A Review of the Best News of the Week on Cybersecurity Management & Strategy

What is Threat Modeling and GitHub’s Process (The GitHub Blog, Sep 10 2020)
Using Microsoft’s Threat Modeling Tool or OWASP’s Threat Dragon to bring security and engineering teams together to discuss systems. Generating action items that improve security.

China Launches Initiative for Global Data Security Issues (SecurityWeek, Sep 08 2020)
China has launched an initiative to address global data security issues, a countermove to the U.S. “clean network” program that is aimed at discouraging other countries from using Chinese technology.

Hacker-for-hire groups profit by commoditizing APT tactics (SC Media, Sep 09 2020)
In the span of just over three months, researchers have exposed three mercenary, “hacker-for-hire” groups engaging in industrial espionage and stealing corporate secrets for profit.

Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~16,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

Share today’s post on Twitter Facebook LinkedIn

The FBI botched its DNC hack warning in 2016—but says it won’t next time (Ars Technica, Sep 07 2020)
The bureau says it has revamped its process for warning hacking victims.

Cybersecurity after COVID-19: Securing orgs against the new threat landscape (Help Net Security, Sep 08 2020)
Picture this: An email comes through, offering new COVID-19 workplace safety protocols, and an employee, worn down by the events of the day or feeling anxious about their safety, clicks through. In a matter of seconds, the attacker enters the network. Factor in a sea of newly remote workers and overloaded security teams, and it’s easy to see how COVID-19 has been a boon for cybercriminals.

Newcastle Uni Ransomware Attack Will “Take Weeks” to Mitigate (Infosecurity Magazine, Sep 08 2020)
Leading UK university appears to have been hit by DoppelPaymer group

U.S. Unveils Cybersecurity Policies for Space Systems (SecurityWeek, Sep 08 2020)
A presidential memorandum made public on Friday by the White House details the cybersecurity principles that should govern space systems.

More on NIST’s Post-Quantum Cryptography (Schneier on Security, Sep 08 2020)
“Back in July, NIST selected third-round algorithms for its post-quantum cryptography standard. Recently, Daniel Apon of NIST gave a talk detailing the selection criteria. Interesting stuff. NOTE: We’re in the process of moving this blog to WordPress. Comments will be disabled until the move it complete.”

Threat gardening: What CISOs can learn from ‘mystery seeds’ (SC Media, Sep 08 2020)
In July, thousands of Americans started to complain about unsolicited packages of seeds mailed from China. And despite not knowing exactly what the seeds were, and holding suspicions that something nefarious was afoot, many recipients planted them. The parallels between the mystery seeds and phishing attacks are unmistakable and can serve as a cautionary tale…

Multiparty Encryption Allows Companies to Solve Security-Data Conundrum (Dark Reading, Sep 09 2020)
An interdisciplinary research team constructs a way for companies to share breach data without revealing specific details that could exposes businesses to legal risk.

Researchers develop secure multi-user quantum communication network (Help Net Security, Sep 07 2020)
The world is one step closer to having a totally secure internet and an answer to the growing threat of cyber-attacks, thanks to a team of international scientists who have created a multi-user quantum communication network which could transform how we communicate online.

Online voting vendor Voatz urges Supreme Court to limit security research (Ars Technica, Sep 08 2020)
Unauthorized security research can “cause harmful effects” Voatz says in baffling brief.

SMBs Invest in Cybersecurity Budget and Firewall Technology (Infosecurity Magazine, Sep 08 2020)
SMBs are proactively putting tools in place to combat attacks whilst working with limited security budgets

Almost a Quarter of UK Work Computers Lack Adequate Security Software (Infosecurity Magazine, Sep 08 2020)
Research finds UK orgs risk exposing corporate devices to cyber-threats

VPNs: The Cyber Elephant in the Room (Dark Reading, Sep 08 2020)
While virtual private networks once boosted security, their current design doesn’t fulfill the evolving requirements of today’s modern enterprise.

How Self-Doubt Can Keep Your Security Team Sharp (SecurityWeek, Sep 09 2020)
 A Healthy Sense of Self-Doubt Can Go a Long Way Towards Avoiding False Negatives

Legality of Security Research to be Decided in US Supreme Court Case (Dark Reading, Sep 09 2020)
A ruling that a police officer’s personal use of a law enforcement database is “hacking” has security researchers worried for the future.

Secureworks to Buy Delve Laboratories for Vulnerability Management (Dark Reading, Sep 09 2020)
Delve’s automated vulnerability platform provides insight on high-risk vulnerabilities across an organization’s network, endpoints, and cloud.

How can the C-suite support CISOs in improving cybersecurity? (Help Net Security, Sep 10 2020)
Among the individuals charged with protecting and improving a company’s cybersecurity, the CISO is typically seen as the executive for the job. That said, the shift to widespread remote work has made a compelling case for the need to bring security within the remit of other departments.