A Review of the Best News of the Week on Cybersecurity Management & Strategy

Huawei and Supply Chain Security – The Great Geopolitical Debate (SecurityWeek, Jan 27 2020)
With No Proof That China’s Huawei is Malicious, The Potential for Abuse Remains

Vulnerability Reward Program: 2019 Year in Review (Google Online Security Blog, Jan 29 2020)
“2019 has been another record-breaking year for us, thanks to our researchers! We paid out over $6.5 million in rewards, doubling what we’ve ever paid in a single year. At the same time our researchers decided to donate an all-time-high of $500,000 to charity this year.”

RSA Conference announces finalists for Innovation Sandbox Contest 2020 (Help Net Security, Jan 29 2020)
RSA Conference announced the 10 finalists for its Innovation Sandbox Contest 2020. The competition calls on the most promising young companies in cybersecurity to showcase their transformative technologies to a panel of judges and live audience at RSA Conference 2020 in San Francisco.

Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~13,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

Share today’s post on Twitter Facebook LinkedIn

Average Ransomware Payments More Than Doubled in Q4 2019 (Dark Reading, Jan 27 2020)
Ransomware attackers collected an average of around $84,000 from victim organizations, up from $41,000 in Q3 of 2018, Coveware says.

How to Get the Most Out of Your Security Metrics (Dark Reading, Jan 27 2020)
People presented with a massive list of objectives often are overwhelmed to the point that no action is taken, or too few actions are taken to make a difference. Instead, presenting people with a list of specific actions to take first, next, and last, and specifying how these actions will directly affect business operations, lets people take action and feel a level of accomplishment.

US Rolls Out New Bill to Reform NSA Surveillance (Infosecurity Magazine, Jan 27 2020)
New US bill could end mass surveillance of phone records by the NSA

US Space Industry to Launch Cybersecurity Portal (Infosecurity Magazine, Jan 27 2020)
Space ISAC cybersecurity information-sharing portal planned for spring 2020

The Dearth of Skilled Cybersecurity Personnel (SC Magazine, Jan 27 2020)
A report coming out of Australia found that 88 percent of IT decision makers believe there is a shortage of cyber security skills, within their own organization, but also nationally.

Okta Businesses @ Work 2020 | Technology Industry Trend Report (Okta, Jan 28 2020)
An in-depth look into how organizations and people work today — exploring workforces and customers, and the applications and services they use to be productive.

Stopping the Press: New York Times Journalist Targeted by Saudi-linked Pegasus Spyware Operator (The Citizen Lab, Jan 29 2020)
New York Times journalist Ben Hubbard was targeted with NSO Group’s Pegasus spyware via a June 2018 SMS message promising details about “Ben Hubbard and the story of the Saudi Royal Family.” The SMS contained a hyperlink to a website used by a Pegasus operator that we call KINGDOM. We have linked KINGDOM to Saudi Arabia.

Someone Tried to Hack My Phone. Technology Researchers Accused Saudi Arabia. (The New York Times, Jan 29 2020)
From a suspicious text message I received, technology researchers concluded that hackers working for Saudi Arabia had targeted my phone with powerful Israeli software.

Most AV vendors will continue to support their products under Windows 7 (Help Net Security, Jan 29 2020)
Businesses of all sizes can still pay to receive extended security updates (ESUs) to keep their systems secure while they plan their upgrade, but home users don’t have that option.

OurMine hackers intercept NFL teams’ social media accounts (SC Magazine, Jan 28 2020)
Over a dozen NFL teams may want to consider hiring a cyber defensive coordinator after their Twitter, Instagram and Facebook accounts were reportedly hijacked and defaced on Sunday and Monday by the mischievous OurMine hacker group, which has emerged from hibernation.

Wawa Breach May Have Compromised More Than 30 Million Payment Cards (Krebs on Security, Jan 28 2020)
“In late December 2019, fuel and convenience store chain Wawa Inc. said a nine-month-long breach of its payment card processing systems may have led to the theft of card data from customers who visited any of its 850 locations nationwide. Now, fraud experts say the first batch of card data stolen from Wawa customers is being sold at one of the underground’s most popular crime shops, which claims to have 30 million records to peddle from a new nationwide breach.”

New York wants to ban taxpayer-funded ransomware payments (Naked Security – Sophos, Jan 27 2020)
One of the proposed bills would set up a $5m fund to help small towns upgrade their systems and bolster their security.

Let’s make ransomware MORE illegal, says Maryland (Naked Security – Sophos, Jan 29 2020)
… with a clumsily worded proposed bill that wouldn’t protect researchers.

Top 10 policy trends to watch for globally in 2020 (Help Net Security, Jan 26 2020)
AI regulation taking shape in the EU and the U.S.
EU-based Digital Services Act (DSA) as the newest power grab since the GDPR
New wave of tech protectionism in Europe
China as a supply chain liability; other Asian nations filling in
Spectrum sharing likely to become more mainstream with 5G
5G security to take an important position with shift to control functions
U.S. privacy laws taking bipartisan note from California’s CCPA
Data sharing regs to heat up, as balance with innovation becomes more critical
IoTs, SIMs and eSIMs: who’s responsible for setting regulation?
Rise of ‘green’ technology policy: another balancing act with industry emissions vs. the industry’s potential ability to solve climate change

Tampa Bay Times hit by Ryuk, new variant of stealer aimed at gov’t, finance (SC Magazine, Jan 27 2020)
On the heels of a Ryuk ransomware attack on the Tampa Bay Times, researchers reported a new variant of the Ryuk stealer being aimed at government, financial and law enforcement targets.

2019 saw more data breaches, fewer sensitive records exposed (Help Net Security, Jan 29 2020)
According to a new Identity Theft Resource Center report, the number of U.S. data breaches tracked in 2019 (1,473) increased 17 percent from the total number of breaches reported in 2018 (1,257). However, 2019 saw 164,683,455 sensitive records exposed, a 65 percent decrease from 2018 (471,225,862). The 2018 Marriott data breach exposed 383 million records alone, significantly skewing the data.

Cyber-Attack on US Water Company Causes Network Outage (Infosecurity Magazine, Jan 29 2020)
500,000 customers affected by cyber-attack on Greenville Water