Comment

Beware of VARs posing as Managed Security Service Providers (MSSP)

Cyber security should be a concern for any company, and especially small and mid-sized businesses (SMB). But this does not mean that those SMBs should turn to their value-added reseller (VAR) or managed IT service partners (MSP) for help. On the contrary, those partners have a clear motivation: Sell you more security tools and IT services, and Cyber Security is not about the hardware and software tools. Those companies who get 80% or 90% of their revenue from resale of vendor tools still must have the motivation to sell more tools in order to fund their new foray into security. With shrinking margins for reselling tools these companies are turning to managed services, including security. This does not make them security experts.

The good news is that the trend is for businesses to turn to a Managed Detection and Response (MDR) provider, which is a great way to reduce costs and risks and get a true security strategy in place. However, if that service is simply a “bolted-on” service that your long-time VAR or MSP is adding in order to capitalize on a hot market, you may be making a mistake. Security is a very deep and technical disciple and takes a clear focus to get right. Spinning up a SEIM tool, collecting logs and installing Anti-virus on your endpoints is not complete security.

Another trend for VARs is to resell or use an MSSP white-labeled service under their logo. This may be a good service from the partner MSSP, but the VAR will typically struggle to add necessary security expertise and security process for a service they may not know a lot about. They may also use security monitoring to position specific hardware they want to sell you to provide the service. In fact, that hardware may be a good control and worth the price, but it needs to be assessed from a risk point of view, not a vendor. Do not get your security strategy from a security product vendor. When you sell hammers, everything looks like a nail.

So, what should you look for when your business needs help with cyber security and you want to keep costs down, risks under control and need a true security partner that focuses on your business and not their bottom line? Here is a quick list to start:

• Pick an MDR partner that provides cyber security only, and that is their sole focus.

• Pick an Independent MSSP/MDR provider that does not sell any hardware or software tools. They will have your interests in mind when recommending controls and tools you may need.

• Use an MDR partner that treats cyber security as a Business Risk, not just a technical one. It is not about the tools. Make sure risk management is part of the MDR service.

• Use an MDR partner that does gap and risk assessments, tied to industry standards, not just glass watching.

• Use a “high touch” MDR partner. Just getting alerts thrown over to you by email is not effective. You need a true security firm that will be your vCISO advisor.

If your SMB needs some help with cyber security then get an MDR service that includes people, process, technology and risk management. Tools will change, and actually this is one of the reasons you want to consider outsourcing your security to an independent MDR partner, so that you get best of breed coverage that you may not be able to afford otherwise. Don’t jump into security services because of a provider’s appliance, firewall, tool or software. Jump in for the right reason, to enable your business. Beware of a VAR in MSSP clothing. You will be glad you did.

Comment

Comment

SENIOR CYBER SECURITY LEADER JOINS SECUVANT AS GLOBAL SOC MANAGER

Neal_Francom.jpg

Salt Lake City, UT (November 14, 2017) – Secuvant, an independent cyber security risk management and managed detection and response firm, today announced that Neal Francom has joined the company as its new Global Security Operation Center (SOC) Manager. Neal brings over 20 years of experience in the information/Cyber Security field, and many more years of experience building successful businesses and programs. Neal will be leading the Secuvant cyberMDR operations practice that delivers unique business-driven co-managed security detection and response services to clients and locations around the world.

“We are incredibly lucky to have Neal lead our SOC. This is not Neal’s first rodeo! His experience is very impressive. Having Neal as part of the Secuvant leadership team shows clients our commitment to excellence and experience,” said Todd Neilson, COO and co-founder of Secuvant. “Neal brings a very unique balance of security leadership experience, team building expertise, and an entrepreneurial spirit to help manage our hyper-growth and process improvement. He is a world-class talent.”

Neal joins Secuvant in his second act after retiring several months ago from the Office of the CISO, in the Information Services and Communications Department of The Church of Jesus Christ of Latter-day Saints. He most recently served as the Information Security and Risk Portfolio Director and Church IT Audit Response Manager. He had also been the Chief of Staff to the CISO and an Assistant CISO over the past 10+ years. He is a seasoned professional with solid IT systems design, cyber security, IT auditing, domestic and international privacy compliance, operations policy/process design, staff planning and training experience.

“I had a number of opportunities after retiring and Secuvant is the most unique security play I have seen” said Neal. “The Business-enabled cyber security platform is not just a sales pitch, it is how we manage our client’s risk. The Secuvant leaders and SOC team are wonderful to work with and I am excited about the future.”

About Secuvant: Secuvant is unique in its product-independent approach to cyber security, uniquely focusing on the Secuvant Cyber-7™ business priorities. Secuvant is one of the fasting growing companies in Utah providing business-drive cyber security solutions including gap and risk assessments, risk management programs, a complete managed detection and response using its state-of-the-art security operations center for the SMB market. Secuvant provides a complete team, tools, technology and processes, and in most cases for less than hiring

Comment

Comment

JOE NELSON JOINS SECUVANT AS VICE PRESIDENT OF MANAGED SERVICES

Salt Lake City, UT (August 3, 2017) – Secuvant, an independent cyber security risk management and managed detection and response firm, today announced that Joe Nelson has joined the company as Vice President of Managed Services. Joe has over 20 years of experience in technical project management and IT operations with amazing skills and experience adding efficiencies to complex processes. Joe will be working directly with Secuvant clients to deliver Secuvant’s enterprise grade cyberMDR Managed Detection and Response services along with Secuvant’s unique risk management program based on the Secuvant Cyber-7™.

“Joe brings an amazing operational skill set to Secuvant managed services that will help our clients see the true business value of cyber security,” said Todd Neilson, President and COO of Secuvant. “Joe’s client facing skills, process automation experience and technical ability is the right combination to deliver on the high-touch model our clients are used to. Joe allows Secuvant to manage our hyper-growth while maintaining an excellent client experience.”

Prior to joining Secuvant Joe spend over twelve years as an Enterprise Network Service Manager for the LDS Church managing global network projects, driving excellence into life-cycle programs and mapping service improvements and demand management. Joe has a technical background as an engineer as well, spending time at Cutthroat Communications and Avalanche Net Wireless.

“This is a great opportunity for me to join a fast paced, fast growing company in the dynamic cyber security space,” said Joe. “Secuvant has something special and unique in how we offer security services that is based on business risk, and not just throwing tools at the problem. I am looking forward to working with Secuvant’s current clients to achieving excellence using the Cyber-7™ methodology, along with helping new companies get real business value as they join Secuvant’s managed services.”

About Secuvant: Secuvant is unique in its product-independent, vendor-agnostic approach to cyber security, uniquely focusing on the Secuvant Cyber-7™ business priorities. Secuvant is one of the fasting growing companies in Utah providing business-driven cyber security solutions to the SMB market, including gap and risk assessments, risk management programs, and a complete managed detection and response service, delivered from its state-of-the-art security operations center. Secuvant provides a complete team, tools, technology and processes, and in most cases, all for less than the cost of hiring internal resources.

# # #

If you would like more information about this topic, please contact Jeff Smith, EVP Business Development at 855-SECUVANT or email at JSmith@Secuvant.com.

Comment

Comment

CYBER SECURITY EXPERT AND ATTORNEY MATT SORENSEN JOINS SECUVANT AS CISO & VP OF RISK MANAGEMENT

Salt Lake City, UT (July 27, 2017) – Secuvant, an independent cyber security risk management and managed detection and response firm, today announced that Matt Sorensen has joined the company as its new Chief Information Security Officer and Vice President of Risk Management. Matt brings 17 years of security experience, over 17 professional certifications in cyber security and 6 years as an Attorney to Secuvant. Sorensen will be leading the Secuvant cyberRPM practice that is focused on bringing real value to businesses through Secuvant’s unique Cyber-7™ risk management methodology.

“Having someone as skilled and well respected as Matt join the Secuvant management team is nothing short of incredible,” said Ryan Layton, CEO and co-founder of Secuvant. “Matt has a very unique combination that is rare to find in cyber security, that being business, legal and technical. He has proven to many businesses and their executives that he is the go-to guy when it comes to cyber risk advisory, and now he can add the Secuvant Cyber-7 methodology that just puts client benefits over the top.”

Prior to joining Secuvant Matt was an attorney with Holland and Hart in Salt Lake City, focused on managing data breach events, overseeing incident response and investigation teams for clients and helping commercial data breach victims prepare civil claims against negligent data custodians and processors. In addition, Matt has worked for the LDS Church as an IT Compliance Officer, US Bank and Bank of America in information security roles and in KPMG’s risk advisory practice. “Secuvant starts by helping executives understand that security is a business risk and not just a technical one,” said Matt. “I am excited to deliver value to our clients using the Cyber-7™ process which is like nothing I’ve seen before. That is what attracted me to Secuvant. The way they help businesses address growing security threats while enabling revenue and lowering risks and costs, is unique in the marketplace.”

About Secuvant: Secuvant is unique in its product-independent, vendor-agnostic approach to cyber security, uniquely focusing on the Secuvant Cyber-7™ business priorities. Secuvant is one of the fasting growing companies in Utah providing business-driven cyber security solutions to the SMB market, including gap and risk assessments, risk management programs, and a complete managed detection and response service, delivered from its state-of-the-art security operations center. Secuvant provides a complete team, tools, technology and processes, and in most cases all for less than the cost of hiring internal resources.

Comment

Comment

Why Automation isn't everything in Cyber Security

Everything is becoming more automated, but what does this really mean or look like for SecOps? How do you evolve with automation while still keeping your analysts?

Secuvant MSSP

By Kumar Saurabh, Contributor, CSO

With the latest advancements in automation and AI, many CISOs are recognizing the potential for automation to transform security operations. Given the way many technology vendors hype their solutions, you could be forgiven for thinking humans should be removed from security flows to the greatest extent possible. But, you would be wrong!

On the contrary, security analysts are not only an important part of the security process, they are THE most important part. So, when you think of automation, you should think of it not as a way of replacing security analysts, but rather as a way of empowering them to do more of what they do best. This is an important distinction.

More automation does not mean a smaller analyst role

The fact is, automation is not a panacea. Certainly, the early and rudimentary forms of automation our industry has seen in the past decade have fallen short of their promise. SIEM systems allow you to collect lots of log data, but the growth in data means ever-increasing amounts of backlog to process. Those same systems, with their inflexible, rules-based approach to threat detection, overwhelm analysts with torrents of false positives.

To make things worse, there are still far too many false negatives and intrusions that get by undetected. No matter what an automation vendor tells you, humans are still the absolute best at identifying previously unknown threats. However, we just can’t do it at scale.

Solving the cybersecurity crisis can’t start with the assumption humans should be automated out of the system - in fact, it should be quite the opposite. In an ideal configuration, human analysts are at the center of everything, supported with advanced automation tools that can make sense of the torrents of data being generated and allowing them to make the types of nuanced decisions that will take a very long time to yield to technology.

Uniting analyst and machine

Some new generation solutions are purely focused on AI and machine learning. The promise is you turn it on in your environment and after a few days of the system learning on its own, it will be able to detect all the bad stuff. However, these systems suffer from a fatal flaw: missing the business context, adaptability and explainability needed to be truly effective.

What do human analysts know better than any system or, more importantly, any intruder? They know their own environment and the enterprise context, as well as having an intuition about how their system operates and what is normal versus what is questionable. Humans also adapt quickly to fast changing conditions and can always explain why they did something. On the other hand, humans cannot scale and could struggle with mistakes and inconsistencies. Machines, as we know, are exponentially faster and consistent.

The ideal system is still one that unites analyst and machine, augmenting the intelligence of a security analyst with the automation scale of a machine. To achieve this, we need the right kind of automation.

There are different types of automation. As explained by Harvard Business Review, basic robotic process automation handles routine and repeatable tasks, and can only scale some of the motions of an analyst, but cannot scale intelligence. Cognitive automation, on the other hand, can handle decision making around the severity of an alert by evaluating the full context of all data surrounding an event. Cognitive automation by itself, however, is not sufficient. To avoid pitfalls of a “blackbox,” automation needs to be complemented by analysts’ input and feedback on a continuous basis. Technology that supports a human-centric approach to automation

Recent, new technologies now make it possible to play to analysts’ strengths far more effectively. The next generation of automation technology allows analysts to feed their tribal knowledge about context and environment easily into the machine learning system, without requiring large training data sets. In addition to drastically increasingly efficacy, this allows a properly designed system to adapt and evolve flexibly as context and environment change. The analyst is in charge and the machine dutifully mimics and executes what the analysts would do, only at extreme scale.

The right automation

Security automation doesn’t mean removing analysts from the equation. Instead, good security automation is about empowering your analysts to force multiply their efforts, aiding them to be more productive and satisfied in their jobs, and freeing them to tackle the most challenging threats. With the right technologies and processes in place, your secops dream team can become a tag team of expert human security analysts plus virtual security analysts powered by cognitive automation.

Comment

Comment

HTTPS scanning in Kaspersky exposed Users to MITM attacks

From: CSOOnline.com by: Lucian Constantin

Security vendor Kaspersky Lab has updated its antivirus products to fix an issue that exposed users to traffic interception attacks.

The problem was found by Google vulnerability researcher Tavis Ormandy in the SSL/TLS traffic inspection feature that Kaspersky Anti-Virus uses to detect potential threats hidden inside encrypted connections.

Like other endpoint security products, Kaspersky Anti-Virus installs a self-signed root CA certificate on computers and uses it to issue "leaf," or interception, certificates for all HTTPS-enabled websites accessed by users. This allows the product to decrypt and then re-encrypt connections between local browsers and remote servers.

Ormandy found that whenever the product generates an interception certificate it calculates a 32-bit key based on the serial number of the original certificate presented by the website and caches this relationship. This allows the product to present the cached leaf certificate when the user visits the same website again instead of regenerating it.

The problem, according to Ormandy, is that a 32-bit key is very weak and an attacker could easily craft a certificate that matches the same key, creating a collision.

He described a possible attack as follows: "Mallory wants to intercept mail.google.com traffic, for which the 32bit key is 0xdeadbeef. Mallory sends you the real leaf certificate for mail.google.com, which Kaspersky validates and then generates it's own certificate and key for. On the next connection, Mallory sends you a colliding valid certificate with key 0xdeadbeef, for any commonName (let's say attacker.com). Now mallory redirects DNS for mail.google.com to attacker.com, Kaspersky starts using their cached certificate and the attacker has complete control of mail.google.com."

This implies that the attacker -- Mallory in Ormandy's example -- has a man-in-the-middle position on the network that allows him to redirect the user accessing mail.google.com via DNS to a rogue server under his control. That server hosts and presents a certificate for a domain called attacker.com.

Under normal circumstances the browser should display a certificate error, because the certificate for attacker.com does not match the mail.google.com domain accessed by the client. However, since the browser will actually see the interception certificate generated by Kaspersky Anti-Virus for mail.google.com, and not the original one, it will establish the connection without any error.

The 32-bit key is so weak that certificate collisions would also occur naturally during normal browsing. For example, Ormandy found that the valid certificate used by news.ycombinator.com has the same 32-bit key calculated by Kaspersky Anti-Virus as the certificate for autodiscover.manchesterct.gov.

According to the researcher, Kaspersky Lab pointed out that there is an additional check being performed on the domain name in addition to the 32-bit key. This makes attacks harder, but not impossible.

"We were able to come up with alternative attacks that still worked and Kaspersky resolved it quickly," Ormandy said in an advisory made public Wednesday. The company fixed the issue on Dec. 28, he said.

Security vendors justify their SSL/TLS interception practices through a legitimate need to protect users from all threats, including those served over HTTPS. However, their implementations have often resulted in security issues. That's because performing certificate validation correctly is not easy and is something that browser vendors themselves have perfected over many years.

Comment

Comment

4 Information Security Events that will Dominate 2017

From: CSOonline.com By: Thor Olavsrud

As with previous years, 2016 saw no shortage of data breaches. Looking ahead to 2017, the Information Security Forum (ISF), a global, independent information security body that focuses on cyber security and information risk management, forecasts businesses will face four key global security threats in 2017.

"2016 certainly lived up to expectations," says Steve Durbin, managing director of the ISF. "We saw all sorts of breaches that just seemed to get bigger and bigger. We lurched from one to another. We always anticipate some level of it, but we never anticipate the full extent. I don't think anybody would have anticipated some of the stuff we've seen of late in terms of the Russians getting involved in the recent elections."

The ISF says the top four global security threats businesses will face in 2017 are the following:

  1. Supercharged connectivity and the IoT will bring unmanaged risks.
  2. Crime syndicates will take quantum leap with crime-as-a-service.
  3. New regulations will bring compliance risks.
  4. Brand reputation and trust will be a target.

"The pace and scale of information security threats continues to accelerate, endangering the integrity and reputation of trusted organizations," Durbin says. "In 2017, we will see increased sophistication in the threat landscape with threats being tailored to their target's weak spots or threats mutating to take account of defenses that have been put in place. Cyberspace is the land of opportunity for hacktivists, terrorists and criminals motivated to wreak havoc, commit fraud, steal information or take down corporations and governments. The solution is to prepare for the unknown with an informed threat outlook. Better preparation will provide organizations of all sizes with the flexibility to withstand unexpected, high-impact security events."

The top four threats identified by the ISF are not mutually exclusive. They can combine to create even greater threat profiles.

Supercharged connectivity and the IoT bring unmanaged risks

Gigabit connectivity is on the way, and it will enable the internet of things (IoT) and a new class of applications that will exploit the combination of big data, GPS location, weather, personal health monitoring devices, industrial production and much more. Durbin says that because connectivity is now so affordable and prevalent, we are embedding sensors everywhere, creating an ecosystem of embedded devices that are nearly impossible to secure.

Durbin says this will raise issues beyond privacy and data access: It will expand the threat landscape exponentially.

MORE ON CSO: 6 products that will protect your privacy "The thing for me with 2017 is I describe it as an 'eyes-open stance' we need to take," Durbin says. "We're talking about devices that never ever had security designed into them, devices that are out there gathering information. It's relatively simple to hack into some of these things. We've seen some moves, particularly in the U.S., to encourage IoT manufacturers to engineer some level of security into their devices. But cost is an issue, and they're designed to link."

Durbin believes many organizations are unaware of the scale and penetration of internet-enabled devices and are deploying IoT solutions without due regard to risk management and security. That's not to say organizations should pull away from IoT solutions, but they do need to think about where connected devices are used, what data they have access to and then build security with that understanding in mind.

"Critical infrastructure is one of the key worry areas," Durbin says. "We look at smart cities, industrial control systems — they're all using embedded IoT devices. We have to make sure we are aware of the implications of that."

"You're never going to protect the whole environment, but we're not going to get rid of embedded devices," he adds. "They're already out there. Let's put in some security that allows us to respond and contain as much as possible. We need to be eyes open, realistic about the way we can manage the application of IoT devices."

Crime syndicates take quantum leap with crime-as-a-service

For years now, Durbin says, criminal syndicates have been operating like startups. But like other successful startups, they've been maturing and have become increasingly sophisticated. In 2017, criminal syndicates will further develop complex hierarchies, partnerships and collaborations that mimic large private sector organizations. This, he says, will facilitate their diversification into new markets and the commoditization of their activities at the global levels.

"I originally described them as entrepreneurial businesses, startups," Durbin says. "What we're seeing is a whole maturing of that space. They've moved from the garage to office blocs with corporate infrastructure. They've become incredibly good at doing things that we're bad at: collaborating, sharing, working with partners to plug gaps in their service."

And for many, it is a service offering. While some organizations have their roots in existing criminal structures, other organizations focus purely on cybercrime, specializing in particular areas ranging from writing malware to hosting services, testing, money mule services and more.

"They're interested in anything that can be monetized," Durbin says. "It doesn't matter whether it's intellectual property or personal details. If there is a market, they will go out and collect that information."

He adds that rogue states take advantage of some of these services and notes the ISF expects the resulting cyber incidents in the coming year will be more persistent and damaging than organizations have experienced previously.

New regulations bring compliance risks

The ISF believes the number of data breaches will grow in 2017, and so will the volume of compromised records. The data breaches will become far more expensive for organizations of all sizes, Durbin says. The costs will come from traditional areas such as network clean-up and customer notification, but also from newer areas like litigation involving a growing number of partners.

In addition, public opinion will pressure governments around the world to introduce tighter data protection legislation, which in turn will introduce new and unforeseen costs. Reform is already on the horizon in Europe in the form of the EU General Data Protection Regulation (GDP) and the already-in-effect Network Information Security Directive. Organizations conducting business in Europe will have to get an immediate handle on what data they are collecting on European individuals, where it's coming from, what it's being used for, where and how it's being stored, who is responsible for it and who has access to it. Organizations that fail to do so and are unable to demonstrate security by design will be subject to potentially massive fines.

"The challenge in 2017 for organizations is going to be two-fold," Durbin says. "First is to keep abreast of the changes in regulations across the many, many jurisdictions you operate in. The second piece is then how do you, if you do have clarity like the GDP, how do you ensure compliance with that?"

"The scope of it is just so vast," he adds. "You need to completely rethink the way you collect and secure information. If you're an organization that's been doing business for quite some time and is holding personally identifiable information, you need to demonstrate you know where it is at every stage in the lifecycle and that you're protecting it. You need to be taking reasonable steps even with your third party partners. No information commission I've spoken to expects that, come May 2018, every organization is going to be compliant. But you need to be able to demonstrate that you're taking it seriously. That and the nature of the information that goes missing is going to determine the level of fine they levy against you. And these are big, big fines. The scale of fine available is in a completely different realm than anyone is used to."

Brand reputation and trust are a target

In 2017, criminals won't just be targeting personal information and identity theft. Sensitive corporate information and critical infrastructure has a bull's eye painted on it. Your employees, and their ability to recognize security threats and react properly, will determine how this trend affects your organization.

"With attackers more organized, attacks more sophisticated and threats more dangerous, there are greater risks to an organization's reputation than ever before," Durbin says. "In addition, brand reputation and the trust dynamic that exists amongst customers, partners and suppliers have become targets for cybercriminals and hacktivists. The stakes are higher than ever, and we're no longer talking about merely personal information and identity theft. High-level corporate secrets and critical infrastructure are regularly under attack, and businesses need to be aware of the more important trends that have emerged in the past year, as well as those we forecast in the year to come."

While most information security professionals will point to people as the weakest link in an organization's security, that doesn't have to be the case. People can be an organization's strongest security control, Durbin says, but that requires altering how you think about security awareness and training.

Rather than just making people aware of their information security responsibilities and how they should respond, Durbin says the answer is to embed positive information security behaviors that will cause employees to develop "stop and think" behavior and habits.

"2017 is really about organizations having to wake up to the fact that people do not have to be the weakest link in the security chain," Durbin says. "They can be the strongest link if we do better about understanding how people use technology, the psychology of human behavior."

Successfully doing so requires understanding the various risks faced by employees in different roles and tailoring their work processes to embed security processes appropriate to their roles.

Comment

Comment

New Cybersecurity Guidelines for Medical Devices Tackle Emerging Threats

From: The Verge By: Rachel Becker

Today, the US Food and Drug Administration released its recommendations for how medical device manufacturers should maintain the security of internet-connected devices, even after they’ve entered hospitals, patient homes, or patient bodies. Unsecured devices can allow hackers to tamper with how much medication is delivered by the device — with potentially deadly results.

THE RECOMMENDATIONS ARE LARGELY TOOTHLESS

First issued in draft form last January, this guidance is more than a year in the making. The 30-page document encourages manufacturers to monitor their medical devices and associated software for bugs, and patch any problems that occur. But the recommendations are not legally enforceable — so they’re largely without teeth.

The FDA has been warning the healthcare industry for years that medical devices are vulnerable to cyberattacks. It’s a legitimate concern: researchers have managed to remotely tamper with devices like defibrillators, pacemakers, and insulin pumps. In 2015, FDA warned hospitals that the Hospira infusion pump, which slowly releases nutrients and medications into a patient’s body, could be accessed and controlled through the hospital’s network. That’s dangerous to patients who could be harmed directly by devices altered to deliver too much or too little medication. It also means poorly-secured devices could give hackers access to hospital networks that store patient information — a situation that’s ripe for identity theft.

“In fact, hospital networks experience constant attempts of intrusion and attack, which can pose a threat to patient safety,” says Suzanne Schwartz, the FDA’s associate director for science and strategic partnerships, in a blog post about the new guidelines. “And as hackers become more sophisticated, these cybersecurity risks will evolve.”

“AS HACKERS BECOME MORE SOPHISTICATED, THESE CYBERSECURITY RISKS WILL EVOLVE.”

The FDA issued an earlier set of recommendations in October 2014, which recommended ways for manufacturers to build cybersecurity protections into medical devices as they’re being designed and developed. Today’s guidance focuses on how to maintain medical device cybersecurity after devices have left the factory. The guidelines lay out steps for recognizing and addressing ongoing vulnerabilities. And they recommend that manufacturers join together in an Information Sharing and Analysis Organization (ISAO) to share details about security risks and responses as they occur.

Most patches and updates intended to address security vulnerabilities will be considered routine enhancements, which means manufacturers don’t have to alert the FDA every time they issue one. That is, unless someone dies or is seriously harmed because of a bug — then the manufacturer needs to report it. Dangerous bugs identified before they harm or kill anyone won’t have to be reported to the FDA as long as the manufacturer tells customers and device users about the bug within 30 days, fixes it within 60 days, and shares information about the vulnerability with an ISAO.

This attempt to secure medical devices is just the beginning, says Eric Johnson, a cyber security researcher and dean of the Vanderbilt University business school, in an email to The Verge. The FDA’s Schwartz agrees, writing in a blog post: “This is clearly not the end of what FDA will do to address cybersecurity.”

Comment

Comment

What 2017 Has In Store for Cybersecurity

From: CSO Online By: Gage Skidmore

There is much uncertainty surrounding the security industry for 2017, and according to experts in the field, a lot of the trepidation is directly connected to what the nation’s next president will do.

Here's what security vendors and analysts are predicting for the year ahead.

John B Wood, CEO of Telos Corporation, cites a need for cooperation between the government and the private sector. President-elect Donald Trump took a break from his “thank you” tour to meet with tech executives to smooth over a contentious time between the two sides during his campaign.

“President-elect Trump has been vocal about the need for a stronger and more aggressive cyber security posture, and I’m confident that he’ll work with leading members of Congress. Many non-political cyber experts throughout the government, various agency CISOs and [Federal Chief Information Security Officer] General Touhill will also be great resources to further refine cyber security policies to protect U.S. interests in the face of constantly changing threats,” Wood said.

He also noted the renewed focus on U.S. Cyber Command. The President-elect has promised to eliminate the threat of defense sequestration and to spend more on the military. “This needs to include working to roll back the budget caps for defense spending and providing additional resources for cyber security, including more money for U.S. Cyber Command, which I believe is grossly underfunded,” Wood added.

Speaking of funding, Wood does not believe that a change of administration will automatically lead to a change in regulatory policy.

“Although there will certainly be a big push by the Trump administration to roll back or modify overly burdensome regulations, I don’t see this affecting cybersecurity regulations, like the NIST Cyber Security Framework that has been developed in consultation with the private sector,” he commented.

Reuven Harrison, CTO and co-founder of Tufin, a provider of network security policy orchestration solutions for enterprise cybersecurity, said the thought of a Trump administration inevitably failing to uphold regulations will keep IT departments tossing and turning at night. “If Trump implements his deregulation promises, and penalties for non-compliance with industry-wide security regulations are relaxed, security teams will need to be self-disciplined to maintain a high level of security by turning to outside resources for security best practices,” he said.

Carson Sweet, co-founder and CTO at CloudPassage, said privacy will take center stage over security.

“Trump’s administration will create a fundamental shift in concerns as it pertains to security. There’s a new sheriff in town, and many posit that he has less regard for privacy concerns than the current administration. Case in point, Trump supported the FBI in its battle with Apple over iPhone privacy and security,” Sweet stated. “If this new administration demonstrates in their policies a value for law enforcement and intelligence access over citizens’ privacy, they’ll double or triple down on the government’s right to inspect data. The impact of such a reality would extend to the use of online services, cloud providers, even personal computing devices and IoT.”

What that impact would be is very hard to know, but it’s safe to bet that it won’t be positive, he said. The wars around PGP and personal encryption come to mind (anyone remember the Clipper chip?).

John Bambenek, threat systems manager at Fidelis Cybersecurity, said he never would have predicted last year that we would be talking about the DNC and hacking of elections.

“Ransomware will be on the upswing and evolve in new unforeseen ways. It will be more targeted and focus on more valuable targets as we saw with healthcare. And it will continue to attack new, more damaging industries like we recently witnessed with San Francisco BART and Muni,” he said.

While 2016 found the election under scrutiny because of alleged hacking by foreign powers, 2017 will continue the trend of identity theft and ransomware.

Forrester predicts that within the first 100 days, the new president will face a cybercrisis. The momentum of winning the election gives new presidents the public's support to follow through on key initiatives of their campaigns. However, the 45th president will lose that momentum coming into office by finding the administration facing a cybersecurity incident.

Forrester suggests that the administration prepare for nation-states and ideologies looking to disrupt and degrade. They believe the U.S. should be on the lookout for China, North Korea and Iran.

“Political ideologies use electronic means to both recruit and spread information. DDoS attacks using IoT devices are becoming a common means of disrupting operations for companies or individuals that threat actors disagree with. A company can become a target not just because of its size or global presence but also because of its political donations or public statements. If you’ve never factored geopolitical concerns into your security risk analysis, you ignore them at your own firm’s peril.”

Civilian “casualties” in the Cyber Cold War

Corey Nachreiner, CTO at WatchGuard Technologies, follows Forrester’s way of thinking. “Whether you know it or not, the cyber cold war has started. Nation-states, including U.S., Russia, Israel, and China, have all started both offensive and defensive cyber security operations. Nation-states have allegedly launched malware that damaged nuclear centrifuges, stolen intellectual property from private companies, and even breached other governments' confidential systems. Countries are hacking for espionage, crime investigation, and even to spread propaganda and disinformation.”

"Trump’s administration will create a fundamental shift in concerns as it pertains to security." -- Carson Sweet, CTO, CloudPassage

He believes 2017 will be much of the same: Behind the scenes, nation-states have been leveraging undiscovered vulnerabilities in their attacks, suggesting that these countries have been finding, purchasing, and hording zero-day flaws in software to power their future cyber campaigns.

“In other words, the nation-state cyber cold war is an arms race to discover and horde software vulnerabilities — often ones in the private software we all use every day,” he said.

Comment