Sep 15, 2016

Chrome to label more sites as insecure in 2017

• Link: https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html
• Focus on sites that transmit passwords or credit card info over HTTP

A USB Device is all it takes to steal credentials from locked PCs

• Link: http://www.pcworld.com/article/3117793/security/a-usb-device-is-all-it-takes-to-steal-credentials-from-locked-pcs.html
• This is actually pretty interesting, but a little trickier than it sounds
• Still - it's quite fascinating that a USB attack works cross-platform, based on network activity and default USB behaviors

DHS chief: 'Very difficult' for hackers to skew vote

• Link: http://thehill.com/policy/national-security/294956-homeland-head-very-difficult-for-hackers-to-skew-vote
• • Instead of dismissing the claim, let’s explore the merits
  • Then let’s consider what, if anything, it means for enterprise security
• “It would be very difficult through any sort of cyber intrusion to alter the ballot count, simply because it is so decentralized and so vast,” he said, noting the series of state, local and county systems involved in running elections. “It would be very difficult to alter the count.”
• • Decentralized and vast - the merits
  • How many companies make the systems - so is it as decentralized as we’d like
  • How much of what you do in the enterprise is decentralized?
  • What are your points of failure - or the easy pathways to attack?
• If someone did alter the vote… would we know? How would we know?
• What’s the impact of appearing to alter the vote?
• Depending on your organization… how would you handle the same sort of situation? How would you convey confidence to the executives and board?

Big business worried more about data loss than hackers – survey

• Link: http://www.ibamag.com/news/cyber/big-business-worried-more-about-data-loss-than-hackers--survey-37489.aspx
• This might feel like a “surprise” or a “shake your head” moment; but maybe it’s a signal of where we need to focus
• If you’re in the enterprise, where (and how) would you rank the concerns?
• What is the impact from data loss? Relative to a “breach” 
• And then note: “But 15% of the companies Wells Fargo surveyed don’t require any employee training on cyber security, according to the report.”
• • That’s because the industry still botches this; 
  • I’m finally going to write up a series on this - and I’ll time it for October - make something productive out of security awareness month
• Overall, this signals a need to seek better alignment with the executives and board; might I say… you need some straight talk

Obama Names Retired Air Force General as First Federal CISO

• Link: http://www.bankinfosecurity.com/obama-names-retired-air-force-general-as-first-federal-ciso-a-9387
• Position so broad… is it even useful?
• Some notes of interest
• General Officer (1 star)
• Among Touhill's past positions was a 2-year stint as CIO and director of C4 systems, the nation's military transportation combatant command. 
• He also served for nearly 1½ years as CIO and director for communications and information for the air mobility command. He retired from the Air Force in 2005 after nearly 22 years of service.
• • Reports to Federal CIO -- based in White House Office of Management & Budget
  • So they see this as a tech play only?
• “...in the blog, say Touhill will leverage his considerable experience in managing a range of complex and diverse technical solutions with his strong knowledge of civilian and military best practices, capabilities and human capital training, development and retention strategies.”
• • So basically… we have no idea what he’s doing or why
  • Only has 4 months
  • Window dressing?