Monday, April 24, 2017

Cyber Security News of the Week, April 23, 2017

CYBERSECURITY NEWS

FROM OUR FRIENDS AT CITADEL INFORMATION GROUP
Individuals at Risk

Cyber Privacy

Cybersecurity for the People: How to Protect Your Privacy at a Protest: Planning on going to a protest? You might not be aware that just by showing up, you can open yourself up to certain privacy risks — police often spy on protesters, and the smartphones they carry, and no matter how peaceful the demonstration, there’s always a chance that you could get detained or arrested, and your devices could get searched. Watch this video for tips on how to prepare your phone before you go to a protest, how to safely communicate with your friends and document the event, and what to do if you get detained or arrested. TheIntercept, April 21, 2017
Surveillance Self-Defense. Tips & Tools for Safer Online Communications. Electronic Frontier Fdtn: Modern technology has given those in power new abilities to eavesdrop and collect data on innocent people. Surveillance Self-Defense is EFF’s guide to defending yourself and your friends from surveillance by using secure technology and developing careful practices. Electronic Frontier Foundation
Privacy tools, apps, and resources from San Jose Public Library: Check out these privacy tools, apps, and resources to start managing your online activities and identities today. San Jose Public Library

Cyber Update

Patch Windows Now! Shadow Brokers release Windows exploits stolen from Equation Group: Warning: Drop everything and patch all the Windows things now. BankInfoSecurity, April 21, 2017
Google Fixes Unicode Phishing Vulnerability in Chrome 58, Firefox Users Must Implement Workaround: Google fixed a handful of issues when it released the latest version of its browser, Chrome 58, on Wednesday, including a vulnerability that could have made it easier for an attacker to carry out a phishing attack with Unicode domains. ThreatPost, April 20, 2017

Cyber Warning

Linksys works to patch 26 Linksys router models after multiple security holes discovered: Do home router makers devote enough resources to finding security vulnerabilities in their products before they ship? NakedSecurity, April 21, 2017
Several malicious apps discovered on Google Play: An often repeated piece of advice given to users of mobile devices says that they should stick to well-reputed, official app stores if they want to avoid malware. HelpNetSecurity, April 21, 2017

Information Security Management in the Organization

Information Security Management and Governance

Information security key to digital era sharing-based business models: Security will become increasingly important as industries seek to collaborate and use each other’s capabilities to enable new business models, with the banking sector leading the way. ComputerWeekly, April 21, 2017
C-Suite Leadership and Cultural Practices for Meeting Cybersecurity Challenges: Of course cybersecurity is critical today – yet many organizations view it as a huge expenditure that slows the flow of business and frustrates employees, users and customers alike. C-level executives need to be aware of how their organizations’ security measures affect the flow of business. At its best, cybersecurity infrastructure runs quietly in the background, unnoticed. TechZone 360, April 21, 2017
Cybersecurity skills shortage threatens the mid-market: Organizations with 100 to 999 employees remain understaffed and under-skilled in cybersecurity—and an easy mark for hackers. NetworkWorld, April 21, 2017
How to Hire Your Next CISO: One of the most critical hires of any IT-related job is usually the chief information security officer (CISO) or chief information officer (CIO). But the decision to hire these executives is one CEOs and boards of directors typically do not want to make. This decision is often made during a crisis of some kind. It could result from a knee-jerk reaction to a major security breach or a new CEO’s desire to clean house and set a new strategic path. SecurityIntelligence, April 20, 2017

Cyber Awareness

Another study shows users continue to lack understanding of when / how to share confidential data: Today’s workforce is caught between two imperatives: be productive and efficient on the job and maintain the security of company data. HelpNetSecurity, April 21, 2017

Cyber Warning

Top-ranked programming Web tutorials introduce vulnerabilities into software: Researchers from several German universities have checked the PHP codebases of over 64,000 projects on GitHub, and found 117 vulnerabilities that they believe have been introduced through the use of code from popular but insufficiently reviewed tutorials. HelpNetSecurity, April 21, 2017
Exploits Targeting Corporate Users Surged Nearly 30% In 2016: At the same time, the number of attacks targeting software vulnerabilities in systems used by consumers declined over 20%, Kaspersky Lab says in a new report. DarkReading, April 21, 2017
PwC: IT Service Providers and MSPs Targeted by Advanced Chinese Hackers. Customers at Risk: Since late 2016, PwC UK and BAE Systems have been assisting victims of a new cyber espionage campaign conducted by a China-based threat actor. We assess this threat actor to almost certainly be the same as the threat actor widely known within the security community as ‘APT10’. The campaign, which we refer to as Operation Cloud Hopper, has targeted managed IT service providers (MSPs), allowing APT10 unprecedented potential access to the intellectual property and sensitive data of those MSPs and their clients globally. A number of Japanese organisations have also been directly targeted in a separate, simultaneous campaign by the same actor. PWC, April 2017

Cyber Defense

Museum thefts provide valuable lessons for information security teams: Earlier this week, Ira Winkler wrote What security practitioners can learn from the United’s failures. He astutely noted that organizations should learn from failure, and ideally the failure of others. I’ll take his lead and provide another learning opportunity for information security professionals. CSO, April 21, 2017
The 5 Best Defenses Against Ransomware Are Aggressive Offenses: Ransomware is big money. In fact, according to the Federal Bureau of Investigation, ransomware attackers collected more than $209 million from victims in the first three months of 2016 alone. This is up dramatically [Note: Opens PDF] from $24 million for all of 2015. And if there is one thing history can teach us, it’s that big money drives innovation. So, it’s logical to predict that as ransomware evolves, so too will its sophistication. ITSP Magazine, April 21, 2017
Beyond Tabletop Exercises: Running a Data Breach Drill: You spent valuable time and resources crafting a cybersecurity breach action plan. You’ve assembled a multidisciplinary response team. You’ve identified who is responsible for what, and what decision-tree will go into effect. The plan has been circulated. You’ve even engaged a separate law firm that will be on call in the event of a breach. You’ve done the same with a PR firm, a private investigator and data breach hit squad. Robert Braun, SecureTheVillage Leadership Council, Cybersecurity Lawyer Forum, Jeffer Mangels Butler & Mitchell, April 20, 2017

Cyber Insurance

Cyber Threats Have Evolved. How About Your Insurance?: In 2017 organizations communicate at the speed of light in an effort to reduce friction points with clients while providing a user experience in step with the evolution of technology. The use of computers has made conducting business fast, efficient, and often more cost effective, but it has also opened organizations up to new threats at an unprecedented level. There is no shortage of cyber horror stories experienced by organizations of all sizes highlighting the harm a data breach can inflict upon the two things that matter most: profitability and reputation. From a ransomware attack against a public utility in Michigan to countless W-2 business email compromise scams targeting a variety of industries, no organization can escape the borderless span of the internet. Security professionals are aware that the threat landscape has evolved, but the $7M question remains: has the approach to cyber liability insurance? ITSP Magazine, April 20, 2017

Cyber Career

When You Give, You Get. The Power of Mentoring, Elena Elkin, WISP Peer-to-Peer Mentoring Program: Did you know that the word “mentoring” originates from the ancient Greek language? Mentor was the name of a character in Homer’s Odyssey. When Odysseus, King of Ithaca, fights in the Trojan War, he entrusts his son Telemachus to an old man and a loyal advisor called Mentor. After the war, a grown Telemachus goes to search for his father. Athena, Goddess of War and patroness of the arts, assumes the form of Mentor and accompanies Telemachus on his difficult quest until he and his father are reunited. ITSP Magazine, April 20, 2017
Information security professionalism requires both credentialing and codes of professional practice: Cyber and information security literature – including accompanying readers’ comments – continuously debates the merits of professional certification for cyber and information security professionals. CSO, April 19, 2017

Application Security

Best Practices for Securing Open Source Code: Attackers see open source components as an obvious target because there’s so much information on how to exploit them. These best practices will help keep you safer. DarkReading, April 21, 2017
Secure Application Development: The Hidden Dangers of Component Vulnerabilities: Dangerous flaws in open source components and dependencies lurk within most applications today. DarkReading, April 21, 2017

Cyber Security in Society

Cyber Crime

InterContinental Hotel Chain Breach Expands: In December 2016, KrebsOnSecurity broke the news that fraud experts at various banks were seeing a pattern suggesting a widespread credit card breach across some 5,000 hotels worldwide owned by InterContinental Hotels Group (IHG). In February, IHG acknowledged a breach but said it appeared to involve only a dozen properties. Now, IHG has released data showing that cash registers at more than 1,000 of its properties were compromised with malicious software designed to siphon customer debit and credit card data. KrebsOnSecurity, April 18, 2017

Cyber Privacy

Infrastructure Vulnerabilities Make Surveillance Easy: Weakness in digital communications systems allows security to be bypassed, leaving users at risk of being spied on. Schneier on Security, April 11, 2017

Know Your Enemy

UK study identifies factors that motivate youngsters to get into cybercrime: A UK National Crime Agency report, which is based on debriefs with offenders and those on the fringes of criminality, explores why young people assessed as unlikely to commit more traditional crimes get involved in cyber crime. HelpNetSecurity, April 21, 2017
Tracing Spam: Diet Pills from Beltway Bandits: Reading junk spam messages isn’t exactly my idea of a good time, but sometimes fun can be had when you take a moment to check who really sent the email. Here’s the simple story of how a recent spam email advertising celebrity “diet pills” was traced back to a Washington, D.C.-area defense contractor that builds tactical communications systems for the U.S. military and intelligence communities. KrebsOnSecurity, April 19, 2017

National Cyber Security

FireEye researchers allege China trying to hack South Korea missile defense efforts: Chinese government officials have been very vocal in their opposition to the deployment of the Terminal High-Altitude Air Defense (THAAD) system in South Korea, raising concerns that the anti-ballistic missile system’s sensitive radar sensors could be used for espionage. And according to researchers at the information security firm FireEye, Chinese hackers have transformed objection to action by targeting South Korean military, government, and defense industry networks with an increasing number of cyberattacks. Those attacks included a denial of service attack against the website of South Korea’s Ministry of Foreign Affairs, which the South Korean government says originated from China. ars technica, April 21, 2017

HIPAA

Cybercrime in the medical device sector: We don’t like it when things go wrong. We expect security as standard. From our bank accounts to online shopping, we put faith in our passwords, and hope they make the services we use as difficult to hack as possible. Medical Plastics News, April 21, 2017

Cyber Ethics

Cybersecurity Startup Uses Actual Hospital Data in Demos. Called “Unbelievably grossly negligent.”: Billion-dollar cybersecurity startup Tanium has acknowledged failing to thoroughly anonymize network information for a California hospital that appeared in live product demonstrations and online videos. BankInfoSecurity, April 20, 2017

Cyber Miscellany

Six Movies/Shows When Hollywood Got Cybersecurity Right: Hollywood has struggled to portray cybersecurity in a realistic and engaging way. Here are films and TV shows where it succeeded. Dark Reading, April 20, 2017

Jeff Snyder, SecurityRecruiter.com, Jeff Snyder Coaching, Security Recruiter Blog, 719.686.8810