How to get your staff to take cybersecurity seriously

Education is the key to teaching employees a shared sense of responsibility for the data they work with. Any awareness campaign should be part of an ongoing process rather than a one-off exercise. While some small businesses may feel they lack the resources, there are ways to run an effective cybersecurity education campaign without breaking the bank.

Security Operations Teams Are Overwhelmed by Vulnerabilities and Volume of Threat Alerts, Study Finds

What emerged, in a nutshell, is that operations staff are overwhelmed by the sheer volume of vulnerabilities, are falling behind in efforts to remediate them, and tend to under-report the problem to their seniors. To put this into context: on average, a mid-market firm might have 10 full-time staff servicing ten new vulnerabilities per asset per month across just under 2,000 assets, i.e. almost 20,000 vulnerabilities to service every month. For a very large enterprise those figures translate to 100 staff servicing more than 1.3 million vulnerabilities every month. Seventy-four per cent of security teams admit they are overwhelmed by the volume of maintenance work required.

More Voters View Cyberattack As Act of War

A new Rasmussen Reports national telephone and online survey finds that 62% of Likely U.S. Voters believe a major cyberattack on the United States by another country should be viewed as an act of war. That’s up from 57% in late 2014 after alleged attacks by North Korea and Iran and 55% in April 2013 following a cyberattack on South Korea. Only 17% now say such an attack should not be viewed as an act of war, but a sizable 21% are undecided.

NIST Cybersecurity Framework: The smart person's guide

The framework isn't just for government use, though: It can be adapted to businesses of any size. TechRepublic's smart person's guide about the National Institute of Standards and Technology's Cybersecurity Framework (NIST CSF) is a quick introduction to this new government recommended best practice, as well as a "living" guide that will be updated periodically to reflect changes to the NIST's documentation.

Cyber Attacks: Criminals could use attacks to disable key buildings, experts warn

The warning comes in the wake of the WannaCry ransomware attack last week, which brought the NHS to a standstill and infected the systems of Nissan, O2 owner Telefonica, FedEx and others. The attack is believed to have shut down 200,000 devices in 150 countries. Although it was eventually foiled, the number of cyber attacks is increasing. “Their culture is extortion and using ransomware for cyber attacks. Instead of damaging buildings, they have been stopping people doing business, but we know a cyber attack on a German steel mill caused an explosion. They have not been combined with a physical one yet, but there is no reason why they won’t.”

Ransomware’s Aftershocks Feared as U.S. Warns of Complexity

The attack is more complicated because “the experts tell us that this code was cobbled together from many places and sources,” according to an administration official who insisted on anonymity to discuss the government’s cybersecurity plans. The more potential sources of the malicious code, the harder it is for investigators to run down the trail of possible perpetrators.

As prices rise, oil companies drill down on industrial cyber security

Rising oil prices and increased awareness of industrial cyber threats seem to have spurred new corporate-level maneuvers this year to secure computer controls that run energy facilities, said Barak Perelman, chief executive of Israeli cyber security firm Indegy. At some oil companies, he said, chief information security officers now spend a quarter of their monthly security committee meetings discussing so-called industrial control systems, the devices that control oil and gas equipment.

Dealing with WannaCry on Monday morning, and the days ahead

In the medical sector, an IT staffer explained during a brief phone conversation that his team isn't allowed to install patches or additional software, as doing so often requires various checks and change approvals, as well as certification. There is also the consideration of support contracts, under which the hospital isn't allowed to alter a system's software, and that includes patching. As for the legacy systems in the medical world, dealing with them isn't a simple upgrade or replacement. That's not because the organization is cheap, but because when you purchase expensive medical equipment, the investment is measured in decades, not years. There is also the issue of compatibility to consider.

The urgent need to ‘quantify the hidden costs of a data breach’

“Increasingly, we are seeing organisations struggling to recover from a cyber incident when compared to more traditional types of downtime. If a disk fails or a database corrupts for example, the recovery process is relatively simple. You can fail-over to a replica system or restore data from a backup. Cyber attacks however, add an increased layer of complexity.”

Why You Really Need to Stop Using Public Wi-Fi

The most common method of attack is known as “Man in the Middle.” In this simple technique, traffic is intercepted between a user’s device and its destination by making the victim’s device believe the attacker’s machine is the access point to the internet. A similar, albeit more sinister, method is called the “Evil Twin.” Here’s how it works: you connect to the free Wi-Fi in your hotel room, thinking you’re joining the hotel’s network. But somewhere nearby, an attacker is broadcasting a stronger Wi-Fi signal from their laptop, tricking you into using it by labeling it with the hotel’s network name.
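The evil-twin setup described above leaves a signature in an ordinary Wi-Fi scan: the same network name advertised by an access point whose security setting or vendor prefix does not match the rest. The script below is an added example written for this digest, not code from the original article. The scan records are constructed, and the field names (`ssid`, `bssid`, `security`, `signal_dbm`) are assumptions standing in for whatever a scanner such as `iw dev wlan0 scan` or a wireless IDS exports.

```python
"""Flag possible 'evil twin' access points in a Wi-Fi scan.

Added example; not from the original article. SAMPLE_SCAN is constructed
and the record field names are assumptions about the scanner output.
"""
from collections import defaultdict

# Constructed sample scan: a hotel network served by two legitimate APs
# (same vendor OUI, WPA2) plus a rogue open AP broadcasting the same SSID
# at a much stronger signal, and an unrelated cafe network for contrast.
SAMPLE_SCAN = [
    {"ssid": "Hotel-Guest", "bssid": "00:11:22:aa:bb:01", "security": "WPA2", "signal_dbm": -62},
    {"ssid": "Hotel-Guest", "bssid": "00:11:22:aa:bb:02", "security": "WPA2", "signal_dbm": -70},
    {"ssid": "Hotel-Guest", "bssid": "de:ad:be:ef:00:01", "security": "OPEN", "signal_dbm": -35},
    {"ssid": "Cafe-WiFi",   "bssid": "00:33:44:cc:dd:01", "security": "OPEN", "signal_dbm": -55},
]


def oui(bssid):
    """Vendor prefix (first three octets) of a MAC address, lower-cased."""
    return bssid.lower()[:8]


def find_evil_twins(scan):
    """Return {ssid: [reasons]} for SSIDs that look like they are being spoofed.

    Two heuristics, neither conclusive on its own (a real WIDS correlates
    these over time and with the known inventory of legitimate BSSIDs):
      * the same SSID is advertised with different security settings, e.g.
        an open AP next to WPA2 APs: the attacker usually cannot reproduce
        the real network's PSK or 802.1X setup, so the twin is left open;
      * the same SSID is advertised by BSSIDs from different vendor OUIs,
        unusual for a managed deployment and typical of a laptop or travel
        router standing in for the house APs.
    """
    by_ssid = defaultdict(list)
    for ap in scan:
        by_ssid[ap["ssid"]].append(ap)

    findings = {}
    for ssid, aps in by_ssid.items():
        if len(aps) < 2:
            continue  # a lone AP gives nothing to compare against
        reasons = []
        securities = {ap["security"].upper() for ap in aps}
        if len(securities) > 1:
            reasons.append("mixed security: " + ", ".join(sorted(securities)))
        ouis = {oui(ap["bssid"]) for ap in aps}
        if len(ouis) > 1:
            reasons.append("multiple vendor OUIs: " + ", ".join(sorted(ouis)))
        if reasons:
            # The twin wins by being the strongest signal; name that BSSID so
            # the user (or the WIDS) knows which one to avoid or locate.
            strongest = max(aps, key=lambda ap: ap["signal_dbm"])
            reasons.append(
                f"strongest signal from {strongest['bssid']} ({strongest['signal_dbm']} dBm)"
            )
            findings[ssid] = reasons
    return findings


if __name__ == "__main__":
    for ssid, reasons in find_evil_twins(SAMPLE_SCAN).items():
        print(f"[!] {ssid}")
        for reason in reasons:
            print("    -", reason)
```

On the constructed scan only `Hotel-Guest` is flagged: it mixes OPEN and WPA2 and spans two OUIs, with the open `de:ad:be:ef:00:01` AP as the strongest signal. `Cafe-WiFi` is open but has a single AP, so there is nothing to compare it with.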

Cybersecurity is one of the top risks organizations must manage in 2017

Healthcare: ransomware attacks are projected to rise 250%, and hackers were responsible for 106 major healthcare data breaches in 2016. Financial services: Despite ranking only third in volume of security incidents, the financial services industry came in first in number of incidents leading to confirmed data losses. Insurance: Risk is twofold in this market, because insurers are not only targets of hackers, they're also providers of coverage to victims. Education: At the beginning of February 2016, the University of Central Florida announced a data breach had affected approximately 63,000 current and former students, faculty and staff.

Researchers hack industrial robots; yet another IoT disaster

The demonstration centers on the security flaws in Internet of Things (IoT) devices and the urgent need for security measures to address them. The robots in question are manufactured by firms such as ABB, Kawasaki, Fanuc and Yaskawa. The Trend Micro researchers found that industrial robots from these firms have a vulnerability that allows attackers to make changes to the robots, altering the way they operate.

Board members are main targets in a cyber attack

‘How many of our people already took the awareness training?’ And the answer will be 80-90%. And then I ask the board members if they took the training. And they say, ‘Oh no! We haven't taken it yet.’ But their inbox is the first inbox that is going to be targeted. A company can have 6,000 people but the first in line to be targeted are the people in the boardroom. In most of the hacks, the first step is a phishing email. So board members need to be trained to understand the threat and ask the right questions.

Improving Cybersecurity: The Diversity Imperative

Cybersecurity problems, including some of the most urgent, pressing, and knotty ones, often have little or no technical component. There are so many other elements to contend with -- awareness and training, security processes and procedures, incident response, recovery planning and communication. To fill those one million cybersecurity jobs, the industry must look to cross-train professionals from other disciplines.

Homeland Security Issues Warning on Cyberattack Campaign

The Department of Homeland Security is warning IT services providers, healthcare organizations and three other business sectors about a sophisticated cyberattack campaign that involves using stolen administrative credentials and implanting malware, including PLUGX/SOGU and RedLeaves, on critical systems. [...] "Some of the campaign victims have been IT service providers, where credential compromises could potentially be leveraged to access customer environments," the alert notes. "Depending on the defensive mitigations in place, the threat actor could possibly gain full access to networks and data in a way that appears legitimate to existing monitoring tools."
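The alert's key point is that a stolen administrative credential passes every per-event check: the account is real, the password is right, the logon succeeds. What gives it away is behaviour over time, such as a service-provider admin account suddenly working from a workstation it has never used and fanning out across many hosts in minutes. The script below is an added example written for this digest, not code from the DHS alert or the original article. The log lines are constructed and deliberately simplified; the `account=... type=... src=... dst=...` layout and the host names are assumptions, loosely modelled on Windows 4624 logon events (logon type 3 = network, 10 = RDP).

```python
"""Detect stolen-admin-credential use that looks legitimate event by event.

Added example; not from the DHS alert or the original article. SAMPLE_EVENTS
is constructed; the line format and host names are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_EVENTS = [
    # Baseline week: the MSP admin account works from its jump host to two app servers.
    "2017-05-01T09:12:00 account=svc_msp_admin type=10 src=msp-jump01 dst=app01",
    "2017-05-02T10:05:00 account=svc_msp_admin type=10 src=msp-jump01 dst=app02",
    "2017-05-03T14:30:00 account=svc_msp_admin type=3 src=msp-jump01 dst=app01",
    # Later: the same valid credential, a new source host, many targets in minutes.
    "2017-05-10T02:41:10 account=svc_msp_admin type=3 src=ws-finance07 dst=app01",
    "2017-05-10T02:41:35 account=svc_msp_admin type=3 src=ws-finance07 dst=fileserv01",
    "2017-05-10T02:42:02 account=svc_msp_admin type=3 src=ws-finance07 dst=dc01",
    "2017-05-10T02:42:40 account=svc_msp_admin type=3 src=ws-finance07 dst=backup01",
    "2017-05-10T02:43:15 account=svc_msp_admin type=3 src=ws-finance07 dst=hr01",
    "2017-05-10T02:44:00 account=svc_msp_admin type=10 src=ws-finance07 dst=fileserv01",
    # An unrelated interactive user logon (type 2); nothing odd here.
    "2017-05-10T09:00:00 account=alice type=2 src=ws-sales03 dst=ws-sales03",
]

REMOTE_LOGON_TYPES = (3, 10)  # network and RDP: the ones lateral movement uses


def parse(line):
    """Turn one constructed log line into a dict with a datetime timestamp."""
    ts, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["ts"] = datetime.fromisoformat(ts)
    ev["type"] = int(ev["type"])
    return ev


def build_baseline(events, before):
    """Per account: set of source hosts seen in remote logons before `before`."""
    sources = defaultdict(set)
    for ev in events:
        if ev["ts"] < before and ev["type"] in REMOTE_LOGON_TYPES:
            sources[ev["account"]].add(ev["src"])
    return sources


def detect(lines, baseline_until, window=timedelta(minutes=10), fanout=4):
    """Return alert strings for remote logons after `baseline_until` that either
    come from a source host the account never used during the baseline, or
    reach `fanout` or more distinct hosts inside `window` (lateral movement).
    Each finding is reported once per account so a burst does not flood the queue.
    """
    events = sorted((parse(l) for l in lines), key=lambda e: e["ts"])
    baseline = build_baseline(events, baseline_until)
    alerts = []
    new_source_seen = set()   # (account, src) pairs already reported
    fanout_reported = set()   # accounts already reported for fan-out
    recent = defaultdict(list)  # account -> remote logons inside the window

    for ev in events:
        if ev["ts"] < baseline_until or ev["type"] not in REMOTE_LOGON_TYPES:
            continue
        acct, src = ev["account"], ev["src"]

        # 1. Known account, never-before-seen origin. Only meaningful when the
        #    account has a baseline at all; brand-new accounts need other checks.
        if baseline.get(acct) and src not in baseline[acct] and (acct, src) not in new_source_seen:
            new_source_seen.add((acct, src))
            alerts.append(f"{ev['ts']} {acct}: remote logon from new source {src} "
                          f"(baseline sources: {', '.join(sorted(baseline[acct]))})")

        # 2. Fan-out: one credential touching many hosts in a short window.
        q = recent[acct]
        q.append(ev)
        q[:] = [e for e in q if ev["ts"] - e["ts"] <= window]
        targets = {e["dst"] for e in q}
        if len(targets) >= fanout and acct not in fanout_reported:
            fanout_reported.add(acct)
            alerts.append(f"{ev['ts']} {acct}: reached {len(targets)} hosts within "
                          f"{window} from {src}: {', '.join(sorted(targets))}")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, baseline_until=datetime(2017, 5, 8)):
        print("[!]", alert)
```

Run against the constructed log with a baseline cut-off of 2017-05-08, this produces exactly two alerts for `svc_msp_admin`: one for the new source `ws-finance07`, and one at 02:42:40 when the account has reached four distinct hosts inside ten minutes. `alice` never appears. In a real deployment the baseline would come from weeks of logs and an allow-list of provider jump hosts, and the fan-out threshold would be tuned per role, but the shape of the check is the same: compare each valid logon against what that credential normally does, not against whether it succeeded.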

Unlocking the Power of NIST’s Cybersecurity Framework

NIST developed the CSF three years ago as a set of voluntary industry standards and best practices to help critical infrastructure organizations manage cybersecurity risks. It was intended to be effective and specific in its recommendations while remaining flexible enough for all organizations to implement it. The CSF makes complex information about cybersecurity and risk management more accessible. It creates a common vocabulary that personnel can understand at all levels of the organization from the server room to the boardroom.

Why businesses have the wrong cybersecurity mindset, and how they can fix it

"Building an impenetrable defense is no longer practical and the mentality of preventing all breaches is outdated," Seth Robinson, senior director of technology analysis for CompTIA, said in a press release. "But a new, proactive approach combining technologies, procedures and education can help find problem areas before attackers discover them."

Security-as-a-service model gains traction

With mid-market companies feeling an increasing need to devote time and resources to network security, the security-as-a-service model is gaining traction, according to new research released yesterday by 451 Research. "The security challenge for mid-tier businesses is multi-dimensional," Daniel Cummins, analyst at 451 Research, said in a statement. "For these businesses, everything seems to be increasing — attack frequency, compliance requirements, complexity, costs and the number of security products that need to be managed."

The Internet of Things Needs a Code of Ethics

We’ll be seeing a lot more autonomous systems, we’ll be seeing enhanced humans and smart systems, devices, and organizations. When you put all of those together, and you start thinking about how to bring out the best of the Internet of Things rather than the worst of the Internet of Things, governance is really the key. That means understanding how to design and build and think about these systems. Who’s responsible and who’s accountable, what does it mean to be ethical, and what does it mean to promote the public good?

Ransomware, Cyberespionage Dominate Verizon DBIR

The DBIR, an analysis of more than 40,000 incidents (including 1,935 breaches) investigated by Verizon, shows that cybercriminals targeted manufacturing, the public sector and education the most, but Verizon senior network engineer Dave Hylender said the healthcare industry was hit the hardest with ransomware. “Organized criminal groups continue to utilize ransomware to extort money from their victims, and since a data disclosure in these incidents is often not confirmed, they are not reflected in statistical data,” Verizon wrote.
