http://www.crainsdetroit.com/article/20150726/NEWS/307269992/survey-nearly-1-in-4-it-firms-suffered-security-breach By TOM HENDERSON Crain’s Detroit Business July 26, 2015 Twenty-three percent of executives at technology companies say their firms have suffered a security breach in the past 12 months, according to the national annual Technology Industry Business Outlook survey conducted by KPMG LLP, the audit, tax and advisory firm. Three-fourths of executives surveyed say their companies will spend between 1 percent and 5 percent of annual revenue on IT security in the next 12 months. “The survey findings on security are an important marker, since tech companies are the pacesetters in IT security. How much and where tech companies spend on IT security, and how successful they are, can serve as guides for all other industries,” Gary Matuszak, global chairman of KPMG’s technology, media and telecommunications practice, said in a release. The KPMG survey was of upper managers at 111 U.S.-based technology companies. Of the respondents, 54 percent were in companies with revenue of more than $1 billion a year, with the rest at companies with annual revenue between $100 million and $1 billion. […]
http://krebsonsecurity.com/2015/07/credit-card-breach-at-a-zoo-near-you/ By Brian Krebs Krebs on Security July 9, 2015 Service Systems Associates, a company that serves gift shops and eateries at zoos and cultural centers across the United States, has acknowledged a breach of its credit and debit card processing systems. Several banking industry sources told KrebsOnSecurity they have detected a pattern of fraud on cards that were all used at zoo gift shops operated by Denver-basd SSA. On Wednesday morning, CBS Detroit moved a story citing zoo officials there saying the SSA was investigating a breach involving point-of-sale malware. Contacted about the findings, SSA confirmed that it was the victim of a data security breach. “The violation occurred in the point of sale systems located in the gift shops of several of our clients,” the company said in a written statement. “This means that if a guest used a credit or debit card in the gift shop at one of our partner facilities between March 23 and June 25, 2015, the information on that card may have been compromised.” […]
http://www.bankinfosecurity.com/interviews/fs-isac-remote-access-attack-alert-i-2787 By Tracy Kitten Bank Info Security July 8, 2015 Remote-access attacks waged against smaller merchants are a growing threat, according to a cybersecurity alert published July 7. The alert was released by the Financial Services Information Sharing and Analysis Center, along with Visa, the U.S. Secret Service and The Retail Cyber Intelligence Sharing Center, which provides threat intelligence for retailers. While industry attention in late 2013 and early 2014 was focused on the large-scale RAM-scraping malware attacks that resulted in breaches at big-box retailers, including Target and Home Depot, more attention is now being paid to remote-access attacks against point-of-sale devices commonly used at smaller merchants, says Charles Bretz, director of payment risk at the FS-ISAC. The organization provides a conduit for information sharing among financial services institutions. “We are seeing a shift in the breaches of card data,” Bretz says in this interview with Information Security Media Group. Now that many of the larger retailers have implemented end-to-end encryption and tokenization, in conjunction with their rollouts of EMV-compliant POS terminals, hackers are turning their attention toward smaller retailers, he says. “Criminals continue to find success by targeting smaller retailers that use common IT and payments systems,” Bretz explains. “Merchants in industry verticals use managed service provider systems. There might be 100 merchants that use a managed service provider that provides IT and payment services for their business.” […]
http://www.bobsguide.com/guide/news/2015/Jul/6/overcoming-paralysis-why-financial-services-organisations-have-to-race-to-update-their-windows-server-strategy.html By Dave Foreman, ECS, Practice Director Bob’s Guide July 6, 2015 Most of the technical support teams we work with know their Microsoft Server operating system inside out and have hardly lifted their phone to call Microsoft support in years. But this well-oiled machine is about to become IT departments’ biggest headache. With the end of Microsoft’s support for Server 2003 on July 14th 2015, migration from this rather old operating system has escalated from being a niggling worry to a high-risk agenda item. Only a handful of businesses have started their migration and even they will have to rely on Microsoft extended support. But this is not a cost-effective or risk-free option in the long term. At some point a new vulnerability in the operating system will be discovered and exploited; businesses will be exposed and the regulators will have a stronger case for non-compliance. According to the credit card industry’s PCI Security Council standards, if an unsupported operating system is Internet-facing, it will be logged as an automatic compliance failure. CIOs are caught between a rock and a hard place. Nobody wants to be caught in a position where they have to answer tough questions about plans to meet compliance and mitigate risk. […]
http://www.wired.com/2015/06/airlines-security-hole-grounded-polish-planes/ By Kim Zetter Security Wired.com 6.22.15 MORE THAN 10 airplanes were grounded on Sunday after hackers apparently got into computer systems responsible for issuing flight plans to pilots of Poland’s state-owned LOT airline. The apparent weak link? The flight plan-delivery protocol used by every airline. In fact, though this may be the first confirmed hack of its kind, it’s very similar to a mysterious grounding of United Airlines planes that happened last month. Yesterday, hackers breached the network at Warsaw’s Chopin airport, causing some flights to be cancelled and others to be delayed. Approximately 1,400 passengers on flights headed to Dusseldorf, Hamburg, Copenhagen, and cities in Poland were affected by the grounding. The problem was reportedly fixed after about five hours. “We’re using state-of-the-art computer systems, so this could potentially be a threat to others in the industry,” LOT spokesman Adrian Kubicki told the BBC. It’s possible that potentiality is already a reality. Last month, all United flights in the US were grounded for nearly an hour after the airline apparently experienced problems with flight plans dispatched to its pilots. […]
http://www.energyglobal.com/downstream/special-reports/29052015/How-can-SCADA-security-be-improved-for-oil-and-gas-companies-089/ By Deborah Galea Manager, OPSWAT. 29/05/2015 According to the recently released 2015 Dell Security Annual Threat Report, SCADA attacks are on the rise. The report found that in 2014 the number of attacks on Supervisory Control and Data Acquisition (SCADA) systems doubled compared to the previous year. Most of these attacks occurred in Finland, the UK, and the US, probably due to the fact that in these countries SCADA systems are more likely to be connected to the internet. The Dell Report came on the heels of findings from the US Industrial Controls Systems Cyber Emergency Response Team (ICS-CERT) showing that energy was the most targeted sector for attack among all critical infrastructure providers. “Since companies are only required to report data breaches that involve personal or payment information, SCADA attacks often go unreported,” said Patrick Sweeney, Executive Director of Dell Security. “This lack of information sharing combined with an aging industrial machinery infrastructure presents huge security challenges that will continue to grow in the coming months and years.” This does not come as a surprise to those in hydrocarbons. Many SCADA and industrial control systems (ICS) were built decades ago when cyber security was not yet an issue for the industry. There has been an inevitable collision as operational technology (OT) systems like SCADA come into closer contact with IT management modalities, introducing risks as systems not designed for outside connectivity are exposed to the internet. In addition to their importance for hydrocarbons, SCADA systems control key functions for other critical infrastructure providers, such as utilities, airports and nuclear plants. Successful attacks on SCADA systems could potentially cause disruptions in services that we all depend on every day. For this reason, SCADA attacks are often politically motivated and backed by foreign state actors with motives such as industrial espionage and major supply chain disruption. […]
http://www.theage.com.au/it-pro/security-it/this-is-just-the-tip-of-the-iceberg-aeroplane-hacking-case-points-to-deeper-cyber-issues-20150526-gh9n4y.html By Jeremy Wagstaf The Age May 26, 2015 Security researcher Chris Roberts made headlines last month when he was hauled off a plane in New York by the Federal Bureau of Investigation and accused of hacking into flight controls via his underseat entertainment unit. Other security researchers say Roberts – who was quoted by the FBI as saying he once caused “a sideways movement of the plane during a flight” – has helped draw attention to a wider issue: that the aviation industry has not kept pace with the threat hackers pose to increasingly computer-connected airplanes. Through his lawyer, Roberts said his only interest had been to “improve aircraft security.” “This is going to drive change. It will force the hand of organisations [in the aviation industry],” says Jonathan Butts, a former US Air Force researcher who now runs a company working on IT security issues in aviation and other industries. […]
This management book focuses on the crucial knowledge you'll need to become a great manager and leader. It will teach you the important management and leadership skills so others will call you "great"!
