Putin signs data retention law (so what country is NEXT???)
Russian President Vladimir Putin has signed a law requiring internet companies to store all personal data of Russian users at data centers in Russia, a move which could chill criticism on foreign social networking sites like Facebook and Twitter. These companies, which do not have offices in Russia, have become a vital resource for opposition groups and refuse to hand over user data to governments. The use of Russian data centers would make them subject to Russian laws on government access to information.

Got a CDO…. Chief Data Officer? Do we even know what that is / does?
Capital One, the Federal Reserve, Google, New York City and the U.S. Army all have at least one thing in common: they each employ a chief data officer to oversee their big data programs.

Confused on all the data jobs? 13 analytics jobs compared

What You Can Buy for the Same Cost as Malware
Depending on the type, malware tools and kits can cost as little as $200 on the black market – price tags that rival common items and services that we buy every day. And guess what? Despite their affordability, these malicious tools can be quite effective, and your business could be the next victim. That’s why it’s critical to shore up your anti-malware defenses to help protect your valuable information. Check out the infographic, which depicts what the average consumer can buy for the same price as malware – a reminder of just how simple and cost-friendly it is to be an attacker these days.
Security undermined by companies investing in the wrong areas
The new report provides an assessment of the degree of confidence IT departments have in their efficacy, and identifies the areas most likely to receive future enhancements and investment.

Growth In The Internet Of Things Market – 2
The ‘Internet Of Things’ Will Be Bigger Than The Smartphone, Tablet, And PC Markets Combined

++ Cyber Security News you can likely use…

Forget ‘Things’ – It’s The Internet Of Business Models
With the Internet of Things, sensors and telematics don’t mean much if they’re not helping you disrupt traditional business models.

Infographic: With BYOD, Mobile Is The New Desktop
Security teams have no choice but to embrace the rapid proliferation of BYO devices, apps, and cloud services. To ignore it is to put your head in the sand. The convergence of mobile and cloud has increased employee productivity and increased the risk of data loss for enterprises. Because both technologies are data-centric and expose corporate data outside of the enterprise, we have to be aware of how we’re managing our resources and protecting our assets. Not knowing how to protect corporate data, many organizations have been hesitant to adopt mobile and cloud technologies.

Internet of Things: Security For A World Of Ubiquitous Computing
Endpoint security is hardly dead, and claiming that it is oversimplifies the challenges corporations face now and in the not-very-distant future. I got an email from my car the other day, informing me about its need for service. As a security professional, I found it unsettling, not surprising, but unsettling. What’s my car doing on the Internet, anyway? What are the possible implications of that? Security practitioners within corporate IT are rightly focusing on the emerging risks presented by laptops, tablets, and smartphones when used by employees and contractors in the course of doing business.
But other trends are developing all around us that challenge the foundations of our security assumptions.

Is the Internet of Things Getting Too Big?
US presidential policy advisers are concerned that the Internet of Things is simply too large. Companies that are making some of the items, such as refrigerators, “are not information companies, and the effect is that we are much more vulnerable,” according to Defense Policy Board and President’s Intelligence Advisory Board member Richard Danzig. A report from Danzig’s Center for a New American Security suggests that security can be improved by paring down systems to their essentials, so that they may be able to do less, but also will present fewer opportunities for security problems.
[There are some good thoughts in this report but if we really pared things down to their essentials to be more secure, cars would not have radios or cup holders and PCs would not include network interfaces. Trying to force technology changes to match old approaches to security is not a real world option.]

DASN C4I, IO, and Space Discusses NGEN, CANES and IT Cost Savings
Dr. John A. Zangardi assumed the duties of Deputy Assistant Secretary of the Navy, Command, Control, Communications, Computer Systems, and Intelligence, Information Operations and Space (DASN C4I, IO, and Space) in March of 2011. In this capacity, he provides executive oversight on all Department of Navy business enterprise, information technology acquisition and all space related acquisition. In his oversight role, he coordinates with key stakeholders to maximize alignment with Navy and Marine Corps needs. Mr. Zangardi responded to questions in writing in July.

Wall Street Journal Hacked Again | really…AGAIN!
SQL injection flaw in Wall Street Journal database led to breach. A vulnerability in a web-based graphics system led to a breach of The Wall Street Journal’s network by a hacker, the newspaper acknowledged late Tuesday.
The system was taken offline, and the intrusion did not affect customers or customers’ data, according to a story published by the paper.

How Hackers Hid a Money-Mining Botnet in the Clouds of Amazon and Others
Hackers have long used malware to enslave armies of unwitting PCs, but security researchers Rob Ragan and Oscar Salazar had a different thought: Why steal computing resources from innocent victims when there’s so much free processing power out there for the taking?

Hacking: The $3 Trillion Threat » SO…. just DO hygiene and PbD!!!
Threats and high risk costs are almost boring nowadays… Just get an improved cyber hygiene program going… nets a 95% drop in security incidents… then build in privacy by design for a huge liability reduction!!! I guess that simple message is too hard to see? As the RoI is huge…

Your Biggest Security Threats are Convenience and Ignorance
You’d think most of these breaches were the result of some sort of attack—a hacker or group of hackers trying to break in and find anything they can. Interestingly enough, 55 percent of security breaches were caused by human error, which is something we’re all familiar with. One can speculate as to why human error is a key piece of so many security breaches, but the fact is that these errors are likely the result of one (or both) of two things: a need for convenience, or simple ignorance.

Researchers Develop ‘BlackForest’ to Collect, Correlate Threat Intelligence
Researchers at the Georgia Tech Research Institute develop the BlackForest system to help organizations uncover and anticipate cyberthreats. That idea is the linchpin of BlackForest, a new cyber intelligence collection system developed by experts at the Georgia Tech Research Institute (GTRI). The system is meant to complement other GTRI systems that are designed to help companies and other organizations deal with sophisticated attacks.
Changing the Culture of Government Cybersecurity Through The Agile Cybersecurity Action Plan (ACAP)
Changes the organization’s focus from compliance to adapting to new risks & threats. A cross-functional leadership team shares information and decisions to create an evolving risk profile and resultant Cybersecurity Strategy. Uses agile methods to generate the near 90% solution response to the current risk profile and then iterates on 1-6 month cycles depending on technical and cyber turbulence. Each cycle the team assesses the organization’s Cybersecurity Infrastructure: Technology, Monitoring and Response Processes/Plans, Staff Capacity and Policies. This is an adaptive approach that focuses not on perfection, but good enough, iterating, adapting to make it better. Value is in creating a culture where strategy is seen as provisional, adaptive to changing threats and focused on action planning and implementation. Although the approach is “framework agnostic”, it can be a powerful process for implementing the Federal Cybersecurity Framework.

An IT Auditor’s Guide to Security Controls & Risk Compliance (GREAT eBook!)
Governance, risk and compliance professionals face many challenges. Most organizations must comply with multiple standards covering privacy, corporate financial data, protected health information and credit card data. Are you meeting the minimum requirements of the standards applicable to your business?

Keeping Secrets on the Internet of Things – Mobile Web Application Security (good slide show)

+ From Flying Cars To 3-D Printed Candy: Hottest Tech Trends And Brands At SXSW
Data security and privacy… wearable tech… payment methods… mobile… Apple…

(NIST) TBT Notifications for United States of America Update
Are you a U.S. exporter? Register for Notify U.S. – a free, web-based alert service on changing foreign and U.S. technical regulations that could affect global market access for your business.
The Rising Threat of Cybercrime
Organizations are being breached on a daily basis while often completely unaware that their valuable information is being stolen. 94% of cybercrime victims discovered a compromise only because a 3rd party notified them, and once a cybercriminal gains access to an enterprise’s network it takes an average 416 days to detect the intrusion… SO.. understand cybercriminal motives and methods and how you can create an effective defense.

++ FYI / FYSA Items of interest…

Did the White House website violate its own privacy rules?
The White House may have misled people who visited its website about how it tracked their online behavior. In a forthcoming paper, a group of researchers write that thousands of top websites, including WhiteHouse.gov, have been using a new persistent type of online tracking. Justin Brookman, the director of consumer privacy at the Center for Democracy and Technology, said the tracking was “probably inconsistent” with the White House’s own website privacy policy. According to the paper, which was first reported on by ProPublica, the White House site and other sites have been using a firm called Addthis, which used a form of tracking different from cookies.

GAO: Weaknesses remain in FDIC’s information security
The Federal Deposit Insurance Corporation enforces banking laws and regulates financial institutions across the country, yet weaknesses in its security posture place information at unnecessary risk, according to a new Government Accountability Office report.
The GAO report posits that while FDIC has “made progress in securing key financial systems” following a series of GAO audits dating back to 2011, its failure to implement specific recommendations by the watchdog agency has led to vulnerabilities in the “confidentiality, integrity, and availability of financial systems and information.”

Significant deficiencies found in Treasury’s computer security
Weaknesses in Treasury Department computer systems that track federal debt are severe enough to disrupt accounting, according to a government audit. Newly discovered security vulnerabilities at the Bureau of the Fiscal Service, coupled with older unfixed problems, constitute a “significant deficiency” for financial reporting purposes, the Government Accountability Office found. The weaknesses “increase the risk of unauthorized access, modification, or disclosure of sensitive data and programs, which could result in the disruption of critical operations,” Gary Engel, GAO director for financial management and assurance, wrote in an audit released July 18.

iPhones have major security hole that Apple installed on purpose
If you use an iPhone or iPad, your photos, web history, and GPS logs are vulnerable to theft and surveillance via back-door protocols running on all iOS devices, according to forensic scientist Jonathan Zdziarski, better known by the hacker moniker “NerveGas.” In a security-conscious era, we’re used to hearing about zero-day exploits—newly-discovered security holes that can be used to steal personal data or snoop on unsuspecting users. But Zdziarski says the vulnerabilities he has discovered were intentionally installed by Apple and have existed for years.

Are agency insider threat programs getting off the ground?
More than a year and a half after President Barack Obama issued a directive to agencies for dealing with disgruntled or rogue employees, it appears insider-threat programs are finally getting off the ground.
But even after the fallout from the WikiLeaks and Edward Snowden disclosures, it’s hard to tell how many agencies are actually checking all the boxes on the Obama administration’s plan for combating insider threats, which is one of the 15 cross-agency priority goals announced in its fiscal 2015 budget proposal. Agencies were supposed to have taken initial steps to set up insider-threat programs by June 30, according to an update posted on Performance.gov. Those initial steps included naming a senior agency official responsible for the agency’s effort, circulating an insider threat policy signed by the agency head and developing an implementation plan.

Chamber backs Senate cyber bill
The U.S. Chamber of Commerce is pressuring the Senate to take up and “expeditiously” pass a Senate cybersecurity bill that would encourage companies to share information about cyber threats with each other and the federal government. The Cybersecurity Information Sharing Act “would strengthen the protection and resilience of businesses’ information networks and systems against increasingly sophisticated and malicious actors,” the Chamber said in a letter Monday. The bill – from Senate Intelligence Committee Chairwoman Dianne Feinstein (D-Calif.) and Vice-chairman Saxby Chambliss (R-Ga.) – passed through the Intelligence Committee earlier this month by a 12-3 vote.

Microsoft to “Unify” Windows Development
Microsoft CEO Satya Nadella says the company is working on unifying portions of different Windows operating systems. Microsoft plans to “streamline the next version of Windows from three operating systems into one single converged operating system for screens of all sizes.” The three systems are the one used on phones, the one used on tablets and PCs, and the one used on Xbox systems. This does not mean that Microsoft will move to a single OS, but instead that the links between the various OSes will be deepened.
[From a security perspective, this raises the specter of vulnerabilities in Xbox showing up in a Windows phone and a Windows PC. It also sounds kinda déjà vu all over again from circa 2000 when the “same OS on your desktops and your servers” was deemed a competitive “feature” by Microsoft.]

Is Password Protection Really Enough?
When asked about their most commonly used risk control measures, 67 percent of respondents in a BYOD survey cited password protection. Numerous studies have discussed the issues associated with weak passwords and poor password protection practices, concluding that many users are particularly lax when it comes to password protection. Coupled with the fact that the majority of mobile devices are protected with just a four-digit passcode, which is relatively easy to guess or break, it is clear that passwords alone are far from sufficient.

‘System on a chip’ a boost for next-gen RF communications
DARPA researchers demonstrate an all-silicon SoC transmitter that could make RF systems smaller, lighter, cheaper and better.

A Complete Guide to CyberSecurity (pretty good overview!!!)
There’s no doubt that cyber security is center stage in the world today, thanks to almost continuous revelations about incidents, breaches and vulnerabilities. IBM has recently released a new 80-page practical guide “Staying ahead in the Cyber Security game: What Matters Now” that aims to inspire and provoke new thoughts and insights even if you are familiar with the topic. For those new to security, it’s a primer on what matters today.

Internet of Things: 4 Security Tips From The Military
The military has been connecting mobile command posts, unmanned vehicles, and wearable computers for decades. It’s time to take a page from their battle plan. While the efficiencies and insights gained through the deployment of this massive interconnected system will bring new benefits, it could also bring new risk.
Experience shows us that when everything is connected, everything is vulnerable. === Resiliency in data AND network… keep up with tech… focus on insider… embrace analytics…

Survey: Agencies could save billions with cloud
Agencies could save nearly $19 billion by migrating services and applications to the cloud, according to a survey of IT professionals released July 23. Public-private IT partnership Meritalk interviewed 159 agency IT professionals and found that while managers believe in savings averaging 18 percent, only 41 percent said their agencies were considering cloud computing options. The majority of IT managers surveyed gave their agencies only a “C” grade when it came to adoption of cloud technologies. Chris Smith, the vice president of technology at AT&T government solutions, which underwrote the survey, said there is no one-size-fits-all approach to cloud computing and that agencies need to tackle their concerns about security and data management before making the jump.

A Privacy Engineer’s Bookshelf
Privacy Engineering: A Data Flow and Ontological Approach, Oliver
The Privacy Engineer’s Manifesto, Dennedy, Fox, Finneran
Understanding Privacy, Solove
Privacy in Context, Nissenbaum

Bloomberg – The ‘Unthinkable’ May Need Board Attention
The lawsuit alleges that Target’s board breached its fiduciary duties to the company by ignoring the warning signs that a data breach could occur and participated in the maintenance of inadequate cyber-security controls by the company. Target is not unique, as similar suits for data security and privacy breaches have been filed against Google and others. The basis for liability revolves around whether the event could not have been reasonably anticipated by the directors – i.e., was it a “black swan” event – or if there were warning signs that were ignored or inadequately pursued by the board.

Are IT groups really ready for BYOD security challenges?
A new survey of IT security professionals shows that many businesses are barely starting to exploit mobile technology, and some of them may be a mobile security nightmare waiting to happen. In a self-evaluation question, 40% of the 2014 sample (compared to 34% in 2013) ranked their readiness for BYOD at 60% or higher. Yet responses to other questions suggest that is wildly optimistic.

++ THREATs / bad news stuff / etc…

This Emerging Malware Sends Secret Messages and Is Practically Impossible to Detect
As if computer malware that steals your data weren’t enough, now there’s a new kind to worry about: Malware that does it via covert messages that are practically impossible to detect. And it’s becoming more prevalent, according to a new paper by researchers at the Warsaw University of Technology, the National Research Council of Italy, and Fraunhofer FKIE, a private information security research institute. The malware is a modern take on steganography, an old technique of hiding secret messages in apparently innocuous texts. This new so-called “network steganography” works by cramming extra information into the data packets that travel across networks when we use the internet.

How thieves can hack and disable your home alarm system
When it comes to the security of the Internet of Things, a lot of the attention has focused on the dangers of the connected toaster, fridge and thermostat. But a more insidious security threat lies with devices that aren’t even on the internet: wireless home alarms. Two researchers say that top-selling home alarm setups can be easily subverted to either suppress the alarms or create multiple false alarms that would render them unreliable. False alarms could be set off using a simple tool from up to 250 yards away, though disabling the alarm would require closer proximity of about 10 feet from the home.
Ram Scraper Malware: Why PCI DSS Can’t Fix Retail
There is a gaping hole in the pre-eminent industry security standard aimed at protecting customers, credit card and personal data. As you undoubtedly know, point of sale (POS) terminals are computers with card readers. Most computers have permanent storage, such as hard drives or flash memory, and temporary storage, such as random access memory (RAM). The security standard that dictates how payment card data is protected is called the Payment Card Industry Data Security Standard (PCI DSS). It requires merchants to encrypt credit card data residing on permanent storage or traversing its publicly accessible networks, but not while being processed in RAM.

U.S. releases intelligence on Flight 17
Officials describe the sensitive information, ranging from satellite images to social media analysis, as evidence that Moscow trained and equipped rebels in Ukraine responsible for the downed jet.

For nearly every legitimate online business there is a cybercrime-oriented anti-business
The longer one lurks in the Internet underground, the more difficult it becomes to ignore the harsh reality. Case in point: Today’s post looks at a popular service that helps crooked online marketers exhaust the Google AdWords budgets of their competitors.

++ SD/SoCAL items of interest / opportunities
AUG
11-14 – Gartner Catalyst – Harness the Power of IT Convergence
18 – USENIX Summit on Gaming, Games and Gamification in Security Education (3GSE ’14)
21 – OWASP 6PM – Peleus Uhley from Adobe’s PSIRT Team
20-22 – 23rd USENIX Security Symposium

++ Future events FYI:
TBD – Provided by IEEE Cyber SIG / Various Security groups – all day – Privacy by design workshop – a cyber model & why you must be part of this initiative! (at Coleman University – AM Technical approach… PM public discussions)
+++ Help move SD forward in cyber – DOING security vs admiring the problem…. SO engage and help out on cyber 4 PbD!!!
17-19 Sep – CSA congress 2014 – CSA and the International Association of Privacy Professionals (IAPP) are combining their Congress US and Privacy Academy events
25 Sep – San Diego InfraGard Crisis Leadership Symposium
1 OCT – SoeC – CyberFest 2014 – great all day agenda planned… improving on last year’s success! October is cyber month after all!!!
1 Nov – Started planning “BigDataDay 4 SD” on a SAT. Jump in and help us! WE went to the one in LA and it was great… the organizer will help us do that here… likely our three tracks will be:
– Technical = Hadoop/Hbase/NoSQL;
– Data science = predictive analytics, etc.
– Applications = actual products, etc… Privacy / data security…