A Review of the Best News of the Week on Cybersecurity Management & Strategy

NSA on the Future of National Cybersecurity (Schneier on Security, Oct 01 2019)
Glenn Gerstell, the General Counsel of the NSA, wrote a long and interesting op-ed for the New York Times where he outlined a long list of cyber risks facing the US.

China’s New Cybersecurity Program: NO Place to Hide (China Law Blog, Sep 30 2019)
This system will apply to foreign owned companies in China on the same basis as to all Chinese persons, entities or individuals. No information contained on any server located within China will be exempted from this full coverage program. No communication from or to China will be exempted. There will be no secrets. No VPNs. No private or encrypted messages. No anonymous online accounts. No trade secrets. No confidential data. Any and all data will be available and open to the Chinese government.

38% of the Fortune 500 do not have a CISO (Help Net Security, Oct 01 2019)
38% of the 2019 Fortune 500 do not have a chief information security officer (CISO).
Of this 38%, only 16% have another executive that is listed as responsible for cybersecurity strategy, such as a vice president of security.
Of the 62% that do have a CISO, only 4% have them listed on their company leadership pages.

Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~11,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

Share today’s post on Twitter Facebook LinkedIn

Interview With the Guy Who Tried to Frame Me for Heroin Possession (Krebs on Security, Sep 25 2019)
“In April 2013, I received via U.S. mail more than a gram of pure heroin as part of a scheme to get me arrested for drug possession. But the plan failed and the Ukrainian mastermind behind it soon after was imprisoned for unrelated cybercrime offenses. That individual recently gave his first interview since finishing his jail time here in the states, and he’s shared some select (if often abrasive and coarse) details on how he got into cybercrime and why. Below are a few translated excerpts.”

Airbus Suppliers Hit in State-Sponsored Attack (Infosecurity Magazine, Sep 30 2019)
China suspected of stealing aviation secrets

Dunkin’ Sued for Keeping Data Breach Secret (Infosecurity Magazine, Sep 27 2019)
State of New York accuses donut chain of failing to protect customers

What’s Missing from Nearly Every Security Approach (eWEEK, Sep 26 2019)
Normally, Krebs said, there’s plenty of time for an organization to find and neutralize an attacker that’s found his/her way into your systems, if only the organization knows to look. So why don’t they? Two reasons: people and policy. It takes trained staff to catch what the technology solutions miss, and “we don’t have enough people,” Krebs said.

How long before quantum computers break encryption? (Help Net Security, Sep 30 2019)
The short answer is, nobody knows. That’s not for lack of trying. The American National Standards Institute (ANSI) formed a dedicated working group just to try to reach a number. The industry’s best guess is about a decade, maybe more, maybe less. Not exactly what you want to hear if you’re trying figure out how to replace the encryption schemes used for everything from email to the world’s banking systems.

Senate Passes Ransomware Law (Infosecurity Magazine, Sep 30 2019)
DHS will be required to provide assistance to organizations

Cyber-Harassment Expert Wins MacArthur Genius Grant (Infosecurity Magazine, Sep 27 2019)
Professor of law awarded $625,000 to propose cyber-harassment reforms

GAO Says Electric Grid Cybersecurity Risks Only Partially Assessed (SecurityWeek, Sep 27 2019)
A new report from the United States Government Accountability Office (GAO) shows that the Department of Energy (DOE) has yet to fully analyze the electric grid cybersecurity risks.

The CrowdStrike Conspiracy: Here’s Why Trump Keeps Referencing The Cybersecurity Firm (Forbes, Sep 26 2019)
as Vice reported, turning over the physical server isn’t necessary (or the usual procedure) for forensic analyses, and it isn’t as useful as a copy of what was on the server at the time, which CrowdStrike provided to the FBI. And independent security experts and U.S. intelligence agencies confirmed that Russia was behind the hack, using Crowdstrike’s evidence and more than what was found on one server.

Threat Spotlight: Inefficient incident response (Barracuda, Oct 01 2019)
In a recent survey, Barracuda researchers found that, on average, a business takes three and a half hours (212 minutes) to remediate an attack. In fact, 11% of organizations spend more than six hours on investigation and remediation.

Baltimore Reportedly Had No Data Backup Process for Many Systems (Dark Reading, Sep 30 2019)
City lost key data in a ransomware attack earlier this year that’s already cost more than $18.2 million in recovery and related expenses.

Why big ISPs aren’t happy about Google’s plans for encrypted DNS (Ars Technica, Sep 30 2019)
DNS over HTTPS will make it harder for ISPs to monitor or modify DNS queries.

Danish company Demant expects to suffer huge losses due to cyber attack (Help Net Security, Oct 01 2019)
Danish hearing health care company Demant has estimated it will lose between $80 and $95 million due to a recent “cyber-crime” attack.

Senate Passes DHS Cyber Hunt and Incident Response Teams Act (SecurityWeek, Oct 01 2019)
The United States Senate recently passed the DHS Cyber Hunt and Incident Response Teams Act, a piece of legislation that instructs the DHS to help organizations protect themselves against cyber threats and respond to incidents.

America Launches New Cybersecurity Directorate (Infosecurity Magazine, Oct 02 2019)
The Cybersecurity Directorate has been created to unify the efforts of the NSA’s existing foreign intelligence and cyber-defense missions. The new organization will bring the Agency’s threat detection, future-technologies, and cyber-defense personnel together under one roof for the very first time.

Hacking back may be less risky than we thought (Washington Post, Oct 02 2019)
The United States has historically been wary of punching back in cyberspace, fearing that a digital conflict could rapidly escalate to rockets and bombs. But those concerns may be overblown. A pair of recent studies has found it’s extremely rare for nations to ratchet up a cyber conflict, let alone escalate it to a conventional military exchange, and that the U.S. public may put extra pressure on leaders not to let a cyber conflict get out of hand.

49% of infosec pros are awake at night worrying about their organization’s cybersecurity (Help Net Security, Oct 02 2019)
Six in every ten businesses have experienced a breach in either in the last three years. At least a third of infosec professionals (36%) whose employers had not recently been a victim of a cyber attack also believe that it is likely that they are currently facing one without knowing about it.