A Review of the Best News of the Week on Cybersecurity Management & Strategy

When Security Takes a Backseat to Productivity (Krebs on Security, Jun 17 2020)
“The CIA acknowledged its security processes were so “woefully lax” that the agency probably would never have known about the data theft had Wikileaks not published the stolen documents online. What kind of security failures created an environment that allegedly allowed a former CIA employee to exfiltrate so much sensitive data? Here are a few, in no particular order:

Failing to rapidly detect security incidents.
Failing to act on warning signs about potentially risky employees.
Moving too slowly to enact key security safeguards.
A lack of user activity monitoring or robust server audit capability.
No effective removable media controls.
No single person empowered to ensure IT systems are built and maintained securely throughout their lifecycle.
Historical data available to all users indefinitely.”

Three years after WannaCry, what have we learned? (Help Net Security, Jun 15 2020)
Three years ago, the WannaCry ransomware worm wreaked havoc on hundreds of thousands of organizations worldwide, ranging from hospitals that had to pause urgent operations to multinational delivery services that were forced to halt the transportation of goods. In fact, experts claim business interruption costs from the notorious ransomware attack topped off at about $8 billion. As cybersecurity practitioners, we all remember where we were when we first heard about WannaCry. We remember the knot

U.S. Officials ‘Alarmed’ by Zoom Cooperation With China (SecurityWeek, Jun 15 2020)
United States House representatives last week sent a letter to Zoom to demand explanation for the communication platform’s decision to close the accounts of U.S.-based Chinese activists.

Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~14,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

Share today’s post on Twitter Facebook LinkedIn

Examining the US Cyber Budget (Schneier on Security, Jun 15 2020)
“Jason Healey takes a detailed look at the US federal cybersecurity budget and reaches an important conclusion: the US keeps saying that we need to prioritize defense, but in fact we prioritize attack. To its credit, this budget does reveal an overall growth in cybersecurity funding of about 5 percent above the fiscal 2019 estimate. However, federal cybersecurity spending on…”

Amid pressure, Zoom will end-to-end encrypt all calls, free or paid (Ars Technica, Jun 17 2020)
Bowing to critics, Zoom will offer E2EE if non-paying customers register an account.

Knoxville Pulls IT Systems Offline Following Ransomware Attack (Dark Reading, Jun 12 2020)
Knoxville’s government took its network offline and turned off infected servers and workstations after a ransomware attack this week.

Congress wants to know who is using spyware against the US (Naked Security – Sophos, Jun 15 2020)
A 2021 intelligence funding draft bill mandates a report on surveillance vendors and which countries or other actors are using spyware.

Bank Card “Master Key” Stolen (Schneier on Security, Jun 17 2020)
“South Africa’s Postbank experienced a catastrophic security failure. The bank’s master PIN key was stolen, forcing it to cancel and replace 12 million bank cards. The breach resulted from the printing of the bank’s encrypted master key in plain, unencrypted digital language at the Postbank’s old data centre in the Pretoria city centre. According to a number of internal Postbank…”

CISO Dialogue: How to Optimize Your Security Budget (Dark Reading, Jun 18 2020)
CISOs are never going to have all the finances they want. Hard choices must be made. The CISO of Amazon Prime Video discusses his approaches to a slimmed-down budget.

Lazarus Group May Have Been Behind 2019 Attacks on European Targets (Dark Reading, Jun 17 2020)
Telemetry hints that the North Korean actor was behind major cyber-espionage campaign focused on military and aerospace companies, ESET says.

What’s Anonymous Up to Now? (Dark Reading, Jun 17 2020)
The hacker group recently took credit for two high-profile incidents — but its actions aren’t quite the same as they once were, some say.

Building relationships: The key to becoming a true cybersecurity leader (Help Net Security, Jun 18 2020)
Slowly but surely, organizations are starting to view information security as a business problem, not an IT problem, and as everybody’s responsibility. “The CISO role is evolving to be less technical and more business-centric and, in many organizations, the CISO no longer reports to the CIO or CTO, but rather to the CEO or Board of Directors. As a result, many more business decisions are made with security [and privacy] in mind,” says Naomi Buckwalter,

How do I select a security awareness solution for my business? (Help Net Security, Jun 18 2020)
“Great security awareness training, that is part of a healthy cyber security culture and that is aimed at encouraging positive security behaviours, is essential. The problem is that awareness-raising training has a history of being dry, dull, technically-focused and ineffective,” Dr. Jessica Barker, Co-CEO of Cygenta, told us in a recent interview. In order to select the right security awareness solution for your business, you need to think about a number of factors.

Because IT security and the C-suite are misaligned, digital transformation increases cyber risk (Help Net Security, Jun 17 2020)
While digital transformation is understood to be critical, its rapid adoption, as seen with cloud providers, IoT and shadow IT, is creating significant cyber risk for most organizations. Today, these vulnerabilities are only exacerbated by misalignment between IT security professionals and the C-suite.

Avon cosmetics suffers “cyber incident” – but was it ransomware? (Naked Security – Sophos, Jun 17 2020)
Ah for the bad old days when a ransomware attack was simply that: a ransomware attack, beginning, middle and end.

Healthcare CISOs Share COVID-19 Response Stories (Dark Reading, Jun 18 2020)
Cybersecurity leaders discussed the threats and challenges that arose during the pandemic, and how they responded, during a virtual roundtable.

60% of Businesses Plan to Spend More on Cyber Insurance (Dark Reading, Jun 18 2020)
New data reveals 65% of SMEs plan to invest more in cyber insurance, compared with 58% of large enterprises.

Defending Your Budget: How to Show ROI of Cybersecurity Investments (SecurityWeek, Jun 18 2020)
For those of us who work in cybersecurity, the term “Return on Investment” (ROI) has no doubt made for awkward conversations. The solutions we work with have a return, but one that is commonly only evident during a malware attack or after a data breach has been thwarted. 

New Hacking-for-Hire Company in India (Schneier on Security, Jun 19 2020)
“Citizen Lab has a new report on Dark Basin, a large hacking-for-hire company in India. Key Findings: Dark Basin is a hack-for-hire group that has targeted thousands of individuals and hundreds of institutions on six continents. Targets include advocacy groups and journalists, elected and senior government officials, hedge funds, and multiple industries.”