Cyber Threat Analysis – 09 Oct 2017

Analysis & Commentary on Cyber Security Issues

The “so what” factor feeds and aggregators don’t give you.


Subscribe to the Cyber Threat Analysis Weekly


/* Sorry for the delay in publication. It’s been a lot of work but also great
fun getting up to speed at the new gig. Thank you all for your patience. */

IoT Regulations Necessary for Cybersecurity

Industry experts told Congress on Oct. 3 that regulations are necessary to secure the Internet of Things (IoT). Recent ransomware attacks on hospitals were used as examples of places where cybersecurity could improve. Critics have argued that heavy regulation will hinder the growth of innovation in the technology sector.  (MeriTalk)
Witness the difference between the security industry and the security lobby. While the latter argues safety and security, the other appeals to issues policy-makers truly care about: keeping industry back home humming. Cybersecurity is the issue Washington discusses when people aren’t dying. The problem of course is that the pervasive nature of IoT – especially medical wearables and implantables – means now they can. The short-sightedness of the security industry will be revealed when sufficient numbers of people lose their lives in a sufficiently short period of time, not before. And while the security lobby will be able to say, “I told you so,” it will take no joy in it.

Small Businesses Flirting With The “Security Poverty Line”

A third of UK small businesses are risking their online safety by operating at or below the “security poverty line,” according to new research. A survey of 1,0009 senior decision makers across the UK found that 38% of small businesses had spent nothing at all to protect themselves from cybersecurity threats this year and 30% of respondents said that less than 3% of their overall budget was allocated for cybersecurity. (ITPro Portal)

No one thinks they’re a target, and no one has enough money or the knowledge to protect themselves if they did. While the stats are from the UK, the general situation is similar regardless of where you are on the globe. As the supply chain and trust relationships continue to be exposed for the weak points that they are, this is a situation that will contribute to insecurity more than any given vulnerability. Given the scarcity of talent, the expense of tools, and the reluctance to levy unfunded mandates on those least able to pay, the status quo will remain just that.

Experts Have Sobering Message on Human Rights, Privacy for Security Pros

Two influential speakers at Virus Bulletin painted grim pictures of the threats to physical safety and civil liberties posed by commercial spyware and high-end surveillance software often sold to governments. The call to action was again foisted upon security professionals […]to do more with their considerable skills, share their insight into this type of technology, use their ability to thwart these threats, and influence others to spread awareness about these issues. (Threatpost)

There are parts of the world where a cybersecurity fail is fatal: or worse. It is easy to get caught up in the flail of the month and jump on the outrage bandwagon, forgetting that the impact to most of us is one of inconvenience, or a pain so weak as to be undetectable. Lost in the quest for more or better security is the need for discretion and ease-of-use. The mere presence of certain tools is suspicious in some places, and not everyone has the skill or time to use the command line. Making a difference in security doesn’t always mean greater market share; sometimes measures of success are more personal.

How the Las Vegas Shooter Foiled a Well-Drilled Counterterrorism Plan

Las Vegas had spent years planning for the worst: training its police force according to an anti-terrorism protocol it adopted in 2009 to respond to mass shootings, chemical attacks, suicide bombings, and planes flying into buildings. But when it came to [the] attack that killed 58 people and wounded hundreds more at an open-air concert in the city, police found themselves with few options to stop the gunman quickly.(Reuters)

The best laid plans…can’t account for crazy. We train to deal with what we know. What we have seen before. What we think is reasonable. The problem is that someone smart enough and determined enough will do the seemingly unreasonable because the pay-off (so to speak) is worth the effort. Your defensive game needs to take that into account. This is why your security testing regime must take into account the extreme, over time, not merely the likely. Defenders should have the advantage of knowing the terrain, the available resources, and other factors, but absent persistent visibility and the ability to exercise control, a lot of those resources are double-edged swords.

Cyber Security Defense Hinders on a Better Understanding of the Threats

The SWIFT Institute has published three new working papers, each aiming to contribute towards the establishment of better cyber defenses for the financial industry. The research papers focus on enabling financial institutions to get ahead and stay ahead of their cyber adversaries by providing a better understanding of the actors involved, examining a means to effectively share threat information, and establishing common terminology to allow meaningful discussions between industry stakeholders. (Information Age)

An effective defense requires knowledge of the adversary, their capabilities, and their motivations. But with several decades of cybersecurity history under our belts, this effort is more recognition that the price of failure is cheaper than mounting a robust defense. Security professionals deride “compliance” efforts, as if “security” were an achievable state in anything but a notional environment. We are right to point out that more can be done, but we display both arrogance and ignorance when we blame others for not achieving perfection. As if security companies and professionals have never been caught short. The more compliant organizations are, the more we can help them address the fundamentals, the greater the impact we will have on security.

Life in a Post-Authentication Age

Is it worth getting excited or upset over data breaches anymore? The Yahoo hack was 1 billion accounts, now we learn its 3 billion. Equifax gave up personal data on over 100 million people. If you’re a Fed, or used to be one, you’re still sore from the beating you took thanks to the OPM hack. Companies of all sizes are giving up data weekly. We’ve reached the point where you cannot truly authenticate who you are online anymore. There is enough information on just about everyone that anyone can be any other person for a time. Save for giving up blood every time you log in, how is any vendor or service provider supposed to know you’re you? They can’t, not without getting more intrusive or making a massive investment in technology not everyone might adopt (like the SSN). We have reached the point where one of three things is going to happen:

  • We’re going to punt on the concept of a verified identity online. The current level of fraud is considered acceptable by those offering services online. Algorithms that detect fraud are good enough that it is cheap to make victims whole. “Solving” the issue is more expensive that being duped.
  • The world online is going to get radically transparent. Everyone will know you’re a dog. Your alias or handle becomes an affectation because everyone knows your name (you can’t do anything without giving it up). Digital life becomes more like meat-space in that trust and acceptance comes from being both vetted and vouched for. Secondary benefits: all the Internet tough guys suddenly get more reasonable and polite.
  • Identity online gets very True Names. Your life and activities online are disconnected from your meat-space persona, because compromise in the former means catastrophe in the latter. No one knows who anyone is for sure, except perhaps for public officials, and things like email-gate will seem quaint.

Given the economic factors involved, the first scenario is the most likely for the foreseeable future. There isn’t a sufficient amount of political will to drive change, and no one advocating for a better situation has the necessary political capital to make it happen.