The Essential Risk of Facebook ThreatExchange

Duran Holycross

Last month Facebook announced a new social network called ThreatExchange, which, according to the International Business Times, "is designed to help cybersecurity experts protect Internet users from malicious software and security vulnerabilities by allowing them to alert each other quickly about evolving threats." Saying that companies who participate can do so selectively to ensure that they don't "accidentally divulge private information," Facebook wants to make it "easier for an organization that may want to share data that needs to be handled with extra sensitivity."

Hmm... As a long-time member of the profession being targeted by this initiative, I immediately see a number of red flags. For starters, I think we can all agree that nobody's going to share real intelligence on a real hack without being guaranteed some privacy or, ideally, full anonymity.

The State of the Union Address and the Call for Corporate and Armed Forces Evolution

Mark Harrington

This week’s State of the Union Address was the fourth in a row in which President Obama highlighted the critical nature of cybersecurity. Until the most recent onslaught of headlines painted a painful picture of the consequences of a data breach, all too many of our organizations had been focused on passing compliance audits and dealing with a broad variety of threats to long-term business viability. Times have changed, and the headlines and the tough reality are all crystal clear: the bad guys are strong, dedicated, and working productively together, and they are in our networks today.

As President Obama said, lawmakers must “finally pass the legislation we need to better meet the evolving threat of cyber-attacks,” and, “If we don’t act, we’ll leave our nation and our economy vulnerable.” Recently proposed legislation would relieve some of the risk of participating in the information-sharing for which the federal government is asking. Defending our organizations is becoming increasingly complicated for legal and security teams, so it’s crucial for such legislation to increase the incentives or decrease the exposure that companies would experience in being more transparent and collaborative with government when data breaches occur. 

2015: Fighting Adaptive Attacks Requires Adaptive Defense with Response Automation

Anthony Di Bello

Attackers are always looking for new vulnerabilities with which to exploit widely adopted technologies, or they use, create, or modify malware that changes just enough to avoid known detection methods as it propagates through a corporate network. The same malware or vulnerability is rarely used after public discovery. The identification and sale of new vulnerabilities is a high-revenue enterprise, as is the sale of malware kits that can be customized and used as weapons against unsuspecting organizations. Cybercrime is a high-growth industry, and its players are only getting better organized and their attack methods more elaborate.

The defenses widely in use today are limited to technology that is overly reliant on the known and unable to adapt when attackers change their patterns or find easier ways to sneak onto our networks undetected. The headline-grabbing hacks of 2014 — Home Depot, JP Morgan Chase, eBay — only serve to highlight this fact.

Hack-y Holidays: Best Practices for Retailers and Credit Card Processors

The holiday season is in full swing, with security professionals worldwide still reeling from the scope of last year’s infamous December hack. Many response teams have taken steps to beef up data protection processes and technology, and so far, no news is good news in the retail/credit card processing world.

Making a List and Checking it Twice

We deliver technology that empowers you to respond faster and more effectively to hacking attempts. Are the new practices you put into place this year on our list? We’ve put together ten of the strongest steps you can take toward a more complete security posture in our first annual “Guidance Software Hack-y Holidays Cyber Defense Report.”

How Legal Can Leverage the Latest Version of the NIST Cybersecurity Framework

Mark Harrington

Last week, the National Institute of Standards and Technology (NIST) released an update to its Framework for Improving Critical Infrastructure Cybersecurity, incorporating feedback from its October workshop as well as responses to an August Request for Information. While adoption of the Framework remains voluntary and not a regulatory requirement, many large organizations in a variety of industries consider it to be an effective benchmark for security operations. We at Guidance Software believe it will soon be considered a “commercially reasonable” standard, but we also recommend incorporating additional, proactive security practices for a more complete security posture.

This most recent update to the Framework reports on certain implementation issues, including the need to expand awareness among smaller and medium-sized businesses in the critical infrastructure sector. Some concern exists that the Implementation tier of the Framework’s three main components—Core, Profile, and Implementation Tiers—is being used the least frequently. Instead, the Framework is being most commonly used simply as a basis for evaluating security—as a yardstick, if you will.

Information-Sharing Holds Real Promise for More Effective Organizational Defense

Among the aspects of the NIST Framework that I believe hold the most promise for defending our organizations is information-sharing. Many who have responded to NIST’s calls for feedback have expressed interest in expanding this type of collaboration in order to build more powerful threat intelligence feeds across American industries. While interest in participation is high, so are the levels of concern about the potential impact on corporate reputation if data breaches were made public. Since the original Framework was published, there has been a clear call for a means of reporting a breach and related information anonymously.

Congress has just passed the National Cybersecurity Protection Act in order to better support cyber-threat information exchange between the public and private sector via the National Cybersecurity and Communications Integration Center. However, a bill that incorporates liability protections for those reporting on breaches will have to wait until early next year.