Tuesday, March 03, 2020

What I'm Reading 3/3/2020 - Malware? We don't need no stinking malware!

Books

Network Forensics Tracking Hackers Through Cyberspace

The Ten-Day MBA 4th Ed.: A Step-By-Step Guide To Mastering The Skills Taught In America's Top Business Schools

Wired for War: The Robotics Revolution and Conflict in the 21st Century

Breach (Cold War Magic novel, A Book 1)


Blogs / News

Reuters - Exclusive: Newly obtained documents show Huawei role in shipping prohibited U.S. gear to Iran -
China’s Huawei Technologies, which for years has denied violating American trade sanctions on Iran, produced internal company records in 2010 that show it was directly involved in sending prohibited U.S. computer equipment to Iran’s largest mobile-phone operator. 
Mac Rumors - WSJ Examines Apple's Reliance on China Amid Coronavirus Outbreak -
Amid the China coronavirus outbreak, which has caused Apple to announce that it won't make its March quarter revenue goals, The Wall Street Journal has taken a look at Apple's reliance on China and why Apple is likely to continue to be dependent on China for the foreseeable future.

Apple's operations team has been raising concerns about the company's reliance on China, and as early as 2015, there were suggestions that Apple relocate assembly of one or more products to Vietnam, allowing Apple to start training workers and creating component providers outside of China.

Senior managers shot down the idea at the time, and transitioning away from China has been "too challenging to undertake."
Dark Reading - How Security Leads at Starbucks and Microsoft Prepare for Breaches -
Panelists spoke to employee and customer training strategies, tabletop exercises, and other steps they take to better prepare for security incidents. One key takeaway was the importance of working employee training into the corporate culture for everyone. As organizations change over time, and new people are onboarded, there will be gaps in cybersecurity knowledge.
"I have to take cybersecurity training at Microsoft just like everybody else," said Kelley. "We don't just assume because somebody has a title, they get to be exempt from that training." She advised annual or biannual security training for all employees. "Psychologically, humans are much better at learning when we've got a little bit of an adrenaline pump." If an employee is caught getting phished, they may remember to be more cautious next time.
"The best training is in-the-moment training," Kirkland emphasized. While some trainings are done for compliance, the unexpected phishing emails deliver real learning moments.
Fifth Domain - How to secure the U.S. government’s technology supply chain -
  • First, agree on a consistent standard. Standards like ISO 28000, which outline specific requirements for a security management system, including aspects critical to security assurance of the supply chain, or the U.S. National Institute of Standards and Technology (NIST) framework, which provides voluntary guidance, based on existing standards, guidelines and practices for organizations to better manage and reduce cybersecurity risk are both excellent starting points. Regardless of which standard is chosen, a clear set of requirements for the government or business to follow can help ensure technology supply chains are secure.
  • Build supply chain security into contracting requirements. Make it mandatory for bidding that companies abide by particular supply chain security requirements.
  • Include supply chain security requirements in regular audits of vendors and contractors, benchmarking them against the standard, and include these measurements in evaluations of overall vendor performance.
  • Be active in building databases of supply chain security-related incidents and suppliers that have been identified as higher-risk. Intelligence-sharing among government agencies, between government and the private sector and within a company’s industry would help in this area as well, to ensure that organizations are more prepared for emerging perils and can avoid common pitfalls once they realize they have them with their suppliers.
  • Continue to stress the importance of corporate due diligence. This is already a priority from an anti-corruption perspective, but it should be extended as a general supply chain measure. Suppliers should be vetted for their possible connections to foreign governments (or “politically exposed persons,” in the parlance of due diligence) to determine how much influence those foreign governments may have over them.
ZDNet - 'Malware-free' attacks now most popular tactic amongst cybercriminals -
Malware-free tactics accounted for 51% of attacks in 2019, compared to 40% just the year before, though this figure was significantly driven by a sharp increase of such attacks targeting North America. Some 74% of attacks in the region were malware-free, while such techniques accounted for 25% of attacks targeting Indo-Pacific, according to CrowdStrike's Global Threat Report 2020.
Computer World - Verizon: Companies will sacrifice mobile security for profitability, convenience -
Despite an increase in the number of companies hit by mobile attacks that led to compromises, four in 10 businesses sacrificed security to meet profit goals or avoid “cumbersome” security processes, according to Verizon’s third annual Mobile Security Index 2020.
Security Week - Telecom Sector Increasingly Targeted by Chinese Hackers: CrowdStrike -
CrowdStrike on Tuesday published its 2020 Global Threat Report, which provides data on both state-sponsored and financially-motivated operations observed by the company last year.
The report shows that the telecommunications and government sectors were the most targeted by the threat groups monitored by the cybersecurity firm. In the case of the telecom sector, many of the attacks were attributed to China-linked hacker groups, including the ones tracked as Wicked Panda (aka APT41), Emissary Panda (aka APT27, TG-3390, Bronze Union and Lucky Mouse), and Lotus Panda (aka Thrip).

