The CyberWire Daily Briefing 10.15.18

Summary

By The CyberWire Staff

Late Friday Facebook released more information on the cyberattack that led it to log some ninety-million users out at the end of September. In brief, it seems that fewer users were affected than feared, but that the information exposed was more sensitive than hoped. Roughly thirty-million people were affected. One-million lost nothing. Fifteen-million lost name and contact details. Fourteen-million lost name, contact information, and other data they had in their profiles (username, gender, locale or language, relationship status, religion, hometown, date-of-birth, education, work, search history, etc.). Facebook's Help Center can tell users if they were among those affected.

Bloomberg's story of Chinese attacks on the IT supply chain remains controversial, but at this point reactions are trending toward skepticism. Bloomberg has been standing by its story, but one of those they interviewed in their follow-up piece, Sepio's Yossi Appleboum, told ServetheHome that he's disappointed his words were used to reinforce Bloomberg's claims that Supermicro was compromised: "I think they are innocent." He says instead it's a general problem and not even necessarily even a manufacturing one—attacks can occur anywhere in the supply chain.

The September 13th lethal explosion involving the Columbia Gas Low-pressure Natural Gas Distribution System in Massachusetts was greeted with speculation that the tragedy was caused by a cyberattack. But a preliminary report by the US National Transportation Safety Board concludes that it was indeed an accident.

Estonia joined the Netherlands' and UK's push to clarify EU sanctions for cyberattacks. Italy pushed back, preferring to relax tensions.

Learn how Cylance silences cyber attacks with Artificial Intelligence.

Notes.

Today's issue includes events affecting Australia, Bahrain, Canada, China, Estonia, European Union, Germany, India, Italy, Kenya, Kuwait, Macedonia, New Zealand, Oman, Pakistan, Philippines, Qatar, Russia, Saudi Arabia, Turkey, United Arab Emirates, United Kingdom, and United States.

Through the LookingGlass™: Top Trends to Keep Your Organization Cyber Aware

It’s 2018 and threat actors continue to leverage the same tactics – phishing, ransomware, social engineering – against their targets. The best way to fight these threats is to start with the basics. Join LookingGlass on Wednesday, October 24 @ 2PM ET for a discussion on how cyber criminals are leveraging ‘old’ tactics in ‘new’ ways. We’ll give you tips and tricks to avoid being a victim to the same old schemes. Sign up now!

On the Podcast

In today's podcast we hear from our partners at Palo Alto Networks, as Rick Howard discusses exponential technologies, and how they could change the notion of scarcity.

Sponsored Events

Cyber Security Summits: October 16 in Phoenix and on November 29 in Los Angeles (Phoenix, Arizona, United States, October 16, 2018) Sr. Level Executives are invited to learn about the latest threats & solutions in Cyber Security from experts from The FBI, The CIA, Verizon, AT&T, CenturyLink and more. Register with promo code cyberwire95 for $95 VIP admission (Regular price $350) https://CyberSummitUSA.com

SecurityWeek 2018 Industrial Control Systems (ICS) Cyber Security Conference (Atlanta, Georgia, United States, October 22 - 25, 2018) SecurityWeek’s ICS Cyber Security Conference is the conference where ICS users, ICS vendors, system security providers and government representatives meet to discuss the latest cyber-incidents, analyze their causes and cooperate on solutions. Register today for the original ICS/SCADA Cyber Security Conference – October 22-25 in Atlanta.

Maryland Cybersecurity Career & Education Fair (Rockville, Maryland, United States, November 9 - 10, 2018) Join us for two dynamic days that put on display why Maryland is where cyber works. Friday will feature a career and education fair, connecting cybersecurity job seekers with opportunities across the state of Maryland. On Saturday, high school and undergraduate students compete in our cyber challenge.

Selected Reading

Cyber Attacks, Threats, and Vulnerabilities

Facebook Says Fewer Users Impacted by Recent Cyberattack than First Thought (Wall Street Journal) Facebook said fewer users than it initially thought were impacted by hackers in the largest-ever security breach at the social-media giant two weeks ago—and the company detailed for the first time the depth of personal information that was accessed.

Facebook says millions of users had phone numbers, search history and location data stolen in recent hack (Washington Post) An online attack that forced Facebook to log out 90 million users last month directly affected 29 million people on the social network, the company said Friday as it released new details about the scope of an incident that has regulators and law enforcement on high alert.

An Update on the Security Issue | Facebook Newsroom (Facebook Newsroom) We're sharing new details about the recent security issue.

Why Facebook's Breach Should Mean #DeleteFacebook But Won't (Forbes) The sad truth is that Facebook's network has become so ingrained in society across the world that we simply cannot function without it anymore and thus we'll look past the latest breach. What must change to make the Facebooks of the world more like the Googles?

The security community increasingly thinks a bombshell Bloomberg report on Chinese chip hacking could be bogus (Business Insider) A Bloomberg report from last week alleged that Chinese spies had been able to malicious chips into servers made by SuperMicro, an American company. All parties involved have denied the report, including, most recently, secretary of the Department of Homeland Security, during a Senate hearing.

Yossi Appleboum Disagrees with How Bloomberg is Positioning His Research Against Supermicro (ServeTheHome) Today Bloomberg cited security researcher Yossi Appleboum, CEO of Sepio Systems, as supporting Supermicro hardware supply chain issues. We interviewed Mr. Appleboum and he is angry with how Bloomberg is presenting his research saying it impacts many more vendors and impacts networking equipment as well

The tech giants, the US and the Chinese spy chips that never were… or were they? (the Guardian) A sensational Bloomberg story about a major hardware hack was swiftly denied. But the journalists aren’t backing down

Supply Chain Security 101: An Expert’s View (KrebsOnSecurity) Earlier this month I spoke at a cybersecurity conference in Albany, N.Y. alongside Tony Sager, senior vice president and chief evangelist at the Center for Internet Security and a former bug hunter at the U.S. National Security Agency.

1 bn records compromised in Aadhaar breach since January: Gemalto (Hindu Business Line) In the first six months of 2018, almost one billion records were compromised in Aadhaar breach incident, including name, address and other personally identified information, according to a new report

'Five Eyes' Agencies Release Joint Report on Hacking Tools (SecurityWeek) Cybersecurity agencies in the US, UK, Canada, Australia and New Zealand release joint report on publicly available hacking tools

Largest Cyber Attack Against Iceland Driven by Complex Phishing Scheme (BleepingComputer) A brazen phishing campaign took Iceland by surprise the last weekend, sending out malicious emails to thousands of individuals, in an attempt to fool them into installing a powerful remote access tool.

Industry Reactions to Google+ Security Incident: Feedback Friday (SecurityWeek) Industry professionals comment on recent Google+ security incident involving a bug that exposed personal information from 500,000 accounts

Magecart Injects Skimmer Code in Customer Rating Widget (Security Boulevard) The groups of attackers who specialize in injecting payment card skimmer code called Magecart into online shops managed to compromise a third-party The Magecart payment card skimmer code was used to compromise a third-party customer rating plugin called Shopper Approved.

Payment skimmers sneaking on to websites via third party code (Naked Security) Whatever Magecart is, it’s been blamed for several high-profile payment card breaches this summer.

GandCrab ransomware operators team up with crypter service (ZDNet) The hacking agreement could result in the ransomware strain becoming more difficult to spot and analyze in the future.

Proof-of-concept code published for Microsoft Edge remote code execution bug (ZDNet) The PoC can be hosted on any website and requires that users press the Enter key just once.

India’s online festive sales are a happy hunting ground for cybercriminals (Quartz India) Expert tips on how to avoid phishing.

Colorado Springs on front lines of cyber Cold War with Russia (Colorado Springs Gazette) The Russians have come, and Colorado Springs is a bit shaken after a Putin-directed military intelligence operation purloined data from a local non-profit.For decades, Colorado Springs was on the lookout

Pentagon Reveals Cyber Breach of Travel Records (SecurityWeek) The Pentagon said there has been a cyber breach of Defense Department travel records that compromised the personal information and credit card data of U.S. military and civilian personnel.

Pennsylvania voting systems at risk of cyber attack, says commission urging more security (themorningcall.com) A Pennsylvania commission is urging the state and counties to better protect voting system from cyber attacks.

ICS Security Plagued with Basic, Avoidable Mistakes (Threatpost) A survey of ICS security posture found outdated firewalls, improper segmentation password mistakes and more.

The Columbia Gas natural gas pipeline ruptures were process sensor-related and there is still little understanding (Control Global) The September 13, 2018 Columbia Gas Low-pressure Natural Gas Distribution System pipeline explosions killed one-person, injured 28, and damaged 131 structures. This was not a malicious control system cyber event (though it could have been) but a tragic comedy of errors, lack of appropriate process sensor monitoring, lack of SCADA control, and lack of understanding of similar events that have already occurred.

Preliminary Report Pipeline: Over-pressure of a Columbia Gas of Massachusetts Low-pressure Natural Gas Distribution System (National Transportation Safety Board) The information in this report is preliminary and will be either supplemented or corrected during the course of the investigation.

ECP thwarts cyber-attack attempts at I-voting website for overseas Pakistanis (Pakistan Today) The website set up by the Election Commission of Pakistan (ECP) to for I-voting by overseas Pakistanis sustained multiple cyber-attacks, reported a private media outlet. Voting for the by-election on 35 national<a href="https://www.pakistantoday.com.pk/2018/10/14/ecp-thwarts-cyber-attack-attempts-at-i-voting-website-for-overseas-pakistanis/" title="Read more" >...</a>

Security Patches, Mitigations, and Software Updates

Microsoft patch for Jet Engine Database Zero-day Bug is ‘incomplete’, making Windows still vulnerable (Cyware) Microsoft patch issued for zero-day in its JET Database Engine may not be a complete fix for the remote code execution vulnerability. The vulnerability (CVE-2018-8423) is a memory corruption vulnerability, and could also allow remote code execution on a targeted computer. The vulnerability quoted as a zero-day was discovered by Trend Micro’s Zero Day Initiative (ZDI). The company swiftly notified Microsoft about the vulnerability. However, Microsoft did not patch the vulnerability for at least 135 days after Trend Micro’s notification.

Juniper issues seven critical updates (SC Magazine) Juniper Networks released a long list of security updates including seven critical flaws, six of which affect all platforms running Junos OS.

Cyber Trends

Privacy advocates face negative stereotyping online (TechRadar) A stigma exists for those who seek privacy online

How to irregular cyber warfare (Errata Security) Somebody ( @thegrugq ) pointed me to this article on " Lessons on Irregular Cyber Warfare ", citing the masters like Sun Tzu, von Clausewitz...

10% would steal boss’s passwords, finds SailPoint (Business Computing World) Do you think about your digital identity? Many of us are at least somewhat in tune to our reputations – how we look, how we feel and what is happening in our social circles. However, the extension of ourselves in today’s digital world is not as material as the ways we often think of when we hear the word “identity.”

Who's Winning the Cybercrime Battle? (SecurityWeek) We all need to be aware of the need for innovative responses on the part of the security industry, to counter a threat industry which is innovating both technical and business models at a rapid pace.

The Issue of Generational Cyber-Risk: Millennials Versus Baby Boomers (Dynamic Business) How can we deal with the generational tech divide?

The Growing Issue Of Compromised Credentials (Forbes) Detecting and protecting against the use of compromised credentials should be a top priority for businesses.

PH banks build up defense vs cybercriminals (Business Inquirer) As the Philippines emerges as a hotbed of online gaming firms, it has also become an attractive target for international cybercriminals, challenging banks to invest in stronger firewall and IT risk management systems.

Are Blue Teamers the True Heroes? (Infosecurity Magazine) Is it time to recognize those tasked with defending and recovering from incidents?

Marketplace

Microsoft employees speak out against US government's JEDI Project (Computing) Like Google, Microsoft workers have concerns about how the Department of Defense will use technology

Look to Cyber Security ETFs to Capitalize on a Growing Digital Industry (ETF Trends) In the age of communications, an increasing number of professionals are growing concerned about potential digital threats, bolstering demand for cyber security. Investors can also capitalize on this growing industry through sector-specific ETF plays.

L3, Harris to merge in deal creating ’sixth prime’ defense giant (Washington Busijness Journal) Meet the sixth prime — L3 Harris Technologies.

Nucleus Cyber Acquires Security Sheriff (PRWeb) Nucleus Cyber, the AI-driven data security company for the intelligent workplace, acquired the Security Sheriff platform from Cyxtera Technologies and launched int

SAP, Symantec extend contracts with AWS (CRN Australia) Worth an estimated US$1 billion in revenue over five years.

Window Snyder Shares Her Plans for Intel Security (Dark Reading) The security leader, known for her role in securing Microsoft, Apple, and Mozilla, discusses her new gig and what she's working on now.

Even the bad guys have a talent problem: Sandra Joyce, FireEye’s vice president (The Economic Times) "You can expect every responsible nation state to be conducting espionage of some kind. That is a normal nation-state behaviour," Joyce said.

Thales and Gemalto Expect Merger Deal to Close in Q1 2019 (FindBiometrics) The leadership at Gemalto and Thales are adjusting their expectations with respect to their proposed merger, announcing that they now expect the deal to...

C6 Intelligence is now Acuris Risk Intelligence (Tech Observer) C6 Intelligence which deals in data intelligence for anti-money laundering, third-party risk and cybersecurity professionals has rebranded as Acuris Risk Intelligence.

Centrify CEO Tom Kemp to step down, IDaaS unit spun off (SC Media) Centrify has spun off its Identity-as-a-Service business creating the standalone company Idaptive. Tom Kemp The creation of Idaptive will help spur

Safaricom to launch a programme to support ethical hackers (Business Chief) Kenya's Safaricom to promote the ethical hacking of its software

Security Industry Association to Present Larry Folsom With Jay Hauhn Excellence in Partnerships Award (Security Industry Association) Folsom, president of I-View Now, will be honored at SIA Honors Night 2018 for his leadership in collaboration in the security industry.

Products, Services, and Solutions

Using Machine Learning to Find Human Social Engineering Risks (Credit Union Times) “We’ve integrated a deep learning neural network that evaluates risk changes over time within an organization.

enSilo and Arbala Systems Form Partnership Delivering Managed Detection and Response Services (PR Newswire) enSilo, the company protecting endpoints pre-and post-infection, stopping data breaches in real time and...

5 Best Anonymous Browsers for Private Web Browsing (Technotification) Do you want complete privacy while browsing the web? The following are the five best anonymous browsers that for private web browsing.

F-Secure partners with NetAssist to provide solutions to Malaysian SMEs (CISO MAG) The company claims that the new partnership will address the cyber protection issues facing by SMEs across the cloud, hybrid, and on-premise environments.

Technologies, Techniques, and Standards

How to Fight Russian Infowar in Central Europe (Defense One) Traditional counter-propaganda techniques are decreasingly effective. The next steps will require focus, engagement, and new thinking.

Meet The Internet Researchers Unmasking Russian Assassins (NPR.org) The group Bellingcat seeks to unmask covert operations, rogue groups and corruption around the globe. But can it keep its independence?

Here Is How Social Media Crime Fighters Find Fake Accounts (Popular Mechanics) FireEye helped Facebook identify fake accounts with subversive international agendas. Here’s how.

How to Check If Your Facebook Account Got Hacked—and How Badly (WIRED) On Friday, Facebook offered more details about its recent breach. Here's how to see if you were affected.

Purging Long-Forgotten Online Accounts: Worth the Trouble? (SecurityWeek) The internet is riddled with long-forgotten accounts on social media, dating apps and various shopping sites used once or twice. Sure, you should delete all those unused logins and passwords. And eat your vegetables. And go to the gym.

Seven Security Activities You Should Automate (SecurityWeek) Automation can bring value to just about any security team, but the amount of value will depend entirely on how well you match it to your most pressing needs, existing security infrastructure, and organizational procedures.

Securing legacy medical devices is daunting – but not optional (MobiHealthNews) Skipping out on comprehensive device documentation and risk assessment will cripple an organization's cybersecurity program, experts say.

Cops Told ‘Don’t Look’ at New iPhones to Avoid Face ID Lock-Out (Motherboard) After five failed attempts with the 'wrong' face, Apple's Face ID system will fall back to asking a passcode; a tricky situation for investigators.

What is the Army’s integrated jamming and cyber pod capable of? (C4ISRNET) Leidos believes its solution exceeds the Army's expectations.

Scaling the IoT product security lifecycle with automation (Help Net Security) There are many security standards applicable to IoT products. Manufacturers are having a hard time understanding which standards apply to their products.

The future of OT security in modern industrial operations (Help Net Security) Both the likelihood and consequences of cyberattacks to OT/ICS components continue to grow for modern industrial operations.

Government puts IoT security at the forefront with new Code of Practice for industry (Computing) The IoT has gone unsecured for too long, say DCMS and NCSC

PSD2: The real RTS deadline is closer than banks think (Fintech Finance) Let’s work backwards. Most banks know that the final deadline to comply with PSD2’s Regulatory Technical Standard (RTS) is 14th September 2019. Eleven months away. Following the amendments to the R…

Design and Innovation

PAID POST: Can blockchain save the vote? (TechCrunch) Elections are a symbol of hope and freedom, and the right to vote is an expression of belonging and of having a voice. We trust our electoral systems to preserve an immutable record of the voices we have raised, and the choices we have made. Yet the concept of “one person, one vote” is [&hel…

Research and Development

DARPA Says the Biggest Obstacle to Effective Artificial Intelligence Is Common Sense (Outer Places) If you went through public school in the last fifteen years, odds are that your math tests included a space for an answer and a follow-up question tha...

The Pentagon’s Push to Program Soldiers’ Brains (Defense One) DARPA’s developing capabilities still hover at or near a proof-of-concept stage. But that’s close enough to have drawn investment from some of the world’s richest corporations.

“Fixed mindsets” might be why we don’t understand statistics (Ars Technica) Study finds people prefer complicated methods because that's what they're used to.

Academia

Online cybersecurity training propels students into industry jobs (CIO Dive) More affordable for students, online training programs like Cybrary focus on real-world applications and can help workers expand their existing knowledge base or pivot careers entirely.

UVU promotes cybersecurity through 'Hacktober' event (Daily Herald) An October campaign is hoping to convince students to have “the talk” with their parents. No, not that one. The one about cybersecurity.

Legislation, Policy and Regulation

GCC should join hands to fight cyber threats: experts (DT News) The Gulf Cooperation Council (GCC) nations should form a cyber-security alliance unit to tackle...

The challenge of providing a common defense in cyberspace (FCW) Government leaders should examine how the private sector addresses massive vulnerabilities and inherent instability through collaboration.

Italy resisting EU push to impose sanctions over cyberattacks (Reuters) Italy is resisting a European Union push to impose sanctions on states who carry...

Estonia joins other EU states pressing for cyber-attack sanctions listing (ERR) Several EU member states including Estonia have called on the EU to add cyber-attacks to its sanctions regime.

Is Crystallizing Red Lines in Cyber Space a Good Idea? (TechNative) Recently, the U.S. Senate's version of the 2019 National Defense Authorization Act (NDAA) was approved and sent back to the House for reconcilement of differences

U.S. and Macedonia Participate in Cyber Defense Cooperation (U.S. Cyber Command) U.S. service members, working alongside cyber defenders from the Republic of Macedonia, have been cooperating over the last few weeks to share best practices in cyber security and to build cyber

Apple to Australia: “This is no time to weaken encryption” (Ars Technica) Apple underscores that access for only good guys is "a false premise."

Cybercom: How DOD’s Newest Unified ‘Cocom’ Works (U.S. DEPARTMENT OF DEFENSE) Due to increasing cyber threats across the world, U.S. Cyber Command officially became a unified combatant command this past spring.

U.S. lawmakers urge Canada to snub China's Huawei in telecoms (Reuters) Two leading U.S. lawmakers, both sharp critics of China, urged Canadian Prime Mi...

It’s not just foreign state-owned telecom posing a threat (TheHill) Every device connected to the internet creates a potential pathway for foreign governments and other malevolent actors to compromise essential networks — particularly the electric power grid.

Support for ‘hack back’ grows after Trump’s pledge to get aggressive in cyberspace (Fifth Domain) Support for the idea that businesses should be able to retaliate to cyberattacks, or “hack back,” has recently come from former government officials, experts and lawmakers who say it could be effective deterrent.

Analysis | The Cybersecurity 202: The U.S. needs a law that requires companies to disclose data breaches quickly, cybersecurity experts say (Washington Post) We asked The Network, a group of 100 cybersecurity experts who participate in our informal survey.

No One Can Get Cybersecurity Disclosure Just Right—Especially Lawmakers (WIRED) If Facebook and Google's recent security debacles proved anything, it's that disclosure is tricky business.

Amid Church Rift, Kremlin Vows To 'Protect Interests' Of Faithful In Ukraine (RadioFreeEurope/RadioLiberty) The Kremlin has issued a fresh warning following a key step in Kyiv's quest for an independent church that is recognized by the Orthodox Christian leadership, saying Russia will protect the interests of the faithful in Ukraine if the historic split leads to illegal action or violence.

Ukraine’s Spiritual Split From Russia Could Trigger a Global Schism (The Atlantic) For Moscow, the crisis is geopolitical as well as religious.

Litigation, Investigation, and Enforcement

Russian UK envoy denies Kremlin tried hack computers and murder ex-spy (Reuters) Russia's ambassador to London denied on Friday that spies from his country&...

Crown prince sought to lure Khashoggi back to Saudi Arabia and detain him, U.S. intercepts show (Washington Post) Some Western officials believe that what transpired at the consulate in Istanbul may have been a “rendition” gone bad, ending in the Post contributor’s death.

A Saudi Disappearance With Russian Echoes (Bloomberg) The death of a journalist shaped Putin’s rule. Will it do the same for Saudi Crown Prince Mohamed?

Trump, Saudis Escalate Threats (Wall Street Journal) The White House and Saudi Arabia traded sharp words over the suspected killing of a dissident Saudi journalist as the case tests the Trump administration efforts to make the kingdom the linchpin of its Middle East policy.

Naher Osten: „Bei Khashoggi ging es nicht nur um Journalismus“ (Die Welt) Der Politologe Asiem El Difraoui kannte den verschwundenen Saudi-Araber Jamal Khashoggi. Er stellt eigene Vermutungen über den Fall an. Denn sein Bekannter war nicht nur Journalist.

Saudi Journalist’s Disappearance Sends Chill Through Foreign Investors, Firms (Wall Street Journal) Crown Prince Mohammed bin Salman’s plans to attract investors and transform his country’s economy face dire threats after the disappearance and alleged murder of a dissident writer at a Saudi consulate in Turkey.

The Russia Investigations: Unanswered Questions In The Eye Of The Storm (NPR) The president and his lawyers may be close to submitting a take-home exam of sorts to special counsel Robert Mueller, but so many other points about this imbroglio remain unresolved.

Robert Mueller Has Already Told You Everything You Need To Know (WIRED) With the exception of President Trump’s legal team, no one has been watching the Mueller investigation more closely than Garrett Graff.

Grassley pressures Google for details of user data breach (TheHill) The Chairman of the Senate Judiciary Committee is pressing Google to explain its data privacy practices in the wake of revelations that user data was hacked from its now defunct social media platform, Google Plus.

Google CEO Tells Senators That Censored Chinese Search Engine Could Provide “Broad Benefits” (The Intercept) Google CEO Sundar Pichai refused to answer a list of questions from a bipartisan group of six senators.

How An Amateur Rap Crew Stole Surveillance Tech That Tracks Almost Every American (Forbes) Both the Freebandz Gang and its crimes would have been quickly forgotten as garden variety larceny were it not for the way it stole people's identities.

FCC resorts to the usual malarkey defending itself against Mozilla lawsuit (TechCrunch) Mozilla filed a lawsuit in August alleging the FCC had unlawfully overturned 2015's net neutrality rules, by among other things "fundamentally mischaracteriz[ing] how internet access works." The FCC has filed its official response, and as you might expect it has doubled down on those fundamental mi…

Ex-NASA Contractor Pleads Guilty in Cyberstalking Scheme (SecurityWeek) A former NASA contractor who allegedly threatened to publish...

Industry Events

For a complete running list of events, please visit the Event Tracker on the CyberWire website.

newly Noted Events

Cryptocurrency, Cybersecurity and the Law (Annandale, VIrginia, USA, October 24, 2018) Legal and security considerations for users of cryptocurrencies and blockchain technology.

Hybrid Identity Protection Conference (New York, New York, USA, November 5 - 6, 2018) Learn what cutting-edge industry leaders are doing to improve identity protection in the modern organization and how they are boosting enterprise security. Network with the world’s leading identity experts and interact with your industry peers facing the same complex infrastructure and security challenges. Acquire critical technical knowledge, discover best practices and learn how to secure the evolving enterprise identity infrastructure.

upcoming Events

FAIRCON18 (Pittsburgh, Pennsylvnia, USA, October 14 - 18, 2018) Focused on advancing cyber, operational risk management.The event will feature in-depth training seminars, insightful presentations from industry leaders, candid executive and practitioner-led discussions and keynotes aimed at driving awareness, knowledge and the development of operational blueprints for building quantitative risk management programs. FAIRCON18 will attract C-suite officers and practitioners responsible for information and operational risk management decisions. The event will unite leaders in information and operational risk management to explore FAIR best practices that produce greater value and alignment with business goals.

The Cyber Security Summit: Phoenix (Phoenix, Arizona, USA, October 16, 2018) This event is an exclusive conference connecting Senior Level Executives responsible for protecting their company’s critical data with innovative solution providers & renowned information security experts. Learn from cyber security thought leaders and Engage in panel discussions focusing on trending cyber topics such as Sr. Leadership’s Best Approach to Cyber Defense, What’s Your Strategic Incident Response Plan?, Protecting your Enterprise from the Human Element and more. Your registration includes a catered breakfast, lunch, and cocktail reception. Receive half off your admission with promo code cyberwire50 at CyberSummitUSA.com and view details including the full agenda, participating solution providers & confirmed speakers. Tickets are normally $350, but only $175 with promo code.

Zero Day Con: Hacking Democracy (Washington, DC, USA, October 16, 2018) Join Zero Day Con and Strategic Cyber Ventures on October 16th in Washington, D.C. to examine the path forward in reducing our attack surface, managing risk, regaining control of our networks and data, and restoring trust in our cyber-powered global democratic institutions. Zero Day Con Washington DC is an independent conference comprised of interactive learning sessions, keynotes and panel discussions, and will feature an area designated for technology companies to demo and share their latest innovations, products and services. Open to security executives, researchers, operators, policy makers, and all defenders of democracy from private industry, non-profits, academia, military, and government. A half day of focused discussions on cyber-enabled information warfare efforts eroding democracy and the infosec capabilities we need. Network with peers and speakers at the event and during the post-conference cocktail hour.

FAIRCON18 (Pittsburgh, Pennsylvania, USA, October 16 - 17, 2018) Hosted by the FAIR Institute and Carnegie Mellon University’s Software Engineering Institute (SEI) and the Heinz College of Information Systems and Public Policy, the 2018 FAIR Conference brings leaders in information and operational risk management together to explore best FAIR practices that produce greater value and alignment with business goals. Large enterprises and government organizations are creating breakthroughs in the management of information and operational risk that enable business-aligned communication, cost-effective decision-making and ultimately managing what matters. Interested in on-site FAIR training? Head to FAIRCON18 early to attend an on-site FAIR Analysis Fundamentals Course, October 14-15, for those that elect to partake in this optional conference add-on. The FAIR Institute is an expert, nonprofit organization led by information risk officers, CISOs and business executives to develop standard information and operational risk management practices in a movement central to “cyber risk economics,” the revolutionary approach to measuring and managing information risk enabled by the Factor Analysis of Information Risk (FAIR) model.

PCI Security Standards Europe Community Meeting (London, England, UK, October 16 - 18, 2018) The PCI Security Standards Council’s 2018 Europe Community Meeting is THE place to be. We will provide you with the information and tools to help secure payment data. We lead a global, cross industry effort to increase payment security by providing industry-driven, flexible and effective data security standards and programs that help businesses detect, mitigate and prevent criminal attacks and breaches. Don’t miss out!

SecureWorld Cincinnati (Cincinnati, Ohio, USA, October 17, 2018) Connecting, informing, and developing leaders in cybersecurity. SecureWorld conferences provide more content and facilitate more professional connections than any other event in the Information Security industry. Join your fellow InfoSec professionals for high-quality, affordable cybersecurity training and education. Earn 6-12 CPE credits through 30+ educational elements, learning from nationally recognized industry leaders. Attend featured keynotes, panel discussions, breakout sessions, and solution vendor displays-all while networking with local peers.

2018 ISSA International Conference (Atlanta, Georgia, USA, October 17 - 18, 2018) Join us for solution oriented, proactive and innovative sessions focused on Securing Tomorrow Today. Every day, cyber threats become increasingly intricate and difficult to detect. No cyber security professional can become an expert on these dangers without continued efforts to educate themselves on the industry’s latest trends and technologies. We look forward to welcoming you and over 1,000 of your colleagues and peers in Atlanta as we discuss topics ranging from incident response, to emerging technologies, to business skills for the information security professional. Join us at the 2018 ISSA International Conference and we’ll help you prepare to Secure Tomorrow Today.

Fifth Annual Cyber Warfare Symposium (New York, New York, USA, October 18, 2018) The Fifth Annual Cyber Warfare Symposium is an annual one-day event presented by the Journal of Law & Cyber Warfare in conjunction with academia, government and private industry organizations at NYU School of Law in New York City. The theme, “Attend. Engage. Learn,” captures the event’s intent to provide unparalleled information sharing and networking opportunities for development of cyber assets on both the human and technological side.

5th Annual Women in Cyber Security Reception (Washington, DC, United States, October 18, 2018) This annual networking event highlights and celebrates the value and successes of women in the cyber security industry. Leaders from the private sector, academia, and government from across the region and at varying points on the career spectrum can connect with each other to strengthen relationships and build new ones. - See more at: https://thecyberwire.com/events/s/5th-annual-women-in-cyber-security-reception.html

National Insider Threat Special Interest Group (NITSIG) - Insider Threat Symposium & Expo (Laurel, Maryland, USA, October 19, 2018) The NITSIG will hold an Insider Threat Symposium & Expo (ITS&E), on October 19, 2018, at the Johns Hopkins University Applied Physics Laboratory, in Laurel, Maryland. This is a must attend event if you are involved in Insider Threat Program (ITP) Management or Insider Threat Risk Mitigation. We have some outstanding speakers lined up with hands-on experience: Insider Threat Risk Mitigation Subject Matter Experts, managing or supporting ITPs, who work for the US Government, Defense contractors and private sector businesses. The symposium and expo will focus on, and provide guidance on developing, managing or enhancing an Insider Threat Program (ITP) / ITP Working Group, ITP Unintended Impacts / Consequences / Challenges, Insider Threat Fraud, Employee Threat Identification and Mitigation, Employee User Activity Monitoring, Protecting Controlled Unclassified Information and more.

2018 ICS Cyber Security Conference USA (Atlanta, Georgia, USA, October 22 - 25, 2018) SecurityWeek’s Industrial Control Systems (ICS) Cyber Security Conference is the largest and longest-running event series focused on industrial cybersecurity. Since 2002, the conference has gathered ICS cyber security stakeholders across various industries and attracts operations and control engineers, IT, government, vendors and academics. Over the years, the focus of the conference has shifted from raising awareness towards sharing security event histories and discussing solutions and protection strategies. As the original cybersecurity conference for the industrial control systems sector, the events cater to the energy, utility, chemical, transportation, manufacturing, and other industrial and critical infrastructure organizations.

Energy Tech 2018 (Cleveland, Ohio, USA, October 22 - 26, 2018) The annual EnergyTech Conference & Expo is an organized event, supported by NASA and INCOSE, highlighting advancements in Energy, Smart-Grids and Microgrids, Aerospace, Critical Infrastructure, Security and Policy. In 2018, we continue to expand our collaboration effort with professional societies including InfraGard, IEEE, SAE, AIAA, PMI, and others, to join in advancing the technology and system integration of these complex domains, and managing the risk scenarios confronting civilizations.

Cryptocurrency, Cybersecurity and the Law (Annandale, VIrginia, USA, October 24, 2018) Legal and security considerations for users of cryptocurrencies and blockchain technology.

Sponsor & Support

Grow your brand, generate leads, and fill your funnel.

With the industry’s largest B2B podcast network, popular newsletters, and influential readers and listens all over the world, companies trust the CyberWire to get the message out. Learn more.

Facebook breach updates. More skepticism on Chinese supply chain attack. Pipeline explosion not an attack. EU cyber sanctions.