IT Security News Blast 5-30-2017

Organizations Concerned About Medical Device Attacks: Study

The study, based on a survey of 550 individuals conducted by the Ponemon Institute, shows that 67 percent of medical device makers and 56 percent of HDOs believe an attack on the medical devices they build or use is likely to occur in the next 12 months […] On the other hand, only 17 percent of device manufacturers and 15 percent of HDOs have taken significant steps to prevent attacks. Roughly 40 percent on both sides admitted that they haven’t done anything to prevent attacks.

http://www.securityweek.com/organizations-concerned-about-medical-device-attacks-study

 FTC: It Takes Criminals Just 9 Minutes to Use Stolen Consumer Info

Experts created a database of fake consumer credentials and posted them twice on a site that hackers use to make stolen data public. […] There were more than 1,200 attempts to access the information, which hackers tried to use to pay for things like food, clothing, games, and online dating memberships. The FTC advises consumers to stay safe with two-factor authentication, which prevented the thieves from gaining access.

https://www.darkreading.com/vulnerabilities---threats/ftc-it-takes-criminals-just-9-minutes-to-use-stolen-consumer-info/d/d-id/1328978?

 Think your SaaS provider has your information security completely covered? Think again

As the first decade of cloud computing draws to a close, confidence in the way SaaS- and cloud service providers manage data protection and security is very high. Occasionally surveys will highlight concerns, but these are significantly diminished compared to past years. Most SaaS providers’ security standards are much stronger than the typical SaaS user – a factor driving the widespread adoption of more SaaS-based apps, for more mission-critical functions. This perception is accurate – to a point.

https://www.scmagazine.com/think-your-saas-provider-has-your-information-security-completely-covered-think-again/article/655117/

 The masterminds who initiated the WannaCry cyber-attack might be Chinese

A new linguistic analysis conducted by an American intelligence company has revealed a shocking probability. According to the recent data, those behind the WannaCry ransomware attack would be a group of Chinese native speakers. US experts examined the data redemption requests in 28 languages, and signs they would be written by a person who knows the Chinese language very well are quite relevant.

https://stocknewsusa.com/2017/05/29/masterminds-initiated-wannacry-cyber-attack-might-chinese/

 ‘Unrelenting’ rise in vulnerabilities, Risk Based Security reports

The study also discovered that more than a third of the vulnerabilities were already exploited or contained enough details that a public exploit was readily available. Half of the flaws, the report said, were remotely exploitable. And, these risks could be lessened – if only security administrators kept their systems patched – as nearly three-quarters of the vulnerabilities have a documented solution, such as workarounds, a patch or a fixed version, the study revealed.

https://www.scmagazine.com/unrelenting-rise-in-vulnerabilities-risk-based-security-reports/article/664700/

 Why can’t security have SLAs?

Vendors said no. “It would be extremely difficult to set specific service levels relating to security. I can’t think of the parameters that you would apply,” said Danny Allan, vice president of Cloud & Alliance Strategy at Veeam. Despite that sentiment, let’s play a game of what-if. What if a parameter could be placed on a third party for security? What would it look like?

http://www.csoonline.com/article/3198497/security/why-can-t-security-have-slas.html

 China’s tough cybersecurity law to come into force from June 1

Online service providers in China will be banned from collecting and selling users’ personal information from June 1. The Internet service providers cannot collect user information that is irrelevant to the services, and they should handle such information in line with laws and agreements, according to the Cybersecurity Law adopted by China’s top legislature in November last year.

http://economictimes.indiatimes.com/news/international/business/chinas-tough-cybersecurity-law-to-come-into-force-from-june-1/articleshow/58895534.cms

 China’s Cyber Security Law: The Impossibility Of Compliance?

It is very likely that many multinational companies (MNCs) will feel the heat. The brunt of the CSL currently falls on “critical information infrastructure” (CII) operators. The broad definition of CII encompasses not only traditional critical industries such as power, transport and finance, but also other infrastructure that could, as outlined in the law, harm the “people’s livelihoods”. This means that any foreign company that is a key supplier to a ‘critical’ sector, as well as any company that holds significant amounts of information on Chinese citizens, could become a prime target for regulators seeking to enforce the CSL.

https://www.forbes.com/sites/riskmap/2017/05/29/chinas-cyber-security-law-the-impossibility-of-compliance/#67d4ec93471c

 Cybersecurity Governance: Transform Mediocrity into Excellence

So gold standard security relies on the top team putting in place first-rate governance to ensure everything works as it should. Information security rests on four key pillars:

  • Leadership and culture
  • Management of risks
  • Independent audit
  • Resourcing

https://www.infosecurity-magazine.com/opinions/cybersecurity-governance-transform/

 Cybersecurity startups will be funded at slower pace and lower valuations than last year

  1. Many companies weren’t even doing the basics right. Existing products were either never fully deployed or not used effectively, and best practices were falling by the wayside. This was usually the result of understaffed security teams being overwhelmed with alerts, many of which were false positives.
  2. The previous generation of security products were just plain inadequate. Not only had the bad guys become more advanced than ever, enterprises were rapidly shifting the way they consume technology. The rise of cloud and mobile put sensitive assets outside of an enterprise’s perimeter and beyond the protection of legacy security vendors.

https://venturebeat.com/2017/05/29/cybersecurity-startups-will-be-funded-at-slower-pace-and-lower-valuations-than-last-year/

 Sun Tzu’s ‘The Art of War’ for Cybersecurity

Beyond the military, its advice on how to outsmart opponents has been applied to various competitive fields from business to sports. Increasingly, as warfare moves from the battlefield to the realm of cyber-space, its principles are being seen as especially applicable to cybersecurity. Despite being written thousands of years ago, these classic defense strategies are undoubtedly still relevant for the modern defender of IT infrastructure. The principles of Sun Tzu are not only relevant to defense, but also for understanding the approach of attackers.

https://www.infosecurity-magazine.com/opinions/sun-tzus-art-of-war-cybersecurity/

 A Clever New Way to Protect Your Data at the Border Could Also Add Risk

The new 1Password feature, called Travel Mode, makes it easier for users to remove sensitive data from their password manager before they travel, and then reinstate it when they get to their destination or return home. It lets you create a set of passwords that are “safe for travel,” while temporarily removing any sensitive data you may not need on the road. It’s a way to reduce the exposure risk for nonessential data, or data that could impact others if revealed.

https://www.wired.com/2017/05/clever-new-way-protect-data-border-also-add-risk/

 G7 Demands Internet Giants Crack Down on Extremist Content

“The G7 calls for Communication Service Providers and social media companies to substantially increase their efforts to address terrorist content,” Britain, the United States and their G7 partners said in a statement. “We encourage industry to act urgently in developing and sharing new technology and tools to improve the automatic detection of content promoting incitement to violence, and we commit to supporting industry efforts in this vein including the proposed industry-led forum for combating online extremism,” they said.

http://www.securityweek.com/g7-demands-internet-giants-crack-down-extremist-content

 Elections, Deceptions & Political Breaches

Security is compromised most often by simple deception techniques, not by technical skill. A hacker needs only a foothold on the corporate network. Successful social engineering through spearphishing attempts typically relies on three key attributes of simple deception: a plausible method (for example, a seemingly plausible email communication designed to blend into our inbox), a plausible narrative (such as an overdue invoice), and, finally, moderation, to make the material believable.

https://www.darkreading.com/attacks-breaches/elections-deceptions-and-political-breaches/a/d-id/1328946?

 Florida GOP operative asked for – and received – Russian hackers’ help in congressional race

Aaron Nevins, a Republican operative in Florida, now admits that he colluded with Russian government hackers in order to help the candidate he supported win a congressional race. When the Journal asked Nevins whether it was right to collaborate with the Russian government to undermine a congressional race in the United States, he responded: “If your interests align,” he said, “never shut any doors in politics.”

http://www.homelandsecuritynewswire.com/dr20170526-florida-gop-operative-asked-for-and-received-russian-hackers-help-in-congressional-race

 Shadow Brokers Want $20,000 for Monthly Leaks

While some experts believe the most important files may have already been made public, the group claims it’s still in possession of a lot of data, including exploits for Windows 10, web browsers, routers and smartphones, SWIFT network data, and information on nuclear and missile programs in Russia, China, Iran and North Korea. The first monthly dump will be made available sometime between July 1 and July 17.

http://www.securityweek.com/shadow-brokers-want-20000-monthly-leaks

 Microsoft Patches Several Malware Protection Engine Flaws

The vulnerabilities affect several Microsoft products that use the antimalware engine, including Windows Defender, Exchange Server, Windows Intune Endpoint Protection, Security Essentials, Endpoint Protection and Forefront Endpoint Protection. Users of these products do not have to take any action as the update has been applied automatically.

http://www.securityweek.com/microsoft-patches-several-malware-protection-engine-flaws

 Using Bitcoin to prevent identity theft

Through a set of clever protocols, that computational hurdle prevents the system from being coopted by malicious hackers. Researchers from MIT’s Computer Science and Artificial Intelligence Laboratory presented a new system that uses Bitcoin’s security machinery to defend against online identity theft. The system piggybacks on the digital currency’s security protocols to thwart hijacked servers.

http://www.homelandsecuritynewswire.com/dr20170530-using-bitcoin-to-prevent-identity-theft

====

Critical Informatics and the Critical Informatics logo are the trademarks of Critical Informatics, Inc. All other brand names, trademarks, service marks and copyrights are the property of their respective owners.  © 2017 Critical Informatics, Inc. All rights reserved.
