A Review of the Best News of the Week on Cybersecurity Management & Strategy

COVID-19 ‘Breach Bubble’ Waiting to Pop? (Krebs on Security, Jun 30 2020)
The COVID-19 pandemic has made it harder for banks to trace the source of payment card data stolen from smaller, hacked online merchants. On the plus side, months of quarantine have massively decreased demand for account information that thieves buy and use to create physical counterfeit credit cards. But fraud experts say recent developments suggest both trends are about to change — and likely for the worse.

UCSF paid $1.4 million ransom in NetWalker attack (SC Media, Jun 29 2020)
The University of California, San Francisco (UCSF) ponied up $1.4 million to hackers to retrieve data encrypted during a NetWalker ransomware attack disclosed in early June. “The data that was encrypted is important to some of the academic work we pursue as a university serving the public good,”…

The Security Value of Inefficiency (Schneier on Security, Jul 02 2020)
“For decades, we have prized efficiency in our economy. We strive for it. We reward it. In normal times, that’s a good thing. Running just at the margins is efficient. A single just-in-time global supply chain is efficient. Consolidation is efficient. And that’s all profitable. Inefficiency, on the other hand, is waste. Extra inventory is inefficient. Overcapacity is inefficient.”


Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~14,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras



Salesforce Ventures Investment Values Tanium at $9 Billion (SecurityWeek, Jun 26 2020)
Tanium and Salesforce have come together in a strategic relationship to help solve one of today’s most compelling and urgent problems: how does security manage a workforce that has migrated from in-house company desktops to remote personal devices.

How You Can Write Better Threat Reports (Lenny Zeltser, Jul 01 2020)
Writing about cybersecurity threats, such as phishing campaigns, malware infections, and attack groups, is challenging for many reasons. How should you decide what details to include? How can you persuade the readers that your analysis is sound? How might you address the needs of multiple audiences?

Is America Still Number One At Hacking? A Discussion (VICE, Jul 02 2020)
Wasn’t so long ago the Snowden leaks showed the world the NSA hacked everything in sight, with impunity. But what about now?

Union Pacific tracks cyber risk via its own probability modeling methodology (SC Media, Jun 26 2020)
Rick Holmes, assistant VP and CISO at Union Pacific Railroad, detailed at InfoSec World 2020 how the transportation giant incorporates cybersecurity risk into its larger enterprise risk management process in order to help senior executives estimate losses caused by potential cyber incidents and make better decisions on where to invest in defenses.

The Communication Imperative for CISOs (SecurityWeek, Jun 29 2020)
One of the potential upsides for security leaders as a result of the COVID-19 pandemic is a renewed focus on cybersecurity and business resiliency. Seemingly overnight, your expertise, resourcefulness and dedication became recognized as integral to shifting your business to become distributed and digital. Now’s the time to take advantage of all the attention and step up your communications skills…

Russian Cybercrime Boss Burkov Gets 9 Years (Krebs on Security, Jun 27 2020)
A well-connected Russian hacker once described as “an asset of supreme importance” to Moscow was sentenced on Friday to nine years in a U.S. prison after pleading guilty to running a site that sold stolen payment card data, and to administering a highly secretive crime forum that counted among its members some of the most elite Russian cybercrooks.

The Unintended Harms of Cybersecurity (Schneier on Security, Jun 26 2020)
Well-meaning cybersecurity risk owners will deploy countermeasures (technologies or procedures) to manage risks to their services or systems. In some cases, those countermeasures will produce unintended consequences, which must then be addressed. Unintended consequences can potentially induce harm, adversely affecting user behaviour, user inclusion, or the infrastructure itself (including other services or countermeasures).

Businesses Lack a Workable Ransomware Recovery Strategy (Infosecurity Magazine, Jun 30 2020)
39% of organizations unaware of their ransomware strategy

Australia Ramps Up Cyber Spending After State-Backed Attacks (SecurityWeek, Jun 30 2020)
Australia unveiled the "largest-ever" boost in cybersecurity spending Tuesday, days after Prime Minister Scott Morrison spoke out about a wave of state-sponsored attacks suspected to have been carried out by China.

Profile of the Post-Pandemic CISO (Dark Reading, Jun 30 2020)
Projects that were high priorities before the COVID-19 outbreak have taken a back seat to new business needs. For security leaders that has meant new responsibilities that could very well stick around in the pandemic’s aftermath.

Organizations need an agile response to unexpected risks (Help Net Security, Jun 30 2020)
The average $5 billion company incurs delays of roughly 5 weeks per year in new product launches due to missed risks, with a $99 million opportunity cost, according to Gartner. Opportunity costs from missing risks: A survey of more than 382 strategic initiative leaders quantified the cost of missing risks in strategic initiatives. For an average $5 billion revenue company it amounts to $99 million annually in opportunity cost from delayed new product launches alone.

Today’s Interdependent Workplace Requires the Zero Trust Model (SC Media, Jul 01 2020)
The Zero Trust security framework turns 10 years old this year. It started as a simple concept: treat every user and all packets the same, as untrusted and potentially malicious. According to Forrester Research, which created the Zero Trust model, it has evolved from a focus on firewalls and data isolation to becoming …

Adopting more tools doesn’t necessarily improve security response efforts (Help Net Security, Jul 02 2020)
While organizations have slowly improved in their ability to plan for, detect and respond to cyberattacks over the past five years, their ability to contain an attack has declined by 13% during this same period, IBM reveals. The global survey conducted by Ponemon Institute found that respondents’ security response efforts were hindered by the use of too many security tools, as well as a lack of specific playbooks for common attack types.

CIOs are apprehensive about interruptions due to expired machine identities (Help Net Security, Jul 01 2020)
TLS certificates act as machine identities, safeguarding the flow of sensitive data to trusted machines. With the acceleration of digital transformation, the number of machine identities is skyrocketing. At the same time, cybercriminals are targeting machine identities, including TLS keys and certificates, and their capabilities, such as the encrypted traffic they enable, to use in attacks, according to Venafi. The study evaluated the opinions of 550 CIOs from the United States, United Kingdom,

Security Analysts Disproportionate in their Investigation of Malware (Infosecurity Magazine, Jul 02 2020)
The number of requests to investigate Backdoors and Droppers does not correspond with their use

Zoom Got Big Fast. Then Videobombers Made It Rework Security (SecurityWeek, Jul 02 2020)
Back in March as the coronavirus pandemic gathered steam in the U.S., a largely unheralded video-conferencing service suddenly found itself in the spotlight.

Ransomware Gangs Don’t Need PR Help (Krebs on Security, Jul 01 2020)
We’ve seen an ugly trend recently of tech news stories and cybersecurity firms trumpeting claims of ransomware attacks on companies large and small, apparently based on little more than the say-so of the ransomware gangs themselves. Such coverage is potentially quite harmful and plays deftly into the hands of organized crime.