5 cyber issues the next presidential administration needs to prioritize immediately

The next administration must do better on cyber than previous ones, two experts behind a new McCrary Institute and Cyberspace Solarium Commission 2.0 report argue.

The post 5 cyber issues the next presidential administration needs to prioritize immediately appeared first on CyberScoop.

America’s allies are shifting: Cyberspace is about persistence, not deterrence

Countries like the United Kingdom, Japan, and Canada are adopting the U.S.’s proactive cyber strategy to anticipate and mitigate vulnerabilities, reflecting a shift away from deterrence.


Why grassroots efforts like #ShareTheMicInCyber play a vital role in a whole-of-society approach to cyber

Amid increasingly sophisticated ransomware and supply chain attacks, the cybersecurity community needs a cultural shift and novel ideas to help new executive branch leadership operationalize President Biden’s recent Executive Order. The insight and authority of the government, coupled with the agility and innovation of the private sector, will create a powerful force multiplier capable of painting a clearer picture of the threat landscape, coordinating defensive activities more quickly, and speeding recovery. Unfortunately, for many reasons, such as fear of legal or regulatory liability, a lack of regulations and incentives, and uncertainty about where to turn, strong collaboration is largely unrealized today and is limiting the U.S.’s ability to get ahead of cyber threats. The lack of trust between the public and private sectors must be overcome at the grassroots level by creating strong communities and humanizing practitioners. But the onus of creating partnerships across sectors cannot rest with the government or the private sector alone. The entire […]


3 strategies for addressing sensitive legal cybersecurity issues

Three years after enacting one of the most exacting cybersecurity regulations in the United States, the New York State Department of Financial Services (NYDFS) recently filed its first cybersecurity enforcement action. This enforcement action shows the importance of mitigating legal risks when addressing cybersecurity risks. NYDFS alleged that First American Financial, one of the country’s largest providers of title insurance, failed to properly address a known security vulnerability on its website that allowed millions of documents containing consumers’ nonpublic information to be exposed. After the vulnerability surfaced in a penetration test, First American misclassified the vulnerability as “low,” failed to investigate it within the timeframe set by the company’s cybersecurity policy, failed to determine the scope of documents that were exposed, and failed to heed the recommendations of its in-house cybersecurity team. The timing of the NYDFS’s inaugural enforcement action shows that cybersecurity remains a key priority for government agencies, even during the COVID-19 […]


Fixing supply chain vulnerabilities should be a team effort

In the last few weeks, the Ripple20 vulnerabilities have once again brought the challenge of securing IoT and OT devices to the forefront, underscoring the risky supply chain of software and hardware components that serves as the foundation for many of these devices. While these vulnerabilities are significant on their own, what they show on a more fundamental level is the dire need to rethink how we are all approaching IoT security as an industry, all the way from manufacturing to the mitigation of vulnerabilities. What makes the Ripple20 vulnerabilities so widespread is that the security flaws lie in a TCP/IP stack that underlies many embedded systems, including industrial control systems, medical devices, and printers. It is not just one type of device or manufacturer that is affected, but potentially hundreds of millions of devices into whose supply chain this software crept. This is an opaque process, with little or […]


Taking steps to break down systemic racism in cybersecurity

Racism, like cybersecurity, is a national security issue. Systemic racism prevents diverse perspectives from informing policy and security. As a result, it hampers our ability to understand and combat misinformation and to address our society’s vulnerabilities so as to prevent our adversaries from exploiting them. Systemic racism also blinds us from seeing and leveraging the diverse experiences before us, undermining our ability to understand how all communities use technology and to ensure different voices are welcomed, heard, and protected in our national security institutions. We all have a role to play in the security of our nation, and there are so many institutional, systemic, and overt racial biases that make this problem so complex. So how do we start to dismantle them? We must start by acknowledging that these problems exist in our industry and begin taking tangible steps to educate ourselves on the impact of slavery and systemic racism […]


Why the FBI’s cyber attachés are so valuable

On an average day, cybercriminals visiting the Darkode darkweb forum would expect to enter an underground, invitation-only digital marketplace to buy, sell, and trade malware, access to botnets, and stolen personal information. In July 2015, however, instead of the Darkode homepage, users were confronted with the emblems of the U.S. Federal Bureau of Investigation (FBI), the U.S. Department of Justice (DOJ), and Europol’s European Cybercrime Centre (EC3). A large, bold warning surrounded by the official seals of 17 additional international police departments prominently proclaimed, “This domain and website have been seized.” This was the culmination of a multi-year joint undercover operation by U.S. and international law enforcement from 20 countries, who searched, charged, or arrested 70 of the forum’s members worldwide and indicted 12 individuals for computer fraud conspiracy. This joint effort, known as Operation Shrouded Horizon, exemplifies the collaboration needed to counter the increasingly complex and diffuse […]


Trust us, information sharing can work. Here’s how we’re doing it.

You know what’s worse than trying to share cybersecurity information? Writing about it. Everyone has read over and over again about how important information sharing is for cybersecurity. The idea is certainly not new. It’s definitely not cool. It’s also hard. No one has completely nailed it even after talking about it for decades. Why is information sharing so hard, and why are we still working on it? We’ve identified plenty of barriers and worked to address them. In many cases, we’ve addressed them quite well. For example, information sharing is tough from a technical perspective because the volume and speed of data continue to increase. So the community developed standards like STIX (Structured Threat Information Expression) as a common language to share indicators and context at machine speed, TAXII (Trusted Automated eXchange of Intelligence Information) to provide a protocol for the transfer of that information, and MITRE’s ATT&CK framework for […]
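The STIX and TAXII mention above is where a practitioner wants to see what “indicators at machine speed” looks like on the wire. The following Python is an added example, not code from the original post or from its authors. It builds a STIX 2.1 Indicator object carrying the properties the specification requires, wraps it in a Bundle (the unit a TAXII collection serves), and evaluates a small subset of the STIX patterning language (one bracketed observation expression, `=`/`!=` comparisons joined by AND/OR, simple properties only) against constructed observations. The indicator values, names and observations are constructed for illustration using documentation address ranges; a production consumer should use a full pattern engine such as the one in the stix2 library rather than this subset.

```python
"""Producing and consuming STIX 2.1 indicators without external libraries.

Added example: the indicator values below are constructed, and the matcher
implements only a subset of the STIX patterning language.
"""
import json
import re
import uuid
from datetime import datetime, timezone


def stix_timestamp(dt=None):
    """STIX 2.1 timestamp: RFC 3339 UTC with millisecond precision and a 'Z'."""
    dt = dt or datetime.now(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def make_indicator(pattern, name, indicator_types=("malicious-activity",)):
    """Build an Indicator SDO carrying every property STIX 2.1 requires."""
    now = stix_timestamp()
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": now,
        "modified": now,
        "name": name,
        "indicator_types": list(indicator_types),
        "pattern": pattern,
        "pattern_type": "stix",
        "valid_from": now,
    }


def make_bundle(*objects):
    """Wrap objects in a Bundle, the unit a TAXII collection serves."""
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": list(objects)}


# One comparison: <object-type>:<property> (= | !=) '<quoted value>'.
# Only simple properties (ipv4-addr:value, domain-name:value, url:value, ...)
# are handled; nested paths such as file:hashes.'SHA-256' are not.
_COMPARISON = re.compile(
    r"^\s*([a-z0-9\-]+):([a-z0-9_]+)\s*(=|!=)\s*'((?:[^'\\]|\\.)*)'\s*$"
)


def _eval_comparison(expr, observation):
    m = _COMPARISON.match(expr)
    if not m:
        raise ValueError(f"unsupported comparison: {expr!r}")
    obj_type, prop, op, value = m.groups()
    value = value.replace("\\'", "'").replace("\\\\", "\\")
    actual = observation.get(obj_type, {}).get(prop)
    if actual is None:  # observation has no such object/property: no match
        return False
    return actual == value if op == "=" else actual != value


def matches(pattern, observation):
    """Evaluate one bracketed observation expression against an observation.

    observation: {"ipv4-addr": {"value": "..."}, "domain-name": {"value": "..."}}
    AND binds tighter than OR, as in the STIX pattern grammar. Splitting on
    bare AND/OR assumes those words do not occur inside quoted values.
    """
    m = re.fullmatch(r"\s*\[(.*)\]\s*", pattern, re.S)
    if not m:
        raise ValueError("only a single [ ... ] observation expression is supported")
    for or_term in re.split(r"\s+OR\s+", m.group(1)):
        if all(_eval_comparison(t, observation) for t in re.split(r"\s+AND\s+", or_term)):
            return True
    return False


def scan(bundle, observations):
    """Return (indicator name, observation index) for every hit."""
    hits = []
    for obj in bundle["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        for i, obs in enumerate(observations):
            if matches(obj["pattern"], obs):
                hits.append((obj["name"], i))
    return hits


# Constructed sample data (documentation ranges, not real infrastructure).
SAMPLE_BUNDLE = make_bundle(
    make_indicator("[ipv4-addr:value = '203.0.113.7' OR domain-name:value = 'c2.example']",
                   "constructed C2 endpoint"),
    make_indicator("[url:value = 'http://c2.example/login' AND ipv4-addr:value != '192.0.2.1']",
                   "constructed phishing page"),
)
SAMPLE_OBSERVATIONS = [
    {"ipv4-addr": {"value": "203.0.113.7"}},
    {"domain-name": {"value": "benign.example"}},
    {"url": {"value": "http://c2.example/login"}, "ipv4-addr": {"value": "198.51.100.9"}},
]

if __name__ == "__main__":
    print(json.dumps(SAMPLE_BUNDLE, indent=2))  # what a TAXII server would serve
    for name, idx in scan(SAMPLE_BUNDLE, SAMPLE_OBSERVATIONS):
        print(f"hit: {name!r} on observation {idx}")
```

Running the block prints the bundle as a TAXII server would serve it, then two hits: the first indicator on observation 0 and the second on observation 2. The `scan` step is the part that makes machine-speed sharing worth anything: a consumer that cannot evaluate the pattern, or silently treats an unsupported one as a non-match, gets no value from the feed, which is why the matcher raises on patterns outside its subset rather than returning False.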


What Shopify has learned from five years of bug bounty programs

As a part-time hacker and full-time security engineer at Shopify, I’ve learned a lot along the way. One of the biggest takeaways I recognized early on was that I kept returning to programs run by security teams that respected me and my time, were responsive to my reports and inquiries, and were transparent in their communications and disclosures. When I first joined Shopify, we were challenged to scale our team alongside our relatively new bug bounty program. I was excited to bring my insights and improve upon a program that hackers would engage with. Our goal has always been to build upon the success of our hacker-powered security programs with a concerted effort to promote transparency and attract talent. With the extra sets of eyes, we are able to implement more checks and balances to harden our attack surfaces. We attribute much of our success to our work as an […]


It’s hard for campaigns to be transparent without aiding attackers

Everyone knows what happened to John Podesta in 2016. Hillary Clinton’s campaign manager clicked on a phishing email, and as far as we know, it was the first time a cyberattack shaped a presidential election. This time around, the campaigns are more focused on recognizing and stopping phishing attacks. That’s good, because phishing has become far more sophisticated over the last four years, including the painstaking research smart attackers run. So if we were to see a repeat of 2016, where would hackers conduct their homework? They could look no further than the Federal Election Commission, whose website illustrates how tough it is to balance transparency and security.

The bad guys are looking, too

Check out the FEC’s campaign finance data repository. It enables anyone to see where campaigns are spending their money: They’re required to list individuals, vendors, and others they are paying to support their operations. The site […]
