Cyber Threat Analysis for 19 May 2016

Analysis & Commentary on the Week’s Cyber Security Issues

The “so what” factor feeds and aggregators don’t give you.

CISO Playbook: Games of War & Cyber Defenses

The modern enterprise should take a page from [the military and] apply cyberwar games to their network and data security strategies. Similar to the hacker’s playbook concept, cyberwar gaming is an exercise that will help an organization better understand its readiness for cyberwarfare. Unlike conceptual table-top scenarios, true enterprise war games involve actual attacks and require a real response. Properly executed, the lessons derived from enterprise war gaming can be applied to the organization’s defense strategy and then tested again in a regular cycle in order to identify weaknesses, challenge security assumptions, identify and anticipate potential threats, and develop security incident response “muscle memory.” (Dark Reading)

“The more you sweat in training, the less you bleed in combat” is a military adage that applies equally well in the digital domain. Everyone had input into your IR plan, but has anyone opened it since the 3-ring binder was placed on the shelf in their cubicle? Everyone is on “high alert” during pen-test week, but what about the rest of the year? The best training in the world is still a contrivance if it does not reflect your actual environment. If yours is an industry or organization facing serious threat actors, you need to go beyond vulnerability scans and pen tests if you hope to compete as a peer force and not a banana republic gendarmerie.

TalkTalk profits halve after cyber-attack

TalkTalk profits more than halved following a cyber-attack in which the personal details of thousands of customers were hacked. The telecoms company was hit with £42m in costs when almost 157,000 customers were affected by the attack in October last year. Almost one in 10 of those customers had their bank account numbers and sort codes accessed. TalkTalk insisted it “recovered strongly” in the fourth quarter following the attack, after losing 95,000 customers in the third quarter as a direct result of the hacking. (The Guardian)

Short-term focus on profits is short-term thinking about the impact of breaches on a business. Every enterprise that suffers an attack suffers a financial setback…for a time. Board and C-level interest in computer security is growing we hear, yet cases like Target’s firing of its CEO post-breach remain anomalous. A look at the share prices of companies that suffered epic breaches over the past several years suggests that one breach does not a catastrophe make. That doesn’t mean computer security is not important, it suggests it is not as important as we may think.

‘This is just the beginning’ Anonymous hackers take down banks in 30-day cyber attack

In a coordinated strike called Operation Icarus the activist hackers took the Bank of Greece offline for a few minutes. Days later the website of the Central Bank of Cyprus also briefly came under cyber attack. The central bank’s website came under “some form of a denial-of-service” attack, a spokeswoman said. She added the attack “resulted in some delays in user connections, but generally the website could handle the anticipated number of users for the day.” The group also claim they have taken down the central banks of New Zealand, Montenegro and France as well as the Guernsey Financial Services Commission. (Express)

Hacktivists occupy a unique niche in the threat landscape and pose a number of interesting policy challenges. The “DDoS-as-Sit-in” analog does not translate quite so well between physical and digital worlds, yet absent actual damage the latter could be viewed as a legitimate political action (they’re not there to take money but to make a point). True believers of any sort can be a significant threat – both externally and internally – because they will go above and beyond to achieve organization/movement goals. It is easy to disregard such movements writ large because in the long run they are largely ineffectual, but it would be a mistake to disregard the potential impact they may have if your industry becomes a target.

SEC says cyber security biggest risk to financial system

Cyber security is the biggest risk facing the financial system, said the chair of the U.S. Securities and Exchange Commission (SEC). Banks around the world have been rattled by a $81 million cyber theft from the Bangladesh central bank that was funneled through SWIFT, a member-owned industry cooperative that handles the bulk of cross-border payment instructions between banks. The SEC, which regulates securities markets, has found some major exchanges, dark pools and clearing houses did not have cyber policies in place that matched the sort of risks they faced. “What we found, as a general matter so far, is a lot of preparedness, a lot of awareness but also their policies and procedures are not tailored to their particular risks,” said the SEC chairwoman. “We can’t do enough in this sector,” she said. (Reuters)

Functionality trumps security. Always. The speed and convenience that information technology lends to legitimate activities also work to the advantage of attackers, which is why we have things like CEO fraud. Injecting a manual step or an out-of-band confirmation before an otherwise automated transaction is executed would thwart such attacks, but it would also reduce efficiency. When time is money, a loss of efficiency, even in the name of security, is seen as a detriment. While the impact of a given security incident may seem large, it is likely dwarfed by the cumulative cost that added friction would impose on every transaction conducted over any length of time. There is undoubtedly a technical solution to this, but as long as such crimes are rare, it is unlikely to be adopted.
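To make the trade-off concrete, here is an added illustration (not code from the newsletter or any of the cited outlets) of the “manual step or out-of-band function” the commentary describes: an approval gate that releases routine payment instructions untouched and holds only those that trip a risk rule until a second person confirms them with a code delivered over a separate channel. The beneficiary list, the review threshold, the sample instructions and the two rules are all constructed for this example; the point is that the efficiency cost lands only on the small set of instructions that look like CEO fraud (large amount, first-time beneficiary), and that the requester cannot approve their own instruction.

```python
"""Out-of-band approval gate for automated payment instructions.

Constructed example: all names, thresholds and sample instructions are made up.
Instructions that trip a risk rule are held; a confirmation code is handed to a
separate channel (a phone call to a second approver, in practice) and the
instruction is released only when a different person presents that code.
"""
import hmac
import secrets
from dataclasses import dataclass

# Constructed sample data.
KNOWN_BENEFICIARIES = {"ACME-SUPPLIES", "PAYROLL-PROVIDER"}
REVIEW_THRESHOLD = 50_000.00


@dataclass(frozen=True)
class Instruction:
    ref: str
    amount: float
    beneficiary: str
    requested_by: str


class ApprovalGate:
    """Releases low-risk instructions at once; holds risky ones for confirmation."""

    def __init__(self, known_beneficiaries, threshold):
        self.known = set(known_beneficiaries)
        self.threshold = threshold
        self.held = {}       # ref -> (instruction, expected confirmation code)
        self.released = []   # refs cleared for execution, in order
        self.audit = []      # append-only record of every decision

    def risk_reasons(self, ins):
        """Return the list of rules an instruction trips (empty means routine)."""
        reasons = []
        if ins.amount >= self.threshold:
            reasons.append("amount at or above review threshold")
        if ins.beneficiary not in self.known:
            reasons.append("beneficiary not previously paid")
        return reasons

    def submit(self, ins):
        """Automated path: returns ("released", None) or ("held", code)."""
        reasons = self.risk_reasons(ins)
        if not reasons:
            self.released.append(ins.ref)
            self.audit.append(("released", ins.ref, "auto"))
            return "released", None
        # The code is meant to travel outside the system that received the
        # request, so a compromised mailbox alone cannot complete the approval.
        code = secrets.token_hex(4)
        self.held[ins.ref] = (ins, code)
        self.audit.append(("held", ins.ref, "; ".join(reasons)))
        return "held", code

    def confirm(self, ref, approver, code):
        """Manual path: a second person presents the out-of-band code."""
        entry = self.held.get(ref)
        if entry is None:
            self.audit.append(("rejected", ref, "no such held instruction"))
            return False
        ins, expected = entry
        if approver == ins.requested_by:           # separation of duties
            self.audit.append(("rejected", ref, "approver is the requester"))
            return False
        if not hmac.compare_digest(code, expected):  # constant-time compare
            self.audit.append(("rejected", ref, "bad confirmation code"))
            return False
        del self.held[ref]
        self.released.append(ref)
        self.audit.append(("released", ref, f"approved by {approver}"))
        return True


if __name__ == "__main__":
    gate = ApprovalGate(KNOWN_BENEFICIARIES, REVIEW_THRESHOLD)
    routine = Instruction("TX-1", 1200.00, "ACME-SUPPLIES", "ap-clerk")
    urgent = Instruction("TX-2", 250_000.00, "NEWCO-OFFSHORE", "cfo")
    print(gate.submit(routine))          # ('released', None)
    status, code = gate.submit(urgent)   # ('held', '<8 hex chars>')
    print(status, gate.confirm("TX-2", "cfo", code))          # held False
    print(gate.confirm("TX-2", "treasurer", code))            # True
    for event in gate.audit:
        print(event)
```

The rules here are deliberately crude; a real deployment would tune the threshold and beneficiary checks to its own transaction history, which is exactly the “tailored to their particular risks” point the SEC chair makes above.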

Security and Privacy Fears Can Affect Internet Use

According to the results of a survey from the National Telecommunications and Information Administration, just shy of 1/5 of respondents indicated that they were the victims of some kind of negative experience online related to security and privacy. “45% of online households reported that [security and privacy] concerns stopped them from conducting financial transactions, buying goods or services, posting on social networks, or expressing opinions on controversial or political issues via the Internet, and 30% refrained from at least two of these activities.” The greatest online concern among those surveyed was identity theft (63% of all households). After that came credit card and banking fraud (45%), data collection by online services (23%), loss of control over personal data (22%), and government collection of user data (18%). (PC Mag)

It is probably a stretch to say this is an indication that the general public are starting to recognize the importance of privacy and security in the information age. There is no apparent drop in the amount of selfie-taking, bar check-ins, and downloads of “free” apps (free to you because you’re the product). Having said that, it would be fair to say that making people think twice before they click on a link, download a file, or join another store loyalty program is a yard gained. Some level of assurance that your product or service is more secure and private than the competition can be a discriminator, but the findings of one survey do not a trend make.

Is One Year of Credit Monitoring Enough After a Data Breach?

I recently received a check in the mail from the IRS. To most people, this would be a welcome bounty. The problem was, I wasn’t expecting this check. It turns out that someone had taken the liberty of filing my taxes for me, using my Social Security number and other personal information obtained illegally through a data breach. It also turns out that they weren’t so good at it either, since the check was actually sent to me — their direct deposit information was entered incorrectly. That somehow at least made me smile, in a moment of what was still a situation leaving me pretty vulnerable. Vulnerable…for Life? (Business 2 Community)

Remedies available to breach victims have clearly not grown along with the threat. As the article points out, once you’re a victim, you’re a victim for life, since we cannot walk back the cat when it comes to the data about us that is floating around in the ether. The protection of personal information in databases and online has been an issue for decades and is unlikely to be resolved in a meaningful time-frame, which means new models for verifying identity and proactively combating fraud are going to be essential in order to establish trust for transactions of any sort.

Overconfidence Plagues Financial IT Pros’ Ability to Detect a Breach, Finds Survey

Back in February, Tripwire first unveiled its 2016 Breach Detection Survey. The study evaluated the confidence and efficacy with which IT professionals in the United States could implement seven key security controls: PCI DSS, SOX, NERC CIP, MAS TRM, NIST 800-53, CIS 20 Critical Controls, and IRS 1075. The results of the survey revealed that IT pros were generally overconfident in their ability to detect a breach. 60% of respondents said they were unsure how long it took for automated tools to generate alerts. The majority of those who did have an idea answered it would take only minutes or hours, which disagrees with the findings of both Mandiant’s M-Trends 2015 Report and Verizon’s 2016 Data Breach Investigations Report. (Tripwire)

The sheer volume and complexity of threats we face mandates the use of automated systems to a degree, but the key to the success of any security solution is human mastery of the technology. All surveys are but a slice of metaphorical pie, but if these results are at all reflective of the wider ecosystem of practitioners, we should be worried. The value of technologists who have an interest or passion for security, over a button-pusher or tool-user, cannot be overemphasized. You are not being attacked by a machine; you are being attacked by a human who has mastery over machines.