Week in review: Hidden cybersecurity talent, the myths hampering cybersecurity maturity

Here’s an overview of some of last week’s most interesting news and articles:

Counterfeit digital certificates for sale on underground forums
Researchers have discovered that, for the last couple of years, a few underground vendors have been offering legitimately issued code signing certificates and domain name registration with accompanying SSL certificates.

Whitepaper: What is GDPR and what does your organisation need to do to comply?
Wherever your team stands on its path to readiness, this whitepaper will help you better understand GDPR and your company’s compliance obligations.

Discover hidden cybersecurity talent to solve your hiring crisis
Not having access to technical talent is a common complaint in the cybersecurity world. Folks with security experience on their resumes are in such high demand that CISOs need to hunt beyond the fields we know. To borrow a phrase from the ever-logical Mr. Spock, CISOs need to embrace Infinite Diversity in Infinite Combinations.

Russian, Indian banks lose millions to hackers
The Russian central bank’s Financial Sector Computer Emergency Response Team (FinCERT) disclosed that hackers compromised a computer at a Russian bank and used the SWIFT system to transfer 339.5 million roubles (around $6 million) to accounts they controlled.

Which phishing messages have a near 100% click rate?
Training employees to spot phishing emails, messages and phone calls can’t be done just once or once a year if the organization wants to see click rates decrease.

Email inboxes still the weakest link in security perimeters
Over one-third of all security incidents start with phishing emails or malicious attachments sent to company employees.

Intel releases Spectre 2 microcode updates for Kaby Lake, Coffee Lake, Skylake
Intel has released to OEMs a new set of Spectre firmware updates.

The four myths hampering cybersecurity maturity
A look at the four myths that security organizations need to stop believing, and how they should move forward.

What if defenders could see the future? Many clues are out there
Applying machine learning can help enhance network security defenses and, over time, “learn” how to automatically detect unusual patterns in encrypted web traffic, cloud, and IoT environments.

How organizations are confronting escalating third-party cyber risk
Based on in-depth interviews with security executives from 30 participating organizations across multiple industries, RiskRecon revealed how companies are managing the security risks of their complex digital supply chains and sensitive business partnerships.

BEC scammers actively targeting Fortune 500 companies
Nigerian scammers are targeting Fortune 500 companies, and have already stolen millions of dollars from some of them, IBM Security researchers have found.

Expected changes in IT/OT convergence and industrial security
Over the past year, we have seen a continued cross-pollination: IT security staff trying to step onto the plant floor and plant teams trying to understand IT security.

Poor communication between CEOs and technical officers leads to misalignment
CEOs are incorrectly focused on malware, creating misalignment within the C-suite, which results in undue risk exposure and prevents organizations from effectively stopping breaches. Technical officers (CIOs, CTOs and CISOs) on the front lines of cybersecurity point to identity breaches – including privileged user identity attacks and default, stolen or weak passwords – as the biggest threat, not malware.

Afraid of AI? We should be
Not (yet!) of a sentient digital entity that could turn rogue and cause the end of mankind, but the exploitation of artificial intelligence and machine learning for nefarious goals.

Hack In The Box announces keynote speakers for 2018 Amsterdam event
Hack In The Box Security Conference (HITBSecConf) is returning to Amsterdam in April this year with more than 70 speakers who will take the stage.

The advent of GDPR could fuel extortion attempts by criminals
The number of exploit kit attacks is, slowly but surely, going down, and malware peddlers are turning towards more reliable tactics such as spam, phishing, and targeting specific, individual vulnerabilities. That’s the good news. The bad news is that everything else is on the rise: BEC scams, ransomware, stealthy crypto-mining, the number of enterprise records compromised in data breaches.

US sets up dedicated office for energy infrastructure cybersecurity
The US government is setting up a new Office of Cybersecurity, Energy Security, and Emergency Response (CESER) at the US Department of Energy. The CESER office will focus on energy infrastructure security and enable more coordinated preparedness and response to natural and man-made threats.

New infosec products of the week: February 23, 2018
A rundown of infosec products released last week.