27% of cloud apps are high risk

As more and more organizations adopt cloud platforms, new shadow IT risk vectors are coming into play in the form of connected third-party apps, according to CloudLock CyberLab’s analysis across 10 million users, 1 billion files, and nearly 160,000 unique applications.


These apps (and by extension, their vendors) are authorized using corporate credentials, have API access to corporate data on multiple SaaS platforms via OAuth connections, and can act on behalf of users to access, delete, store, externalize and exfiltrate data.


The shadow IT dilemma is only becoming more challenging as usage is increasing exponentially year over year. From 2014 to 2016, we’ve seen nearly a 30x increase in apps from 5,500 to nearly 160,000. Each application instance represents a backdoor through which hackers can infiltrate and externalize sensitive corporate assets.


Measuring risk by a combination of access scopes, community-sourced ratings, and expert-driven analytics, the CloudLock CyberLab found that 27% of third-party apps are classified as high risk through which cybercriminals could gain programmatic access to corporate platforms impersonating end users.


Read the full article here.

Singapore will cut off public servants’ Internet access next year

In what seems like a surprising and drastic move, the Singapore government has decided that all computers used by public servants will have their Internet access blocked from May 2017 onwards.


According to The Straits Times, more than 100,000 computers will be cut off, in an effort to minimise security risks.


A spokesperson for the Infocomm Development Authority (IDA) said: "The Singapore government regularly reviews our IT measures to make our network more secure."


Read the full article here.

US warns banks on cyber threat after Bangladesh heist

U.S. regulators on Tuesday told banks to review cyber-security protections against fraudulent money transfers in the wake of revelations that a hacking group used such messages to steal $81 million from the Bangladesh central bank. The notice from the Fed and other financial regulators came two weeks after the U.S. Federal Bureau of Investigation privately urged banks to look for signs of possible cyber attacks.


Read the full article here.

Payment Application Data Security Standard 3.2 released

The PCI Security Standards Council (PCI SSC) published a new version of its data security standard for payment software, the Payment Application Data Security Standard (PA-DSS) version 3.2. The Payment Application Data Security Standard is used by payment application vendors to ensure their software products will protect payment card data from theft. Merchants and other businesses globally use “PA-DSS Validated” software to ensure they can safely accept payments, both in-store and online.


Read the full article here.

SANS maps SAP cybersecurity to the CIS Critical Security Controls list

The CIS Critical Security Controls are a set of internationally recognized standards outlining the most important cyber hygiene actions that every organization should implement to protect their IT networks. They are highly regarded by the global IT community as they are developed, refined, validated, and updated by experts who pull data from a variety of public and private threat sources; and are transforming security in government agencies and other large enterprises by focusing spending on the key controls that block known attacks and find the ones that get through.


Read the full article here.

Why Walmart Is Suing Visa, and What It Means for Your Credit Cards

Last year, credit card issuers finally introduced “chip” credit cards to the United States. It’s been a painless process for the most part, but now Walmart is suing Visa over the technology, claiming it’s not secure for customers.


EMV is meant to be more secure, and while it will incorporate PINs in the future, for now, chip-enabled credit and debit cards will work just fine with a signature.


Last year, Walmart tried to require debit card customers to pay the old way: with their PINs. Visa came back and demanded they allow signatures for those cards via the new chip technology. Walmart spokesperson Randy Hargrove explained the issue:


PIN is the only truly secure form of cardholder verification in the marketplace today, and it offers superior security to our customers. Visa has acknowledged in many other countries that chip-and-pin offer greater security. Visa nevertheless has demanded that we allow fraud-prone signature verification for debit transactions in our U.S. stores because Visa stands to make more money processing those transactions.


Walmart’s outrage probably has less to do with security and more to do with money, though. It’s cheaper for Walmart to verify via PIN than signature. According to the Wall Street Journal, signature verification costs about five cents more per transaction. In other words, the new technology encourages customers to use their bank cards as credit instead of debit, which is more expensive for Walmart.


It’s easy to see why Walmart is upset—this new technology is costing them money, and the credit card companies still haven’t rolled out cheaper, more secure PIN technology. Their suggestion that customer security is at risk, however, is a little misleading.


Walmart’s statement suggests Visa puts customers’ security at risk by allowing signatures instead of PINs for debit card transactions. It does kind of suck that we’re still waiting for full blown “chip and PIN” technology, which is supposed to be even more secure, but the new credit cards aren’t any riskier than your old ones.


Read the full article here.

PCI Council publishes appendix to PCI Data Security Standard

The PCI Security Standards Council has published an appendix to the PCI Data Security Standard to help organizations make payment security part of everyday business practice.


“PCI DSS Designated Entities Supplemental Validation” provides additional criteria for demonstrating how PCI DSS controls are being applied continuously to protect payment data from compromise, a press release from the organization said.


Read more here.

NIST updates ICS security guide

The National Institute of Standards and Technology (NIST) has issued the second revision to its Guide to Industrial Control Systems (ICS) Security. It includes new guidance on how to tailor traditional IT security controls to accommodate unique ICS performance, reliability and safety requirements, as well as updates to sections on threats and vulnerabilities, risk management, recommended practices, security architectures and security capabilities and tools.


The guide can be downloaded from here.


Read more here.