A Review of the Best News of the Week on Cybersecurity Management & Strategy

Why Paying to Delete Stolen Data is Bonkers (Krebs on Security, Nov 04 2020)
“Companies hit by ransomware often face a dual threat: Even if they avoid paying the ransom and can restore things from scratch, about half the time the attackers also threaten to release sensitive stolen data unless the victim pays for a promise to have the data deleted. Leaving aside the notion that victims might have any real expectation the attackers will actually destroy the stolen data, new research suggests a fair number of victims who do pay up may see some or all of the stolen data…”

CERT/CC Seeks to Remove Fear Element From Named Vulnerabilities (SecurityWeek, Nov 03 2020)
Most people will immediately recognize CVE-2014-0160 as a vulnerability, but few will know which vulnerability it refers to. Call it Heartbleed, however, and more people will know more about it. That’s the strength of natural language over numbers — humans remember words more easily than numbers.

Security and the One Percent: A Thought Exercise in Estimation and Consequences (TaoSecurity, Oct 31 2020)
There’s a good chance that if you’re reading this post, you’re a member of an exclusive club. I call it the security one percent, or the security 1%. This is shorthand for the assortment of people and organizations who have the personnel, processes, technology, and support to implement somewhat robust digital security programs, especially those with the detection and response capabilities and not just planning and resistance/”prevention” functions.

Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~17,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras


Ryuk ransomware behind one third of all ransomware attacks in 2020 (Help Net Security, Nov 03 2020)
There’s a growing use of ransomware, encrypted threats and attacks among cybercriminals leveraging non-standard ports, while overall malware volume declined for the third consecutive quarter, SonicWall reveals. “For most of us, 2020 has been the year where we’ve seen economies almost stop, morning commutes end and traditional offices disappear,” said Bill Conner, President and CEO, SonicWall.

The feds just seized Silk Road’s $1 billion stash of bitcoin (Ars Technica, Nov 05 2020)
Forfeiture comes two days after mystery party transferred 69,369 BTC out of wallet.

NSS Labs’ Abrupt Shutdown Leaves Many Unanswered Questions (Dark Reading, Nov 05 2020)
Former execs and employees share some insights into the testing firm’s shutdown. What does it mean for the future of security product testing?

60% of organizations have accelerated their zero trust projects (Help Net Security, Nov 02 2020)
The COVID-19 pandemic has not slowed the adoption of zero trust technology globally, a Pulse Secure report reveals. In fact, 60% of organizations said they have accelerated zero trust implementation during the pandemic. The report surveyed more than 250 technology professionals. The newly published report examines how enterprises are moving forward with zero trust networking initiatives, where they’re being successful in doing so and how COVID-19 has affected…

Guide: 10 critical issues to cover in your vendor security questionnaires (Help Net Security, Nov 01 2020)
In today’s perilous cyber world, companies must carefully check their vendors’ cyber posture, and the initial vetting of any third party typically begins with a comprehensive security questionnaire. But these can be a headache, because many questionnaires include hundreds of questions, and many of them are irrelevant. What are the key questions that must be addressed to determine if vendors have a strong cyber posture?

Zoom Finally Has End-to-End Encryption. Here’s How to Use It (Wired, Nov 02 2020)
You can lock down your meetings like never before—even if you have to give up a few features to do so.

9 Cyber Disaster-Recovery Planning Tips for a Disaster-Prone Time (Dark Reading, Nov 03 2020)
This year has been the ultimate test of business resilience, and if anything is now clear, it’s this: It’s time for security pros to rewrite their playbooks in preparation for a more dangerous wave of attacks.

Ransomware Alert as Emotet Detections Surge 1200% (Infosecurity Magazine, Nov 03 2020)
HP Inc data warns of close link to human-operated ransomware threats

Mattel Reveals July Ransomware Attack Impacting Business (Infosecurity Magazine, Nov 04 2020)
Toymaker appears to have escaped serious damage

Ransom Payment No Guarantee Against Doxxing (Dark Reading, Nov 04 2020)
Several organizations that paid a ransom to keep attackers from releasing stolen data saw it leaked anyway, according to Coveware.