IT Security News Blast 02-07-2018

How Secure is Medical Data

Study claims most businesses lack cyber expertise to prevent attacks
Cyber insurance company Hiscox surveyed 4,000 organizations and rated them on a  cyber readiness model that divided respondents into ‘cyber novices’, ‘cyber intermediates’ and ‘cyber experts’ and found that only 11 percent scored highly enough in both cyber security strategy and the quality of its execution to qualify as cyber security ‘experts’. Nearly three quarters, 73 percent, fell into the novice category but not for underinvestment in technology but because firms are failing to support their investment in security technology with a formal strategy, sufficient resourcing and training, and sound processes.
https://www.scmagazine.com/cyber-insurance-company-hiscox-surveyed-4000-organizations-and-rated-them-on-a-cyber-readiness-model-based-on-their-security-posture/article/742434/

Are insurers ready to meet New York’s cyber security standards?
Under the rule, the DFS states that institutions, including insurance companies, need to have a cyber security program to protect consumers’ private data, written policies approved by a board or senior officer, a chief information security officer, as well as plans in place “to help ensure the safety and soundness of New York’s financial services industry.”
https://www.insurancebusinessmag.com/us/news/cyber/are-insurers-ready-to-meet-new-yorks-cyber-security-standards-91398.aspx

New SEC Cyber Unit Hunts for Fraudsters
The kinds of crimes the Cyber Unit investigates range from market manipulation schemes involving false information spread through electronic and social media to hacking to obtain material nonpublic information, and violations involving distributed ledger technology and initial coin offerings. The unit also will tackle misconduct perpetrated using the dark web, intrusions into retail brokerage accounts, and cyber-related threats to trading platforms and other critical market infrastructure.
https://fedtechmagazine.com/article/2018/02/new-sec-cyber-unit-hunts-fraudsters

Consumer Advocates Cry Foul On CFPB’s Equifax Stance
President Donald Trump and his administration are facing complaints from consumer protection advocates, who are advocating for a reopening of the investigation into the Equifax data breach. […] “The (Trump) administration should get on the side of consumers and focus on making sure hacks like the #EquifaxBreach don’t happen again,” tweeted Senator Mark Warner, a Democrat, according to Reuters.
https://www.pymnts.com/news/cfpb/2018/consumer-protection-mick-mulvaney-equifax/

Pentagon No. 2 foreshadows future of ‘uncompromising’ cyber-hygiene
The Defense Department’s No. 2 official hinted Tuesday of a future in which the military’s cybersecurity is “uncompromising” and good cyber-hygiene is a condition of business. […] He proposed a policy under which, like a financial disclosure statement, “we want you to sign a cyber disclosure statement that says everybody you do business with is secure.”
https://www.fedscoop.com/dod-cyber-hygiene-pentagon-military-defense-contractors-patrick-shanahan/

HIMSS Healthcare Security Forum call for proposals is open
There may be no topic more important in healthcare than securing data and maintaining business continuity in the face to today’s mounting cyber threats. Our goal for this event is to deliver, over two days, a mix of topics and speakers who can provide the best strategic and tactical information to our audience of 200-plus healthcare CISOs and security leaders.
http://www.healthcareitnews.com/news/himss-healthcare-security-forum-call-proposals-open

How Secure is Your Medical Data?
About a year ago the American Medical Association included security and telemedicine in its list of top issues facing physicians.  But it’s not just a doctor issue – add patients, clinics, and hospitals to the list of non-compromising stakeholders.  The medical industry, like other industries home to Small-and-Medium businesses (SMBs), needs to be especially sensitive to security requirements that protect patients and themselves against cyber breaches.
https://securityboulevard.com/2018/02/how-secure-is-your-medical-data/

Lawmakers: Cyber warfare skills critical for future military, homeland security
Gallagher said past U.S. cyberspace failures come down to humans, and future solutions will come down to recruiting the best talent. The military is among those weighing how to gain a larger share of servicemembers with those skills, with some military leaders brainstorming ideas of creating a separate career path for cyber and special operators, he said.
https://www.stripes.com/news/lawmakers-cyber-warfare-skills-critical-for-future-military-homeland-security-1.510216

Brig. Gen. Jennifer Buckner Promoted to Head Army Cyber Command
Her joint assignments include Joint Force Component Command – Network Warfare and later U.S. Cyber Command as an operational planner, Joint Interagency Task Force West in Iraq as an intelligence planner, and the Joint Chiefs of Staff as an intelligence planner supporting the Director of Strategic Plans and Policy (J-5).
https://www.hstoday.us/channels/dod-national-defense/brigadier-general-jennifer-buckner-promoted-head-army-cyber-command/

M&E Journal: Mitigating Cyber Risks Through Military Strategies
We need to understand how the theater of war has changed and apply that line of thinking to the cybersecurity field. Of course, our war plan still must include broad land attacks such as directed “noisy” assaults on our internet facing assets. However, we now need to consider Advanced Persistent Threat (APT) that may include crafted unique malware targeting our organizations, or even a single person.
http://www.mesalliance.org/2018/02/06/journal-mitigating-cyber-risks-military-strategies/

73% of firms fail cybersecurity readiness tests
That failure to prepare has major consequences: Globally, almost half of the 4,500 businesses surveyed (45%) across the US, UK, Germany, Spain, and the Netherlands reported at least one cyber attack in the past year. Of those, two-thirds suffered two or more attacks. This should further act as a warning for businesses that have not implemented strong cybersecurity practices: It’s no longer a question of if you will experience a breach, but when.
https://www.techrepublic.com/article/73-of-firms-fail-cybersecurity-readiness-tests/

Cybersecurity PTSD affects many security professionals
At the risk of continuing to sound like Chicken Little, I believe the cybersecurity skills shortage represents an existential threat to all of us. The organizations we regularly trust with our data don’t have enough trained people or advanced skills to adequately protect it. Furthermore, the cybersecurity professionals they depend upon are overworked, highly stressed, and prone to burnout.
https://www.csoonline.com/article/3253627/leadership-management/cybersecurity-ptsd-affects-many-security-professionals.html

Urgent Need for DHS to Take Actions to Identify Its Position and Critical Skill Requirements
In addition, although DHS has taken steps to identify its workforce capability gaps, it has not identified or reported to the Congress on its department-wide cybersecurity critical needs that align with specialty areas. The department also has not reported annually its cybersecurity critical needs to the Office of Personnel Management (OPM), as required, and has not developed plans with clearly defined time frames for doing so.
https://www.gao.gov/products/GAO-18-175

Cybersecurity skills shortage: What are the root causes?
Look at the engineering that goes into manufacturing an automobile or public transportation. It’s electrical, it’s mechanical, it’s software and it’s chemical engineering. We need to be raising that at the design and engineering phase across those disciplines. They at least need to have Cyber 101 and say, ‘When you’re using your creative juices at the inception stage, be thinking about how we put secure products out.’
http://searchsecurity.techtarget.com/answer/Cybersecurity-skills-shortage-What-are-the-root-causes

Why cybersecurity skills should be taught at business schools
If your CIO walks in and wants $100 million to invest in cybersecurity, that’s a lot of money no matter who you are. It’s like, “Well, can you prove to me that you made it better?” Part of your strategy, you need to involve this kind of thinking where you have, just like anything, you invest money, you expect a return. You invest money you expect other products, you money in cyber you expect better protection. That’s just part of the thinking that’s got to go into it.
https://www.techrepublic.com/article/why-cybersecurity-skills-should-be-taught-at-business-schools/

State Dept. Reverses Course, Plans to Launch Cyber and Digital Economy Bureau
Secretary of State Rex Tillerson plans to launch a new cyberspace and digital economy bureau, seemingly reversing course under congressional pressure after he shuttered the department’s cyber coordinator’s office in August. […] The new bureau “would cohesively unify the Office of the Coordinator for Cyber Issues and the Bureau of Economic Affairs’ Office of International Communications and Information Policy,” a State Department spokesperson said.
http://www.nextgov.com/cybersecurity/2018/02/state-dept-reverses-course-plans-launch-cyber-and-digital-economy-bureau/145767/

China launches salvo against “network navy” of trolls who spread fake news
Network navies are loose organizations of hundreds or thousands of people recruited through sites targeted at “leisure workers”—people seeking extra money by doing tasks similar to Mechanical Turk jobs in their spare time. The organizers of these groups have typically marketed the services of their workers to companies looking for “grassroots” marketing help—or, more accurately, fake grassroots (“astroturf”) campaigns—on social media services such as WeChat, the Weibo micro-blogging site (China’s answer to Twitter), Dianping (like Yelp), and RenRen (a Chinese Facebook clone).
https://arstechnica.com/tech-policy/2018/02/china-launches-salvo-against-network-navy-of-trolls-who-spread-fake-news/

Tech-support scammers have a new trick to send Chrome users into a panic
A new technique reported by security provider Malwarebytes works against Chrome by abusing the programming interface known as the window.navigator.msSaveOrOpenBlob. By combining the API with other functions, the scammers force the browser to save a file to disk, over and over, at intervals so fast it’s impossible to see what’s happening. Within five to 10 seconds, the browser becomes completely unresponsive.
https://arstechnica.com/information-technology/2018/02/tech-support-scammers-have-a-new-trick-to-send-chrome-users-into-a-panic/

Cisco Issues New Patches for Critical Firewall Software Vulnerability
“After broadening the investigation, Cisco engineers found other attack vectors and features that are affected by this vulnerability that were not originally identified by the NCC Group and subsequently updated the security advisory,” said Omar Santos, principal engineer with Cisco’s product security incident response team, in a blog post. Cisco also found additional denial of service conditions. A “new comprehensive fix” is now available, Santos said.
https://threatpost.com/cisco-issues-new-patches-for-critical-firewall-software-vulnerability/129793/

All Ledger hardware wallets vulnerable to man in the middle attack
The report stated that a Ledger wallet creates a brand new address every time a payment is to be received but through man-in-the-middle attack, while the user is trying to generate this address in order to transfer cryptocurrency to their wallet, the amount would be transferred to a fraudulent address if the computer is infected with malware.
https://www.hackread.com/all-ledger-hardware-wallet-vulnerable-to-man-in-the-middle-attack/

X.509 metadata can carry information through the firewall
In brief, TLS X.509 certificates have many fields where strings can be stored … The fields include version, serial number, Issuer Name, validity period and so on. The certificate abuse described in our research takes advantage of this fact to hide data transfer inside one of these fields. Since the certificate exchange happens before the TLS session is established there appears to never be data transfer, when in reality the data was transferred within the certificate exchange itself.
https://www.theregister.co.uk/2018/02/06/x509_certificate_attack/

Oh, banks have cameras? Two men arrested for ATM jackpotting scheme must’ve forgot
The accused are Alex Alberto Fajin-Diaz, 31, of Spain, and Argenys Rodriguez, 21, of Massachusetts. Facing up to 30 years in prison if convicted, the pair appeared before a federal judge on Monday. Fajin-Diaz and Rodriguez allegedly dressed as repair staff, walked into banks and used malware to get the ATM machines to eject all of their money. The haul was thousands of dollars in cash each time.
https://www.cyberscoop.com/two-arrested-for-atm-jackpotting-scheme-forget-banks-have-cameras/

 

====

Critical Informatics and the Critical Informatics logo are the trademarks of Critical Informatics, Inc. All other brand names, trademarks, service marks and copyrights are the property of their respective owners.  © 2017 Critical Informatics, Inc. All rights reserved.