STE WILLIAMS

Best Practices for Recruiting & Retaining Women in Security

Gender diversity can help fill the security talent gap, new Forrester Research report says.

The ongoing challenge to fill mass cybersecurity job vacancies amid the backdrop of a lack of diversity continues to haunt one of the world’s hottest industries.

But there are some best practices organizations can adopt to help hack the talent gap by recruiting and then retaining more women in the cybersecurity field, according to a new report from Forrester Research. A lack of staff (25%) and lack of staff with the right skills (22%) are the biggest challenges today for IT security decision-makers, according to the report, which draws from interviews with more than 30 women in the security field as well as men in security leadership roles, and other survey data and research.

The best practices for recruiting and retaining women in security include where to recruit outside – and within – an organization, how to build a relationship with the HR department, and creating a more inclusive and less biased corporate culture that attracts and fosters more diversity.

Forrester analyst Stephanie Balaouras, who co-authored the report with fellow analyst Claire O’Malley, says there are a couple of best practices for recruiting and retention that are fairly simple to adopt right away. “I definitely think recruiting beyond traditional security conferences and [job] fairs … is an easy step” to broaden recruitment, she says. “And looking at internal [employees who are] career-changers is a really easy one to take on, too.”

That means attending or sponsoring conferences like Women in Security and Privacy or Grace Hopper, for example, and recruiting from colleges and universities that enroll more or mostly women. Look for existing employees with risk, technology, or business skills who may be interested in a career change, such as an IT staffer or a business staffer with strong communication skills and creativity, Forrester recommends.

On the retention side, Balaouras recommends security mentoring programs for women on staff and advocating for cybersecurity events to become more inclusive and welcoming to women. “I myself personally benefited from mentoring, and a lot of people we interviewed for the report had mentors, [including] vendors outside of their job as part of their network, too,” she says. “And being a part of cultural change at cybersecurity events” is another initial step to help in the retention equation, she says.

Number Crunching

Forrester’s report cites the widely reported 11% statistic that quantifies women’s representation in the security industry worldwide, and the projected 1.8 million empty security positions worldwide by 2020, according to the Frost & Sullivan report from last year.

But initial data from an as-yet unpublished study by Cybersecurity Ventures shows the 11% number may be a bit on the low side. Steve Morgan, CEO and founder of Cybersecurity Ventures, says his firm’s research finds the number of women in cybersecurity jobs worldwide is actually over 20%. That number takes into account security vendors, security service providers, small- to midsized enterprises, and security startups in Israel that include women in their ranks.

“We looked at dozens of different sources and tried to synthesize [the data] and did our own outreach,” Morgan explains. Morgan says that while his firm’s data appears to indicate a healthier representation of women in the industry, it’s still not great news.

“Women are definitely underrepresented,” he says.

Forrester’s Balaouras says she believes women now represent somewhere between 15% and 20% of the industry when security vendors and other factors are included in the headcount. “It depends on how you define security. If you include security and risk, and include privacy, compliance and audit functions, I could easily see that it gets to 15 to 20% women.”

If the data is focused specifically on core security architecture and operations, including detection, threat hunting, forensics and incident response, the figure stays at about 11%, she says.

Meanwhile, Forrester’s report also notes that diverse teams and companies tend to be more successful, so there’s an obvious business benefit as well. “Studies show that diverse groups focus more on the facts, process these facts more carefully, and are more innovative — all outstanding attributes for a security team,” the report says.

“Companies in the top quartile for ethnic and racial diversity in management were 35% more likely to have financial returns above their industry mean, and those in the top quartile for gender diversity were 15% more likely to see returns above the industry mean,” Forrester said, citing data from a Harvard Business Review report.

Best Practices

Here are Forrester’s Best Practices for recruiting women in security:

Connect women with cybersecurity early on
Outreach with free cybersecurity classes and certificate training for underrepresented populations, for example. Another example is Palo Alto Networks’ partnership with the Girl Scouts’ cybersecurity badge.

Recruit from academic institutions with a higher enrollment of women
Check out colleges such as the University at Buffalo, Florida Institute of Technology, and the Massachusetts Institute of Technology (MIT), which partner with Women in Science and Engineering and the Graduate Consortium in Women’s Studies. Consider recruiting from women’s colleges like Bryn Mawr, Smith, and Wellesley.

Look to internal career-changers
Existing employees with risk and technology or business chops who bring risk management skills as well as communications and creativity strengths.

Look beyond STEM backgrounds
Few of the women Forrester interviewed began their careers via a traditional path.

Join forces with HR
Human Resources plays a major role in selecting job candidates, so work with HR to be sure you’re on the same page on diversity of hiring and the type of qualifications needed.

Sponsor, recruit from diverse security events
Think Grace Hopper, etc.

Mentoring programs
Encourage security staff to mentor women both inside and outside the organization.

Here are Forrester’s Best Practices for retaining and promoting women in security:

Track data on your diversity in hiring, promotions
How many women are in technical security jobs? How many have applied for open security positions? “Work with your HR department to dig into behaviors that may be holding candidates or employees back, and be honest about what needs to change,” the report says.

Provide training to deal with internal unconscious bias issues
DCI Consulting, Paradigm, and PDT, are examples of firms that offer unconscious-bias training services to help organizations set policies and procedures to remedy those problems.

Offer family-friendly benefits for all employees
Flexible maternity and paternity leave, breastfeeding rooms, and working remotely.

Formal mentoring programs
Professional support, career path assistance.

Culture improvements as a performance metric
Make employees accountable for helping foster a diversity culture.

Foster cultural change at cybersecurity events
Help encourage better harassment reporting and more representation of women speakers and panelists.

Black Hat Asia returns to Singapore with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier solutions and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/careers-and-people/best-practices-for-recruiting-and-retaining-women-in-security/d/d-id/1331114?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Enabling Better Risk Mitigation with Threat Intelligence


In order to get the maximum benefit from threat intel you need to be able to operationalize it. Here’s how.

To effectively respond to cyber threats these days you need to have a way to prioritize them. Data from your IDS, IPS, firewalls, routers and other internal hardware and software systems is critical to detecting threats on your network. But the sheer volume of alerts generated by these systems can make it very hard for your security team to separate the threats that are likely to cause most harm from the ones that are less severe.

Correlating external cyber threat intelligence with internal telemetry can help provide the context you need for prioritized responses. Indicators of compromise and other intelligence on threat campaigns, recent incidents, threat actors and their TTPs can help give you an idea of the threats that you should be most concerned about.

The data can also help you determine which of your assets are likely already compromised, or are in most danger, so you can put appropriate filters and mitigating controls in place to protect them. Such prioritization is vital at a time when cyberattacks are becoming increasingly targeted, persistent and pervasive.

The SANS Institute describes threat intelligence as “the process of understanding the threats to an organization based on available data points.” Threat intelligence is not just about collecting data but also about understanding how it relates to your organization. “Teams must combine data points with contextual information to determine relevant threats to the business,” says SANS.

A well-implemented threat intelligence capability can help improve your organization’s situational awareness, threat responsiveness and ability to detect threats. Market research firm MarketsandMarkets estimates the market for threat intelligence services will top $8.9 billion by 2022, up from around $3.8 billion in 2017.

Threat intelligence is available from a variety of sources and includes IOCs, malware hashes, listings of bad URLs and files, threat actor TTPs, incident reports, exploits and targets. You can get threat intelligence via free open source feeds, paid commercial services, from peer organizations, from sector-specific information sharing groups, even newsletters, emails and spreadsheets.

Implementation Challenges

In order to benefit from threat intelligence, you need to be able to operationalize it. That means you need to have systems and processes in place for consuming external threat intelligence and correlating it with data from your internal systems. You then need to be able to use the information to identify potential attacks and implement the necessary fixes enterprise-wide. The whole thing must happen quickly, consistently and reliably each time you identify a relevant threat.

The quality of your threat intelligence is key as well. For an intelligence feed to be useful, it needs to be timely, relevant and, most of all, accurate. It should give you context about vulnerabilities, exploits and adversaries and how they relate to your organization. A threat intelligence report should contain IOCs and other artifacts critical to identifying threats, such as file-, app-, IP- and web-reputation data. If you are consuming threat intelligence from multiple sources, as many organizations do, you need to be able to validate the data from the different feeds and weed out redundancies and inconsistencies.

Your internal telemetry is vital as well. External threat intelligence is of little use if you cannot map it to data from and about your internal systems. The massive data volumes and real-time nature of cyber threat intelligence also mean you require a security information and event management (SIEM) system or some other kind of automated capability for correlating external and internal data.

Bringing all this together is a large undertaking. Considering that the security team is likely overworked dealing with day-to-day operational issues, you are going to be hard pressed finding the staff and the resources needed for a robust threat intelligence program. But you do not always need a dedicated internal team to implement the capability. Numerous third-party managed services are available these days that can help you collect, aggregate and correlate external threat intelligence with telemetry from your internal systems and then analyze the data so you can take action on it.

Administrators for instance can use the actionable information from these services to automatically apply security policies on key network gateways to protect against unfolding attacks. Threat intelligence platforms and services can help you quickly triage developing events and dramatically shorten threat detection and response times.
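As an added example (not from the article or from Juniper), here is a small Python correlation pipeline over constructed data that does what the paragraphs above describe: it validates and merges indicators from two overlapping feeds, matches them against firewall, proxy and endpoint telemetry, and ranks the internal assets that should be looked at first. All feed values, hosts, log lines, field names and scoring weights are constructed for the example.

```python
"""Correlate external IOC feeds with internal telemetry and rank assets (added example)."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample feeds. Feed A and feed B overlap on one IP (a redundancy to
# merge) and feed B carries a malformed entry (an inconsistency to drop).
FEED_A = [
    {"type": "ip", "value": "203.0.113.45", "severity": 8, "campaign": "sample-campaign-1"},
    {"type": "domain", "value": "update-check.example.net", "severity": 6, "campaign": "sample-campaign-1"},
    {"type": "ip", "value": "198.51.100.7", "severity": 3, "campaign": "sample-scanner"},
]
FEED_B = [
    {"type": "ip", "value": "203.0.113.45", "severity": 9, "campaign": "sample-campaign-1"},
    {"type": "sha256", "value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
     "severity": 7, "campaign": "sample-dropper"},
    {"type": "ip", "value": "203.0.113", "severity": 9, "campaign": "sample-campaign-1"},  # malformed
]

# Constructed internal telemetry (firewall, proxy, endpoint) in a key=value form.
TELEMETRY = [
    "2018-02-23T10:01:02Z fw01 action=allow src=10.0.5.12 dst=203.0.113.45 dport=443",
    "2018-02-23T10:01:09Z fw01 action=allow src=10.0.5.12 dst=93.184.216.34 dport=443",
    "2018-02-23T10:02:11Z fw01 action=deny src=10.0.9.3 dst=198.51.100.7 dport=22",
    "2018-02-23T10:03:00Z proxy01 action=allow src=10.0.5.12 host=update-check.example.net",
    "2018-02-23T10:04:30Z edr01 action=exec src=10.0.7.21 "
    "sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
]

_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,}$", re.I)
_SHA256_RE = re.compile(r"^[0-9a-f]{64}$", re.I)


def valid_indicator(ioc_type, value):
    """Syntactic validation so a bad feed entry cannot poison the match table."""
    if ioc_type == "ip":
        try:
            ipaddress.ip_address(value)
            return True
        except ValueError:
            return False
    if ioc_type == "domain":
        return bool(_DOMAIN_RE.match(value))
    if ioc_type == "sha256":
        return bool(_SHA256_RE.match(value))
    return False


def merge_feeds(*feeds):
    """Validate, deduplicate and merge (name, entries) feeds into one table keyed by
    (type, value). Duplicates keep the highest severity and the union of campaigns."""
    merged = {}
    for name, entries in feeds:
        for entry in entries:
            key = (entry["type"], entry["value"].lower())
            if not valid_indicator(*key):
                continue
            ioc = merged.setdefault(key, {"severity": 0, "campaigns": set(), "sources": set()})
            ioc["severity"] = max(ioc["severity"], entry["severity"])
            ioc["campaigns"].add(entry["campaign"])
            ioc["sources"].add(name)
    return merged


def parse_event(line):
    """Parse 'timestamp sensor k=v k=v ...' into a dict."""
    ts, sensor, rest = line.split(None, 2)
    fields = dict(re.findall(r"(\w+)=(\S+)", rest))
    fields.update(ts=ts, sensor=sensor)
    return fields


# Which telemetry field is checked against which indicator type, and how much an
# observation counts: executing a known-bad file is stronger evidence than contacting
# a known-bad host, and a blocked contact is weaker still.
FIELD_MAP = {"dst": "ip", "host": "domain", "sha256": "sha256"}
ACTION_WEIGHT = {"allow": 1.0, "deny": 0.25, "exec": 1.5}


def correlate(indicators, lines):
    """Return one hit per (event, matching indicator), attributed to the internal asset."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        for field, ioc_type in FIELD_MAP.items():
            value = ev.get(field)
            ioc = indicators.get((ioc_type, value.lower())) if value else None
            if ioc is None:
                continue
            weight = ACTION_WEIGHT.get(ev.get("action"), 1.0)
            hits.append({"asset": ev["src"], "indicator": value, "type": ioc_type,
                         "score": round(ioc["severity"] * weight, 2),
                         "campaigns": ioc["campaigns"], "sensor": ev["sensor"], "ts": ev["ts"]})
    return hits


def prioritize(hits):
    """Rank assets by summed hit score; an asset that touched several distinct
    indicators of the same campaign gets a 1.5x bonus (multiple corroborating signals)."""
    per_asset = defaultdict(list)
    for h in hits:
        per_asset[h["asset"]].append(h)
    ranked = []
    for asset, ahits in per_asset.items():
        score = sum(h["score"] for h in ahits)
        seen = defaultdict(set)
        for h in ahits:
            for campaign in h["campaigns"]:
                seen[campaign].add(h["indicator"])
        if any(len(v) > 1 for v in seen.values()):
            score *= 1.5
        ranked.append({"asset": asset, "score": round(score, 2), "hits": len(ahits)})
    ranked.sort(key=lambda r: (-r["score"], r["asset"]))
    return ranked


def run_pipeline(feeds=(("feed_a", FEED_A), ("feed_b", FEED_B)), lines=TELEMETRY):
    return prioritize(correlate(merge_feeds(*feeds), lines))


if __name__ == "__main__":
    for row in run_pipeline():
        print(row)
```

With the constructed data, the host that both reached the feed IP and fetched from the feed domain ranks first, the endpoint that executed the known-bad file second, and the host whose connection the firewall already blocked last.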


Laurence Pitt is the Strategic Director for Security with Juniper Networks’ marketing organization in EMEA. He has over twenty years’ experience of cyber security, having started out in systems design and moved through product management in areas from endpoint security to …

Article source: https://www.darkreading.com/partner-perspectives/juniper/enabling-better-risk-mitigation-with-threat-intelligence/a/d-id/1331091?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

OpenBSD releases Meltdown patch

OpenBSD’s Meltdown patch has landed, in the form of a Version 11 code update that separates user memory pages from the kernel’s – pretty much the same approach as was taken in the Linux kernel.

A few days after the Meltdown/Spectre bugs emerged in January, OpenBSD’s Phillip Guenther responded to user concerns with a post saying the operating system’s developers were working out what to do.

Now he’s revealed the approach used to fix the free OS: “When a syscall, trap, or interrupt takes a CPU from userspace to kernel the trampoline code switches page tables, switches stacks to the thread’s real kernel stack, then copies over the necessary bits from the trampoline stack. On return to userspace the opposite occurs: recreate the iretq frame on the trampoline stack, switch stack, switch page tables, and return to userspace.”

That explanation is somewhat obscure to non-developers, but there’s a more readable discussion of what the project’s developers had in mind from January, here.

Part of the OpenBSD solution used the approach employed by Matthew Dillon in his DragonFly BSD – the per-CPU page layout aspect.

It’ll take testing for OpenBSD users to confirm the performance impact of the fix.

Guenther’s commit note says the aim was to implement the fix “with only the minimum of kernel code and data required for the transitions to/from the kernel (still marked as supervisor-only, of course)”.

That’s still challenging: earlier this month, Netflix (and dTrace) engineer Brendan Gregg ran tests on patched Linux, and found slowdowns between 0.1 per cent (bearable) and 6 per cent (important in big systems).

However, Gregg reckoned that skilled sysadmins would be able to tune their systems to cope; the same, we hope, will be true for OpenBSD. ®

Sponsored:
Minds Mastering Machines – Call for papers now open

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/02/23/openbsd_emits_meltdown_patch/

Intel didn’t tell CERTS, govs, about Meltdown and Spectre because they couldn’t help fix it

Letters sent to the United States Congress by Intel and the other six companies in the Meltdown/Spectre disclosure cabal have revealed how and why they didn’t inform the wider world about the dangerous chip design flaws.

Republican members of the House Energy and Commerce Committee sent letters to the seven in January, to seek answers about the reasons they chose not to disclose the flaws and whether they felt their actions were responsible and safe.

All the letters go over old ground: Google Project Zero spotted the design errors, told Intel, which formed a cabal comprising itself, Google, AMD, Arm, Apple, Amazon and Microsoft. The gang of seven decided that Project Zero’s 90-day disclosure deadline had to be extended to January, then spoke to others to help them prepare fixes. But stray posts and sharp-eyed Reg hacks foiled that plan as we broke the news on January 3rd.

The flaws are so serious that Congressmen insisted the seven explain themselves, and now we have the letters in which they attempt to do so, with links on this page.


Intel’s letter (PDF) is the most informative because it reveals “Before the leak, Intel disclosed information about Spectre and Meltdown only to companies who could assist Intel in enhancing the security of technology users.”

That meant the cabal felt none of the US government, the United States Computer Emergency Readiness Team or the Computer Emergency Readiness Team Coordination Center would be useful in preparing a response to the mess it made. Once news of the flaws broke, Intel “expedited its plans to deploy the mitigations and promptly briefed governments and others about the issues.”

Intel explained that it devised this response after considering the “CERT Guide to Coordinated Vulnerability Disclosure”, the “Common Vulnerabilities and Exposures (CVE) Numbering Authority Rules” and the “Forum of Incident Response and Security Teams Common Vulnerability Scoring System”.

The letter also states that “Later this year, Intel will introduce new hardware design changes in our products to address vulnerabilities such as Spectre and Meltdown.”

Microsoft’s dilemma

The other letters mostly point out that Spectre and Meltdown are Intel’s problems, so while the cabal members answer the questions they defer to Chipzilla’s actions. But there are still a few fun factoids.

Microsoft’s, for example, revealed that it knew its fixes would break some anti-virus software and tried to warn vendors of such products in advance, but couldn’t tell them why it was making changes for fear of leaking news of Meltdown and Spectre.

Arm’s response almost feels like it was chuffed to be asked to play with the big boys. “Before Spectre and Meltdown, Arm had not been involved in multiparty coordinated vulnerability disclosure.” Its letter says the company’s senior managers and Board were made aware of the issue, and the fix was made a “major priority”.

Amazon said it “focussed our efforts on developing countermeasures for the Linux operating system and the Xen hypervisor”.

There’s no sign of responses from the Congressmen who sent the letters. If that changes, so will this story. Or we’ll write another. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/02/23/meltdown_spectre_letters_to_congress/

That microchipped e-passport you’ve got? US border cops still can’t verify the data in it

Two Democratic US senators have formally asked Uncle Sam’s Customs and Border Protection (CBP) agency to get its act together on electronic passports.

In 2005, America began issuing passports with implanted machine-readable RFID chips that contain the traveler’s personal information. This data is cryptographically signed so that if the information is later altered, these changes can be detected and stern questions asked. Also, counterfeit passports should be obvious because they won’t have a valid digital signature.

Two years later, the US government ordered countries in its visa waiver program to also embed this chip technology in their own passports.

Just one little problem, though: the CBP couldn’t, and still can’t, actually process the digital signatures in the passport chips, and thus verify that the information hasn’t been tampered with or completely made up.

To be clear: America’s border cops can wirelessly read a traveler’s personal data from the implanted chip. The officials just don’t have the tools to check if the records are, you know, legit, and therefore check whether a person queuing to enter the Land of the Free is who they say they are, when using this embedded tech.

And this has been the case for at least the past decade.

“CBP does not have the software necessary to authenticate the information stored on the e-passport chips,” Senators Ron Wyden (D-OR) and Claire McCaskill (D-MO) wrote in a letter sent to CBP’s top brass today.

“Specifically, CBP cannot verify the digital signatures stored on the e-passport, which means that CBP is unable to determine if the data stored on the smart chips has been tampered with or forged.”

Back in 2010, the US Government Accountability Office noted that CBP still hadn’t bought the software to verify the e-passport chips contained the correct information, and nothing has changed since. When the usually grim-faced CBP officer scans your passport today, there’s no way to verify the integrity of the chip’s data.

“It is past time for CBP to utilize the digital security features it required be built into e-Passports,” Wyden and McCaskill thundered.

The senators asked the CBP to work with the government’s General Services Administration to build a budget for introducing the software needed to make the e-passport system work as intended – and they want to see a concrete plan for its introduction by January 1 next year.

CBP had no comment at time of publication. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/02/22/us_borders_e_passports/

Criminals Obtain Code-Signing Certificates Using Stolen Corporate IDs

The certificates are available on demand at prices ranging from $299 to $1,599, says Recorded Future.

Malware authors have for some time been using code-signing certificates for their malicious payloads so they can sneak past enterprise anti-malware tools. But contrary to popular belief, not all of the certificates that are being used to distribute malware are stolen from their legitimate owners.

New research by Recorded Future shows that a growing number of code-signing certificates in the cyber underground are actually being created on demand for specific buyers by Dark Web vendors using stolen corporate identities. Each certificate is unique to the buyer and is usually delivered within two to four days.

The certificates, available for prices ranging from $299 to $1,599, are being issued by reputable companies such as Symantec, Comodo, and Thawte, and are proving very effective at malware obfuscation, Recorded Future said in a report this week.

“We do not have information on what percentage of all certificates circulating in the Dark Web were obtained using compromised corporate credentials,” says Andrei Barysevich, director of advanced collection at Recorded Future. “However, considering the malicious intent of hackers when utilizing such certificates, it is safe to assume that a high proportion of them were obtained fraudulently.”

The use of code-signing certificates to distribute malware is not new. But more malware authors have recently begun resorting to the tactic as a way to distribute malware.

Organizations use code-signing certificates to authenticate their software and protect it against tampering. The certificates give users a way to verify the identity of the publisher and the integrity of the code. Malware that has been digitally signed with a valid code-signing certificate can be hard to spot. Most anti-malware tools and browsers assume the payload can be trusted because it is from a trusted publisher.

Security vendor Venafi last October reported that a six-month investigation it had conducted showed a thriving market for code-signing certificates on the Dark Web.

The research, conducted for Venafi by the Cyber Security Research Institute, showed such certificates to be more expensive than stolen US passports, credit cards, and even handguns. Venafi found that stolen code-signing certificates can fetch up to $1,200 in underground markets and are being used in a wide range of malicious activity including man-in-the-middle attacks, malware obfuscation, website spoofing, and data exfiltration.

Recorded Future says its investigation shows cybercriminals are currently offering new code-signing certificates and domain-name registration services with SSL certificates. The vendors of these services register the counterfeit certificates using stolen information belonging to legitimate organizations. There is little indication that impacted companies are aware their identity data is being used to illegally obtain code-signing certificates for use by malware authors.

Recorded Future researchers first observed a Dark Web vendor selling such certificates in 2015. Since then, they have seen at least three new actors selling code-signing certificates obtained from major CAs using stolen corporate credentials. One of the vendors has moved on to other activities while the remaining two are currently continuing to sell counterfeit certificates primarily to Russian threat actors.

One of the vendors specializes only in Class 3 certificates that do not support the so-called Extended Validation (EV) assurance, while the other sells EV certificates as well, Recorded Future said. The basic certificates without EV assurance are available for $600 from the vendors, or twice the $295 that an organization would normally pay for a code-signing certificate for legitimate use.

A threat actor that wants to buy a high-assurance version of a code-signing certificate can get one for $1,599 — a 230% markup compared to the price of an authentic certificate, Recorded Future said. A fully authenticated domain with EV SSL encryption and code-signing support costs $1,799 currently.

“Surprisingly, across the vast number of cybercriminal communities we monitor, we only identified two vendors of compromised certificates, both of whom are Russian-speaking,” Barysevich says. “They were, however, offering their products indiscriminately to any willing buyer.”

The cost associated with these certificates means they are likely to be of most interest to hackers with specific motives in mind, he says. “Attackers who are engaged in targeted campaigns, such as corporate espionage or bank infiltration, are the most likely buyers of counterfeit code-signing certificates,” Barysevich says.

“That being said, there are many applications of compromised SSL EV certificates, and they could be used in a more widespread malware campaign.”


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/vulnerabilities---threats/criminals-obtain-code-signing-certificates-using-stolen-corporate-ids--/d/d-id/1331113?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Best Practices for Recruiting and Retaining Women in Security

Gender diversity can help fill the security talent gap, new Forrester Research report says.

The ongoing challenge to fill mass cybersecurity job vacancies amid the backdrop of a lack of diversity continues to haunt one of the world’s hottest industries.

But there are some best practices organizations can adopt to help hack the talent gap by recruiting and then retaining more women in the cybersecurity field, according to a new report from Forrester Research. A lack of staff (25%) and lack of staff with the right skills (22%) are the biggest challenges today for IT security decision-makers, according to the report, which draws from interviews with more than 30 women in the security field as well as men in security leadership roles, as well as other survey data and research.

The best practices for recruiting and retaining women in security include where to recruit outside – and within – an organization, how to build a relationship with the HR department, and creating a more inclusive and less biased corporate culture that attracts and fosters more diversity.

Forrester analyst Stephanie Balaouras, who co-authored the report with fellow analyst Claire O’Malley, says there are a couple of best practices for recruiting and retention that are fairly simple to adopt right away. “I definitely think recruiting beyond traditional security conferences and [job] fairs … is an easy step” to broaden recruitment, she says. “And looking at internal [employees who are] career-changers is a really easy one to take on, too.”

That means attending or sponsoring conferences like Women in Security and Privacy, or Grace Hopper, for example, and recruiting from colleges and universities that enroll more or mostly women. Look for existing employees with risk and technology, or business skills, who may be interested in a career change like an IT staffer or business staff with strong communications skills and creativity, Forrester recommends.

On the retention side, Balaouras says security mentoring programs for women on staff as well as helping advocate for cybersecurity events to become more inclusive and welcoming to women. “I myself personally benefited from mentoring, and a lot of people we interviewed for the report had mentors, [including] vendors outside of their job as part of their network, too,” she says. “And being a part of cultural change at cybersecurity events” is another initial first step to help in the retention equation, she says.

Number Crunching

Forrester’s report cites the widely cited 11% number the quantifies women’s representation in the security industry worldwide, and the projected 1.8 million empty security positions worldwide by 2020, according to the Frost Sullivan report from last year.

But initial data from an as-yet unpublished study by Cybersecurity Ventures shows the 11% number may be a bit on the low side. Steve Morgan, CEO and founder of Cybersecurity Ventures, says his firm’s research finds the number of women in cybersecurity jobs worldwide is actually over 20%. That number takes into account security vendors, security service providers, small-to midsized enterprises, and looking at security startups in Israel that include women in their ranks.

“We looked at dozens of different sources and tried to synthesize [the data] and did our own outreach,” Morgan explains. Morgan says that while his firm’s data appears to indicate a healthier representation of women in the industry, it’s still not great news.

“Women are definitely underrepresented,” he says.

Forrester’s Balaouras says she believes women now represent somewhere between 15- and 20% of the industry when security vendors are included in the headcount, and other factors. “It depends on how you define security. If you include security and risk, and include privacy, compliance and audit functions, I could easily see that it gets to 15- to 20% women.”

If the data is focused specifically on core security architecture and operations, including detection, threat hunting, forensics and incident response, the figure stays at about 11%, she says.

Meanwhile, Forrester’s report also notes that diverse teams and companies tend to be more successful, so there’s an obvious business benefit as well. “Studies show that diverse groups focus more on the facts, process these facts more carefully, and are more innovative — all outstanding attributes for a security team,” the report says.

“Companies in the top quartile for ethnic and racial diversity in management were 35% more likely to have financial returns above their industry mean, and those in the top quartile for gender diversity were 15% more likely to see returns above the industry mean,” Forrester said, citing data from a Harvard Business Review report.

Best Practices

Here are Forrester’s Best Practices for recruiting women in security:

Connect women with cybersecurity early on
Outreach with free cybersecurity classes and certificate training for underrepresented populations, for example. Another example is Palo Alto Networks’ partnership with the Girl Scouts’ cybersecurity badge.

Recruit from academic institutions with a higher enrollment of women
Check out colleges such as the University at Buffalo, Florida Institute of Technology, and the Massachusetts Institute of Technology (MIT), which partner with Women in Science and Engineering and the Graduate Consortium in Women’s Studies. Consider recruiting from women’s colleges like Bryn Mawr, Smith, and Wellesley.

Look to internal career-changers
Existing employees with risk and technology or business chops who bring risk management skills as well as communications and creativity strengths.

Look beyond STEM backgrounds
Few of the women Forrester interviewed began their careers via a traditional path.

Join forces with HR
Human Resources plays a major role in selecting job candidates, so work with HR to be sure you’re on the same page on diversity of hiring and the type of qualifications needed.

Sponsor, recruit from diverse security events
Think Grace Hopper, etc.

Mentoring programs
Encourage security staff to mentor women both inside and outside the organization.

Here are Forrester’s Best Practices for retaining and promoting women in security:

Track data on your diversity in hiring, promotions
How many women are in technical security jobs? How many have applied for open security positions? “Work with your HR department to dig into behaviors that may be holding candidates or employees back, and be honest about what needs to change,” the report says.

Provide training to deal with internal unconscious bias issues
DCI Consulting, Paradigm, and PDT, are examples of firms that offer unconscious-bias training services to help organizations set policies and procedures to remedy those problems.

Offer family-friendly benefits for all employees
Flexible maternity and paternity leave, breastfeeding rooms, and working remotely.

Formal mentoring programs
Professional support, career path assistance.

Culture improvements as a performance metric
Make employees accountable for helping foster a diversity culture.

Foster cultural change at cybersecurity events
Help encourage better harassment reporting, more representation of women speakers and panelists, for example.

Black Hat Asia returns to Singapore with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier solutions and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/careers-and-people/best-practices-for-recruiting-and-retaining-women-in-security/d/d-id/1331114?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Anatomy of an Attack on the Industrial IoT

How cyber vulnerabilities on sensors can lead to production outage and financial loss.

We like to think that cyberattacks are focused primarily on stealing credit card numbers and that attackers don’t know much about the control systems that run critical infrastructure. Unfortunately, that’s just wishful thinking. In 2017, we saw an increasing number of threat actors bypass existing network perimeter security controls to perform sophisticated reconnaissance of industrial process control networks (PCNs). They then moved beyond reconnaissance to infiltrate PCNs and disrupt production.

Here’s how a knowledgeable outsider can shut down an industrial process using a published industrial control system (ICS) vulnerability in a way that is very difficult to detect.

Ambient gas detectors identify releases of small amounts of toxic flammable gases. It is common to locate many such detectors in a processing area, and to configure both alarms and automatic process shutdowns on multiple simultaneous detection signals.

In December 2015, ICS-CERT published advisory ICSA-15-309-02, which provided details on vulnerabilities affecting specific ambient gas detectors. According to the ICS-CERT advisory, “Successful exploitation of these vulnerabilities could allow a remote attacker to gain unauthenticated access to the device, potentially allowing configuration changes, as well as the initiation of calibration or test processes.” The advisory noted that “an attacker with low skill would be able to exploit these vulnerabilities.”

Now, let’s examine industrial Internet of Things (IoT) devices and their vulnerabilities through the eyes of an attacker. The attacker has performed reconnaissance against an industrial facility, probing its cyber defenses. During her reconnaissance, she obtained access and visibility to a dozen gas detectors. Due to the Web server interface vulnerability identified in the ICS-CERT advisory, she can bypass the authentication process and make configuration changes to the device, such as altering detection ranges and alarm limits. This access enables her to generate alarms at will.

Armed with this access and knowledge, she decides to launch an attack aimed at shutting down production by tricking operators into taking drastic action for a condition that does not exist.

In the initial phase of her attack, she decides that she doesn’t want to make all sensors alarm at once. Instead, she selects four or five sensors that seem associated by their names (West Side First Level, West Side Second Level), and initiates an alarm by lowering the alarm threshold.

The detectors generate false alarms that appear to an operator as a serious leak. However, the operator has no way of knowing the alarms are false. The operator responds to the situation in a variety of ways, such as lowering the production rate, lowering pressure, or even shutting down part of the process. Evacuation of operations and maintenance personnel in the affected area is ordered. Responders suit up and try to verify the sensor readings using hand-held gas detectors, but they find nothing. The physical process examination is thorough and time consuming. Since multiple gas detector alarms sounded simultaneously, operators take the situation seriously because they cannot attribute it to a single sensor failure.

In the meantime, the attacker covers her tracks, restoring the manipulated detectors to their initial values. By the time the investigator reviews the configuration of the detectors, there is nothing amiss. After an exhaustive yet futile leak search, the process is restarted, but with additional personnel stationed in the area with leak detectors, which is both expensive and disruptive to production.

The attacker is patient. Two weeks later, she strikes again, choosing different sensors. The attacker is smart enough to select sensors based on wind direction — easy to determine from weather.com — this time, on the south side. The response to this second incident may require a much more detailed plant inspection, involving hundreds of hours and a significant production outage looking for a leak that isn’t there. The hours to investigate the false gas leak and the loss of production can result in a cost of hundreds of thousands of dollars per attack.
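The scenario above succeeds partly because the detectors are restored before anyone inspects them, so the configuration that the investigator sees is the approved one. The defensive counter is to poll and record detector configuration independently of the device, diff it against an engineer-approved baseline, and correlate alarms with any detector whose setpoint was off-baseline when it fired. The following Python is an added example written for this article, not code from the article, from PAS Global, or from any detector vendor; the detector names, the 20 ppm baseline, the polling interval, the snapshot and alarm records, and the helper names are all constructed for illustration.

```python
"""Configuration-drift monitor for ambient gas detectors (added example).

Assumes a hypothetical poller that reads each detector's alarm setpoint
on a schedule and a historian that records alarms. All records below are
constructed sample data, not captured from a real plant.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Snapshot:
    ts: datetime
    detector: str
    threshold_ppm: int  # alarm setpoint as read back from the device


@dataclass(frozen=True)
class Alarm:
    ts: datetime
    detector: str
    reading_ppm: int  # gas concentration the device reported when it alarmed


@dataclass(frozen=True)
class Finding:
    ts: datetime
    detector: str
    kind: str  # "drift", "reverted", "unknown-device" or "suspect-alarm"
    detail: str


def detect_drift(snapshots, baseline):
    """Diff every polled setpoint against the approved baseline.

    Emits a 'drift' finding when a setpoint leaves the baseline and a
    'reverted' finding when it returns, so a change that is undone before
    anyone inspects the device is still on record.
    """
    findings = []
    drifted = {}  # detector -> (first off-baseline ts, off-baseline value)
    for s in sorted(snapshots, key=lambda s: s.ts):
        approved = baseline.get(s.detector)
        if approved is None:  # a device nobody approved is itself a finding
            findings.append(Finding(s.ts, s.detector, "unknown-device",
                                    "detector not in approved baseline"))
        elif s.threshold_ppm != approved:
            if s.detector not in drifted:
                drifted[s.detector] = (s.ts, s.threshold_ppm)
                findings.append(Finding(s.ts, s.detector, "drift",
                                        f"setpoint {approved} -> {s.threshold_ppm} ppm"))
        elif s.detector in drifted:
            since, value = drifted.pop(s.detector)
            findings.append(Finding(s.ts, s.detector, "reverted",
                                    f"setpoint back to {approved} ppm after "
                                    f"{s.ts - since} at {value} ppm"))
    return findings


def last_snapshot_before(snapshots, detector, ts):
    """Most recent polled configuration of a detector at or before ts."""
    cands = [s for s in snapshots if s.detector == detector and s.ts <= ts]
    return max(cands, key=lambda s: s.ts) if cands else None


def suspect_alarms(alarms, snapshots, baseline):
    """Flag alarms that would not have fired at the approved setpoint."""
    findings = []
    for a in sorted(alarms, key=lambda a: a.ts):
        snap = last_snapshot_before(snapshots, a.detector, a.ts)
        approved = baseline.get(a.detector)
        if snap is None or approved is None:
            continue
        if snap.threshold_ppm < approved and a.reading_ppm < approved:
            findings.append(Finding(a.ts, a.detector, "suspect-alarm",
                                    f"reading {a.reading_ppm} ppm is below approved "
                                    f"setpoint {approved} ppm (device setpoint was "
                                    f"{snap.threshold_ppm} ppm)"))
    return findings


def detectors_alarming_together(findings, window=timedelta(minutes=10)):
    """Largest set of distinct detectors with suspect alarms inside one window.

    Several detectors alarming together is what makes operators act, so a
    cluster of off-baseline alarms deserves escalation before evacuation.
    """
    suspect = [f for f in findings if f.kind == "suspect-alarm"]
    best = set()
    for f in suspect:
        group = {g.detector for g in suspect if f.ts <= g.ts <= f.ts + window}
        if len(group) > len(best):
            best = group
    return best


def poll(ts, values):
    """Build the snapshots of one polling cycle from {detector: setpoint}."""
    return [Snapshot(ts, d, v) for d, v in values.items()]


# Constructed sample data: four detectors, approved setpoint 20 ppm each.
BASELINE = {"GD-W1": 20, "GD-W2": 20, "GD-W3": 20, "GD-S1": 20}
T0 = datetime(2018, 2, 22, 8, 0)
SNAPSHOTS = (
    poll(T0, {"GD-W1": 20, "GD-W2": 20, "GD-W3": 20, "GD-S1": 20})
    + poll(T0 + timedelta(minutes=5), {"GD-W1": 5, "GD-W2": 5, "GD-W3": 20, "GD-S1": 20})
    + poll(T0 + timedelta(minutes=10), {"GD-W1": 20, "GD-W2": 20, "GD-W3": 20, "GD-S1": 20})
)
ALARMS = [
    Alarm(T0 + timedelta(minutes=6), "GD-W1", 7),   # fired only because setpoint was 5
    Alarm(T0 + timedelta(minutes=6), "GD-W2", 8),   # same
    Alarm(T0 + timedelta(minutes=30), "GD-S1", 45),  # genuine: above approved 20 ppm
]

if __name__ == "__main__":
    for f in detect_drift(SNAPSHOTS, BASELINE) + suspect_alarms(ALARMS, SNAPSHOTS, BASELINE):
        print(f.ts.time(), f.detector, f.kind, f.detail)
    print("alarming together:", detectors_alarming_together(suspect_alarms(ALARMS, SNAPSHOTS, BASELINE)))
```

The point of keeping the snapshot history outside the device is that the "reverted" finding survives even after the attacker restores the original values; the investigator then has a five-minute window in which two west-side setpoints were 5 ppm and two alarms fired at readings that would never have tripped the approved 20 ppm setpoint. The polling interval must be shorter than the time an attacker needs to lower, alarm and restore, and the poller's own credentials and network path need the same protection as the engineering workstation.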

This attack underscores the importance of assessing all known ICS vulnerabilities and prioritizing them based on risk and consequences. Industrial teams must remediate or mitigate high-priority vulnerabilities as quickly as possible. For example, the ICS-CERT advisory I reference in the example recommends implementing a firmware upgrade to remediate the device vulnerability.

Before applying system updates, though, asset owners must consider potential impacts. ICSs are highly proprietary, complex systems, implemented with very specific hardware configurations and operating system versions. Because automation systems depend on precise configuration specifications, software or configuration changes can cause malfunctions that negatively affect process reliability and safety. ICS upgrades or patches must receive thorough testing by both the system vendor and the asset owner’s automation engineers prior to implementation. Due to uptime requirements, asset owners in plants must plan and schedule updates months in advance. ICS upgrades and patching are a major effort for plant staff.

New vulnerabilities appear daily. Effectively managing the ever-increasing number of vulnerabilities that can affect ICSs is critical to industrial cybersecurity. Most companies struggle to keep up with the myriad ICS alerts and advisories issued each month. In fact, far too often, ICS vulnerabilities are unseen or ignored, leaving many plants at risk.

Plant managers need to make sure that their facilities have vulnerability management programs in place for continuous assessment of ICSs. Current remediation and mitigation states must be tracked and managed systematically to obtain a clear understanding of industrial risk. The downside for companies that fail to recognize and address these serious risks is that they face potentially disastrous consequences that may negatively affect plant safety, reliability, and the company’s bottom line.

Eddie Habibi is the founder and CEO of PAS Global. Eddie is a pioneer and a thought leader in the fields of industrial control systems (ICS) cybersecurity, Industrial IoT, data analytics, and operations management. In 2017, PAS was recognized in CRN’s 15 coolest industrial …

Article source: https://www.darkreading.com/vulnerabilities---threats/anatomy-of-an-attack-on-the-industrial-iot-/a/d-id/1331097?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

IRS Warns of Spike in W-2 Phishing Emails

The IRS reports an increase in reports of phishing emails asking for W-2 information.

The IRS Online Fraud Detection Prevention Center (OFDP), which monitors for IRS-related phishing attacks, said it has detected an increase in compromised emails, starting in January 2017. It says cybercriminals are aiming for mass data theft in addition to targeting individual taxpayers.

Their most common tactic is impersonating an executive with a compromised email, which is sent to a human resources professional within the same business to request W-2 information. OFDP officials say this is one of several new variations of phishing campaigns targeting W-2 data, a sign of criminals’ growing interest in sensitive tax information.

Businesses are urged to limit the number of employees who handle wire transfers, adopt multifactor authentication to verify requests for W-2 information, and use verbal confirmation for data change requests. Those hit with these attacks should report data loss to the IRS, state tax agencies, and the FBI’s Internet Crime Complaint Center. Suspected phishing emails should also be reported to the IRS.

Read more details here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/endpoint/irs-warns-of-spike-in-w-2-phishing-emails-/d/d-id/1331108?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

SEC: Companies Must Disclose More Info on Cybersecurity Attacks & Risks

New agency guidance statement also says company officials, execs can’t trade stocks if they have unannounced information on a security breach at the company.

The Securities and Exchange Commission (SEC) has issued updated guidance for public companies that calls for providing investors more information on their cybersecurity incidents – as well as risks – in a more timely fashion.

In the so-called interpretive guidance statement released yesterday, the commission also said corporate officers, directors, and “other corporate insiders” cannot trade shares if they have unpublicized knowledge of a security incident at the company.

“Public companies should have policies and procedures in place to (1) guard against directors, officers, and other corporate insiders taking advantage of the period between the company’s discovery of a cybersecurity incident and public disclosure of the incident to trade on material nonpublic information about the incident, and (2) help ensure that the company makes timely disclosure of any related material nonpublic information,” the SEC said.

The SEC didn’t specify what it meant by “timely fashion,” but it did reiterate the need to disclose breaches and security risks sooner and with more information. “Given the frequency, magnitude and cost of cybersecurity incidents, the Commission believes that it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyber-attack,” the SEC said in its statement. 

Chris Pierson, CEO of Binary Sun Cyber Risk Advisors, says the SEC’s new guidance forces companies to more proactively address risks of security incidents.

“This Guidance serves as a loud wake-up call for all Boards of Directors to determine who among them is a cybersecurity and risk expert, what role the Board is playing in governing cybersecurity risks, and how exactly the Board is managing these risks and responding to incidents,” Pierson says. “Just like with Sarbanes Oxley, the SEC is telling the Board to figure out how they will govern and oversee all risks, but most especially cybersecurity risks and incidents.”

The SEC doesn’t go into specifics on disclosure guidance. Chris Roberts, chief security architect at Acalvio, says the SEC actually goes “round and round in circles” on that.

“Basically it’s saying we’d like to know if you have a risk, but we are not really asking because we don’t want you to disclose because that’ll be bad and give the criminals ways to break into you,” he says. “But, really we want to know if it’s going to break Wall Street. However, we don’t want to know because it’ll break you. But we kind of want to know if you really think we need to know,” he says the SEC’s statement said.

Read the full SEC guidance here.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/endpoint/privacy/sec-companies-must-disclose-more-info-on-cybersecurity-attacks-and-risks/d/d-id/1331109?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple