Risk News

Cryptocurrency Mining Tops Ransomware Attacks as New Cyberthreat
"While ransomware attacks continue to preoccupy the minds of healthcare IT security pros, a new threat is emerging—cryptocurrency mining. Not as devastating as ransomware, cryptocurrency mining malware can still degrade system performance and cause vital healthcare IT systems to slow down or even shut down due to the enormous processing power the malware uses to mine cryptocurrency."
Annie's take:

Another kind of threat to the healthcare industry.
US warns of North Korea cyber campaign, days after historic summit
"The US Department of Homeland Security said that it has identified malicious cyber activity by the North Korean government, according to a new report released on Thursday, just days after the historic summit between President Donald Trump and North Korean dictator Kim Jong Un."
Annie's take:

There is not much anymore that surprises us, least of all this report.
Whistleblower Leaked Damning Cohen Financial Documents Because They Were Disappearing From Government Financial Crimes Database
"A recent string of disclosures about payments made to bank accounts linked to Michael Cohen and his shell company, Essential Consultants, used to pay off porn star Stormy Daniels, raised a host of new legal questions for the longtime personal lawyer to Donald Trump."
Annie's take:

A colleague pointed out at the inception of the current administration that we should be concerned with information disappearing, and it looks like she was right.
White House eliminates cybersecurity coordinator role
"The Trump administration no longer has a cybersecurity coordinator."
Annie's take:

Perhaps the most careless move yet by John Bolton.
Gaudeamus -- Let Us Rejoice!
“Among the map makers of each generation are the risk takers, those who see the opportunities, seize the moment and expand man's vision of the future.” -- Ralph Waldo Emerson
Annie's take:

This month's column features a Q & A on risk management careers. Zhou Shan has written a research note on privacy and big data.
One Cybersecurity Metric To Dwell On
"Having a robust set of indicators is important to assessing an agency’s cybersecurity, but how long hackers have access to a network may be the most important, one federal IT official said."
Annie's take:

This metric -- the average time to detection -- is still way too high.
Bringing It All Together: NYS DFS, SWIFT, SEC and GDPR
"The Financial Services industry tends to be at the cutting edge of technology, and as a result, is often the group to be ahead of the curve of both its benefit and hazards. Whether it’s faster transactional processing in support of gaining even the slightest edge in trade execution or leveraging big data to gain unprecedented insights, financial services is the place to be. On the other hand, the power of all that technology and data has also led to businesses running the risk of exposing customer’s data and committing fraud."
Annie's take:

Assimilation, finally?
Digital Identity Makes Headway Around the World
"As our real lives and online lives become increasingly intertwined, the old ways of authenticating identity are failing us."
Annie's take:

A quick trip around the world.
Cyber Adversaries: It's Not Just Russia
"The first great cyberattack of the century was a deliberate, targeted and slow-moving affair. It was a sophisticated operation tailored toward a specific tactical outcome to serve American and Israeli strategic purposes."
Annie's take:

Fascinating article!
House seeks feedback on cyber challenges posed by legacy systems
"The House Energy and Commerce Committee has issued a request for information from industry stakeholders on how to address the cybersecurity challenges posed by legacy healthcare technologies and medical devices."
Annie's take:

A wise move. The question is, what will they do with the information?
Fintech professional’s tech predictions: 5 – better understanding of privacy settings
"In this post the fintech IT professional looks at how the public will become better informed about the privacy settings online and how website operators will be forced to adopt rules including default settings that protect consumers."
Annie's take:

If just one of these predictions -- that a standard definition of privacy would be arrived at by the government -- came true, I would be thrilled.
Syria news latest: Russia 'could launch cyber warfare within weeks' after US-led military action, expert warns
"Russia could “launch cyber warfare within weeks” in retaliation to US-led airstrikes on Syria bringing down City firms, the UK transport network and the NHS, experts have warned."
Annie's take:

One would hope that U.S. cyberintelligence would be making the same assessment and preparations for a cyber blitz at this time.
After Cambridge Analytica, privacy experts get to say "I told you so"
Annie's take:

"The times, they are a changin'."
DHS Is Making A List and Checking It Twice
"The Department of Homeland Security (DHS) has launched a bid request to create a “media monitoring services,” describing a plan to identify, then gather and monitor professional journalists and “top media influencers” – from the RFI, we learn that DHS will track more than 290,000 news sources around the world as well as social media in over 100 languages (with immediate translation into English)."
Annie's take:

The tension between the administration and the media has never been more pronounced. This RFI exacerbates the situation.
CEO says Facebook will impose new EU privacy rules “everywhere”
"Facebook CEO Mark Zuckerberg took an apologetic tone in a call with reporters Wednesday afternoon, weeks after the Cambridge Analytica debacle that has put a new level of pressure on the social media giant."
Annie's take:

I am pleased to say "I told you so." Where Facebook leads, can Google and Twitter be far behind? All this before the Congressional hearings!
The Next NSA Chief Is More Used to Cyberwar Than Spy Games
"After sailing through two friendly Senate hearings—one so uncontroversial that only six senators tops bothered to even show up at any given point in the hour—Lieutenant General Paul Nakasone seems set for confirmation as the next director of the National Security Agency."
Annie's take:

Too much power in one place when these two positions are combined? As the article points out, each agency asks different skills of its leader.
The Seemingly Random and Definitely Worrisome Cyberattack on Atlanta
"Last Thursday morning, the Atlanta city councilmember Howard Shook walked into his office and immediately began following the urgent recommendation of his I.T. department."
Annie's take:

Though the article does not suggest it, let's hope that the city has found federal or state resources to help them close holes and (if possible) retrieve the data.
Is Facebook Undermining Our Military?
"The U.S. military has long laid claim to having the best-equipped, best-trained fighting force in the world, and to spending more on defense than the next eight top-spending nations combined. But when the battleground is cyberspace, does that claim hold up?"
Annie's take:

Incisive article.
Combating cyber threats in critical infrastructure through due diligence
"Regardless of the implementation method, it’s important for critical infrastructure industries to assess their cybersecurity risks and to protect themselves. An optimal way to start is to adopt the NIST CSF, which will bring depth and breadth to your due diligence for your organization."
Annie's take:

Good article.
5 ways the 2018 omnibus promotes IT modernization, cybersecurity
"Rep. Will Hurd (R-Texas) said about 10 days before the end of the latest continuing resolution that he was optimistic that congressional appropriators would find some money for the Technology Modernization Fund."
Annie's take:

Good news here, at least.
Facebook’s Lax Data Policies Led to Cambridge Analytica Crisis
"Facebook Inc.’s loose approach to policing how app creators and others deployed its user data persisted for years, including after a 2015 effort by the social network to restrict access, according to court documents and people familiar with Facebook."
Annie's take:

More background information continues to emerge. Nice to see former Seattle reporter Kirsten Grind on this story!
FTC Probing Facebook for Use of Personal Data, Source Says
"Facebook Inc. is drawing scrutiny from the main U.S. privacy watchdog and half a dozen powerful congressional committees over how the personal data of 50 million users was obtained by a data analytics firm that helped elect President Donald Trump."
Annie's take:

The CISO was evidently overruled more than once on his recommendation that Facebook be more transparent about Russian efforts on the site. He's been marginalized. Now the FTC and Congressional committees will step in. Facebook has shown it will never be able to regulate itself.
How Trump Consultants Exploited the Facebook Data of Millions
"As the upstart voter-profiling company Cambridge Analytica prepared to wade into the 2014 American midterm elections, it had a problem."
Annie's take:

This is only the beginning of the story. More information continues to appear, as Congress prepares to interrogate Facebook's CEO. As you'll read here, Facebook was once, years ago, subject to a consent decree without fines via the Federal Trade Commission.
Cyber risks to your finances are rising as big banks rely on the oligopoly of big tech
"It is often said that practice makes perfect. Maybe that’s why a few of Canada’s larger financial institutions were recently asked to participate in what one regulator called a “severe but plausible cyber scenario.”"
Annie's take:

This analysis is probably as applicable in the United States as Canada.
Cybersecurity Challenges For The Boardroom: What Publicly Traded Companies Should Consider
"Steven Grimberg and Mark Ray are Managing Directors at Nardello & Co., a leading global investigations firm that, among other things, specializes in cybersecurity consulting, internal investigations and incident response."
Annie's take:

Good question and answer content. NACD, pay attention.
Guns, Bluster and Global Crapshoots
"February was a short month, dominated by Congressional inaction when DACA or gun control reform legislation was beaten back again by lobbyists."
Annie's take:

This month's column focuses on exactly what its title indicates.
Corporate boards will face the spotlight in cybersecurity incidents
"In my last article, I noted that corporate boards, especially those of public companies, are facing increased scrutiny and liability exposure in relation to cybersecurity and data privacy."
Annie's take:

How alert must boards of directors be? Here's a terrific article that lays it out.
Six Common Misconceptions About Cybersecurity
"Interest in cybersecurity is escalating across the legal profession, reflecting the complex and potentially catastrophic threats that clients, particularly financial services firms, now face. Because these risks are deep and potentially disastrous, lawyers are increasingly tasked with counseling clients about how to contain them."
Annie's take:

Excellent article!
Women cybersecurity leaders: RSA Conference can't find you
"At a major cybersecurity event in April, the only woman out of 20 keynote speakers will be a social commentator."
Annie's take:

Women have their own conference in San Francisco, and you can get the details here: https://www.oursa.org.
Equifax Releases Updated Information on 2017 Cybersecurity Incident
Annie's take:

The drama continues, and Equifax leads the way for providing stellar lessons learned on what was a broad cultural problem.
Cryptocurrency Firms Targeted in SEC Probe
"The Securities and Exchange Commission has issued dozens of subpoenas and information requests to technology companies and advisers involved in the red-hot market for cryptocurrencies, according to people familiar with the matter."
Annie's take:

The SEC has turned out to be the most actively forward-looking agency that the current administration has. This will be quite interesting.
SEC Refreshes Cyber Guidance
"It's been seven years since the U.S. Securities and Exchange Commission (Commission) issued its initial guidance to public companies on cybersecurity disclosure."
Annie's take:

Good summary of the guidance.
Global megatrends that are problematic for the state of cybersecurity
"The majority of senior-level IT professionals fully expect their organization will experience a catastrophic data breach that could greatly impact shareholder value, according to a study conducted by the Ponemon Institute."
Annie's take:

We're starting to see some honest answers in these surveys.
Interpol warns IoT devices at risk
"Cyberattacks against IoT devices have grown markedly over the past two years, prompting a warning from Interpol that nearly any IoT device – from refrigerators to smart phones - is vulnerable to attack."
Annie's take:

No surprises here, except the numbers.
The global cyber war is heating up: Why businesses should be worried
"Last Friday, the Department of Justice indicted 13 Russians and three Russian companies for interfering with the 2016 elections. Also last week, several countries including the U.S., the U.K., Canada, Australia, and Denmark accused Russia of being behind last summer's NotPetya attack."
Annie's take:

Excellent advice.
US regulator warns companies over cyber attack delays
"The main US financial regulator has beefed up its rulebook for companies faced with cyber attacks."
Annie's take:

The new SEC guidance is essentially a rehash of 2011 guidance. Note that in May, GDPR will require notification on breaches within 72 hours of the event.
How the FTC Act, HIPAA Privacy Rule Impact Healthcare Orgs
"Collecting and sharing consumer health information is fairly standard practice for covered entities and their business assets."
Annie's take:

There's more than one government agency involved in monitoring healthcare organizations for violations.
Global regulators neutral on new rules for 'hyped' fintech
"Global banking regulators signaled on Monday they were in no rush to adapt their rules to financial technology firms that have begun nibbling away at banks’ markets."
Annie's take:

"Volumes are still low" seems to be the rationale provided by global regulators at this time.
State elections officials fret over cybersecurity threats
"At a conference of state secretaries of state in Washington, several officials said the government was slow to share information about specific threats faced by states during the 2016 election. According to the Department of Homeland Security, Russian government hackers tried to gain access to voter registration files or public election sites in 21 states."
Annie's take:

Entirely appropriate to start assessments now!
FS-ISAC enables safer financial data sharing with API
"In an effort to keep consumer financial information and businesses safer from cyber attacks, the Financial Services Information Sharing and Analysis Center (FS-ISAC) is providing a new API free of charge."
Annie's take:

Hats off to my friends and colleagues at FS-ISAC. This is a big win for everyone involved.
How IoT, Edge Computing Can Impact HIT Infrastructure in 2018
"Many healthcare organizations are going through digital transformations and are interested in what evolving advanced technology is working for other entities. The Internet of Things (IoT) and edge computing are just two areas that could have significant impacts on HIT infrastructure in the coming year."
Annie's take:

Good analysis.
America lost a cyberwar to Russia in 2016. When will we have truth?
"Trump’s fantasy of a military parade and Trump’s choice to release or block congressional memos about the Russia investigation were the two big stories of last week."
Annie's take:

Dwindling resources at Justice, State and Defense to get the story out.
Looking Toward a More Just Society
"To ask whether a society is just is to ask how it distributes the things we prize--income and wealth, duties and rights, powers and opportunities, offices and honors."
Annie's take:

From my column: "We need to find a balance between bearing witness and enacting change that will lead to a more just society."
New SEC Cyber Unit Hunts for Fraudsters
"The SEC's recently launched Cyber Unit, which the agency rolled out in September, is starting to show serious results. In late January, as Forbes reports, the SEC "obtained a court order halting an allegedly fraudulent initial coin offering (ICO), which targeted retail investors to fund what was claimed to be the world's first 'decentralized bank.'"
Annie's take:

Such good news!
Olympics 2018: Drills Held In Pyeongchang Prepare For Threats Of Terrorism, War
"When Pyeongchang was awarded the 2018 Winter Olympic Games more than seven years ago, tensions in this region were much lower and North Korea did not have nuclear weapons thought capable of hitting the United States."
Annie's take:

These drills and other such scenario tests cannot be overvalued.
Hacking threats loom over 2018 Olympics
"Nation-state and criminal hackers are targeting the Winter Olympics at a rapidly increasing rate, raising fears of phishing scams, hacks and other disruptive attacks."
Annie's take:

Best advice for travelers to the Olympics: buy a burner phone and leave your smartphone at home.
Appeals court: Twitter can’t be sued for “material support” of terrorism
"An appeals court has ruled that Twitter is not liable for the deaths of two American military contractors who were killed in Jordan in 2015."
Annie's take:

Seems entirely appropriate!
War room to boardroom: The new era of cybersecurity
"Facebook’s hire of its first ever head of cybersecurity policy is recognition that protecting corporations from foreign hacking is an increasingly serious matter."
Annie's take:

"Corporate cybersecurity is not an IT problem."
Defending Our Nation's Cyber Services
"As the chief cybersecurity official for the Department of Homeland Security, Jeanette Manfra is laser-focused on preventing cyberattacks that could destabilize the U.S. financial system or open the federal government up to spying."
Annie's take:

Nice to see a senior female cyber official at DHS.
U.S. military personnel aren’t the only ones oversharing on fitness apps
"Soldiers using fitness tracking devices inadvertently revealed the locations of U.S. military bases — including classified ones — and the incident has lessons for anyone with a smartphone."
Annie's take:

EC issues GDPR guidance
"With just under four months to go before the General Data Protection Regulation (GDPR) takes effect, the European Commission (EC) published guidance Thursday meant to help organizations apply the new rules to their businesses."
Annie's take:

Compliance is expected to be in place by the deadline. This article has a link to the full guidance.
When #MeToo Becomes Catch-22
"A number of high-profile men have recently lost powerful positions over their alleged sexual misconduct. But for female victims of harassment, speaking up often is just as career damaging."
Annie's take:

"Harassment pervades the workplace."
Tsunami Advisories Lifted After Alaska Earthquake
"Within four hours of a major earthquake striking off the Alaskan coast early Tuesday, the authorities lifted all tsunami advisories, after initial concerns prompted guidance for coastal areas as far south as the American border with Mexico."
Annie's take:

Very clear explanation of what type of earthquake this was. I am speaking tomorrow afternoon to University of Washington Access students on "Assessing Personal Risk in Challenging Times." Earthquake preparation will certainly come up.
The Five Laws Of Cybersecurity
"As we enter the new year, I can't help but recall these words from Star Trek II: The Wrath of Khan -- one of my favorite movies. 2017, by all accounts, ended up being the year of the hacker in many ways."
Annie's take:

Interesting take on the situation.
Exchange body issues cyber security best practice guidelines
"The global trade association for exchanges has issued a set of cyber security best practice guidelines that proposes reducing bonuses for staff who fail tests and including awareness in performance indicators."
Annie's take:

Tying performance to bonuses will get their attention.
CISOs' No. 1 Concern in 2018: The Talent Gap
"The top concern among CISOs for 2018 falls outside the typical realm of attacks, employee negligence, or staffing shortages, according to findings released this week in a Ponemon Institute Survey."
Annie's take:

No surprises here. The UW information security/cyber Informatics and master's degree programs are helping to turn out qualified candidates.
Who should be responsible for cybersecurity?
"The news today is flush with salacious stories of cyber-security breaches, data held hostage in brazen ransomware attacks, and compromised records and consumer information."
Annie's take:

Good piece.
Think you are in control? Think again! New Data Protection Regulations Are Here
"If a stranger on the street asked me for my address and credit card details, I would be suspicious and would think about calling the police. However, multiple organizations are often collecting and saving this type of data all the time, usually without my consent. Unfair, don’t you think?"
Annie's take:

The new Global Data Protection Regulations should filter down to us Americans after August, when all the large tech companies have complied in order to do business in Europe.
Donald Trump's 'racist slur' provokes outrage
"US President Donald Trump has sparked outrage after he was reported to have used crude language to describe foreign countries in an Oval Office meeting."
Annie's take:

He can try to gloss over what he said in the meeting, but by now everyone (his supporters and the rest of us) knows that is how he thinks and how he speaks. To friends and colleagues all over the world, I offer an apology on his behalf. And mine.
House Passes Bill Authorizing Array of Foreign Electronic Surveillance
"The House on Thursday approved an extension of an expiring surveillance law, reauthorizing the FISA Amendments Act through 2023."
Annie's take:

The bill was passed without any modifying amendments. If ever you needed a reason to get out and vote, this is it.
Can we really automate how security analysts think?
"In some conversations with security leaders, I inevitably run into a skeptic view that automation will never be able to replicate the decision making of security analysts. The truth is we can already automate a lot more of the decision making today than was possible just a couple of years ago."
Annie's take:

A good article.
Our Darkest Hour is Still Ahead
"Just like that, we are in a new year."
Annie's take:

My thoughts on the changes that have taken place this past year in our democracy.
Cellphone and Computer Searches at U.S. Border Rise Under Trump
"Customs officers stationed at the American border and at airports searched an estimated 30,200 cellphones, computers and other electronic devices of people entering and leaving the United States last year — an almost 60 percent increase from 2016, according to Homeland Security Department data released on Friday."
Annie's take:

Here's another case or two for the Supremes.
Contractors Must Contend With New Cybersecurity Rule
"The April 2017 issue of National Defense reported on key aspects of the Defense Department rule on “Safeguarding Covered Defense Information and Cyber Incident Reporting” and actions that contractors could take to implement the rule."
Annie's take:

Now we're making progress!
“Meltdown” and “Spectre”: Every modern processor has unfixable security flaws
"Windows, Linux, and macOS have all received security patches that significantly alter how the operating systems handle virtual memory in order to protect against a hitherto undisclosed flaw."
Annie's take:

This is the clearest analysis I've read.
NAIC Adopts Model Law on Cybersecurity: Will States Adopt It?
"On Oct. 24, the National Association of Insurance Commissioners (NAIC) formally approved the Insurance Data Security Model Law (model law). The NAIC is a standard setting and regulatory support organization consisting of the top insurance regulators from the 50 states, District of Columbia, and five U.S. territories."
Annie's take:

I am very anxious to see where this goes.
The everyday attacks in modern cyber warfare
"The Department of Homeland Security has identified 16 critical parts of our infrastructure that are at risk for a cyber attack — energy, financial services, transportation, water, and defense, to name a few."
Annie's take:

Nibbled to death.