A Review of the Best News of the Week on Cybersecurity Management & Strategy

Huge Survey of Firmware Finds No Security Gains in 15 Years (The Security Ledger, Aug 15 2019)
A survey of more than 6,000 firmware images spanning more than a decade finds no improvement in firmware security and lax security standards for the software running connected devices by Linksys, N…

VMware Plans $2.1bn Carbon Black Acquisition (Infosecurity Magazine, Aug 23 2019)
Carbon Black will become VMware’s Security Business Unit

Breach at Hy-Vee Supermarket Chain Tied to Sale of 5M+ Stolen Credit, Debit Cards (Krebs on Security, Aug 22 2019)
“On Tuesday of this week, one of the more popular underground stores peddling credit and debit card data stolen from hacked merchants announced a blockbuster new sale: More than 5.3 million new accounts belonging to cardholders from 35 U.S. states. Multiple sources now tell KrebsOnSecurity that the card data came from compromised gas pumps, coffee shops and restaurants operated by Hy-Vee, an Iowa-based company that operates a chain of more than 245 supermarkets throughout the Midwestern United States.”

One of My Favorite Things
Since I started this curated newsletter in June 2017, I’ve clipped ~10,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

Share today’s post on Twitter Facebook LinkedIn

68% of Companies Say Red Teaming Beats Blue Teaming (Dark Reading, Aug 15 2019)
The majority of organizations surveyed find red team exercises more effective than blue team testing, research shows.

Kentucky official says counties can’t upgrade cybersecurity because they’re ‘severely under resourced’ (CNN, Aug 15 2019)
A top Kentucky election official said Thursday that counties there are “severely under resourced,” affecting their abilities to provide adequate cybersecurity. “Most of us cannot compel our local election jurisdictions to update their equipment,” said Jared Dearing, executive director of the Kentucky State Board of Elections, before an Elections Assistance Commission panel in Silver Spring.

How Huawei helped extend China’s repressive view of Internet freedom to African nations (The Washington Post, Aug 15 2019)
U.S. officials who argue Huawei can’t be trusted to play a major role in building global 5G telecommunications networks got another boost Wednesday when the Wall Street Journal reported that the Chinese telecom company helped two African governments spy on dissidents.

Court orders Georgia to replace DRE voting machines with paper ballot systems by 2020 presidential primary (SC Magazine, Aug 16 2019)
While a U.S. District Court judge has rebuffed attempts to move Georgia’s fall municipal elections to paper ballots, she did order the state to replace its direct recording electronic (DRE) voting machines with paper ballot systems by its March 24 presidential primary.

We Asked Def Con Attendees Why People Are Still Getting Hacked (VICE, Aug 16 2019)
The cybersecurity industry is worth billions of dollars, and tens of thousands of people attend Black Hat and Def Con every year. So, are we getting any safer?

Badge life: The story behind DEFCON’s hackable crystal electronic badge (Ars Technica, Aug 21 2019)
Original DEFCON hackable badge creator Joe “Kingpin” Grand gives Ars the story behind his comeback.

Vast majority of newly registered domains are malicious (SC Magazine, Aug 22 2019)
Newly registered domains (NRDs) are created at the astounding rate of about 200,000 every day and a recent report indicates that 70 percent of these are malicious or suspicious and used for a wide range of nefarious activities.

Ping Identity files for $100M IPO on Nasdaq to trade as ‘PING’ (TechCrunch, Aug 23 2019)
Some eight months after it was reported that Ping Identity’s owners Vista Equity had hired bankers to explore a public listing, today Ping Identity took the plunge: the Colorado-based online ID management company has filed an S-1 form indicating that it plans to raise up to $100 million in an IPO on the Nasdaq exchange under the ticker “Ping.”

How to build a successful offensive security research team (SC Magazine, Aug 19 2019)
Like any other highly-complex, multi-faceted process, managing an offensive security research group carries with it a unique set of challenges. Many of these involve bringing in the right talent, supporting their growth and getting individual researchers to work together as a unit.

The Freakonomics of malware: What security leaders can learn by studying incentives (SC Magazine, Aug 16 2019)
One need look no further for an object lesson in the law of unintended consequences than the rise of cryptocurrencies in general and Bitcoin specifically. It’s often forgotten that Bitcoin was initially designed as an incentive lever for the blockchain itself as a means to encourage early community stakeholders to perform the critical Proof of Work calculations required to validate and maintain the blockchain itself.

UK Boardrooms Falling Short on Cyber Expertise (Infosecurity Magazine, Aug 21 2019)
Most believe security concerns are holding back growth, according to EY

China is Spying on Cancer Research (Infosecurity Magazine, Aug 21 2019)
A FireEye report finds evidence of Chinese APTs spying on medical research.

Massive MoviePass database found exposed on public server (Naked Security – Sophos, Aug 22 2019)
Tens of thousands of records with financial data were left in plaintext in a database that wasn’t protected with a password.

Quantum computing: The new moonshot in the cyber space race (Help Net Security, Aug 23 2019)
In 2016, China launched Micius, the world’s first quantum communications enabled satellite. For some, that launch eerily echoed the launch of the Soviet Union’s Sputnik satellite in 1957, which caught the United States off guard and spurred a decades-long contest to regain and maintain global technological and military supremacy.

IT Teams Urged Not to Prioritize Patches Using CVSS (Infosecurity Magazine, Aug 22 2019)
Risk-based tools and separate teams the key to faster response

L.A. County voting system pits cybersecurity vs. disability advocates (The Washington Post, Aug 21 2019)
The L.A. system, which was custom-built over roughly a decade for $250 million, is a ballot-marking device (BMD), which means a machine marks the votes rather than the voter marking them directly. That makes it far more accessible for people with disabilities but also worries some cybersecurity hawks who say voters are unlikely to verify everything is entered correctly on those computer-marked ballots – leaving room for a hacker to change votes and maybe alter the outcome of a tight race