2014/05/01

05.01.14 | SEC likely to issue cybersecurity disclosure rules based on 2011 guidance

What's New:
1. SEC likely to issue cybersecurity disclosure rules based on 2011 guidance
2. Security 'game changers' for forcing IT security pros to 'do things differently,' says SANS chief
3. IT downtime from attack or infrastructure failure can cost firms more than $1M per hour
4. When you go to the board, speak in their language, not yours
5. Network segregation is the best solution for diverse university environments, say IT pros

Spotlight:
Researcher used cheap drone to hack into widely used traffic control system

Also Noted:
Target takes steps to stop future breaches; Time travel from Google; Much more...

News From The Fierce Network:
1. Facebook thanks mobile for ad revenue boost while Google struggles
2. Cisco, Sanofi take different paths to mobility
3. Keller Williams gets real with mobile app for realtors, home buyers

FierceITSecurity

May 1, 2014



This week's sponsor is HP.

Ponemon
According to the Ponemon Institute's 2013 Cost of Cyber Crime study, the average cost to businesses of cyber crime is more than $7M per year, a 30% increase over last year. And the average number of attacks per company grew 20% to 73 successful attacks annually. With the incidence and cost of cyber crime rising sharply, this study of 234 companies in six countries details the types of cyber attacks found to be most common and the losses resulting from each type of attack. Read it to learn more.


This week's sponsor is HP.

eBook | Critical Infrastructure and Cybersecurity

Critical infrastructure industries vary in the sophistication of their digital defenses. In this FierceITSecurity eBook, industry experts discuss how to stay ahead of cyber security threats and maximize their defensive efforts. Download this eBook today.

What's New

1. SEC likely to issue cybersecurity disclosure rules based on 2011 guidance

By Fred Donovan

BOSTON--Spurred on by the Target breach and other high profile breaches, the Securities and Exchange Commission is likely to issue mandatory rules on cybersecurity disclosures for public companies in their SEC filings--rules based on the voluntary staff guidance the regulator issued in 2011, explained Jason Weinstein, a partner at the law firm of Steptoe & Johnson specializing in cybersecurity, at the SANS Security Leadership Summit being held here this week.

In October 2011, the SEC issued staff guidance advising companies to disclose information about cybersecurity risks and cyber incidents in their SEC filings.

In the guidance, the SEC explained that "federal securities laws, in part, are designed to elicit disclosure of timely, comprehensive, and accurate information about risks and events that a reasonable investor would consider important to an investment decision. Although no existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents, a number of disclosure requirements may impose an obligation on registrants to disclose such risks and incidents."

"This guidance was advisory in nature, not compulsory. However, recent public breaches are pushing the SEC in the direction of making the guidance recommendations mandatory," explained Weinstein.

"The rules will be based on the guidance; they will be basically the guidance converted into more prescriptive language," he said.

In a letter to the SEC sent last year, Sen. John D. Rockefeller (D.-W.Va.), chairman of the Senate Commerce Committee, urged the then new SEC Chairman, Mary Jo White, to make the guidance mandatory. "Investors deserve to know whether companies are effectively addressing their cybersecurity risks--just as investors should know whether companies are managing their financial and operational risks. This information is indispensable to efficient markets, and as a country, we need the private sector to make significant investments in cybersecurity."

Not everyone agrees. John Mutch, chairman of security firm BeyondTrust, argued in a Forbes column: "Having been CEO of a public company and now as CEO of a global enterprise software company which provides cyber security and compliance solutions to many public companies, I can attest to the growing complexities and pressures of supply (threats and risk to operations) and demand (regulatory requirements) that must be managed on a daily basis. This is going to be an even steeper climb if the SEC requires companies to disclose on their cyber risk."

For more:
- check out the SEC's staff guidance
- see the Rockefeller letter
- read Mutch's Forbes column

Related Articles:
Target breach, Heartbleed bug cause high anxiety among IT security pros
Michaels' breach totals close to 3 million credit, payment card accounts
Personal data breaches on the rise, Pew finds



This week's sponsor is HP.

Reputation Whitepaper
A study by Verizon finds 86% of security breaches come from the outside. Spotting cyber attacks in your network means identifying the signatures of known threats. Reputation data takes that one step farther by identifying communications coming from or going to known bad actors based on their reputations. Read this white paper now for more details.


2. Security 'game changers' for forcing IT security pros to 'do things differently,' says SANS chief

By Fred Donovan

BOSTON--There are five top security "game changers" that are going to "break the way we are doing security" and force IT security pros to "do things differently," explained John Pescatore, director of the SANS Institute, during a presentation at the SANS Security Leadership Summit being held here this week.

The five top security game changers are 1) consumerization of IT, 2) increased use of virtualization and cloud, 3) the Internet of Things, 4) supply chain integrity concerns, and 5) increased threat targeting and better evasion techniques.

With the consumerization of IT, the IT staff has less control over increasingly heterogeneous user devices.

"The strategies we had for controlling security on the user devices were dependent on IT dictating [equipment] and our security strategies were based on IT control of devices. IT is not going to have that level of control ever again. Heterogeneity is what every IT organization is going to have to deal with," stressed Pescatore.

To reduce costs, firms are increasingly turning to virtualization and cloud services. "With virtualization, IT can spin up badly configured servers much faster ... Doing the wrong thing faster rarely increases productivity and security," Pescatore notes.

"Once you start using public cloud services, you run into the same phenomenon that you run into with employee-owned devices--business can use those services without going through IT… IT security strategies of putting firewalls around data centers won't work anymore," he adds.

The Internet of Things is creating massive new data sources and increased machine automation. This reduces costs and improves productivity, but it also creates billions of new vulnerable endpoints and connections.

"The ways we were used to doing security with the old-style devices don't work with the Internet of Things," he said. "A lot of these Internet of Things sensors are used in environments where even a denial of service attack could lead to loss of life," he added.

On supply chain integrity, Pescatore observed: "we have to look at third party equipment and software to determine if they are dangerous." He cited the allegations that Chinese telecom gear manufacturer Huawei was putting backdoors into network equipment being sold on the commercial market.

"By looking at our supply chain and doing what we can to eliminate vulnerable or dangerous software getting into our environment, we can cut down the aperture and shorten the incident response time," he said.

Finally, attackers are increasingly targeting specific people, organizations and data while improving their evasion techniques. Pescatore cited the Verizon Data Breach Investigations Report, which found that most breaches were low-difficulty intrusions and that many of them were discovered by third parties, such as customers who suffered identity theft as a result of the breach.

Pescatore concluded that IT security pros need not only to identify and address these game changers, but also to communicate them effectively to senior management so they can get the resources to solve these issues.

Related Articles:
Most IT pros lack confidence in their ability to manage security breaches
Average SQL injection attack takes 7 months to find, fix
Infographic: BYOD, cloud opens firms up to data breaches



3. IT downtime from attack or infrastructure failure can cost firms more than $1M per hour

By Fred Donovan

IT downtime caused by an attacker or non-malicious infrastructure failure can cost firms more than $1 million per hour, as well as increase data security risks, according to a survey of 283 IT professionals and end users by security firm Globalscape.

A full 60 percent of respondents estimated that an hour of downtime can cost their firm between $250,000 and $500,000, and one in six said it can cost $1 million or more.

"Downtime, while understood to be tremendously costly and frustrating, has become commonplace and even expected in the enterprise. Oftentimes, downtime can be avoided, and companies should expect more from their vendors," observes James Bindseil, president and CEO of Globalscape.

More than half of executive-level employees polled said that they grappled with system downtime at least once a month.

"When core systems are unavailable, productivity suffers. And while lost files or the inability to send email may not have an 'assigned' value, per se--organizations lose money every minute a core system is unavailable," the report warns.

To prevent unexpected data loss, employees turn to risky document handling practices. According to a separate survey of 500 corporate employees that Globalscape conducted with the Ponemon Institute, 63 percent of employees said they use removable storage devices, such as USB drives, to transfer confidential work files, 45 percent use consumer sites like Dropbox and Box to share sensitive files, and 30 percent of employees use cloud storage services.

"When employees use consumer-grade alternatives, frustration and productivity issues quickly evolve into serious security and compliance vulnerabilities, repeatedly putting organizations and their customers at risk," the report explains.

For more:
- check out the Globalscape release
- read the full report (reg. req.)

Related Articles:
Verizon provides insight into attackers' behaviors
Spotlight: Average enterprise sustains 4.5 large DDoS attacks every year
7 deadly sins: The most dangerous new attack techniques for 2014



4. When you go to the board, speak in their language, not yours

By Fred Donovan

BOSTON--When IT security pros brief the executive board, they should use language that senior executives can relate to, such as the impact of security on profits and losses, not language used by the IT security team, James Tarala, senior instructor at the SANS Institute, told an audience at the SANS Senior Security Leadership Summit being held here this week.

"People in the security space need to communicate in the language that executives understand. The more we talk about the configuration of our firewalls, the more they tune out. The more we can talk in terms of profit ratios or sales quotas, the more likely we are going to catch their attention and start having an impact on the organization," explained Tarala.

One way to bridge the "language gap" is for IT security pros to use metrics to measure progress in security and communicate that progress to business leaders. "What is measured improves," Tarala said, quoting management theorist Peter Drucker.

Jack Nichelson, global information security and network manager at graphite products supplier GrafTech International, told the audience that he implemented a metrics-based IT security program at his firm. "I mapped the metrics that mattered to the initiatives I was trying to achieve. I wasn't trying to eat everything. I was just targeting what mattered most to my goals and I made sure those goals resonated up the chain to who was sponsoring the program," Nichelson related.

Drawing on insights from the Six Sigma program for process improvements, Nichelson developed a large board that provides an overview of all of the IT security initiatives, programs and performance at GrafTech. "We rolled this out for security because I wanted to not just keep the metrics in IT, I wanted them to be public," he said.

"You want to make sure you are not just reporting metrics, but you are creating actionable results from those metrics," Nichelson added.

Related Articles:
IT service model could ease transformation terrors
Disruptive technologies creating opportunities for CIOs
An ounce of security response is worth a pound of prevention



5. Network segregation is the best solution for diverse university environments, say IT pros

By Fred Donovan

BOSTON--Network segregation is the best way to deal with the open environment of higher education while maintaining IT security, according to a panel of IT security pros from a number of New England universities at the SANS Institute Security Leadership Summit being held here this week.

"One of the biggest challenges we face is our various constituencies--the staff who conducts the business of the college, our faculty that needs to create the research and programming to make the university viable and competitive, and the students who need access to resources," explained Sherry Horeanopoulos, information security officer at Fitchburg State University.

"We segregate our networks. We give some network access to our student population, some network access to our faculty, and then try to secure the business portion of the university. It is one of the bigger challenges that we face," she added.

David Escalante, director of computer policy and security at Boston College, said his college faces similar IT security challenges. "In terms of challenges, you have different people bringing in different devices. How do you deal with the network where there are devices doing very sensitive things? You need to create some sort of segregation where the devices aren't all commingled in the same areas," Escalante said.

David Sherry, chief information security officer at Brown University, agreed that network segregation is key to IT security in higher education. "When the students are on the campus network, they are customers … When they go back to the residence halls, they are enemy combatants. Our computer science students learn something at 3 p.m. and attack me with it that night," Sherry quipped.

Related Articles:
IT's Hottest Jobs: Network administrator
Cisco's SourceFire buy gives tech giant renewed network security momentum
Cisco, Check Point, Fortinet top growing security appliance market, says IDC



Also Noted

This week's sponsor is Gartner.

Gartner Security & Risk Management Summit
June 23 - 26, 2014, National Harbor, MD

Discover five programs covering IT security, risk and compliance, BCM, the CISO and the marketplace for security, so you can validate your strategy against the full spectrum of security and risk initiatives. Save $300 with code GARTFSI. To register, visit gartner.com/us/securityrisk.


TODAY'S SPOTLIGHT... Researcher used cheap drone to hack into widely used traffic control system

IOActive security researcher Cesar Cerrudo says he was able to hack into devices used to control traffic in major cities around the world. "The vulnerabilities I found allow anyone to take complete control of the devices and send fake data to traffic control systems. Basically anyone could cause a traffic mess by launching an attack with a simple exploit programmed on cheap hardware ($100 or less)," Cerrudo wrote in a blog. He said he used an inexpensive drone to launch the attack. Read more

>> Target aims to lock doors to future security breaches (eWeek)
>> Draft cybersecurity legislation on information sharing circulates (SecurityWeek)
>> Google Chrome protection for Heartbleed-hacked sites called "completely broken" (Ars Technica)
>> Tax fraud gang targeted healthcare firms (KrebsonSecurity)
>> Siemens patches Heartbleed in popular SCADA system (IDG News Service)

And Finally… You knew it was coming--Time travel from Google (InformationWeek)

Webinars

> Reduce Datacenter Energy Costs by up to 15%: Software Meets Datacenter ROI - Friday, May 16, 2014 - 2 pm ET / 11 am PT

Join us for a look at two Intel Datacenter Software solutions, sample use cases, and implementation overviews. Intel Data Center Manager (Intel DCM): Energy Director provides device-level power and thermal monitoring and management for groups of servers, networking, storage, and other IT equipment. Register Today!

Marketplace

> Whitepaper: Finding ROI in Document Collaboration

Read this Accusoft whitepaper to learn about the factors that make document collaboration more difficult than it should be, and about how to create a collaboration strategy that makes sense for your organization. Download Now!

> Whitepaper: Delight & Engage Customers with Mobile APIs

Read this success story and learn how a robust API and secure API Management powered Keep’s iOS app to become one of the most popular apps in the Lifestyle category in the iTunes App Store.

> eBook: eBrief | How Big Data Changes The Way You Think and Operate

Big data allows companies to focus on individuals instead of vague trends. Businesses that jump in and start learning now can reap an advantage over slower competitors. Download this eBrief today!

> eBook: Critical Infrastructure and Cybersecurity

This FierceITSecurity eBook looks at key dependencies among critical infrastructure sectors and how companies in these areas can stay ahead of threats and maximize their defensive efforts. Download this eBook today!

> Whitepaper: 5 Unsung Tools of Dev Ops

Jonathon Thurman shares his five favorite DevOps tools which have been around a long time. They may not be flashy but they're time tested and just work. He also tells you how to use them and how to configure them for maximum value. Download 5 Unsung Tools of DevOps to see which tools make the cut and why.

> eBook: Getting to DevOps (And Getting the Payoff)

DevOps is a more holistic approach to application development, more fully taking into account deployment and ongoing operational needs – and tossing a lot of automation into the mix. This FierceEnterpriseCommunications eBook provides step-by-step guidance on implementing DevOps for CIOs and IT and application development managers. Download this eBook today!

> Whitepaper: 802.11ac in the Enterprise: Technologies and Strategies

Download the White Paper "802.11ac in the Enterprise: Technologies and Strategies" to learn from industry expert Craig Mathias about the technologies behind 802.11ac, deployment misconceptions and review steps that every organization should take in getting ready for 802.11ac. Download today!

> Whitepaper: Defense Against the Dark Arts: Finding and Stopping Advanced Threats

Today's most-damaging targeted attacks don't occur by happenstance. They are carefully planned and executed by a new breed of professional adversaries. Read this white paper, Defense Against the Dark Arts: Finding and Stopping Advanced Threats to gain a practical understanding of today's Advanced Threat Landscape and strategies for detecting and stopping Advanced Threats. Download today!

> Whitepaper: Longline Phishing: A new Class of Advanced Phishing Attacks

The last few years have seen a dramatic increase in the use of email as a vehicle for cyberattacks on organizations and large corporations. Recently, Proofpoint researchers identified a new class of sophisticated and effective, large-scale phishing attack dubbed "longline" phishing attacks. Download this whitepaper to learn about the unique characteristics of these attacks, how they are carried out, and the alarming effectiveness they have. Download today!

> Whitepaper: Hardware Test Equipment is the Key to Accurate Network Testing

Surprisingly, many organizations are not adequately testing their networks. Network testing is crucial for any IT organization that wants to ensure availability, security and performance of applications and services running on their networks. Download this whitepaper now to learn more!

> Whitepaper: Supporting VDIs and Thin Clients

Companies have already begun deploying VDIs and thin clients (like Google's Chromebook) on a massive scale. The low-cost, easily deployed workstations present a significant cost savings for companies, but require unique tools to support them. This whitepaper, written by Proxy Networks, outlines the best way to do that. Download now.

> Whitepaper: Four Ways to Improve IT Efficiency

The role of the help desk within businesses has expanded considerably over the last decade, becoming an integral piece of the overall corporate strategy. In this whitepaper, Proxy Networks outlines the best way to align your IT department with that strategy in order to improve overall departmental efficiency. Download now.


©2014 FierceMarkets, a division of Questex Media Group LLC.

Editor: Fred Donovan. VP sales and business development: Jack Fordi. Publisher: Ron Lichtinger.