Cyber Threat Analysis for 04/07/2016

Analysis & Commentary on the Week's Cyber Security Issues

The "so what" factor feeds and aggregators don't give you.


Executives: We're not responsible for cybersecurity

More than 90 percent of corporate executives said they cannot read a cybersecurity report and are not prepared to handle a major attack, according to a new survey. More distressing is that 40 percent of executives said they don't feel responsible for the repercussions of hackings, said Dave Damato, chief security officer at Tanium, which commissioned the survey with the Nasdaq. (CNBC)

Cyber security simply is not the issue cyber security professionals think it is. These survey results stand in stark contrast to media reporting over the past year+ that claimed Boards and CEOs were taking cyber security seriously. How many care and to what degree may be an open question, but practitioners should not be surprised that people who can't understand the issues are not going to make an effort to take responsibility for them. If cyber security wants to be taken seriously it has to integrate more tightly with, and keep in mind the priorities of, the organizations in which they serve. If security is a binary condition in your mind, you will never succeed in elevating the issue to the highest levels of your organization.
 

When Will We be Able to Trust the IOT?

While IoT is presently a very immature set of technologies, much more is coming, no doubt about it. But before we get too enamored with this latest shiny object, let’s ask a few fundamental questions. IoT assumes, in almost every case, either that (a) everything works correctly all the time, or (b) we can tell that it’s not working correctly and ignore it until it’s fixed. Underlying these seemingly reasonable assumptions is the belief that we can trust all the smart connected devices in the IoT world to tell us the truth about what they’re doing all the time. (CFO)

IOT cannot be trusted as long as it is treated like Industrial Control Systems-lite. Regulating power, water, temperature, lights and so on is what ICS systems have been doing for ages, now they're doing it in your home. In "industrial" environments you don't have security officers you have safety officers, because if something goes wrong in a power plant you're not talking about loss of funds you're talking about loss of life. The more connected our homes and appliances get the more convenient our lives will get, which will off-set security problems that will inevitably arise. However, as discussed a few weeks agoit is entirely possible that effects from an attack on the IOT could lead to fatalities.
 

Nation-State Cyber Actors Focused on “Maintaining Persistent Access” to U.S. Energy Infrastructure

The restricted DHS assessment titled “Damaging Cyber Attacks Possible but Not Likely Against the US Energy Sector” was obtained by Public Intelligence and reveals that at least seventeen intrusions against the U.S. energy sector were traced back to APT actors in FY 2014.  The attacks never resulted in damage or disruption, but were instead focused on “data theft from enterprise networks” and “accessing and maintaining presence on ICS” networks and systems. (Public Intelligence)

When it comes to critical infrastructure, there is no inherent value in destruction unless your mission is annihilation. The concept of Effects Based Operations may not be du jour in the U.S. military anymore, but its principles remain sound. If you have the ability to shut off or disrupt critical infrastructure in a nation with which you are at odds, that's your geo-political a trump card should diplomatic or economic instruments of power fail. If you are not actively looking for and ejecting persistence mechanisms you are ceding your enterprise to an enemy who will use your capabilities against you and the people you serve. 
 

Is Security Software Broken?

[...] After all that investment software security vendors still admit that the best security stance for a CSO today is to accept that they have already been breached. If a hacker is determined enough they will get into your organisation. The best the industry can do is to provide systems which try to spot when this has happened as soon as possible in an effort to minimize the risk of data loss. It is easy to see why organisations are reducing their security budgets when security software clearly is clearly broken.(Information Security Buzz)

Security software companies are not security companies, they are software companies, and all that that implies when it comes to how they address cyber security. You cannot make assumptions about the integrity of any security product because when your job is to ship product, functionality trumps security. Always. Treat everything you install or connect to your enterprise as a part of your attack surface. Be especially vigilant about security products because of the inherent trust levels at which they operate.
 

Hacker-for-Hire Market is Booming, Says New Report

It’s becoming cheaper than ever to buy hacking tools online. Intelligence analysts found that business is booming in underground markets for Russian and other hackers, according to a new report released Tuesday by security firm Dell SecureWorks Inc.(WSJ)

The commoditization of hacking services and tools is a clear indication that we are making little progress when it comes to cyber defense. Not that this is a new problem, but the fact that the number of "vendors" is growing and the prices are dropping tells us that demand (in general) is increasing and the utility of point-and-click tools is sufficient to meet that demand. In other words: there are enough potential victims out there that are not getting the basics of cyber security right.
 

We Must Stop The Race to Attribution After Each Cyberattack

It has become almost systemic for people to immediately question, “Who did it?” when a major breach occurs in the public and/or private sectors. Understandably, the victimized have a keen interest in identifying their faceless attackers especially when they have been publicly exposed. (Fabius Maximus)

The vast majority of organizations that are not an organ of the State have no real need for attribution. They are ill-prepared to defend themselves and respond to the incident in the first place, so the importance of knowing who did it is of little practical utility. Private sector enterprises want to get back to business; they are not able to go to war, invoke diplomatic protocols, or levy penalties. Even the government, who can do those things, doesn't expect to actually bring those they accuse to justice. A good deal of the cyber security talent in the private sector was trained in the military/government. Private sector entities should consider what their end-games are for various types of incidents before they concern themselves too much with this legacy governmental practice.