CyberheistNews Vol 3, #7
By Stu Sjouwerman
New CyberSec Executive Order: Impact On IT?
Last Tuesday, the White House issued the long-awaited cybersecurity Executive
Order (EO 13636, "Improving Critical Infrastructure Cybersecurity"), which
attempts to outline policies that will protect US organizations against
cyber-attacks and espionage. The EO stays away from even hinting at changes
to privacy laws and regulations, which makes the anti-CISPA crowd happy. The
Cyber Intelligence Sharing and Protection Act died in the Senate in any case.
So in short, what's in it?
The National Institute of Standards and Technology (NIST) is directed to work
with industry and other stakeholders to develop a framework of standards and
best practices for securing critical infrastructure. Note that there are
already plenty of security frameworks and regulations in place: FISMA and
NIST SP 800-53 for federal agencies, and the FERC-approved NERC CIP standards
for the bulk power system, to name a few. The main thrust of the EO is that
nobody in the private sector is -required- to do anything; adoption of
whatever framework NIST produces is voluntary. If NIST creates useful
guidance, it's up to you whether you follow it or not. It will take an act of
Congress to give this EO actual teeth in the form of compliance demands.
The upshot at the moment? Critical infrastructure companies can carry on
business as usual, hence zero immediate impact. It's positive, though, that
the White House puts cybersecurity front and center and raises awareness for
this issue. That just might make it easier for you to get more budget and
give IT security a high priority within your own organization. And remember
that your employees are the weak link in IT security, so today mandatory
security awareness training for everyone is a must: http://www.knowbe4.com/products/kevin-mitnick-security-awareness-training/
Quote of the Week
"In the business world an executive knows something about everything, a
technician knows everything about something and the switchboard operator
knows everything." - Harold Coffin
Please tell your friends about CyberheistNews! They can subscribe here:
Arm Your Users Against Social Engineering
Your end-users are the weak link in your network security. Traditional
once-a-year Security Awareness Training doesn't hack it anymore. Today,
your employees are frequently exposed to advanced social engineering
attacks. Your users need to be trained by an expert like Kevin Mitnick,
and after the training stay on their toes with you sending them
'set-it-and-forget-it' simulated phishing attacks. Both the attacker
and the user are human. You need a 'human firewall'.
Find out how affordable this is for your organization now! Click on the orange "Get A Quote" button on this page:
5 Myths About Awareness
Lance Spitzner of the SANS Securing the Human program outlines five common
misconceptions about security awareness programs. This is an interesting
and quite instructive read:
Four CIA Secrets That Can Boost Your Career
J.C. Carleson is a former undercover CIA officer. She spent nine years
conducting clandestine operations around the globe before trading the real
world of espionage for writing about espionage.
"If only Hollywood's depiction of life as a CIA officer were true, I'd have
a faster car, a better wardrobe, and a tool shed full of state-of-the-art
gadgets left over from my years working for the clandestine service. There
is nary a biometric device in my garage, however, and my career keepsakes
are far more bureaucrat than they are Bond.
"The truth is, spies rely on psychology far more than they do on technology.
Instead of gizmos or gadgets, CIA officers use behavioral techniques to
elicit secrets from people and organizations, techniques that are broadly
applicable enough to be used in even the least cloak-and-dagger of settings.
I wrote my book, Work Like a Spy: Business Tips from a Former CIA Officer,
with the intention of identifying and explaining spy tradecraft in such a
way that it can be used in any workplace. Here are four examples of lessons
from the clandestine world that corporate America can use." Here they are:
Serious Data Breaches Take Months To Spot, Analysis Finds
John Dunn at TechWorld reported: "More than six out of ten organizations hit
by data breaches take longer than three months to notice what has happened,
with a few not uncovering attacks for years, a comprehensive analysis of
global incidents by security firm Trustwave has found.
During 2012, this meant that the average time to discover a data breach for
the 450 attacks looked at was 210 days, 35 more than for 2011, the company
reported in its 2013 Global Security Report (publicly released on 20 February).
Incredibly, 14 percent of attacks aren't detected for up to two years, with one
in twenty taking even longer than that. Almost half - 45 percent - of breaches
happened in retailers, with cardholder data the main target. The food and
beverage sector accounted for another 24 percent, hospitality 9 percent,
and financial services 7 percent.
Questions arise from this: how are attackers getting into organizations so
easily, and why do IT staff not notice until long after the event?"
This is a good article to check out:
Cyberheist 'FAVE' LINKS:
* This Week's Links We Like. Tips, Hints And Fun Stuff.
Motorcycle Ridge Riding. This video will give you a physical reaction!:
Master speed-painter D. Westry shows off his creative skills during the
"Anderson's Viewers Got Talent" competition. Surprising End!:
A scary demo of software capable of tracking people's movements and
predicting future behavior by mining data from social networking websites:
Kaiser the Bengal cat performs amazing tricks:
A Detroit musician living in poverty didn't know that in South Africa, he
was more popular than the Beatles:
Girl meets boy in the office and they find a new way of expressing their
affection in this endearing short film. CUTE:
The million dollar 650 horsepower Ferrari Enzo is not usually driven as a
rally car ...
A 9-ton meteorite streaked across the sky over the Ural mountains in Russia
and exploded at 25 miles above the ground: