A Review of the Best News of the Week on Cybersecurity Management & Strategy

Facebook Boss Calls for Greater Internet Regulation (Infosecurity Magazine, Apr 01 2019)
Zuckerberg pre-empts government intervention with his own suggestions

Towards better vendor security assessments (Dropbox Tech Blog, Apr 01 2019)
“[W]e’re sharing the results of an experiment to improve vendor security assessments—directly codifying reasonable security requirements into our vendor contracts. We’re also sharing our model security legal terms and making them freely available for anyone to use and modify. We hope that more companies adopting this approach will help incentivize vendors to prioritize security and lead to broader security improvements among vendors. Would Dropbox sign these security terms when we are the vendor in question? Of course! We can only demand our vendors commit to a top-tier security posture if we have done the same ourselves.”

Chinese woman arrested with malware-laced thumb drive after illegally entering Mar-a-Lago (SC Magazine, Apr 03 2019)
A Chinese national was arrested after she illegally entered President Trump’s Mar-a-Lago resort in Florida March 30 and was found to be carrying a thumb drive containing malware as well as a laptop, a “hard drive type” device and four cell phones.

---

Without data, your security strategy is just a guess.
The Mosaic Security Research Market Intelligence Platform provides the data you need for OWASP’s Cyber Defense Matrix. Learn a new way to conduct a strategy assessment.

---

Former NSA spies hacked BBC host, Al Jazeera chairman for UAE (Reuters, Apr 02 2019)
A team of former NSA cyber spies helped the United Arab Emirates break into the iPhones of at least 10 media figures, Reuters finds

NIST cybersecurity resources for smaller businesses (WeLiveSecurity, Apr 04 2019)
How can smaller businesses address their cybersecurity risks without the resources of large organizations?

States spent just a fraction of $380 million in election security money before midterms (Washington Post, Apr 05 2019)
Congress scrambled in early 2018 to deliver a surge in election security money before the midterms. But it turns out that states only spent about 8 percent of the $380 million Congress approved by the time the elections rolled around.

CIOs admit certificate-related outages routinely impact critical business applications and services (Help Net Security, Mar 29 2019)
Certificate-related outages harm the reliability and availability of vital network systems and services while also being extremely difficult to diagnose and remediate. Unfortunately, the vast majority of businesses routinely suffer from these events.

Companies will stop storing data in Australia, Microsoft warns (Naked Security – Sophos, Mar 29 2019)
Australia’s controversial anti-encryption laws came under independent scrutiny this week as tech leaders criticized the proposed rules.

Saudis hacked Jeff Bezos’s personal data, probe finds (SC Magazine, Apr 01 2019)
Saudi Arabia’s government gleaned private information from Amazon CEO Jeff Bezos’s phone, security consultant Gavin de Becker said his investigation into how texts and intimate photos from Bezos’s phone had their way to the National Enquirer discovered.

A v-CISO’s Take on the 5 Issues Facing Cybersecurity (SC Magazine, Apr 01 2019)
In just 20 years, we’ve seen the cybersecurity field grow from virtually non-existent into a $120 billion industry. But no matter how much it grows, it still feels like the bad guys are always two steps ahead. Why? Because our adversaries are, in fact, at an advantage.

Insurance Companies collaborate to offer cybersecurity ratings (SC Magazine, Mar 29 2019)
In a collaborative effort, some of the world’s largest insurers have set out to create a consumer ratings service for the cybersecurity industry. The initiative, launched Tuesday and set to be led by Marsh & McLennan, will attempt to score best products to reduce hacking risks and will create an assessment of the best cybersecurity offerings available to businesses, according to the Wall Street Journal.

Man Behind Fatal ‘Swatting’ Gets 20 Years (Krebs on Security, Mar 29 2019)
“Tyler Barriss, a 26-year-old California man who admitted making a phony emergency call to police in late 2017 that led to the shooting death of an innocent Kansas resident, has been sentenced to 20 years in federal prison.”

Michigan medical practice folds after ransomware attack (SC Magazine, Apr 02 2019)
A Battle Creek, Mich. medical practice is being forced to shut its doors after cyberattackers wiped out its files when the firm refused to pay a ransom. Brookside ENT and Hearing Center’s Dr. William Scalf told wwmt.com the center was hit with ransomware which locked up its files and presented the practice with a $6,500…

Security Policy Management Firm Tufin Sets Terms for IPO (SecurityWeek, Apr 02 2019)
Tufin, which has been approved for listing on the New York Stock Exchange as TUFN, plans on offering 7,700,000 ordinary shares at $12-14 per share. The company hopes to raise over $100 million and is seeking a valuation of $500 million.

Canadian Police Raid ‘Orcus RAT’ Author (Krebs on Security, Apr 02 2019)
“Canadian police last week raided the residence of a Toronto software developer behind “Orcus RAT,” a product that’s been marketed on underground forums and used in countless malware attacks since its creation in 2015. Its author maintains Orcus is a legitimate Remote Administration Tool that is merely being abused, but security experts say it includes multiple features more typically seen in malware known as a Remote Access Trojan.”

Bayer Confirms Cyber Attack But Says No Data Stolen (SecurityWeek, Apr 04 2019)
German chemicals giant Bayer confirmed Thursday reports it had suffered a hacking attack, but insisted that so far no data appeared to have been stolen.

Organizations still use low levels or no automation of key security and incident response tasks (Help Net Security, Apr 04 2019)
As the study demonstrates, cybersecurity professionals are turning their focus to SOAR in their search for a solution that will not only answer the immediate need to overcome the current resource and skills gap, but also enhance security operations in the years to come.

Addressing the Challenges of Moving Security to the Edge (SecurityWeek, Apr 04 2019)
“the best approach is to develop a comprehensive and adaptable security fabric that can simply be extended to include new network environments without sacrificing any of the functionality and interoperability provided by security devices deployed elsewhere—nor give up any of the visibility and centralized orchestration and control that keeps a comprehensive security strategy manageable and cost effective.”

Facebook Let Dozens of Cybercrime Groups Operate in Plain Sight (Wired, Apr 05 2019)
Who needs the dark web? Researchers found 74 groups offering stolen credit cards and hacking tools with simple Facebook searches.

Unhackable Cryptography? (Schneier on Security, Apr 05 2019)
A recent article overhyped the release of EverCrypt, a cryptography library created using formal methods to prove security against specific attacks.The Quantum magazine article sets off a series of “snake-oil” alarm bells. The author’s Github README is more measured and accurate, and illustrates what a cool project this really is. But it’s not “hacker-proof cryptographic code.”

A Review of the Best News of the Week on Cybersecurity Management & Strategy

DLA Piper and its insurers clash over multi-million NotPetya payout (Graham Cluley, Mar 25 2019)
Multinational law firm was hit in the crossfire as Russia-backed ransomware spread, and Hiscox is reportedly declining to pay up citing an “act of war”.

Attack Surface Reduction By Dynamic Compilation (Nick Hutton’s Blog, Mar 21 2019)
Lines of code you’ll never use in your environment have no value. Worse than that, they’re just a source of vulnerability. Isn’t it time you evolved?

Norsk Hydro May Have Lost $40M in First Week After Cyberattack (SecurityWeek, Mar 26 2019)
Norwegian aluminum giant Norsk Hydro estimates that it may have lost more than $40 million in the first week following the ransomware attack that disrupted its operations.

---

Without data, your security strategy is just a guess.
The Mosaic Security Research Market Intelligence Platform provides the data you need for OWASP’s Cyber Defense Matrix. Learn a new way to conduct a strategy assessment.

---

FBI crackdown on DDoS-for-hire sites led to 85% slash in attack sizes (Naked Security – Sophos, Mar 21 2019)
According to a new report, average and maximum DDoS attack sizes decreased by 85.36% and 23.91%.

The death of the VPN – It’s time to say goodbye (SC Magazine, Mar 21 2019)
Zero trust architectures provide an alternative model for access where the users never gain excessive network layer access to a trusted corporate network because there is no trusted corporate network in this architecture. Instead, access decisions are moved up from the network layer to the application layer where much more granular access decisions are made based on a variety of data sources. Access is then mediated on an app-by-app basis predicated on a strong understanding of the user’s Identity and the minimal access required by Identity.

CEOs more likely to receive pay rise after a cyber attack. Wait, what? (Help Net Security, Mar 21 2019)
“In the long run security breaches appear to have a more significant impact on firms’ strategies and policies than their cash flow.”

Insurers Creating a Consumer Ratings Service for Cybersecurity Industry (WSJ, Mar 26 2019)
Some of the world’s biggest insurers plan to work together on an assessment of the best cybersecurity available to businesses, an unusual collaboration that highlights the rising dangers posed by digital hackers.

Trojan Horses for the Mind, Part 2 of Building Impactful Security Awareness Messaging (Infosec Island, Mar 27 2019)
Another reason to use repetition in the awareness context is that you are always battling the “decay of knowledge.” Simply stating something once will not likely have a lasting impact. As a result, your once-per-year training marathons are (sorry to say this) next to useless in shaping behavior. Instead, you need to adopt this mindset: If it is worth saying once, it is worth saying multiple times. If it is worth saying once, it is worth saying multiple times. If it is worth saying once, it is worth saying multiple times…

How to build an effective vulnerability management program (Help Net Security, Mar 26 2019)
CISOs should also be aware that an accurate, context-rich asset inventory can have a tremendous, positive impact on the effectiveness of their vulnerability management program.

Microsoft’s takedown of Iranian fake sites shows ‘creative lawyering,’ experts say (Washington Post, Mar 28 2019)
Instead of just reporting the issue to the FBI and waiting for the government’s help, Microsoft got the legal go-ahead to take action by citing violations of laws that were written long before the modern Internet. In this case, Microsoft argued Phosphorus was violating the Computer Fraud and Abuse Act and the Electronic Communications Privacy Act — both laws from the 1980s. The company also claimed Phosphorus was violating its trademarks because it was using Microsoft product names on its phony websites.

Experts to help boards tackle cybersecurity threats (Help Net Security, Mar 22 2019)
The Cyber Readiness for Boards project, which is jointly funded by the National Cyber Security Centre and the Lloyd’s Register Foundation, has launched to explore the factors shaping UK board decisions around cyber risk and develop interventions to provide guidance and support.

D.C. Attorney General Introduces New Data Security Bill (SecurityWeek, Mar 22 2019)
The attorney general for the District of Columbia, on Thursday announced the introduction of a new bill that aims to expand data breach notification requirements and improve the way personal information is protected by organizations.

Global Security Spend Set to Grow to $133.8 Billion by 2022: IDC (SecurityWeek, Mar 21 2019)
Global spending on security-related hardware software and services will grow at a compound annual growth rate (CAGR) of 9.2% between 2018 and 2022, to a total of $133.8 billion in 2022.

Under Attack: Over Half of SMBs Breached Last Year (Dark Reading, Mar 26 2019)
Many small and midsize businesses work faster and harder than large enterprises, but they’re just as vulnerable to cybercrime.

CFOs and CIOs must collaborate on digital transformation to remain competitive (Help Net Security, Mar 26 2019)
CFOs are shifting their priorities from cutting costs to rapidly investing in technology and data.

Supreme Court allows data breach lawsuit against Zappos to continue (SC Magazine, Mar 26 2019)
The U.S. Supreme Court has rejected an appeal from shoe retailer Zappos to quash a class action lawsuit brought against the company from those who had their PII exposed in that firm’s 2012 data breach. Zappos was attempting to overturn made a decision by a San Francisco-based appeals court…

GAO Finds Deficiencies in Systems for Handling National Debt (Dark Reading, Mar 27 2019)
IT systems at the Bureau of the Fiscal Service and the Federal Reserve Bank show vulnerabilities that could lead them open to exploitation and breach.

Polish Regulator Issues First GDPR Fine (Infosecurity Magazine, Mar 27 2019)
UODO slaps unnamed firm with £187K fine for failing to notify

UConn Health Center hit with $5M suite over breach (SC Magazine, Mar 27 2019)
The University of Connecticut Health Center is being hit with a class action lawsuit over a data breach that exposed 326,000 current and former patients. The lawsuit, which is seeking $5 million in damages, was filed last week on behalf of New London, Conn., resident Yoselin Martinez who alleges the university took months…

Algorithms can now find bugs in computer chips before they are made (Help Net Security, Mar 28 2019)
What’s more important is that they’ve shown that such security holes exist in a much wider spectrum of processors than previously thought, affecting not just high-end processors but even the simple processors that are omnipresent in numerous applications of daily life, such as in the Internet of Things.

A Review of the Best News of the Week on Cybersecurity Management & Strategy

Vladimir Putin signs sweeping Internet-censorship bills (Ars Technica, Mar 18 2019)
President Vladimir Putin has tightened his grip on the Russian Internet Monday, signing two censorship bills into law. One bans “fake news” while the other makes it illegal to insult public officials.

Improve cybersecurity program reporting with time-based metrics (SC Magazine, Mar 18 2019)
Since we know that security isn’t truly a zero-sum game, instead of focusing on the raw numbers or the volume of work being done, prioritize quickly addressing vulnerabilities as they’re discovered. The speed of attacks and compromises continues to increase as more computing resources become available to attackers, and strong defense-in-depth programs help in slowing down the attack chain and gives defenders more time to respond. How quickly your teams respond to threats is a powerful metric that can provide executives with a more realistic understanding of the progress of the security program’s efforts.

Norsk Hydro cyber attack: What happened? (Help Net Security, Mar 20 2019)
“Hydro subject to cyber-attack,” warned Oslo-headquartered Norsk Hydro ASA, one of the world’s biggest aluminum producers, on Tuesday. According to the company’s CFO Eivind Kallevik, the “root of the problem” is ransomware and the Norwegian National Security Authority confirmed the ransomware in question is LockerGoga.

---

Without data, your security strategy is just a guess.
The Mosaic Security Research Market Intelligence Platform provides the data you need for OWASP’s Cyber Defense Matrix. Learn a new way to conduct a strategy assessment.

---

Gargantuan Gnosticplayers breach swells to 863 million records (Naked Security – Sophos, Mar 19 2019)
Another 26m records stolen from another six online companies brings this hacker’s total number of records to 863m from 38 websites.

Quantum computing will break your encryption in a few years (Network World Security, Mar 20 2019)
It’s verticals like the automotive industry and the infrastructure sector that have to worry, Lucier said. Anything with a long service life and anything that’s expensive to repair and replace is potentially vulnerable. That’s not to say that it’s time to rip-and-replace immediately. Standards bodies are expected to approve quantum-safe encryption algorithms at around the same time experts are predicting that quantum-powered decryption threatens modern security, so a hybrid approach is possible.

An Argument that Cybersecurity Is Basically Okay (Schneier on Security, Mar 20 2019)
There is a rising tide of security breaches. There is an even faster rising tide of hysteria over the ostensible reason for these breaches, namely the deficient state of our information infrastructure. Yet the world is doing remarkably well overall, and has not suffered any of the oft-threatened giant digital catastrophes. This continuing general progress of society suggests that cyber security is not very important.

Only 28% of Gov.uk Domains Support DMARC (Infosecurity Magazine, Mar 19 2019)
Egress warns of security gap as old GSI domains are switched off

Beto O’Rourke was teen hacker in Cult of the Dead Cow (SC Magazine, Mar 18 2019)
Democrat Beto O’Rourke, who just raked in $6.1 million in campaign donations in the first 24 hours after kicking off his presidential bid, as a teenager was a member of the Cult of the Dead Cow, an old (relatively speaking) and well-known hacking group, whose activities compelled Microsoft to boost the security of Windows.

Elsevier exposes users’ emails and passwords online (Naked Security – Sophos, Mar 20 2019)
The science publisher is blaming a misconfigured server that exposed a constant stream of its users’ credentials.

Just One Third of UK’s Small Firms Have Security Strategy (Infosecurity Magazine, Mar 18 2019)
New study aims to raise SMB awareness this week

Zillow sued for $60 million after mansion listing hijacked (Graham Cluley, Mar 15 2019)
Using a fake mobile phone number and a Chinese IP address they were able to waltz past Zillow’s security questions – successfully convincing the site that they were the genuine owner. And what did they do with all that power? They posted a history of recent (bogus) sales for the property for up to $60 million *less* than the genuine owner is asking.

Crowdsourced vs. Traditional Pen Testing (Dark Reading, Mar 19 2019)
A side-by-side comparison of key test features and when best to apply them based on the constraints within your budget and environment.

The modern threat landscape and expanding CISO challenges (Help Net Security, Mar 19 2019)
Prior to starting Signal Sciences, its founders were running security at Etsy, and growing frustrated with existing legacy technology. So they built their own. For this interview with Andrew Peterson, CEO at Signal Sciences, we dig deep into hot topics such as modern CISO challenges and application security visibility.

Dragos acquires NexDefense, provides free asset identification tools (Help Net Security, Mar 18 2019)
As part of this announcement, the company also introduced today Dragos Community Tools, a set of free assessment tools to help organizations of all sizes around the globe forge the path forward towards comprehensive ICS security.

Reports: Israeli officials’ devices hacked; data possessed by Iran (SC Magazine, Mar 18 2019)
Hackers stole information from former Israeli prime minister Ehud Barak’s computer and phone months ago and sold it to Iran, according to multiple news outlets, citing a TV report by Israel’s Channel 12 this past weekend.

Slack Introduces Enterprise Key Management Tool (SecurityWeek, Mar 18 2019)
Slack on Monday announced the introduction of Enterprise Key Management, an Enterprise Grid add-on feature that gives customers complete control over their encryption keys.

Orange County hit and taken offline with ransomware (SC Magazine, Mar 19 2019)
The Orange County, N.C., government was knocked offline by a ransomware attack early Monday morning. County officials discovered files were being encrypted and shut down its entire network in an effort to stop the malware from spreading, effectively shutting down online access to most county services, according to a statement.

Stealing Corporate Funds Still Top Goal of Messaging Attacks (Dark Reading, Mar 19 2019)
Cybercriminals focus on collecting credentials, blackmailing users with fake sextortion scams, and convincing privileged employees to transfer cash. The latter still causes the most damage, and some signs suggest it is moving to mobile.

A network is only as strong as its weakest shard (Help Net Security, Mar 20 2019)
The term sharding, which means horizontal partitioning, is used to describe a method for dividing a database in such a way that data can be accessed and analyzed much faster in horizontal pieces, instead of a single, large database. Existing blockchain solutions that employ sharding work with the notion that having an entire network of machines to reach consensus, where each machine has to do the same amount of work, can be time-consuming and costly. So, they shard the consensus, thus splitting the network into halves, quarters and eighths.

Unsurprisingly, only 14% of companies are compliant with CCPA (Help Net Security, Mar 20 2019)
With less than 10 months before the California Consumer Privacy Act (CCPA) goes into effect, only 14% of companies are compliant with CCPA and 44% have not yet started the implementation process.

A Review of the Best News of the Week on Cybersecurity Management & Strategy

DARPA Is Building a $10 Million, Open Source, Secure Voting System (Motherboard, Mar 14 2019)
The system will be fully open source and designed with newly developed secure hardware to make the system not only impervious to certain kinds of hacking, but also allow voters to verify that their votes were recorded accurately.

Navy, Industry Partners Are ‘Under Cyber Siege’ by Chinese Hackers, Review Asserts (WSJ, Mar 12 2019)
The Navy and its contractors are “under cyber siege” by Chinese hackers who have stolen national security secrets in recent years, an internal review concluded.

Trump’s bold hack back strategy actually sounds pretty tame. (Washington Post, Mar 15 2019)
There’s still a lot of bureaucracy before the U.S. strikes back in cyberspace.

---

Without data, your security strategy is just a guess.
The Mosaic Security Research Market Intelligence Platform provides the data you need for OWASP’s Cyber Defense Matrix. Learn a new way to conduct a strategy assessment.

---

Russia internet freedom: Thousands protest against cyber-security bill (BBC, Mar 10 2019)
Thousands of people in Russia have protested against plans to introduce tighter restrictions on the internet. A mass rally in Moscow and similar demonstrations …

Citrix admits attackers breached its network – what we know (Naked Security – Sophos, Mar 12 2019)
While not confirmed, the FBI has advised that the hackers likely used a tactic known as password spraying, a technique that exploits weak passwords. Once they gained a foothold with limited access, they worked to circumvent additional layers of security.

Marriott CEO reveals more details about the massive data breach (Help Net Security, Mar 12 2019)
The first indication that something might be wrong was on September 8, 2018, when Accenture, which managed the Starwood Guest Reservation Database, notified Marriott’s IT team about an unusual query from an administrator’s account.

After parliament hack, Australia learns from U.S. missteps (Washington Post, Mar 11 2019)
More than two years after the U.S. government bungled its response to a foreign government hack of one of its main political parties, Australia is trying to do better.

How Walmart Uses a Purple Team to Improve Cyber-Resilience (eWEEK, Mar 08 2019)
O’Dell said that Walmart began on its Purple Team journey in 2016, and the effort didn’t start well at all for a number of reasons. The nature of Red and Blue teaming is adversarial, and that created conflict. If the Red Team wins, it means there is a breach, and if the Blue Team wins it means an attack was contained. O’Dell emphasized, however, that what Walmart learned is that while winning is interesting, that’s not what matters in a Purple Team exercise.

#RSAC: How to Get and Maintain Your Risk Appetite (Infosecurity Magazine, Mar 07 2019)
“What is the loss or event scenario you care about: maybe it’s disclosure, outage, non-compliance or financial mis-statement – it could be all of them, and by defining distinctly you could define it and manage risk appetites.”

On Surveillance in the Workplace (Schneier on Security, Mar 12 2019)
“In a blog post about this report, Cory Doctorow mentioned “the adoption curve for oppressive technology, which goes, ‘refugee, immigrant, prisoner, mental patient, children, welfare recipient, blue collar worker, white collar worker.'” I don’t agree with the ordering, but the sentiment is correct. These technologies are generally used first against people with diminished rights: prisoners, children, the mentally ill, and soldiers.”

Ad Network Sizmek Probes Account Breach (Krebs on Security, Mar 13 2019)
“Online advertising firm Sizmek Inc. [NASDAQ: SZMK] says it is investigating a security incident in which a hacker was reselling access to a user account with the ability to modify ads and analytics for a number of big-name advertisers.”

Jackson County, Geogia pays $400,000 ransom to release files (SC Magazine, Mar 11 2019)
Jackson County, Ga., is the latest ransomware victim to fork over a payment to its attackers in order to regain access to its encrypted files. The county government paid out $400,000 over the weekend to the attackers that struck on March 6 effectively taking down the municipal government computer network, including 911.

Why It’s So Hard to Restart Venezuela’s Power Grid (Wired, Mar 12 2019)
Approaching a full week, Venezuela’s national power outage shows just how hard it is to restart a grid from scratch.

Two Doors to SOAR Visual (Gartner Blog Network, Mar 08 2019)
Essentially, you have TWO DOORS TO SOAR.
“Automation / orchestration first” – this path leads most to ruin, but it did lead some enlightened elite organization to raging success with SOAR
“Workflow / case management first” – thus path is unglamorous, but it is the one where we see more success for most mainstream organizations that are seeking to adopt SOAR.

Venezuelan ‘Cyber-Attack’ Possible But Unlikely, Experts Say (SecurityWeek, Mar 13 2019)
Venezuelan President Nicolas Maduro’s government has accused the United States of “cyber sabotage” to knock out the country’s central hydroelectric complex and leave the nation largely without electricity since Thursday afternoon.

A Saudi Cybersecurity Company Tried to Buy Zero Day Exploits from Me (Motherboard, Mar 12 2019)
We recently got a rare look at how a company tried to source these exploits through private one-on-one deals—because the company came to us.

Under GDPR, can a CISO be the DPO? (SC Magazine, Mar 12 2019)
The GDPR also defines the obligation of companies/entities to nominate a Data Protection Officer (DPO) if they plan to conduct personal data treatment activities (collection, storing, processing or sharing) over sensitive personal data (data that if exposed to non-authorized third parties represents a severe risk towards the data subject) or extensive volumes of personal data of many data subjects.

These Cookie Warning Shenanigans Have Got to Stop (Troy Hunt, Mar 13 2019)
“This will be short, ranty and to the point: these warnings are getting ridiculous…”

Huawei trolls the U.S. by opening a cybersecurity center in Europe (VICE, Mar 09 2019)
Huawei trolls the U.S. by opening a cybersecurity center in Europe  VICETrust in cybersecurity is one of the major challenges that we face as a global community.“

Trump’s 2020 Budget Asks for $11bn for Cyber-Defense (Infosecurity Magazine, Mar 11 2019)
Securing critical infrastructure, and growing workforce top priorities in nation’s cyber strategy.

A Review of the Best News of the Week on Cybersecurity Management & Strategy

Huawei Sues US Government Over Ban (Infosecurity Magazine, Mar 07 2019)
Chinese telecoms kit maker brings out the big guns in escalating battle

As Trump and Kim Met, North Korean Hackers Hit Over 100 Targets in U.S. and Ally Nations (The New York Times, Mar 04 2019)
McAfee researchers watched, in real time, as the North Koreans attacked the networks of companies in the United States and around the globe.

Alphabet aims for Splunk in security startup’s coming-out party (MarketWatch, Mar 05 2019)
Alphabet Inc. announced its biggest thrust into the cybersecurity space Monday, as the Google parent company’s internal security startup, Chronicle, detailed a new big-data software offering similar to Splunk Inc.

---

Without data, your security strategy is just a guess.
The Mosaic Security Research Market Intelligence Platform provides the data you need for OWASP’s Cyber Defense Matrix. Learn a new way to conduct a strategy assessment.

---

Cisco Publishes Annual CISO Benchmark Study (SecurityWeek, Mar 04 2019)
Cisco’s 2019 Chief Information Security Officer (CISO) Benchmark Study has one great strength. It queried more than 3,200 senior leaders with a CISO role (if not title) from 18 different countries. This greater than average quantity of respondents gives it a greater than average legitimacy.

Data Breach Cost Marriott $28 Million So Far (SecurityWeek, Mar 04 2019)
The massive data breach disclosed by Marriott last year has cost the company $28 million to date, most of which has been covered by insurance, the hotel giant revealed last week in its earnings report for the last quarter of 2018.

NSA’s top policy advisor: It’s time to start putting teeth in cyber deterrence (Ars Technica, Mar 04 2019)
The midterms were just a warmup, NSA’s Joyce warns, as work begins to defend 2020 election.

Symantec CEO Says He Aims To Drive Down Cost And Complexity Of Cybersecurity (Forbes, Mar 05 2019)
Symantec’s CEO Greg Clark has been in the cyber security field for three decades. He has founded and sold multiple companies. He was the CEO of Blue Coat when Symantec acquired the company. In his current perch as the head of the combined company, he leads, by some measures, the largest cyber security company in the world. I sat down with him to talk about the recent announcement, but also to get his thoughts on the evolving threat landscape, as well as to talk about his extraordinary career path.

Cybersecurity for the Public Interest (Schneier on Security, Mar 05 2019)
The Crypto Wars have been waging off-and-on for a quarter-century. On one side is law enforcement, which wants to be able to break encryption, to access devices and communications of terrorists and criminals. On the other are almost every cryptographer and computer security expert, repeatedly explaining that there’s no way to provide this capability without also weakening the security of every user of those devices and communications systems.

U.S. officials: It’s China hacking that keeps us up at night (Washington Post, Mar 06 2019)
Russia hacking has Washington spooked. But security officials say China is the biggest long term threat.

Axonius’ ‘Unsexy’ Tool Wins RSAC Innovation Sandbox (Dark Reading, Mar 05 2019)
Judges award top honor to new company solving an old, unsolved problem: asset discovery and management.

Coinbase Says Ex-Hacking Team Members Will ‘Transition Out’ After Users Protest (Motherboard, Mar 05 2019)
Coinbase acquired Neutrino in February, sparking a #DeleteCoinbase campaign in protest.

Senate report: Equifax neglected cybersecurity for years (Yahoo Finance, Mar 07 2019)
A new report claims Equifax neglected cybersecurity for years leading up to the massive 2017 data breach.

Huawei calls for common cybersecurity standards amidst concerns (Reuters, Mar 07 2019)
Huawei, in the spotlight over the security risks of its telecom equipment gear, urged governments, the telecoms industry and regulators on Tuesday to work together to create a common set of cybersecurity standards.

How Superforecasting Can Help Improve Cyber-Security Risk Assessment (eWEEK, Mar 06 2019)
Palo Alto Networks Chief Security Officer Rick Howard ran a session on an advanced method known as “Superforecasting” that can help organizations go beyond basic heat maps to better evaluate and define risk.

U.S. to try new approach to punish hacking nations: Working with allies (Washington Post, Mar 07 2019)
State Department cyber chief wants “swift and transparent consequences that will change their calculus.”

United Airlines CISO: To soar, security teams must focus on business, not technology (SC Magazine, Mar 06 2019)
This approach requires security teams to develop an understanding of the most critical functions that drive the company, and the various needs and risks of each business department — something Heath herself seeks to achieve in her role at the airline carrier.

#RSAC: Build Better Bridges Between OT and IT (Infosecurity Magazine, Mar 05 2019)
“OT care about safety and not data loss, and what is going off the production line,” she said. “The OT world wants systems up and running.”

#RSAC: How to Nudge User Behavior (Infosecurity Magazine, Mar 05 2019)
In terms of methods, Williams picked four examples of simplification (making information more straightforward and easy to process) and framing (phrasing of information to activate values/attitudes of the target), changes to physical environment to guide your target to one choice over another (such as an arrow on the ground), changes to a default policy so that the standard choice is the one you want made and use of social norms to leverage peer pressure to cause your target to choose the preferred option.

For enterprises, malware is the most expensive type of attack (Help Net Security, Mar 07 2019)
…the cost to companies due to malware increased 11 percent, to more than US$2.6 million per company, on average, and the cost due to malicious insiders — defined as employees, temporary staff, contractors and business partners — jumped 15 percent, to US$1.6 million per organization, on average.

FBI’s Wray says cyberthreats ‘bigger than government’ (SC Magazine, Mar 06 2019)
“Today’s cyberthreat is bigger than any one government agency — in fact it’s bigger than the government itself,” he said. “The scope, breadth, depth, sophistication and diversity of the threat we face now is unlike anything we’ve had in our lifetimes.”