A Review of the Best News of the Week on Cybersecurity Management & Strategy

Twitter employees were spear-phished over the phone (Help Net Security, Jul 31 2020)
“The social engineering that occurred on July 15, 2020, targeted a small number of employees through a phone spear phishing attack,” Twitter explained.

“Not all of the employees that were initially targeted had permissions to use account management tools, but the attackers used their credentials to access our internal systems and gain information about our processes. This knowledge then enabled them to target additional employees who did have access to our account support tools.”

Thinking of a Cybersecurity Career? Read This (Krebs on Security, Jul 24 2020)
“Thousands of people graduate from colleges and universities each year with cybersecurity or computer science degrees only to find employers are less than thrilled about their hands-on, foundational skills. Here’s a look at a recent survey that identified some of the bigger skills gaps, and some thoughts about how those seeking a career in these fields can better stand out from the crowd.”

EU Sanctions on Russian, Chinese ‘Cyber Attackers’ (SecurityWeek, Jul 30 2020)
The European Union imposed its first ever sanctions against alleged cyber attackers on Thursday, targeting Russian and Chinese individuals and a specialist unit of Moscow’s GRU military intelligence agency.

Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~15,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras


The average total cost of a data breach declined, but costs increased for many organizations (Help Net Security, Jul 30 2020)
Data breaches cost companies $3.86 million per breach on average, and compromised employee accounts are the most expensive root cause. Based on in-depth analysis of data breaches experienced by over 500 organizations worldwide, 80% of these incidents resulted in the exposure of customers’ personally identifiable information (PII). Out of all types of data exposed in these breaches, customer PII was also the costliest to businesses.

Is Your Chip Card Secure? Much Depends on Where You Bank (Krebs on Security, Jul 30 2020)
“Chip-based credit and debit cards are designed to make it infeasible for skimming devices or malware to clone your card when you pay for something by dipping the chip instead of swiping the stripe. But a recent series of malware attacks on U.S.-based merchants suggest thieves are exploiting weaknesses in how certain financial institutions have implemented the technology to sidestep key chip card security features and effectively create usable, counterfeit cards.”

Quantum Loop: US Unveils Blueprint for ‘Virtually Unhackable’ Internet (SecurityWeek, Jul 24 2020)
US officials and scientists have begun laying the groundwork for a more secure “virtually unhackable” internet based on quantum computing technology.

A vigilante is sabotaging the Emotet botnet by replacing malware payloads with GIFs (ZDNet, Jul 27 2020)
Emotet botnet activity goes down as Emotet admins are wrestling with a vigilante for control over parts of their infrastructure.

NIST selects algorithms to form a post-quantum cryptography standard (Help Net Security, Jul 27 2020)
The race to protect sensitive electronic information against the threat of quantum computers has entered the home stretch. After spending more than three years examining new approaches to encryption and data protection that could defeat an assault from a quantum computer, the National Institute of Standards and Technology (NIST) has winnowed the 69 submissions it initially received down to a final group of 15.

How to tailor SASE to your enterprise (Network World Security, Jul 27 2020)
Businesses considering the secure access service edge (SASE) model need to understand that there are numerous ways to implement it that can be tailored to their future needs and the realities of their legacy networks. As defined by Gartner, which coined the term, SASE calls for security to be built in as part of the network and delivered as a cloud service, but that might not fit the circumstances faced by all enterprises.

How to Decipher InfoSec Job Titles’ Mysteries (Dark Reading, Jul 29 2020)
Figuring out which cybersecurity job you want — or are qualified for — can be difficult when words have no consistent meaning in the industry.

Vatican Infiltrated by Chinese Hackers Ahead of Sensitive Talks (Jul 29 2020)
The Vatican has allegedly been targeted by a Chinese state-sponsored group in the last three months

Operators of VHD Ransomware Unveiled (Jul 28 2020)
State-sponsored threat group is big-game hunting with VHD ransomware

Accountability Concerns Main Reason Security Pros Want to Quit (Jul 28 2020)
Survey finds lack of executive accountability is main reason security pros want to quit

No More Ransom Initiative Reflects on Achievements on Fourth Anniversary (Jul 28 2020)
No More Ransom has prevented an estimated $632m reaching criminals

5 traits all the best CISOs have (SC Media, Jul 29 2020)
As someone regularly hired to lead red-team engagements that hack into Fortune 500 organizations, I’ve had the opportunity to work with – and go up against – many different types of security leaders. Some are technical, others thrive on adrenaline. Some dig deep into the weeds, and still others prefer the C-suite.

11 Security Tools to Expect at the Black Hat USA 2020 Arsenal Virtual Event (Dark Reading, Jul 29 2020)
More than 130 security researchers and developers are ready to showcase their work.

Businesses are preparing for a cloud-based approach to applications (Help Net Security, Jul 29 2020)
While most enterprises are committed to modernizing their application software portfolios, there are still myriad challenges to overcome and improvements to be made, according to a survey conducted by Hanover Research. According to the report, application development functions have a full agenda for the next 12 months, with the majority seeking improvements in speed, quality and security to ensure continued competitiveness.

Dussmann Group Data Leaked After Ransomware Attack (Jul 30 2020)
German giant admits attack targeted subsidiary

Future Bright for CISOs Despite Budget and Transformation Challenges, Say Security Leaders (Jul 31 2020)
The best CISOs are in a place where they are business leaders

How to make security simple for IT users (SC Media, Jul 31 2020)
Companies could make corporate IT environments a lot safer from external threats if those pesky humans would stop clicking on so many sketchy links. Or sharing passwords. Or using bad passwords. Or finding loopholes in the corporate security policy. Users tend to carry their fair share of blame for data loss and cyberattacks.