipped ~10,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

Share today’s post on Twitter Facebook LinkedIn

Why The FBI Arrested the Hacker Who Saved the World From WannaCry (VICE, Aug 08 2019)
He stopped a global ransomware heist, but the feds just wanted to flip him.

DEF CON Voting Village: It’s About ‘Risk’ (Dark Reading, Aug 12 2019)
DHS, security experts worry about nation-state or other actors waging a disruptive or other attack on the 2020 election to sow distrust of the election process.

iNSYNQ Ransom Attack Began With Phishing Email (Krebs on Security, Aug 09 2019)
“A ransomware outbreak that hit QuickBooks cloud hosting firm iNSYNQ in mid-July appears to have started with an email phishing attack that snared an employee working in sales for the company, KrebsOnSecurity has learned. It also looks like the intruders spent roughly ten days rooting around iNSYNQ’s internal network to properly stage things before unleashing the ransomware. iNSYNQ ultimately declined to pay the ransom demand, and it is still working to completely restore customer access to files.”

Woman accused of Capital One hack had stolen data from 30 companies, authorities say (Ars Technica, Aug 14 2019)
Thompson threatened "suicide by cop" and to shoot up a Silicon Valley office.

North Korean Cyber Ops Reportedly Stole $2B to Fund Weapons Programs (Dark Reading, Aug 07 2019)
Unlike many nations, North Korea often engages in cyber operations to generate much-needed cash for the country’s coffers. In that respect, its hackers have been extremely successful.

Choice Hotels Breach: Hackers Leave Ransom Note For 700K Records (Infosecurity Magazine, Aug 15 2019)
Third party exposed hotel chain’s data in MongoDB instance

How Behavioral Data Shaped a Security Training Makeover (Dark Reading, Aug 08 2019)
Their first step was to create a list of desired employee behaviors: handle sensitive data, patch, increase reporting, and use multifactor authentication and VPNs, said Elevate co-founder Masha Sedova. “If you had a magic wand, what would your employees be doing right now?” Sedova asked the audience. “These end up actually being mindsets; they’re not things you can measure in a tangible way.” This “master list” became a bank of open-ended behaviors they wanted to see.

New Vulnerability Risk Model Promises More-Efficient Security (Dark Reading, Aug 09 2019)
The Exploit Prediction Scoring System (EPSS) uses more than a dozen different factors in a model to predict the likelihood that a particular vulnerability will be exploited, and therefore should be given a higher remediation priority. Those factors include things like the CVE, CVSS score, exploits shown in proof-of-concepts, exploits in the wild, and tags for operating systems, vendors, and other variables.

FireEye Identifies Prolific Chinese Cyber-Threat Group (Infosecurity Magazine, Aug 08 2019)
APT41 has targeted various industries across multiple jurisdictions.

#BHUSA: Need For Technologists to Be Recognized and Empowered (Infosecurity Magazine, Aug 08 2019)
Francois said that there is a need to better prove the capabilities of technologists who serve the public interest. Schneier said: “We are seeing a lot more groups trying to bridge technology and policy and especially our area of tech security. Some is for fame and glory, some is for funding. Technologists want to do collaboration.”

CafePress Slammed After Major Breach Affecting 23 Million (Infosecurity Magazine, Aug 08 2019)
Exposed data included unique email addresses and passwords

#BSidesLV: I Am The Cavalry Reflect on Six Years of Achievement, More to Accomplish (Infosecurity Magazine, Aug 06 2019)
I Am the Cavalry reflect on six years of achievement and contemplate next steps

Cybersecurity staffers needed, no experience required (SC Magazine, Aug 07 2019)
The industry-wide shortage of trained cybersecurity personnel is not a new story, but Trustwave has begun to take a new approach to find not only trained cybersecurity staffers, but also those with no training or computer skills at all.

BA Under Fire For Leaking Passenger Info in Links (Infosecurity Magazine, Aug 14 2019)
Check-in links contained sensitive unencrypted details

#DEFCON: How the US’s CISA Works to Improve Election Security (Infosecurity Magazine, Aug 13 2019)
Members of NCATS outlined their mission and their challenges for election security.

Desjardins breach cost $53 million in Q2 (SC Magazine, Aug 13 2019)
A breach that exposed personally identifiable information (PII) on 2.9 million Desjardins customers cost the Canadian credit union $53 million in Q2.

Myers-Briggs Study Examines Employee Personality Traits and Cyber Behaviors (SecurityWeek, Aug 14 2019)
The study is a work in progress, but is already showing results. “For example,” said the company, “those with a preference for Introversion had a significantly higher score on Proactive security awareness than those with a preference for Extraversion.”