Jan
30

Cybersecurity in healthcare is now center stage. So who should be responsible?

From: MedCity News

by

I’ve been involved in building many life-critical and mission-critical products over the last 25 years and have found that, finally, cybersecurity is getting the kind of attention it deserves.

We’re slowly and steadily moving from “HIPAA Compliance” silliness into a more mature and disciplined professional focus on risk management, continuous risk monitoring, and actual security tasks concentrating on real technical vulnerabilities and proper training of users (instead of just “security theater”). I believe that security, like quality, is an emergent property of the system and its interaction with users and not something you can buy and bolt on.

Jan
30

Cisco 2015 security report highlights need for threat detection

From: ArcticWolf

Tom Clare

While much of the talk about cybersecurity recently has been centered around the need for organizations to invest more heavily in defense solutions, a new industry report suggests that increased cyberthreat education may be what’s needed instead.

Cisco’s 2015 annual security report analyzed threat information from last year and looked ahead to see what the pressing cybersecurity issues of 2015 will be. According to the report, enterprise IT decision-makers are much more confident in their defense postures than they should be, with 60 percent of organizations failing to implement the necessary security patches. In fact, of the businesses surveyed that use Internet Explorer as their default browser, only 10 percent reported running the latest version, opening themselves up to a slew of zero-day vulnerabilities. Despite this obvious lack of protection, 90 percent of survey participants still reported being confident in their cybersecurity capabilities.

Jan
22

Software license optimization and DHS’ CDM program

From: Federal Times

Jim Ryan, Chief Operating Officer – Flexera Software

As chief operating officer, Jim Ryan is chartered with leading Flexera Software’s worldwide sales team, ensuring operational alignment and driving organizational development and leadership. Jim has been affiliated with the business since 1998. Prior to becoming chief operating officer, Jim was senior vice president of worldwide sales where he led consistent and strong revenue growth. Previously, while located in the UK, Jim served as the general manager for Macrovision’s EMEA region and led the global Macrovision software business unit sales team. Also during his tenure with Macrovision, he led the company’s services, technical support, operations and pre-sales teams. In 2008 Jim helped lead the spinoff of Macrovision’s Software Business Unit to the private equity firm of Thoma Bravo, which launched the Flexera Software brand.

Jan
21

New Technology Detects Cyberattacks By Their Power Consumption

From: InformationWeek/DarkReading

Kelly Jackson Higgins

Startup’s “power fingerprinting” approach catches stealthy malware within milliseconds in DOE test.

A security startup launching early next week uses trends in power consumption activity, rather than standard malware detection, to spot cyberattacks against power and manufacturing plants. The technology successfully spotted Stuxnet in an experimental network before the malware went into action.

PFP Cybersecurity, which officially launches on Monday and was originally funded by DARPA, the Defense Department, and the Department of Homeland Security, basically establishes the baseline power consumption of ICS/SCADA equipment such as programmable logic controllers (PLCs), supervisory relays, or other devices and issues an alert when power consumption or RF radiation changes outside of their baseline usage occur. Such changes could be due to malware, as well as to hardware or system failures, for instance.

Jan
20

Three elements that every advanced security operations center needs

From: CSO

Michael Lee

Security operations centers (SOC) have been around for a while, stretching back to the old room full of live camera feeds. The intent of a SOC is simple: provide the business with the ability to see what is going on in order to take action if necessary. The level of SOC sophistication varied depending on the risks and infrastructure complexity. Consider the humble stretch of road as an analogy for businesses in the very early days of the internet: In low risk, low traffic areas, it was often not necessary to have a constant additional surveillance of this road. Road rules — basic perimeter-based network security measures like firewalls — still applied, but it was considered sufficient for any out-of-the-ordinary incidents to be handled reactively.

Jan
15

Two ways Kiwi businesses can fight back against corporate espionage

From: Computerworld

As advanced persistent threats (APTs) evolve, they are becoming more of a threat to businesses.

James Henderson (Computerworld New Zealand)

Attacking until they reach their end goal, according to Palo Alto Networks, APTs aim to carry out corporate espionage or maintain control of a strategically important network, making it vital for businesses to understand the threat and take steps to protect themselves.

Research indicates that 83 per cent of APT infiltrations lasted weeks or more before they were discovered.

Jan
15

NIST Will Hold an Information Security and Privacy Advisory Board Meeting in February

From: Squire Patton Boggs/Capital Thinking Blog

The National Institute of Standards and Technology (NIST) will hold a three-day meeting of its Information Sharing and Privacy Advisory Board from February 11-13. The meetings will be open to the public and will cover a range of issues including continuous monitoring and continuous diagnostics and mitigation, updates on the NIST Cybersecurity Framework and the President’s EO, the development of NIST cryptographic standards, and the legislation passed in December to update the Federal Information Security Management Act. Additionally, the meeting will also feature presentations from the Department of Justice’s cybersecurity unit and the National Security Agency’s privacy officer.

Jan
14

President Obama Proposes National Breach Notification Standard

From: eSecurity Planet

By Jeff Goldman

In a speech at the Federal Trade Commission on January 12, 2015, President Obama proposed a nationwide breach notification standard that would require all U.S. companies to notify consumers of a breach within 30 days.

***

Steve Hultquist, chief evangelist at RedSeal, said by email that the new law will likely create additional pressure on organizations to work harder to avoid breaches rather than simply responding to them. “To avoid being breached, organizations have to be able to see and comprehend their extensive and complex network-interconnected systems and to know all possible attack vectors before they are exploited,” he said. “The most visionary organizations understand that this analysis is actually possible, and deploy systems to continuously monitor their network and systems to safeguard their customers’ information and their critical assets.”

Jan
08

The biggest cyberthreat to companies could come from the inside

From: c/net

A recent attack against Morgan Stanley that exposed hundreds of thousands of customer accounts was an inside job, a threat experts say is nearly impossible to stop.

by

Companies spend billions of dollars each year to protect from determined hackers attacking from across the Internet, but experts warn they shouldn’t ignore a closer threat they aren’t even ready for: Inside jobs.

Morgan Stanley, one of the world’s largest financial services firms, revealed Monday its customer information was breached. But it wasn’t the result of determined hackers or sophisticated email attacks. Instead, Morgan Stanley said it was an employee who stole data from more than 350,000 customer accounts.

Jan
07

Why Today’s Security Measures Just Don’t Cut It

From: Wired

By Steve Jones, Capgemini

The security challenges that businesses face on a daily basis are innumerable. In fact, we’ve spent the last thirty years securing all things imaginable – firewalls, antivirus, access and identity controls, biometrics, GRC, etc. However, today’s “hackers” are smarter than ever and companies need a more efficient way to stronghold their data.

For a hypothetical example, let’s take Bob, a systems administrator in a major bank with access to most of the core systems in FX trading. He’s become disenchanted recently after a string of average performance reviews and is thinking about setting up his own niche FX platform with a friend in another bank. He thinks that with the bank’s existing trading model and some adaptations they can create a smart little business.
