Cyber Threat Analysis for 06/02/2016

Analysis & Commentary on the Week's Cyber Security Issues

The "so what" factor feeds and aggregators don't give you.


Cybersecurity recruitment in crisis

Globally, cybersecurity is in crisis not solely from a lack of skilled personnel, but also from a lack of strategic direction and companies' inability to hire staff in an expedient, effective and efficient manner. ISSA, (ISC)2, ISACA, Cisco, and PwC have all released major studies showing the cybersecurity skills gap has reached a crisis point worldwide. The number of positions to be filled varies widely from study to study, but the majority of them put the gap at over a million positions by the end of the decade. One might go so far as to call it a cybersecurity skills gulf. This is not a new challenge, but one that has been developing over time. (CSO Online)

Everyone wants a superhero. Job advertisements for cyber security pros read like letters to Santa when it comes to skills, experience, qualifications, etc. Companies lament that they cannot find enough expertise, but at the same time they are unwilling to admit that they may be asking for too much of any one individual. Your average Fortune 100 accounting department is not staffed entirely with CPAs; there is a hierarchy, specialization and tiers of responsibility, each with corresponding requirements of knowledge, skills and abilities. Such an approach to hiring in security would not make the effort any less expensive, but it would certainly enable more talent to enter the market more quickly.
 

Cyber warfare more dire and likely than nuclear

The threat of a cyber attack is a clear and present danger to America and is more likely than a nuclear attack. America is vulnerable, and gaps exist in both prevention and response on the part of the government and private sectors. America has become good at responding to crises, but we have not been very good at avoiding them. The White House, Congress and the business community have been warned of the clear and present danger of cyber attacks. We know that those who seek to do America harm, like China, Iran, Russia, North Korea and others, are constantly hacking, probing and attacking our internet infrastructure. Yet, in light of the thousands upon thousands of these daily attacks, we as a nation are ill-prepared for a devastating coordinated attack. (The Hill)

There is no meaningful analog between atomic weapons and digital ones. Cyber attacks happen all the time, and while some of them have caused serious damage to targeted institutions, there is the fallout from a hack, and then there is actual fallout. We should expect more numerous and more serious cyber attacks because the barrier to becoming a "digital power" is low and the rewards for success are high. The effects, however, are temporary. Better plans and better coordination across sectors, and within and outside of government, are absolutely necessary, but malicious actors don't benefit from destruction, no matter how much cold warriors want them to.
 

93% of phishing emails are now ransomware

As of the end of March, 93% of all phishing emails contained encryption ransomware, according to a report released by PhishMe. That was up from 56% in December, and less than 10% in every other month of last year. And the number of phishing emails hit 6.3 million in the first quarter of this year, a 789% increase over the last quarter of 2015. The skyrocketing growth is due to the fact that ransomware is getting easier and easier to send and that it offers a quick and easy return on investment. (CSO Online)

Whither cyber security in the age of cheap solutions? Why would you expect a victim to do anything but pay when the ransom costs less than an hour of your time? When, no matter how good you are, you cannot recover their data? When the solution to avoiding victimhood in the future is a relatively cheap and unglamorous backup system, not a "security" solution? The answer to threats that scale is responses that scale equally well. Such efforts tend to require the formation of diverse teams and extensive coordination, which is why they happen so infrequently. The one who cracks this nut is the one who makes a serious difference in security.
 

White House Fails to Detect a Single Cyber Threat

The White House has been unable to detect a single cyber security threat more than six months after issuing a “national emergency” to deal with what the administration identified as growing and immediate danger, according to a new government report. Six months after President Barack Obama invoked emergency powers to block the assets of any person caught engaging in “malicious cyber-enabled activities,” the administration has not identified a single qualifying target, according to the Treasury Department. (Free Beacon)

Have adversaries stopped attacking, or are we not paying attention to the right sources? There is no shortage of sources claiming recent political actions have deterred adversaries from committing bad acts; an answer too convenient by half. The question few people are asking is: "what are we not seeing?" Over-dependence on certain data can lead to a number of mental pitfalls when that data can no longer be trusted (or, in this case, is no longer present). The bad guys are out there. What are they doing while we're operating blind?
 

63% of data breaches are caused by weak passwords

The IT department has conventionally been blamed for the majority of data breaches and incidents in organisations worldwide. However, the newly released Verizon 2016 Data Breach Investigations Report has found that most of the causes of corporate data breaches continue to play off of human frailty. In fact, 63% of confirmed data breaches involve leveraging weak, default or stolen passwords. (Human Resources)

Unique passwords, not just strong ones, are a simple yet powerful defense. Just as dangerous as weak (or default) passwords is the practice of password reuse between work and personal accounts. Databases of compromised user IDs and passwords are readily available and exceedingly useful to an attacker, if for no other reason than that a set of credentials that works eliminates the need for a phishing attack, and the potential alert one could cause. Unfortunately, the only environment in which you have some modicum of control over this issue is at work.
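As an added illustration of the point above (example code, not from the newsletter or any of the cited reports), here is a password-acceptance check that treats "strong" and "not present in a known breach corpus" as two separate tests, so a complex password that has already leaked is still rejected. The breach list is constructed for the example, and the prefix-bucket lookup mimics the k-anonymity range query used by services such as Pwned Passwords, where only the first five characters of the SHA-1 hash leave the client.

```python
import hashlib
import re

# Constructed stand-in for a breach corpus: SHA-1 hashes (upper-case hex) of
# a few passwords that have "already leaked". A real deployment would query a
# large corpus instead; the lookup shape below is an assumption modelled on
# the k-anonymity range API, not any product's actual code.
_BREACHED = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password", "Summer2016!!", "Tr0ub4dor&3")
}


def _sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def is_strong(password: str) -> bool:
    """Conventional complexity rule: at least 12 characters and three of
    four character classes. This says nothing about whether it has leaked."""
    classes = sum(
        bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]")
    )
    return len(password) >= 12 and classes >= 3


def breach_bucket(prefix: str) -> list[str]:
    """Range lookup: given a 5-char hash prefix, return the suffixes of every
    stored hash sharing it. The full hash is never sent to the corpus."""
    return [h[5:] for h in _BREACHED if h.startswith(prefix)]


def is_compromised(password: str) -> bool:
    full = _sha1_hex(password)
    prefix, suffix = full[:5], full[5:]
    return suffix in breach_bucket(prefix)


def evaluate(password: str) -> dict:
    """Policy: accept only passwords that are both strong and not known-leaked.
    'Summer2016!!' passes the complexity rule but is rejected as compromised."""
    strong = is_strong(password)
    compromised = is_compromised(password)
    return {"strong": strong, "compromised": compromised, "accept": strong and not compromised}
```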
 

Cyber-security of the fridge: Assessing the Internet of Things threat

Are IoT devices security time bombs waiting to explode, or just benign and hugely beneficial technological advances? "It depends." IT decision-makers were asked to identify the main barriers when implementing or exploiting an IoT initiative: device or data security was named as a factor by 39% of respondents (the biggest consensus of the survey), while 34% named a lack of clarity of purpose or understanding of the benefits. Which sums up the entire debate in a single sentence: "We have reason to be afraid of the potential threat this advance in technology brings, while also questioning the value of the 'advance' – do we need to internet-enable all these things?" (SC Magazine UK)

Just because you can do something doesn't necessarily mean you should. There is no denying that the Internet and the things that ride on and through it have been a net benefit to our lives, but too much of a good thing can lead to any number of negative consequences. "Hacking" doesn't even have to enter into the picture. Any sufficiently serious flaw that causes a critical mass of network-enabled devices to 'burp' en masse at the wrong time could cause far more actual damage than any hack (or squirrel).