A Review of the Best News of the Week on Cybersecurity Management & Strategy

The FBI Intrusion Notification Program (TaoSecurity, Sep 03 2020)
The FBI intrusion notification program is one of the most important developments in cyber security during the last 15 years. This program achieved mainstream recognition on 24 March 2014 when Ellen Nakashima reported on it for the Washington Post in her story U.S. notified 3,000 companies in 2013 about cyberattacks.

Gartner Predicts 75% of CEOs Will be Personally Liable for Cyber-Physical Security Incidents by 2024 (Gartner, Sep 01 2020)
Liability for cyber-physical security incidents will pierce the corporate veil to personal liability for 75% of CEOs by 2024…

Facebook Announces Formal Vulnerability Disclosure Policy for Third-Party Bugs (Dark Reading, Sep 03 2020)
The social media giant has also launched a new website for sharing information on WhatsApp security.

Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~16,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

Share today’s post on Twitter Facebook LinkedIn

Twitter Is Letting People Threaten Joe Biden’s Cybersecurity Expert (VICE, Aug 28 2020)
The social media platform says publishing a Google Street View picture of Biden’s cybersecurity expert’s home is not a violation of its anti-doxing and harassment policies.

Why Are There Still So Many Windows 7 Devices? (Dark Reading, Sep 01 2020)
As the FBI warns, devices become more vulnerable to exploitation as time passes, due to a lack of security updates and new, emerging vulnerabilities.

Box security chief: Define your boundaries of trust (SC Media, Aug 31 2020)
Digital transformation can bring new capabilities. But it can also introduce vulnerabilities, requiring security leaders to redefine the “boundaries of trust,” says the global chief information security officer at Box.

CISA: No US Voter Registration Breaches This Year (Infosecurity Magazine, Sep 02 2020)
Agency responds to fake news story in Russian media

The cost of an insider attack is as much as $2 million (Help Net Security, Sep 03 2020)
Employees, whether careless or malicious, can pose a great risk to organizations, a Bitglass survey reveals. 61% of survey respondents reported at least one insider attack over the last 12 months (22% reported at least six separate attacks). Insider threats becoming increasingly challenging Businesses are currently undergoing seismic shifts, including rapid migrations to the cloud and widespread adoptions of remote work and BYOD (bring your own device) policies.

Google Increases Bug Bounty Payouts for Abuse Risk Flaws (SecurityWeek, Sep 02 2020)
Google this week increased the reward amounts paid to researchers for reporting abuse risk as part of its bug bounty program. 

Norway’s parliament struck by hackers (WeLiveSecurity, Sep 03 2020)
Unknown threat actors were able to exfiltrate information from the email accounts of several parliamentarians

2017 Tesla Hack (Schneier on Security, Sep 03 2020)
Interesting story of a class break against the entire Tesla fleet….

From Defense to Offense: Giving CISOs Their Due (Dark Reading, Aug 31 2020)
In today’s unparalleled era of disruption, forward-thinking CISOs can become key to company transformation — but this means resetting relationships with the board and C-suite.

Bring your own PC and SASE security to transform global businesses (Help Net Security, Aug 31 2020)
Bring your own PC (BYOPC) security will reach mainstream adoption in the next two to five years, while it will take five to 10 years for mainstream adoption of secure access service edge (SASE) to take place, according to Gartner. Hype cycle for endpoint security, 2020 “Prior to the COVID-19 pandemic, there was little interest in BYOPC,” said Rob Smith, senior research director at Gartner.

North Korea ATM Hack (Schneier on Security, Sep 01 2020)
“The US Cybersecurity and Infrastructure Security Agency (CISA) published a long and technical alert describing a North Korea hacking scheme against ATMs in a bunch of countries worldwide: This joint advisory is the result of analytic efforts among the Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury (Treasury), the Federal Bureau of Investigation (FBI) and U.S. Cyber…”

Beware CISOs: attack vectors are coming from inside the house (SC Media, Sep 01 2020)
As employees work beyond an office network, CISOs may lose a lot of the critical visibility into network traffic.

Which cybersecurity failures cost companies the most and which defenses have the highest ROI? (Help Net Security, Sep 03 2020)
Massachusetts Institute of Technology (MIT) scientists have created a cryptographic platform that allows companies to securely share data on cyber attacks they suffered and the monetary cost of their cybersecurity failures without worrying about revealing sensitive information to their competitors or damaging their own reputation. The SCRAM platform allows defenders to learn from past attacks and provides insight into which cyber-risk control areas require additional scrutiny or investment.

The Hidden Costs of Losing Security Talent (Dark Reading, Sep 02 2020)
One person’s exit can set off a chain of costly events.

RedCommander: Open source tool for red teaming exercises (Help Net Security, Sep 03 2020)
GuidePoint Security released a new open source tool that enables a red team to easily build out the necessary infrastructure. The RedCommander tool solves a major challenge for red teams around the installation and operationalization of infrastructure by combining automation scripts and other tools into a deployable package.

Most security leaders feel their programs are mature, but data reveals otherwise (Help Net Security, Sep 02 2020)
84% of security and IT leaders feel their enterprise programs are mature, but a deeper dive reveals a major disconnect between perception and reality, Vulcan Cyber reveals. “We already know most enterprise programs are immature – we see it every day in the field.