
pbd-se message



Subject: Re: FYI - Cyber news tidbits 4 U


FYI Cyber team mates: 

 

I put out a periodic cyber security news gram / digest / tidbits- enclosed is the latest.

It is a compilation of many sources, no ads, all links verified...cyber news snippets / excerpts

Let me know if you want on the list (every week or two) .. this is a one-time broadcast.


topic list:

1 - Security news you can likely use (re: management / opportunity items)     

2 - Items of general FYI / FYSA level interest    

3 - Threats / bad news stuff / etc..  and…

4 - SD/SoCAL events / opportunities 

 ( some great topics / meetings here in SD scroll to bottom and get engaged) 

 

Ciao

Mike

http://www.linkedin.com/in/mikedavissd

(admin note  - all links should work, I checked them all myself..  you may need to cut and paste link into browser…

 "IF " you no longer need the cyber news, just tell me)

 

 

++++  Some  highlights of the week +++

 

+ Appeals Court to Hear Oral Arguments in Idaho Woman's Case Against NSA Spying

EFF, ACLU Support Smith in Fighting Mass Surveillance Before Ninth Circuit

https://www.eff.org/press/releases/appeals-court-hear-oral-arguments-idaho-womans-case-against-nsa-spying

 

 

+ Cyber security is one of six new industries of the future,

Cyber security will excel at as long as it makes the necessary investment in its education and engineering base, the Institution of Engineering and Technology (IET) has argued in a new report. In addition to cyber security, Ones to Watch lists space, new power networks, 3D printing ('additive manufacturing'), food security, and robotics as making up the half dozen industries in which the UK is already considered a world leader. The inclusion of cyber security among these might surprise some. Security is still seen in some quarters as a short-term function, secondary to others and essentially a drain on the bottom line. The idea that it might be a competitive advantage in a world built on increasingly complex automated systems is only now starting to become apparent.

http://www.cso.com.au/article/560853/cyber-security-one-six-new-industries-future-says-iet-report/

 

 

+ How to defend against a Sony hack

So... the usual pitch.. okay..    Better tools... "multipart" authentication (yes...better access control! ) ..analytics. .. better Malware detection (a data deleting one here). . Insider threat detection. Etc..   Yes... all good...yet..

No mention of THE NO. ONE issue...10 times worse than the next worst thing

*** poor cyber hygiene... causes 85+% of all security incidents... (just ask NMCI about that...:-((

And also use SCM / SIEM (monitor for bad behavior) and a little DLP too.. (how do you exfiltrate all those movies/data and not get noticed?)

It is of course not about any one thing.. rather a risk prioritized, balanced and integrated, security posture.

Continuing to sell one capability while dismissing others does a disservice to all

http://m.utsandiego.com/news/2014/dec/03/Sony-cyber-hack-security-movies/2/

 

 

+ Defense Industrial Base ISAC to Launch in February 2015

The Defense Industrial Base Information Sharing and Analysis Center

(DIB-ISAC) is scheduled to open in February 2015. The center will allow member organizations to share information about threats and mitigations. The DIB-ISAC will be based in Huntsville, Alabama and will support chapters all over the US. Membership fees are based on the size of the company.

http://www.al.com/business/index.ssf/2014/12/defense_contractors_fighting_c.html

http://www.dibisac.net

 

 

+ The Cybersecurity Myths That Small Companies Still Believe

http://mobile.businessweek.com/articles/2014-11-24/the-cyber-security-myths-that-small-companies-still-believe

 

 

+ GSA's short list of emerging technologies

An Alliant II RFI specifies 18 "Leading Edge Technologies" the agency is watching with interest.

http://fcw.com/blogs/the-spec/2014/12/alliant-let-list.aspx?s=fcwdaily_051214

 

 

+ New virtual assistant helps stop breaches:

Personal information safeguard tool scheduled for rollout

http://www.robins.af.mil/news/story.asp?id=123433420

 

 

+ CIOs and CISOs Can Learn From the Massive Sony Data Breach

http://mobile.blogs.wsj.com/cio/2014/12/05/cios-and-cisos-can-learn-from-the-massive-sony-data-breach/

 

 

+ Top Chinese hackers recruited for Google's Project Zero team

http://www.wantchinatimes.com/news-subclass-cnt.aspx?id=20141205000132&cid=1204

 

 

+++ Join our PbD / data security meetup, stay tuned into what’s happened..

http://www.meetup.com/San-Diego-Privacy-by-Design-Data-Security-Meetup/

 

 

+ Good Morning, San Diego!   Nice aerial view of SD... quad-copter and go-pro camera

http://vimeo.com/113168936

 

 

 

 

++++  Cyber Security News you can use  +++

 

 

+ Pro-Iranian hackers have penetrated some of the world's most sensitive networks,

A sustained cyber attack campaign dubbed Operation Cleaver has compromised computer networks at several high profile organizations, including governments and companies supporting elements of critical infrastructure, over the past two years. There are 50 known compromised targets in 16 countries worldwide and it is likely that there are many more that have not been detected. For more than two years … including those operated by a US-based airline, auto maker, natural gas producer, defense contractor, and military installation, security researchers said. In many cases, "Operation Cleaver," as the sustained hacking campaign is being dubbed, has attained the highest levels of system access of targets located in 16 countries total, according to a report published Tuesday by security firm Cylance. Compromised systems in the ongoing attacks include Active Directory domain controllers that store employee login credentials, servers running Microsoft Windows and Linux, routers, switches, and virtual private networks. With more than 50 victims that include airports, hospitals, telecommunications providers, chemical companies, and governments, the Iranian-backed hackers are reported to have extraordinary control over much of the world's critical infrastructure.

http://arstechnica.com/security/2014/12/critical-networks-in-us-15-nations-completely-owned-by-iran-backed-hackers/

For instance, among the targets is a company specializing in natural gas production, unclassified computers in the San Diego Navy Marine Corps Intranet (NMCI) and airlines and airports in Saudi Arabia, Pakistan and South Kore

http://www.scmagazine.com/cylance-report-details-operation-cleaver-attacks-on-companies-in-multiple-countries/article/386280/

 

 

+ Obama's pick to lead the Pentagon is big on cybersecurity

President Obama's pick to lead the Pentagon, former deputy secretary of defense Ashton "Ash" Carter, has been a big supporter of increasing the country's cybersecurity capabilities. His nomination signals that the administration is likely to continue to aggressively build out its ability to fight adversaries in the digital world. Carter served as the deputy secretary of defense from October 2011 to December 2013 -- and before that spent two years as the Defense Department's chief weapon and technology buyer. He first joined the Pentagon as a civilian program and technical analyst in 1981, working on missile defense.

http://www.washingtonpost.com/blogs/the-switch/wp/2014/12/02/obamas-pick-to-lead-the-pentagon-is-big-on-cybersecurity/

 

 

+ How the Pentagon plans to bolster cloud security

The latest installment in the Defense Department's quest to find the right blend of security and affordability in the commercial cloud came in the form of a report released by the DOD CIO's office. The report offers "cradle-to-grave" guidance for commercial cloud providers and DOD customers, acting DOD CIO Terry Halvorsen wrote in a prefacing memo. The report, "DOD Cloud Way Forward," is the product of a 45-day study by Halvorsen's office, the Defense Information Systems Agency and the National Security Agency. It contains three main proposals to help DOD customers evaluate cloud security, with a central goal of cutting out unnecessary requirements for less-sensitive information and systems.

http://fcw.com/articles/2014/12/01/pentagon-bolsters-cloud-security.aspx

 

 

+ AHA to FDA: Hold med device makers responsible for cybersecurity

Medical device cybersecurity should be the responsibility of device makers, according to the American Hospital Association. In a recent letter to the U.S. Food and Drug Administration, AHA Senior Vice President of Public Policy Analysis and Development Linda Fishman called on the agency to "hold device manufacturers accountable" for ensuring the safety of medical devices from cyberthreats. The letter was in response to a request for comments published by the FDA in late September on collaborative approaches for medical device and healthcare cybersecurity.

http://www.fiercehealthit.com/story/aha-fda-hold-med-device-makers-responsible-cybersecurity/2014-12-01

 

 

+ More on Sony Pictures Attackers Release Sensitive Data

The attackers responsible for infiltrating the Sony Pictures computer network have leaked more than 40 gigabytes of stolen data, including compensation details for top executives, and a slew of passwords for computers, social media accounts and web services. The attackers claim to have stolen more than 100 terabytes of data. Despite speculation that North Korea was involved in the attacks, a more likely scenario is that they are the result of activists or disgruntled former employees.   Sony was in the midst of a changeover of chief information security officers when the company was hit with a crippling attack on its computer network ..

http://www.csmonitor.com/Innovation/2014/1204/Trove-of-Sony-financial-data-passwords-movies-leaked-online

http://www.wired.com/2014/12/sony-hack-what-we-know/

[Note : From the wide range of data compromised, we may fairly conclude that Sony had NOT YET had the intent, design, time, or resources to apply the lessons that might have, should have, been taken from their own earlier breaches and those of others reported in 2014 but dating from months to years earlier.  The rest of us have little enough time to apply those lessons.  They include, but are not limited to, more compartmentation, true end to true end encryption on the enterprise network, fewer privileged users and more multi-party controls, more structured data stored only on enterprise servers, controls (Active Directory) to resist access and gratuitous copies, and timely egress and other anomaly detection and mitigation….]

The malware used in the attack against the Sony Pictures network can spread over network file shares and is capable of destroying data on Windows computers it infects. The FBI has sent confidential notifications to certain businesses, urging them to be vigilant about malware like that used in the Sony attack.

http://www.pcmag.com/article2/0,2817,2472989,00.asp

 

 

+ DOJ Establishing Cybersecurity Unit

The US Justice Department (DOJ) is creating a new unit in its criminal division that will be focused on fighting cyber crime. "Prosecutors from the Cybersecurity Unit will provide a central hub for expert advice and legal guidance," according to Assistant Attorney General Leslie Caldwell.

http://thehill.com/policy/cybersecurity/226028-doj-forms-dedicated-cyber-unit

http://www.npr.org/2014/12/04/368351872/justice-department-plans-new-cybercrime-team

 

 

+ Always good to step back and see what others recommend as the best cyber posture..

These are a couple worth reviewing and implementing, especially the third – reduce security incidents by 85% with no added resources.

DoD strategy for defending networks and data

http://iac.dtic.mil/csiac/download/DDNSD_Public_Releasable_11132014.pdf

NIST SP 800-160, Systems Security Engineering: An Integrated Approach to Building Trustworthy Resilient Systems

http://csrc.nist.gov/publications/drafts/800-160/sp800_160_draft.pdf

--- National campaign to improve cyber hygiene  - with tool kits now

https://www.cisecurity.org/about/CHToolkits.cfm

 

 

+ Navy's information networks must be available, secure and capable of serving as warfighting platforms, said the head of Navy Cyber Command during a Dec. 2 event hosted by the Center for Strategic and International Studies.

http://www.fiercegovernmentit.com/node/34656/print

 

 

+ Internet of Things on docket for new Congress

The incoming GOP Senate majority is likely to focus on how the government regulates the growing universe of networks and connected devices.

http://fcw.com/articles/2014/12/04/internet-of-things-docket.aspx?s=fcwdaily_051214

 

 

+ No More FOUO: Government Plans to Simplify Labeling of Sensitive Information

http://www.nextgov.com/cio-briefing/2014/12/government-stamp-out-fouo/100605/

 

 

+ ONE  comprehensive defense mobility strategy & policy

http://defensesystems.com/~/media/19749A129B514E45B6AFBE511934BC63.pdf

 

 

+ 2015 Security predictions - websense

http://www.websense.com/assets/reports/report-2015-security-predictions-en.pdf

Why don’t we just FIX what we know needs it first…quit admiring the problem and DO CYBER!

 

 

+ Information Security Salary Survey

https://www.checkmarx.com/wp-content/uploads/2014/02/InfoSec_Salary_Survey_Report-FINAL.pdf

only 150 respondents, but…  CISO… well over 70% made over $161,000.. and climbing..

 

 

+ What Does All That Healthcare Data Really Mean?

http://www.cio.com/article/2854599/data-analytics/what-does-all-that-healthcare-data-really-mean.html?utm_campaign=sflow_tweet#tk.rss_all

 

 

+ Payouts average $2.9M per cyber loss claim for large companies

http://businessinsurance.com/article/20141203/NEWS07/141209913?template=smartphoneart

 

 

+ DOD CISO rattled off technologies he wants to help secure an Internet of stuff.

http://www.nextgov.com/cybersecurity/2014/12/what-pentagon-cyber-chiefs-holiday-shopping-list/100539/?oref=nextgov_today_nl

 

 

+ A new DARPA program wants to throw light on the dark alleys in computer systems where Advanced Persistent Threats and other attacks hide.

http://defensesystems.com/articles/2014/12/04/darpa-transparent-computing-apts.aspx

 

 

+ Google cloud remains price leader,

https://gigaom.com/2014/12/03/google-cloud-remains-price-leader-says-rightscale/

 

 

 

 

++++  FYI / FYSA   +++

 

 

+ Whitelisting project helps ICS owners find suspicious files – YES, & MORE – SO DO IT!!!

Industrial control systems have been at the center of some scary security stories recently, but investigating malware infections in such environments isn't easy because analysts often have a hard time telling good files from suspicious ones. Security researchers have identified two malware campaigns this year that targeted SCADA (supervisory control and data acquisition) systems -- Havex and BlackEnergy. Such attacks are expected to grow in number, as new reports show that state-sponsored hackers are increasingly interested in critical infrastructure companies. A newly launched service called WhiteScope provides industrial control system owners and investigators with a list of good files from SCADA products and related software. The "whitelist" can be used to pin down potentially suspicious files when investigating possible compromises.

http://www.computerworld.com/article/2854434/whitelisting-project-helps-industrial-control-systems-owners-find-suspicious-files.html#tk.rss_news

 

 

+ Cheap IT, dwindling maintenance leave Navy vulnerable to cyber threats

The military has plenty of cybersecurity challenges on its plate as it is trying to ward off threats from unfriendly governments, unaligned hackers and criminal syndicates. But it's not doing itself any favors by insisting on buying the cheapest possible equipment it can find to build and defend its own networks, the Navy's top cyber officer said Tuesday. Vice Adm. Jan Tighe, who became commander of the Navy's Fleet Cyber Command earlier this year, said that despite pressures on the overall budget, her service needs to reexamine the calculus it has tended to use up until now when weighing costs against security within its cyber systems. She framed the refocus as in line with official military doctrine, which now stipulates that cyberspace is truly a warfighting domain, on par with and interdependent with the old-fashioned ones: land, sea, air and space.

http://www.federalnewsradio.com/412/3755042/Cheap-IT-dwindling-maintenance-leave-Navy-vulnerable-to-cyber-threats

 

 

+ Hardware secured mobile devices toughen first line of defense

It's been 10 years since the federal government introduced measures to standardize identity and credentials across all agencies. Since then, almost 5 million smart card-based Personal Identity Verification (PIV) credentials have been issued to government employees and contractors for secure access to government buildings and IT systems. Standards have also been widened for non-federal and commercial use to include millions more through Personal Identity Verification Interoperable (PIV-I) and Commercial Identity Verification (CIV) cards. Aware of the potential offered by mobile devices, the federal government is now expanding the HSPD-12 standard in the form of FIPS 201-2, which enables credentials derived from PIV to be provisioned onto mobile devices so users can access applications and networks securely, quickly and easily.

http://gcn.com/articles/2014/12/01/hardware-secured-mobile-devices.aspx

 

 

+ Commerce takes bigger oversight role in its bureaus' cybersecurity

For the first time ever, the Commerce Department is building a real-time view of its overall cybersecurity posture. And with that information, it's taking on a greater oversight role over the 14 different agencies within its purview. Commerce officials emphasized that the establishment of a new Enterprise Security Oversight Center (ESOC) is not meant to be a takeover of the IT functions that have traditionally been managed by bureaus with disparate missions, ranging from the Census Bureau to the National Weather Service to the Patent and Trademark Office. Rather, it's a recognition that the push toward continuous diagnostics and mitigation in the government only works if everyone's sharing information - and if each agency is on basically the same cybersecurity footing.

http://www.federalnewsradio.com/93/3753468/Commerce-takes-bigger-oversight-role-in-its-bureaus-cybersecurity

 

 

+ Thoughts on NIST Draft Guide to Cyber Threat Information Sharing (SP 800-150)

http://www.isightpartners.com/2014/11/thoughts-nist-draft-guide-cyber-threat-information-sharing-sp-800-150/?utm_content=10062887&utm_medium=social&utm_source=linkedin

 

 

+ Leveraging The Kill Chain For Awesome

There are good reasons why the Kill Chain is being used by some of the most successful information security teams around. Here are three.

http://www.darkreading.com/attacks-breaches/leveraging-the-kill-chain-for-awesome/a/d-id/1317810?_mc=NL_DR_EDT_DR_daily_20141203&cid=NL_DR_EDT_DR_daily_20141203&elq=726b1a5f204541c2bf27cea611a9888a&elqCampaignId=11225

 

 

+ Why We Need Better Cyber Security: A Graphical Snapshot

By 2022, demand for security industry professionals will grow 37%.   Also a great crime statistic infographic

http://www.darkreading.com/operations/why-we-need-better-cyber-security-a-graphical-snapshot-/d/d-id/1317398?_mc=NL_DR_EDT_DR_daily_20141203&cid=NL_DR_EDT_DR_daily_20141203&elq=726b1a5f204541c2bf27cea611a9888a&elqCampaignId=11225

 

 

+ The Real Cost of Cyber Incidents, According To Insurers

Healthcare is hit by the most malicious insiders and the highest legal costs, according to a NetDiligence report.

In August, the Ponemon Institute reported that security exploits and data breaches had cost survey respondents (some of which experienced multiple incidents), on average, $9.4 million over a year. Yet, according to research released today by NetDiligence, the average payout of a cyber insurance claim is only $733,109.

http://www.darkreading.com/the-real-cost-of-cyber-incidents-according-to-insurers/d/d-id/1317851

full report

http://www.netdiligence.com/NetDiligence_2014CyberClaimsStudy.pdf

 

 

+  DISA takes on defense of DOD networks

 The initiative will create a Joint Force Headquarters for DOD Information Networks

 http://defensesystems.com/articles/2014/12/03/disa-cyber-command-joint-force.aspx

 

 

+ POS Security Essentials: How to minimize Payment Card Breaches

http://www.sans.org/reading-room/whitepapers/bestprac/point-sale-pos-systems-security-35357

 

 

+ Not Just the NSA: Privacy Breaches Closer to Home - In Short: Negligence and Privacy

http://greplinux.com/blog/2014/02/03/not-just-the-nsa-privacy-breaches-close-to-home/

 

 

+ Destructive Cyber Attacks on the Rise

https://www.linkedin.com/today/post/article/20141203225508-156493-ddestructive-cyber-attacks-on-the-rise

 

 

+ The Millennium Falcon And Breach Responsibility

http://blogs.forrester.com/rick_holland/14-12-04-the_millennium_falcon_and_breach_responsibility

 

 

+ DoD To Silicon Valley, VCs: How ‘Bout Some Help!

http://breakingdefense.com/2014/12/dod-to-silicon-valley-vcs-how-bout-some-help/

 

 

+ Hiring R2D2 to Protect Your Mall or Campus, All for $6.25 Per Hour

http://www.nbcnews.com/tech/innovation/hiring-r2d2-protect-your-mall-or-campus-all-6-25-n262796

 

 

+ Stopping Zero-Day Attacks With Secure Configuration Management (SCM / SIEM is essential – got one?)

http://www.tripwire.com/state-of-security/incident-detection/stopping-zero-day-attacks-with-secure-configuration-management/#%2EVH8PRVG0PnU%2Elinkedin

 

 

+ Cyber liability: how can businesses protect themselves against underestimated cyber risks?

http://www.lexology.com/library/detail.aspx?g=c2133d6f-a384-442c-943b-3f7b4db57a20

 

 

+ Penetration Testing: 5 Common Myths Explained

http://networkingexchangeblog.att.com/enterprise-business/penetration-testing-5-common-myths-explained/?source=EENTOUTB11181422N#fbid=JTwiTd4_Qjd

 

 

+ Advanced Cyber Defense Methods – eBook

http://assets.teradata.com/resources/ebooks/102914-CyberSecurity-eBook/FLASH/index.html

 

 

+ the actual cost of failed trust..

https://www.venafi.com/assets/pdf/wp/Ponemon_Cost_of_Failed_Trust_Report.pdf

 

 

+  4th annual benchmark study on Patient Privacy and Data Security. 2014

https://www.privacyrights.org/sites/privacyrights.org/files/ID%20Experts%204th%20Annual%20Patient%20Privacy%20&%20Data%20Security%20Report%20FINAL.pdf

 

 

+ Privileged use abuse and insider threat

http://www.trustedcs.com/resources/whitepapers/Ponemon-RaytheonPrivilegedUserAbuseResearchReport.pdf

 

 

+ State of endpoint RISK

https://www.lumension.com/Lumension/media/graphics/Resources/2014-state-of-the-endpoint/2014-State-of-the-Endpoint-Whitepaper-Lumension.pdf

 

 

 

 

 

++++  THREATs  / bad news stuff / etc  +++

 

 

+ SSH and Next-generation vulnerabilities

https://www.venafi.com/assets/pdf/Ponemon_2014_SSH_Security_Vulnerability_Report.pdf

 

 

+ Computing goes to the cloud. So does crime.

As more of our world, from family photos to financial information, moves into the cloud, malicious hackers are following. It is easy to see why: Cloud computing systems contain lots of critical information, from sensitive corporate and personal financial data to government secrets and even nude photographs never meant to be shared. All of it has been targeted by hackers, and in many cases stolen. In 2009, a password-stealing "botnet," or collection of malevolent software, was found inside Amazon Web Services, perhaps the world's largest cloud-computing system. More recently, celebrities' private photos were stolen from Apple's iCloud storage system. IBM says its researchers regularly receive taunts from Russian hackers who leave them mocking messages in software aimed at stealing from the 300 banks IBM serves.

http://bits.blogs.nytimes.com/2014/12/02/computing-goes-to-the-cloud-so-does-crime/

 

 

+ China, a fish barrel for cybercriminals

In China, some of the most successful cyberthreats are frighteningly simple. One recent viral mobile message offered free Golden Retriever puppies to lure users into giving away personal information. Another online scam took thousands from a woman who wired money to an impostor she thought was her son's teacher. A current favorite of Chinese cybercriminals, according to Pei Zhiyong, the senior security researcher of the antivirus company Qihoo 360 Technology, is to simply program malicious code that asks users to disable their antivirus software. "It will say their security program is incompatible with whatever they're trying to do," he said. "We call it a 'Candy Trojan Horse,' and 30 percent of users will actually respond by turning off their antivirus system."

http://bits.blogs.nytimes.com/2014/12/02/china-a-fish-barrel-for-cybercriminals/?ref=technology&_r=1

 

 

+ FBI warns of 'destructive' malware in wake of Sony attack

The Federal Bureau of Investigation warned U.S. businesses that hackers have used malicious software to launch a destructive cyberattack in the United States, following a devastating breach last week at Sony Pictures Entertainment. Cybersecurity experts said the malicious software described in the alert appeared to describe the one that affected Sony, which would mark the first major destructive cyber attack waged against a company on U.S. soil. Such attacks have been launched in Asia and the Middle East, but none have been reported in the United States. The FBI report did not say how many companies had been victims of destructive attacks.

http://www.reuters.com/article/2014/12/02/us-sony-cybersecurity-malware-idUSKCN0JF3FE20141202

 

 

+ Malware Targets Password Managers

http://www.bankinfosecurity.com/malware-targets-password-managers-a-7602

 

 

+ Mobiles to be among top targets of hackers in 2015

http://m.timesofindia.com/tech/tech-news/Mobiles-to-be-among-top-targets-of-hackers-in-2015-Study/articleshow/45297905.cms

 

 

+ Tor secret comms – blocking reduces bank account takeover.

A new report from the U.S. Treasury Department found that a majority of bank account takeovers by cyberthieves over the past decade might have been thwarted had affected institutions known to look for and block transactions coming through Tor, a global communications network that helps users maintain anonymity by obfuscating their true location online.

http://krebsonsecurity.com/2014/12/treasury-dept-tor-a-big-source-of-bank-fraud/

 

 

+ Most U.S. Companies Under Cyberattack

-----  Browser vulnerabilities are the most pressing security issue, study finds.

http://readwrite.com/2014/12/04/cybersecurity-corporate-networks-ransomware-cyberattack

 

 

+ New POS Malware Discovered Just in Time for the Holiday Shopping Season

http://www.pcrisk.com/internet-threat-news/8490-new-pos-malware-discovered-just-in-time-for-the-holiday-shopping-season

 

 

 

 

++++   SD/SoCAL security events / opportunities +++

 

+ CyberTECH events / networking / startups / etc  --  THE cyber happening place in SD!!!  Join their Meetup Group for the latest event information!   The definition of “Cyber KEWEL”

http://www.meetup.com/cybertech/

 

 

+ Webster University’s  new SD cyber security program – check it out..

http://www.webster.edu/sandiego/academic-programs/cybersecurity.html

 

 

DEC

 

16 – ISSA Annual elections and BIG prize raffle!!   AND Ira Winkler, President ISSA International

https://www.eventbrite.com/e/december-2014-san-diego-issa-chapter-annual-membership-meeting-holiday-raffle-sponsored-by-tickets-12875526045

 

 

18 – ISACA chapter meeting -  (FREE!) Leveraging a Strong IT Audit and Information Security Partnership… BY Alex Branisteanu, Director Information Security, Scripps Health..  NEW LOCATION – Coleman University.

https://www.eventbrite.com/e/december-2014-isaca-san-diego-chapter-meeting-tickets-14512514321

 

 

JAN

 

15 – OWASP – Running InfoSec for America's Finest City..   Gary Hayslip, CISO for the city of San Diego,

http://www.meetup.com/Open-Web-Application-Security-Project-San-Diego-OWASP-SD/events/218878976/?a=md1_evn&rv=md1&_af_eid=218878976&_af=event

 

28 – International Data privacy day – all day event - “Securing the IoT Privacy masters” (CyberTECH, SOeC, others)

 

30  Cross Border cyber opportunities – MX/TJ and CA/SD collaboration event, all day Friday!!!  (Hosted at Coleman University) – Contact me to join in…

 

31 Jan – Tentative - Started planning “BigDataDay 4 SD” all-day event – free - Jump in and help us!

We went to the one in LA and it was great…   likely our three tracks will be: 

(1)  Technical =  Hadoop / Hbase / NoSQL; 

(2)  Data science = predictive analytics, parallel algorithms, statistical modeling, algorithms for data mining, etc and

(3)  Applications =  key use cases…  Privacy by Design / data security,  data start-ups / incubators, novel products,

 

 

 

 

+++  Future events in planning  FYI:

 

TBD – Provided by IEEE Cyber SIG / Various Security groups – all day – Privacy by design workshop – a cyber model & why you must be part of this initiative!  (at Coleman University - AM Technical approach… PM public discussions)

Help move SD forward in cyber -  DOING security vs admiring the problem…. SO engage and help out on cyber 4 PbD!!!

+++  Join our PbD / data security meetup, stay tuned into what’s happened..

http://www.meetup.com/San-Diego-Privacy-by-Design-Data-Security-Meetup/

See our over Cyber for PbD brief at

http://www.sciap.org/blog1/wp-content/uploads/Privacy-by-Design-cyber-security.pdf

AND Our more detailed technical paper on our Cyber 4 PbD approach, including an executable, proposed open privacy framework within an enterprise architecture is at (this rough draft is also getting ready to be published in a major IEEE magazine in Jan 2014):

http://www.sciap.org/blog1/wp-content/uploads/Cyber-security-enable-privacy-design.pdf

 



