CISO View

CISO View – The Week’s Best News – 2019.10.11

2019-10-11 by Lucas Samaras

A Review of the Best News of the Week on Cybersecurity Management & Strategy

The Same Old Encryption Debate Has a New Target: Facebook (Wired, Oct 03 2019)
Attorney general William Barr seems eager to reignite the encryption wars, starting with the social media giant.

Russian Secret Weapon Against U.S. 2020 Election Revealed In New Cyberwarfare Report (Forbes, Oct 08 2019)
A terrifying new report maps out Russia’s full cyberwarfare ecosystem, an attack structure designed to be “almost impossible” to defend against.

Credit Info Exposed in TransUnion Data Security Incident (BleepingComputer, Oct 10 2019)
Using a credential stuffing attack, an unauthorized person was able to gain access to a TransUnion Canada web portal and use it to pull consumer credit files.

Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~11,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

Share today’s post on Twitter Facebook LinkedIn

Alabama Hospital System Halts Admissions Amid Malware Attack (SecurityWeek, Oct 03 2019)
A hospital system that serves a large part of rural west Alabama temporarily quit accepting new patients after a ransomware attack crippled some of its computer systems Tuesday.

Small businesses increasingly a target for cybercriminals (AP, Oct 08 2019)
While small and mid-sized businesses are increasingly targets for cybercriminals, companies are struggling to devote enough resources to protect their technology from attack.

Health, personal data of 1 million New Zealanders exposed in series of intrusions (SC Magazine, Oct 09 2019)

The medical and personal information of about 1 million people was exposed after a breach of Tū Ora Compass Health, a primary health organization (PHO) located in New Zealand.

10 Steps to Assess SOC Maturity in SMBs (Dark Reading, Oct 07 2019)
Facing a system and organization controls audit doesn’t have to be stressful for small and midsize businesses if they follow these guidelines.

Nearly 70 US Government Organizations Hit by Ransomware Since January (Infosecurity Magazine, Oct 03 2019)
Government entities, schools, and healthcare providers are the main focus of this year’s US ransomware attacks

U.S. and Baltic States sign Energy Partnership Deal against cyber-attacks (CISO MAG, Oct 08 2019)
The United States and Baltic states recently signed an energy partnership agreement to protect the Baltic energy grid from cyber-attacks.

Unmask cybercriminals through identity attribution (Help Net Security, Oct 08 2019)
Part of taking action, however, requires knowing who the bad actor is in the first place; in other words, attributing and uncovering the identities of cyber adversaries.

Internal user mistakes create large percentage of cybersecurity incidents (Help Net Security, Oct 08 2019)
Internal user mistakes created the largest percentage of cybersecurity incidents over the past twelve months (80%), followed by exposures caused by poor network system or application security (36%), and external threat actors infiltrating the organization’s network or systems (31%), SolarWinds research reveals.

Class-Action Lawsuit Filed Against CafePress Following Data Breach (Infosecurity Magazine, Oct 07 2019)
CafePress is accused of allowing a breach by failing to update flawed security software

Magecart Group Tied to Cobalt Hackers (SecurityWeek, Oct 07 2019)
Security researchers were able to link one of the hacking groups operating under the Magecart umbrella to the infamous threat actor known as the Cobalt Group.

A Roundtable of Hackers Dissects ‘Mr. Robot’ Season 4 Episode 1: ‘Unauthorized’ (VICE, Oct 07 2019)
Technologists, hackers, and journalists recap the much-awaited fourth season opener of the realistic hacking show.

The lack of cybersecurity talent is ‘a national security threat,’ says DHS official (TechCrunch, Oct 03 2019)
The lack of cybersecurity talent is ‘a national security threat,’ says DHS official TechCrunch

New US-UK Agreement Speeds Law Enforcement’s Access to User Data (SecurityWeek, Oct 08 2019)
The United States and the United Kingdom have signed an agreement designed to help law enforcement agencies gain faster access to data related to serious crimes. This is the first such agreement based on the Clarifying Lawful Overseas Use of Data Act, or CLOUD Act, which was enacted into U.S. federal law on March 23, 2018.

Winning the security fight: Tips for organizations and CISOs (Help Net Security, Oct 09 2019)
If you ask Matthew Rosenquist, a former Cybersecurity Strategist for Intel (now independent), overcoming denial of risk, employing the right cybersecurity leader, and defining clear goals are the three most critical objectives for avoiding a negative outcome.

Digital transformation requires an aggressive approach to security (Help Net Security, Oct 09 2019)
Professionals don’t have a full picture about what tools are used in their organization. Beyond network and vulnerability scanning, respondents were asked about 10 other tool categories, and the lack of related knowledge is striking. For example, 25% do not know if their organization is using interactive application security testing (IAST), while 19% don’t know if they are using software composition analysis (SCA) or cloud middleware.

DHS seeks subpoena powers to identify vulnerable systems – TechCrunch (TechCrunch, Oct 10 2019)
Homeland Security’s cybersecurity division is pushing to change the law that would allow it to demand information from internet providers that would identify the owners of vulnerable systems, TechCrunch has learned.

A Realistic Threat Model for the Masses (Dark Reading, Oct 09 2019)
For many people, overly restrictive advice about passwords and other security practices is doing more harm than good. Here’s why.

CISO View – The Week’s Best News – 2019.10.04

2019-10-04 by Lucas Samaras

A Review of the Best News of the Week on Cybersecurity Management & Strategy

NSA on the Future of National Cybersecurity (Schneier on Security, Oct 01 2019)
Glenn Gerstell, the General Counsel of the NSA, wrote a long and interesting op-ed for the New York Times where he outlined a long list of cyber risks facing the US.

China’s New Cybersecurity Program: NO Place to Hide (China Law Blog, Sep 30 2019)
This system will apply to foreign owned companies in China on the same basis as to all Chinese persons, entities or individuals. No information contained on any server located within China will be exempted from this full coverage program. No communication from or to China will be exempted. There will be no secrets. No VPNs. No private or encrypted messages. No anonymous online accounts. No trade secrets. No confidential data. Any and all data will be available and open to the Chinese government.

38% of the Fortune 500 do not have a CISO (Help Net Security, Oct 01 2019)
38% of the 2019 Fortune 500 do not have a chief information security officer (CISO).
Of this 38%, only 16% have another executive that is listed as responsible for cybersecurity strategy, such as a vice president of security.
Of the 62% that do have a CISO, only 4% have them listed on their company leadership pages.

Share today’s post on Twitter Facebook LinkedIn

Interview With the Guy Who Tried to Frame Me for Heroin Possession (Krebs on Security, Sep 25 2019)
“In April 2013, I received via U.S. mail more than a gram of pure heroin as part of a scheme to get me arrested for drug possession. But the plan failed and the Ukrainian mastermind behind it soon after was imprisoned for unrelated cybercrime offenses. That individual recently gave his first interview since finishing his jail time here in the states, and he’s shared some select (if often abrasive and coarse) details on how he got into cybercrime and why. Below are a few translated excerpts.”

Airbus Suppliers Hit in State-Sponsored Attack (Infosecurity Magazine, Sep 30 2019)
China suspected of stealing aviation secrets

Dunkin’ Sued for Keeping Data Breach Secret (Infosecurity Magazine, Sep 27 2019)
State of New York accuses donut chain of failing to protect customers

What’s Missing from Nearly Every Security Approach (eWEEK, Sep 26 2019)
Normally, Krebs said, there’s plenty of time for an organization to find and neutralize an attacker that’s found his/her way into your systems, if only the organization knows to look. So why don’t they? Two reasons: people and policy. It takes trained staff to catch what the technology solutions miss, and “we don’t have enough people,” Krebs said.

How long before quantum computers break encryption? (Help Net Security, Sep 30 2019)
The short answer is, nobody knows. That’s not for lack of trying. The American National Standards Institute (ANSI) formed a dedicated working group just to try to reach a number. The industry’s best guess is about a decade, maybe more, maybe less. Not exactly what you want to hear if you’re trying figure out how to replace the encryption schemes used for everything from email to the world’s banking systems.

Senate Passes Ransomware Law (Infosecurity Magazine, Sep 30 2019)
DHS will be required to provide assistance to organizations

Cyber-Harassment Expert Wins MacArthur Genius Grant (Infosecurity Magazine, Sep 27 2019)
Professor of law awarded $625,000 to propose cyber-harassment reforms

GAO Says Electric Grid Cybersecurity Risks Only Partially Assessed (SecurityWeek, Sep 27 2019)
A new report from the United States Government Accountability Office (GAO) shows that the Department of Energy (DOE) has yet to fully analyze the electric grid cybersecurity risks.

The CrowdStrike Conspiracy: Here’s Why Trump Keeps Referencing The Cybersecurity Firm (Forbes, Sep 26 2019)
as Vice reported, turning over the physical server isn’t necessary (or the usual procedure) for forensic analyses, and it isn’t as useful as a copy of what was on the server at the time, which CrowdStrike provided to the FBI. And independent security experts and U.S. intelligence agencies confirmed that Russia was behind the hack, using Crowdstrike’s evidence and more than what was found on one server.

Threat Spotlight: Inefficient incident response (Barracuda, Oct 01 2019)
In a recent survey, Barracuda researchers found that, on average, a business takes three and a half hours (212 minutes) to remediate an attack. In fact, 11% of organizations spend more than six hours on investigation and remediation.

Baltimore Reportedly Had No Data Backup Process for Many Systems (Dark Reading, Sep 30 2019)
City lost key data in a ransomware attack earlier this year that’s already cost more than $18.2 million in recovery and related expenses.

Why big ISPs aren’t happy about Google’s plans for encrypted DNS (Ars Technica, Sep 30 2019)
DNS over HTTPS will make it harder for ISPs to monitor or modify DNS queries.

Danish company Demant expects to suffer huge losses due to cyber attack (Help Net Security, Oct 01 2019)
Danish hearing health care company Demant has estimated it will lose between $80 and $95 million due to a recent “cyber-crime” attack.

Senate Passes DHS Cyber Hunt and Incident Response Teams Act (SecurityWeek, Oct 01 2019)
The United States Senate recently passed the DHS Cyber Hunt and Incident Response Teams Act, a piece of legislation that instructs the DHS to help organizations protect themselves against cyber threats and respond to incidents.

America Launches New Cybersecurity Directorate (Infosecurity Magazine, Oct 02 2019)
The Cybersecurity Directorate has been created to unify the efforts of the NSA’s existing foreign intelligence and cyber-defense missions. The new organization will bring the Agency’s threat detection, future-technologies, and cyber-defense personnel together under one roof for the very first time.

Hacking back may be less risky than we thought (Washington Post, Oct 02 2019)
The United States has historically been wary of punching back in cyberspace, fearing that a digital conflict could rapidly escalate to rockets and bombs. But those concerns may be overblown. A pair of recent studies has found it’s extremely rare for nations to ratchet up a cyber conflict, let alone escalate it to a conventional military exchange, and that the U.S. public may put extra pressure on leaders not to let a cyber conflict get out of hand.

49% of infosec pros are awake at night worrying about their organization’s cybersecurity (Help Net Security, Oct 02 2019)
Six in every ten businesses have experienced a breach in either in the last three years. At least a third of infosec professionals (36%) whose employers had not recently been a victim of a cyber attack also believe that it is likely that they are currently facing one without knowing about it.

CISO View – The Week’s Best News – 2019.09.27

2019-09-27 by Lucas Samaras

A Review of the Best News of the Week on Cybersecurity Management & Strategy

How The U.S. Hacked ISIS (NPR, Sep 26 2019)
In 2016, the U.S. launched a classified military cyberattack against ISIS to bring down its media operation. NPR interviewed nearly a dozen people who lived it.

Women in Cybersecurity: Where We Are and Where We’re Going (Scientific American, Sep 23 2019)
Here’s how to bring gender equality to a thoroughly male-dominated field

How Google Changed the Secretive Market for the Most Dangerous Hacks in the World (VICE, Sep 23 2019)
For five years, Google has funded Project Zero, a team of hackers with the sole mission of finding bugs in whatever software they wanted to research, be it Google’s or somebody else’s. Are they making the internet safer?

Share today’s post on Twitter Facebook LinkedIn

Study Reveals Most Expensive State for Cyber Insurance (Infosecurity Magazine, Sep 19 2019)
Across America’s 50 states and the District of Columbia, the cost of cyber insurance averaged out at $1,501 per year, or around $125 a month, but for Delaware business owners the price rose to $1,626.92 per year. In Arizona, where the cost of cyber insurance was 24.15% cheaper than the national average, policies were on average $1,139 per year.

Investors accuse FedEx of lying, stock dumping after NotPetya attack (Naked Security – Sophos, Sep 23 2019)
This is the second such suit, with shareholders asking why execs sold $40m+ of their shares while downplaying the ransomware attack.

France Outlines Its Approach to Cyberwar (Schneier on Security, Sep 23 2019)
“In a document published earlier this month (in French), France described the legal framework in which it will conduct cyberwar operations. Lukasz Olejnik explains what it means, and it’s worth reading.”

McConnell’s support for election security funding is just the start of a big fight (Washington Post, Sep 20 2019)
Senate Majority Leader Mitch McConnell (R-Ky.) partially relented yesterday in the fight over election security by throwing his support behind a $250 million infusion of cash for state election officials.

All the Code Connections Between Russia’s Hackers, Visualized (Wired, Sep 24 2019)
A sort of constellation chart for Kremlin malware, made by two cybersecurity firms, demonstrates the scale of Russia’s distinct hacking operations.

Crown Sterling Claims to Factor RSA Keylengths First Factored Twenty Years Ago (Schneier on Security, Sep 20 2019)
“Earlier this month, I made fun of a company called Crown Sterling, for…for…for being a company that deserves being made fun of. This morning, the company announced that they “decrypted two 256-bit asymmetric public keys in approximately 50 seconds from a standard laptop computer.” Really. They did. This keylength is so small it has never been considered secure. It was too small to be part of the RSA Factoring Challenge when it was introduced in 1991.”

HP Purchases Security Startup Bromium (Dark Reading, Sep 20 2019)
The purchase will bring new isolation and threat intelligence capabilities to the HP portfolio.

Metasploit Creator HD Moore’s Latest Hack: IT Assets (Dark Reading, Sep 19 2019)
Moore’s IT asset discovery tool. Rumble Network Discovery. aims to solve one of the most basic yet confounding problems organizations face and have faced for years: getting a true inventory of all of the devices and services running in their increasingly diverse and growing networks.

FS-ISAC and Europol Partner to Combat Cross-Border Cybercrime (Infosecurity Magazine, Sep 19 2019)
Memorandum of Understanding aims to reduce cyber-risk in the financial system through intelligence sharing

How SMBs can bring their security testing on par with larger enterprises (Help Net Security, Sep 23 2019)
What are the challenges of securing small and medium-sized enterprises vs. larger ones? And how can automated, continuous security testing help shrink the gap?

How Can I Ensure Cyber Insurers Will Pay My Claim? (Dark Reading, Sep 23 2019)
To get the best out of your policy, do more than just sign on the dotted line.

Hundreds of US Schools Hit by Ransomware in 2019 (Infosecurity Magazine, Sep 24 2019)
Education sector the second most popular for hackers, says Armor

Malindo Air: Data Breach Was Inside Job (Infosecurity Magazine, Sep 24 2019)
Two former employees of airline’s e-commerce provider are blamed

Microsoft to Provide Free Security Updates for Voting Systems Running Windows 7 (SecurityWeek, Sep 23 2019)
Microsoft will continue to provide some Windows 7 machines with security updates beyond the January 2020 end-of-support date, and voting systems are among them, the company has announced.

Being CISO Is No Longer a Dead-End Job (SecurityWeek, Sep 23 2019)
The combined effect is that the role of CISO has been elevated — to such an extent that 76% of CISOs now believe that managing cyber risk is becoming so important that we will see companies naming CISOs as CEOs in the future.

Czech Intelligence Blames China for Major Cyber Attack (SecurityWeek, Sep 25 2019)
China was behind a major cyber attack at a key government institution in the Czech Republic last year, the EU member’s intelligence agency said in a report Wednesday.

60% of Major US Firms Have Been Hacked in Cloud: Study (SecurityWeek, Sep 25 2019)
Hackers have penetrated cloud computing networks of some 60 percent of top US companies, with virtually all industry sectors hit, security researchers said Tuesday.

CISO View – The Week’s Best News – 2019.09.20

2019-09-20 by Lucas Samaras

A Review of the Best News of the Week on Cybersecurity Management & Strategy

WannaCry – the worm that just won’t die (Naked Security – Sophos, Sep 18 2019)
WannaCry never went away – it just became less obvious. Remember WannaCry? That’s the infamous self-spreading ransomware attack that stormed the world in May 2017. WannaCry was an unusual strain of ransomware for two main reasons.

U.S. sanctions North Korea hacking groups, says attacks funded missile program (SC Magazine, Sep 13 2019)
The U.S. Office of Foreign Assets Control (OFAC) sanctioned North Korea Friday for ransomware attacks on the Swift interbank messaging system and other critical infrastructure targets that generated funding for the nation-state’s weapons and missile programs. The Treasury Department targeted three state-sponsored hacking groups – the Lazarus Group, whose WannaCry attacks wreaked havoc…

Advanced hackers are infecting IT providers in hopes of hitting their customers (Ars Technica, Sep 18 2019)
Previously undocumented Tortoiseshell is skilled, but by no means perfect.

One of My Favorite Things
Since I started this curated newsletter in June 2017, I’ve clipped ~10,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

Share today’s post on Twitter Facebook LinkedIn

Check the scope: Pen-testers nabbed, jailed in Iowa courthouse break-in attempt (Ars Technica, Sep 13 2019)
They claimed to be conducting a penetration test to determine how vulnerable county court records were and to measure law enforcement’s response to a break-in. Unfortunately, the Iowa state court officials who ordered the test never told county officials about it—and evidently no one anticipated that a physical break-in would be part of the test. For now, the penetration testers remain in jail.

Chicago Broker Fined $1.5m for Inadequate Cybersecurity (Infosecurity Magazine, Sep 16 2019)
Phillip Capital has been fined after its poor cybersecurity led to a $1m theft

Australia Knows China Hacked Its Parliament: Report (SecurityWeek, Sep 17 2019)
Australia is confident that China was behind cyberattacks on its parliament and political parties, but decided not to make public accusations to avoid disrupting trade relations, according to Reuters.

GitHub Becomes CVE Numbering Authority, Acquires Semmle (Dark Reading, Sep 18 2019)
As a CVE Numbering Authority, GitHub can assign a CVE ID, post to the CVE List, and then post to the National Vulnerability Database (NVD) on behalf of a developer. According to a blog post announcing its news, GitHub said it expects the combination of Semmle code scanning and CVE number assignment will make it much more likely that vulnerabilities in open source projects will be found and reported.

Arizona Schools Provide Model for Managing Ransomware (SecurityWeek, Sep 13 2019)
On Wednesday, September 4, 2019, ransomware was discovered at Flagstaff Unified School District, Arizona. Schools were closed on Thursday and Friday of that week, but re-opened after the weekend. No ransom was paid, and only two days schooling was lost.

Security Leaders Share Tips for Boardroom Chats (Dark Reading:, Sep 12 2019)
Cisco, Oracle, and LinkedIn security leaders share their challenges in communicating with business teams and advice for how CISOs can navigate the relationship.

CISO do’s and don’ts: Lessons learned (Help Net Security, Sep 16 2019)
“The best way I’ve managed to make the case for specific security improvements has been to relate them to financial loss. The simple formula is: how many applications could an attack potentially take down? Estimate a likely time span. How much does an application generate? And then present to the board how much you can save, in terms of hours lost and money, by displaying how much a security control would protect the total value of the application,” he explains.

Making the case for IT/OT security integration (SC Magazine, Sep 16 2019)
Traditionally, ICS networks and SCADA systems have been segregated from unsecure areas (corporate networks and the internet) through air-gapping and increased physical security. But in recent years, more of these systems have been brought online to cut costs, share operational information and improve efficiencies—thus increasing their exposure to IT networks as infection vectors. One of the best-known recent examples of this was NotPetya, a ransomware exploit which began by infecting enterprise IT networks and then spread to disrupt the OT networks of several large companies, including Merck and FedEx.

Five Thoughts on the Internet Freedom League (TaoSecurity, Sep 13 2019)
“In the September/October issue of Foreign Affairs magazine, Richard Clarke and Rob Knake published an article…The article proposes the following: The United States and its allies and partners should stop worrying about the risk of authoritarians splitting the Internet. Instead, they should split it themselves, by creating a digital bloc within which data, services, and products can flow freely, excluding countries that do not respect freedom of expression or privacy rights, engage in disruptive activity, or provide safe havens to cybercriminals…My initial reaction to this line of thought was not encouraging.”

Preventing PTSD and Burnout for Cybersecurity Professionals (Dark Reading, Sep 16 2019)
The safety of our digital lives is at stake, and we need to all do our part in raising awareness of these issues.

How Intel Unlocks the Powerful Potential of Diversity in Cybersecurity (Dark Reading, Sep 17 2019)
Sparking cultural shifts within an organization — and throughout an entire industry — can feel like a monumental task, but the juice is well worth the squeeze.

Man Who Hired Deadly Swatting Gets 15 Months (Krebs on Security, Sep 17 2019)
An Ohio teen who recruited a convicted serial swatter to fake a distress call that ended in the police shooting an innocent Kansas man in 2017 has been sentenced to 15 months in prison.

Businesses facing post breach financial fallout by losing customer trust (Help Net Security, Sep 18 2019)
44% of Americans, 38% of Brits, 33% of Australians, and 37% of Canadians have been the victim of a data breach, according to newly released research conducted by PCI Pal.

Panda’ Group Makes Thousands of Dollars Using RATs, Crypto-Miners (SecurityWeek, Sep 18 2019)
A new threat actor has generated thousands of dollars in the Monero cryptocurrency using remote access tools (RATs) and illicit cryptocurrency mining malware, Cisco’s Talos threat intelligence and research group revealed on Tuesday.

One Arrested in Ecuador’s Mega Data Leak (Dark Reading, Sep 18 2019)
Officials arrest a leader of consulting firm Novaestrat, which owned an unprotected server that exposed 20.8 million personal records.

Top 10 Tactical Recommendations for SMB Cybersecurity (SecurityWeek, Sep 18 2019)
“In my previous column I introduced the concept of “Think 360, Demand 360” as it applies to data protection, privacy, and cyber security. The concept is as follows: whether you represent a small business, a Fortune 50 company, an NGO or a government entity, what you are protecting and who you are protecting it from is really a 360-degree exercise.”

Lawmakers want to bring back top White House cybersecurity post (Washington Post, Sep 19 2019)
With a new official set to take the reins of the Trump White House’s national security strategy, some Democratic lawmakers are pushing for cybersecurity to get more top-level attention.

CISO View – The Week’s Best News – 2019.09.13

2019-09-13 by Lucas Samaras

A Review of the Best News of the Week on Cybersecurity Management & Strategy

New NSA cyber lead says agency must share more info about digital threats (Washington Post, Sep 05 2019)
The NSA is the U.S. government’s premier digital spying agency and it has a well-earned reputation for keeping secrets. But the agency needs to stop keeping so many things confidential and classified if it wants to protect the nation from cyberattacks.

#GartnerSEC: Maersk CISO Outlines Lessons Learned From NotPetya Attack (Infosecurity Magazine, Sep 10 2019)
We were the collateral victim of a state-sponsored attack and look what it did, so if you are trying to build a company to stop 100% of state-sponsored weapons, forget it. If you adopt a strategy around that, you will fail.

On Cybersecurity Insurance (Schneier on Security, Sep 10 2019)
Good paper on cybersecurity insurance: both the history and the promise for the future. From the conclusion: Policy makers have long held high hopes for cyber insurance as a tool for improving security. Unfortunately, the available evidence so far should give policymakers pause. Cyber insurance appears to be a weak form of governance at present.

Share today’s post on Twitter Facebook LinkedIn

Ping Identity launches initial public offering of its common stock (Help Net Security, Sep 09 2019)
Ping Identity is offering 12,500,000 shares of its common stock pursuant to a registration statement on Form S-1 filed with the Securities and Exchange Commission (the “SEC”).

#GartnerSEC: Maersk’s Adam Banks Reflects on NotPetya Response and Recovery (Infosecurity Magazine, Sep 10 2019)
“I didn’t go home for 70 days,” Banks said, as he worked tirelessly with the rest of the business to respond and recover. In the first one to three days of the outbreak of NotPetya, Maersk:

#GartnerSEC: 2019 Projects Should Include Incident Response, BEC and Container Security (Infosecurity Magazine, Sep 10 2019)
The need for phishing training, automated security scanning and micro-segmentation have been replaced by container security, incident response and business email compromise technology in the top ten security projects for the year.

Secret Service Investigates Breach at U.S. Govt IT Contractor (Krebs on Security, Sep 09 2019)
“The U.S. Secret Service is investigating a breach at a Virginia-based government technology contractor that saw access to several of its systems put up for sale in the cybercrime underground, KrebsOnSecurity has learned. The contractor claims the access being auctioned off was to old test systems that do not have direct connections to its government partner networks.”

The Doghouse: Crown Sterling (Schneier on Security, Sep 05 2019)
A decade ago, the Doghouse was a regular feature in both my email newsletter Crypto-Gram and my blog. In it, I would call out particularly egregious — and amusing — examples of cryptographic “snake oil.”

I dropped it both because it stopped being fun and because almost everyone converged on standard cryptographic libraries, which meant standard non-snake-oil cryptography. But every so often, a new company comes along that is so ridiculous, so nonsensical, so bizarre, that there is nothing to do but call it out.

Crown Sterling is complete and utter snake oil.

How counties are war-gaming Election Day cyberattacks (Washington Post, Sep 11 2019)
If Russian hackers seek to disrupt the 2020 election, it will be county election officials on the front lines. And some are diving in to war games so they can be ready for anything Moscow or another U.S. adversary can throw at them.

#GartnerSEC: Questions Your Board Will Ask About Security (Infosecurity Magazine, Sep 11 2019)
He said: “We feel that in a couple of years, your performance as security and risk leaders will be on demonstrating value at enterprise risk level.” This is because the board care about three things:

US city balks at paying $5.3 million ransomware demand (Naked Security – Sophos, Sep 09 2019)
The attack quickly encrypted 158 workstations – and would have been worse had it struck later in the working day.

Texas Refuses to Pay $2.5M in Massive Ransomware Attack (Dark Reading, Sep 09 2019)
The ransomware campaign affected 22 local governments, none of which have paid the attackers’ $2.5 million ransom demand.

The DEA Didn’t Buy Malware From Israel’s Controversial NSO Group Because It Was Too Expensive (VICE, Sep 11 2019)
Emails between the DEA and NSO obtained by Motherboard explain why the DEA didn’t purchase the company’s malware in 2014.

#GartnerSEC: Hiring Strategies Do Not Consider Future Digital Trends (Infosecurity Magazine, Sep 09 2019)
Consider looking forward, rather than at what is needed now, in your hiring efforts

Stop Using CVSS to Score Risk (SecurityWeek, Sep 10 2019)
The mechanics of prioritizing one vulnerability’s business risk over another has always been fraught with concern. What began as securing business applications and infrastructure from full-disclosure bugs a couple of decades ago, has grown to encompass vaguely referenced flaws in insulin-pumps and fly-by-wire aircraft with lives potentially hanging in the balance.

Tighter control over IT asset management: The key to securing your enterprise (SC Magazine, Sep 11 2019)
Recent evidence of the new BlueKeep Windows vulnerability is an excellent and scary example of the need for enterprises to have thorough, accurate and current visibility into all the devices in use by their employees and contractors. Here’s a scenario that could happen: Joe Smith decides to work at home one night and rather than…

Wikipedia Gets $2.5m Donation to Boost Cybersecurity (Infosecurity Magazine, Sep 12 2019)
Wikipedia Gets $2.5m Donation to Boost Cybersecurity Infosecurity MagazineCraigslist founder boosts non-profit’s efforts to recover from DDoS.

Mountain View cybersecurity giant Symantec begins layoffs (SF Chronicle, Sep 11 2019)
Cybersecurity company Symantec is cutting 152 jobs at its Mountain View headquarters and 18 in San Francisco, along with 36 in Culver City (Los Angeles County), a California filing revealed, giving a sense of planned job cuts’ local impact.

Cloudflare says it may have violated US law ahead of IPO (Business Insider, Sep 11 2019)
Cybersecurity company Cloudflare is about to become public company, possibly as soon as this week, and there are indicators that investors are ready to buy in. However, the company also quietly updated its S-1 filing to go public to disclose that it may have broken the law in ways including including selling its services to terrorists, to narcotics traffickers, and to governments being sanctioned by the US.

Fed Kaspersky Ban Made Permanent by New Rules (Dark Reading, Sep 11 2019)
A new set of regulations converts the government ban on using Kaspersky products from a temporary rule to one that’s permanent.