Information Security News|Cyber Security|Hacking Tutorial
https://www.securitynewspaper.com/

Indian companies listed in stock exchange to provide infosec audits and information system inventory to government. New SEBI guidelines
https://www.securitynewspaper.com/2022/05/25/indian-companies-listed-in-stock-exchange-to-provide-infosec-audits-and-information-system-inventory-to-government-new-sebi-guidelines/
Wed, 25 May 2022 23:26:53 +0000

Securities and Exchange Board of India (SEBI) has released another update for its “Cyber Security and Cyber Resilience Framework,” establishing a considerably short deadline to file an exhaustive information security status report. The statement applies to financial institutions and companies in stock exchanges.

The update treats any system storing personally identifiable information (PII) as critical equipment, making such systems subject to regular reviews and testing processes. Technology implementations interacting with critical operating and maintenance systems are also considered critical.

Entities providing investment services shall also maintain an updated inventory of their systems, including hardware, software, storage units, network resources and data flows. System administrators should schedule frequent security audits, which may be performed only by entities previously approved by CERT-In.

If that were not enough, all organizations that provide these services must submit their security reports within ten days after receiving this notification.

As many readers may guess, ten days is a ridiculously short deadline to achieve such goals, so it is anticipated that many organizations will try to challenge this decision of the Indian government.

Online platforms think this is mission impossible, especially considering that the deadline granted by the authorities includes two weekends.

Feel free to access the International Institute of Cyber Security (IICS) websites to learn more about information security risks, malware variants, vulnerabilities, and information technologies.

CERT-IN makes mandatory for Indian companies to report hacking/cyber security incidents to government within six hours after detecting them
https://www.securitynewspaper.com/2022/04/29/cert-in-makes-mandatory-for-indian-companies-to-report-hacking-cyber-security-incidents-to-government-within-six-hours-after-detecting-them/
Fri, 29 Apr 2022 20:55:00 +0000

A new guideline issued by India’s Computer Emergency Response Team (CERT-In) has become a contentious issue for multiple government IT agencies. The Indian agency has determined that technology organizations should implement measures for the reporting of 20 different types of cyber security incidents within six hours after their detection.

On its reasons for making this determination, the agency mentions that its teams identified “certain gaps that hinder the analysis of security incidents”. Besides the new deadline, CERT-In will encourage the submission of incident reports by analog means such as telephone or fax, as well as by e-mail.

The new mechanisms will apply to service providers, intermediaries, data center operators, enterprises and government organizations that manage IT infrastructure.

As mentioned above, the report lists 20 types of security incidents, including information breaches and ransomware infections. Although it is obvious that the situation merits a report in these cases, in other cases CERT-In offers few concrete definitions, as with the incidents defined as “Attacks or suspicious activities that affect systems/servers/software/applications in the cloud”.

In addition to ambiguous definitions, CERT-In has received criticism about how short the reporting window is. Other legislative frameworks such as the EU’s General Data Protection Regulation (GDPR) establish a deadline of 72 hours for the reporting of security incidents after their detection, while for the U.S. Government 24 hours are more than enough to submit these reports.

This is not the only update to the security incident reporting process in India. According to the new guidelines, organizations under this regulation must also keep a detailed record of all their information systems during the 180 days after the report, and must deliver this data to CERT-In when requested.

Finally, additional requirements were established for organizations operating with cryptocurrency. Providers of services related to virtual assets will have to verify the identity of their customers and safeguard this data for at least five years, in what appears to be an aggressive measure against money laundering through cryptocurrency.

How DocuSign phishing technique can be used to bypass your spam controls
https://www.securitynewspaper.com/2021/10/14/how-docusign-phishing-technique-can-be-used-to-bypass-your-spam-controls/
Thu, 14 Oct 2021 23:09:25 +0000

Avanan cybersecurity specialists report the detection of a new phishing method in which threat actors look for susceptible targets among low-ranking employees who have access to an organization’s IT structure.

Usually, a phishing attack involves impersonating a senior executive in an organization, which makes sense if we remember that in these attacks hackers appeal to the authority of these people to achieve their objectives, usually related to financial fraud.

As cybersecurity experts and company directors began to take more careful stances, threat actors had to rethink their approach, targeting lower-ranking employees who are nonetheless capable of accessing sensitive information. In the example, a target employee with access to the company’s financial systems receives a request to update direct deposit data.

Avanan experts also noted that these attacks typically involve the use of DocuSign, a cloud platform for document signing, which gives a legitimate look to phishing messages. Hackers ask users to enter their credentials to sign the sent document, which will allow attackers to intercept sensitive data.

Phishing attacks are still as effective as ever, so it’s critical that users have the knowledge they need to differentiate legitimate content from a potential threat. Remember that when receiving an email from unknown users, you should try to identify unsolicited attachments, spelling errors, and login windows, as these factors indicate a potential phishing attack.

If you identify a security threat, do not interact with the message received and notify your organization’s IT department, where they will find the best way to deal with this security risk.

Top cyber security news|26 May 19
https://www.securitynewspaper.com/2019/05/27/top-cyber-security-news26-may-19/
Mon, 27 May 2019 17:59:36 +0000


We’re talking about unhackable devices: the Morpheus processor, the USB EyeDisk and the Google Titan key. Also, the arrest of “The H-1” bank hackers in Mexico, and Microsoft updates.

Below are the links to the cyber security news stories.

1. “Unhackable” USB device has been hacked by experts

2. Morpheus, the “impossible to hack” processor

3. Hackers arrested in Mexico; they stole $40 million from local banks

4. Security problems in Titan, Google’s Bluetooth security key

5. Critical vulnerability in Microsoft remote desktop services; update now
