Cyber Threat Analysis for 05/05/2016

Analysis & Commentary on the Week's Cyber Security Issues

The "so what" factor feeds and aggregators don't give you.


The economics of hacking: Change your thinking

If the simple question is “why are economically motivated cyber-attacks on the rise?,” the equally simple answer is “because it pays.” Based on some recent estimates, an exploit kit can bring in over $25,000 a month or more if it is proven to be particularly effective.  (Helpnet Security)

The most economical way to reduce the effectiveness of the advantages attackers have is to re-define success. For example, "keeping bad guys out," is a goal you will never achieve; reducing the time between compromise, detection and remediation is something you can accomplish cost-effectively. Yards gained, not touchdowns. To understand where your precious security dollars will have the greatest impact, you need to implement a realistic security testing regime that simulates the type and nature of threats you face, because those who are actually attacking you are disinclined to share their findings.
 

More money doesn’t guarantee success in cyber security race

Over the next four years, Australia’s federal government will invest more than A$230 million on cyber security. But instead of addressing root causes, the strategy on offer suggest government intends to continue to escalate a hacking arms race. Despite the clear intention to, “actively promote an open, free, and secure cyberspace”, the Australian strategy’s most revealing passages relate to the intention to, “deter and respond to malicious cyber activities”, through the use offensive cyber capabilities. This arms race will thus continue to escalate and thus degrade the openness, freedom and security of cyberspace. Companies and individuals that are subject to or caught up in these attacks will continue to be the collateral damage. (The Conversation)

You cannot avoid spending money to address the problems we face, but solutions that attempt to address 'root causes' are not necessarily any less expensive. Industrial-age policing of info-age problems simply does not scale, which means the amount of money spent to combat evil will always be disproportionate to the amount of evil that is actually stopped. By  the same token, the hardware, software, and protocols that make the 'Net run have fundamental weaknesses that are not going to be re-engineered overnight or for free. The ideal security-liberty formula has yet to be calculated, which means we will continue doing what we're familiar with, rather than exploring what may actually produce widely-desirable results.
 

CISOs need to pay attention to IoT security spending

Research firm Gartner released a new report this week which summarized IoT security spending at $281.54 million in 2015, and double that by 2018. They also predict that by 2020, more than 25% of identified attacks in enterprises will involve IoT, although IoT will account for less than 10% of IT security budgets. Juniper Research recently predicted that the rapid digitization of consumers’ lives and enterprise records will increase the cost of data breaches to $2.1 trillion globally by 2019. If these IoT security spending forecasts and cybercrime figures prove out, then CISOs and IT security executives will have some explaining to do. The big question they'll have to answer: Why did they underspend on protecting IoT devices -- which led to data breaches and incident response costs that could have been avoided? (CSO)

CISOs need to be aware of IoT spending, period. As an example, every modern building of any size functions via a set of "IoT." Shutting off the HVAC in a building via cell phone was demonstrated in government threat briefings almost 20 years ago. CISOs may have no idea how big or bad their IoT problem is because IoT spending may have nothing to do with IT. IoT is going to flatten the metaphorical perimeter walls that were breached by BYOD.CISOs are going to have to expand their sphere of influence and push their ingenuity to its limits if they are to have any hope of being aware of the full scope of the problem, much less effectively address it.
 

Rhode Island Attorney General Pushing For A State-Level CFAA That Will Turn Researchers, Whistleblowers Into Criminals 

The Rhode Island Attorney General is is behind a legislative proposal that would amend the state's computer crime laws into something more closely resembling the catastrophic federal equivalent: the CFAA. "Whoever intentionally and without authorization or in excess of one's authorization, directly or indirectly accesses a computer, computer program, computer system, or computer network with the intent to either view, obtain, copy, print or download any confidential information contained in or stored on such computer, computer program, computer system, or computer network, shall be guilty of a felony...".  (TechDirt)

The only thing more detrimental to computer security than criminals is law enforcement efforts that attempt to shoe-horn industrial age approaches to information age problems. We need need better computer crime laws. Yet efforts taken to date are no less ham-handed than the laws that are on the books today. By the same token there is no way to effectively manage all the "independent security research" that takes place, detracting from the benefits such efforts (diversity, scale), which precludes the ability to determine intent (white hat v black hat). Meaningful progress on this front will only come when the nerds stop mocking lawmakers and start working with policy wonks to create laws that work for everyone.
 

Counterterrorism expert says it's time to give companies offensive cybercapabilities

The U.S. government should deputize private companies to strike back against cyberattackers as a way to discourage widespread threats against the nation’s businesses, a former government official says. The U.S. government could issue cyberwarrants, giving a private company license “to protect its system, to go and destroy data that’s been stolen or maybe even something more aggressive.” (PCWorld)

While emotionally attractive, the idea of victims hacking-back is an exceedingly bad idea. Most private concerns cannot defend themselves adequately; giving them swords when they cannot use shields doesn't make a lot of sense. Having said that, government co-option of private capabilities is arguably the more historically accurate and practical approach to the problem, more so than cold war analogs. Rigorous oversight of a focused privateering effort is a reasonable way to provide the government - which has its own talent recruiting and retention problems - the ability to project greater amounts of force (assuming policy is to go on the offensive). (For an extended discussion)