STE WILLIAMS

Verizon Suffers Cloud Data Leak Exposing Data on Millions of Customers

Six million of Verizon’s US customers had their personal and account information exposed, including account PINs.

Verizon Communications suffered a major data leak due to a misconfigured cloud server that exposed data on 6 million of its customers.

The leak was the result of its third-party provider NICE Systems incorrectly configuring Verizon’s cloud-based file repository, housed in an Amazon Web Services S3 bucket on NICE’s cloud account, according to UpGuard, which issued a report on the breach today. Verizon customer names, addresses, and account information, including account personal identification numbers (PINs), were compromised.

UpGuard’s report estimated that up to 14 million customer records were exposed, but Verizon stated that data on 6 million of its users was affected.

In one file alone, there were 6,000 PINs that were publicly exposed, according to Dan O’Sullivan, a cyber resilience analyst for UpGuard. “Although we did not evaluate how many files had PINs exposed, and certainly not all 14 million did, but a sizable smaller amount did and it was probably in the millions,” he says.

What’s unique about this leak is that it was not just personal data that was publicly exposed but also PINs, according to O’Sullivan. “The PINs are used to identify a customer to a customer care person,” O’Sullivan says, noting that an attacker could impersonate the user by using the PIN and then gain access to that individual’s account.

Verizon issued a statement acknowledging the public exposure of its customer data, but stressed that no loss or theft of Verizon or Verizon customer information occurred. The telecom giant also noted: “To the extent PINs were included in the data set, the PINs are used to authenticate a customer calling our wireline call center, but do not provide online access to customer accounts.”

“An employee of one of our vendors put information into a cloud storage area and incorrectly set the storage to allow external access,” Verizon said.

How it Went Down

NICE was hired to help Verizon improve its residential and small business wireline self-service call center portal, according to Verizon’s statement. As part of this project, NICE needed certain data that included a limited amount of personal and cell phone number information. None of the information stored for the project included social security numbers, according to Verizon.

Meanwhile, on June 8, UpGuard’s cyber risk research director Chris Vickery came across the AWS S3 data repository and its subdomain “verizon-sftp.” The repository held six folders with titles spanning “Jan-2017” to “June-2017” and a number of other files with a .zip format. Vickery was able to fully download the repository because it was configured to be publicly accessible to anyone entering the S3 URL.

Following the discovery, UpGuard contacted Verizon on June 13 to inform the telecom giant of the data leakage and then on June 22 the exposure was sealed up, according to UpGuard’s report.

“There was a fairly long duration of time before it was fixed, which is troubling,” O’Sullivan says.

Verizon is not the first company to encounter data leakage as a result of permissions set to public rather than private on an Amazon S3 bucket. Earlier this year, UpGuard also discovered a similar situation involving the Republican National Committee (RNC), which left millions of voter records exposed in a cloud account.

As in the Verizon case, the RNC relied on a third-party vendor to handle its cloud storage needs, and it too used Amazon’s AWS S3. That third party also improperly set the database to public rather than private.

“The number one thing to keep in mind if you are a CISO is evaluating your third-party vendors. You can have the best security in the world and the best visibility into your systems, but if you pass it onto a third-party vendor without checking out how well they handle their security, then you have done that all in vain,” O’Sullivan says. “Verizon did not own the server that was involved here, but it will own the consequences.”

Rich Campagna, CEO of Bitglass, stressed the importance of security teams ensuring services used are configured securely. “This massive data leak could have been avoided by using specific data-centric security tools, which can ensure appropriate configuration of cloud services, deny unauthorized access, and encrypt sensitive data at rest,” Campagna said in a statement.

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET’s …

Article source: https://www.darkreading.com/cloud/verizon-suffers-cloud-data-leak-exposing-data-on-millions-of-customers/d/d-id/1329344?_mc=RSS_DR_EDT

Researchers find chinks in the armour of satellite phone calls

Is the encryption used to secure satellite phone communications from eavesdropping secure or isn’t it?

Until 2012, the answer would have been a reasonably confident “yes”, but two theoretical papers, a German study of that year (added to in 2013), and a Chinese follow-up published last week have injected growing doubt.

What the researchers have been aiming at is to find weaknesses in the proprietary GMR-1 (Geo-Mobile Radio-1) and GMR-2 stream ciphers, the first running on the Thuraya satellite system, the second used by Inmarsat.

The German attack was a shock at the time, although not entirely a surprise given that GMR-1 turned out to be based on the demonstrably weak GSM A5/2 cipher. It was also couched in lots of qualifications such as the time taken to crack keys and the limited conditions under which it could be used in real-world circumstances.

The Chinese have moved this on a bit, uncovering ways to deduce the 64-bit encryption key using a bold procedure they describe as an “inversion attack”, basically working from one 15-byte frame of keystream output back to the plaintext.

In cipher terms, this might be called coming in through the front door – stopping an attacker from deriving the plaintext by working back from the output is an absolute first principle of this kind of security.

The researchers summarise:

Our analysis shows that, using the proposed attack, the exhaustive search space for the 64-bit encryption key can be reduced to about 2^13 when one frame (15 bytes) of keystream is available.

Finally, the proposed attack is carried out on a 3.3GHz [satellite] platform, and the experimental results demonstrate that the 64-bit encryption key could be recovered in around 0.02s on average.

Despite the impressive proof-of-concept, this isn’t the end of the story. Actually listening to satellite calls would mean isolating volumes of plaintext, scaling the inversion attack to the ongoing stream of data and, presumably, finding a way around any proprietary CODEC applied to it.

The researchers don’t go into detail on this but what they have achieved is clearly an important chink in its armour.

Satellite phone users might be tempted to ask whether revealing weaknesses like this is a good idea. In fact, far from being risky, the researchers are doing the companies and customers a massive favour. Spotting weaknesses in encryption is an essential part of keeping it secure.

How likely is it that someone could use this knowledge to eavesdrop on a real satellite call? Fairly small, for now at least, although we know from previous reports on GSM surveillance that the concept is alluring. The agencies most likely to have an interest in beating something like GMR-2, or any stream cipher, are nation states with resources, the better to conduct economic and political espionage.

But doing so is not that useful because while military and government applications utilise the same satellite systems, they do so using secret encryption add-ons where the conversation is deemed classified. The users affected by the undermining of satellite comms security would be business and personal users.

Such sophisticated attacks also depend on a compromise remaining an absolute secret, the very opposite of the open disclosure principle used by the German and Chinese researchers. Or, to sum it up in the logic of all espionage, as long as you know something your rivals don’t know you know then it remains worth knowing.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/tHy4blVHdRk/

Social engineering – explored and explained by our experts [VIDEO]

Are you worried about social engineering?

That’s the collective name for the tricks that cybercriminals use to make you feel comfortable (or scared, or confused) enough to let slip something that you later wish you’d kept to yourself.

Social engineering tricks start at the bluntly assertive end of the spectrum, such as a phone call claiming to be from your bank that insists, “Please tell me your PIN so I can confirm your identity.”

In the middle of the spectrum are innocent-sounding emails such as, “Your invoice is attached – please click below if there are any errors.”

And at the subtle end, the crooks may be happy to get their information a snippet at a time, for example by saying, “I was trying to get hold of that systems guy from IT, you know, the one with the beard and the Metallica T-shirts, what’s his name again?”

What to do?

Here’s a Facebook Live video featuring two entertaining and informative Sophos experts, James Burchell and Greg Iddon.

Watch our very own dynamic duo right here, as they explain the problem, and teach you how to fight back against social engineers…

If you’d like to hear more from James and Greg (or from other Sophos experts, for that matter) in the relaxed format of Facebook Live…

…please let us know in the comments below!


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/wn8Xk-H4858/

News in brief: probe in Jupiter fly-by; footage of politician ‘not illegal’; Trump sued over Twitter block

Your daily round-up of some of the other stories in the news

Juno probes Jupiter’s giant red spot

NASA’s Juno mission completed a fly-by of the giant planet’s iconic red spot on Monday, said the US space agency on Tuesday, gathering spectacular images of the 16,000km-wide storm that has been monitored from Earth since 1830.

The closest the Juno probe (pictured) got to the planet and the storm was 3,500km above Jupiter’s cloud tops on Monday, and shortly after that it logged a year in orbit after having been launched from Cape Canaveral in Florida in August 2011.

“For generations, people from all over the world and all walks of life have marvelled over the Great Red Spot,” said Scott Bolton of NASA. “Now we are finally going to see what this storm looks like up close and personal.”

NASA is posting the amazing raw images the probe gathers on its website and is encouraging people to download them, mix them up and upload them to share with fellow space geeks, saying: “Creativity and curiosity in the scientific spirit and the adventure of space exploration is highly encouraged.”

Footage of politician ‘did not break the law’

Footage of the leader of the UK’s opposition Labour party on a train did not breach data protection rules when the train operator, Virgin Trains East Coast, published the footage in August last year, data protection authorities said on Wednesday.

The CCTV footage, of Labour leader Jeremy Corbyn walking past empty seats on the train, was published by Virgin Trains after he had criticised the company for running packed services and had claimed he couldn’t find a seat and so had to sit on the floor.

However, the train operator had breached the law by not obscuring the faces of other passengers visible in the footage, said Steve Eckersley, the head of enforcement at the Information Commissioner’s Office, the UK’s data protection regulator.

“The ICO found that Virgin should have taken better care to obscure the faces of other people on the train. Publication of their images was unfair and a breach of the first principle of the Data Protection Act,” said Eckersley.

He went on to explain that although Jeremy Corbyn would normally also be protected, “the ICO’s view was that Virgin had a legitimate interest, namely correcting what it deemed to be misleading news reports that were potentially damaging to its reputation and commercial interests”.

Trump sued over blocking Twitter users

Donald Trump, the US president, is being sued by Twitter users he has blocked who claim that he has violated their constitutional rights.

The seven Twitter users, who are backed by the Knight First Amendment Institute at Columbia University, claim that the president’s personal Twitter handle, @realDonaldTrump, “is a kind of digital town hall in which the president and his aides use the tweet function to communicate news and information to the public, and members of the public use the reply function to respond to the president and his aides and exchange views with one another”.

The lawsuit, which was filed in the Southern District of New York, follows a letter sent by the Knight Institute last month which threatened the legal action. In the letter, the institute said that being blocked by the president “suppresses speech in a number of ways”.

The letter adds: “Blocking users from your Twitter account violates the First Amendment. When the government makes a space available to the public at large for the purpose of expressive activity, it creates a public forum from which it may not constitutionally exclude individuals on the basis of viewpoint.”

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/YMNUXqTdcSg/

Brit military scolded for being too selfish with sexy high-end tech

The UK Ministry of Defence needs to stop reflexively demanding rights to its suppliers’ intellectual property if it is to attract more private sector tech innovators, according to the Royal United Services Institute.

In a report published on Tuesday, RUSI, the government’s defence and foreign policy thinktank, criticised the MoD’s current approach to adopting new ideas and technologies, branding its IP-hogging activities “a real disincentive” for private sector thinkers.

RUSI’s Defence Innovation and the UK report focused on “responding to the risks identified by the US Third Offset Strategy,” which is a policy wonk’s way of saying, “Oh bugger, China and Russia’s armed forces are catching up with our tech.”

The report (40 pages, PDF) mainly discusses how the US view of defence policy can be applied to the UK, and points out how the basic assumptions behind armed forces policy are shifting relatively quickly. It’s all well and good having two new aircraft carriers to dominate the high seas but if your immediate threat is Russian APT crews trying to hack MPs’ emails, you’re rather missing the point.

In its section titled “An emerging UK response”, the report goes into a bit more detail about MoD’s lukewarm efforts to attract interest from companies other than the usual suspects.

“Investments in S&T [science and technology] and R&D require a business case presenting a significant prospect of a rate of return. That private S&T and R&D spending from the defence industrial sector is limited is an indicator that industry is either receiving limited information from its main customer, or it has little confidence in the information it does get,” thundered RUSI’s authors.

Industry is wary of getting involved with the MoD and its reputation among potential suppliers, outside of the usual suspects such as BAE Systems, is low: last year the chief of the Motorsport Industry Association told Defence Secretary Michael Fallon that many firms in the MIA are “reticent to engage with defence”.

While the MoD launched its defence innovation fund last year, promising to spend £80m a year on taking innovative technological ideas from CAD file* to production, this spending makes up just 1 per cent of planned defence equipment spending, according to RUSI. Even then, seductive visions of robot war machines blasting Her Majesty’s enemies from the field of battle are probably best avoided for now, as the report states:

Currently, the MoD concentrates on technologies with high readiness levels, but a balance with emerging and adaptive technologies might offer greater utility… For example, in the US there has been some warning against focusing excessively on artificial intelligence and the man–machine interface.

Nonetheless, AI, autonomous tech in general, “electromagnetic capabilities” and “electronic warfare” are all areas that RUSI highlights as “key” for “future transformation” in defence technology.

That rules out the British Armed Forces fielding sharks with frikkin’ lasers for the time being. The lasers are still being tested at the moment. ®

*Who uses drawing boards in the modern era?

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/07/12/rusi_defence_innovation_report/

Slower US F-35A purchases pile $27bn onto total fighter jet bill

Slower purchases of the F-35 fighter jet have piled $27bn on top of the cost of buying the ridiculously expensive aircraft, according to reports.

The Defense News website reports that the “estimated total acquisition cost of the F-35 program” increased by seven per cent in one year, from $379bn to $406.5bn. This figure covers the purchase of 1,763 F-35As for the US Air Force.

The price rise includes inflation and is said to have been blamed on a lower purchase rate by the USAF than planned, which is now down to 60 aircraft per year from the original rate of 80. In turn, the full rollout of F-35s across the USAF has been extended by six years.

The UK is buying 138 F-35s in total, the majority of which will be F-35Bs. Nobody can be sure about this, however, because the Ministry of Defence hasn’t ruled out an F-35A purchase as well. Early production F-35Bs cost around $122m each, according to Lockheed Martin’s own estimates. With F-35As coming in at $94.6m each, that price is now in the region of $101.2m per jet.

As we reported in May, the MoD has signed contracts to buy a total of 27 F-35Bs until the year 2023, which is when Lockheed Martin, maker of the F-35, appears to be going into full scale production. This appears to be a decision made in the hope of taking advantage of economies of scale once the design is frozen and mass production kicks in. With the US scaling back, however, and causing its own prices to rise, there is little doubt foreign customers will also be hit with price rises in turn – including the UK.

Taking the F-35A price rises as a guide, the price per airframe of each F-35B could now be $131.4m each. This will put increasing strain on Britain’s defence budget, which has a perilously slim margin for currency fluctuations and general unpredicted spending increases. In April this year the MoD paid Lockheed’s UK arm £64m ($82.5m) in a single transaction for a “single use military equipment asset under construction”, which may or may not be the upfront purchase cost of one F-35B.

Of the three models of F-35 available – A, B, and C – the latest figures from the US only cover F-35As. However, given the large number of common parts between each model, it is reasonable to assume that inflated costs for the F-35A will have a knock-on effect on the F-35B and F-35C.

F-35As are land-only fighters; F-35Bs are short take off and vertical landing aircraft (STOVL), best used from non-traditional aircraft carriers and short, improvised landing strips; F-35Cs are pure carrier-based fighters fitted with “cat and trap” gear that the other two models lack.

Britain’s F-35Bs will eventually be flown from new aircraft carrier HMS Queen Elizabeth, which is currently on sea trials off the coast of Scotland. She is accompanied by two Type 23 frigates, so-called “escort” warships optimised for anti-submarine warfare.

It is feared that Russia will try and obtain sensitive acoustic data from the carrier by sneaking a submarine into the trials area. That acoustic data can be used to precisely locate the “Big Lizzy” while she is at sea and ultimately be used to launch torpedoes at her. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/07/12/f35a_another_27bn_us_purchase_bill/

Dial S for SQLi: Now skiddies can order web attacks via text message

Hackers are touting a tool that allows any idiot with a smartphone to conveniently order up mass SQL injection attacks against websites.

From what we can tell, you can either rent an instance of the crooks’ Katyusha Scanner Pro for $200 per month, or install a copy on your own system for $500. This software uses the Anarchi Scanner, a freely available penetration testing tool, to perform SQLi attacks on websites. Crucially, it can be controlled via the Telegram instant messaging system.

So essentially, you run Katyusha on an internet-connected server, either rented or installed yourself, and then use Telegram to fire commands at it – such as attack somepoorbastard.biz or mydietpillsnotascam.org, and so on, until you hit a vulnerable site. Then, if you have the pro version, the package can automatically extract login credentials and extract the contents of internal databases. A light version of the scanner is available, too, if you think you can exploit any discovered bugs yourself.

SQL injections (SQLi) exploit insecure web apps and similar database-driven software to siphon off or tamper with data, such as user account records, or even execute shell commands on the server in worst cases. It’s a result of code not validating and sanitizing information provided by legit users and attackers. The software may expect, say, an order ID number, instead the hacker sends a portion of an SQL statement, and this malicious snippet ends up being included in the next database lookup, allowing the miscreant to effectively make the server do what she wants and cough up sensitive data.
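The order-ID lookup described above, written both the injectable way and the hardened way. This is an added example, not code from the article or from any tool it mentions; it uses an in-memory SQLite table with constructed rows, and the function names and inputs are illustrative.

```python
"""Order lookup: the injectable pattern beside a hardened one (added example).

Runs offline against a constructed in-memory SQLite database. The value the
caller supplies is the "order ID number" the text above talks about.
"""
import re
import sqlite3


def make_db():
    """Constructed sample data: three orders for three customers."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, total REAL)")
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)",
        [(1, "alice", 19.99), (2, "bob", 250.00), (3, "carol", 7.50)],
    )
    return conn


def lookup_order_vulnerable(conn, order_id):
    """The anti-pattern: caller input is concatenated straight into the SQL text.

    Whatever the caller sends becomes part of the statement, so a value that is
    not a plain number is parsed as SQL rather than compared as data. This is
    the defect the article describes, kept here only to contrast with the fix.
    """
    sql = "SELECT id, customer, total FROM orders WHERE id = " + order_id
    return conn.execute(sql).fetchall()


def lookup_order_safe(conn, order_id):
    """Hardened version: validate the input's shape, then bind it as a parameter.

    Validation rejects anything that is not a short positive integer before the
    database is touched; parameter binding (the `?` placeholder) makes the
    driver treat the value purely as data, never as part of the statement.
    """
    if not re.fullmatch(r"[0-9]{1,18}", order_id):
        raise ValueError("order id must be a positive integer")
    return conn.execute(
        "SELECT id, customer, total FROM orders WHERE id = ?", (int(order_id),)
    ).fetchall()


# Constructed inputs: a legitimate id and a crafted one of the kind an
# automated scanner would send to see whether the lookup is injectable.
LEGIT_INPUT = "2"
CRAFTED_INPUT = "2 OR 1=1"


def demo():
    """Run both lookups on both inputs and return what each produced."""
    conn = make_db()
    results = {
        "vuln_legit": lookup_order_vulnerable(conn, LEGIT_INPUT),
        "vuln_crafted": lookup_order_vulnerable(conn, CRAFTED_INPUT),  # every row leaks
        "safe_legit": lookup_order_safe(conn, LEGIT_INPUT),
    }
    try:
        lookup_order_safe(conn, CRAFTED_INPUT)
        results["safe_crafted"] = "accepted"
    except ValueError:
        results["safe_crafted"] = "rejected"  # validation stops it before any query
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The crafted input returns the whole table from the vulnerable function and is rejected outright by the hardened one, which is the difference an audit of a web app's database layer should look for.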

This basically means non-tech-savvy criminals can easily book assaults against countless organizations and businesses from the comfort of their smartphones. It can be controlled via a web portal, we note, but it’s pretty wild you can essentially text it orders via Telegram. Security researchers at threat intel firm Recorded Future found the package for sale inside one of the dark web’s most exclusive and hidden hacker forums.

“While the hacking process could be controlled using a standard web interface, the unique functionality of Katyusha Scanner allows criminals to upload a list of websites of interest and launch the concurrent attack against several targets simultaneously, seamlessly controlling the operation via Telegram messenger,” Recorded Future explains in a blog post.

The technology has garnered rave reviews from script kiddies as well as praise for a professional customer support operation. Of course, a seasoned cyber-crim could do all this from an SSH terminal on their smartphone or tablet; it’s the fact that Katyusha is so easy to use that is the mildly alarming thing about it.

Attacks on demand … A screenshot showing someone controlling Katyusha via Telegram messaging.

Upon completion of the scan, Katyusha will display an Alexa web rating for each identified target, providing a handy guide to the potential significance and profitability of the discovered web security vulns.

“The availability of a highly robust and inexpensive tool such as Katyusha Scanner to online criminals with limited technical skills will only intensify the compromised data problem experienced by various businesses, highlighting the importance of regular infrastructure security audits,” Recorded Future concludes.

The most widespread attacks in the first quarter of 2017 were SQLi and cross-site scripting, each accounting for about a third of the total number of detected attacks, according to a study by infosec outfit Positive Technologies. The report lists government agencies’ web applications as the hackers’ top target, followed by IT companies and financial organizations, and with educational institutions in fourth place. ®

Bootnote

The name Katyusha references an iconic multiple rocket launcher, developed by the Soviet Union during World War II and known for inflicting panic in Nazi forces with its stealthy and devastating attacks.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/07/12/katyusha_scanner/

14 MEEELLION Verizon subscribers’ details leak from crappily configured AWS S3 data store

Another day, another leaky Amazon S3 bucket. This time, one that exposed account records for roughly 14 million Verizon customers to anyone online curious enough to find it.

The cloud-hosted repository, ironically owned by Israel-based software security vendor NICE, contained terabytes of Verizon customer names, addresses, and account information – along with plenty of PINs, although the large majority of those were hashed.

The files, found in folders labeled “Jan-2017” to “June-2017,” include ZIP files containing as much as 23GB of text data apiece when extracted, and they looked like voice recognition log files from customer calls. In addition to personal information, the data showed the callers’ customer satisfaction levels (including “FrustrationLevel” – hope they had a large number range) and whether they had fiber on order.

The poorly secured data store was found by Chris Vickery’s virtuous vigilantes at UpGuard, who have made a habit of scouring Amazon buckets for interesting data. On June 8, they found the data in an open Amazon Simple Storage Service (S3) bucket with a subdomain “verizon-sftp,” and figured it was worth a look. They immediately got in contact with those concerned.
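An offline check for the misconfiguration behind both Verizon stories on this page (the Dark Reading piece above and this one): a bucket whose ACL or policy grants access to everyone. This is an added example, not code from the articles or from UpGuard, NICE or Verizon; it inspects the JSON shapes the real AWS GetBucketAcl and GetBucketPolicy calls return, but the documents, bucket name, owner ID and account ID below are constructed placeholders so it runs without credentials.

```python
"""Flag S3 buckets opened to everyone via ACL grants or bucket policy (added example)."""
import json

# Group URIs AWS uses for "anyone on the internet" and "any AWS account holder".
# Either one on a bucket ACL means the bucket is effectively public.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}


def public_acl_grants(acl):
    """Return (group, permission) pairs in an ACL that go to a public group.

    `acl` has the shape of boto3's get_bucket_acl() response:
    {"Owner": {...}, "Grants": [{"Grantee": {"Type": "Group", "URI": ...},
                                 "Permission": "READ"}, ...]}
    READ on the bucket lets anyone list it; READ on the objects lets them download.
    """
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in PUBLIC_GROUP_URIS:
            found.append((PUBLIC_GROUP_URIS[uri], grant.get("Permission")))
    return found


def _principal_is_everyone(principal):
    """A policy Principal of "*" or {"AWS": "*"} (alone or in a list) means everyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def public_policy_statements(policy):
    """Return (Sid, has_condition) for every Allow statement open to everyone.

    `policy` is the JSON string from get_bucket_policy()["Policy"] or the parsed
    dict. Statements carrying a Condition are still reported: a condition may
    narrow access, but a person has to confirm that, so the finding is flagged
    rather than silently dropped.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be an object, not a list
        statements = [statements]
    found = []
    for i, st in enumerate(statements):
        if st.get("Effect") == "Allow" and _principal_is_everyone(st.get("Principal")):
            found.append((st.get("Sid", "statement[%d]" % i), "Condition" in st))
    return found


def bucket_is_public(acl, policy=None):
    """True if either the ACL or the bucket policy opens the bucket to everyone."""
    if public_acl_grants(acl):
        return True
    return policy is not None and bool(public_policy_statements(policy))


# Constructed sample documents (placeholder owner ID, bucket name and account ID).
OWNER = {"ID": "owner-canonical-id-placeholder"}
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
OPEN_ACL = {  # the "incorrectly set to allow external access" mistake from the story
    "Owner": OWNER,
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": OWNER["ID"]}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
}
PRIVATE_ACL = {
    "Owner": OWNER,
    "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": OWNER["ID"]}, "Permission": "FULL_CONTROL"}],
}
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}],
})
SCOPED_POLICY = json.dumps({  # what a vendor-upload bucket should look like instead
    "Version": "2012-10-17",
    "Statement": [{"Sid": "VendorOnly", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::111122223333:role/vendor-uploader"},
                   "Action": ["s3:GetObject", "s3:PutObject"],
                   "Resource": "arn:aws:s3:::example-bucket/*"}],
})

if __name__ == "__main__":
    for name, acl, pol in [("open-acl", OPEN_ACL, None),
                           ("private", PRIVATE_ACL, SCOPED_POLICY),
                           ("public-policy", PRIVATE_ACL, PUBLIC_POLICY)]:
        print(name, "PUBLIC" if bucket_is_public(acl, pol) else "ok",
              public_acl_grants(acl), public_policy_statements(pol) if pol else [])
```

Against a live account the same functions would be fed the output of boto3's `get_bucket_acl` and `get_bucket_policy` for each bucket; a scheduled run of that loop is the kind of check that would have caught this bucket long before an outside researcher did.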

“This exposure is a potent example of the risks of third-party vendors handling sensitive data,” UpGuard said today. “The long duration of time between the initial June 13 notification to Verizon by UpGuard of this data exposure, and the ultimate closure of the breach on June 22, is troubling.”

Verizon was quick to put out a statement claiming there was nothing to see here. The US telco said that, other than the researcher and the developer working on the data, no one else had found it and there had been no theft.

“The overwhelming majority of information in the data set had no external value, although there was a limited amount of personal information included, and in particular, there were no Social Security numbers or Verizon voice recordings in the cloud storage area,” it said.

Verizon also disputed the exact number of customers involved in the case, and said any PINs found were used “to authenticate a customer calling our wireline call center, but do not provide online access to customer accounts.”

The bucket also had a separate section covering another NICE partner, European telco Orange. UpGuard found French-language text files of “internal data” in a separate directory, but it doesn’t appear to have been useful.

NICE hasn’t responded to requests for comment on the matter, but it’s a definite black eye for a biz that touts its credentials as a data security handler – albeit one with some slightly dodgy customers. The firm was cited by Privacy International for helping to build a network surveillance system for the Colombian government, until the Attorney General killed the project over legal concerns. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/07/12/14m_verizon_customers_details_out/

Dealing with Due Diligence

Companies will find themselves evaluating third-party cybersecurity more than ever — and being subject to scrutiny themselves. Here’s how to handle it.

Due diligence is becoming an increasingly important part of any cybersecurity strategy. Not only will companies often find clients checking their services for cybersecurity readiness, but they’ll also face regulations demanding that they subject their own service providers to similar scrutiny.

The Securities and Exchange Commission’s cybersecurity guidance says that registered investment advisers “may also wish to consider assessing whether protective cybersecurity measures are in place at relevant service providers.” New York State’s recently introduced NYCRR Part 500 cybersecurity regulation is more explicit, requiring financial companies to subject their service providers to cybersecurity checks.

Across the Atlantic, the EU’s General Data Protection Regulation will demand that data controllers (the companies managing their customers’ data) exercise a high level of care when choosing data processors (the third-party service providers that they use to help process that data).

When Vendors Won’t Talk to You
The problem when conducting due diligence is that companies aren’t guaranteed a detailed response from the service provider. Depending on the customer and vendor’s relative sizes, companies may get no response at all. Hyperscale service providers, like Google or Amazon, are unlikely to let many, or any, companies into their data centers for a look around, or spend much time filling out RFPs for businesses.

Thankfully, cybersecurity auditing standards make evaluation of third-party services far easier. Gathering together due diligence questions into standardized, approved question sets makes it possible for even smaller customers to get a handle on a service provider’s cybersecurity readiness.

What kind of cybersecurity framework should you use when conducting due diligence on a supplier or a potential acquisition? Much depends on the kind of relationship and the industry involved, but a hardy perennial is the Standards for Attestation Engagements (SSAE) 16 auditing standard. Created by the American Institute of Certified Public Accountants (AICPA), it’s a standard for auditing controls at service organizations and replaces the existing SAS 70 standard. SSAE 16’s Service Organization Controls (SOC) 2 audit process takes in cybersecurity controls.

The National Institute for Science and Technology (NIST), which develops voluntary best-practice cybersecurity guidelines, recommends that companies use its cybersecurity framework as the basis for due diligence. On its own, the NIST framework can be challenging to navigate, particularly for small and midsize firms. eSentire has distilled the NIST framework into an easy-to-follow workbook that will help identify a firm’s security risks and develop policies to support cybersecurity governance.

Certain industries or use cases also mandate their own requirements. One of the more prescriptive audits is the Payment Card Industry council’s Data Security Standard (PCI-DSS), which subjects companies storing, holding, or transmitting payment card details to a strict audit. For users of enterprise cloud computing services, the Cloud Security Alliance publishes a Cloud Controls Matrix, a risk assessment framework to help evaluate cloud security. Organizations providing cloud services to the public sector in the US will need to pass a FedRAMP cybersecurity evaluation.

Companies meeting these cybersecurity requirements to comply with their clients’ needs should expect to go through some internal pain when bringing themselves up to speed with the relevant standards. They should also devote time to regular reviews, so that they can show ongoing compliance.

Those in certain industries, including law and finance, may find themselves under increasing regulatory pressure to comply with due diligence requests, not only because they work in heavily regulated industries but because they sit at the cross-section of many different sectors. Legal and financial firms deal with so many kinds of companies, whether as clients or as investments, that they have access to sensitive data across multiple industries. As such, they may find themselves affected by sector-specific regulations outside their own.

While meeting these requirements may seem like a burden, senior management can also view this as an opportunity. Proving compliance with one or more cybersecurity standards can be a competitive differentiator, giving companies significant leverage among clients increasingly worried about data breaches. When it comes to due diligence, a little pain now can yield significant gains further down the line. 

Eldon Sprickerhoff is founder and chief security strategist at cybersecurity company eSentire (www.esentire.com). In founding eSentire, Eldon responded to the incipient yet rapidly growing demand for a more proactive approach to preventing and investigating information … View Full Bio

Article source: https://www.darkreading.com/cloud/dealing-with-due-diligence/a/d-id/1329311?_mc=RSS_DR_EDT

Majority of IT Security Professionals Work Weekends

A survey finds that 57% of IT security professionals work weekends, and most say they still find their jobs rewarding.

An overwhelming number of IT security professionals consider their jobs rewarding even though 57% report that they work weekends, according to a survey released today by Farsight Security.

The survey, which queried 360 IT security professionals, found 97% indicated they still find their jobs rewarding and that 85% plan to remain working in security. Additionally, nearly a third of survey respondents, 29%, noted they work on average 10-hour days.

According to the survey, 51% of respondents stated they missed an important event more than once, as a result of a security-related incident at their employer.

“Securing the Internet, our businesses, and national infrastructure is one of the world’s most critical challenges. Cybersecurity professionals work hard behind the scenes to avert disasters that we rarely hear about, and we need more like them,” Paul Vixie, Farsight Security CEO, said in a statement.

Read more about the survey here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/careers-and-people/majority-of-it-security-professionals-work-weekends-/d/d-id/1329339?_mc=RSS_DR_EDT