Cyber Security News of the Week, March 5, 2017

Individuals at Risk

Cyber Warning

130+ Android apps on Google Play found with malware. Did developers use infected computers?: More than 130 Android apps on the Google Play store have been found to contain malicious coding, possibly because the developers were using infected computers, according to security researchers. PC World, March 1, 2017

Cyber Update

macOS malware on the rise as Apple silently patches a mysterious new threat called Proton: No one is safe from malware these days, even macOS users. 2017 has been a banner year for malware on Apple computers, including a new threat that allows total remote control from a web console. Tech Republic, March 2, 2017

Cyber Defense

Apple pushing two-factor authentication for iOS 10.3 users: Beta users of Apple iOS 10.3 are reporting that they’re receiving push notifications from Apple to enable two-factor authentication (2FA) for their Apple IDs, which is used on Apple devices (like iPads, iPhones and Macs) to synchronize and share iCloud user data. NakedSecurity, March 3, 2017

Securely Using Mobile Apps: Mobile devices, such as tablets, smartphones, and watches, have become one of the primary technologies we use in both our personal and professional lives. What makes mobile devices so versatile are the millions of apps we can choose from. These apps enable us to be more productive, instantly communicate and share with others, train and educate, or just have more fun. However, with the power of all these mobile apps comes risks. Here are some steps you can take to securely use and make the most of your mobile apps. SANS Institute Security Awareness Newsletter, March, 2017

Phishing Defense: Email is one of the primary ways we communicate. We not only use it every day for work, but to stay in touch with our friends and family. In addition, email is now how most companies provide online services, such as confirmation of your online purchase or availability of your bank statements. Since so many people around the world depend on email, it has become one of the primary attack methods used by cyber criminals. In this newsletter, we explain phishing, a common email attack method, and the steps you can take to use email safely. SANS Institute Security Awareness Newsletter, December 2015

Information Security Management in the Organization

Information Security Management and Governance

How to Use & Share Customer Data without Damaging Trust–5 Tips for Protecting Consumer Privacy: These five tips for protecting consumer privacy will ensure that your customers will stay customers for the long run. Dark Reading, March 3, 2017

Situational Awareness: The Five C’s of Enlightened CyberSecurity: If you spend a lot of time with security vendors and testing their products, you are likely bombarded with sales pitches touting “next generation” of X, “real-time prevention” of Y, or “advanced” Z. These are all good things but studies suggest (PDF) security professionals are in short supply, and they are busy fighting fires caused by current products and lack the time to evaluate new ones. Our intent is to provide a five-point guide for security professionals looking to embark on the path of security enlightenment. ITSP Magazine, March 2, 2017

Yahoo CEO Loses Bonus Over Security Lapses After Sales Price Drops Significantly: Yahoo CEO Marissa Mayer will lose her cash bonus after an independent investigation into security breaches at the search giant found that the company’s senior executives and legal team failed to properly comprehend or investigate the severity of the attacks. BankInfoSecurity, March 2, 2017

Importance of engaging cybersecurity counsel early, Robert Braun, JMBM Cybersecurity & Privacy Group: Last year, SEC Chair Mary Jo White named cybersecurity as the biggest risk facing financial markets. But the risk isn’t limited to the financial industry – even a casual review of breach reports in the mainstream press shows that cybersecurity is a risk common to all companies in any industry. The challenge facing companies is how to prepare for what seems to be inevitable, and how to do it on an efficient and economical basis. [Braun is a member of the SecureTheVillage Leadership Council.] JMBM, March 1, 2017

Fewer Than One-Fourth Of Cybersecurity Job Candidates Are Qualified: ISACA report finds that 55% of security jobs take three to six months to fill, and under 25% of candidates are qualified for the jobs they apply for. DarkReading, February 22, 2017

Cyber Warning

Fileless Powershell malware uses DNS as covert communication channel: Targeted attacks are moving away from traditional malware to stealthier techniques that involve abusing standard system tools and protocols, some of which are not always monitored. PC World, March 3, 2017

How hackers turned a Cape Cod fishing guide’s site into a host for e-commerce fraud: Cape Cod fishing guide Eric Stapelfeld trusted me to look after his website the same way that I trust him to find fish. Until a few weeks ago, I believed I had the easier part of the bargain. After all, what’s hard about maintaining a simple WordPress site with a phone number and lots of striped bass pictures? As it turns out, everything is hard, really hard, when hackers go to work on a vulnerable site — even a simple one. And no fish ever put up a fight like the malware that took over Eric’s site. Tech Crunch, March 3, 2017

Cyber Defense

Video: Seven most dangerous new attack techniques – RSA 2017 Keynote: During RSA 2017 in San Francisco, SANS faculty members and expert instructors Ed Skoudis, Michael Assante, Johannes Ullrich and SANS Institute founder Alan Paller walked the audience through the seven most dangerous attack techniques. It didn’t take Ed Skoudis long to get into it. At 3:20 into the keynote video Ed highlighted the dangers and variants of modern crypto-ransomware and why it is a growing threat. SANS, February 28, 2017

Cyber Security in Society

Cyber Attack

Ransomware shuts down PA Senate Democratic Caucus: A cyberattack forced the Pennsylvania Senate Democratic Caucus to shut down its computer system on Friday, according to a statement from the caucus’ leader Sen. Jay Costa. PENN Live, March 3, 2017

Emory Healthcare Breach Exposes 80,000 Patient Records. Believed Caused by Misconfigured Database: An attack on a database used by Emory Healthcare for patient appointments is the largest health data breach reported to federal regulators so far in 2017. The incident, which exposed data on almost 80,000 individuals, seems to spotlight a persistent problem facing a growing number of organizations that use misconfigured MongoDB and other similar databases, security experts say (see Database Hijackings: Who’s Next?). BankInfoSecurity, February 28, 2017

Know Your Enemy

Video Ad Sells Program to Manage Ransomware Campaigns. Any Miscreant with $400 Can Attack Your Computer: Among today’s fastest-growing cybercrime epidemics is “ransomware,” malicious software that encrypts your computer files, photos, music and documents and then demands payment in Bitcoin to recover access to the files. A big reason for the steep increase in ransomware attacks in recent years comes from the proliferation of point-and-click tools sold in the cybercrime underground that make it stupid simple for anyone to begin extorting others for money. KrebsOnSecurity, March 1, 2017

National Cyber Security

New Report Illustrates Why Encryption Is Such a Headache for Lawmakers: Encrypted smartphones and messaging apps that prevent even the companies that make them from decrypting their data are unreasonably hindering criminal investigations, and the situation is worsening, say law enforcement officials. A new report from the Center for Strategic and International Studies, a prominent bipartisan policy think tank, helps quantify the scale and complexity of the issue. MIT Technology Review, March 3, 2017

Mike Pence used an AOL e-mail account for state business and it got hacked: As the US Republican vice presidential candidate, Mike Pence vigorously chastised Hillary Clinton for using a personal server to send and receive official e-mails while she was Secretary of State. Not only was the arrangement an attempt to escape public accountability, he said, it also put classified information within dangerous reach of hackers. ars technica, March 3, 2017

Ex-NSA head: Cybersecurity agencies don’t share enough information to be successful: A former leader of the National Security Agency (NSA) told lawmakers Thursday that government agencies working on cybersecurity are too “stovepiped” to safeguard the nation from digital threats. The Hill, March 2, 2017

House Panel OKs Plan for NIST to Audit Framework Implementation: A divided House Science, Space and Technology Committee has approved legislation that would expand the National Institute of Standards and Technology into the domain of auditing. The bill calls for NIST to assess federal agency compliance with its cybersecurity framework. BankInfoSecurity, March 1, 2017

Global cybercrime prosecution a patchwork of alliances: We don’t hear much about John Dillinger-style bank robberies these days, with exciting police chases to the state lines. In 2015, there were 4,091 traditional bank robberies in the US, according to the FBI, with an average loss of less than $4,000 per incident. No customers or bank employees were killed in any of these robberies, though eight would-be robbers were killed. CSO, March 1, 2017

Governors put spotlight on cybersecurity: Governors from states across the country put the spotlight on cybersecurity at an annual gathering in Washington on Saturday. The Hill, February 25, 2017

Cyber Law

New York cyber security law serves as model: New York’s cyber security regulation could serve as a model for how other states can ensure insurers and other regulated companies protect consumers and themselves from cyber breaches. Business Insurance, February 28, 2017

Cyber Enforcement

New cyber crime training complex opens in San Luis Obispo: On Wednesday, the California Cyber Training Complex opened its doors in San Luis Obispo. This facility will provide a shared home to forensics investigators across the county. KEYT, March 1, 2017

In Memoriam — Howard Schmidt

Kimberly, David and I had the great pleasure of knowing Howard Schmidt. Ten years ago, when he was ISSA International President and I had just become President of the Los Angeles ISSA Chapter, he was the guest speaker at a monthly Chapter meeting. His talk was a major influence on the decision by the Chapter to commence our Community Outreach Program, reaching out to the business and professional community, the IT community, educators, and law enforcement. As President Obama’s Cybersecurity Coordinator in 2013, he was the keynote speaker at ISSA-LA’s Annual Summit, helping us carry the message that it takes the village to secure the village. Howard was selfless. He always said ‘yes.’ He cared deeply about helping others. His passing is a loss, not just to those who knew him, but for the entire nation and all who care about improving cybersecurity. He was a blessing and we mourn his loss.

Howard Schmidt, Cybersecurity Adviser to Two Presidents, Dies at 67: Howard A. Schmidt, a computer crime expert who advised two presidents and drafted cybersecurity safeguards that were approved by Congress in 2015, died on Thursday at his home in Muskego, Wis. He was 67. The New York Times, March 4, 2017

Howard Schmidt’s Legacy of Service Remembered: Howard Schmidt, one of the security industry’s groundbreaking public policy mavens who served as the top White House cybersecurity advisor under two presidents, died on Thursday. He was 67. ThreatPost, March 3, 2017

Cybersecurity Leader Howard Schmidt Remembered: News appeared on Thursday 2 March that Howard Schmidt had passed away following a long battle with cancer. InfoSecurity Magazine, March 3, 2017

Howard Schmidt, former Obama cyber adviser, dies: Howard Schmidt, who served as special assistant to President Barack Obama for cybersecurity from 2009 to 2012, and who just received the 2016 (ISC)² Harold F. Tipton Lifetime Achievement Award, passed away on the morning of March 2. According to his family, Schmidt had been battling cancer and died at home in Muskego, Wis. FCW, March 2, 2017

The post Cyber Security News of the Week, March 5, 2017 appeared first on Citadel Information Group.