Tag Archives: Risk

Inside the GAO’s Equifax breach report

In this week’s Risk & Repeat podcast, SearchSecurity editors discuss the Government Accountability Office’s report on the Equifax breach and the questions it raises.

The U.S. Government Accountability Office offered a detailed postmortem on the 2017 Equifax data breach, including new details about what led to the incident.

The Equifax breach report revealed that threat actors began scanning the credit rating agency’s systems for an Apache Struts vulnerability just two days after the vulnerability was publicly disclosed.

And while the Apache Struts bug enabled the attackers to gain a foothold in Equifax’s network, the Government Accountability Office (GAO) report shows the vulnerability was just one of many missteps that contributed to the breach. Those errors include missing 9,000 database queries made by the threat actors in search of valuable data, failing to catch data exfiltration because of a misconfiguration, and an outdated recipient list of system administrators who should have been notified of the Apache Struts flaw.

In addition, the Equifax breach report describes how U.S. government agencies were unclear about which — if any — federal agency was coordinating the response effort; the U.S. Department of Homeland Security offered assistance, but Equifax turned it down. Several agencies, including the IRS, U.S. Postal Service and Social Security Administration, used Equifax’s identity verification services at the time of the breach.

What were the biggest lessons learned from the Equifax data breach report? What did the GAO investigation miss? Should companies like Equifax that handle massive amounts of personal data be subject to greater government oversight? SearchSecurity editors Rob Wright and Peter Loshin discuss those questions and more in this episode of the Risk & Repeat podcast.

Are the Meltdown and Spectre flaws overhyped?

In this week’s Risk & Repeat podcast, SearchSecurity editors discuss whether or not Meltdown and Spectre deserved to be nominated for the Pwnie Awards’ Most Overhyped Bug.

Were the Meltdown and Spectre flaws as bad as some claimed? That question was raised by the Pwnie Awards at Black Hat 2018 earlier this month.

While the Meltdown and Spectre flaws were nominated for the Most Innovative Research and Best Privilege Escalation Bug awards, the flaws were also nominated for the Most Overhyped Bug award. According to the Pwnie Awards, the “hype train jumped the tracks a bit” with the reaction to Meltdown and Spectre.

While the Most Overhyped Bug award eventually went to another vulnerability, the Pwnie nomination illustrated the ongoing debate over the seriousness of Meltdown and Spectre. While some experts at Black Hat argued the flaws opened up a dangerous new avenue of attacks, others said Meltdown and Spectre aren’t nearly as threatening as other recent bugs.

Were the Meltdown and Spectre flaws overhyped by some media outlets and security researchers? How dangerous can the flaws be if there’s no evidence they’ve been successfully exploited in the wild? Have we seen the worst of Meltdown and Spectre or are more variants coming? SearchSecurity editors Rob Wright and Peter Loshin discuss those questions and more in this episode of the Risk & Repeat podcast.

Meltdown and Spectre disclosure in review

In this week’s Risk & Repeat podcast, SearchSecurity editors discuss new insights — and questions — regarding the coordinated disclosure effort for Meltdown and Spectre.

Black Hat USA 2018 offered new insights into the Meltdown and Spectre disclosure process and raised questions about how such coordinated vulnerability disclosure efforts should be handled.

A Black Hat panel discussion provided a behind-the-scenes look at the process from the perspective of Microsoft, Google and Red Hat representatives.

During the discussion, the panelists revealed a number of stumbling blocks that posed problems not only for Intel, AMD and ARM, but also for the security response teams at various stakeholder companies. For example, because of a miscommunication, Google wasn’t officially informed about the vulnerabilities until 45 days after they were first reported to the chipmakers.

The panelists also discussed the challenge of deciding which stakeholders to include in the Meltdown and Spectre disclosure and response process and when to include those parties.

How could the coordinated vulnerability disclosure process have been handled better? Should the pre-disclosure response and mitigation effort have included more people or fewer? How could Google have been left out of the loop for so long? SearchSecurity editors Rob Wright and Peter Loshin discuss those questions on the Meltdown and Spectre disclosure and more in this episode of the Risk & Repeat podcast.

Deloitte CIO survey: Traditional CIO role doesn’t cut it in digital era

CIOs who aren’t at the forefront of their companies’ digital strategies risk becoming obsolete — and they risk taking their IT departments with them.

The message isn’t new to IT executives, who have been counseled in recent years to take a leadership role in driving digital transformation. But new data suggests CIOs are struggling to make the shift. According to a recently published global CIO survey by Deloitte Consulting, 55% of business and technology leaders polled said CIOs are focused on delivering operational efficiency, reliability and cost-savings to their companies.

Kristi Lamar, managing director and U.S. CIO program leader at Deloitte and a co-author of the report, said IT executives who are serving in a traditional CIO capacity should take the finding as a clarion call to break out of that “trusted operator” role — and soon.

“If they don’t take a lead on digital, they’re ultimately going to be stuck in a trusted operator role, and IT is going to become a back office function versus really having a technology-enabled business,” she said. “The pace of change is fast and they need to get on board now.”

Taking on digital

“Manifesting legacy: Looking beyond the digital era” is the final installment of a three-part, multiyear CIO survey series on CIO legacy. The idea was to chronicle how CIOs and business leaders perceived the role and to explore how CIOs delivered value to their companies against the backdrop of digital transformation.

[Photo caption: Kristi Lamar, managing director and U.S. CIO program leader at Deloitte]

In the first installment, the authors developed three CIO pattern types. They are as follows:

  • Business co-creators: CIOs drive business strategy and enable change within the company to execute on the strategy.
  • Change instigators: CIOs lead digital transformation efforts for the enterprise.
  • Trusted operators: CIOs operate in a traditional CIO role and focus on operational efficiency and resiliency, as well as cost-savings efforts.

Based on their findings, the authors decided that CIOs should expect to move between the three roles, depending on what their companies needed at a given point in time. But this year’s CIO survey of 1,437 technology and business leaders suggested that isn’t happening for the most part. “We have not seen a huge shift in the last four years of CIOs getting out of that trusted operator role,” Lamar said.

Indeed, 44% of the CIOs surveyed reported they don’t lead digital strategy development or lead the execution of that strategy.

The inability of CIOs to break out of the trusted operator role is a two-way street. Lamar said that companies still see CIOs as — and need CIOs to be — trusted operators. But while CIOs must continue to be responsible for ensuring a high level of operational excellence, they also need to help their companies move away from what’s quickly becoming an outdated business-led, technology-enabled mindset.

The more modern view is that every company is a technology company, which means CIOs need to delegate responsibility for trustworthy IT operations and — as the company’s top technology expert — take a lead role in driving business strategy.

“The reality is the CIO should be pushing that trusted operator role down to their deputies and below so that they can focus their time and energy on being far more strategic and be a partner with the business,” she said.

Take your seat at the table

To become a digital leader, a trusted operator needs to “take his or her seat at the table” and change the corporate perception of IT, according to Lamar. She suggested they build credibility and relationships with the executive team and position themselves as the technology evangelist for the company.

“CIOs need to be the smartest person in the room,” she said. “They need to be proactive to educate, inform and enable the business leaders in the organization to be technology savvy and tech fluent.”

Trusted operators can get started by seeing any conversation they have with business leaders about digital technology as an opportunity to begin reshaping their relationship.

If they’re asked by the executive team or the board about technology investments, trusted operators should find ways to plant seeds on the importance of using new technologies or explain ways in which technology can drive business results. This way, CIOs continue to support the business while bringing to the discussion “the art of the possible and not just being an order taker,” Lamar said.

Next, become a ‘digital vanguard’

Ultimately, CIOs want to help their organizations join what Deloitte calls the “digital vanguard,” or companies with a clear digital strategy and that view their IT function as a market leader in digital and emerging technologies.

Lamar said organizations she and her co-authors identified as “digital vanguards” — less than 10% of those surveyed — share a handful of traits. They have a visible digital strategy that cuts across the enterprise. In many cases, IT — be it a CIO or a deputy CIO — is leading the execution of the digital strategy.

CIOs who work for digital vanguard companies have found ways to shift a percentage of their IT budgets away from operational expenses to innovation. According to the survey, baseline organizations spend on average about 56% of their budgets on business operations and 18% on business innovation versus 47% and 26% respectively at digital vanguard organizations.

Digital vanguard CIOs also place an emphasis on talent by thinking about retention and how to retool employees who have valuable institutional knowledge for the company. And they seek out well-rounded hires, employees who can bring soft skills, such as emotional intelligence, to the table, Lamar said.

Talent is top of mind for most CIOs, but digital vanguards have figured out how to build environments for continuous learning and engagement to both attract and retain talent. Lamar called this one of the hardest gaps to close between organizations that are digital vanguards and those that aren’t. “The culture of these organizations tends to embrace and provide opportunities for their people to do new things, play with new tools or embrace new technologies,” she said.

Plan to map UK’s network of heart defibrillators could save thousands of lives a year

Thousands of people who are at risk of dying every year from cardiac arrest could be saved under new plans to make the public aware of their nearest defibrillator.

There are 30,000 cardiac arrests outside of UK hospitals annually, but fewer than one in 10 of those patients survive, compared with a 25% survival rate in Norway, 21% in North Holland, and 20% in Seattle in the US.

A new partnership between the British Heart Foundation (BHF), Microsoft, the NHS and New Signature aims to tackle the problem by mapping all the defibrillators in the UK, so 999 call handlers can tell people helping a cardiac arrest patient where the nearest device is.

Ambulance services currently have their own system of mapping where defibrillators are located but this is not comprehensive.

“There is huge potential ahead in the impact that technology will have in digitally transforming UK healthcare,” said Clare Barclay, Chief Operating Officer at Microsoft. “This innovative partnership will bring the power of Microsoft technology together with the incredible vision and life-saving work of BHF and the NHS. This project, powered by the cloud, will better equip 999 call handlers with information that can make the difference between life and death and shows the potential that innovative partnerships like this could make to the health of the nation.”

Cardiac arrest occurs when the heart fails to pump effectively, resulting in a sudden loss of blood flow. Symptoms include a loss of consciousness, abnormal or absent breathing, chest pain, shortness of breath and nausea. If not treated within minutes, it usually leads to death.

Defibrillators can save the life of someone suffering from a cardiac arrest by providing a high-energy electric shock to the heart through the chest wall. This allows the body’s natural pacemaker to re-establish the heart’s normal rhythm.

However, defibrillators are used in just 2% of out-of-hospital cardiac arrests, often because bystanders and ambulance services don’t know where the nearest device is located.

Owners of the tens of thousands of defibrillators in workplaces, train stations, leisure centres and public places across the country will register their device with the partnership. That information will be stored in Azure, Microsoft’s cloud computing service, where it will be used by ambulance services during emergency situations. The system will also remind owners to check their defibrillators to make sure they are in working order.

It is hoped that the partnership can evolve to enable defibrillators to self-report their condition, as well as capture heart data from cardiac arrest patients that can be sent to doctors.

Simon Gillespie, Chief Executive of the BHF, said: “Every minute without CPR or defibrillation reduces a person’s chance of surviving a cardiac arrest by around 10%. Thousands more lives could be saved if the public were equipped with vital CPR skills, and had access to a defibrillator in the majority of cases.

“While we’ve made great progress in improving the uptake of CPR training in schools, public defibrillators are rarely used when someone suffers a cardiac arrest, despite their widespread availability. This unique partnership could transform this overnight, meaning thousands more people get life-saving defibrillation before the emergency services arrive.”

Simon Stevens, Chief Executive of NHS England, added: “This promises to be yet another example of how innovation within the NHS leads to transformative improvements in care for patients.”

The defibrillation network will be piloted by West Midlands Ambulance Service and the Scottish Ambulance Service, before being rolled out across the UK.

For Sale – Coloredge CX240

Ideal monitor for photographic work.

Collection only as I have no box and don’t want to risk packaging.

Price and currency: £300
Delivery: Goods must be exchanged in person
Payment method: Paypal or COD
Location: Burnley, Lancashire
Advertised elsewhere?: Not advertised elsewhere
Prefer goods collected?: I prefer the goods to be collected

DHS warns of power grid cyberattacks

In this week’s Risk & Repeat podcast, SearchSecurity editors discuss a new warning from the Department of Homeland Security regarding Russian hackers targeting the U.S. power grid.

The Department of Homeland Security has renewed its concerns over potential power grid cyberattacks.

DHS officials held a briefing this week to discuss the threat of Russian hackers targeting utility companies and industrial control systems in an apparent effort to compromise and potentially cripple U.S. critical infrastructure, according to a report from The Wall Street Journal. The report also claimed the hackers, who were linked to the Russian threat group Dragonfly, last year gained access to the control rooms of U.S. electric companies during an extensive hacking campaign.

While the government has issued warnings about active threats to ICS and critical infrastructure before, the DHS briefing marks the first time the agency has publicly discussed the extent of the power grid cyberattacks. Government officials said the Dragonfly campaign is likely continuing.

What effect will DHS’ briefing have on critical infrastructure security? Is the government’s assessment of the ICS threats accurate? Why did DHS decide to make this information public now? SearchSecurity editors Rob Wright and Peter Loshin discuss those questions and more in this episode of the Risk & Repeat podcast.

Closing the gender gap at cybersecurity conferences

In this week’s Risk & Repeat podcast, SearchSecurity editors discuss the under-representation of women at cybersecurity conferences and how it affects the infosec industry.

This week’s Risk & Repeat podcast looks at the lack of women at cybersecurity conferences and explores what can be done to improve those numbers, as well as to increase diversity as a whole in the infosec industry.

Earlier this year, RSA Conference came under fire for having just one woman keynote speaker among nearly two dozen keynote spots. The criticism led members of the infosec community to form a new event, dubbed Our Security Advocates, or OuRSA. And while cybersecurity conferences such as Black Hat 2018 will prominently feature women infosec professionals as keynote speakers, there is still a significant gender gap at cybersecurity conferences.

Why aren’t more women speaking at industry events? How can organizations increase the number of women attending and participating in these events? Is the lack of women at cybersecurity conferences a symptom of the larger gender gap in infosec or a contributor to it? SearchSecurity editors Rob Wright and Maddie Bacon discuss those questions and more in this episode of the Risk & Repeat podcast.

U.S. government eyes offensive cyberattacks

In this week’s Risk & Repeat podcast, SearchSecurity editors discuss the risks of the U.S. Cyber Command engaging in offensive cyberattacks against foreign adversaries.

The prospect of the U.S. government using offensive cyberattacks against foreign adversaries appears to be gaining steam.

According to the New York Times, the Pentagon approved a policy that empowers the U.S. Cyber Command to initiate constant offensive cyberattacks designed to disrupt foreign networks. The Times report details a vision statement from military leadership that calls for cyber activities that are “short of war” to retaliate against hacking campaigns from adversarial nation states. The Pentagon’s new strategy for the U.S. Cyber Command, which has traditionally led the nation’s cyber defensive efforts, comes in the wake of many recent high-profile cyberattacks attributed to the governments of Russia, North Korea and Iran.

The concept of “hacking back” against cyber adversaries has gained momentum in both the private sector as well as the government. Some cybersecurity experts, however, have warned that the risks and unintended consequences of offensive cyberattacks can put private enterprises in the crosshairs of nation-state hackers.

What are the implications of the U.S. Cyber Command turning its attention to offensive hacking? What activities would be considered short of cyberwarfare? Could the Pentagon’s policy lead to an escalation of cyberattacks? SearchSecurity editors Rob Wright and Peter Loshin discuss those questions and more in this episode of the Risk & Repeat podcast.