
DtSR Episode 227 - NewsCast for January 10th 2017

From Backpacking Light Magazine Podcasts


Length:
48 minutes
Released:
Jan 12, 2017
Format:
Podcast episode

Description

St. Jude, MedSec and the FDA
- The FDA and St. Jude went through a disclosure/fix cycle.
- No mention of MedSec. Interesting for discussion: did they have an impact?
- St. Jude does a fairly good job of notification and updating.
- "Benefits outweigh the risks"... that's a big statement.
- http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm535843.htm
- http://www.businesswire.com/news/home/20170109005921/en/St.-Jude-Medical-Announces-Cybersecurity-Updates
- http://www.medsec.com/entries/stj-lawsuit-response.html
- http://podcast.developsec.com/ep-56-security-contacts

New York financial regulator to delay cyber security rules
- Originally supposed to go into effect Jan 1; the new date is March 1.
- We discussed this in passing in a previous episode.
- Final adjustments are being made, of course.
- http://www.reuters.com/article/us-cyber-new-york-idUSKBN14A224

Massachusetts makes data breach reports available online
- http://turnto10.com/news/local/massachusetts-makes-data-breach-reports-available-online-01-04-2017
- Seems less like a report and more just the quick details of the notification.
- http://www.mass.gov/ocabr/data-privacy-and-security/data/data-breach-notification-archive.html
- How much value does this provide?
  - Finding a company on the list doesn't indicate its current security posture.
  - Identifying that you did business with a company on the list: not much you can do anyway.
  - Still no indication of what happened, or who was actually affected.
  - Wouldn't you get an email or snail mail during the original notification procedures?
- New Hampshire has done this for a while, except they provide the submitted letters, not just statistics (http://doj.nh.gov/consumer/security-breaches/).
- Another article talking about a few other states that do this as well (Washington, Indiana, California): https://www.wired.com/2017/01/states-now-actually-help-figure-youve-hacked/

California passes law making ransomware illegal
- Wasn't it already illegal under the CFAA?
- The purpose is to make it easier to prosecute, rather than being forced to prosecute under other extortion or laundering laws.
- How does this affect the enterprise? More apt to follow up or file with the FBI or other law enforcement?
- Will we see more laws like this, targeting specific acts?
- http://www.computerweekly.com/news/450410402/California-legislates-against-ransomware

Online databases dropping like flies, with >10K falling to ransomware groups
- This was reported earlier in the week (last Monday or Tuesday) and has grown to more than 10K infected in less than a week.
- MongoDB blog post outlining steps to protect your installation: https://www.mongodb.com/blog/post/how-to-avoid-a-malicious-attack-that-ransoms-your-data
- The security checklist for MongoDB: https://docs.mongodb.com/manual/administration/security-checklist/
- http://arstechnica.com/security/2017/01/more-than-10000-online-databases-taken-hostage-by-ransomware-attackers/

TV anchor says live on-air 'Alexa, order me a dollhouse' - guess what happens next
- Secure defaults? Apparently voice ordering is on by default: https://www.amazon.com/gp/help/customer/display.html?nodeId=201952610
- You can turn voice ordering on or off.
- You can optionally set a confirmation code. The issue here is that it is vocal: couldn't your kids or someone else close by hear the code?
- Manage your 1-click settings.
- Are people bringing these sorts of technologies into your enterprise? How are you handling it? How does this impact your security?
- http://www.theregister.co.uk/2017/01/07/tv_anchor_says_alexa_buy_me_a_dollhouse_and_she_does/

Others
- http://ww2.cfo.com/risk-management/2016/12/quantifying-cyber-risks/
- http://healthitsecurity.com/news/health-it-overconfident-in-data-breach-detection-remediation
- https://hbr.org/2016/12/the-darknet-a-quick-introduction-for-business-leaders
- Appropriate for coverage, or do you think just providing a quick mention and the link in the show notes?
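The MongoDB ransom wave above came down to two settings: the daemon listening on a public interface and no authorization enabled, so anyone who could reach TCP 27017 was effectively an administrator and could drop the collections and leave a ransom note. The following mongod.conf is an added example (not the MongoDB blog post's or checklist's own text) showing the weak configuration beside a hardened one; the dbPath and log path are assumed for illustration.

```yaml
# mongod.conf - added example, not from the MongoDB blog post or checklist linked above.
# WEAK is what the ransomed hosts looked like; HARDENED is the minimum before the port
# is reachable from anything but the box itself.

# --- WEAK (commented out; do not use) ---
# net:
#   port: 27017
#   bindIp: 0.0.0.0         # listens on every interface, including the public one
# security: {}               # no 'authorization' key: every connection is unauthenticated admin

# --- HARDENED ---
net:
  port: 27017
  bindIp: 127.0.0.1         # local clients only; add a private app-server IP if needed, never 0.0.0.0
security:
  authorization: enabled    # every connection must authenticate; roles gate what it may do
storage:
  dbPath: /var/lib/mongodb  # assumed path for this example
systemLog:
  destination: file
  path: /var/log/mongodb/mongod.log  # assumed path for this example
  logAppend: true
```

Two practical points. First, turning on authorization with no users defined does not lock you out: MongoDB's localhost exception lets a shell on the same host run `use admin` followed by `db.createUser({user: "admin", pwd: "<strong password>", roles: ["userAdminAnyDatabase"]})` once, after which that exception closes. Second, the check that matters is the one the attackers ran: from a host outside your network, `mongo --host <your-public-ip> --eval 'db.adminCommand({listDatabases: 1})'` should fail with a connection refusal or "not authorized", never return a list of databases. Note that before the 3.6 release the stock mongod listened on all interfaces unless bindIp was set, so an instance that was never given a bindIp line is worth checking even if nobody deliberately exposed it.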

Follow the Wh1t3 Rabbit ... attention technology and business leaders! The "Down the Security Rabbithole" podcast is not your ordinary security podcast, primarily because we take a business perspective on the colorful and fast-paced world of information security. Bringing useful commentary on relevant events in the information security community, filtered through a no-nonsense business first approach, this is a podcast that helps you get the sane perspective on hacks, risks, threats and technology that you need to help make decisions in your daily life and in your organization.