A Review of the Best News of the Week on Cybersecurity Management & Strategy

China Used Tiny Chip in Hack That Infiltrated Amazon, Apple (Bloomberg, Oct 04 2018)
In one case, the malicious chips were thin enough that they’d been embedded between the layers of fiberglass onto which the other components were attached, according to one person who saw pictures of the chips. That generation of chips was smaller than a sharpened pencil tip, the person says.

Security Staffing Low in Midsized and Large Orgs (Infosecurity Magazine, Sep 28 2018)
Large organizations have only one security staff for every 1,488 employees, says ProtectWise.

Making an Impact with Security Awareness Training: Quick Wins and Sustained Impact (Securosis, Sep 27 2018)
It’s a balance between being overly heavy-handed against the importance of training users to defend themselves. You need to ensure employees know about the ongoing testing program, and that they’ll be testing periodically. That’s the continuous part of the approach – it’s not a one-time thing.

---

Without data, your security strategy is just a guess.
The Mosaic Security Research Market Intelligence Platform provides the data you need for OWASP’s Cyber Defense Matrix. Learn a better way to build your strategy.

---

NYC wants to build a cyber army (TechCrunch, Oct 02 2018)
New York City Economic Development Corporation (NYCEDC) announced the launch of Cyber NYC, a $30 million “catalyzing” investment designed to rapidly grow the city’s ecosystem and infrastructure for cybersecurity.

Organizations need to shift strategies, adopt a proactive approach to cybersecurity (Help Net Security, Oct 01 2018)
The cybersecurity market has reached a point whereby organisations need to shift their strategies and have a new, proactive approach to their cybersecurity, according to a report by 451 Research.

More on the Five Eyes Statement on Encryption and Backdoors (Schneier on Security, Oct 01 2018)
Susan Landau examines the details of the statement, explains what’s going on, and why the statement is a lot less than what it might seem.

Quantifying a firm’s security levels may strengthen security over time (Help Net Security, Oct 01 2018)
Cyberattacks grow in prominence each and every day; in fact, 2017 was the worst year to-date for data breaches, with the number of cyber incidents targeting businesses nearly doubling from 2016 to 2017.

CISOs: How to Answer the 5 Questions Boards Will Ask You (Dark Reading, Oct 02 2018)
As boards learn the importance of cybersecurity, certain issues arise on a regular basis. These tips can help you address them.

Financial Sector Breaches Have Tripled Since 2016 (Infosecurity Magazine, Oct 02 2018)
Bitglass report claims over 100 incidents in US alone

U.S. Energy Department Invests Another $28 Million in Cybersecurity (SecurityWeek, Oct 02 2018)
The U.S. Department of Energy on Monday announced that it’s investing up to $28 million in tools and technologies that will improve the resilience and cybersecurity of the power grid and oil and gas infrastructure.

How Ashley Madison Recovered From Its Massive Data Breach (eWEEK, Oct 03 2018)
At SecTor, the CISO of Ruby Life, the parent company of breached infidelity website Ashley Madison, details the steps the company has taken to improve security.

Patching and Policy Lessons Learned from WannaCry (Infosecurity Magazine, Oct 03 2018)
IT and cybersecurity professionals that don’t make patching a priority are essentially shining a light on their organization’s weaknesses.

NKorea Said to Have Stolen a Fortune in Online Bank Heists (SecurityWeek, Oct 03 2018)
North Korea’s nuclear and missile tests have stopped, but its hacking operations to gather intelligence and raise funds for the sanction-strapped government in Pyongyang may be gathering steam.

Tanium Raises $200 Million at $6.5 Billion Valuation (SecurityWeek, Oct 02 2018)
Emeryville, CA-based endpoint security and systems management firm Tanium announced on Tuesday that it has raised an additional $200 million through the sale of common stock, which raises the company’s pre-money valuation to $6.5 billion.

GDPR Report Card: Some Early Gains but More Work Ahead (Dark Reading, Oct 04 2018)
US companies paid the most, to date, to meet the EU’s General Data Protection Regulation, according to a recent study, but UK companies made greater progress in achieving compliance goals.

Malware Outbreak Causes Disruptions, Closures at Canadian Restaurant Chain (Dark Reading, Oct 03 2018)
Recipe Unlimited, a publicly traded company that operates nearly 1,400 restaurants under 19 different brands in Canada, has experienced what appears to be a significant security incident impacting several of its brands.

US to Let NATO Use its Cyber Defense Skills (SecurityWeek, Oct 03 2018)
The United States is expected to make its offensive cyber warfare capabilities available to NATO, officials said Wednesday, as the alliance seeks to strengthen its defenses against Russian electronic attacks.

How Letting Go of the Familiar Can Improve Security Maturity (SecurityWeek, Oct 03 2018)
The known provides something very comforting to the human psyche. On the contrary, the unknown causes discomfort and unsettledness. Perhaps it is because of this that people love to stay with what is known and familiar, even if it is less optimal.

The Effects of GDPR’s 72-Hour Notification Rule (Schneier on Security, Oct 03 2018)
The EU’s GDPR regulation requires companies to report a breach within 72 hours. Alex Stamos, former Facebook CISO now at Stanford University, points out how this can be a problem.

Endpoint Has Won, Why Bother With NTA? (Gartner Blog Network, Oct 03 2018)
SOCs should use logs, endpoint and network data on their threat detection and response efforts. But we also know that organizations don’t have infinite resources and will often have to decide about which tool to deploy first (or ever). Leaving logs aside for a moment, as it usually has additional drivers (i.e. Compliance), the decision eventually becomes: Endpoint vs Network.

A Review of the Best News of the Week on Cybersecurity Management & Strategy

Uber Fined $148m for Breach Cover-Up (Infosecurity Magazine, Sep 27 2018)
A heavy price tag for Uber’s data breach mismanagement

14 years prison for man who helped hackers evade detection by anti-virus software (Graham Cluley, Sep 25 2018)
Bondars (also known by his online nickname of “Borland”) worked in conjunction with co-conspirator Jurijs “Garrik” Martisevs on the notorious Scan4You website. Scan4You allowed criminals – for a monthly fee – to upload their latest malware to receive a report on whether any of a wide range of anti-virus products would detect it as malicious.

Domain flub leaves 30 million customers high and dry (Naked Security – Sophos, Sep 26 2018)
Zoho’s CEO begged for help on Twitter after his domain registrar effectively took the company offline, stranding millions of users.

---

Without data, your security strategy is just a guess.
The Mosaic Security Research Market Intelligence Platform provides the data you need for OWASP’s Cyber Defense Matrix. Learn a better way to build your strategy.

---

Tencent engineer attending cybersecurity event fined for hotel WiFi hacking (Yahoo News Singapore, Sep 24 2018)
While attending a cybersecurity conference in Singapore, a Chinese national decided to hack into the WiFi of the hotel he was staying in. Zheng Dutao, a 23-year-old security engineer with Chinese internet giant Tencent Holdings, was curious to find any vulnerabilities in the WiFi server…

Data Breaches: User Comprehension, Expectations, and Concerns with Handling Exposed Data (Elie Bursztein (Google), Sep 23 2018)
We examine the comprehension of 551 participants on the risks of data breaches and their sentiment towards potential remediation steps. In the second survey, we ask 10,212 participants to rate their level of comfort towards eight different scenarios that capture real-world examples of security practitioners, researchers, journalists, and commercial entities investigating leaked data.

The state of network security in organizations with 1000+ employees (Help Net Security, Sep 27 2018)
The research also pinpointed some of the differences. As noted before, large organizations generally do not have a much larger security team that mid-sized ones.

Variations in State Data Breach Disclosure Laws Complicate Compliance (Infosec Island, Sep 26 2018)
In some states, companies must report breaches to the Attorney General’s Office even if only one record is breached. In other states, reporting does not apply unless a minimum number of records —250, 500 or 1000 — is breached.

Hacking Back: Simply a Bad Idea (Dark Reading, Sep 24 2018)
While the concept may sound appealing, it’s rife with drawbacks and dangers.

Most enterprises now running Windows 10, security hygiene no longer optional (Help Net Security, Sep 27 2018)
For the first time in the survey’s history, the majority (57%) of respondents reported that their organizations are running most of their computers on Windows 10.

Senate Committee Approves Several Cybersecurity Bills (SecurityWeek, Sep 27 2018)
The U.S. Senate Committee on Homeland Security and Governmental Affairs on Wednesday voted to approve several cybersecurity bills, including ones related to incident response, supply chain security, the government’s cyber workforce, and safeguarding federal information systems.

How organizations overcome cybersecurity hiring challenges (Help Net Security, Sep 24 2018)
The data is based on a survey of 250 U.S. cybersecurity professionals with oversight of hiring and managing security departments, who say their organization does an adequate job of ensuring it has enough cybersecurity expertise on staff.

How companies view their cyber exposure, and how they deal with it (Help Net Security, Sep 24 2018)
The 2018 Travelers Risk Index found cyber risks are the No. 2 concern across all business sizes and industries, and the percentage of businesses reporting they have been the victim of a cyber attack has doubled.

White House Issues National Cyber Strategy (Infosecurity Magazine, Sep 21 2018)
President Trump released aggressive plans for nation cyber defense

Facebook faces sanctions if it drags its feet on data transparency (Naked Security – Sophos, Sep 24 2018)
The European Commission (EC) has had it up to here with Facebook dragging its feet on providing more information about what it does with users’ data and is ready to slap it upside the head with sanctions…

Fault-Tolerant Method Used for Security Purposes in New Framework (Dark Reading, Sep 25 2018)
A young company has a new patent for using fault tolerance techniques to protect against malware infection in applications.

Ex-NSA Developer Gets 5 1/2-Year Prison Sentence (Dark Reading, Sep 25 2018)
Nghia Hoang Pho, who illegally took home classified NSA information, also sentenced to three years of supervised release after prison term.

Testing Firm NSS Labs Declares War on Antivirus Industry (SecurityWeek, Sep 25 2018)
NSS Labs claims that AMTSO has organized a conspiracy against the EPP product testing industry – and specifically NSS Labs – to prevent independent testing of EPP products.

New tactics subvert traditional security measures and strike organizations of all sizes (Help Net Security, Sep 26 2018)
Among the notable findings in the report is the end of the traditional killchain, with 88 percent of killchain attacks now gaining efficiency and speed by combining what was formerly the first five phases—”recon,” “weaponization,” “delivery,” “exploitation” and “installation”—into a single action.

Full compliance with the PCI DSS drops for the first time in six years (Help Net Security, Sep 26 2018)
After documenting improvements in Payment Card Industry Data Security Standard (PCI DSS) compliance over the past six years (2010 – 2016), Verizon’s 2018 Payment Security Report (PSR) now reveals a concerning downward trend with companies failing compliance assessments and perhaps, more importantly, not maintaining – full compliance.

Despite BOD 18-01, Fed Agencies Not at 100% HTTPS (Infosecurity Magazine, Sep 26 2018)
Federal agencies have yet to improve the way they handle machine identities, says Venafi.

A Review of the Best News of the Week on Cybersecurity Management & Strategy

US military given the power to hack back/defend forward (Naked Security – Sophos, Sep 20 2018)
The new preventative cybersecurity powers include potentially acting against countries considered friendly toward the US – a risky move, some say.

Guccifer to Be Extradited to US for Prison Sentence (Dark Reading, Sep 14 2018)
Four-year, four-month term will follow a longer sentence in hacker’s home country of Romania.

New Magecart victims ABS-CBN and Newegg are just the tip of the iceberg (Help Net Security, Sep 20 2018)
With the Magecart attackers compromising web shops left and right, online shopping is becoming a risky proposition. After Ticketmaster, British Airways and Feedify, two new Magecart victims have been identified: the broadcasting giant ABS-CBN and online retailer Newegg.

---

Without data, your security strategy is just a guess.
The Mosaic Security Research Market Intelligence Platform provides the data you need for OWASP’s Cyber Defense Matrix. Learn a better way to build your strategy.

---

CISOs and the Quest for Cybersecurity Metrics Fit for Business (SecurityWeek, Sep 17 2018)
Asked if CISOs are currently delivering good metrics, the answer was an unequivocal yes and no, maybe, it depends, but probably not.

Firewalls and the Need for Speed (TaoSecurity, Sep 18 2018)
“This bothered me, so I Tweeted about it….What do you think of this architecture? My Tweet has attracted some attention from the high speed network researcher community, some of whom assume I must be a junior security apprentice who equates “firewall” with “security.” Long-time blog readers will laugh at that, like I did. So what was my problem with the original recommendation, and what problems do I have (if any) with the 2018 version?”

The Mirai Botnet Architects Are Now Fighting Crime With the FBI (Wired, Sep 18 2018)
In 2016, three friends created a botnet that nearly broke the internet. Now, they’re helping the feds catch cybercriminals of all stripes.

As Tech Drives the Business, So Do CISOs (Dark Reading, Sep 19 2018)
Business leaders used to ask the CISO what controls they needed; now they want security embedded in business planning and application development. “You want security expertise in the operations groups, you want that in development groups, you want that in each component of operations, including the cloud,” he adds.

Your business should be more afraid of phishing than malware (Graham Cluley, Sep 19 2018)
More than twice as many breaches were blamed on phishing rather than malware (48% compared to 22%) In fact, even when malware was combined with unpatched systems (coming to a total of 41% of reports) it still failed to be as big of a problem as phishing.

DMARC Fully Implemented on Two Thirds of U.S. Government Domains (SecurityWeek, Sep 21 2018)
DMARC has been fully implemented on roughly two thirds of U.S. government domains, but agencies have less than a month to roll out the email security standard on the remaining websites.

NTA: The Other IDS? (Gartner Blog Network, Sep 20 2018)
“IMHO, Network Traffic Analysis (NTA) was born to separate the old, mostly flow-based (layer-3) technology from the modern layer-7 based tech that analyzes network activities for security purposes.”

Lawmakers warn Trump’s election interference order does not go nearly far enough (Washington Post, Sep 13 2018)
The main bill lawmakers are pushing is the bipartisan DETER Act, which was introduced by Sens. Marco Rubio (R-Fla.) and Chris Van Hollen (D-Md.). The bill would require the administration to slap Russian businesses and oligarchs with sanctions within 10 days if the director of national intelligence determines that the Kremlin has interfered in an election. It would also place a powerful check on the White House: Under the legislation, the president would be barred from lifting the sanctions unless intelligence officials report to Congress that Russia has gone two election cycles without interfering in U.S. elections.

83% of SMB owners have no cash put aside to deal with the fallout from a cyber attack (Help Net Security, Sep 19 2018)
Small businesses are leaving themselves exposed to significant financial risk from cybercrime by not having adequate measures in place to recover in the event of a cyber attack. That’s according to the findings of InsuranceBee’s Cyber Survey, which asked more than 1,000 SMBs how prepared they are to deal with cybercrime.

AES Resulted in a $250 Billion Economic Benefit (Schneier on Security, Sep 21 2018)
“NIST has released a new study concluding that the AES encryption standard has resulted in a $250-billion worldwide economic benefit over the past 20 years. I have no idea how to even begin to assess the quality of the study and its conclusions — it’s all in the 150-page report, though…”

Russian Spies Arrested on Suspicion of Plans to Hack Swiss Laboratory (SecurityWeek, Sep 14 2018)
Dutch intelligence services arrested two alleged Russian spies on suspicion of planning to hack a Swiss laboratory investigating the poisoning of double agent Sergei Skripal, reports and officials said Friday.

Yahoo Class-Action Suits Set for Settlement (Dark Reading, Sep 17 2018)
Altaba tells SEC it will incur $47 million to settle consumer litigation for massive Yahoo data breaches.

Insurance experts expect higher cyber-related losses (Help Net Security, Sep 18 2018)
Large cyber-attacks, like WannaCry or NotPetya, are also expected to be more frequent, with over 60% of respondents stating they anticipate these occurring at least once every five years.

Awareness and tendency towards risky online behavior (Help Net Security, Sep 18 2018)
It found that, while employees are generally risk averse, more than half (55 percent) admitted to clicking links they didn’t recognize, 45 percent said they would allow a colleague to use their work computer and 34 percent were unable to identify an unsecure ecommerce site.

Fidelis Cybersecurity Raises $25 Million (SecurityWeek, Sep 18 2018)
The funding, which brings the total raised by the company to date to nearly $50 million, will be used to extend product innovation, support business growth, and invest into the company’s 24×7 Managed Detection and Response (MDR) service. The round was led by existing investors.

Japan Digital Currency Exchange Hacked, Losing $60 Million (SecurityWeek, Sep 20 2018)
Hackers have stolen 6.7 billion yen ($60 million) worth of cryptocurrencies from a Japanese digital currency exchange, the operators said Thursday.

NSS Labs Files Antitrust Suit Against Symantec, CrowdStrike, ESET, AMTSO (Dark Reading, Sep 19 2018)
The lawsuit accuses the three security vendors and the nonprofit AMTSO, of which they and other endpoint security vendors are members, of unfairly allowing their products to be tested only by organizations that comply with AMTSO’s testing protocol standard. NSS Labs, which also is a member of AMTSO, earlier this year voted against adoption of the standard and says it has no plans to comply with it.

A Review of the Best News of the Week on Cybersecurity Management & Strategy

A Security Expert Tied to WikiLeaks Vanishes, and the Internet Is Abuzz (The New York Times, Sep 07 2018)
Arjen Kamphuis was last seen on Aug. 20 in a remote Arctic town in Norway. Online theories range from C.I.A. abduction to a secret mission for Julian Assange.

‘Only paper ballots by 2020!’ call experts after election tampering (Naked Security – Sophos, Sep 10 2018)
The National Academy of Sciences says the US election system uses insecure technology and is fighting off attempts to destabilize it.

Georgia says switching back to all-paper voting is logistically impossible (Ars Technica, Sep 12 2018)
In Curling v. Kemp, both sides are set to duke it out in court.

---

Without data, your security strategy is just a guess.
The Mosaic Security Research Market Intelligence Platform provides the data you need for OWASP’s Cyber Defense Matrix. Learn a better way to build your strategy.

---

Attackers Made 9,000 Unauthorized Database Queries in Equifax Hack: Report (SecurityWeek, Sep 10 2018)
It took Equifax 76 days to detect the massive 2017 data breach, despite the fact that attackers had conducted roughly 9,000 unauthorized queries on its databases, according to a new report from the U.S. Government Accountability Office (GAO).

Bruce Schneier Reddit AMA (Schneier on Security, Sep 07 2018)
Bruce Schneier did a Reddit Ask Me Anything on Thursday, September 6….

Making an Impact with Security Awareness Training: Continuous Contextual Content (Securosis Blog, Sep 11 2018)
“To overcome these limitations we introduced the concept of Continuous, Contextual Content (3C) as the cornerstone of the kind of training program which can achieve security initiatives…Now we can dig in to understand how to move your training program toward 3C.”

Trump’s New Executive Order Slaps a Bandaid on Election Interference Problems (Wired, Sep 12 2018)
Trump’s order creates a framework to sanction foreign meddling in elections, but experts say it’s not enough.

Quantum Computing and Cryptography (Schneier on Security, Sep 14 2018)
Quantum computing is a new way of computing — one that could allow humankind to perform computations that are simply impossible using today’s computing technologies. It allows for very fast searching, something that would break some of the encryption algorithms we use today. And it allows us to easily factor large numbers, something that would break the RSA cryptosystem for any key length. This is why cryptographers are hard at work designing and analyzing “quantum-resistant” public-key algorithms.

#GartnerSec: Embrace Hacker Culture to Battle Cyber-Criminals (Infosecurity Magazine, Sep 10 2018)
Embrace hacker culture, tools and techniques in the battle with cyber-criminals

U.K. Teen Involved in ProtonMail DDoS Attack Arrested (SecurityWeek, Sep 07 2018)
ProtonMail has helped law enforcement identify one of the members of the Apophis Squad, a group that has made bomb threats and launched distributed denial-of-service (DDoS) attacks against many organizations.

Twenty Years of Network Security Monitoring: From the AFCERT to Corelight (TaoSecurity, Sep 11 2018)
Richard Bejtlich joins Corelight

Busting the VDI Security Myth (Infosec Island, Sep 11 2018)
Many CISOs and security pros see Virtual Desktop Infrastructure (VDI) and other remote application solutions as security barriers. They think VDI isolates sensitive resources from the user’s device, making it impossible for hackers to bust through. But that’s a dangerous myth. In reality, VDI is only a minor hurdle for cyber-criminals.

Senators Concerned About State Department’s Cybersecurity Failures (SecurityWeek, Sep 13 2018)
A group of United States senators this week sent a letter to Secretary of State Mike Pompeo requesting clarifications regarding the Department of State’s failure to meet federal cybersecurity standards.

GDPR Requires IRM For Fast and Effective Response (Gartner Blog Network, Sep 14 2018)
No longer will organizations have the luxury to take as much time as they want to disclose and when they do, accuracy of the disclosure is paramount.

The “How To Build a SOC” Paper Update is OUT! (Gartner Blog Network, Sep 07 2018)
All that work finally made its way into the paper “How to Plan, Design, Operate and Evolve a SOC”.

Russian National Extradited for 2014 JP Morgan Hack (Dark Reading, Sep 10 2018)
Andrei Tyurin was arrested for his involvement in a hacking campaign targeting US financial institutions, financial news publishers, brokerage firm, and other companies.

Many adults want to reskill for cybersecurity careers (Help Net Security, Sep 11 2018)
Of the 1,004 adults surveyed, 41 percent said they would probably or definitely consider returning to college to earn a certificate or degree to prepare for a cybersecurity job. However, willingness rose to 72 percent if current employers were willing to pay for respondents’ education in preparation for an in-house cybersecurity job.

Law firm launches £500 million group action over British Airways hack (Graham Cluley, Sep 11 2018)
Within hours of British Airways admitting that it had suffered a serious security breach, with hackers accessing customer data and the full details of 380,000 payment cards, a British law firm announced that it was launching a £500m group action against the airline.

Prison for man who assisted scareware scheme that targeted newspaper website (Graham Cluley, Sep 13 2018)
A man who spent years on the run from the FBI for his part in a lucrative criminal operation that spread scareware via the Minnesota Star Tribune website has finally been sent to prison.

Security Risks of Government Hacking (Schneier on Security, Sep 13 2018)
“Some of us — myself included — have proposed lawful government hacking as an alternative to backdoors. A new report from the Center of Internet and Society looks at the security risks of allowing government hacking.”

A Review of the Best News of the Week on Cybersecurity Management & Strategy

Five Eyes demand for encryption workarounds raises stakes for tech companies (Washington Post, Sep 05 2018)
The U.S. government is going global in its anti-encryption push.

The SOC Gets a Makeover (Dark Reading, Sep 06 2018)
Today’s security operations center is all about reducing the number of alerts with emerging technologies – and enhancing old-school human collaboration. Here’s how some real-world SOCs are evolving.

Financial info of 380,000 British Airways customers stolen in site, app breach (Help Net Security, Sep 07 2018)
“From 22:58 BST August 21 2018 until 21:45 BST September 5 2018 inclusive, the personal and financial details of customers making or changing bookings on our website [ba.com] and [mobile] app were compromised,” the company stated. “The stolen data did not include travel or passport details.”

---

Without data, your security strategy is just a guess.
The Mosaic Security Research Market Intelligence Platform provides the data you need for OWASP’s Cyber Defense Matrix. Learn a better way to build your strategy.

---

Senator Mark Warner Is Not Happy With Google (Wired, Sep 04 2018)
“What I’ve told the companies is that I don’t want this to be a retrospective on what happened in 2016, but I want to know what they’re doing to prevent this happening in 2018 and beyond. Increasingly, this kind of manipulation can be used not just in politics, but also in business and other areas.”

One of Google’s newest sister companies is ready to go after the $96 billion cybersecurity industry (CNBC, Sep 04 2018)
Alphabet’s X ‘Moonshot’ start-up Chronicle wants to shake up the cybersecurity landscape 

Less than a third of companies have dedicated cybersecurity insurance (Help Net Security, Sep 04 2018)
Just six percent of respondents in the UK say their company insurance covers only for information security breaches, while 11 percent are covered only for data loss.

There are no real shortcuts to most security problems (Help Net Security, Sep 05 2018)
Xerox Chief Information Security Officer Dr. Alissa Johnson…“Diverting more funds into cybersecurity insurance instead of bolstering defenses increases the likelihood of a breach. More to the point, though, insurance payments can’t make up for all of the damage done by a cyberattack,” she points out.

What to expect when the internet gets a big security upgrade (Network World Security, Sep 05 2018)
More secure keys protecting the directory name system (DNS) are ready to deploy, but for those using DNS servers that haven’t been upgraded, it could cause problems reaching websites.

Facebook Chief Says Internet Firms in ‘Arms Race’ for Democracy (SecurityWeek, Sep 04 2018)
Facebook chief Mark Zuckerberg said late Tuesday that the leading social network and other internet firms are in an arms race to defend democracy.

How leadership implements cyber resiliency across their organizations (Help Net Security, Sep 06 2018)
Only 8% of executives say that their CISO or equivalent performs above average in communicating the financial, workforce, reputational or personal consequences of cyber threats.

Gartner SOAR Adoption Rate Prediction: From 1% to 15% by 2020 – Why Should You Care? (Infosec Island, Sep 06 2018)
SOAR tools allow for an effective way of fighting security threats through a central collection of intelligence that can be quickly transformed into action.

Leader of DDoS-for-Hire Gang Pleads Guilty to Bomb Threats (Krebs on Security, Sep 06 2018)
“A 19-year-old man from the United Kingdom who headed a cybercriminal group whose motto was “Feds Can’t Touch Us” pleaded guilty this week to making bomb threats against thousands of schools.”

US to Charge North Korea for Sony Breach, WannaCry (Dark Reading, Sep 06 2018)
The DoJ plans to charge North Korean threat actors for their involvement in two major cyberattacks, US officials report.

What Is FIPS 140-2 & Why Does It Matter? (Carbon Black, Aug 31 2018)
FIPS 140 was written as a requirements document for encryption with the goal to standardize a minimum strength level for the cryptography used in all Sensitive But Unclassified (SBU) federal operating environments.

Bitfi Retracts ‘Unhackable’ Claims (Infosecurity Magazine, Sep 03 2018)
Controversial firm shutters bug bounty program

43% of Security Pros Could Execute Insider Attack (Infosecurity Magazine, Aug 31 2018)
Despite increased spending on security, insider threats remain a risk to business, according to new survey.

Orgs Still Feel Vulnerable Despite Cyber Standards (Infosecurity Magazine, Aug 31 2018)
A IT Governance survey finds implementing ISO 27001 beneficial in mitigating risk.

The Continuing Problem of Aligning Cybersecurity With Business (SecurityWeek, Sep 04 2018)
…asked what types of data most need to be protected, both groups agreed on first customer or patient data, and second, intellectual property. They disagreed however, on the third priority. The business group specified employee data, while the security group specified financial data.

Investor Sues AT&T for Cryptocurrency Theft Losses (Dark Reading, Sep 04 2018)
The victim of cybercurrency theft blames the carrier for failing its security obligations.

Security Orchestration, Automation and Response Demand Set to Grow (eWEEK, Sep 06 2018)
Demisto sponsored study found that security operations centers are largely overwhelmed by the volume of alerts, which is helping to drive demand and awareness for Security Orchestration, Automation and Response (SOAR) technologies.