IT Security News Blast 04-17-2018

Blockchain Cybersecurity in FinServ

Healthcare Data Security Requires Active Employee Participation!
A security campaign for healthcare workers needs to gradually develop as an ongoing behavioral program that starts by conducting a high-level risk assessment to identify organizational issues and how staff behavior affects them. Device malfunction, system outages and stolen or manipulated data contribute to risks that staff needs to be made aware of, along with how to react to each.
https://healthcare.cioreview.com/news/healthcare-data-security-requires-active-employee-participation-nid-26070-cid-31.html

Using Deception Technology to Stay Ahead of Cyber Threats
As part of HITRUST’s threat intelligence sharing efforts, “we’re actually deploying decoys that mimic healthcare systems,” such as electronic health records systems and medical devices, he says in an interview with Information Security Media Group. “We lure the would-be-attackers into these decoys that look and feel just like production systems but contain fake data so that we can capture their techniques, tactics and procedures,” he says.
https://www.govinfosecurity.com/interviews/using-deception-technology-to-stay-ahead-cyber-threats-i-3956

Understanding Risk Assessment for InfoSec Budgeting
Last month, Critical Informatics founder Mike Hamilton moderated a panel discussion in downtown Seattle, reinforcing a practical methodology to establish common ground and build a case for IT Security investments. Comprised of regional Information Security leaders in legal, actuarial consulting, health insurance, and education, our panel explored the process and practicality of applying this methodology. Read on to learn what the experts had to say about their use of risk assessment to secure executive buy-in for investments that reduce the risk of IT security events leading to expensive outcomes.
https://criticalinformatics.com/resources/blog/understanding-risk-assessment-for-infosec-budgeting/

Is Blockchain Causing More Cybersecurity Attacks in the Financial Industry?
Rather than ignore it — or treat it as a security threat — the industry needs to identify the potential of blockchain and set to work to use this as a way to add security. This, increasingly, is the case, with banks and big tech firms working on ways to harness blockchain to shelter the data of financial firms and customers alike. Clearly scams shouldn’t be ignored — and work needs to be done to crack down on these — but nor should the positive potential of blockchain as a force for security.
http://www.circleid.com/posts/20180416_is_blockchain_causing_more_cyberattacks_in_financial_industry/

Cyber-attacks post GDPR: a doomsday scenario
The fallout from the breach in this example is likely going to be severe. Not only did the company fail to adequately protect themselves against cyber-attacks, they also failed to identify and report the breach within the GDPR-mandated 72-hour grace period for businesses under such circumstances. As a result, the company will likely be hit with an intense period of scrutiny from the relevant authorities, and then a fine depending on the severity of the breach, history of compliance and preventative measures that were in place before the breach.
https://www.itproportal.com/features/cyber-attacks-post-gdpr-a-doomsday-scenario/

The cybersecurity skills gap caused 40% of IT pros to stall their cloud migrations
It takes an average of six to nine months to fill a cybersecurity position, according to Barika Pace, a research director at Gartner, which means that cloud security efforts may be placed on hold for many companies, unless they turn to outside consultants or third-party security platforms. While 83% of IT professionals said they store sensitive data in the public cloud, only 69% said they trust the public cloud to keep their data secure.
https://www.techrepublic.com/article/the-cybersecurity-skills-gap-caused-40-of-it-pros-to-stall-their-cloud-migrations/

U.S. Offers $25 Million Cybersecurity Grant After Pipeline Attacks
The agency is making $25 million in grants available for projects that pursue new approaches to making the energy sector more resilient to cyberattacks. The deadline for applications is June 18, according to a statement Monday. Earlier this month, at least seven U.S. pipeline companies said their electronic communications systems were shut down, with five confirming the disruptions were caused by a web attack. The threat followed a U.S. government warning in March that Russian hackers are conducting an assault on the electric grid and other targets.
https://www.bloomberg.com/news/articles/2018-04-16/u-s-offers-25-million-cybersecurity-grant-after-pipe-attacks

Minnesota unveils 5-year plan to improve cybersecurity
The state’s budget for fiscal year 2019 would allocate $19.7 million to cybersecurity. “It’s a good start,” said Aaron Call, Minnesota’s chief information security officer, “But it won’t set us up forever. What we really need is to get past the politics and agree on how much we are willing to spend on cybersecurity.” Minnesota spends about 2 percent of its IT budget on security, compared to an industry standard of 8 to 10 percent.
https://statescoop.com/minnesotas-five-year-plan-addresses-evolving-cyber-threat

The United States needs a Department of Cybersecurity
The Department of Homeland Security is responsible for national protection, including prevention, mitigation and recovery from cyberattacks. The FBI, under the umbrella of the Department of Justice, has lead responsibility for investigation and enforcement. The Department of Defense, including US Cyber Command, is in charge of national defense. In addition, each of the various military branches has its own cyber units. No one who wanted to win would organize a critical capability in such a distributed and dispersed manner.
https://techcrunch.com/2018/04/16/the-united-states-needs-a-department-of-cybersecurity/

Russian hackers mass exploit routers in homes, govs, and infrastructure
The Russian government-sponsored actors are using the compromised devices to perform man-in-the-middle attacks that extract passwords, intellectual property, and other sensitive information and to lay the groundwork for potential intrusions in the future, the officials continued. The warning was included in a technical alert jointly issued by the US Department of Homeland Security and FBI and the UK’s National Cyber Security Center.
https://arstechnica.com/tech-policy/2018/04/russian-hackers-mass-exploit-routers-in-homes-govs-and-infrastructure/

Putin predicts global ‘chaos’ if West hits Syria again
In a telephone conversation with his Iranian counterpart, Putin and Hassan Rouhani agreed that the Western strikes had damaged the chances of achieving a political resolution in the seven-year Syria conflict, according to a Kremlin statement. “Vladimir Putin, in particular, stressed that if such actions committed in violation of the UN Charter continue, then it will inevitably lead to chaos in international relations,” the Kremlin statement said.
https://www.euractiv.com/section/defence-and-security/news/putin-predicts-global-chaos-if-west-hits-syria-again/

Lawmakers still looking for definitive answer on what constitutes cyber war
As the United States is sorting out Russian involvement in the 2016 election and possible future elections, lawmakers are once again questioning the United States’ cyber war policy. Mostly they want to know exactly what the United States’ cyber war policy is. Since cyber became a major domain, what exactly constitutes an attack on the nation and its people remains debatable. Rep. Dan Donovan (R-N.Y.) wants to change that. Last week he went before the House Armed Services Committee to request a provision be added to the 2019 defense authorization bill that provides a legal definition of cyber warfare.
https://federalnewsradio.com/defense/2018/04/lawmakers-still-looking-for-definitive-answer-on-what-constitutes-cyber-war/

In harm’s way: Assessing Russia’s cyber-arsenal
Russia can draw from impressive resources: Its military culture breeds talented engineers able to perform increasingly damaging attacks. According to Echemendia, Russia is in a unique position, because the country doesn’t necessarily have to spend more money to gain a higher level of resources. […] “In Russia, there is no doubt that cyber-crime is more lucrative than working for a company,” Echemendia says. “Take, for example, if some kid in Russia finds a major hole, it could be sold on the dark web for well over a million dollars. There are very few times when people are moral enough to do anything else.”
https://www.scmagazineuk.com/in-harms-way-assessing-russias-cyber-arsenal/article/758656/

Cyber security watchdog warns UK telcos against using equipment from Chinese supplier ZTE
It is the latest crackdown on telecoms equipment suppliers by governments concerned about the national security threat of using telecoms networks supplied by Chinese companies. The US government has long barred American telecoms companies from buying network equipment from Huawei and has considered a plan to build a state-funded 5G network to alleviate security concerns.
https://www.ft.com/content/24c998b4-416c-11e8-803a-295c97e6fd0b

Police locate suspect from a crowd of 50,000 using Facial Recognition
According to police officer Li Jin from Honggutan police station, the 31-year-old suspect was involved in a number of ‘economic crimes’ and was already listed on the national online system as a fugitive. […] The suspect was located by security cameras at the ticket entrance of the concert venue and as soon as he was identified, he was apprehended by the police. There were several security cameras installed at the ticket entrances and all were equipped with facial recognition tech.
https://www.hackread.com/police-locate-suspect-from-a-crowd-using-facial-recognition/

Facebook tracks you even if you’re not a user, and you can’t really do anything about it
“There are basic things you can do to limit the use of this information for advertising, like using browser or device settings to delete cookies,” Facebook said when asked if users could opt out. “This would apply to other services beyond Facebook because, as mentioned, it is standard to how the internet works.” That is true, but you’d have to rinse and repeat that operation over and over. Also, that doesn’t limit Facebook’s ability to collect data on you, and it doesn’t let you delete any of the info the company has on you.
http://bgr.com/2018/04/16/facebook-tracking-non-users/

Thousands of Android apps are tracking children, study finds
The study found thousands of kid-targeted apps were collecting data from the device, some including GPS location and personal information. The study brings up concerns for parents, who would need an expert’s level of technical knowledge to figure it out themselves, Serge Egelman, the paper’s co-author, said. “They’re not expected to reverse engineer applications in order to make a decision whether or not it’s safe for their kids to use,” Egelman said.
https://www.cnet.com/news/thousands-of-android-apps-are-tracking-children-study/

AT&T and cable lobby are terrified of a California net neutrality bill
AT&T and the lobby group that represents Comcast, Charter, Cox, and other cable companies have been making their displeasure known to lawmakers in advance of hearings on a bill that could impose the toughest net neutrality law in the nation. The California bill implements the FCC’s basic net neutrality rules from 2015, but it also bans paid zero-rating arrangements in which home or mobile Internet providers charge online services for data cap exemptions.
https://arstechnica.com/tech-policy/2018/04/att-and-cable-lobby-are-terrified-of-a-california-net-neutrality-bill/

Cisco backs test to help classical crypto outlive quantum computers
The PQPKI test has adopted a hybrid approach to the problem, allowing certificates to be tested using post-quantum schemes if machines support them, but falling back to traditional certificate checks if not. A hybrid scheme would also save certificate authorities and users from having to run duplicate systems, Isara explained. Cisco’s Panos Kampanakis said: “Once the quantum-safe algorithms are standardised, we may have a very short time frame in order to migrate our systems.”
https://www.theregister.co.uk/2018/04/16/post_quantum_pki_test/

Hackers attack Casino’s fish tank thermometer to obtain sensitive data
At that time, Fier explained, someone managed to infiltrate the fish tank and used it to access the network and steal data. In that particular case too, the company refrained from revealing the name of the targeted casino. All that we know about the casino yet is that it was located on the outskirts of North America. Eagan stated that the proliferation of IoT devices has made users a lot more vulnerable to cyber-attacks and we couldn’t agree more.
https://www.hackread.com/hackers-casinos-fish-tank-smart-thermometer-hack/


====

Critical Informatics and the Critical Informatics logo are the trademarks of Critical Informatics, Inc. All other brand names, trademarks, service marks and copyrights are the property of their respective owners.  © 2017 Critical Informatics, Inc. All rights reserved.