IT Security News Blast 03-22-2018

Expert Cybersecurity Panel

[EVENT] Next Wednesday! ‘Understanding Risk Assessment for Your InfoSec Budget’ Luncheon and Expert Panel Discussion on 3/28 in Downtown Seattle
Join me and the Critical Informatics team in downtown Seattle for a complimentary luncheon and panel discussion on 3/28 at Noon reinforcing a practical methodology to build common ground and build a case for the most important IT Security investments your organization faces today. I’ll be moderating a dynamic panel of local InfoSec leaders, including Vern Cole at Perkins Coie, Glenn Joiner from Milliman, Matt Morton with Seattle Public Schools, and Sean Murphy on behalf of Premera Blue Cross. We’ll explore how to get security requirements funded – and how to assess what can be safely ignored. Registration required. Free lunch provided.

HITRUST updates its cyber framework to certify compliance with new EU privacy rules
The industry-based Health Information Trust Alliance has updated its cybersecurity framework to incorporate tough new European Union privacy requirements, as the group seeks accreditation for certifying compliance with the international regulations going into effect this spring. “HITRUST continues to build on its initiative to make the HITRUST CSF — a widely used information privacy and security framework — more open and comprehensive so that it can be applied more effectively across a variety of global industries,” the group said[.]

Healthcare sector ‘lacks awareness’ of cybersecurity threats
The RAE notes, however, that connected devices have different vulnerabilities – for example, a large number of people may have access to them and the consequences of tampering can be life-threatening. “There is little robust evidence or quantification of the current security risks and potential impacts in the NHS for connected health devices, or more broadly, upon which to base solutions,” the report says, adding “there is a need to start measuring the problem before solutions can be identified”.

How healthcare security efforts can incorporate advanced tech tools
Provider organizations also need to use more technology tools, both to defend networks, and confuse and thwart attackers. One category of active defense technology gaining increased adoption among healthcare providers is deception technology, an emerging category of security tools and techniques designed to prevent an attacker who has already entered the network from doing damage.

Cyber security: an opportunity rather than a threat in the cloud
This global trend to make cyber security a regulatory matter is a clear reflection of the actual threat to undisturbed, continuous operation of the global financial markets. Some parts of the market see intervention by the regulators in such matters as an “additional burden”, “over-regulation,” or an “unwelcome distraction” to generating revenue. […] In a world rife with cyber security threats, we are far away from the required cultural shift within the financial services markets—a shift from “brushing issues under the rug” to a culture of proactive disclosure and management of issues faced in day-to-day operations.

White Paper calls for industry coordination to challenge cyber attacks
Andrew Gray, chief risk officer at DTCC, said: “An attack on one or more institutions or critical infrastructures could have a contagion effect across the financial system, especially as interconnectedness continues to grow. As a result, it is critically important that firms incorporate additional redundancies to ensure that the failure of any single institution can be contained and mitigated.” He added: “To successfully achieve this, we must collectively prioritise resilience and recovery efforts across market participants, infrastructure providers, technology vendors and regulators.”

Cyber security expert issues call to modernise Patriot Act
Restrictions on data-sharing in the USA Patriot Act and at the Financial Services Information Sharing and Analysis Center (FS-ISAC) are hindering efforts to combat cyber attacks, the leader of a cyber crimes unit at Wells Fargo has said. FS-ISAC is an industry-run initiative that allows financial firms to anonymously exchange information on cyber threats. Banks can also share data about money laundering and terrorist activities under Section 314(b) of the Patriot Act[.]

The New Military-Industrial Complex of Big Data Psy-Ops
A science that is oriented toward the development of behavioral technologies is bound to view us narrowly as manipulable subjects rather than rational agents. If these technologies are becoming the core of America’s military and intelligence cyber-operations, it looks as though we will have to work harder to keep these trends from affecting the everyday life of our democratic society. That will mean paying closer attention to the military and civilian boundaries being crossed by the private companies that undertake such cyber-operations.

US Homeland Security Head: Election Cyber Security is Top Priority
Former president Barack Obama’s Homeland Security head, Jeh Johnson, also testified before the committee, which has been critical of both administrations for not acting more quickly to limit Russia’s meddling in the 2016 elections. Johnson said he agreed with the committee’s recommendations but cautioned they may not go far enough to prevent foreign meddling in U.S. elections. “The reality is that given our electoral college and our current politics, national elections are decided in this country in a few precincts, in a few key swing states. The outcome, therefore, may dance on the head of a pin.”

Kaspersky’s ‘Slingshot’ report burned an ISIS-focused intelligence operation
Kaspersky did not attribute Slingshot to any single country or government in its public report, describing it only as an advanced persistent threat (APT). But current and former U.S. intelligence officials tell CyberScoop that Slingshot represents a U.S. military program run out of Joint Special Operations Command (JSOC), a component of Special Operations Command (SOCOM). The complex campaign, which researchers say was active for at least six years, allowed for the spread of highly intrusive malware that could siphon large amounts of data from infected devices.

A New Front in Information Warfare
For the United States to succeed in this battle, citizens, not just the government, need to be more discerning about information, experts say. The country’s citizens are not well-versed in state-controlled messages or propaganda commonly used by closed, autocratic societies. American citizens must learn to handle digital meddling by adversaries, defend Western democracy and freedoms, and improve the country’s stance in assessing the truth, information warfare experts recommend.

US mulls drafting gray-haired hackers during times of crisis
At the behest of Congress, the commission has been directed to solicit public input on possible rule changes. The commission did so in February through a notice published to the Federal Register, the official record of US government actions. Among the various aspects of the US Selective Service System being re-evaluated is whether it might make sense to change the process to ensure that individuals with technical skills needed for national defense – medical, language, cyber, and science, technology, engineering and mathematics (STEM) skills – are required to register for a possible draft “without regard to age or sex.”

6 Cyber and Privacy Suits We’re Watching
Electronic communications go to Washington: It’s a privacy case more than a cybersecurity case—at question is whether the U.S. government can force Microsoft to hand over emails stored in Ireland under a Stored Communications Act (SCA) warrant.
Current rating: Not great: The data breach that has made the most national news in the past six months is also perhaps the largest: The breach of credit reporting agency Equifax that resulted in the personal information of more than 147 million people being compromised.

Privacy and Civil Liberties Under the CLOUD Act: A Response
It would appear to persist no matter how many privacy-related enhancements were added to the bill. Instead, the authors seem to prefer one of two possible results: (1) a continuation of the status quo or (2) a greatly revised CLOUD Act that essentially requires foreign governments to adopt U.S. standards, laws and policies as a precondition to accessing any content held by U.S. service providers.

New ransomware Zenis will delete backup files even if victim pays
The hacker viewed the ransomware recipient as a player in Zenis’s game, and if precise instructions are not followed exactly “you will become the main loser of the story.” Zenis went on to explain in an email – from four different accounts so far – that he would “decrypt your file for free” and “then receive the price of decrypting files.” After he confirms receipt of the deposit, the ransom payer would receive the “Zenis Decryptor” along with a “private key” to recover all the taken files.

SOC in Translation: 4 Common Phrases & Why They Raise Flags
Having worked in many different security environments, I’ve picked up on more than a few phrases that you hear only in the security operations center (SOC). These catchphrases frequently need translation — especially as CISOs and the entire C-suite look to get more involved with their organizations’ security practices. Below are a few to listen for, along with what they mean for the business.

8 security tools and tips for journalists
1. Use Signal
2. Use Tor
3. Don’t use PGP
4. Don’t use email
5. Deploy Transport Layer Security (TLS) on your news org’s website
6. Learn how the internet works
7. Think like an attacker
8. Stop thinking you’re going to go cloak-and-dagger with spies and win

GDPR is more important than ever: The Cambridge Analytica-Facebook meltdown
I am not going to delve into politics here (which is what this data was ultimately used for: micro-targeting and influencing the electorate). There is a lot more at stake here—subversion, ethics and privacy. Let us do a quick post-mortem here on the mechanics of this breach, the impact on what it means to a platform vendor and ultimately what you and I as consumers can and must do going forward.



Critical Informatics and the Critical Informatics logo are the trademarks of Critical Informatics, Inc. All other brand names, trademarks, service marks and copyrights are the property of their respective owners. © 2017 Critical Informatics, Inc. All rights reserved.