A Review of the Best News of the Week on Cybersecurity Management & Strategy

A Military Camera Said ‘Made in U.S.A.’ The Screen Was in Chinese. (The New York Times, Nov 07 2019)
The surveillance equipment was actually manufactured in China, raising concerns that Beijing could have used it for spying, prosecutors said.

Tipped off by an NSA breach, researchers discover new APT hacking group (Ars Technica, Nov 05 2019)
With a tip that came from one of the biggest breaches in US National Security Agency history, researchers have discovered a new hacking group that infected targets with a previously unknown piece of advanced malware. Dubbed DarkUniverse, the group is probably tied to ItaDuke, a group that has actively targeted Uyghur and Tibetans since 2013.

A Cybersecurity Firm’s Sharp Rise and Stunning Collapse (The New Yorker, Nov 05 2019)
Tiversa dominated an emerging online market—before it was accused of fraud, extortion, and manipulating the federal government.

Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~12,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

Share today’s post on Twitter Facebook LinkedIn

A VPN service that gets around the Great Firewall of China legally (Network World Security, Nov 04 2019)
Teridion’s SD-WAN service for China complies with government restrictions on IPSec traffic leaving the country yet supports broadband IPSec WAN interfaces for international businesses with branches in China.

Who is responsible for Active Directory security within your organization? (Help Net Security, Nov 06 2019)
Ransomware attacks are just one of the many types of attacks that rely on compromising the Active Directory, which is sometimes forgotten as an element of an organization’s IT security.

Of organizations which have an Active Directory, the survey data shows that responsibility for Active Directory security is split between functions, with 27% of those IT professionals reporting that responsibility lies with the IT team, and 19% stating that the security team holds responsibility for Active Directory security.

Seven Security Strategies, Summarized (TaoSecurity, Nov 06 2019)
In the interest of capturing the thought, and not in the interest of thinking too deeply or comprehensively (at least right now), I offer seven security strategies, summarized.

Study: Ransomware, Data Breaches at Hospitals tied to Uptick in Fatal Heart Attacks (Krebs on Security, Nov 07 2019)
“Hospitals that have been hit by a data breach or ransomware attack can expect to see an increase in the death rate among heart patients in the following months or years because of cybersecurity remediation efforts, a new study posits. Health industry experts say the findings should prompt a larger review of how security — or the lack thereof — may be impacting patient outcomes.”

Companies should disclose cybersecurity risk management efforts (Help Net Security, Nov 04 2019)
Research finds that when one company experiences a cybersecurity breach, other companies in the same field also become less attractive to investors. However, companies that are open about their cybersecurity risk management fare significantly better than peers that don’t disclose their cybersecurity efforts.

#ISC2Congress: The Truth Behind the Lack of Women in Cybersecurity (Infosecurity Magazine, Nov 01 2019)
Cybersecurity professionals speaking at the (ISC)² Security Congress held in Florida this week revealed that talented women are taking their skills elsewhere because cybersecurity made them feel unwelcome.

Spanish companies’ networks shut down as result of ransomware (Ars Technica, Nov 04 2019)
Apparent BitPaymer variant strikes major IT consulting company, radio network.

How HR and IT Can Partner to Improve Cybersecurity (Dark Reading, Nov 04 2019)
With their lens into the human side of business, human resources can be an effective partner is the effort to train employees on awareness and keep an organization secure.

Details of Attack on Electric Utility Emerge (Dark Reading, Nov 01 2019)
An unpatched vulnerability in sPower’s Cisco firewalls was the target of the attack, which, although affecting communications within the grid, did not cause service interruptions to any customers.

NCR Barred Mint, QuickBooks from Banking Platform During Account Takeover Storm (Krebs on Security, Nov 03 2019)
“Banking industry giant NCR Corp. [NYSE: NCR] late last month took the unusual step of temporarily blocking third-party financial data aggregators Mint and QuickBooks Online from accessing Digital Insight, an online banking platform used by hundreds of financial institutions.”

Key predictions that will impact CIOs and IT pros over the next five years (Help Net Security, Nov 06 2019)
Time for action is growing short for CIOs in the digital era. Many continue to struggle with siloed digital transformation initiatives, leaving them adrift and buffeted by competition and market forces.

Mozilla says ISPs are lying to Congress about encrypted DNS (Naked Security – Sophos, Nov 06 2019)
Mozilla on Friday posted a letter urging Congress to take the broadband industry’s lobbying against encrypted DNS within Firefox and Chrome with a grain of salt.

The Future of Cyber Through the Eyes of an Intelligence Firm (SecurityWeek, Nov 06 2019)
If there are two clear themes to Booz Allen’s future expectations in cyber (PDF), they are that evolving technology will lead to evolving threats, and that geopolitical tensions will expand the operations of nation state activity and make the world an even more dangerous place.

Capital One Senior Security Officer Being Moved to New Role (WSJ, Nov 08 2019)
Capital One Financial is moving its chief information security officer out of the role in the wake of the bank’s massive data breach.

To Prove Cybersecurity’s Worth, Create a Cyber Balance Sheet (Dark Reading, Nov 07 2019)
How tying and measuring security investments to business impacts can elevate executives’ understanding and commitment to cyber-risk reduction.

How much do data breaches affect stock prices? (WeLiveSecurity, Nov 07 2019)
A study looks at just how badly the news of a data breach impacts the company’s share price, revealing some surprising findings