ICD Brief 29.
Perhaps it's the RSA Conference 2017 effect in San Francisco this week. We cite stunning numbers of similar national, corporate and individual examples of new collaborations, education, prosecutions and increased expectations from the USA, China, EU, India, Iran, Israel, NATO, Netherlands, Poland, Russia, UK and in Insurance. We feature ISACA’s State of Cyber Security 2017. Linked headlines offer a quick read followed by the full edition.
This effort remains personal and our pro bono contribution to chart realistic growth, innovation and working partnerships. We believe that reading these collected reports will help demystify and lift the fog of ambiguity that haunts this subject. But this is not a forced feeding exercise.
IoT experts join forces to secure the Internet of Things and share best practice
“AT&T, IBM, Nokia, Palo Alto Networks, Symantec and Trustonic are joining forces and combining their expertise to help tackle today’s top Internet of Things (IoT) security challenges. The IoT Cybersecurity Alliance will combine industry-leading security providers and IoT experts. The group will research and raise awareness of ways to better secure the IoT ecosystem. As the number and kinds of connected devices multiply, so have the security risks. In the past three years, AT&T has seen a 3198 percent increase in attackers scanning for vulnerabilities in IoT devices.”
“Watson for Cyber Security, announced by IBM on Monday, takes the same core capabilities of Watson—the ability to read millions of documents and terabytes of information to derive insights a human might not spot—and puts them into a security operations center. With security officers at large corporations sometimes scanning several hundreds of thousands of events happening over their networks each day, IBM says it can add another line of defense by proactively helping to spot breaches and hacking attempts that might slip through unnoticed, then making suggestions on the best response.”
“While the Department of Homeland Security (DHS) has worked toward implementing necessary cybersecurity measures in its National Cybersecurity and Communications Integration Center (NCCIC), there are still factors impeding its efficiency and effectiveness, the Government Accountability Office (GAO) found. NCCIC is required by the National Cybersecurity Protection Act of 2014 and the Cybersecurity Act of 2015 to perform 11 cybersecurity-related functions. This includes sharing information and enabling real-time actions to address cybersecurity risks and incidents at federal and non-federal entities, GAO explained in a recent report.”
“Scientists from the Department of Homeland Security will be at the annual RSA Conference next week, showcasing new cybersecurity technologies ready for the marketplace, including several involving artificial intelligence. The news seems to confirm what many observers are predicting: the massive security conference in San Francisco will be a coming-out party for a new generation of cybersecurity technology powered by machine learning, or AI.”
“Philadelphia Federal Reserve Bank President Patrick Harker on Monday said he is increasingly concerned about cyber threats to small banks, citing hackers stealing money by exploiting third-party vendors that provide cyber-security to many small banks.”
“China has proposed to further tighten control over the internet by setting up a new commission to vet hardware and internet services, Beijing’s internet regulator said Tuesday.
In Nov. 2016, Beijing had adopted a controversial cyber security law to counter increasing threats related to hacking and terrorism over the internet. However, the adoption triggered serious concerns among foreign businesses and several human rights groups. Mark Austen, chief executive of the Asia Securities Industry and Financial Markets Association, told a forum in Hong Kong in November that the law marked a “worrying” development because regulators globally have to work together to address cyber risks rather than attempt to isolate their jurisdictions.”
“By its very nature, the EU’s General Data Protection Regulation, which comes into force in May 2018, is designed to considerably increase individuals’ rights on personal data. In particular, it outlines special new provisions and compliance requirements for sensitive personal data, which includes genetic, biometric and health data, and information relating to sexual orientation, race, political opinions and so on.”
“Over 50,300 cyber security incidents like phishing, website intrusions and defacements, virus and denial of service attacks were observed in the country during 2016, Parliament was informed today. “As per the information reported to and tracked by Indian Computer Emergency Response Team (CERT-In), a total number of 44,679, 49,455 and 50,362 cyber security incidents were observed during the year 2014, 2015 and 2016, respectively,” Minister of State for Electronics and IT P P Chaudhary said in a written reply to Lok Sabha.”
“According to Claudio Guarnieri and Collin Anderson, two independent security researchers who have been tracking Iranian hackers for the past few years, the malware has also been used against a human rights advocate. The malware, dubbed MacDownloader, attempts to pose as both an installer for Adobe Flash, as well as the Bitdefender Adware Removal Tool, to extract system information and copies of OS X keychain databases.”
“Israel Aerospace Industries Ltd. (IAI), the country’s largest aerospace and defense company, said it has set up a special division to deal with the cyber business of its subsidiary ELTA Systems Ltd., a defense electronics company. The IAI has appointed Esti Peshin as the general manager of the division.”
“Israel’s cyber security bona fides are well-known with the country’s cybersecurity companies raising $581 million in 2016, totalling 15 percent of the global cyber pie. In the last few years, multinationals like Cisco, Amazon, Qualcomm and Microsoft have acquired several Israeli companies and others, such as EMC, Deutsche Telekom, PayPal, Oracle, IBM, Lockheed Martin have established their presence in Israel’s new cybersecurity centre in Beersheba.”
“The NATO Cooperative Cyber Defence Centre of Excellence on Wednesday released its first major revision to its influential Tallinn Manual, the closest thing there is to a rulebook for nation-led cyber operations. Like the original 2013 manual, the new version is the result of a study by NATO to gauge consensus opinions from international law experts on what types of cyber statecraft are acceptable.”
“A website used by millions of Dutch voters to test their political preferences was quietly keeping a tally of how many were matched with each party, a security researcher who penetrated the site said on Tuesday. The discovery by researcher Loran Kloeze raised potential privacy concerns and sparked a debate over whether the site was biased. The leaked results showed the Labour Party, a junior party in the governing coalition, received the second most matches even though it is running sixth in.”
“Polish banks are investigating massive systems hack after malware was discovered on several companies’ workstations. The source of the executables? The sector’s own financial regulator, the Polish Financial Supervision Authority (KNF). A spokesman for the KNF confirmed that their internal systems had been compromised by someone “from another country”. But when it was discovered that the regulator’s servers were hosting malicious files that were then infecting banks’ systems, the decision was made to take down the KNF’s entire system “in order to secure evidence.””
“Officials and security officers in France, Germany, and the Netherlands have agreed to share information as they brace for “influence operations,” including the leaking of hacked emails and using internet bots to spread fake or misleading news on social media, in the run up to presidential and general elections this year.”
“Thousands of British teenagers are to be given training in cyber security to boost the UK’s defences against the rising threat of online attacks. The new Cyber Schools Programme aims to teach pupils some of the skills they would need to help defend Britain’s businesses and institutions against online threats.”
“The UK’s cyber security chief has ridiculed public guidelines on internet passwords, claiming they require average Britons to memorise the equivalent of a 600-digit number every month. The head of GCHQ’s new National Cyber Security Centre, Ciaran Martin, said even his best spooks would not be able to remember all the different passwords current guidelines require.
He called for some new simpler advice to help people manage security, as the Queen was due to formally open his new centre, with Chancellor Philip Hammond also present to outline the threat to the UK from both criminals targeting the public and state actors attacking the Government.”
Private and public sector step up efforts to close the cyber security skills gap in the face of a global skills shortage.
“The UK cyber security workforce has grown by 163% in the past five years to 58,000, according to a research report by the Tech Partnership, a network of employers seeking to promote cyber skills.”
“Hiscox, the international specialist insurer, today released a study that gauges how prepared businesses are for cyber threats. The Hiscox Cyber Readiness Report 2017™ surveyed managers and IT specialists at 3,000 small to large companies in the US, UK and Germany and found that more than half (53%) of businesses are ill-prepared to deal with cyber-attacks. The study assessed firms according to their cyber readiness in four key areas — strategy, resourcing, technology and process — and ranked them from novice to expert. Fewer than a third (30%) qualified as ‘expert’ in their overall cyber readiness, of which nearly half (49%) were US-based companies.”
Microsoft Launches Security Score for Office 365
“Microsoft today began scoring the security settings of commercial customers that use Office 365, and at least one insurer said the ratings would be considered in the pricing of cybersecurity policies. Microsoft’s Secure Score API had been in preview availability since early August. At the time, users were measured on just 27 security configurations and behaviors that impact the security of data in an organization’s Office 365 environment.”
“For the third year in a row, ISACA has surveyed security leaders worldwide to determine their insights and experiences with key cyber security issues, ranging from workforce challenges and opportunities to the emerging threat landscape.”