Mosaic Security Research

Cyber Security News & Research


CISO View – The Week’s Best News – 2018.12.14

December 14, 2018 by Lucas Samaras

A Review of the Best News of the Week on Cybersecurity Management & Strategy

Scanning for Flaws, Scoring for Security (Krebs on Security, Dec 12 2018)
“Is it fair to judge an organization’s information security posture simply by looking at its Internet-facing assets for weaknesses commonly sought after and exploited by attackers, such as outdated software or accidentally exposed data and devices? Fair or not, a number of nascent efforts are using just such an approach to derive security scores for companies and entire industries. What’s remarkable is how many organizations don’t make an effort to view their public online assets as the rest of the world sees them — until it’s too late.”

Unencrypted medical data leads to 12-state litigation (Naked Security – Sophos, Dec 07 2018)
The attorneys general of 12 states are suing an e-record provider that lost 3.9 million personal healthcare records in 2015.

7 Lessons from Marriott Starwood breach and what Mueller teaches us (Gartner Blog Network, Dec 10 2018)
Here are the lessons that stand out to me from the Marriott/Starwood breach


Without data, your security strategy is just a guess.
The Mosaic Security Research Market Intelligence Platform provides the data you need for OWASP’s Cyber Defense Matrix. Learn a new way to conduct a strategy assessment.


UK Spy Agency Joins NSA in Sharing Zero-Day Disclosure Process (SecurityWeek, Dec 06 2018)
GCHQ Joins the NSA in Publishing its Vulnerabilities Equities Process

Google CEO Faces House Grilling on Breach, China Censorship (SecurityWeek, Dec 11 2018)
Google’s CEO faces a grilling from U.S. lawmakers on how the web search giant handled an alarming data breach and whether it may bend to Chinese government censorship demands.

House Report Says Equifax Breach Was Preventable (, Dec 11 2018)
The Committee on Oversight and Government Reform says Equifax did not do enough to prevent massive data breach.

House Releases Cybersecurity Strategies Report (SecurityWeek, Dec 11 2018)
The U.S. House of Representatives’ Committee on Energy and Commerce has released a report identifying strategies for the prevention and mitigation of cybersecurity incidents.

How Internet Savvy are Your Leaders? (Krebs on Security, Dec 10 2018)
“Back in April 2015, I tweeted about receiving a letter via snail mail suggesting the search engine rankings for a domain registered in my name would suffer if I didn’t pay a bill for some kind of dubious-looking service I’d never heard of. But it wasn’t until the past week that it became clear how many organizations — including towns, cities and political campaigns — actually have fallen for this brazen scam.”

Bomb Threat Hoaxer, DDos Boss Gets 3 Years (Krebs on Security, Dec 07 2018)
“The alleged ringleader of a gang of cyber hooligans that made bomb threats against hundreds of schools and launched debilitating denial-of-service attacks against Web sites (including KrebsOnSecurity on multiple occasions) has been sentenced to three years in a U.K. prison, and faces the possibility of additional charges from U.S.-based law enforcement officials.”

Getting ROI From a Security Advisory Board That Works: Part 2 (SecurityWeek, Dec 10 2018)
In the first part of this series, I talked about why a Security Advisory Board (SAB) is worth the time and effort. Now, it is time to dive into the details of how to actually make one work.

How Well Is Your Organization Investing Its Cybersecurity Dollars? (Dark Reading, Dec 11 2018)
The principles, methods, and tools for performing good risk measurement already exist and are being used successfully by organizations today. They take some effort — and are totally worth it.

CISO challenges and the path to cutting edge security (Help Net Security, Dec 11 2018)
Zane Lackey is the co-founder and CSO at Signal Sciences, and the author of Building a Modern Security Program (O’Reilly Media). In this interview with Help Net Security he discusses CISO challenges, cloud security strategies, next-gen security, and much more.

High profile incidents and new technologies drive cybersecurity M&A to record highs (Help Net Security, Dec 11 2018)
The Cybersecurity M&A Market Report from international technology mergers and acquisitions advisors, Hampleton Partners, outlines how high profile hacks, the global digitisation of business and new regulations are driving record transaction volumes and valuations, with 141 completed transactions by October this year, surpassing 2016 and 2017 levels.

Quarter of NHS Trusts Have No Security Pros (, Dec 11 2018)
RedScan FOI results reveal worrying skills shortages

Italian Oil Services Company Saipem Hit by Cyberattack (SecurityWeek, Dec 11 2018)
Italian oil and gas services company Saipem reported on Monday that some of its servers were hit by a cyberattack.

Russian Critical Infrastructure Targeted by Profit-Driven Cybercriminals (SecurityWeek, Dec 11 2018)
Several critical infrastructure organizations in Russia have been targeted by hackers believed to be financially-motivated cybercriminals rather than state-sponsored cyberspies.

Tor Project Releases Financial Documents (SecurityWeek, Dec 10 2018)
The Tor Project, the organization behind the Tor anonymity network, has published financial documents for the past two years, and while they show that its revenue has increased significantly, it’s still small compared to the budgets of potential adversaries.

Trump Claims Progress with China as Negotiators Talk Trade (The New York Times, Dec 12 2018)
A telephone call between top negotiators comes despite concern over the arrest of an executive from the Chinese company Huawei.

Bug Hunting Is Cybersecurity’s Skill of the Future (, Dec 12 2018)
80% of security researchers say that hunting skills helped land them a job.

If China Hacked Marriott, 2014 Marked a Full-on Assault (Security Latest, Dec 12 2018)
It increasingly appears that China was behind the Marriott hack, making 2014 a landmark year in cyberattacks against the US.

Filed Under: CISO View

CISO View – The Week’s Best News – 2018.12.07

December 7, 2018 by Lucas Samaras

A Review of the Best News of the Week on Cybersecurity Management & Strategy

Gartner Identifies Top 10 Trends for Infrastructure, Operations in 2019 (eWEEK, Dec 04 2018)
Gartner analysts on Dec. 4 presented these findings during the Gartner IT Infrastructure, Operations and Cloud Strategies Conference

What the Marriott Breach Says About Security (Krebs on Security, Dec 01 2018)
“We don’t yet know the root cause(s) that forced Marriott this week to disclose a four-year-long breach involving the personal and financial information of 500 million guests of its Starwood hotel properties. But anytime we see such a colossal intrusion go undetected for so long, the ultimate cause is usually a failure to adopt the most important principle in cybersecurity defense that applies to both corporations and consumers: Assume you are compromised.”

Magecart Delivers Malware to 1-800-FLOWERS (Infosecurity Magazine, Dec 05 2018)
1-800-Flowers’ Canadian website is the latest victim in card-skimming malware attacks.




First Lawsuits Filed in Starwood Hotels’ Breach (Dark Reading, Dec 03 2018)
Class-action suits have been filed on behalf of guests and shareholders, with more expected.

Why Leading Software Vendors Are Dumping GRC for IRM (Gartner Blog Network, Nov 29 2018)
One of the most common questions I receive from software vendors has to be “what’s the difference between governance, risk and compliance (GRC) and integrated risk management (IRM) solutions?”

Australia Set to Pass Sweeping Cyber Laws Despite Tech Giant Fears (SecurityWeek, Dec 04 2018)
Australia’s two main parties struck a deal Tuesday to pass sweeping cyber laws requiring tech giants to help government agencies get around encrypted communications used by suspected criminals and terrorists.

Bad Consumer Security Advice (Schneier on Security, Dec 04 2018)
There are lots of articles out there telling people how to better secure their computers and online accounts. While I agree with some of it, this article contains some particularly bad advice: 1. Never, ever, ever use public (unsecured) Wi-Fi such as the Wi-Fi in a café, hotel or airport.

Starwood Breach Reaction Focuses on 4-Year Dwell (Dark Reading, Dec 05 2018)
The unusually long dwell time in the Starwood breach has implications for both parent company Marriott International and the companies watching to learn from.

Evidence in Starwood/Marriott Breach May Point to China (Dark Reading, Dec 06 2018)
Attackers used methods, tools previously used by known Chinese hackers.

Kaspersky Lab’s US Ban Appeal Thrown Out (Infosecurity Magazine, Dec 03 2018)
US court says products will remain off-limits to federal government

Lenovo Pays $7.3 Million to Settle Superfish Adware Lawsuit (SecurityWeek, Dec 03 2018)
Lenovo has agreed to pay $7.3 million to settle a consumer class action lawsuit related to the Superfish adware scandal from 2015.

Knowing Value of Data Assets is Crucial to Cybersecurity Risk Management (SecurityWeek, Dec 03 2018)
Understanding the value of corporate assets is fundamental to cybersecurity risk management. Only when the true value is known can the correct level of security be applied.

Nonprofits on Facebook Get Hacked—Then They Really Need Help (Wired, Dec 04 2018)
Facebook is an enormous platform for charitable giving, but some nonprofit leaders say there aren’t enough resources when something goes wrong.

Insights from the MITRE ATT&CK-based evaluation of Windows Defender ATP (Microsoft Secure, Dec 03 2018)
MITRE tested the ability of products to detect techniques commonly used by the targeted attack group APT3 (also known as Boron or UPS). To isolate detection capabilities, as part of the testing, all protection and prevention features were turned off. In the case of Windows Defender ATP, this meant turning off blocking capabilities like hardware-based isolation, attack surface reduction, network protection, exploit protection, controlled folder access, and next-gen antivirus.

Situational awareness: Real-time decision making to improve business operations (Help Net Security, Dec 05 2018)
Although the term situational awareness usually pertains to the military and first responder space, it also plays a crucial role in the efficiency of public and private organizations such as large-scale businesses, government agencies, transportation and logistics, and many other industries.

Are Lawyers the Best Judge of Cybersecurity? (Infosecurity Magazine, Dec 05 2018)
It’s not just lawmakers who sometimes seem ill equipped when it comes to cybersecurity; lawyers can be far from perfect in this regard too.

Ukraine: We Blocked Major Russian Attack on Judiciary (Infosecurity Magazine, Dec 05 2018)
SBU claims phishing email was loaded with malware

House GOP Campaign Arm Targeted by ‘Unknown Entity’ in 2018 (SecurityWeek, Dec 05 2018)
Thousands of emails were stolen from aides to the National Republican Congressional Committee during the 2018 midterm campaign, a major breach exposing vulnerabilities that have kept cybersecurity experts on edge since the 2016 presidential race.

Security Risks of Chatbots (Schneier on Security, Dec 05 2018)
Good essay on the security risks — to democratic discourse — of chatbots….

55% of Companies Don’t Offer Mandatory Security Awareness Training (Dark Reading, Dec 06 2018)
Even those that provide employee training do so sparingly, a new study finds.


CISO View – The Week’s Best News – 2018.11.30

November 30, 2018 by Lucas Samaras

A Review of the Best News of the Week on Cybersecurity Management & Strategy

Marriott: Data on 500 Million Guests Stolen in 4-Year Breach (Krebs on Security, Nov 30 2018)
“For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date and communication preferences,” Marriott said in a statement released early Friday morning.

First Round of MITRE ATT&CK Evaluations Released – MITRE ATT&CK (Medium, Nov 30 2018)
“We have just published the first seven MITRE ATT&CK™ evaluations on our new website. We have created an open and transparent methodology…”

Propaganda and the Weakening of Trust in Government (Schneier on Security, Nov 27 2018)
“we need to start thinking more systematically about the relationship between democracy and information. Our paper provides one way to do this, highlighting the vulnerabilities of democracy against certain kinds of information attack. More generally, we need to build levees against flooding while shoring up public confidence in voting and other public information systems that are necessary to democracy.”




The Origin of the Term Indicators of Compromise (IOCs) (TaoSecurity, Nov 25 2018)
tl;dr Mandiant invented the term indicators of compromise, or IOCs, in 2010, building off the term “indicator,” introduced widely in a detection context by Kevin Mandia, no later than his 2003 incident response book.

Iranians Accused in Cyberattacks, Including One That Hobbled Atlanta (The New York Times, Nov 29 2018)
The suspects chose targets with the means to pay ransom and a need to put their systems back online quickly, law enforcement officials said.

Uber Fined Nearly $1.2 Million by Dutch, UK Over Data Breach (SecurityWeek, Nov 27 2018)
The ride-hailing service Uber has been fined the equivalent of nearly $1.2 million by British and Dutch authorities for failing to protect customers’ data during a cyberattack in 2016.

The “Typical” Security Engineer: Hiring Myths & Stereotypes (Dark Reading, Nov 28 2018)
In an environment where talent is scarce, it’s critical that hiring managers remove artificial barriers to those whose mental operating systems are different.

Dell Admits Potential Breach in Early November (, Nov 29 2018)
Attackers may have obtained names, emails and hashed passwords

Deputy AG Rod Rosenstein Is Still Calling for an Encryption Backdoor (Security Latest, Nov 29 2018)
The government has not proposed its own workable solution since the 90s, when its “Clipper chip” backdoor was roundly discredited. Rosenstein did, though, repeat past assertions that unyielding encryption blocks crucial investigative avenues, and potentially endangers public safety.

Transforming into a CISO Security Leader (Dark Reading, Nov 26 2018)
Are you thinking of changing your career route from techie to CISO? Are you making the right choice? Only you know for sure.

North Korean Hackers Hit Latin American Banks (SecurityWeek, Nov 23 2018)
The North Korean hacking group known as Lazarus recently targeted financial institutions in Latin America, Trend Micro security researchers have discovered.

Edinburgh Napier University Student Named as 2018 Cyber Security Challenge Champion (, Nov 27 2018)
The Cyber Security Challenge has named 19-year-old Edinburgh Napier University student Charlie Hosier as its 2018 champion

Facebook Knew About Russian Activity in 2014: British MP (SecurityWeek, Nov 27 2018)
A British MP on Tuesday claimed Facebook knew about potentially malicious Russian activity in 2014, long before such activity became public, during a parliamentary hearing where international lawmakers grilled the company.

German chat site faces fine under GDPR after data breach (WeLiveSecurity, Nov 27 2018)
The country’s first fine under GDPR is lower than might have been expected, however, as the company was acknowledged for its post-incident cooperation and enhanced security measures.

New Hacker Group Behind ‘DNSpionage’ Attacks in Middle East (Dark Reading, Nov 27 2018)
Motives are not fully clear, though data exfiltration is one possibility, Cisco Talos says.

Data Breach Hits 2.6 Million Atrium Health Patients (SecurityWeek, Nov 28 2018)
Hospital network Atrium Health informed patients on Tuesday that their personal information was compromised following a breach at technology solutions provider AccuDoc.

Google Staff Urge Firm to Drop China Search Plans (, Nov 28 2018)
Employees don’t want to be a part of Dragonfly

C-Suite: GDPR Could Lead to Greater Risk of Breaches (, Nov 28 2018)
German and UK executives vent concern as six-month milestone passes

New Zealand Bars Huawei From Its 5G Network Over Security Fears (WSJ, Nov 29 2018)
Chinese telecom giant Huawei has been blocked from supplying a 5G mobile network in New Zealand, a fresh setback as a U.S. campaign to shun its equipment intensifies.

Dunkin’ Donuts Serves Up Data Breach Alert (Dark Reading, Nov 29 2018)
Forces potentially affected DD Perks customers to reset their passwords after learning of unauthorized access to their personal data.


CISO View – The Week’s Best News – 2018.11.23

November 23, 2018 by Lucas Samaras

A Review of the Best News of the Week on Cybersecurity Management & Strategy

66.1% of vulnerabilities published through Q3 2018 have a documented solution (Help Net Security, Nov 20 2018)
There have been 16,172 vulnerabilities disclosed through October 29th, which is a 7% decrease from the high record reported last year at this time. The 16,172 vulnerabilities cataloged through Q3 2018 by Risk Based Security’s research team eclipsed the total covered by the CVE and National Vulnerability Database (NVD) by over 4,800. It’s also worth noting that NVD is still significantly behind in vulnerability scoring and creating the automation component.

Mixed buyers harvest security targets (Inorganic Growth, Nov 16 2018)
With BlackBerry’s $1.4bn pickup of Cylance, there have now been 15 acquisitions of infosec vendors valued above $250m this year…

JPMorgan Invests in Startup Tech That Analyzes Encrypted Data (WSJ, Nov 21 2018)
The bank has invested in Inpher, a startup whose technology can analyze an encrypted dataset without revealing its contents. Samik Chandarana, head of data analytics for the Corporate and Investment Bank division, says the technology could be “materially useful” for the company and its clients.




Cybersecurity Is Getting Its Own Agency (Infosecurity Magazine, Nov 16 2018)
The renamed agency will oversee cybersecurity under a reorganization bill that went to the White House for the president’s signature.

Is Encryption an NTA / NIDS / NFT Apocalypse? (Gartner Blog Network, Nov 16 2018)
Here is a funny one: does pervasive traffic encryption KILL Network Traffic Analysis (NTA) dead?

CVSS Scores Often Misleading for ICS Vulnerabilities: Experts (SecurityWeek, Nov 19 2018)
While the Common Vulnerability Scoring System (CVSS) can be useful for rating vulnerabilities, the scores assigned to flaws affecting industrial control systems (ICS) may be misleading, which can have negative consequences for organizations, particularly if they rely solely on CVSS for prioritizing patches.

Amazon Exposes Customer Names, Email Addresses (SecurityWeek, Nov 21 2018)
Amazon informed some customers this week that their name and email address were exposed due to a “technical error,” but the company provided very few other details.

Scientists revolutionize cybersecurity through quantum research (Science X, Nov 21 2018)
Scientists at the RDECOM Research Laboratory, the Army’s corporate research laboratory (ARL) have found a novel way to safeguard quantum information during transmission, opening the door for more secure and reliable communication for warfighters on the battlefield.

95% of Organizations Have Cultural Issues Around Cybersecurity (Dark Reading, Nov 16 2018)
Very few organizations have yet baked cybersecurity into their corporate DNA, research finds.

Did a copy-paste error reveal the US’s secret case against Assange? (Naked Security – Sophos, Nov 19 2018)
How common is the name “Assange” in the US judicial system? Not common at all. Searching the Pacer case locator turns up five cases, all against one Assange: namely, Julian.

Under attack! Should your company ever ‘hack back’? (Graham Cluley, Nov 16 2018)
In short, it’s all too easy for things to escalate and get much much worse, with hackers striking back even harder.

Leaderboard Shows Adoption of DMARC Email Security Protocol (Dark Reading, Nov 20 2018)
A new tool from the Global Cyber Alliance shows where companies and organizations are adopting Domain-based Message Authentication, Reporting & Conformance.

TalkTalk Duo Get Jail Time (Infosecurity Magazine, Nov 20 2018)
Young men tried to make money by selling stolen data online

Austin Startup Raises $1.25M for Cybersecurity Escape Rooms (Austin Inno, Nov 21 2018)
The startup’s escape rooms present teams of employees with an exciting storyline. Then, the team has to work together to solve puzzles and escape the room within a set period of time.

US Says China Hacking Increasing Ahead of Trump-Xi Meeting (SecurityWeek, Nov 21 2018)
A U.S. government report ahead of a meeting between Presidents Donald Trump and Xi Jinping accuses China of stepping up hacking aimed at stealing American technology as a tariff dispute escalated.


CISO View – The Week’s Best News – 2018.11.16

November 16, 2018 by Lucas Samaras

A Review of the Best News of the Week on Cybersecurity Management & Strategy

The US Didn’t Sign the Paris Call for Trust and Security in Cyberspace (Wired, Nov 12 2018)
Corporations have taken the lead over nations on governing the internet: The initiative might not have counted the US as a signatory, but did include Microsoft, Facebook, Google, and others.

Something You Probably Should Include When Building Your Next Threat Models (DisruptOps, Nov 13 2018)
“One thing that quickly stood out is that nearly none of the threat modeling documentation or tools I’ve seen covers the CI/CD pipeline. This. Is. A. Problem. Include your pipeline in your threat models.”

What Ever Happened to GRC? (Gartner Blog Network, Nov 12 2018)
In our ongoing coverage of Integrated Risk Management (IRM) technology and service providers, the relevance and frequency of client inquiry related to Governance, Risk & Compliance (GRC) continues to decline.




Narrow gap between CEO, CIO and CISO roles means companies are struggling to secure digital assets (Help Net Security, Nov 13 2018)
At a global level, 22 per cent of respondents believe the CIO is ‘ultimately responsible’ for managing security, compared to one in five (20 per cent) for the CEO and 19 per cent for the CISO. In the UK, fewer respondents point to the CIO (19 per cent) and CISO (18 per cent) while the CEO gets the biggest vote at 21 per cent.

DARPA’s Hail Mary Plan to Restart a Hacked US Electric Grid (Wired, Nov 14 2018)
On tiny Plum Island, DARPA stages a real-life blackout to put its grid recovery tools to the test.

Getting to Know Magecart: An Inside Look at 7 Groups (Dark Reading, Nov 13 2018)
A new report spills the details on Magecart, the criminal groups driving it, and ongoing attacks targeting low- and high-profile victims.

Law firms are increasingly investing in cybersecurity programs (Help Net Security, Nov 15 2018)
Less than half of law firms are implementing some of the top-weighted cybersecurity protocols – these being multi factor authentication (47%), 3rd party risk assessment (37%), having the proper security executive (34%), and SOC monitoring (24%).

SAM nabs $12M for cybersecurity aimed at home routers and devices connected to them (TechCrunch, Nov 14 2018)
A wave of security startups have built solutions for enterprises that are meeting the challenges of “consumerization”, where IT organizations are tasked with securing a range of devices and apps — some brought in by employees, not issued by IT — that are on the organization’s networks.

More Than 50% of Free Mobile VPN Apps Have Chinese Ties (Dark Reading, Nov 15 2018)

Nordstrom Quick to Tell Employees of a Data Breach (Infosecurity Magazine, Nov 13 2018)
After a data breach was detected at Nordstrom, co-president Blake Nordstrom contacted employees.

Oracle and “Responsible Disclosure” (Schneier on Security, Nov 14 2018)
This story is about a researcher who published an Oracle zero-day because Oracle has a history of harassing researchers and ignoring vulnerabilities.

‘CARTA’: A New Tool in the Breach Prevention Toolbox (Dark Reading, Nov 12 2018)
Gartner’s continuous adaptive risk and trust assessment for averting a data breach addresses the shortcomings of static security programs.

Implications of the EU NIS Directive for the industrial sector (Help Net Security, Nov 12 2018)
The law lists 14 cybersecurity principles that form the objectives of NIS, but each member country must develop its own regulations to achieve them. Here are some of NIS’ best practices and guidelines complying with the legislation.

Phishing Training is a Tool, Not a Solution (SecurityWeek, Nov 12 2018)
If You Find Yourself Frequently Blaming Users for Successful Attacks, You Know Your Security is Not Working

Empathy: The Next Killer App for Cybersecurity? (Dark Reading, Nov 13 2018)
The toughest security problems involve people not technology. Here’s how to motivate your frontline employees all the way from the service desk to the corner office.

Japan Cyber Minister Says He Has Never Used a Computer (Dark Reading, Nov 15 2018)
Yoshitaka Sakurada, who recently took on the role after a cabinet shuffling, says it’s up to the government to deal with it.

OPM Still Failing on Security After 2015 Breach (Infosecurity Magazine, Nov 15 2018)
GAO report claims over a third of recommendations have not been enacted

US Panel Warns Against Government Purchase of Chinese Tech (SecurityWeek, Nov 14 2018)
A congressional advisory panel says the purchase of internet-linked devices manufactured in China leaves the United States vulnerable to security breaches that could put critical infrastructure at risk.

HITRUST Common Security Framework – Improving Cyber Resilience? (SecurityWeek, Nov 14 2018)
Healthcare organizations must recognize that HIPAA and HITRUST CSF compliance does not guarantee their systems are adequately protected from threats. These guidelines represent a minimum barrier to entry for attackers.

Congress Passes Bill to Create New Federal Cybersecurity Agency (Dark Reading, Nov 15 2018)
Cybersecurity and Infrastructure Security Agency Act now headed to President Trump for signing into law.



About Us


We're a Cybersecurity research and advisory firm with a focus on providing data for strategic assessments.
- Lucas Samaras, CEO


© 2019 Mosaic Security Research, Inc. · Bethesda, MD, USA
