Cyber Security News of the Week, May 21, 2017


Individuals at Risk

Identity Theft

Fraudsters Exploited Lax Security at Equifax’s TALX Payroll Division: Identity thieves who specialize in tax refund fraud had big help this past tax year from Equifax, one of the nation’s largest consumer data brokers and credit bureaus. The trouble stems from TALX, an Equifax subsidiary that provides online payroll, HR and tax services. Equifax says crooks reset the 4-digit PIN that customer employees use as a password by correctly answering personal knowledge-based questions about those employees, then stole the employees’ W-2 tax data. KrebsOnSecurity, May 18, 2017

Cyber Update

Android Gets Security Makeover With Google Play Protect: Mobile operating system Android received a big security makeover Wednesday with the introduction of Google Play Protect. At Google I/O, Google’s annual developer conference, the company teased a major update to its security platform that consists of a mix of new features, a rebranding of existing ones and UI enhancements that will now live under one security umbrella called Google Play Protect. ThreatPost, May 18, 2017

98% of Android Users Fail to Run Latest OS Version: Ninety-eight percent of Android devices are not running the latest version of the operating system, according to a report released today by Zimperium. DarkReading, May 18, 2017

Cyber Warning

App maker’s code stolen in malware attack: The Mac and iOS software developer Panic has had the source code for several of its apps stolen. BBC, May 18, 2017

Breach at DocuSign Led to Targeted Email Malware Campaign: DocuSign, a major provider of electronic signature technology, acknowledged today that a series of recent malware phishing attacks targeting its customers and users was the result of a data breach at one of its computer systems. The company stresses that the data stolen was limited to customer and user email addresses, but the incident is especially dangerous because it allows attackers to target users who may already be expecting to click on links in emails from DocuSign. KrebsOnSecurity, May 15, 2017

Information Security Management in the Organization

Information Security Management and Governance

Need for strategy, management structure, & basic security hygiene emphasized in CISO discussion: Some security leaders argue there is little point in worrying about emerging threats when businesses can’t defend against today’s attacks. DarkReading, May 18, 2017

Cyber Defense

5 Security Lessons WannaCry Taught Us the Hard Way: There is a lot more our industry should be doing to protect its systems and data from cyber blackmail. DarkReading, May 18, 2017

Cyber Update

WordPress Fixes CSRF, XSS Bugs, Announces Bug Bounty Program: WordPress is urging webmasters to update to the latest version of its content management system to mitigate several issues, including a pair of cross-site scripting (XSS) bugs and a cross-site request forgery (CSRF) bug that’s existed for 10 months. ThreatPost, May 18, 2017

Cyber Culture

How to get your staff to take cybersecurity seriously: Common sense only goes so far and you need to make sure that best practices around security don’t go in one ear and out the other. Here’s your attack plan. CNet, May 18, 2017

Security Is an Organizational Behavior Problem: At what point will we admit that technology is not enough? When will we discover that our well-documented processes are insufficient? Who will acknowledge that their leadership when it comes to governance isn’t working? It takes a strong person to admit these flaws in organizational behavior and tackle the hardest problems head on. SecurityIntelligence, May 17, 2017

Despite security risks, 75% of CEOs use applications that aren’t approved by IT: CEOs and business decision makers (BDMs) say they understand the massive cybersecurity risks facing organizations today. However, that does not stop 75% of CEOs and 52% of BDMs from using applications and programs that are not approved by their IT department, according to a new report from Code42. About half of these professionals said they have experienced a security breach within the last 18 months. TechRepublic, May 16, 2017

User misdeeds responsible for 2/3 of breaches. Better awareness training needed: The 2017 Verizon DBIR (Data Breach Investigations Report) is out. For those of you who are unfamiliar with it, this is THE data driven report that helps you better understand threats and what the leading causes of incidents and breaches are. The report is important as it provides a trusted resource to help you make data driven decisions on what you should be teaching in your awareness program. The report can be used in a variety of ways, from understanding overall threats to doing a deep dive on the greatest risks facing your own industry. My favorite resource in this year’s report is Figure 9, which we have posted in this blog. This figure gives you an overview of the most common risks facing the 8 most common industries. If you are in one of those 8 industries, my suggestion is to go straight to the report’s detailed write-up on your industry and learn everything you can. SANS, May 16, 2017

Cyber Security in Society

Cyber Defense

NIST Cybersecurity Framework: The smart person’s guide: President Trump’s cybersecurity order made the National Institute of Standards and Technology’s framework federal policy. Here’s what you need to know about NIST’s Cybersecurity Framework. TechRepublic, May 19, 2017

Ransomware’s Aftershocks Feared as U.S. Warns of Complexity: The components of the global cyberattack that seized hundreds of thousands of computer systems last week may be more complex than originally believed, a Trump administration official said Sunday, and experts warned that the effects of the malicious software could linger for some time. The New York Times, May 14, 2017

Looking Back at 2016 Data Breaches. Lessons to Learn: According to a report by the Identity Theft Resource Center (ITRC), the number of data breaches tracked in 2016 in the U.S. reached an all-time record of 1,093 incidents and exposed more than 36 million records. The most headline-making breaches affected the healthcare sector (e.g., Centene, 21st Century Oncology), federal and local governments (e.g., U.S. Department of Homeland Security, the National Security Agency, the U.S. Navy) and IT companies (e.g., Verizon Enterprise Services, Seagate, LinkedIn, Yahoo). Cyber attacks ranged from traditional web-app attacks to relatively new methods such as ransomware. In addition, 2016 is remarkable for several major state-sponsored attacks, which affected large organizations such as the Federal Deposit Insurance Corporation and Mossack Fonseca. ITSP Magazine, May 2017

National Cyber Security

FCC inundated with fake emails opposing net neutrality using stolen email names: Last week, we told you about the travails of the US Federal Communications Commission’s comments website, which crashed after John Oliver sent hundreds of thousands of pro-net-neutrality commenters their way – and someone else sent a major DDoS attack. Naked Security, May 18, 2017

Any Half-Decent Hacker Could Break Into Mar-a-Lago. We Tested It: Two weeks ago, on a sparkling spring morning, we went trawling along Florida’s coastal waterway. But not for fish. Gizmodo, May 17, 2017

Why Extending Laptop Ban Makes No Sense: The Department of Homeland Security is rumored to be considering extending the current travel ban on large electronics for Middle Eastern flights to European ones as well. The likely reaction of airlines will be to implement new traveler programs, effectively allowing wealthier and more frequent fliers to bring their computers with them. This will only exacerbate the divide between the haves and the have-nots—all without making us any safer. Schneier on Security, May 16, 2017

Cyber Medical

FDA, Industry Look for Gaps in Cybersecurity: The US Food and Drug Administration (FDA) on Thursday kicked off a fortuitously timed public workshop on medical device cybersecurity, the agency’s third on the subject to date. RAPS, May 18, 2017

Patches Pending for Medical Devices Hit By WannaCry: It was initially thought that only Windows desktops and servers were affected, but it should come as no surprise that medical devices and industrial control systems, many of which run embedded versions of Windows, were also hit by this weekend’s WannaCry ransomware outbreak. ThreatPost, May 18, 2017

Internet of Things

GAO Assesses IoT Vulnerabilities: Internet of things devices are vulnerable to an array of potential cyberattacks, including zero-day exploits, distributed denial-of-service attacks and passive wiretapping, according to a new Government Accountability Office report, which cites mitigation advice from experts. BankInfoSecurity, May 17, 2017

Cyber Enforcement

How to Catch Hackers? Old-School Sleuthing, With a Digital Twist: LONDON — Bank robbers wear masks and escape in vans with stolen license plates. Kidnappers compose ransom letters from newsprint to elude handwriting experts. Burglars target houses with the upstairs window ajar. The New York Times, May 14, 2017

Secure the Village

The need for urgent collective action to keep people safe online: Lessons from last week’s cyberattack: Early Friday morning the world experienced the year’s latest cyberattack. Microsoft, May 14, 2017

The World Is Getting Hacked. Why Don’t We Do More to Stop It?: The path to Friday’s global outbreak of ransom-demanding software (“ransomware”) that crippled hospitals in Britain — forcing the rerouting of ambulances, delays in surgeries and the shutdown of diagnostic equipment — started, as it often does, with a defect in software, a bug. This is perhaps the first salvo of a global crisis that has been brewing for decades. Fixing this is possible, but it will be expensive and require a complete overhaul of how technology companies, governments and institutions operate and handle software. The alternative should be unthinkable. The New York Times, May 13, 2017

Growing consensus on the need for an international treaty on nation state attacks: This week, the Group of 7 (G7) published a declaration recognizing the urgent need to establish international norms for responsible nation state behavior in cyberspace. It’s encouraging to see the commitment of this leading group of nations, but sobering to witness the growing imperative to act. Earlier this year at the RSA Conference in San Francisco I outlined the framework for a Digital Geneva Convention aimed at protecting and defending civilians against nation-sponsored attacks. Microsoft, April 13, 2017

The post Cyber Security News of the Week, May 21, 2017 appeared first on Citadel Information Group.