info@qualityplusconsulting.com l +1 262-553-6510

Special note for Ubuntu users

Breakfast Bytes podcasts are streaming MP3. In order for Firefox on Ubuntu to play the streaming MP3, install the GStreamer extra plugins that list MP3 as one of the supported formats. GStreamer can be obtained through the Ubuntu Software Center.

Breakfast Bytes - Cybersecurity Compliance and Enforcement

10/6/2017, 10/20/2017


Cybersecurity Compliance and Enforcement



What is needed to actually achieve "good enough" cybersecurity practices in organizations?

An update on unconstitutional Stingray use.

RPC over HTTP ceases to be supported for Office 365 on 10/31/2017

MP3 - Cybersecurity Compliance and Enforcement

MP3 - Cybersecurity Updates


Summary

  • What level of enforcement is needed to close cybersecurity gaps in most organizations?
  • FTC published a new cybersecurity guide
  • FIDO U2F achieves AAL3 with NIST
  • Deloitte demonstrates that no one should use them for cybersecurity services
  • Stingray update
  • RPC over HTTP will cease to function after October 31, 2017 for Office 365 users

FTC Publishes new CyberSecurity Guide

Those of you that listen to the show know that I am not a fan of government regulations because they are usually more damaging than helpful. There is not a lot that government does well, and every regulation has a cost that is invariably passed down to the consumer of the product or services making those items less affordable.

About 15 years ago, the FTC had more teeth and actually published cybersecurity standards that had to be adhered to in the protection of personally identifiable information. They backed off of enforcement for everything except organizations that already needed to comply with SOX, GLBA, HIPAA, or PCI.

The problem is that this leaves a massive hole, and that hole is how most consumers' PII is being compromised on a daily basis. Because the individual incidents are not big, they go undetected except by cybersecurity experts who are under no obligation to report anything.

Recently the FTC has been trying to get privately owned businesses to up their cybersecurity game. They published a new guide for that market that is intended to be friendly and actionable.
https://www.ftc.gov/tips-advice/business-center/guidance/start-security-guide-business
Nothing in the guide is new, but it is well done so is a valuable educational and referential resource.


FIDO U2F achieves AAL3 with NIST

Regular listeners know that I often refer to the NIST standards for cybersecurity. This is the NIST SP-800 set. It is a very mature, widely recognized and codified set of standards that the entire cybersecurity community contributes to and recognizes as authoritative.

NIST recently published new authentication standards (SP 800-63-3) that include recognition of the FIDO U2F standard. NIST defines an assurance level called AAL3 (Authenticator Assurance Level 3), and U2F qualifies for it; SMS and OTP methods do not, because they are weaker and more easily compromised. This is an excellent article on the subject that I suggest you read.
https://www.yubico.com/2017/06/nist-publishes-sp800-63-3-fido-u2f-achieves-aal3/

We have been using and recommending Yubikeys since 2014. They are very reliable and easy to use while providing an excellent layer of authentication assurance beyond MFA techniques that can be more easily compromised.


Deloitte demonstrates that no one should ever hire them again for any CyberSecurity services

https://www.theregister.co.uk/2017/09/26/deloitte_leak_github_and_google/
A search on the Internet reveals that many real cybersecurity experts have no respect for Deloitte's work in that field. The recently revealed massive Deloitte breach demonstrates their gross incompetence and negligence coupled with extremely inadequate internal controls.
If Deloitte cannot secure their own systems from such egregiously obvious problems, then why would anyone trust them for cybersecurity services or any accounting services?
It's just another prime example of the hazards of doing business with a massive business that is clearly too big for its britches and such a bureaucratic dinosaur that it lacks the agility to fix its own problems.
https://www.secplicity.org/2017/09/29/deloitte-email-breach-daily-security-byte/


Stingray update

DC court rules tracking phones without a warrant is unconstitutional
Stingrays have been extensively used by nearly every law enforcement organization in the country unconstitutionally for at least 15 years.
https://www.cbsnews.com/news/d-c-court-rules-warrant-is-required-for-stingray-cell-phone-tracking/


RPC over HTTP will cease to function after October 31, 2017

https://support.microsoft.com/en-us/help/3201590/rpc-over-http-reaches-end-of-support-in-office-365-on-october-31-2017
RPC over HTTP will no longer work when connecting to Office 365 after that date.
This article includes a really nice PowerShell script that can be used to check whether there are any at-risk users in your environment.
But basically, you should be working to get all computers running Office 2016, with patches being installed at least twice per month.


Anti-Ransomware Free Tools from TrendMicro

https://www.trendmicro.com/en_us/business/capabilities/solutions-for/ransomware/free-tools.html

Cryptomator

A great replacement for TrueCrypt.

https://cryptomator.org/