Cyber Threat Analysis 06 Feb 2017

Analysis & Commentary on the Week’s Cyber Security Issues

The “so what” factor feeds and aggregators don’t give you.

Wake Up to the Threat of Cyber Fatigue

The ever-present threat of cyber attacks is taking its toll — not simply on security budgets, but on the psyches of business and IT executives, as well as employees. The constant vigilance against potential breaches has resulted in a rising chorus of “cyber fatigue” permeating boards that are tired of revisiting cybersecurity issues over and over again, with constant pleas from IT leadership for more money and bandwidth. (CIO)

The cyber threat clock doesn’t have a snooze button, unfortunately. If you let security drive this particular train, your executive team and front-line defenders will both be fatigued indeed. Business concerns are what should focus security’s attention and efforts. That is unsettling to security types, but it reflects the reality of any enterprise: there are only so many resources and so much time, so you have to prioritize. It’s not that you don’t care about lesser threats or minor risks, since it doesn’t take much to lead to a waterfall of failure, but you deal with them in time. What’s the point of addressing a given security issue linked to a minor business process if suddenly revenue stops flowing?

Security firm agrees many others use fear to propel sales

Security firm High-Tech Bridge has backed the UK National Cyber Security Centre’s (NCSC) claim that many security firms sell products by exaggerating the abilities of cyber attackers. (Computer Weekly)

They said, with no apparent sense of irony. We are all guilty of this to one degree or another. Sometimes you cannot help it: the only way to get the point across is a scare tactic, especially to someone new to the problems at hand. Over the long term, however, in the immortal words of Sy Syms: the educated consumer is the best customer. Better cyber security is achievable if those who have problems and those who purport to solve them collaborate, rather than try to win one over on the other. It’s not like we’re going to run out of security problems to address…

How data breaches are discovered

While the laws dealing with cybersecurity notifications vary by state, there’s general agreement among organizations that they ought to notify consumers, regulators and others as soon as they discover a breach. But what happens when those other stakeholders are the ones who notify you with the first news of the breach? (CSO)

Awkward. If 50% of breach discoveries are via external sources, you are not only doing something wrong, you’re spending money on the wrong things. Both pen tests and breaches will tell you how you are failing, but because hackers don’t provide deliverables, only the pen testers can tell you what you’re doing right. Is that information in their deliverable? If it is, you have the makings of an ROI calculation; if it isn’t, you should demand it going forward. Breaches may be unavoidable, but if at all possible you should ensure breach notifications (to you) are discreet.

Banks Show a Woeful Lack of Data Security

About 83% of consumers believe their banks are secure from cyber attack and trust it with their money and most sensitive data too, but their faith is misplaced. A report from Capgemini found that just one in five banking executives (21%) are “highly confident” in their ability to detect a breach, let alone defend against it. (Infosecurity Mag)

Comforting. It’s 2017 and yet bank insecurity is still a thing. How? Some of the earliest computer crime cases were in banks (for obvious reasons). If you remember the ‘salami attack’ you’re probably shaking your head ruefully that we’re still talking about banks not getting it. Or is that right? Is this just another reminder that computer security is not the issue we think it is – even in the financial sector? Alternately, do banking executives not understand the state of things because practitioners and vendors are not explaining themselves effectively? It’s easy to look at the bad guys and admire how well they have their act together, but then they’re not encumbered by regulation, policy, or fiduciary responsibilities.