Cyber Threat Analysis for 07/15/2016

Analysis & Commentary on the Week's Cyber Security Issues

The "so what" factor feeds and aggregators don't give you.

Subscribe to the Cyber Threat Analysis Weekly

Obama's cybersecurity strategy takes shape

The Commission on Enhancing National Cybersecurity was launched under President Obama's executive order this year. It has taken on a broad mandate to examine all facets of the cybersecurity policy puzzle and will put a final stamp on the outgoing president's approach to cyber. (Washington Examiner)

We know what it takes to reduce risk and combat threats; we are just not doing enough of either. Every President going back several decades has gone through this same exercise, which produces effectively the same document. The President who will leave their mark on cyber security will commission an implementation plan to carry out the timeless recommendations made over the years and make its execution a success factor for his executive appointees.

Accessing People’s Browser History Is Almost Like Spying on Their Thoughts

Given what web browsing history can reveal, there is little information that could be more intimate. Getting access to somebody’s web browsing history is almost like spying on their thoughts. This level of surveillance absolutely ought to come with court oversight. Yet a number of senators are moving to go in the opposite direction. (Slate)

This is America: investigations of citizens are supposed to be hard. It's not that NSLs don't have their place, but this is greasing an already slippery slope, especially when there are ample legal tools to accomplish the task. It is refreshing to see senior legislators take this stand on the issue. It is an indication that the level of understanding of cyberspace and security issues is growing more sophisticated, and suggests that the better and more nuanced legislative proposals related to cyber security we so sorely need are not that far off.

U.S. Air Force project threatened by cybersecurity cost overruns

The U.S. Air Force is learning a tough lesson when it comes to hardening its systems against cyberintrusions, primarily that the cybersecurity threat landscape changes faster than the military's budgeting process. Hardening the Air Force's Operational Control Segment (OCX) program, which oversees GPS systems, has resulted in a 20% cost overrun for the project. The Air Force now has to decide whether to sustain or cancel OCX. (SC Magazine)

It's always harder to add security later, yet it's always what we seem to do. Malicious use of computers was not unknown when GPS went live, but it is certainly a concern today. So much so that the Navy, which stopped training in celestial navigation 10 years ago, is bringing it back. It is a recognition that while you can attempt to reduce risks and mitigate threats, resilience is arguably the more powerful capability to acquire and maintain.

Feds: Popular Computer Antivirus May Make Hackers' Lives Easier

The U.S. Department of Homeland Security warned the public against the risks of using Norton and Symantec computer security tools, which come with critical holes which hackers could exploit to enter into users' systems. Government researchers explained that Symantec can actually help cyber criminals take control over a system because users are asked to allow the software to gain access to sensitive data on their computers in exchange for malware protection. (The Monitor Daily)

It is a common misconception that security software vendors are security companies. They are in fact software companies, and all that that implies when it comes to coding practices and quality. As highlighted two weeks ago in the industrial control space, fighting technological problems with more technology is tempting, but not always the best course of action. Decision-makers should take note that novel and effective means of improving security may have nothing to do with technology.

Cyber Threats Knocking On Door Of US State And Local Law Enforcement Agencies

The National Consortium for Advanced Policing released a report providing guidelines for state and local law enforcement agencies on how to identify cyber threats and improve awareness of how cybersecurity relates to their daily lives, as well as the importance of a collaborative approach to cybersecurity in order to counter the recent threat of cyber attacks on local agencies. (Homeland Security Today)

Law enforcement's ability to combat cyber crime is woefully inadequate under the best of circumstances. This is a problem that just gets worse the farther down the governmental stack (federal, state, county, local) you go. We are reaching the point where it's not 'cyber' crime, it's just 'crime', and police at all levels need better ways of dealing with it if we've any hope of maintaining both the letter and spirit of the law. Technology is not going to change to suit the needs of law enforcement; the latter needs to look at how it does things and identify how to operate in a modern context while maintaining legally supportable changes to the otherwise hide-bound 'way things are done.'

CISSP certification: Are multiple choice tests the best way to hire infosec pros?

Want a job in infosec? Your first task: hacking your way through what many call the "HR firewall" by adding a CISSP certification to your resume. A cottage industry of boot camps has sprung up to help would-be CISSPs cram for and pass the exam. Boot camps can cost thousands of dollars, and candidates must spend $599 to sit the exam. But does adding a CISSP to your resume really mean you know your stuff? (ARSTechnica)

Certifications can be useful, but their use as an HR screen - and those who hack the system that way to get a job - are not doing the industry or their employers any favors. No, the CISSP is not the certification you should pursue if you want to be a deeply technical practitioner. Likewise, no one is going to hire a CISO because they've held the CompTIA A+ certification for 20 years. That's not what they're for, nor are they marketed that way. The more fruitful discussion would be which certifications, if any, are helpful for specific positions, but that would leave the non-certified, hands-on crowd without an outlet for their outrage and force certification bodies to demonstrate their value.

Cyber spies are still using these old Windows flaws to target their victims

Hackers using only the most basic forms of cyberattack have been able to successfully steal files from high-profile governmental and diplomatic targets. The researchers suggest that attacks originate from India and that attacks are undertaken using old exploits, low-budget malware tools and basic social engineering methods. (ZDNet)

Your weekly reminder of the importance of blocking and tackling.

Cyber Threat Analysis for 06/30/2016

On This Date In Cyber Doom History: An Example of Getting It So Wrong For So Long

At this year’s International Conference on Cyber Conflict in Estonia, Jason Healey of Columbia University argued, “For 25 years of the 75 since Pearl Harbour, we have been talking about a digital Pearl Harbour. It still hasn’t happened, so we are probably missing the point.” On the same day in 1996, CIA Director John Deutch testified before Congress that cyber attacks were the number two threat to the U.S. behind chemical, nuclear, or biological weapons. Later that same day, terrorists struck Khobar Towers in Saudi Arabia. They struck with a truck bomb. (Forbes)

What do you do after the third time the boy cries 'wolf!'? Concerns about hype in cyber security have been long justified, but we've reached the point where the hype has caught up to reality (IoT, implantable devices). Yet those who warned of these very scenarios aren't viewed as prescient but rambling crazy uncles. From the 'very serious problems' point of view it is hard to give things-cyber the same attention as things that are proving fatal to masses of people right now. The most dangerous bad actors in cyberspace don't use it for destruction, and those who would wreak havoc in meat-space still value spilling blood over spilling bytes. Unfortunately, if things hold true to form, countering cyber threats will not become a front-burner issue until there are sufficient casualties.

Experts call energy infrastructure cybersecurity bill ‘shortsighted’

Some cybersecurity experts are skeptical of new legislation to address concerns of hacker attacks against the U.S. energy infrastructure. Much criticism of the bill is directed at a research recommendation that suggests replacing some advanced ICS components at energy-providing facilities with "retro," offline and otherwise human-operated options. "By mandating analog controls you are in a sense already admitting defeat. Information security professionals will routinely say that it is not when, but if, you get compromised, at no time do we advocate that you return to pencils and paper because you are afraid of the big bad cyber threat." (Fed Scoop)

When security technology is just another avenue of attack, going analog can make a whole lot of sense. There would be no such thing as 'CEO fraud' if a little meat-space interaction were required. When we're dealing with ICS, is including a function that cannot be remotely hacked a terrible idea? Especially when there are no security solutions that provide the kind of reliability and safety - two things most cyber security people don't consider - required in an ICS environment? There is a difference between being able to automate everything (which would be inviting 'defeat') and needing to automate everything. When it comes to critical infrastructure, keeping an authorized man-in-the-middle (so to speak) is arguably the superior defense against digital threats.

How your staff's LinkedIn habits are exposing you to cyber security threats

A survey of 2,000 people by Intel Security discovered that almost a quarter of [those surveyed] had connected with somebody they did not know personally on LinkedIn, which could not only open them up to targeted cyber attacks, as criminals use personal information to tailor their approach, but also the companies they work for. (City AM)

It's not the strangers that get you, it's what you exchange with them after connecting that's dangerous. Depending on your role, it's hard to argue against the importance of expanding your professional network. Having said that, fake profiles on social networks that are designed to elicit information are a thing. Ensuring that employees understand what good operational security is, and rewarding its effective practice, can help mitigate one of the oldest threats in the book: flattery.

Infamous Hacking Groups: 5 Things They Hope to Accomplish

Web hackers are certainly no strangers to grabbing the attention of the media and the general public. On an individual basis, hackers might have a litany of reasons why they want to hack your website; however, with the development of large hacking groups, their motives for attack may be more focused and goal-oriented. (Tech Co)

To paraphrase Star Trek, the power of the many is greater than the power of any one. Nearly 20 years of observing hacker/defacement activity tells us that a collective of talent can be more powerful than any individual, but today any individual with a modicum of talent can assemble the necessary components to punch far above their individual weight (force multiplication). The more significant danger is not simply a collective of technical talent, but a group of true believers. A zealot on the inside of a targeted institution can cause more damage alone - or amplify the impact of a digital attack originating from outside.

Microsoft proposes international code of conduct for cyberspace

At a time when the web is emerging as the new front for global conflicts, Microsoft has proposed a set of standards for how corporations and countries should engage in these digital battles. Microsoft is pushing for states and technology firms to team up to halt the lucrative sale of "zero-day" vulnerabilities that are used in cyberattacks or espionage operations. The report also calls on governments to stop demanding that tech companies intentionally insert vulnerabilities into products that would create access for intelligence and law enforcement agencies. (CS Monitor)

An admirable effort that will produce meaningful yet superficial results. Attempts to shoe-horn familiar political approaches into a digital context ignore the fact that cyberspace is almost nothing like the physical environment where the old-think worked. We need more cooperation between the good guys to deal with cyberspace problems. Even low-hanging fruit needs to be picked, so while this keeps honest people honest in the light of day, it does not address the fact that no nation is going to stop developing and using offensive capabilities. Such legacy futures impede our ability to generate and put forth novel ideas that might actually produce meaningful results.

Should the Careless Be Punished for Getting Hacked?

Nearly everyone with Internet access is harmed, at least indirectly, by digital criminals. Josephine Wolff, a professor at the Rochester Institute of Technology, believes cybersecurity policy would benefit from a debate about if and when it might be appropriate to punish careless computer users for their role in enabling those criminals. (The Atlantic)

Well no wonder, look at the way she was dressed. If we are going to have a discussion about holding people responsible for vulnerabilities, let's go to the source of the problem: developers. Consumers of technology demand functionality and usability, not security. Developers give the people what they want. This is not the 80s, when if you used IT outside of work you probably built it yourself; today users are far removed from the inner workings of the technology they use. Proportionate liability seems like a compelling path to take, but until security trumps functionality in IT, personal liability is a non-starter.

Medicos could be world's best security bypassers, study finds

A university-backed study has revealed that nurses, doctors, and other medical workers will so often bypass information security controls in a bid to administer rapid health care that the shortcuts are taught to other staff. "We find, in fact, that workarounds to cyber security are the norm, rather than the exception," the team writes. "They not only go unpunished, they go unnoticed in most settings — and often are taught as correct practice." (The Register)

'Secure systems or dead patients' is a hard argument to counter. Having said that, this is less a failure of "security" as it is a failure of design. Patients in medical distress get access to sensitive "technology" (drugs) rapidly even though drugs are subject to strict security protocols. Threat models specific to the environment, and mechanisms suited to specific workflows, could go a long way towards ensuring medical IT is secure enough to provide effective care at minimal risk. This is a multi-disciplinary problem that requires a corresponding, coordinated level of effort.

Hackers Turn Computer Fans Into Snitches

Security researchers recently published a paper (PDF) detailing a new method to spy on a computer. It turns the computer's fan into a signaling device. A computer fan is one thing you really can't disconnect, and the fan can communicate subtly enough that you might not even recognize something is wrong. The researchers created malicious software called a Fansmitter that takes the CPU activity within a computer and uses that data to modulate the computer fan's movement. It's almost like turning a fan into a telegraph signaling device with Morse code. (How Stuff Works)

An interesting if niche capability of nominal concern to most of us. Every few years someone needs to re-discover Van Eck emissions, or the functional equivalent thereof. Potentially a high-threat issue for high-security environments, but successfully compromising the vast majority of systems needs nothing so sophisticated.

Cyber Threat Analysis for 06/23/2016

Cybercrime market sells servers for $8 to launch attacks

A major underground marketplace acting like an eBay for criminals is selling access to more than 70,000 compromised servers. It offers access to hacked computers owned by governments, companies and universities in 173 countries. Access goes for as little as $8 for a compromised server pre-equipped with software to mount DoS attacks, spam campaigns, illicit bitcoin mining or compromise online or retail payment systems. Low prices, searchable feature lists that advertise attack capabilities, together with services to protect illicit users from becoming detected attract buyers from entry-level cybercriminals to state-sponsored espionage groups. (Financial Review)

Why cyber security is losing, in a nutshell. What is our answer to such illicit marketplaces? What about our approach is going to change in response to the economically superior approach of our adversaries? The short answer is: nothing. Or viewed the other way: everything, as long as you can afford it. Cyber security has become a racket. It wasn't intended to be, no one started out to be a war profiteer, but this is where we find ourselves and this is where we'll remain until we can figure out how to compete on price.

FBI approach to investigations puts security at risk, experts say

In an essay to be published on June 17, 2016 in Science magazine Susan Landau, professor of cybersecurity policy at Worcester Polytechnic Institute (WPI), argues that the FBI's recent and widely publicized efforts to compel Apple Computer to write software to unlock an iPhone used by a terrorist in California reflects an outdated approach to law enforcement that threatens to weaken the security of all smartphones, potentially putting the private information of millions of smartphone users at risk and undermining the growing use of smartphones as trusted authenticators for accessing online information. (Science Daily)

The benefit of the rapid growth/use/evolution of IT is the ability to come up with new ways to do things. Law enforcement, like most governmental organs, can only seem to shoe-horn old ways into modern contexts. Poorly. Better investigative solutions that leverage technology in novel ways are more likely to come from an engineer, not a special agent, which is problematic in an agency that treats anyone not a special agent as a second-class citizen. Developing new investigative tactics, techniques and procedures that keep pace with advances in IT can help investigative agencies avoid the sticky legal, political and social problems they're dealing with now. Success will depend not so much on technical expertise, but on forward-thinking leadership that is willing to blaze a trail vice trod well-worn ground.

A massive cyber attack could trigger NATO response

A major cyber attack could prompt a collective response by NATO, according to secretary general Jens Stoltenberg. "A severe cyber attack may be classified as a case for the alliance. Then NATO can and must react. How, that will depend on the severity of the attack." In 2014 the US-led alliance assessed that cyber attacks could potentially trigger NATO'S mutual defense guarantee, or Article 5. That means NATO could potentially respond to a cyber attack with conventional weapons, although the response would be decided by consensus. (IT News)

What constitutes a "severe cyber attack" isn't defined, which is important because recovering from a cyber attack can be a relatively trivial thing when compared to recovering from an airstrike. The more severe the impact of a physical weapon the less analogous they become to digital ones. All the usual means and mechanisms for proving and confirming adversary action in meat space quickly fall away in cyber space. In the time it takes to achieve a high level of confidence in a perpetrator, and get sufficient support to act, and get agreement on what a proportional response is, the enemy has achieved its goal.

Ransomware scum build weapon from JavaScript

New ransomware written entirely in JavaScript has appeared, encrypting users' files for a $250 ransom and installing a password-stealing application. Researchers @jameswt_mht and @benkow_ found the ransomware they dubbed RAA. Bleeping Computer malware man Lawrence Abrams described the ransomware: "RAA is currently being distributed via emails as attachments that pretend to be doc files and have names like mgJaXnwanxlS_doc_.js. To make matters worse, it will also extract the embedded password stealing malware called Pony from the JS file and install it onto the victim's computer." (The Register)

The ingenuity of our adversaries is not to be underestimated. As long as there is a buck (or bitcoin) to be made, there will be a tool that helps separate the innocent from their assets. As with all cyber security threats, combating this one will require a mix of technical and personal effort. "Don't click on random attachments" is a mantra we as practitioners have been chanting for years with mixed results. Good training, incentives for good behavior, and a reasonable and enforceable policy on bad user behavior - actually enforced - is more likely to produce the kinds of results that help minimize the scourge of malware of all types.

Inside the Pentagon's secretive preparations for a 'cyber 9/11'

The massive coordinated cyber attack began with rolling blackouts throughout the electrical grid stretching across the Midwest. Then came the inexplicable malfunction at a large oil refinery in Texas. In southern California, the attack shut down several major ports by disabling hydraulic systems. Attacks on DOD networks threatened the systems that monitor North American airspace and the radars on which the U.S. military relies. This fictitious scenario was laid out for nearly 1,000 military, government and private sector personnel at this year's Cyber Guard exercise, the nation's largest test of its network defenses. (Military Times)

As with offensive tests of any type, the most valuable information is not necessarily what the bad guys did that worked, but what they did that didn't work. Absent such information we are left to speculate that the good guys probably fared as well as most do in such circumstances, which is to say 'not well'. Perhaps the most useful data to be generated from exercises like this is lost in the discussion of things-martial: what can we do to establish greater resilience in the face of an attacker's inevitable success? 'Keeping out bad guys' is a goal we will never achieve; rapid detection and recovery is something within everyone's grasp.

China-Based Hacking Incidents See Dip, Cybersecurity Experts Say

Chinese hacking of corporate and government networks in the U.S. and other countries appears to be declining, according to computer-security experts at companies hired to investigate these breaches. The drop-off is stark and may date back two years. (WSJ)

Far-ranging conclusions drawn from a relatively small data set. Ascribing a decline in observable activity from a set of actors to any particular governmental action is reasonable, but it also ignores myriad factors that argue in other directions. Far more in- and exculpatory data is going to be required before anyone can speak with any level of accuracy and authority about what works and does not work with regards to political/diplomatic/economic actions in cyberspace. As a former intelligence officer, the thing that concerns me the most in situations where a source of information suddenly goes dark is: what am I missing?

Cyber Threat Analysis for 06/16/2016

45% of organisations unsure if email cyber attack insurance will pay up

Email and data security company Mimecast has issued "a warning to organisations relying on cyber insurance: your policies may not be fully up-to-date in covering new social engineering email attacks, leaving firms at risk for taking the full financial brunt of these attacks". The research was assisted by "a survey of 436 IT experts at organisations in the US, UK, South Africa and Australia in March 2016". (IT Wire)

Your regular reminder that cyber insurance is shiny, but it isn't a silver bullet. It takes very little to find yourself out of compliance, and consequently not covered by your policy. The importance of constant vigilance, not just from a security perspective but for pedestrian issues like inventory control ("You were compromised via that box? That box is not covered."), cannot be over-stressed. Cyber insurance is really only cost effective when the wounds are not self-inflicted.

SMEs not prepared for the threat of cyber criminals

Research from Barclaycard claims cyber security is not being prioritized by small businesses. Only 20% of the organizations surveyed believe cyber security is a top business priority, with 10% claiming their team has not invested in cyber security at all. The average attack costs UK businesses between £75,000 and £311,000. More than 50% of the respondents believe their organization is at risk of a breach within the next 12 months. (Business Cloud News)

Every enterprise can harden itself against attacks, as long as that enterprise can foot the bill. Most small businesses do everything they can to stay afloat; cyber defense cuts into already razor-thin margins. It does not help that most security solutions are designed for big-E enterprise sales (thousands of nodes), and most salespeople prefer chasing a few massive sales, not dozens of small ones. Until a solution/business model formula can be worked out that benefits all parties, SMBs will continue to be at greater risk of compromise, and if they are a link in your supply chain, consider them a weak one.

The Most Important Security Question No One Seems to be Able to Answer

Let me ask you a very simple question: “What is your organization’s sensitive data, and where is it?” You can’t shrug this two-part question off, although many security leaders have been doing just that. While we can all agree that fundamentally security can’t succeed without knowing what we’re protecting, there are next to no good answers for how to do this. There is, however, no lack of excuses for why organizations don’t have these answers. (Security Week)

Blocking and tackling will do more to improve your security posture than the hot technology of the month. Good computer security has little to do with fancy tools or flashy displays. SANS and OWASP vulnerability lists remain largely unchanged content-wise over the years for a reason: very few people have mastered the fundamentals. If you cannot readily answer cyber security 101 questions you are wasting time and money, and as the next story indicates, you aren't doing yourself any favors in the eyes of the people upstairs.

Why Security Execs Lack Confidence in Security

A majority of IT security executives are only somewhat confident in their enterprise's security, according to a new survey. One-third of respondents are confident in their security posture and one-quarter said they communicate effectively about security metrics and posture to senior management. These executives continue to rely mainly on quantitative metrics aimed at preventing breaches. (CIO Insight)

Cyber security isn't respected in part because as a practitioner you're always coming up short, often in very public fashion. Data that is readily collected and reported - anti-virus hits, vulnerabilities - doesn't necessarily translate one-to-one into factors that impact your security posture or response capability. Even when the data is there, as mentioned a few weeks ago, practitioners are notoriously bad at communicating. The more rigorous and realistic your efforts to test your defenses and response capability, the more meaningful data you will be able to share with Mahogany Row.

Terrorist groups acquiring the cyber capability to bring major cities to a standstill, warns GCHQ chief

Terrorists and rogue states are gaining the capability to bring a major city to a standstill with the click of a button, the Director of GCHQ has warned. Robert Hannigan said the risk to cities like London would increase as more physical objects, such as cars and household appliances, are connected online – the so-called "internet of things". (Telegraph)

Better cyber security around IoT is imperative, but hyperbole is not helpful. Rodents and primates cause more network and power issues than things-cyber. Rather than focus on the Who and the How, we would be better served making sure our infrastructure is resilient enough to deal with the What. This is not a security issue per se, but a design and engineering one, which is probably why it won't be resolved soon (not sexy enough). You may not be able to keep the grid up, but you can take steps to ensure that your enterprise is able to fail gracefully in the aftermath of any sort of outage.

ISIS Cyber Threat Limited Says Deputy Commander of U.S. Cyber Command

ISIS has “lots of aspirations” to be a major threat to U.S. networks, Lt. Gen. James K. “Kevin” McLaughlin told Wall Street Journal. Major state actors pose a significantly greater threat than ISIS, though it could threaten soldiers by posting information about them online, Lt. Gen. McLaughlin said. (WSJ)

Until it is demonstrated that cyber attacks can kill reliably and at scale, "cyber terrorism" should not be a major concern. This has effectively been the state of terrorist capabilities for over a decade, which speaks to their view of cyber attack as a means to their ends. Computers as a means of communication? Use of encryption and other methods of avoiding detection and interception? Terrorists care about these things much like everyone else. A most dangerous scenario would involve self-radicalization of someone in a position of trust, who would use their legitimate access to cause irreparable damage to systems linked to life support (hospital) or way of life (critical infrastructure).

Real Hackers Don't Wear Hoodies

Most people probably have an idea about what a hacker looks like. The image of someone sitting alone at a computer, with their face obscured by a hoodie, staring intently at lines of code has become widely associated with hackers. After decades of researching hackers, I've decided that this picture is distorting how people need to see today's threats. It makes some very misleading implications about the adversaries that people and businesses need to focus on. (

There is no graver sin in security than underestimating your adversary. This is especially true if that judgement is passed because of their haberdashery. The flip side to this coin is also true: don't disregard someone's expertise just because they're casual of dress or otherwise unconventional in appearance. If you are not hiring someone based on this most superficial of factors, you're saying you care more about flash over substance, which might explain why you need so much help.

Cyber Threat Analysis for 06/09/2016

Battling Cyber Threats Begins With Employee Education

Clearly businesses seem to understand the importance of good security practices. But are they taking the right steps? The best security technology products and the most comprehensive policies and processes won't work without appropriate human action and intervention. Spreading cybersecurity awareness, knowledge and training throughout the entire organization, from the receptionist at the front desk to the CEO in the corner office, is essential. (Entrepreneur)

The argument over whether employee training is useful or not is unlikely to be resolved any time soon. Training is clearly not useless, but most organizations deliver training in a fashion that does not support retention or spark employee interest. Just as important: most organizations don't reinforce what is learned by holding policy violators accountable. Gamification techniques and executives walking the walk can produce positive results; the same old, same old will continue to produce victims.

45% of organisations unsure if email cyber attack insurance will pay up

Email and data security company, Mimecast, has issued "a warning to organisations relying on cyber insurance: your policies may not be fully up-to-date in covering new social engineering email attacks, leaving firms at risk for taking the full financial brunt of these attacks". The research which Mimecast conducted was assisted by "a survey of 436 IT experts at organisations in the US, UK, South Africa and Australia in March 2016". The company says "respondents assessed the growth in a range of email attacks seen over the prior three months". (IT Wire)

Cyber insurance may not necessarily help you sleep better at night. Draw analogies to other types of insurance you may be more familiar with: think of the loopholes and reasons your insurer won't pay out. Now read the fine print on your cyber policy. Think about how much work it will take and how much money it will cost to maintain compliance (things you should be doing anyway). If things were to go sideways, think about your legal team versus the legal firepower retained by an insurance company. Cyber insurance should be a part of your security portfolio, but far too many think the shine on such policies is silver, when in fact it's more like pyrite.

Study: C-Suite Leadership Can Cut Cyber-Attack Growth by 50%

The C-suite and board have critical roles in defending their firms against cyber-crime, highlights a new report published by The Economist Intelligence Unit. Findings from a global survey of 300 C-suite executives reveal a primary driver of success was the adoption of a proactive cyber-defense strategy. The 28% of firms that prioritized this approach were able to cut the growth of cyber-breaches by more than 50%. Another significant factor of success was the active support of this strategy by the C-suite or board of directors. Companies that pursue a proactive cyber-defense strategy strongly supported by C-suite and board have cut the growth of eight major cyber-attacks by an average of 53%. (CFO Innovation)

Nothing spurs action like attention from mahogany row. You would be hard pressed to craft a better argument for why a CISO/CSO should report to the top. Friction that would otherwise stall a cyber security effort miraculously falls away when people know they can't ignore or slow-roll you. Still, cyber security is something people outside of the security function are forced to do, not something they do willingly. Any sufficiently meaningful improvement is likely to lead to a new status quo, not a rush to an ideal state.

Cyber Threats to Supply Chain on the Rise

Cyber threats to supply chains have become increasingly prevalent due to extensive sharing of digital information between organizations and their suppliers. Still, some companies don’t do enough to protect their assets, sensitive data and information by addressing the risks within their networks. Many breaches don’t start at the top – attackers start somewhere in the supply chain and work their way up to the target through a trusted supplier. (Global Trade Magazine)

The cliché of the weakest link applies. Always. The more complex and extended the relationships necessary to operate your enterprise, the greater the risk and the more diverse the threats you will face. Security is a team sport, but especially when it comes to inter-connected commercial concerns, everyone on the team is playing a different sport and being scored differently. Incentivizing all elements of your supply chain to adhere to the same security rules is not going to be easy, but a collective defense / herd immunity is going to improve resilience against attacks.

Fashion Industry Tells Feds: We Need Better Cybersecurity for Internet-Connected Clothes

The fashion industry is urging Washington not to hinder creativity when the government formulates policies surrounding the internet of things, as everyone from Met Gala celebrity guests to U.S. soldiers slip on wired garments. Kenya N. Wiley, founder of the D.C.-based Fashion Innovation Alliance, is asking the Commerce Department to consider the $260 billion digital economy, when crafting any new federal regulations for networked-clothing and other internet of things gear. (NextGov)

I'll let you formulate your own Zoolander-related jokes here.

Cyber Threat Analysis for 06/02/2016


Cybersecurity recruitment in crisis

Globally cybersecurity is in crisis not solely from a lack of skilled personnel, but also from a lack of strategic direction and companies' inability to hire staff in an expedient, effective and efficient manner. ISSA, (ISC)2, ISACA, Cisco, and PwC have all released major studies showing the cybersecurity skills gap has reached a crisis point worldwide. The number of positions to be filled varies widely from study to study, but the majority of them put the gap at over a million positions by the end of the decade. One might go so far as to call it a cybersecurity skills gulf. This is not a new challenge, but one that has been developing over time. (CSO Online)

Everyone wants a superhero. Job advertisements for cyber security pros read like letters to Santa when it comes to skills, experiences, qualifications, etc. Companies lament that they cannot find enough expertise, but at the same time they are unwilling to admit that they may be asking for too much of any one individual. Your average Fortune 100 accounting department is not staffed entirely with CPAs; there is a hierarchy and specialization and tiers of responsibility with corresponding requirements of knowledge/skills/abilities. Such an approach to hiring in security would not make the effort any less expensive, but it would certainly enable more talent to enter the market more quickly.

Cyber warfare more dire and likely than nuclear

The threat of a cyber attack is a clear and present danger to America and is more likely than a nuclear attack. America is vulnerable and gaps exist in both prevention and the response on the part of the government and private sectors. America has become good at responding to crisis, but we have not been very good at avoiding it. The White House, Congress and the business community have been warned of the clear and present danger of cyber attacks. We know that those who seek to do America harm like China, Iran, Russia, North Korea and others are constantly hacking, probing and attacking our internet infrastructure. Yet, in light of the thousands upon thousands of these daily attacks, we as a nation are ill-prepared for a devastating coordinated attack. (The Hill)

There is no meaningful analog between atomic weapons and digital ones. Cyber attacks happen all the time, and while some of them have caused serious damage to targeted institutions, there is the fallout from a hack, and then there is actual fallout. We should expect more numerous and more serious cyber attacks because the barrier to becoming a "digital power" is low and the rewards for success are high. The effects, however, are temporary. Better plans and better coordination across sectors, within government and outside it, are absolutely necessary, but malicious actors don't benefit from destruction, no matter how much cold warriors want them to.

93% of phishing emails are now ransomware

As of the end of March, 93% of all phishing emails contained encryption ransomware, according to a report released by PhishMe. That was up from 56% in December, and less than 10% every other month of last year. And the number of phishing emails hit 6.3 million in the first quarter of this year, a 789% increase over the last quarter of 2015. The skyrocketing growth is due to the fact that ransomware is getting easier and easier to send and that it offers a quick and easy return on investment. (CSO Online)

Whither cyber security in the age of cheap solutions? Why would you expect a victim to do anything but pay when the ransom costs less than an hour of your time? When, no matter how good you are, you cannot recover their data? When the solution to avoiding victimhood in the future is a relatively cheap and unglamorous backup system, not a "security" solution? The answer to threats that scale is responses that scale equally well. Such efforts tend to require the formation of diverse teams and extensive coordination, which is why they happen so infrequently. The one who cracks this nut is the one who makes a serious difference in security.

White House Fails to Detect a Single Cyber Threat

The White House has been unable to detect a single cyber security threat more than six months after issuing a “national emergency” to deal with what the administration identified as growing and immediate danger, according to a new government report. Six months after President Barack Obama invoked emergency powers to block the assets of any person caught engaging in “malicious cyber-enabled activities,” the administration has not identified a single qualifying target, according to the Treasury Department. (Free Beacon)

Have adversaries stopped attacking, or are we not paying attention to the right sources? There is no shortage of sources claiming recent political actions have deterred adversaries from committing bad acts; an answer too convenient by half. The question few people are asking is: 'what are we not seeing?' Over-dependence on certain data can lead to a number of mental pitfalls when that data can no longer be trusted (or in this case present). The bad guys are out there. What are they doing while we're operating blind?

63% of data breaches are caused by weak passwords

The IT department has conventionally been blamed for the majority of data breaches and incidents in organisations worldwide. However, the newly released Verizon 2016 Data Breach Investigations Report has found that most of the causes of corporate data breaches continue to play off of human frailty. In fact, 63% of confirmed data breaches involve leveraging weak, default or stolen passwords. (Human Resources)

Unique passwords, not just strong ones, are a simple yet powerful defense. Just as dangerous as weak (or default) passwords is the practice of password reuse between work and personal accounts. Databases of compromised user IDs and passwords are readily available and exceedingly useful, if for no other reason than that a set of credentials that still works eliminates the need for a phishing attack, and the alert a phishing attempt could trigger. Unfortunately the only environment in which you have some modicum of control over this issue is at work.
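As an added example (not code from the article or from this newsletter), the following Python sketches the range-query, or k-anonymity, scheme that lets a site check a candidate password against a compromised-credential corpus without ever sending the password or its full hash: the client sends only the first five hex characters of the SHA-1, the server returns every suffix in that range, and the match happens locally. The corpus, the breach counts and all function names are constructed for illustration; a real deployment would query a service such as Pwned Passwords over the network and would run the check at enrolment and at every password reset.

```python
import hashlib

# Constructed corpus of leaked passwords with made-up breach counts, standing
# in for a compromised-credential database (sample data, not a real dump).
LEAKED_PASSWORDS = {
    "password": 3730471,
    "123456": 23597311,
    "letmein": 250000,
    "Summer2016!": 4200,
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1; the range-query scheme is keyed on this digest."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(leaked: dict) -> dict:
    """Server side: index the corpus by the first 5 hex chars of each digest."""
    index = {}
    for pw, count in leaked.items():
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], []).append((digest[5:], count))
    return index


def range_query(index: dict, prefix: str) -> list:
    """Server side: only a 5-char prefix is accepted, and every suffix in that
    range comes back, so the server cannot tell which password was checked."""
    if len(prefix) != 5:
        raise ValueError("range queries take exactly 5 hex characters")
    return list(index.get(prefix, []))


def breach_count(password: str, index: dict) -> int:
    """Client side: send the prefix, compare suffixes locally. Returns how
    many times the password appeared in the corpus (0 when absent)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for candidate, count in range_query(index, prefix):
        if candidate == suffix:
            return count
    return 0


def password_findings(password: str, index: dict, min_length: int = 12) -> list:
    """Reasons to reject a candidate password at enrolment or reset. A strong
    looking password that is already in a breach corpus is still rejected:
    uniqueness, not just complexity, is what this check enforces."""
    findings = []
    if len(password) < min_length:
        findings.append(f"shorter than {min_length} characters")
    seen = breach_count(password, index)
    if seen:
        findings.append(f"found in breach corpus {seen} times")
    return findings


if __name__ == "__main__":
    idx = build_range_index(LEAKED_PASSWORDS)
    for candidate in ("password", "Summer2016!", "x7#Qv9!mZp2&Lw"):
        print(candidate, password_findings(candidate, idx) or "ok")
```

The server never learns the password: with a 40-character SHA-1 and a 5-character prefix, every query maps to a bucket of many unrelated hashes. The reuse problem the item describes is attacked from the same place, since a password that appears in any public dump is rejected regardless of how "strong" it looks.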

Cyber-security of the fridge: Assessing the Internet of Things threat

Are IoT devices security time bombs waiting to explode, or just benign and hugely-beneficial technological advances? ‘It depends'. IT decision-makers were asked to identify the main barriers when implementing or exploiting an IoT initiative: Device or data security was named as a factor by 39% of respondents, (the biggest consensus of the survey), while 34% named a lack of clarity of purpose or understanding of the benefits. Which sums up the entire debate in a single sentence: “We have reason to be afraid of the potential threat this advance in technology brings, while also questioning the value of the ‘advance' – do we need to internet-enable all these things?” (SC Magazine UK)

Just because you can do something doesn't necessarily mean you should. There is no denying that the Internet and the things that ride on and through it have been a net benefit to our lives, but too much of a good thing can lead to any number of negative consequences. "Hacking" doesn't even have to enter into the picture. Any sufficiently serious flaw that causes a critical mass of network-enabled devices to 'burp' en masse at the wrong time could cause far more actual damage than any hack (or squirrel). 

Cyber Threat Analysis for 05/26/2016


U.S. Can’t Detect When Cyber Attacks Are Under Way, Survey Finds

A majority of senior federal officials responding to a survey said they don’t think the U.S. government can detect cyber attacks while they’re under way. 65% of cyber security officials from the DOD, intelligence agencies and federal civilian agencies said they disagreed with the idea that the federal government as a whole can detect cyber attacks while they’re happening. 59% said their "agency struggles to understand how cyber attackers could potentially breach their systems." 25% said their agency made no changes in response to last year’s breach at OPM. 40% reported their agencies don’t know where their key cyber assets are located. (Bloomberg)

Federal systems face a double whammy in that they are both aggressively targeted and the least likely to be able to respond, strategically or tactically, in kind. Attacks move "at the speed of cyber" while their targets move at the speed of government, which is to say glacially. As with the private sector, security is secondary to the mission of government agencies, so we should not expect them to be any better or worse than anyone else. It is easy to conflate the capabilities of a rare bird like the NSA with those of government as a whole, forgetting that the vast majority of government is downright pedestrian, and so too is its response to cyber threats.

The Cyber Security Industry's Big Blind Spot

Today's threat actors are more focused, funded and disruptive than ever, but the cyber security defense industry is not built to respond appropriately, says thought leader Tom Kellermann. What are security leaders overlooking? In his new role as CEO of Strategic Cyber Ventures, a cyber security technologies investment firm, Kellermann sees lots of new ideas. But too many of them are variations of the same theme: They are focused on developing specific tactical solutions that address only temporary problems that ultimately will morph. There is a systemic, industry-wide lack of long-term vision. (Bank Info Security)

There is nothing new under the sun when it comes to computer security. The functional aspects of information technology march apace with inventor imagination and user demand, but security technology is fundamentally stuck in the early '90s. Are there relatively novel ideas on how to address long-standing problems? Sure. Would bringing them to market negatively impact the cash cow that is the heart of any large cyber security business? Absolutely. This is not to say that the field will never see innovation, merely that, barring a sufficiently enlightened investment community and corporate buyers willing to eschew 'how things are done' thinking, it will emerge at a pace that does not disrupt revenue milch cows.

DOD cyber officials: Pace of threats calls for faster acquisition

A panel of top naval military officials outlined the need for faster fielding of technological tools to fight at so-called cyber speed as one of the many challenges within information warfare. Leaders discussed how rapidly technology has changed and how adversaries have adapted, creating faster and more complex threats. To help combat these emerging threat vectors, new tools and capabilities must be brought into the fold. “You can’t fight in the cyber domain with old acquisition processes…it doesn’t work,” said Brig. Gen. Loretta Reynolds, commander of Marine Forces Cyber Command. “The cyber threat is an all-day, everyday thing. We have got to have the ability to put tools on a network that get after the threats as they arrive.” (Defense Systems)

In a world where prevailing offensive tactics can change several times in a year, the multi-year acquisition process means defenses tomorrow that are cutting edge for yesterday. Efforts like 18F and other 'fast track' approaches are of limited utility in the security space because of requirements that anything new go through an expensive and time-consuming vetting process that is trivial for industry giants but onerous for small businesses who are actually innovating. It also does not help that decision-makers in this space tend to have acquired their expertise via PowerPoint, leading to buying decisions that are reminiscent of "buy IBM" thinking. Of course none of this explains why the military cannot successfully execute the fundamentals (see first story).

Time To Treat Sponsors Of Ransomware Campaigns As Terrorists, Lawmaker Says

A senior lawmaker hinted that nations not doing enough to stop ransomware groups from operating within their countries should be treated in the same way that the US treats countries that sponsor terror groups. In opening comments at a Senate Judiciary subcommittee hearing, Senator Lindsey Graham described ransomware attacks as a “terrible crime” affecting the lives of thousands. The goal should be to identify nations that are doing a good job in trying to deal with the problem and to help them in that effort while weeding out the ones that are not doing enough or are actively sponsoring such attacks. (Dark Reading)

Legacy-future thinking has yet to solve a single cyber security problem. Looking to the world of arms control and non-proliferation is a crutch that ignores the exponentially more difficult nature of the problem. The idea that the nation-states from which bad actors originate would attempt to curb their activities displays a shocking level of ignorance about how these entities are intertwined. All of this ignores the fact that paying a ransom is actually cheaper and faster than calling for help. The simple economics of ransomware make it an ideal model to refine and expand, since the solution has nothing to do with "security" and everything to do with unglamorous, sound IT practices (see below).

Ransomware and DDoS combine to form a dangerous new two-pronged cyber attack

Criminal developers have created a new evil way to monetise their operations by adding a DDoS component to ransomware payloads. Instead of 'just' encrypting data files and locking the machine, a new variant of the Cerber ransomware is now adding a DDoS bot that can quietly blast spoofed network traffic at various IPs. It means that while the victim is unable to access their endpoint, that same endpoint is being used to deny service to another victim: two attacks for the price of one (and two ways cybercriminals can make money off victims). (Information Age)

If you were ever confused about the level of ingenuity and professionalism of your adversaries, labor under such delusions no longer. Ransomware, and any of the myriad variations evil-doers can come up with have the potential to be far more pervasive than other threats. Done well, and with professionalism (as the vast majority of such cases are) it is a 'perfect storm' of conditions: effective, efficient, and lucrative. As long as paying a ransom is cheaper than calling for help (to the extent DFIR can help at or below the right price point) the best defense against ransomware has nothing to do with security.
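The unglamorous backup discipline that this item, the item above it and the 06/02/2016 ransomware item all point to is only a defense if you can prove the copies are intact and were not themselves already encrypted when they were taken. As an added illustration, not code from any of the cited articles, this Python builds a hash manifest of a directory tree and checks a later copy of the tree against it, flagging files whose content changed and now looks like ciphertext (high byte entropy). File names, the entropy threshold and the function names are assumptions for the example; the manifest must be kept somewhere the backed-up host cannot overwrite, since a manifest the ransomware can rewrite proves nothing.

```python
import hashlib
import math
import os
import tempfile
from pathlib import Path

HIGH_ENTROPY_BITS = 7.5   # bits/byte; random or encrypted data sits near 8.0 (assumed threshold)
MIN_ENTROPY_SIZE = 1024   # entropy of very small files is not meaningful


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or single-valued input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def describe_file(path: Path) -> dict:
    """Digest, size and an 'already looks encrypted' flag for one file."""
    data = path.read_bytes()
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
        "high_entropy": len(data) >= MIN_ENTROPY_SIZE
                        and shannon_entropy(data) >= HIGH_ENTROPY_BITS,
    }


def build_manifest(root) -> dict:
    """Map each relative file path under root to its description. Store the
    result on write-once media or under a separate account, never on the host
    being backed up."""
    root = Path(root)
    return {str(p.relative_to(root)): describe_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_manifest(root, manifest: dict) -> dict:
    """Compare the tree at root against a trusted manifest. Reports files that
    are missing, added or modified, and 'suspect' ones whose new content has
    high entropy although the recorded original did not."""
    current = build_manifest(root)
    report = {"missing": [], "added": [], "modified": [], "suspect": []}
    for rel, old in manifest.items():
        new = current.get(rel)
        if new is None:
            report["missing"].append(rel)
            continue
        if new["sha256"] != old["sha256"]:
            report["modified"].append(rel)
            if new["high_entropy"] and not old["high_entropy"]:
                report["suspect"].append(rel)
    report["added"] = sorted(set(current) - set(manifest))
    return report


def demo() -> tuple:
    """Create a sample tree, record its manifest, then simulate an infection
    (one file overwritten with random bytes as a stand-in for ciphertext, one
    deleted, a ransom note added) and re-verify. Returns (clean, infected)."""
    root = Path(tempfile.mkdtemp(prefix="backup-demo-"))
    (root / "notes.txt").write_text("quarterly figures " * 200)
    (root / "sub").mkdir()
    (root / "sub" / "config.ini").write_text("[db]\nhost=localhost\n")
    manifest = build_manifest(root)
    clean = verify_manifest(root, manifest)
    (root / "notes.txt").write_bytes(os.urandom(4096))
    (root / "sub" / "config.ini").unlink()
    (root / "READ_ME.txt").write_text("your files are encrypted")
    infected = verify_manifest(root, manifest)
    return clean, infected


if __name__ == "__main__":
    before, after = demo()
    print("clean copy:", before)
    print("after infection:", after)
```

Run the same verification against the restore, not just the backup: a restore that comes back with a clean report is the only point at which "we have backups" becomes "we can recover without paying."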

Should Companies Be Required to Share Information About Cyberattacks?

Damage from cyberattacks comes in layers. Direct harm, in the form of theft and other losses. Damage to the reputation of the companies affected when news gets out. And the slow erosion of confidence in overall online security. How do we limit the damage and, more important, restore confidence in online security? Requiring companies to report when they’ve been attacked and to share details about how it was done might help strengthen cyber defenses for everyone. But it can also complicate the process of trying to keep systems secure, and injure the companies’ reputations in the meantime. Conversely, allowing breached companies to work on solutions in secret may fix problems quickly and prevent reputational harm. But keeping attacks secret may also increase the danger for others. (WSJ)

It is a mistake to consider sharing an either-or option. Sharing information about tactics, techniques and procedures is undeniably a useful endeavor. Done well it can support a herd-like immunity that has the potential to negatively impact attackers at scale. Negative reputation or financial impacts associated with disclosure exist, but are temporary. True: too public a disclosure too early could lead to attackers changing tactics, but by the same token too much secrecy defeats the entire purpose of sharing. Participating in a good private sharing forum that strikes a balance between both sets of equities and has a diverse membership base is one of the more useful things you can do to defend yourself and contribute to the security of others.

When Executives Ignore Security Policies

A new study finds that 45% of IT executives knowingly circumvent organizational security policies, and many have even successfully hacked their own or another organization. IT decision-makers between the ages of 18 and 44 demonstrate a "much more cavalier" attitude toward IT security than those over age 45. "Even if these actions are being performed to validate existing infrastructure, senior leadership should be aware that this activity is occurring. It may also be worthwhile to consider third-party audits to ensure adherence with corporate security policies." (CIO Insight)

Employees as the security "weakest link" applies to every employee. The idea that as an 'expert' you know more and so can take on additional risk is a common sentiment in every discipline. Yet cases like HBGary and Hacking Team tell us that such actions are a slippery slope, because expertise in one area does not make one an expert in all things. Standards and policies have to apply to everyone, and especially to those at the top, or they will never be taken seriously by those below.

Cyber Threat Analysis for 05/19/2016


CISO Playbook: Games of War & Cyber Defenses

The modern enterprise should take a page from [the military and] apply cyberwar games to their network and data security strategies. Similar to the hacker’s playbook concept, cyberwar gaming is an exercise that will help an organization better understand its readiness for cyberwarfare. Unlike conceptual table-top scenarios, true enterprise war games involve actual attacks and require a real response. Properly executed, the lessons derived from enterprise war gaming can be applied to the organization’s defense strategy and then tested again in a regular cycle in order to identify weaknesses, challenge security assumptions, identify and anticipate potential threats, and develop security incident response “muscle memory.” (Dark Reading)

The more you sweat in training, the less you bleed in combat is a military adage that applies equally well in the digital domain. Everyone had input into your IR plan, but have they opened it since the 3-ring binder was placed on the shelf in their cubicle? Everyone is on "high-alert" during pen-test week, but what about the rest of the year? The best training in the world is still a contrivance if it does not reflect your actual environment. If yours is an industry or organization that is facing serious threat actors, you need to go beyond vulnerability scans and pen tests if you hope to compete as a peer force and not a banana republic gendarmerie. 

TalkTalk profits halve after cyber-attack

TalkTalk profits more than halved following a cyber-attack in which the personal details of thousands of customers were hacked. The telecoms company was hit with £42m in costs when almost 157,000 customers were affected by the attack in October last year. Almost one in 10 of those customers had their bank account numbers and sort codes accessed. TalkTalk insisted it “recovered strongly” in the fourth quarter following the attack, after losing 95,000 customers in the third quarter as a direct result of the hacking. (The Guardian)

Short-term focus on profits is short-term thinking about the impact of breaches on a business. Every enterprise that suffers an attack suffers a financial setback...for a time. Board and C-level interest in computer security is growing we hear, yet cases like Target's firing of its CEO post-breach remain anomalous. A look at the share prices of companies that suffered epic breaches over the past several years suggests that one breach does not a catastrophe make. That doesn't mean computer security is not important, it suggests it is not as important as we may think.

'This is just the beginning' Anonymous hackers take down banks in 30-day cyber attack

In a coordinated strike called Operation Icarus the activist hackers took the Bank of Greece offline for a few minutes. Days later the website of the Central Bank of Cyprus also briefly came under cyber attack. The central bank's website came under "some form of a denial-of-service" attack, a spokeswoman said. She added the attack "resulted in some delays in user connections, but generally the website could handle the anticipated number of users for the day." The group also claim they have taken down the central banks of New Zealand, Montenegro and France as well as the Guernsey Financial Services Commission. (Express)

Hacktivists occupy a unique niche in the threat landscape and pose a number of interesting policy challenges. The "DDoS-as-sit-in" analog does not translate quite so well between physical and digital worlds, yet absent actual damage the latter could be viewed as a legitimate political action (they're not there to take money but to make a point). True believers of any sort can be a significant threat, both externally and internally, because they will go above and beyond to achieve organization/movement goals. It is easy to disregard such movements writ large because in the long run they are largely ineffectual, but it would be a mistake to disregard the potential impact they may have if your industry becomes a target.

SEC says cyber security biggest risk to financial system

Cyber security is the biggest risk facing the financial system, said the chair of the U.S. Securities and Exchange Commission (SEC). Banks around the world have been rattled by a $81 million cyber theft from the Bangladesh central bank that was funneled through SWIFT, a member-owned industry cooperative that handles the bulk of cross-border payment instructions between banks. The SEC, which regulates securities markets, has found some major exchanges, dark pools and clearing houses did not have cyber policies in place that matched the sort of risks they faced. "What we found, as a general matter so far, is a lot of preparedness, a lot of awareness but also their policies and procedures are not tailored to their particular risks," said the SEC chairwoman. "We can't do enough in this sector," she said. (Reuters)

Functionality trumps security. Always. The speed and convenience that information technology lends to legitimate activities also works to the advantage of attackers, which is why we have things like CEO fraud. Injecting a manual step or an out-of-band confirmation before executing otherwise automated transactions would thwart such attacks, but it would negatively impact efficiency. When time is money, a lack of efficiency, even in the name of security, is seen as a detriment. While the impact of a given security incident may seem large, it is likely dwarfed by the negative impact inefficiency would have on all transactions conducted over any length of time. There is undoubtedly a technical solution to this, but as long as such crimes are rare, it is unlikely to be adopted.

Security and Privacy Fears Can Affect Internet Use

According to the results of a survey from the National Telecommunications and Information Administration, just shy of 1/5 of respondents indicated that they were the victims of some kind of negative experience online related to security and privacy. 45% of online households reported that [security and privacy] concerns stopped them from conducting financial transactions, buying goods or services, posting on social networks, or expressing opinions on controversial or political issues via the Internet, and 30% refrained from at least two of these activities. The greatest online concerns among those surveyed included identity theft (63% of all households). After that, credit card and banking fraud 45%, with data collection by online services at 23%, loss of control over personal data 22%, and government collecting user data 18%. (PC Mag)

It is probably a stretch to say this is an indication that the general public is starting to recognize the importance of privacy and security in the information age. There is no apparent drop in the amount of selfie-taking, bar check-ins, and downloads of "free" apps (free to you because you're the product). Having said that, it would be fair to say that making people think twice before they click on a link, download a file, or join another store loyalty program is a yard gained. Some level of assurance that your product or service is more secure and private than the competition can be a discriminator, but the findings of one survey do not a trend make.

Is One Year of Credit Monitoring Enough After a Data Breach?

I recently received a check in the mail from the IRS. To most people, this would be a welcome bounty. The problem was, I wasn’t expecting this check. It turns out that someone had taken the liberty of filing my taxes for me, using my Social Security number and other personal information obtained illegally through a data breach. It also turns out that they weren’t so good at it either, since the check was actually sent to me — their direct deposit information was entered incorrectly. That somehow at least made me smile, in a moment of what was still a situation leaving me pretty vulnerable. Vulnerable…for Life? (Business 2 Community)

Remedies available to breach victims have clearly not grown along with the threat. As the article points out, once you're a victim, you're a victim for life, since we cannot walk back the cat when it comes to the data about us that is floating around in the ether. The protection of personal information in databases and online has been an issue for decades, and is unlikely to be resolved in a meaningful time-frame, which means new models for verifying identity and proactively combating fraud are going to be essential in order to establish trust for transactions of any sort.


Overconfidence Plagues Financial IT Pros’ Ability to Detect a Breach, Finds Survey

Back in February, Tripwire first unveiled its 2016 Breach Detection Survey. The study evaluated the confidence and efficacy with which IT professionals in the United States could implement seven key security controls: PCI DSS, SOX, NERC CIP, MAS TRM, NIST 800-53, CIS 20 Critical Controls, and IRS 1075. The results of the survey revealed that IT pros were generally overconfident in their ability to detect a breach. 60% of respondents said they were unsure how long it took for automated tools to generate alerts. The majority of those who did have an idea answered it would take only minutes or hours, which disagrees with the findings of both Mandiant’s M-Trends 2015 Report and Verizon’s 2016 Data Breach Investigations Report. (Tripwire)

The sheer volume and complexity of threats we face mandates the use of automated systems to a degree, but key to the success of any security solution is human mastery of the technology. All surveys are but a slice of metaphorical pie, but if these results are at all reflective of the wider ecosystem of practitioners, we should be worried. The value of technologists who have an interest or passion for security over a button-pusher or tool-user cannot be overemphasized. You are not being attacked by a machine, you are being attacked by a human who has mastery over machines.

Cyber Threat Analysis for 05/12/2016

Are You Getting the Most from Your Threat Intelligence Subscription?

Many organizations, in order to ensure they are getting as much intel as possible, subscribe to multiple threat intelligence feeds and spend hundreds of thousands of dollars every year on subscription fees. But in the rush to sign up for the latest and greatest threat subscription, my guess is that most organizations don’t have a good plan for ensuring the information from their multiple feeds can be turned into new protections within their security devices, meaning the ROI for their subscription payments may be extremely low. (Security Week)

Cyber threat intelligence can help you defend your enterprise, but it is not a silver bullet. History is replete with examples of decision-makers not liking or agreeing with the flashing red lights in front of them, and then paying the price. On the other hand, decision-makers have to understand that "most dangerous" scenarios are called that for a reason: the probability may be small, but it is not zero. Intelligence is only useful if you have a system in place that enables you to act on it, and you actually do so. With enough time and false alarms, you will start to think that because nothing you have been warned about has ever happened, nothing will ever happen. That's the point at which you're going to devalue intelligence, be caught by "surprise", and conclude that intelligence has "failed" you.

Why Cyber-Criminals Are Always One Step Ahead

Cyber-criminals have an uncanny ability to stay under the radar for long periods of time—making the difficult business of cyber-protection even more difficult. Cyber-security is an ever-evolving undertaking, and the need for enterprises to reassess their security tools is constant. A recent study reveals just how easy it is to purchase or rent havoc-causing malware. "It's no small feat to keep up with how cyber-criminals operate. Attackers have an incredibly vibrant underground community where they can buy or rent anything from command-and-control infrastructure to sophisticated exploit kits to bare metal malware," said Steven Newman, CTO of Damballa. (CIO Insight)

The cliche that offense has it easier than defense really only applies when it comes to issues of scale. It is easy to do bad things to a large number of unsuspecting and unsophisticated people. A reasonably protected enterprise is largely opaque to an intruder in the early stages of an attack. They have no idea if or when they'll get caught until it is clear the defenders are blind, deaf, or otherwise not paying attention. Practices, relationships, and mechanisms that enable you to learn and work at scale help to even the odds. Information sharing, services that provide herd immunity, services/tools that shorten time between infection and detection are not necessarily glamorous but they help you keep pace with the threat.

Why Physical Security Professionals Need to Get to Grips with Cyber Security

In today’s connected workplace, weak links in security systems can be the easiest way for hackers to get onto a network. Those culpable for inviting outsiders in sometimes include: manufacturers, who push out unsecured products until end-users stump up; installers, who leave systems running with default passwords; and end-users, who unknowingly open up networks, leaving their organisations vulnerable to attack. (IFSec Global)

Default passwords and other configuration follies are the physical security device equivalent of 'password123' on routers and maintenance accounts. The ability to control such devices unbeknownst to system users provides attackers with a range of options, from 'eye in the sky' enabled credential acquisition, to insider-level knowledge that can enable and support physical compromise. Physical security systems were IoT before IoT was a thing, and their importance - and the potential risk they pose - is only going to grow. Make friends with your counterpart in physical security to make sure you're not inadvertently working against each other.

The Cyber Threat: [Administration] Policies Toward Hackers From China, Iran, Syria Produce Few Results

Recent federal indictments of Iranians and Syrians for cyber attacks on U.S. networks further highlight the failure of [the current administration] to counter the growing threat of foreign hacker strikes on American networks. The indictments are largely symbolic, since none of the Iranians or Syrians are within reach of U.S. law enforcement and the chances the hackers will ever face justice in a courtroom are slim. Like many of [the administration's] foreign policies, the indictments appear designed to provide political cover by adopting seemingly proactive measures, but without having much impact. (Free Beacon)

Declaring policies on cyber threats ineffective is good politics, but legacy political models for dealing with these issues are inadequate regardless of your party affiliation. Indictments on the domestic front and international efforts to cyber-ize cold-war-like practices are both signs that the legacy policy establishment is largely devoid of meaningful solutions to the problems we face. Rather than shoe-horn legacy futures into a modern context, we should be working towards novel solutions that reflect the world as it is, not as we wish it to be. Security practitioners can think of few things less attractive than policy development, yet it is a skill that must be mastered if we hope to avoid a world where math is banned and knowing how to code casts a pall of suspicion upon you.

Business failing to learn lessons of past cyber attacks, report shows

Business and other organisations are failing to learn the lessons of past cyber attacks, the latest Verizon Data Breach Investigations Report (DBIR) reveals. The analysis of 2,260 breaches and more than 100,000 incidents at 67 organisations in 82 countries shows that organisations are still failing to address basic issues and well-known attack methods. “This year’s study underlines that things are not getting better,” said Laurance Dine, managing principal of investigative response at Verizon Enterprise Solutions. “We continue to see the same kind of attacks exploiting the same vulnerabilities because many organisations still lack basic defences.” (Computer Weekly)

Your regular (sadly) reminder that it is a focus on fundamentals that will bring about the biggest improvements in your cyber security posture. 

Cyber Threat Analysis for 04/21/2016

Data Breach? Consumers Are Forgiving According to Survey

In the digital age, a hacker getting a hold of our personal data is par for the course. A quarter of American adults report they have been in the uncomfortable position of learning their information was involved in a data breach. It doesn’t seem to matter, though — only 11 percent of those people say they stopped doing business with the hacked company after their information was compromised, according to a new survey from the RAND Corporation. (Medical Daily)

The ability of most organizations of any size to make victims whole again could be viewed as a serious impediment to better security. When a minuscule increase in prices or fees, spread out across hundreds or thousands of customers, pays for even the most expensive breaches, what incentive does a firm have to spend money to improve security beyond the regulatory minimum? Barring new legislation, or an event of catastrophic proportions that drives an over-reaction, one might say "retail" cyber crime and defense have reached a stasis.

Majority of Healthcare Data Breaches Caused by Cyberattacks

According to a recent study, most healthcare data breaches in 2015 were caused by cyberattacks, such as phishing scams and ransomware. Cyberattacks were the top cause of healthcare data breaches in 2015, according to a recent study by Symantec Corporation on healthcare cybersecurity. The study showed that providers have shifted their views on healthcare cybersecurity to account for the rise of cyber threats, such as ransomware and phishing scams, and the increasing risk to care delivery and patient safety. (Health IT Security)

In a way, organizations in the healthcare industry have the potential to improve their security postures faster than in other industries. The development and use of well-researched, time-tested protocols is a hallmark of the industry, as are things like checklists, two-person rules and oversight by experts. Following formulas and working through checklists does not guarantee a more secure enterprise, but medical culture could enable sound practices to spread more quickly and stick with employees over time. The industry will need to take care to understand and look clearly at the threats they face and respond well under pressure (another trait of medical professionals), as the opportunity to "believe the hype" when lives may be on the line is going to be high.

Cyber Security Budgets Not Keeping Up With Threat Levels

Cyber security budgets are on the rise but are not keeping in line with increasing threats, according to security professionals. Almost two-thirds (60%) of members at the Institute of Information Security Professionals (IISP) say budgets do not fully meet the threats. Only 7 percent reported that budgets were rising faster than the level of threats. (Channel Biz)

Whether budgets are keeping pace with threats is a claim that few (especially practitioners) can make in an objective fashion. Very few organizations have practices in place that can effectively measure security spending ROI. The lack of realism and rigor in testing regimes ensures that most organizations have a false sense of security when it comes to how protected they are and how well they can respond in a crisis. When their illusions are shattered, decisions tend to be reactive and may have no real impact on an organization's defensive posture. Effective threat modeling and continuous realistic testing of mechanisms, methodologies, and people will give you a better idea of how much it costs to defend yourself against threats.

Know Thy Employees to Detect and Mitigate Security Risks

According to the UK Government Communications Headquarters, the scale and rate of cyber-attacks shows little sign of slowing down. In a 2014 report, the Department of Business Innovation and Skills (BIS) reported 81% of large organisations had experienced some type of security breach, and these breaches cost each organisation, on average, between $850,000 and $2mm. One of the easiest and most overlooked steps in managing and controlling the “danger” within organisations is - employees. (SC Magazine UK)

Countering the insider threat problem is going to require a significant commitment by organizational leadership that heretofore has been lacking. This is essentially a counterintelligence problem, and most commercial concerns lack the knowledge, skills and will to conduct such activities. Rather than being viewed as threat identification and risk reduction activities, they are too often viewed as "spying on employees," which is a realistic concern if done poorly. A good insider threat program will include both technical monitoring and a human engagement element that helps assess whether suspect activity is indeed intentional, and helps serve as a deterrent in case it is.

Reduce Cyber Security Risks with Employee Training

Your employees are an important line of defense against a data breach or cyber attack that could lead to financial or reputation loss for your company. Increased investment in employee training can reduce the risk of a cyber attack 45 to 70 percent, according to a 2015 study by Wombat Security Technologies and the Aberdeen Group. The study surmised that employees are “perhaps the greatest evolving security threat.” (Milwaukee Business News)

Training employees on computer security can be a net benefit if leadership takes it seriously and holds people accountable for failing to meet standards. Computer security training is usually a one-off, pencil-whip exercise that everyone promptly forgets while they go about getting things done. No manager would tolerate repeated, fundamental mistakes by someone in Operations, but when it comes to security all too often the attitude is, "it's just security." If you believe improving computer security is important and you want to get value out of the training you provide, ensure everyone understands that "it's just security" is a thing of the past, and work with HR to develop a reasonable and defensible policy that includes rewards as well as punishments.

In Praise of (a little) Cyber Security Hype

Chris Wysopal is against hyping vulnerabilities in computer systems. He certainly has a point, but as is the case with most situations where people claim things have gone too far, I want to make sure things don’t go too far…in the other direction.

In security writ large, any event that has a negative impact is treated like the end of the world, or very nearly so. The most common reaction is to over-react, because “we can’t allow this to happen again.”

Until of course it happens again.

“It” happens again for several reasons. The first being that time passes and memories fade. When your trip through airport security is delayed because someone decided wearing ten pounds of costume jewelry was a good idea and she can’t understand what the fuss is all about, that’s what I’m talking about. The further away we get from a bad event, the less the need for precautions seems necessary.

Second, the vast majority of security mechanisms – technical, human, physical – fail in a brittle fashion. A security breach of any sort is bad, period. But it is almost always horrifically bad, particularly when it comes to computers. A breach doesn’t result in a few records lost, it results in ALL records being lost.

Finally, really bad events that require drastic counter-measures are pretty rare. It doesn’t take long to figure out that the cost associated with over-reacting is disproportionate to the impact of the event itself.

So what do you do when the next vulnerability marketing campaign kicks off?

Not every “minor” vulnerability is minor to you. Every vulnerability is important to a degree. If I told you there was a vulnerability in finger you wouldn’t think too much about that, but there was a brief period of time when that was a big deal. Just because expert X thinks the vuln-of-the-month is weak sauce, remember that guy doesn’t work for you and has no idea what your network looks like.

Not every “critical” vulnerability is critical to you. Heartbleed was a serious problem, but having been involved in an offensive security test during peak Heartbleed hype, I can tell you that in the course of fulfilling our role as a simulated Very Bad Actor™, Heartbleed wasn’t useful to us at all given the security posture of the customer and the goals we were trying to accomplish.

Understand that just because someone is trying to make a buck, that doesn’t mean they should be ignored. Marketing circuses around vulnerabilities are probably here to stay (sadly). But if you decided you weren’t going to spend money on any vendor who was given to hyperbole, or played fast and loose with the English language, your budget for security products would go unspent (#makingcfohappy).

A certain amount of hype can be healthy. It could be the factor that gets your recalcitrant boss to give you the resources you need to deal with an actual problem. The more, and more detailed, knowledge you have of your enterprise, the better you will be able to suss out which vulnerabilities deserve to be priorities, regardless of the hype.

Cyber Threat Analysis for 04/07/2016

Executives: We're not responsible for cybersecurity

More than 90 percent of corporate executives said they cannot read a cybersecurity report and are not prepared to handle a major attack, according to a new survey. More distressing is that 40 percent of executives said they don't feel responsible for the repercussions of hackings, said Dave Damato, chief security officer at Tanium, which commissioned the survey with the Nasdaq. (CNBC)

Cyber security simply is not the issue cyber security professionals think it is. These survey results stand in stark contrast to media reporting over the past year-plus that claimed Boards and CEOs were taking cyber security seriously. How many care and to what degree may be an open question, but practitioners should not be surprised that people who can't understand the issues are not going to make an effort to take responsibility for them. If cyber security practitioners want to be taken seriously, they have to integrate more tightly with, and keep in mind the priorities of, the organizations they serve. If security is a binary condition in your mind, you will never succeed in elevating the issue to the highest levels of your organization.

When Will We be Able to Trust the IOT?

While IoT is presently a very immature set of technologies, much more is coming, no doubt about it. But before we get too enamored with this latest shiny object, let’s ask a few fundamental questions. IoT assumes, in almost every case, either that (a) everything works correctly all the time, or (b) we can tell that it’s not working correctly and ignore it until it’s fixed. Underlying these seemingly reasonable assumptions is the belief that we can trust all the smart connected devices in the IoT world to tell us the truth about what they’re doing all the time. (CFO)

IoT cannot be trusted as long as it is treated like Industrial Control Systems-lite. Regulating power, water, temperature, lights and so on is what ICS systems have been doing for ages; now they're doing it in your home. In "industrial" environments you don't have security officers, you have safety officers, because if something goes wrong in a power plant you're not talking about loss of funds, you're talking about loss of life. The more connected our homes and appliances get, the more convenient our lives will get, which will off-set the security problems that will inevitably arise. However, as discussed a few weeks ago, it is entirely possible that effects from an attack on the IoT could lead to fatalities.

Nation-State Cyber Actors Focused on “Maintaining Persistent Access” to U.S. Energy Infrastructure

The restricted DHS assessment titled “Damaging Cyber Attacks Possible but Not Likely Against the US Energy Sector” was obtained by Public Intelligence and reveals that at least seventeen intrusions against the U.S. energy sector were traced back to APT actors in FY 2014. The attacks never resulted in damage or disruption, but were instead focused on “data theft from enterprise networks” and “accessing and maintaining presence on ICS” networks and systems. (Public Intelligence)

When it comes to critical infrastructure, there is no inherent value in destruction unless your mission is annihilation. The concept of Effects Based Operations may not be du jour in the U.S. military anymore, but its principles remain sound. If you have the ability to shut off or disrupt critical infrastructure in a nation with which you are at odds, that's your geo-political trump card should diplomatic or economic instruments of power fail. If you are not actively looking for and ejecting persistence mechanisms, you are ceding your enterprise to an enemy who will use your capabilities against you and the people you serve.

Is Security Software Broken?

[...] After all that investment software security vendors still admit that the best security stance for a CSO today is to accept that they have already been breached. If a hacker is determined enough they will get into your organisation. The best the industry can do is to provide systems which try to spot when this has happened as soon as possible in an effort to minimize the risk of data loss. It is easy to see why organisations are reducing their security budgets when security software is clearly broken. (Information Security Buzz)

Security software companies are not security companies, they are software companies, and all that that implies when it comes to how they address cyber security. You cannot make assumptions about the integrity of any security product because when your job is to ship product, functionality trumps security. Always. Treat everything you install or connect to your enterprise as a part of your attack surface. Be especially vigilant about security products because of the inherent trust levels at which they operate.

Hacker-for-Hire Market is Booming, Says New Report

It’s becoming cheaper than ever to buy hacking tools online. Intelligence analysts found that business is booming in underground markets for Russian and other hackers, according to a new report released Tuesday by security firm Dell SecureWorks Inc. (WSJ)

The commoditization of hacking services and tools is a clear indication that we are making little progress when it comes to cyber defense. Not that this is a new problem, but the fact that the number of "vendors" is growing and the prices are dropping tells us that demand (in general) is increasing and the utility of point-and-click tools is sufficient to meet that demand. In other words: there are enough potential victims out there that are not getting the basics of cyber security right.

We Must Stop The Race to Attribution After Each Cyberattack

It has become almost systemic for people to immediately question, “Who did it?” when a major breach occurs in the public and/or private sectors. Understandably, the victimized have a keen interest in identifying their faceless attackers especially when they have been publicly exposed. (Fabius Maximus)

The vast majority of organizations that are not an organ of the State have no real need for attribution. They are ill-prepared to defend themselves and respond to the incident in the first place, so the importance of knowing who did it is of little practical utility. Private sector enterprises want to get back to business; they are not able to go to war, invoke diplomatic protocols, or levy penalties. Even the government, who can do those things, doesn't expect to actually bring those they accuse to justice. A good deal of the cyber security talent in the private sector was trained in the military/government. Private sector entities should consider what their end-games are for various types of incidents before they concern themselves too much with this legacy governmental practice.

Cyber Security Through the Lens of WMATA

The Washington Metropolitan Area Transit Authority runs Metro, the transit system that serves Washington DC, and the immediate areas in Virginia and Maryland. Its light rail service – Metro – may serve as a stand-in for whatever rail system or other public infrastructure project plagues your city.

WMATA works. Sometimes. The rest of the time it sucks. It is rarely on time, its communication system is unintelligible to anyone but an adult in a Peanuts cartoon, and when trains aren’t crashing and killing people, the rails are catching fire. Sound like the security apparatus in your enterprise? I’m not surprised. Want to avoid becoming cyber security’s Metro?

Operations and Maintenance Cannot be an Afterthought. Everyone loves to build stuff because that’s exciting; no one likes to oil the gears and sweep the floors, because that’s boring. But if you build something that people come to depend on, you need to ensure that it remains dependable. In the security world that means basic, boring stuff like patching and other unglamorous tasks. If you fail at the fundamentals, all the work that went into building your security architecture is for naught.

Walk in the Other Guy’s Shoes. A transit system is a thing, not an abstraction. If you do not ride the rails, the problems that are brought to your attention are at best things to go to the bottom of your to-do list, at worst something to be ignored while you do ‘real’ work. People complain about security a lot, and because security is not filled with empaths the results are predictable. If you have not taken the time to use a system the way ordinary users do (you know, the people who generate revenue), you’re not in a position to understand what security mechanisms and methodologies are optimal for your enterprise, and what security-operational trade-offs are worth the risk.

Keep Walking (in the Other Guy’s Shoes). There is nothing like a transit station manager from (insert your own local neighborhood here) trying to explain how fare cards work to a family who only speaks Mandarin. The answer isn’t to grab the next Asian person you see coming and asking you to translate (true story). The answer is you take your ‘root’ card and demonstrate how to use it to get through the turnstiles. It takes more time and it’s a bit of an inconvenience, but in this case learning by doing is going to work better than shouting in a language they don’t understand. Do you know what repeating a CVE entry to the average user or executive sounds like? Mandarin. Taking the time to show people the how and why of security is going to advance your cause further than doing your best Chris Tucker impression.

Recognize IOCs: Indicators of Catastrophe. The situation is so bad at Metro that entire lines of the system may need to be shut down for months at a time. The transit system in the capital city of the most powerful nation in the world is in danger of collapse because it has spent years ignoring the little things. Small changes and expenses now might not prevent some type of security failure in your enterprise, but it will assuredly be smaller and less painful than the negative impact of what will happen if leadership continues to kick the can down the road. They might not want to do security, but it is imperative that you communicate that without it the result is inevitable.

Cyber Threat Analysis for 03/31/2016

Only 38% of Companies Are Confident They Can Survive a Ransomware Attack

At the RSA 2016 security conference security firm Tripwire conducted a survey among 200 security professionals on various topics. Questioned if their business would be able to recover crucial data after a crippling ransomware attack, only 38% said they were fully prepared. On the other hand, 49% said they were somewhat confident they could recover most of their files while 13% admitted that a ransomware attack at this point would severely damage their ability to do business and even lead to the loss of critical data. (Softpedia)

If my math is correct 100% of people surveyed lack complete confidence in their enterprise data backup scheme. That’s really the best tool we have to combat ransomware, but because backups are not glamorous or cutting edge or 2.something no one really wants to talk about it. They would rather talk about security technology or methodology, both of which are more expensive than paying the ransom, and both are unlikely to produce meaningful results. Others would rather argue morality or ethics; usually people who have not fallen victim to an attack and don't have people depending on them to get their business (or hospital) back online. Ransomware is a security problem like any other with one important exception: a simple and relatively inexpensive solution exists.

The Four Concerns That Must Be Addressed Before the Internet of Things Can Really Take Off In 2016

Not only do people need to understand the whys and hows of the IoT, but they also need to be sure that the devices they are using are secure. This has been a clear concern for many, especially after high-profile hacks on internet-enabled cars. IoT developers, companies, and customers alike must recognize that every device is a potential target, which is what makes IoT security such a critical issue before it is publicly adopted...Fortunately, IoT devices have a limited scope of functionality, unlike a personal computer. This limitation makes it unlikely that a device itself will house the capability or information an attacker is looking for. (Infoq)

If you assume all attackers are the same, particularly in their motivations, you should prepare to be surprised. A lot. The author correctly points out that once you're on a thing it is often easier to move to other things on the same network, but if my goal is disruption or damage I don't need to get on your PC; your fridge or thermostat or sprinkler system is more than enough. Most Likely: IoT will take off regardless of whether or not security and privacy issues are addressed. It didn't happen for PCs, it didn't happen for mobile phones, and it's not going to happen now, as long as the net convenience factor for consumers is high enough. Most Dangerous: The quality and security of IoT-able things varies, and no one understands what might happen to critical infrastructure if a sufficient number of devices are attacked. Today squirrels cause more outages than 'cyber', but install enough smart appliances in a geographic area and that could change very quickly.

Why Hackers Are Going After Healthcare Providers

Washington is reeling from the news of a hack at MedStar, one of the largest medical providers in the area. A computer virus infecting the organization's computer systems forced MedStar to shut down much of its online operations Monday. The exact nature of the attack is not yet known, but MedStar is just the latest victim in a string of cyberattacks that have hit the health-care industry hard. (Washington Post)

To paraphrase bank robber Willie Sutton, thieves go to where the money is. Hospitals and other health care providers don't deal in cash per se, but they do have readily monetizable data that historically has not been well protected. Most Likely: Hospitals and medical practices will continue to be soft targets, and the primary goal of attacks against such targets is financially (fraud) related. Most Dangerous: Attacks against medical providers finally lead to the day when "cyber" kills, albeit not in the dramatic fashion doomsayers have been predicting. Rather than hacking a thousand pacemakers, or a repeat of Therac-25, medical records are diddled such that allergies are missed, symptoms not logged, etc., leading to a series of fatal medical errors.

Viewing Data as a Liquid Asset

Analytics used to be a competitive advantage, and now it’s becoming table stakes. It’s something you just need to have to execute on the business competitively. We’ve gone from experimenting with some analytics tools to deploying one visualization tool across the entire enterprise so every person has access to data reports and the ability to look at the data from the exact viewpoint they would like. If you had told me two years ago I was going to shift that tool out from a small group of people to all 1,400 customer-facing workers, I would have said, “I highly doubt it.” (MIT Sloan Review)

Just as data can be insanely valuable, so too can it be an outrageous risk. If yours is a business that demands massive volumes of data be live and malleable at all times there is no simple way to deal with this risk. For everyone else, the less data you store live the better (see the first article). That computers are fast, connectivity is ubiquitous, and storage is dirt cheap is not a good reason to maintain any more data than you absolutely need to in order to operate. Everything else should be archived and off-line. The time and effort it may take to retrieve off-line data is far less (and cheaper) than the time, disruption, and expense associated with a breach.

Cyber Security Budgets Falling Behind Threat Landscape

The Institute of Information Security Professionals (IISP) - With over 2,500 members working in security across a wide range of industries and roles, including a significant proportion at Senior/Lead/CISO level - has announced the findings from its 2016 member survey. It reveals that for over two thirds of members, information security budgets have increased, while a further 15% said that they had stayed the same. These are encouraging figures but they have to be examined alongside increasing risk and the survey also found that 60% of respondents felt that budgets were still not keeping pace with the rise in the level of threats. Only 7% reported they were rising faster than the level of threat. (IT Pro Portal)

The speed at which you operate (slow) and number of factors that are simply out of your control (OS, software, hardware, the Internet, third-parties, business model) ensure that no one can simply spend their way out of this problem. Do you think $250m is a big security budget? JP Morgan Chase thought so, until it wasn't. Getting the best budget possible depends on your ability to effectively communicate the effectiveness of your security program - the wisdom of your past decisions and why your future spend will produce the greatest ROI - in a way that your leadership can appreciate. You don't have metrics that go from lower-left to upper-right like your peers in Operations or Sales, but that doesn't mean you can't render the factors that count in a fashion that makes sense to business-people.
Making Cyber Great Again

Over the weekend, the NY Times published its own transcript of an interview between Donald Trump and two reporters, Maggie Haberman and David Sanger, focusing on foreign policy questions. Reading it presents an incredible picture of a man running for President who doesn't know the most basic things about foreign policy. But the issue that is relevant to folks around here is his completely confused and nonsensical responses to two things: cybersecurity and Ed Snowden. (TechDirt)

If you're going to pick a President based on their grasp of the issues related to the Internet in general and cyber security in particular, you're going to be waiting a long time to cast a ballot. One candidate's take on the issues may be 'nonsensical' but it's hard to see how that's different from the ignorance, ambivalence or at best half-measures of administrations past. Most Likely: Expect the type and rate of progress regarding cyber security over the next four years to remain unchanged regardless of who occupies the White House. Cyber security is simply not the policy issue cyber security people think it is. Most Dangerous: Offensive activities by adversaries (insert your favorite evil-doers here) trigger a series of ill-conceived policy decisions by ill-prepared and ill-informed appointees. What happens in cyberspace transitions to meat-space, leading us down a path towards a political-military disaster.

On Best Practices

In the wake of every major hack or data breach, executives at the peer firms of the victim-of-the-week all wonder if what happened across town could happen to them. The answer of course is “yes” because everyone is following the same cyber security best practices.

But if everyone is following "best practices" and coming up short, does it stand to reason that there might be better practices?

Roughly 15 years ago the world’s most powerful fighting force went to war in Afghanistan and later Iraq.

It didn’t exactly go as planned.

How does a force designed, trained and equipped to defeat the forces of the world’s other great armies come up so short against a bunch of terrorists and insurgents? Because it was designed, trained and equipped to fight great armies, not terrorists or insurgents. There was nothing wrong with the U.S. military except that they were waiting for the People’s Liberation Army to show up and instead they got the Taliban, al Qaeda, and militias.

Likewise companies buy and deploy technologies, and train and employ security practitioners, with specific threat models in mind, and in anticipation of specific threats and attack methodologies. They are told ‘this is how you stop X’ where X is whatever technique or vector you like. There may be other ways to stop X, but because those ways aren’t doctrine, no one does it.

If X is a best practice, and everyone is doing X and coming up short, do you think maybe it is time you tried Y to see if that’s not a more effective way of dealing with that particular problem? A better practice in other words?

For a brief time the military got to exercise their skills in maneuver warfare in Iraq, but once they won those battles they spent a long time losing. Pick your cyber security parallel: anti-virus, intrusion detection, network monitoring; they addressed a serious problem, and then the serious problems moved or changed, rendering the defense less useful. If you’re a fan of the movie The Patriot you know what I’m talking about. Cyber security best practices are like the British Army wondering why in the world these colonials and their allies don’t stand in a neat and orderly line and fight like civilized people.

I don’t know the risks that concern you, or the threats you face. What I do know is that your adherence to de facto cyber security doctrine is not going to provide optimal protection for your enterprise (or your job). If you are taking security seriously you owe it to all parties involved to explore your options beyond doctrine in order to effectively fight the fight you are in, not the one you wish you were in. Your enemies are winning because they know your doctrine and its shortcomings. By identifying better practices you stand a chance of being George Washington, not Charles Cornwallis.

Cyber Threat Analysis for 3/25/16

Insufficient boardroom focus on cyber security, finds study

Although 81% of boards in the UK have placed more emphasis on cyber security in light of the breach at TalkTalk, a mere 53% have drawn up plans for breach management, according to a recent survey. (Acumin)

Whether boards actually care enough about cyber security to do something about it remains to be seen. For every report that suggests they do, another exists that indicates they don't. It's true that C-level executives are losing their jobs over breaches, but whether that's because the board has decided that the executive was negligent, or simply for optics, can't be determined. What we do know is that high-performing CEOs (those who have a track record of keeping the stock price going from lower left to upper right) are unlikely to face the axe in light of a compromise, because boards care a lot more about financials than they do about security.

Are you liable for a cybersecurity attack?

By far the most misunderstood insurance coverage is cyberliability. Just the name alone sounds futuristic and “techie.” Within the industry it’s also referred to as cybertheft, data security and data breach coverage. (Argus Leader)

Contrary to popular opinion, cyber insurance is not new. It was a thing, then it wasn't, now it's back; look for it to go away again. You only need to spend a few minutes listening to insurance agents and lawyers to realize that - in the wake of a breach - if the former doesn't get you with the fine print, the latter will drive you to settle for pennies on the dollar. Nobody is fulfilling the "nurse-to-your-house" role that happens when you apply for supplemental life insurance, and absent a sufficiently detailed understanding of what is and is not being done from a security perspective, no agency is really going to sign up for your liabilities. Not that insurance should play a role in your risk-management scheme; just recognize that it is not going to make you whole.

Tanium CEO on The Security Industry

"We as an industry owe our customers better than to say that they should be terrified constantly and to give us lots of money." (Bloomberg)

That this statement from a cyber security company CEO strikes so many people as unusual really says more about the industry than it does about the man. You hear a lot of CEOs talk about focus on product and shipping and quality and customers; you just don't hear about it in security. They don't have to. You can ship stuff that doesn't work, or shake people down, and people will still stroke a check because they don't have any choice: security (or more accurately 'compliance' with a security regulation) is something they have to do. If 1/10th of the security vendors decided they would adopt Orion's attitude, this would be a much different world.

Cyber Security Through the Lens of Belgium

This is by no means an effort to equate terrorism and its horrible aftermath to an intrusion or data breach, merely an attempt to use current events in the physical world – which people tend to understand more readily - to help make sense of computer security – a complicated and multi-faceted problem few understand well.

You can’t stop evil; you can improve your ability to respond to it

You invest a lot of money in defense, but you can’t protect everything, perfectly, forever. If you spent $1m on defensive mechanisms and capabilities, and it only takes a few hours of research and keyboard time for someone to overcome those defenses, the answer is not to spend $2m in more defense (worst. ROI. ever). The better approach is to spend more on your ability to respond to the inevitable. You can only know how much to spend by implementing a testing regime that provides you with the right data. 200 pages of boilerplate and CVE numbers from your commodity testing service isn’t going to cut it.

You know what the problems are; you need to be willing to act

Reportedly no one involved in the attacks in Belgium was unknown to authorities. Apparently three of them in an airport in full Michael Jackson mode was not enough to go from yellow to red. In defense people have a penchant for discounting warnings because the vast majority of the time such warnings amount to nothing. Every alert is important. Every issue needs to be run to ground. If you only focus on what people tell you is “critical” you are going to miss the chain of “low” problems someone is chaining together in order to pwn you. I get that budgets are not bottomless and everyone is busy, but you need to make regular, if small, progress in this area or everything else is for naught.

Everyone has an agenda and they often conflict

Countering evil of any sort is not a solo endeavor, but because there are multiple aspects to the mission there are multiple agendas and motivations. If your mission is “how big is the threat” (intelligence) and you spend a lot of time and energy trying to determine that, you are naturally disinclined to give that data to, say, the police, whose mission is “stop the threat.” Cyber security will always conflict with other missions, but you must understand and appreciate what the other side is doing and develop a level of trust sufficient for both of you to be able to work together. Decision-makers need a comprehensive answer from their team, they don't want to deal with inter-company squabbles. As a cyber-person you don't want that either because you're always going to lose to the guy who generates revenue.

Cyber Threat Analysis for 3/18/16

Apple employees may quit rather than comply with FBI encryption orders

Compelling Apple to break its own security measures may not be as simple as it sounds. A new New York Times report suggests that even if the company loses its court fight and is legally compelled to produce security-breaking software, the employees tasked with creating the software may quit or simply stop working rather than comply with the court order. If enough of the company's employees participate in the action, it could make the FBI's goal nearly impossible to achieve. (The Verge)

Should the Bureau succeed in court they will almost assuredly be reveling in a Pyrrhic victory. The price of access to a phone of questionable intelligence value is the loss of any friction-free future cooperation or good will with any U.S. technology company of note. Do not be surprised if a Bureau victory leads to a number of leading U.S. technology companies becoming former U.S. technology companies (at least on paper). Such a move does not place an entity outside the reach of Uncle Sam, but some firms may view being a target for SIGINT (company = person; foreign person = legitimate NSA target) as better than having to respond to subpoenas from the FBI.

Lack of IoT Security Awareness Opens up companies to hack attacks

Speaking at the Wearable Technology Show in London, Brian Witten, senior director of IoT security at Symantec, said companies of all sizes lack the know-how to secure low-powered IoT devices, which leaves them vulnerable to skilled attackers.

“What we see a lot of is a lack of awareness mainly because there are a lot of companies out there that are great at device engineering but aren’t security companies. And there are a lot of security companies that have never done engineering in these extremely constrained devices,” (V3)

All the king's commodity IT security horses and men are of little value when it comes to making sure your refrigerator is not a threat or whether you can trust your toaster. It is not that such devices cannot be secured; it just requires people with a sufficient amount of knowledge and experience working at lower levels of technology to do the job. Users of such technology also need to understand that thinking obscurity or isolation makes you immune to threats is how so many of your peers become victims of seemingly trivial issues.

4 reasons not to pay up in a ransomware attack

Online extortion is on the increase, as criminals use a variety of attack vectors, including exploit kits, malicious files, and links in spam messages, to infect systems with ransomware. [...] Whether or not the organizations should pay the ransom is not a security decision -- it's a business decision. Paying encourages criminals to attack again. Not paying means lost revenue while waiting for IT to recover the files. This isn’t an easy choice, but read on for reasons to not pay the ransom. (CSO Online)

When it comes to ransomware, no amount of digital forensics or incident response will save you; your moral or ethical code is not going to put food on the table. I don't know how many infected firms have gone under because of ransomware, but it is not 0. A few hundred dollars in ransom is a small price to pay to learn the importance of a sound backup scheme. Once you've implemented such a scheme you are more resilient to such attacks. I know of no ransomware crews that are not consummate (if illicit) professionals: there is more money in the long game. Advice to the contrary is inevitably issued by people on a high horse who have not fallen victim to a ransomware attack and have the luxury of dealing with hypotheticals.

Motor Vehicles Increasingly Vulnerable to Remote Exploits

As previously reported by the media in and after July 2015, security researchers evaluating automotive cybersecurity were able to demonstrate remote exploits of motor vehicles. The analysis demonstrated the researchers could gain significant control over vehicle functions remotely by exploiting wireless communications vulnerabilities. While the identified vulnerabilities have been addressed, it is important that consumers and manufacturers are aware of the possible threats and how an attacker may seek to remotely exploit vulnerabilities in the future. (FBI)

Given that it is St. Patrick's Day I definitely have concerns about automobile safety; they just have nothing to do with my sedan being pwned and everything to do with the number of people who have partaken of three-too-many pints of Guinness. At this stage car hacking is not something a significant number of people need to be concerned about, because the risk of some very old-fashioned threats to your safety while rolling is dramatically higher. Car hacking is in vogue, but it's a specialty issue until someone figures out how to fuse car hacks with ransomware at scale.

The Problem with Moonshots

When someone wants to talk about making a big impact in computer security they almost always want to use the Manhattan Project as an analog. The problem of course is that the Manhattan Project wasn’t about improving defense, it was about improving offense. Indeed the Manhattan Project produced a weapon of such power that it’s only been used twice, and the civilized world works extraordinarily hard in making sure it does not proliferate (much).

A more appropriate analog is the Apollo program, the goal of which was putting a man on the moon. Mercury proved we could put men (well, primates) into space, and Apollo was the next “hard thing” we chose to do as a nation. But while a cyber security moonshot is an admirable goal, when it comes to cyber security – like space flight – the devil is in the details.

For starters, there is the democratizing impact of technology and the corresponding shift in power. In the 1960s the ability to put a man in space, much less on the moon, was the sole domain of the nation state. Today anyone can create the information technology equivalent of the Apollo or Mercury programs. Linux is a great example of such an effort, so is ransomware.

Then we need to consider the investment that has already been made in legacy technology. TCP/IP is what it is, and it is not going to change. We are not re-engineering the Internet and everything that rides through and on top of it. Not because it can’t be done, but because there is no ‘Sputnik was there first’ reason to do so (more on this in a second).

Everyone agrees there are problems, but no one can produce the kind of hard data needed to advance the cause. To be sure, there is no shortage of surveys that will provide numbers about the scope and scale of the problem, but none of those surveys are comprehensive and there is no way to independently verify their accuracy. The problem is bad, but is it prostate cancer bad (annoying) or pancreatic cancer bad (fatal)?

Even if you could back up your assertions with comprehensive, verifiable data, there is a fundamental unwillingness in both the security and broader enterprise decision-making apparatus to rock the boat. “No one ever got fired for buying IBM” was the mantra in the early days of enterprise IT. That same mantra – replacing IBM with whatever the market-leading appliance or security suite is for a given class – is recited in Mahogany Rows all over the world. The courage to ‘slip the surly bonds of Earth’ in the context of cyber security is extremely hard to find.

Finally, in the early 1960s the Cold War was actually quite hot. The only reason we put men in space or on the moon at the pace we did was because Yuri Gagarin scared the **** out of us. By “us” I mean “the nation” or “the people” not merely NASA or the government. There is no such movement or sentiment today. When it comes to cyberspace, functionality trumps security.

Long term success in this field is indeed about reaching the stars, but you don’t get there from here in one giant leap. In order to get to the moon we had to master a host of component technologies first (and, let’s be honest, rely on the help of some Germans of questionable background). You’re never going to get a critical mass of people – security experts, executives, or ordinary people – to back a cyber security moonshot, but you can get everyone to agree that <pick your small improvement here> is a good idea and grab market share. Compile enough small victories and we might be amazed at what we can accomplish.