Insurance regulators pitched on FICO-style score for cybersecurity

In the fast-growing cybersecurity insurance market, underwriters face a uniquely complex problem — measuring or estimating the risk their policy-holders face from cybercrooks, online spies and other hackers. The insurance industry “doesn’t have … a set of baseline tools or metrics … to quantify their customers’ risks,” Anand Paturi, vice president of security research and engineering at RiskSense, told CyberScoop. In life insurance, for instance, depending on the value of the policy, risk might be measured by reference to actuarial tables, which predict life expectancy, or by a medical examination measuring a wide range of physical risk factors. “That [risk] data is how you set the price of the policy,” he explained. But, in a presentation Monday to the National Association of Insurance Commissioners 2017 National Meeting, Paturi argued that the question is much more complicated in cybersecurity. He gave as an example the potentially massive losses from the WannaCry and Petya outbreaks earlier this year. In […]

The post Insurance regulators pitched on FICO-style score for cybersecurity appeared first on Cyberscoop.

U.S. government’s cyber Scholarship-for-Service program would expand under Senate bill

Legislation advancing in the Senate would expand a National Science Foundation scholarship program that funds cybersecurity education for students who commit to government service after they obtain their degree. The Cyber Scholarship Opportunities Act would expand the NSF’s CyberCorps: Scholarship-for-Service program, which awards grants and scholarships to students in exchange for agreeing to take on cybersecurity jobs in federal or state and local government after they graduate. The proposal, S. 754, which was marked up and approved unanimously Wednesday by the Senate Commerce, Science and Technology Committee, would expand the parameters of the SfS program so that it can include students studying part-time or in two-year courses at community colleges. It also would mandate a series of pilots at community colleges around the country, including for military veterans. Workforce experts predict a growing “skills gap” in the cybersecurity workforce, especially for the government, which cannot easily hike its wages. Policy initiatives like the CyberCorps SfS […]

DHS cyber incubator graduates malware ‘playback’ tech

A software package that records and “replays” the operation of malware is the latest technology to graduate from a Department of Homeland Security cybersecurity incubator. The technology, REnigma, allows network defenders to quickly see exactly how an attack unfolded and work out how best to recover, DHS official Nadia Carlsten told CyberScoop. “It’s all about getting the analysts the facts as fast as possible — and as accurately as possible,” she said. The software was developed at the Johns Hopkins University Applied Physics Laboratory and will be licensed to Deterministic Security LLC — a startup founded by the two scientists who wrote it. The Oregon-based company becomes the 15th successful graduate from the DHS Transition To Practice (TTP) incubator, said Carlsten, the program’s manager. “The developers wanted to take their technology into the marketplace themselves,” she said. Run in the Cyber Security Division of DHS’s Science and Technology Directorate, TTP selects candidate technologies from federal laboratories […]

SSH inventor analyzes tools the CIA wrote to exploit his protocol

The CIA hacking tools called Gyrfalcon and BothanSpy, as described in documents released by anti-secrecy group WikiLeaks, are “effective, but surprisingly unsophisticated,” according to Tatu Ylonen. And he should know — he invented the security protocol they exploit. In a blog post he published Wednesday, Ylonen — inventor of the Secure Shell or SSH security protocol — analyzes the descriptions of the tools provided by WikiLeaks. The group, which has not released the source code for the exploits, published classified “user guides” for the two tools earlier in July as part of a trove of stolen documentation about CIA hacking tools they’ve dubbed Vault 7. “From the [documents], it is easy to figure out how they work,” Ylonen told CyberScoop of the exploits, which are designed to let hackers move around an IT network once they’ve compromised a single machine. In an interview, he speculated they probably would have taken “a few weeks of work” to develop, […]

GAO: Pentagon hasn’t met conditions for separating NSA and Cyber Command

The Department of Defense has not yet decided whether to separate the leadership of the National Security Agency and U.S. Cyber Command and has not begun to meet the congressionally mandated conditions for doing so, the Government Accountability Office said in a report Tuesday. A provision in last year’s National Defense Authorization Act required the Secretary of Defense and the chairman of the Joint Chiefs of Staff to jointly certify that ending the so-called dual-hat arrangement — under which the same four-star general is both NSA director and in charge of U.S. Cyber Command — will not pose risks to the command’s military effectiveness. “As of April 2017, DOD’s senior leaders had not decided whether the dual-hat leadership should be ended,” states the GAO report, adding that the department’s leaders were “reviewing the steps and funding necessary to meet the statutory requirements of Section 1642” but had not yet begun to take them. The NDAA […]

DMARC use continues to climb inside federal government

The number of federal government departments and agencies deploying the highest level of anti-spoofing and anti-phishing email security has nearly doubled since the end of May, new figures show. A total of 135 federal email domains had some form of the Domain-based Message Authentication, Reporting and Conformance (DMARC) protocol deployed Aug. 1, according to the non-profit Global Cyber Alliance. That’s only six more than the 129 that had some deployment May 26 — but of those 135, 60 had the protocol set to p=reject, the highest level of deployment. That compares to just 32 that had the protocol fully deployed in May. DMARC helps prevent phishing and other email spoofing attacks, in which a message is made to look as if it comes from a company or government agency. The IRS, for instance, is a frequent target of phishers, who prefer to impersonate banks or other email senders that might have a financial relationship with potential victims. At […]

Ad industry body issues first certificates for anti-malware best practices

The digital advertising industry’s cybersecurity assessment and information-sharing organization has issued its first set of anti-malware certifications, signing off on measures against cyberattacks taken by nine companies who represent as much as half of the digital advertising market. The Trustworthy Accountability Group, or TAG, issued “Certified Against Malware” seals Monday to AppNexus, DataXu, Google, LKQD, OpenX, Publishers Clearing House, Rocket Fuel, Sovrn, and The Media Trust, TAG CEO Mike Zaneis told CyberScoop in an interview. Zaneis estimated the nine companies between them probably touched up to half of digital advertising impressions on any given day. “I don’t have an exact percentage,” he added, “but there are major players here … A big chunk of the [digital advertising] supply chain.” The seal means that the companies have “implemented TAG’s rigorous anti-malware standards,” according to a statement from the group. Traditionally, ads have been a favorite way for hackers to serve malware and other malicious content, […]

Former FTC lawyer: Expect fewer data breach and privacy cases under Ohlhausen

The Federal Trade Commission’s new chairwoman will focus the agency on economic harm to consumers, meaning there will be fewer cybersecurity and privacy enforcement actions, a former FTC official says. “I think you’ll see a drop off in cases,” former FTC attorney Whitney Merrill told CyberScoop after a presentation she co-hosted at the DEF CON hacker convention in Las Vegas last week. “We can’t deny that’s true.” New Chairwoman Maureen Ohlhausen, a Republican, told lawyers at a conference earlier this year that under her leadership the agency will focus on “objective, concrete harms such as monetary injury” and eschew “speculative injury, or … subjective types of harm.” Most data breaches fall into that latter category. The agency pursues those cases as part of its mission to fight identity theft. “It’s hard to show economic harm,” in data security and privacy breaches, and there hasn’t been much research into it, said Merrill, now an attorney for video game publisher Electronic Arts. […]

No wonder cybersecurity is so bad: There’s no way to measure it

When the founders of a new nonprofit assessing the cybersecurity of software for consumers were trying to develop a scoring system that would rate programs depending on which security features they used, they encountered a “mind-blowing” problem. No one had ever measured how well such features actually worked. “There haven’t been a lot of studies that look at how effective are the safety measures that we use and trust,” Sarah Zatko, co-founder of the Cyber Independent Testing Lab, told a session at the DEF CON hacker convention Friday. The gap, she said, helped create space for the relatively high proportion of “snake oil” products in the cybersecurity market. “In most other industries that sort of data [about how well different security measures worked relative to each other] would be pretty fundamental — something you could take for granted that it existed,” said Zatko, whose husband and co-founder is Peter Zatko, […]

Everyone is working on their own ways to secure IoT

If there’s one thing that alarms even the hardened cybersecurity veterans at the Black Hat convention this year, it’s the huge attack surface represented by the burgeoning internet of things — and at least two researchers are presenting solutions designed to secure connected devices. Mikko Hypponen, chief research officer for F-Secure, was touting his company’s solution for consumer devices; and Brian Knopf, Neustar’s senior security researcher, gave a presentation about an alternative to Public Key Infrastructure encryption that enterprises can use to secure their IoT devices. “PKI is awful,” Knopf told CyberScoop. “It works OK for browsers … but it wasn’t designed for IoT devices … The problem is the scale.” PKI is built on asymmetric encryption, in which each user has a private key and a public key. Anyone with the public key can encrypt a message, which can then only be unscrambled with the private key. PKI is the basis for most internet […]