On preventing Snowden-style data leaks in your organization; should companies really worry about NSA spying?; On the usefulness of Red Team exercises; and how to defend against DDOS attacks.
Cause of recent DOE breach revealed to be outdated Coldfusion; 30% of adults willingly open emails they know are malicious; Spear phishing led to successful attacks on the nyt and twitter; DNS attack types
Cause of recent DOE breach revealed to be outdated Coldfusion: http://www.informationweek.com/security/attacks/energy-dept-hack-details-emerge/240160685
Spear phishing led to successful attacks on the nyt and twitter: http://www.networkworld.com/news/2013/082813-spear-phishing-led-to-dns-273297.html?page=1
DNS attack types: http://images.infoworld.com/d/security/3-types-of-dns-attacks-and-how-deal-them-225826
Mcafee apologizes for a USD$1T report; how the Snowden effect is impacting CIO’s; millions robbed from banks by attacking the wire transfer network, and hiding behind a DoS; Gartner’s recommendations for engaging the board of directors and other management in the security process.
Windows XP vulnerabilities may be stored up until after end of support on April 8, 2014; Department of Energy hacked for a second time in 2013; using metasploit and exploitDB to prioritize vulnerability patching; and a number of discussions on Lavabit.
Here is the link to the Society for Information Risk Analysts I mentioned: https://www.societyinforisk.org/ – the mailing list is here: http://lists.societyinforisk.org/mailman/listinfo/sira
Escrow service company forced to close after $1.5M theft resulting from malware, Incentives for complying with cyber framework, Benefits of expanding the cyber insurance market, Thousands of .nl domains redirected to black hole exploit kit
Escrow service company forced to close after $1.5M theft resulting from malware: http://krebsonsecurity.com/2013/08/1-5-million-cyberheist-ruins-escrow-firm/
Incentives for complying with cyber framework: http://www.csoonline.com/article/737795/white-house-considers-incentives-for-cybersecurity?page=1
Benefits of expanding the cyber insurance market: http://nakedsecurity.sophos.com/2013/08/09/will-insurance-firms-be-the-big-winners-in-the-struggle-for-cyber-security/
Thousands of .nl domains redirected to black hole exploit kit: http://www.zdnet.com/dutch-dns-server-hack-thousands-of-sites-serve-up-malware-7000019196/
Cyber Security, cybersecurity or cyber-security? On the need to be wary of USB devices despite having autorun disabled, the hacking of OVH highlights the need to take specific precautions with administrators, large UK companies urged to perform a cyber security review, and the misuse of the term “black swan”.
USB security concerns: http://www.zdnet.com/usb-flash-drives-masquerading-as-keyboards-mean-more-byod-security-headaches-7000018737/
OVH hack highlights exposure of administrators: http://www.itpro.co.uk/cloud/20266/ovh-hack-prompts-calls-tigher-system-admin-security-controls
GCHQ & MI5 pushing for security review of UK companies: http://www.computerweekly.com/news/2240201775/MI5-and-GCHQ-call-for-FTSE-350-cyber-health-check
Black swans: http://exploringpossibilityspace.blogspot.com/2013/07/think-you-understand-black-swans-think.html
Perception of risk as an art vs science, Estimating the economic impact of cybercrime and espionage, The futility of analyzing malware and the need to get better at detecting its activity, An attempt to link bad metrics to data loss trends, Insurance is getting cyber security savvy, Application whitelisting, Don’t forget about risks from security devices, Verizon releases the VERIS community database.
Ten year old Java bug, old and vulnerable versions of Java dominate on corporate desktops, a guide on critical infrastructure security, what is wrong with applying standard security approaches to industrial control environments, Lloyds survey finds cyber security is the number 3 concern of business leaders, watering hole attacks are replacing spear phishing as the attack method of choice, the crazy high value of health information dossiers and a cyber exercise performed by some large US banks.
Vulnerability market, OWASP top 10 still relevant, HP Storage back door, Default root ssh keys in EAS servers, IPMI Vulnerabilities, Dark Seoul update, Incident response goes horribly wrong, Dropbox and WordPress leveraged by attackers
Dark Seoul update: http://arstechnica.com/security/2013/07/hard-drive-wiping-malware-that-hit-s-korea-tied-to-military-espionage/
http://www.mcafee.com/us/resources/white-papers/wp-dissecting-operation-troy.pdf
Here is an interesting article on changing the social contract of vulnerability disclosures from the current, though recent, seven day cycle, to one that follows patch Tuesday, or whatever equivalent date the particular software vendor has for patches.
It’s a good idea, but I think the author missed an important nuance: the short 7 day notice is for situations where the discovering researcher has found evidence that the vulnerability is being actively exploited. In other cases where the vulnerability is not being actively exploited, the time frame is 6o days, which is compatible with the author’s idea. Note that the 7 day recommendation comes from Google and is available to read here.
I do not think that it makes sense to wait until after the next patch Tuesday in cases of active exploitation. The point is that users of the vulnerable technology need to know that there is a vulnerability being actively exploited, whether or not a patch is available, so that the user can take steps to mitigate the problem.
