Welcome to SCIAP
SCIAP MISSION: To create a virtual cyber security support group supporting the Cybersecurity Community by facilitating communication, sharing information and providing free posting resources to do all that (with no ADs or collecting / using any of your info.) Contact us with your ideas for supporting our Security Community. For more information, contact

Welcome to Cyber News Tidbits 4U !

Another periodic cyber security news gram / digest = tidbits. (.. been over 3 weeks since the last one, so….) Arranged in a top down, couple of ‘likely’ interest levels as before… with more short snippets, fewer threats and only a few local events (at the very bottom). Feedback is always welcome too… as is sending me articles to share… cyber information sharing in action ! (All links have been checked out… though you may need to cut & paste into your browser.)

NOVEMBER 22

—Microsoft Invests $1 Billion In ‘Holistic’ Security Strategy
Executives detail strategic and cultural shift at Microsoft to an integrated security approach across its software and services, and announce new managed services group and cyber defense operation center.

—Millions of sensitive records exposed by mobile apps leaking back-end credentials
Thousands of mobile applications, including popular ones, implement cloud-based, back-end services in a way that lets anyone access millions of sensitive records created by users, according to a recent study.

—NIST Seeks Review of Email Safety Doc
Email systems have become so routine that consumers and workers often regard them as simply part of the furniture — like a standard-issue desk at a government or business office. However, the technology is more complex than most users appreciate — and that complexity makes it constantly vulnerable to cybersecurity threats.

—Backup Your Files To Thwart A Ransomware Attack On Your Laptop And PC
Ransomware is on the rise and you should protect yourself by backing up your laptop and PC files today. An advisory from the FBI’s Internet Crime Complaint Center this past June stated that more than $1 million a month, on average ($18 million over the prior 15 months), was paid to recover computers from Ransomware incidents. The FBI had received nearly one thousand Ransomware complaints from citizens, businesses, and government agencies.

—Cybercriminals turn to video ads to plant malware
Cybercriminals have been delivering malware through online display ads for years, but they appear to be making headway with a new distribution method: video advertisements. Both methods of attack, known as malvertising, can have a broad impact and are a major headache for the ad industry. A single malicious advertisement, distributed to several highly trafficked sites, can expose tens of thousands of computers to malware in a short time.

—IBM Report: Ransomware, Malicious Insiders On The Rise
X-Force’s top four cyber threat trends also names upper management’s increasing interest in infosec.

—One in six US employees who find lost USBs use them
Some 17% of US consumers picked up USB sticks they ‘found’ and plugged them into their devices, opened the text file and either clicked the unique link or emailed the listed address, according to an experiment by The Computing Technology Industry Association.

—Cryptolocker/Cryptowall Ransomware Kit Sold for $3,000 – Source Code Included
The Cryptolocker/Cryptowall 3.1 ransomware kit is being sold for $3,000 worth of bitcoins, according to a Pastebin post, which claims to even offer the source code along with the manual and free support. For those interested in purchasing only a couple of binaries, the malware developers offer a bundle of 8 per customer for $400. However, the developer also seems open to an affiliation program in which both you – the customer – and the developer split the revenue 50/50.

—Healthcare Apps, WordPress Most Popular Web Attack Targets
Content management systems were attacked three times more often than other Web applications — especially WordPress, which was hit 3.5 times more often, according to Imperva’s new Web Application Attacks Report. WordPress, the most popular CMS, has taken a beating this year, marred by a variety of vulnerabilities — particularly, weaknesses in plug-ins, of which the CMS has over 30,000 — and an increase in brute-force attacks.

—Microsoft to Host Data in Germany to Block the US from Spying on Its Users
Microsoft’s getting ready to take the fight with the United States government over user data to a completely new level, as the company is ready to turn to data centers in Germany in order to block American agencies from snooping in on customers.

—Don’t Toy With The Dark Web, Harness It
The Dark Web’s sinister allure draws outsized attention, but time-strapped security teams would benefit from knowing what’s already circulating in places they don’t need Tor or I2P to find.

—Microsoft Finally Ties the Knot with Red Hat for Linux on Azure – Network World
In a move many consider long overdue, Microsoft and Red Hat on Wednesday announced a new partnership through which Microsoft will offer Red Hat Enterprise Linux as the preferred choice for enterprise Linux workloads on Azure.

—Emerging Threats to Maritime Energy Infrastructure
Countries are increasingly dependent on the security of maritime energy infrastructure, which is vulnerable to a range of well-known risks and threats, including terrorist attacks, piracy and natural disasters. More recently, concerns about the potential consequences of cyber attacks have become more widespread.

—Everyone Should Get a Security Freeze
This author has frequently urged readers to place a freeze on their credit files as a means of proactively preventing identity theft. Now, a major consumer advocacy group is recommending the same: The U.S. Public Interest Research Group (US-PIRG) recently issued a call for all consumers to request credit file freezes before becoming victims of ID theft.

—States’ Cyber Security Readiness Presents “Grim Picture” Pell Study Finds
Just eight states of 50 fared decently in a Pell study on their preparedness to deal with current and emerging cyberthreats.

—US-China Security Review Commission Discusses ‘Hack-Back’ Laws
Commission’s annual report to Congress recommends a closer look at whether companies should be allowed to launch counterattacks on hackers.

—DDoS And The Internet’s Liability Problem
It’s past time for an improved liability model to disrupt DDoS.

—What The Boardroom Thinks About Data Breach Liability
Most public companies subscribe to cybersecurity insurance of some sort, and 90% say third-party software vendors should be held liable for vulnerabilities in their code.

—How Web Analytics Is Being Used for Cyber Attacks
Today, websites are being altered to redirect users to a profiling script known as WITCHCOVEN. The purpose is to track and profile Internet users and infect their computers with targeted malware. WITCHCOVEN is part of a large-scale effort by cyber criminals that uses web analytics and open source tools for reconnaissance. The effort has been highly successful, with vast amounts of information collected on web traffic and Internet visitors from around the world.

—Insider’s Guide to Incident Response
This handy guide provides expert, practical tips on how to build an incident response plan and team, and what tools and training you can use to arm those team members. Learn insider secrets like: Arming & Aiming Your Incident Response Team; Incident Response Process & Procedures; The Art of Triage: Types of Security Incidents.

—Is Your Data Governance Program Heading Down the Wrong Path?
Good data governance is as much about doing things the right way as not doing things the wrong way. Although enterprise data governance efforts have been launched at many companies, the success rate of these initiatives isn’t encouraging. There’s a lot of advice available on data governance best practices that should be adopted; this expert guide lists the top “worst practices” that your company needs to avoid. You’ll view both sides of the issue: How data governance done right will add value to your business – and how data governance done wrong will create more work for your company, without any of the benefits.

—Who’s Really In Charge If a Massive Cyberattack Strikes US?

—FFIEC Updates Cybersecurity Expectations for Boards

—IoT begs for Privacy | 21st Century Privacy

—Clarifying the fog of cyber security complexity – the “sweet 16” capabilities / portfolios.
Functionally decompose what “cyber” is into manageable portfolios!

2 ++++++

—Security researcher warns “future is extortion” as cyber-criminals target SMEs
Sitting in the F-Secure Labs in Helsinki, Sean Sullivan, security researcher at F-Secure, warned that the “future is extortion”. Referring to a significant rise in ransomware attacks by organised crime gangs, he warned that ransomware operations have become ‘slick’, so much so their customer support could be viewed as ‘enterprise’ grade.

—Study: Serious Web Security Flaws Rampant on Embedded Devices
The web interface is a bit like the “bacon” of the Internet of Things – every device tastes (and works) a lot better with one. But, if implemented or deployed improperly, those web interfaces can be fat targets for remote attackers. Now a survey of firmware by researchers in France and Germany finds that many of those web interfaces are, indeed, vulnerable.

—Report: Botnets Help Bump Cyberattack Attempts by 20 Percent
ThreatMetrix last week reported that it had detected and prevented more than 90 million attempted cyberattacks in real time across industries from July to September. The attempted attacks covered fraudulent online payments, logins and new account registrations, and represented a 20 percent increase over the previous quarter, according to ThreatMetrix Cybercrime Report: Q3 2015.