A Review of the Best News of the Week on Cybersecurity Management & Strategy

New NSA cyber lead says agency must share more info about digital threats (Washington Post, Sep 05 2019)
The NSA is the U.S. government’s premier digital spying agency and it has a well-earned reputation for keeping secrets. But the agency needs to stop keeping so many things confidential and classified if it wants to protect the nation from cyberattacks.

#GartnerSEC: Maersk CISO Outlines Lessons Learned From NotPetya Attack (Infosecurity Magazine, Sep 10 2019)
We were the collateral victim of a state-sponsored attack and look what it did, so if you are trying to build a company to stop 100% of state-sponsored weapons, forget it. If you adopt a strategy around that, you will fail.

On Cybersecurity Insurance (Schneier on Security, Sep 10 2019)
Good paper on cybersecurity insurance: both the history and the promise for the future. From the conclusion: Policy makers have long held high hopes for cyber insurance as a tool for improving security. Unfortunately, the available evidence so far should give policymakers pause. Cyber insurance appears to be a weak form of governance at present.


One of My Favorite Things
Since I started this curated newsletter in June 2017, I’ve clipped ~10,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras


Ping Identity launches initial public offering of its common stock (Help Net Security, Sep 09 2019)
Ping Identity is offering 12,500,000 shares of its common stock pursuant to a registration statement on Form S-1 filed with the Securities and Exchange Commission (the “SEC”).

#GartnerSEC: Maersk’s Adam Banks Reflects on NotPetya Response and Recovery (Infosecurity Magazine, Sep 10 2019)
“I didn’t go home for 70 days,” Banks said, as he worked tirelessly with the rest of the business to respond and recover. In the first one to three days of the outbreak of NotPetya, Maersk:

#GartnerSEC: 2019 Projects Should Include Incident Response, BEC and Container Security (Infosecurity Magazine, Sep 10 2019)
The need for phishing training, automated security scanning and micro-segmentation has been replaced by container security, incident response and business email compromise technology in the top ten security projects for the year.

Secret Service Investigates Breach at U.S. Govt IT Contractor (Krebs on Security, Sep 09 2019)
“The U.S. Secret Service is investigating a breach at a Virginia-based government technology contractor that saw access to several of its systems put up for sale in the cybercrime underground, KrebsOnSecurity has learned. The contractor claims the access being auctioned off was to old test systems that do not have direct connections to its government partner networks.”

The Doghouse: Crown Sterling (Schneier on Security, Sep 05 2019)
A decade ago, the Doghouse was a regular feature in both my email newsletter Crypto-Gram and my blog. In it, I would call out particularly egregious — and amusing — examples of cryptographic “snake oil.”

I dropped it both because it stopped being fun and because almost everyone converged on standard cryptographic libraries, which meant standard non-snake-oil cryptography. But every so often, a new company comes along that is so ridiculous, so nonsensical, so bizarre, that there is nothing to do but call it out.

Crown Sterling is complete and utter snake oil.

How counties are war-gaming Election Day cyberattacks (Washington Post, Sep 11 2019)
If Russian hackers seek to disrupt the 2020 election, it will be county election officials on the front lines. And some are diving in to war games so they can be ready for anything Moscow or another U.S. adversary can throw at them.

#GartnerSEC: Questions Your Board Will Ask About Security (Infosecurity Magazine, Sep 11 2019)
He said: “We feel that in a couple of years, your performance as security and risk leaders will be on demonstrating value at enterprise risk level.” This is because the board care about three things:

US city balks at paying $5.3 million ransomware demand (Naked Security – Sophos, Sep 09 2019)
The attack quickly encrypted 158 workstations – and would have been worse had it struck later in the working day.

Texas Refuses to Pay $2.5M in Massive Ransomware Attack (Dark Reading, Sep 09 2019)
The ransomware campaign affected 22 local governments, none of which have paid the attackers’ $2.5 million ransom demand.

The DEA Didn’t Buy Malware From Israel’s Controversial NSO Group Because It Was Too Expensive (VICE, Sep 11 2019)
Emails between the DEA and NSO obtained by Motherboard explain why the DEA didn’t purchase the company’s malware in 2014.

#GartnerSEC: Hiring Strategies Do Not Consider Future Digital Trends (Infosecurity Magazine, Sep 09 2019)
Consider looking forward, rather than at what is needed now, in your hiring efforts

Stop Using CVSS to Score Risk (SecurityWeek, Sep 10 2019)
The mechanics of prioritizing one vulnerability’s business risk over another has always been fraught with concern. What began as securing business applications and infrastructure from full-disclosure bugs a couple of decades ago, has grown to encompass vaguely referenced flaws in insulin-pumps and fly-by-wire aircraft with lives potentially hanging in the balance.

Tighter control over IT asset management: The key to securing your enterprise (SC Magazine, Sep 11 2019)
Recent evidence of the new BlueKeep Windows vulnerability is an excellent and scary example of the need for enterprises to have thorough, accurate and current visibility into all the devices in use by their employees and contractors. Here’s a scenario that could happen: Joe Smith decides to work at home one night and rather than…

Wikipedia Gets $2.5m Donation to Boost Cybersecurity (Infosecurity Magazine, Sep 12 2019)
Craigslist founder boosts non-profit’s efforts to recover from DDoS.

Mountain View cybersecurity giant Symantec begins layoffs (SF Chronicle, Sep 11 2019)
Cybersecurity company Symantec is cutting 152 jobs at its Mountain View headquarters and 18 in San Francisco, along with 36 in Culver City (Los Angeles County), a California filing revealed, giving a sense of planned job cuts’ local impact.

Cloudflare says it may have violated US law ahead of IPO (Business Insider, Sep 11 2019)
Cybersecurity company Cloudflare is about to become a public company, possibly as soon as this week, and there are indicators that investors are ready to buy in. However, the company also quietly updated its S-1 filing to go public to disclose that it may have broken the law in ways including selling its services to terrorists, to narcotics traffickers, and to governments being sanctioned by the US.

Fed Kaspersky Ban Made Permanent by New Rules (Dark Reading, Sep 11 2019)
A new set of regulations converts the government ban on using Kaspersky products from a temporary rule to one that’s permanent.