Cyber Threat Analysis 09 Jan 2017

Analysis & Commentary on the Week’s Cyber Security Issues

The “so what” factor feeds and aggregators don’t give you.

/* Apologies all: TinyLetter’s filters found some of this content suspect, hence the delay. */

DDoS-for-hire services thrive despite closure of major marketplace

The closure of a major online marketplace for paid distributed denial-of-service attacks appears to have done little to slow the illegal activity. In late October, HackForums.net shut down its “Server Stress Testing” section, amid concerns that hackers were peddling DDoS-for-hire services through the site for as little as $10 a month. According to security experts, the section was the largest open marketplace for paid DDoS attacks. But since the section’s closure, the attacks remain rampant. Richard Clayton, director of the Cambridge Cybercrime Centre in the U.K., said his sensor network hasn’t detected any drop in DDoS attacks. (Computerworld)
Hail Hydra! The cybercrime marketplace abhors a vacuum. As we saw with Silk Road, and numerous forums before it, taking down the king means a wide variety of pretenders will rush in to fill the void. This is not to say we shouldn’t continue to carry out such actions; I merely point out that they are really only effective if done at scale. Every take-down makes such activity more risky for the players, but because take-downs are so infrequent the risk is small. Take down a network twice a week and suddenly giving up a life of cybercrime for a day job starts to make sense.

Researchers: Brace for a Major Cloud Provider Compromise

Cloud-based methods of persistence and compromise have been presented at many security conferences, including BlackHat and Defcon this past year. “In 2017, we expect to see the leading security organizations begin to catch malicious actors breaching their cloud management infrastructure,” said Aaron Shelmire, of Anomali. “Additionally, we expect to see malware purpose-built to capture cloud services credentials, similar to the banking trojans that are able to intercept two-factor Authentication input.” (Infosecurity Magazine)
Put your hand in the hand of the man who controls your data. Generally speaking, major cloud providers take security seriously, which means they’re probably better at this than you are. Having said that, I would be more wary about trusting cloud-enabled services. Run a cloud-based CRM? I can’t imagine that data being out in the wild being good for business. To understand the threat of a cloud-based compromise, understand anything and everything you use that uses the cloud. INFOSEC 101: know what you are protecting. And as mentioned at the close of last year: delete what you don’t need.

Cyber Deterrence Should Be Key Focus For Trump Administration, Task Force Says

A Washington think tank issued a set of recommendations for the Trump Administration Thursday, advising against overreliance on the private sector to fix national sector cybersecurity challenges and against assumptions the government will work as a single entity to execute on security initiatives. Recommended measures include actions that would make it harder for attackers to monetize stolen data and create uncertainty about the value of stolen credentials. In addition to calls for more punitive legal measures, the recommendations suggest the need for retaliatory measures for paralyzing the network infrastructures used by adversaries to launch cyber attacks. (Dark Reading)
Our think tanks do so love their legacy futures. “Deterrence,” “arms control,” and other Cold War thinking can help inform the debate, but it is not going to solve it. Nuclear weapons and cyber weapons are nothing alike, and the world of the 1950s is nothing like the world of the 2010s. We have decades of studies that tell us what is needed to improve cyber security; we don’t need more papers, we need coordinated and dedicated action. We go through this exercise every 4-to-8 years, and at the end of each administration the outcome is the same: no appreciable change. Change will come when the body count is high enough.

New California Law: Deploy Ransomware, Face Four Years in Prison

A new state law went into effect in California on January 1, 2017 that provides a maximum penalty of four years in state prison for deploying ransomware. SB 1137 was signed by Governor Jerry Brown on September 27, 2016. “This legislation provides prosecutors the clarity they need to charge and convict perpetrators of ransomware,” California State Senator Bob Hertzberg said in a statement. “Unfortunately, we’ve seen a dramatic increase in the use of ransomware. This bill treats this crime, which is essentially an electronic stickup, with the seriousness it deserves.” (eSecurity Planet)
We write new laws because it’s what we know how to do, not necessarily because it’s the best solution. The most timely and cost-effective solution to ransomware is a sound backup scheme that incorporates off-line storage: an IT issue, not a security one. The cost of paying the ransom is far less than the cost associated with an investigation. An investigation, I might add, that will not get you your data back and is almost assuredly going to reveal the perpetrator is outside of the local jurisdiction. If you have laws against larceny and related property crime, do you really need a stand-alone ransomware law? I don’t know how much time/energy/funds were expended passing this law, but I suspect a state-wide awareness campaign would have been a better investment.

The Need for Better Cybersecurity Prioritization Metrics

Most organizations are overwhelmed, understaffed, and/or underfunded when it comes to cybersecurity. These constraints create a critical need to prioritize on the most critical cybersecurity measures. However, often these priorities are unclear or hard to determine, leading to less-than-optimal cybersecurity product purchases and/or activities. This is because the metrics about which overarching cybersecurity priorities matter most are by-and-large not well-established or well-accepted by the cybersecurity industry – making it very difficult for customers to know what to do first and what is a “nice to have.” (Tripwire)
You cannot manage what you cannot measure. Too many people think you can’t get meaningful cyber security metrics because A-V triggers and IDS hits don’t have obvious, unambiguous positive or negative meanings. A search for meaningful metrics must be focused on those things you control that are critical to your business. You don’t control a lot when it comes to cyber security, but you can control things like ‘how fast you respond’ to a detected incident and ‘how fast you restore’ a compromised system. Up-time, productivity, utility: these are factors you can control, or at least impact readily and reliably. How often you’re targeted or by whom…not so much.
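As an added example (not part of the newsletter), here is how the two metrics singled out above, how fast you respond and how fast you restore, can be computed from incident records. The records are constructed, and the field names (detected_at, responded_at, restored_at) and the 30-minute response target are assumptions rather than any real ticketing schema. An incident that is still open is counted but excluded from the restore figures, and a record whose timestamps run backwards is rejected rather than silently producing a negative duration.

```python
"""Time-to-respond and time-to-restore metrics from incident records (added example)."""
from datetime import datetime
from math import ceil
from statistics import median

# Constructed sample incident records (not real data). Timestamps are ISO 8601;
# an incident that has not yet been restored carries restored_at = None.
INCIDENTS = [
    {"id": "INC-1", "detected_at": "2017-01-02T08:00:00",
     "responded_at": "2017-01-02T08:20:00", "restored_at": "2017-01-02T12:00:00"},
    {"id": "INC-2", "detected_at": "2017-01-02T09:00:00",
     "responded_at": "2017-01-02T09:05:00", "restored_at": "2017-01-02T10:00:00"},
    {"id": "INC-3", "detected_at": "2017-01-02T14:00:00",
     "responded_at": "2017-01-02T15:30:00", "restored_at": None},
    {"id": "INC-4", "detected_at": "2017-01-03T02:00:00",
     "responded_at": "2017-01-03T02:45:00", "restored_at": "2017-01-03T03:30:00"},
    {"id": "INC-5", "detected_at": "2017-01-04T10:00:00",
     "responded_at": "2017-01-04T10:10:00", "restored_at": "2017-01-04T10:40:00"},
]


def _minutes_between(start: str, end: str) -> float:
    """Elapsed minutes from start to end; a negative value means the record is bad."""
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    minutes = delta.total_seconds() / 60
    if minutes < 0:
        raise ValueError(f"timestamp {end} precedes {start}")
    return minutes


def time_to_respond(incident: dict) -> float:
    """Minutes from detection to the first responder action."""
    return _minutes_between(incident["detected_at"], incident["responded_at"])


def time_to_restore(incident: dict):
    """Minutes from detection to restoration, or None while the incident is still open."""
    if incident["restored_at"] is None:
        return None
    return _minutes_between(incident["detected_at"], incident["restored_at"])


def percentile(values: list, p: float) -> float:
    """Nearest-rank percentile (p in 0..100) of a non-empty list of numbers."""
    ordered = sorted(values)
    rank = max(1, ceil(p / 100 * len(ordered)))
    return ordered[rank - 1]


def summarize(incidents: list, respond_target_min: float = 30) -> dict:
    """Median and 90th percentile of both metrics, the share of incidents that met
    the response target (assumed 30 minutes), and how many are still unrestored."""
    respond = [time_to_respond(i) for i in incidents]
    restore = [m for m in (time_to_restore(i) for i in incidents) if m is not None]
    return {
        "incidents": len(incidents),
        "open": len(incidents) - len(restore),
        "respond_median_min": median(respond),
        "respond_p90_min": percentile(respond, 90),
        "respond_within_target": sum(m <= respond_target_min for m in respond) / len(respond),
        "restore_median_min": median(restore) if restore else None,
        "restore_p90_min": percentile(restore, 90) if restore else None,
    }


if __name__ == "__main__":
    for key, value in summarize(INCIDENTS).items():
        print(f"{key}: {value}")
```

Reporting the 90th percentile alongside the median is deliberate: the median shows the typical case, while the p90 exposes the slow tail (here the open incident that took 90 minutes to get a first response) that a single average would hide.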

Balancing Cybersecurity Practices With The Realities Of Healthcare Operations

A thorough risk assessment is prudent for any organization, but is particularly essential for companies in the healthcare industry. Protecting patient data is important, and failing to have robust security measures can shut down facilities and have life-or-death ramifications. However, implementing industry-standard cybersecurity practices can inhibit clinicians’ work, also leading to life-and-death consequences. (Forbes)
The Therac-25 case tells us the medical space needs help; let’s not make the cure worse than the disease. I would argue the most valuable thing we can do as practitioners is help healthcare entities threat model to identify those things that are most dangerous, develop policies to address those threats, and reduce the amount of FUD in the market. The loss of my medical records pales in comparison to losing my life should someone pwn a medical device keeping me alive. Having said that, I don’t want emergency room staff struggling to remember one of 30 different 25-character passwords they had to create in order to “secure” medical equipment, the drug cabinet, etc.

Will you be safe with an always-connected Internet of Things?