CISO View

CISO View – The Week’s Best News – 2020.01.17

2020-01-17 by Lucas Samaras

A Review of the Best News of the Week on Cybersecurity Management & Strategy

2017 Data Breach Will Cost Equifax at Least $1.38 Billion (Dark Reading, Jan 15 2020)
Company agrees to set aside a minimum of $380.5 million as breach compensation and spend another $1 billion on transforming its information security over the next five years. The 147 million US consumers affected by the breach have one week from today to file a claim.

Fancy Bear’ Targets Ukrainian Oil Firm Burisma in Phishing Attack (Dark Reading, Jan 14 2020)
The oil & gas company is at the heart of the ongoing US presidential impeachment case.

A case for establishing a common weakness enumeration for hardware security (Help Net Security, Jan 13 2020)
Due to these missing reference materials for hardware vulnerabilities in the CWE, researchers do not have the same standard taxonomy that would enable them to share information and techniques with one another. If we expect hardware vendors and their partners to collectively deliver more secure solutions, we must have a common language for discussing hardware security vulnerabilities.

Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~12,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

Share today’s post on Twitter Facebook LinkedIn

Microsoft to Officially End Support for Windows 7, Server 2008 (Dark Reading, Jan 13 2020)
Windows 7 and Server 2008 will continue to work after Jan. 14, 2020, but will no longer receive security updates.

#THIREurope: How Target Improved its Threat Hunting Capabilities (Infosecurity Magazine, Jan 13 2020)
Program focus – change focus to align with what Target needed the program to do
Operational consistency – so they know how things are running
Hunt topic strategy – to gain a layer of strategy on top of hunting

Christmas Ransomware Attack Hit New York Airport Servers (SecurityWeek, Jan 10 2020)
An upstate New York airport and its computer management provider were attacked by ransomware over Christmas, officials said.

Dustman Attack Underscores Iran’s Cyber Capabilities (Dark Reading, Jan 14 2020)
For nearly six months, an attack group linked to Iran reportedly had access to the network of Bahrain’s national oil company, Bapco, before it executed a destructive payload.

What Questions Should I Keep in Mind to Improve My Security Metrics? (Dark Reading, Jan 13 2020)
If you can answer these six questions, you’ll be off to a great start.

Website Collecting Australian Fire Donations Hit by Magecart (Dark Reading, Jan 13 2020)
The attack may have compromised donors’ payment information.

Five Key Cyber-Attack Trends for This Year (Infosec Island, Jan 14 2020)
Every single smart device within an IoT ecosystem, for example, is ultimately interacting with an API. And far less bandwidth is needed to attack APIs, and they can rapidly become hugely disruptive bottlenecks.

TSA Desires “Cybersecurity by Design” (Infosecurity Magazine, Jan 13 2020)
US Transport Security Administration wants cybersecurity factored into new technology

Cloudflare Rethinks How to Secure Employee Experience (IT Pro, Jan 13 2020)
Cloudflare for Teams provides fast, secure employee access to internal apps, web browsing and collaboration with dispersed team members.

Resilient Governance for Boards of Directors: Considerations for Effective Oversight of Cyber Risk – CLTC UC Berkeley Center for Long-Term Cybersecurity (Berkeley, Jan 15 2020)
A new report from CLTC and Booz Allen Hamilton provides a framework to help boards of directors approach cybersecurity governance and oversight

Pete Buttigieg’s Campaign Cybersecurity Chief Resigns (WSJ, Jan 16 2020)
The cybersecurity chief for Democratic candidate for president Pete Buttigieg’s campaign has resigned, as concerns mount about attempts by foreign governments and hackers to interfere in the 2020 election.

NY Fed Reveals Implications of Cyberattack on US Financial System (Dark Reading, Jan 16 2020)
A “pre-mortem analysis” sheds light on the potential destruction of a cyberattack against major US banks.

Why Firewalls Aren’t Going Anywhere (Dark Reading, Jan 15 2020)
Written off multiple times as obsolete, firewalls continue to elude demise by adding features and ensuring that VPNs keep humming.

Bill for New Orleans Cyber-Attack $7m and Rising (Infosecurity Magazine, Jan 16 2020)
Cyber-attack on New Orleans will cost the city over $7m to fix

Hackers Earn $275,000 for Vulnerabilities in U.S. Army Systems (SecurityWeek, Jan 17 2020)
A total of 146 valid vulnerabilities were reported as part of the second Hack the Army bug bounty program, and more than $275,000 were paid in rewards.

Cloudflare Announces Free Security Services for Political Campaigns (SecurityWeek, Jan 17 2020)
Security and web performance company Cloudflare has announced a suite of services for the cyber-protection of political campaigns in the United States and worldwide.

Whatever Happened to Anonymous? (VICE, Jan 16 2020)
It was once the hacking bogeyman, but now it seems no more.

CISO View – The Week’s Best News – 2020.01.10

2020-01-10 by Lucas Samaras

A Review of the Best News of the Week on Cybersecurity Management & Strategy

New SHA-1 Attack (Schneier on Security, Jan 08 2020)
“There’s a new, practical, collision attack against SHA-1: In this paper, we report the first practical implementation of this attack, and its impact on real-world security with a PGP/GnuPG impersonation attack. We managed to significantly reduce the complexity of collisions attack against SHA-1”

Hackers claiming to be from Iran deface U.S. gov’t website (SC Magazine, Jan 06 2020)
The hackers defaced the Federal Depository Library Program, fdlp.gov, website with a picture of bleeding Trump as he’s being punched in the face

The Hidden Cost of Ransomware: Wholesale Password Theft (Krebs on Security, Jan 06 2020)
“Organizations in the throes of cleaning up after a ransomware outbreak typically will change passwords for all user accounts that have access to any email systems, servers and desktop workstations within their network. But all too often, ransomware victims fail to grasp that the crooks behind these attacks can and frequently do siphon every single password stored on each infected endpoint. The result of this oversight may offer attackers a way back into the affected organization, access to financial and healthcare accounts, or — worse yet — key tools for attacking the victim’s various business partners and clients.”

Share today’s post on Twitter Facebook LinkedIn

New Standards Set to Reshape Future of Email Security (Dark Reading, Jan 07 2020)
Emerging specs and protocols expected to make the simple act of opening an email a less risky proposition

Tricky Phish Angles for Persistence, Not Passwords (Krebs on Security, Jan 07 2020)
“Late last year saw the re-emergence of a nasty phishing tactic that allows the attacker to gain full access to a user’s data stored in the cloud without actually stealing the account password. The phishing lure starts with a link that leads to the real login page for a cloud email and/or file storage service. Anyone who takes the bait will inadvertently forward a digital token to the attackers that gives them indefinite access to the victim’s email, files and contacts — even after the victim has changed their password.”

Lawsuit Filed Against LifeLabs Over Data Breach (Infosecurity Magazine, Jan 06 2020)
A class-action lawsuit has been filed against LifeLabs following a data breach

City of Las Vegas said it successfully avoided devastating cyber-attack (ZDNet, Jan 10 2020)
Security breach took place on January 7, but the city said it detected the intrusion in time to prevent any damage.

Chicago Healthcare Provider Reports Data Breach (Infosecurity Magazine, Jan 02 2020)
Data of nearly 13,000 people possibly exposed in Sinai Health System breach

Breach of email accounts impacts 50,000 patients of Minnesota hospital (SC Magazine, Jan 07 2020)
Minnesota-based hospital operator Alomere Health this month began notifying patients of a data breach affecting 49,351 individuals, after a malicious actor gained access to two employee email accounts in late October and early November.

New Iranian data wiper malware hits Bapco, Bahrain’s national oil company (ZDNet, Jan 10 2020)
Saudi Arabia’s cyber-security agency spots new Dustman data-wiping malware.

How Cybersecurity’s Metrics of Misery Fail to Describe Cybercrime Pain (Dark Reading, Jan 02 2020)
Dollars lost and data records exposed are valuable measurements, but the true pain of a cybersecurity incident goes far beyond that. We asked infosec pros how they put words to the pain they feel when their defenses fall apart.

Continental Drift: Is Digital Sovereignty Splitting Global Data Centers? (Dark Reading, Jan 03 2020)
The recent proposal by Germany, backed by France, to fuse the infrastructures of Europe’s cloud providers could challenge every data center storing a European’s data.

DHS finds no tampering of Durham County election devices (SC Magazine, Jan 02 2020)
The Department of Homeland Security’s CISA Hunt and Incident Response Team (HIRT) found no direct malicious activity affecting the ePollbook laptops used in certain Durham County, N.C., precincts during the 2016 election.

It’s Time for the C Suite and Boards to Truly Engage in Third-Party Cyber Risk Management (SecurityWeek, Jan 02 2020)
global consulting firm Protiviti recently found a high correlation between board involvement and highly mature vendor risk management (VRM) systems.

Austria’s Foreign Ministry Hit by Cyber-Attack (Infosecurity Magazine, Jan 06 2020)
State-sponsored threat actor may be responsible for cyber-attack on Austria

Insight Partners Acquires IoT Security Firm Armis at $1.1 Billion Valuation (SecurityWeek, Jan 06 2020)
Venture Capital and private equity investment firm Insight Partners has agreed to acquire IoT security firm Armis in a cash deal valuing the firm at $1.1 billion.

Chinese Cyber-Espionage Group Targeted NGOs for Years (SecurityWeek, Jan 08 2020)
A cyber-espionage group supposedly linked to the Chinese government is targeting non-governmental organizations (NGOs) in South and East Asia, Secureworks has revealed.

15% of Ransomware Victims Paid Ransom in 2019, Quadrupling 2018 (Dark Reading, Jan 09 2020)
Increasing sophistication of ransomware attacks might be forcing victims to open their wallets.

Accenture to Acquire Symantec’s Cyber Security Services Business (Infosecurity Magazine, Jan 09 2020)
Symantec’s cybersecurity arm to be acquired by Accenture Security

CISO View – The Week’s Best News – 2020.01.03

2020-01-03 by Lucas Samaras

A Review of the Best News of the Week on Cybersecurity Management & Strategy

UN backs Russia on internet convention, alarming rights advocates (Yahoo News, Dec 28 2019)
The United Nations on Friday approved a Russian-led bid that aims to create a new convention on cybercrime, alarming rights groups and Western powers that fear a bid to restrict online freedom. The General Assembly approved the resolution sponsored by Russia and backed by China, which would set up a

Wawa Facing Lawsuits Over Data Breach at All of its Stores (SecurityWeek, Dec 28 2019)
The Wawa convenience store chain is facing a wave of lawsuits over a data breach that affected its 850 locations along the East Coast.

2020 Predictions: Technology (SC Magazine, Dec 30 2019)
MITRE ATT&CK will become the go-to framework and common vocabulary for every SOC. For organizations required to have the most aggressive stances on security, such as financial services and healthcare, ATT&CK is already the go-to framework. In 2020, it will become a basis of conversation for security operations center (SOC) teams in other industries, including retail and manufacturing, as they mature their security postures.

Share today’s post on Twitter Facebook LinkedIn

6 CISO New Year’s Resolutions for 2020 (Dark Reading, Dec 30 2019)
We asked chief information security officers how they plan to get their infosec departments in shape next year.

Hacking School Surveillance Systems (Schneier on Security, Dec 30 2019)
“Lance Vick suggesting that students hack their schools’ surveillance systems.

“This is an ethical minefield that I feel students would be well within their rights to challenge, and if needed, undermine,” he said.

Of course, there are a lot more laws in place against this sort of thing than there were in — say — the 1980s, but it’s still worth thinking about.”

Two-Thirds of Security Pros Ready to or Already Volunteer Their Services (Dark Reading, Dec 27 2019)
Majority of survey respondents seek to share their security expertise with causes they care about.

How Should My Security Department Begin Future-Proofing for Quantum Computing? (Dark Reading, Dec 27 2019)
Knowing where your digital certificates are is just the start.

Planning for 2020? Here are 3 cybersecurity trends to look out for (Help Net Security, Dec 30 2019)
From the rise in investor focus on cybersecurity issues to diversifying of cyber insurance, there are three critical security trends cyber professionals should be prepared to address if they want a successful — and secure — 2020.

Ransomware shuts down The Heritage Company (SC Magazine, Dec 27 2019)
The telemarketing firm The Heritage Company has become the latest ransomware victim to shut down, at least temporarily, its operations even after making a ransom payment to its attackers. Company CEO Sandra Franecke broke the news in a letter to her 300 employees that the 61-year-old firm would suspend activities.

White House Expands Use of Cyber Weapons but Stays Secretive on Policies (WSJ, Dec 30 2019)
Lawmakers are demanding more information about the guidelines the military uses to launch offensive operations in cyberspace. The White House has kept the cyber directive largely under wraps.

Mean Time to Hardening: The Next-Gen Security Metric (Threatpost, Dec 31 2019)
Given that the average time to weaponizing a new bug is seven days, you effectively have 72 hours to harden your systems before you will see new exploits.

Cybercrime’s Most Lucrative Careers (Dark Reading, Dec 31 2019)
Crime pays. Really well. Here’s a look at just how much a cybercriminal can earn in a month.

Feds: No Evidence Hackers Disrupted North Carolina Voting (SecurityWeek, Dec 30 2019)
A federal investigation didn’t turn up any evidence that cyber attacks were responsible for computer errors that disrupted voting in a North Carolina county in 2016, according to a report issued Monday.

The Most Dangerous People on the Internet This Decade (Wired, Dec 31 2019)
In the early aughts the internet was less dangerous than it was disruptive. That’s changed.

Why CMO Should Know About Cybersecurity? (CISO Magazine, Dec 26 2019)
Apart from configuring cybersecurity measures, the Chief Marketing Officer (CMO) needs to be responsible for taking up cybersecurity practices within their organization. Cybersecurity breaches often coincide with the fact that the CMO is not well-prepared or aware of the whole functionality of cybersecurity.

CISO View – The Week’s Best News – 2019.12.27

2019-12-27 by Lucas Samaras

A Review of the Best News of the Week on Cybersecurity Management & Strategy

Wawa Stores Plagued by Malware Since March (Infosecurity Magazine, Dec 20 2019)
Malware has been stealing credit card info from Wawa customers for 9 months

F5 Pays $1 Billion for Shape (Dark Reading, Dec 20 2019)
The acquisition adds fraud detection and prevention to the application delivery company’s tool collection.

Cybersecurity Experts Are Leaving the Federal Government. That’s a Problem. (NY Times, Dec 20 2019)
Cybersecurity Experts Are Leaving the Federal Government. That’s a Problem. The New York Times

Share today’s post on Twitter Facebook LinkedIn

Zynga Breach Hit 173 Million Accounts (Infosecurity Magazine, Dec 23 2019)
September incident compromised emails and logins

The Worst Hacks of the Decade (Wired, Dec 23 2019)
Over the last decade, hacking became less of a novelty and more of a fact of life for billions of people around the world. Regular people lost control of their data, faced invasive surveillance from repressive regimes, had their identities stolen, realized a stranger was lurking on their Netflix account, dealt with government-imposed internet blackouts, or, for the first time ever, literally found themselves caught in the middle of a destructive cyberwar.

2020 & Beyond: The Evolution of Cybersecurity (Dark Reading, Dec 23 2019)
As new technologies disrupt the industry, remember that security is a process, not a goal. Educate yourself on how you can best secure your corner of the Web.

New Orleans to Boost Cyber Insurance to $10M Post-Ransomware (Dark Reading, Dec 20 2019)
Mayor LaToya Cantrell anticipates the recent cyberattack to exceed its current $3 million cyber insurance policy.

Patch Management: How to Prioritize an Underserved Vulnerability (Dark Reading, Dec 19 2019)
Why is one of the biggest problems in cybersecurity also one that CISOs largely ignore? Here are three reasons and a road map to a modern approach.

7 signs your cybersecurity is doomed to fail in 2020 (Help Net Security, Dec 20 2019)
While most enterprises have come to terms with the fact that a security incident is not a factor of “if,” but rather “when,” many are still struggling to translate this into the right security architecture and mindset. FireEye’s Cyber Trendscape 2020 report found that the majority (51%) of organizations do not believe they are ready or would respond well to a cyberattack or data breach.

2020 Predictions: Ransomware (SC Magazine, Dec 23 2019)
Refusing to pay can cost even more as Norwegian aluminum maker Norsk Hydro learned when they spent $58m in the first half of 2019 to remediate the ransomware attack they experienced in March. The company’s Q1 profit also fell 82% due to production downtime caused by the attack.

2019 Mergers and acquisitions (SC Magazine, Dec 20 2019)
A list of some of the 2019 transactions

CISO View – The Week’s Best News – 2019.12.20

2019-12-20 by Lucas Samaras

A Review of the Best News of the Week on Cybersecurity Management & Strategy

Web Hosting Firm Slapped With $10 Million GDPR Fine (SecurityWeek, Dec 16 2019)
The investigation commenced following a complaint from a customer whose personal mobile phone number was given by 1&1’s customer helpline to a former life partner in 2018. Since the former partner already knew a lot of details, the helpline provided the phone number after being given the complainant’s name and date of birth. According to BfDI, this was insufficient ‘access control’ for access to personal data.

New Orleans Scrambles to Respond to Ransomware Attack (Infosecurity Magazine, Dec 16 2019)
Louisiana city the latest in long line to suffer this year

Ransomware Gangs Now Outing Victim Businesses That Don’t Pay Up (Krebs on Security, Dec 16 2019)
“As if the scourge of ransomware wasn’t bad enough already: Several prominent purveyors of ransomware have signaled they plan to start publishing data stolen from victims who refuse to pay up. To make matters worse, one ransomware gang has now created a public Web site identifying recent victim companies that have chosen to rebuild their operations instead of acquiescing to their tormentors.”

Share today’s post on Twitter Facebook LinkedIn

Large Hospital System Hit by Ransomware Attack (SecurityWeek, Dec 14 2019)
New Jersey’s largest hospital system said Friday that a ransomware attack last week disrupted its computer network and that it paid a ransom to stop it.

Report on 537 Anti-Drone Systems Shows How Wild the Market Has Become (VICE, Dec 13 2019)
From jamming rifles to ground installations that fire nets, a new report lays out the expansive Wild West of anti-drone tech.

Financial Services Breaches Less Common, More Damaging, Than Those in Other Sectors (Dark Reading, Dec 16 2019)
While far less common than breaches in other industry sectors, financial services breaches were more than twice as expensive, per record exposed, than the average for tech businesses.

Ransomware ‘Crisis’ in US Schools: More Than 1,000 Hit So Far in 2019 (Dark Reading, Dec 16 2019)
Meanwhile, the mayor of the city of New Orleans says no ransom money demands were made as her city struggles to recover from a major ransomware attack launched last week.

Why Enterprises Buy Cybersecurity ‘Ferraris’ (Dark Reading, Dec 16 2019)
You wouldn’t purchase an expensive sports car if you couldn’t use it properly. So, why make a pricey security investment before knowing it fits into your ecosystem?

How Breach & Attack Simulation Can Improve Your Security Strategy (eWEEK, Dec 16 2019)
Join Sean Michael Kerner and Gus Evangelakos of XM Cyber, as they discuss how businesses can use breach and attack simulation to improve security, help meet compliance requirements, and secure cloud and hybrid environments.

The privacy and security trends that will shape 2020 (Help Net Security, Dec 16 2019)
The rollout of 5G will further accelerate the proliferation of IoT technology as manufacturers rush to produce low-cost devices with integrated connectivity. All Mobile Network Operators (MNOs) are keen to adopt 5G, with IoT and Enterprise services being primary drivers, providing operators with access to new revenue opportunities from new services and applications.

Most security pros admit to accidental internal breaches at their organization (Help Net Security, Dec 16 2019)
44% percent of executives believe employees have erroneously exposed personally identifiable information (PII) or business-sensitive information using their company email account.

Russian hacker who allegedly exploited accounting software to steal $1.5 million to plead guilty (CyberScoop, Dec 17 2019)
Anton Bogdanov, known online as “Kusok,” has been charged with computer intrusion, aggravated identity theft and related charges.

How to Manage API Security (Dark Reading, Dec 17 2019)
Protecting the places where application services meet is critical for protecting enterprise IT. Here’s what security pros need to know about “the invisible glue” that keeps apps talking to each other.

Senate passes $1.4 trillion spending bill, includes $25 million for election security (SC Magazine, Dec 17 2019)
The Senate today passed the sweeping $1.4 trillion National Defense Authorization Act (NDAA) for Fiscal Year 2020, which includes a number of security measures and appropriates $425 million in funding for election security, though it stopped short of requiring post-election audits for states not using paper ballots and safeguards against foreign interference in U.S. elections.

Why the U.S. government needs you to hack it (Fast Company, Dec 19 2019)
White hat hackers are crucial to security because they can expose vulnerabilities before scammers can exploit them.

Your First Month as a CISO: Forming an Information Security Program (Dark Reading, Dec 18 2019)
It’s easy to get overwhelmed in your new position, but these tips and resources will help you get started.

Cybersecurity a Growing Concern for America’s Corporate Lawyers (Infosecurity Magazine, Dec 19 2019)
Corporate counsel increasingly worried about risk of cybersecurity disputes