CyberJudicata Weekly Debrief (3/2–6)
"Private security researchers and threat intelligence firms that visit black market online forums for research should create internal rules, document their work and have established relationships with law enforcement, according to new guidance from the Department of Justice. The document offers non-binding legal guidance for how to navigate cyber intelligence gathering on the internet, particularly for sites that 'openly advertise illegal services and the sale of stolen credit card numbers, compromised passwords, and other sensitive information.'"
"An information security policy is the foundation of an enterprise security program, ideally establishing in clear language what the organization expects from its security operations based on both its tolerance for risk and on its regulatory obligations. Yet security advisers say many organizations fail to give adequate attention to writing and maintaining strong information security policies, instead filling in blanks on generic templates and filing them away."
"A company that provides custom parts to aerospace giants Lockheed Martin, SpaceX and Boeing has been the target of an attack by an emerging type of ransomware that can both encrypt files and exfiltrate data. Colorado-based Visser Precision said it was targeted by a “cyber incident” that involved the attacker accessing and stealing company data, after a security researcher found some of the company’s stolen files leaked online."
"A security company has accused America's Central Intelligence Agency (CIA) of waging an 11-year campaign of cyber-espionage against critical industries in the People's Republic of China. Qihoo 360 announced yesterday that it had 'discovered and revealed cyber-attacks by the CIA hacking group (APT-C-39) which lasts for eleven years against China.'"
"One of the highlights of the annual RSA Conference in San Francisco is the opening keynote session that gathers together a world-class panel of cryptography experts to discuss and debate today's top cybersecurity issues."
"While “Internet of Things” (IoT) devices open up new worlds of convenience, they’ve also introduced new security vulnerabilities. At the risk of overgeneralizing, many of these vulnerabilities stem from the ease of set-up and use that make these singular-purpose devices so attractive. They tend to be scaled down, with little internal memory, and lack strong out-of-the-box security, often shipped with default accounts and passwords enabled."
"Washington state has an opportunity to create a groundbreaking privacy law, placing guardrails around facial-recognition technology and giving consumers control over personal information collected online. As passed by the Senate, Bill 6281 could be a standout accomplishment of this year’s Legislature. It would increase consumer protection and enable the Attorney General to enforce violations, while providing clear guidelines and responsibilities for companies handling large amounts of personal data."
"The District of Columbia’s attorney general would get new authority to sue companies that fail to protect consumer data, under legislation approved by the city council."
. . .