A Review of the Best News of the Week on Cybersecurity Management & Strategy

U.S. manufacturing group hacked by China as trade talks intensified (Reuters, Nov 22 2019)
As trade talks between Washington and Beijing intensified earlier this year, suspected Chinese hackers broke into an industry group for U.S. manufacturers that has helped shape President Donald Trump’s trade policies, according to two people familiar with the matter.

How Iran’s Government Shut Off the Internet (Wired, Nov 17 2019)
After years of centralizing internet control, Iran pulled the plug on connectivity for nearly all of its citizens.

Twitter finally upgrades its 2FA security feature. Mobile number no longer required! (Graham Cluley, Nov 22 2019)
Hundreds of millions of Twitter users now have an improved way to better safeguard their accounts from being compromised.

Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~12,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

Share today’s post on Twitter Facebook LinkedIn

Hackers helping communities: Leveraging OSINT to find missing persons (Help Net Security, Nov 18 2019)
Trace Labs is a not-for-profit organization that crowdsources open source intelligence (OSINT) to help authorities find missing persons. Comprised of and led by volunteers, Trace Labs partners with other organizations and law enforcement agencies to set up Capture-The-Flag-type contests during which computer enthusiasts, infosec pros, first responders, hackers and private investigators compete by unearthing open source information that can provide leads for law enforcement to pursue.

Want to build a successful SOC? Here’s what you need to know (Help Net Security, Nov 19 2019)
According to Ernst & Young’s Global Information Security Survey 2018-19, the average cost of a data breach is $3.62 million, yet more than half of companies report they have no program (or an obsolete one) for one or more of the following areas: threat intelligence, vulnerability identification, breach detection, incidence response, data protection and identity and access management – disciplines which all originate or are closely tied to the SOC.

Why Were the Russians So Set Against This Hacker Being Extradited? (Krebs on Security, Nov 18 2019)
“What follows are some clues that might explain why the Russians are so eager to reclaim this young man.”

Most Companies Lag Behind ‘1-10-60’ Benchmark for Breach Response (Dark Reading, Nov 19 2019)
Average company needs 162 hours to detect, triage, and contain a breach, according to a new CrowdStrike survey.

DDoS-for-Hire Boss Gets 13 Months Jail Time (Krebs on Security, Nov 20 2019)
“A 21-year-old Illinois man was sentenced last week to 13 months in prison for running multiple DDoS-for-hire services that launched millions of attacks over several years. This individual’s sentencing comes more than five years after KrebsOnSecurity interviewed both the defendant and his father and urged the latter to take a more active interest in his son’s online activities.”

#InfosecNA: The Benefits of Training Employees to Hack (Infosecurity Magazine, Nov 21 2019)
After a co-worker accepts the challenge, he begins a surveillance phase which, depending on how good his opponent is, can last anywhere from a few days to a few months. In one case, with an especially cyber-savvy individual, his usual hunt within social media, inquiries with co-workers, and other tactics failed to produce anything. Even though they had effectively hosted themselves, including paying a service to erase their profile from the internet, he did find evidence of their activity on Amazon which enabled him to craft a phishing attack that eventually proved effective in gaining his ‘victim’s’ credentials.

Buttigieg campaign hires CISO, citing cybersecurity emphasis (POLITICO, Nov 22 2019)
Mick Baccio, the Buttigieg pick for CISO, was branch chief of White House Threat Intelligence.

Phineas Fisher Offers $100,000 Bounty to Hack Banks and Oil Companies (VICE, Nov 17 2019)
It’s a reward for hacktivists and criminals who break into capitalist institutions, offered by one of the most infamous hackers of all time.

Offshore Bank Targeted By Phineas Fisher Confirms it Was Hacked (VICE, Nov 18 2019)
“A criminal investigation is ongoing,” the Cayman National Bank from the Isle of Man said in a statement.

Quantum Computing Breakthrough Accelerates the Need for Future-Proofed PKI (Dark Reading, Nov 18 2019)
Public key infrastructure is a foundational security tool that has evolved to become a critical base for future advancements. Today’s generation of PKI can be coupled with quantum-resistant algorithms to extend the lifespan of digital certificates for decades.

Governments Lose Millions to DNS Attacks Each Year (Infosecurity Magazine, Nov 19 2019)
IDC report warns the sector is hardest hit

How to prepare for the U.S. Census to move online (SC Magazine, Nov 19 2019)
History will be made on April 1, 2020. For the first time, the United States Census will offer a full internet response option, in addition to traditional paper responses. The digitization of the census is meant to address the challenges of counting an increasingly large and diverse population, while also complying with strict cost constraints imposed by Congress. But as with most technological breakthroughs, there are plenty of risky implications.

Security Companies and Activists Launch ‘Coalition Against Stalkware’ (VICE, Nov 19 2019)
10 organizations are part of the Coalition, and they have also launched a website to help victims.

Suit against Estée Lauder spotlights 401k Distribution Fraud (The Security Ledger, Nov 19 2019)
A former employee of the New York based cosmetics giant Estée Lauder is suing the company and a third party benefits firm alleging they breached their fiduciary duty to secure her 401k retirement account after $99,000 was fraudulently distributed from the account without her knowledge.

#InfosecNA: How to Communicate Risk and Security to Executives (Infosecurity Magazine, Nov 21 2019)
Security leaders must understand the cost and benefit of their objectives, and frame reporting of results or requests for resources in the context of business executives, Rock continued. He then shared an ‘alignment to value’ diagram that can aid security leaders in achieving this.

French Hospital Crippled by Ransomware (Infosecurity Magazine, Nov 21 2019)
Long delays in patient care at CHU in Rouen

Most Companies Don’t Properly Manage Third-Party Cyber Risk (SecurityWeek, Nov 21 2019)
It’s been established that good cybersecurity requires not just an internal assessment of an organization’s own security practices, but also a close look at the security of the partners that businesses rely upon in today’s modern, interconnected world.