Cyber Threat Analysis 13 Feb 2017

Analysis & Commentary on the Week’s Cyber Security Issues

The “so what” factor feeds and aggregators don’t give you.


Data breaches affect all parts of business, Verizon report shows

Data breaches are becoming more complex and are affecting every department in an organisation, not just IT, according to the Verizon 2017 Data Breach Digest. Breaches often involve legal counsel, human resources, corporate communications and other incident response stakeholders. (Computer Weekly)

Incident response is too important to be left to the nerds. For anyone who has not had to respond to a breach beyond the tracking of bytes, the broader actions involved are indeed all-encompassing. Breaches cost a lot in part because both overhead and revenue-generating personnel are taken off task. The victim is both spending money and not making it, which is generally considered a bad business practice. Yet another argument for making cyber security a company-wide issue at all times, because it is most certainly going to be one in the worst of times.

Most Americans with knowledge of employer’s cybersecurity wouldn’t want to be a customer

Revelations in the vendor report “Hacking America: Cybersecurity Perception” include that most Americans wouldn’t want to be a customer of their employers since they don’t trust their employers to protect their personal data. The study, based on answers provided by 5,000 US adults who were surveyed in December 2016, revealed that despite all the cybersecurity news coverage, American consumers and businesses still need a better understanding of cyberthreats and how to protect their personal and sensitive business data online. (Network World)

Awkward, but not entirely a surprise. No one really wants to know how the sausage is made; they just know it's delicious, so why ask uncomfortable questions? Regardless of the type of business, business comes first, and functionality trumps security. That so many firms still don’t have security regimes that enable more secure operations (vice ‘securing’ the business) says more about our discipline and mindset than it does about our bosses and colleagues.

‘Digital Geneva Convention’ needed to deter nation-state hacking: Microsoft president

Microsoft President Brad Smith on Tuesday pressed the world’s governments to form an international body to protect civilians from state-sponsored hacking, saying recent high-profile attacks showed a need for global norms to police government activity in cyberspace. Countries need to develop and abide by global rules for cyber attacks similar to those established for armed conflict at the 1949 Geneva Convention that followed World War Two. (Reuters)

If wishes were horses, beggars would ride. There is no finer example of the kind of legacy future thinking that is pervasive among the Very Serious People(tm) crowd. Facile, but not really helpful as far as advancing the cause. Attempts to apply diplomatic or political structures and practices to cyberspace problems are an admirable endeavor, but we need to delineate between the practical and the fanciful. That you might get some nations to agree to such a scheme in public doesn’t change the fact that none of them would adhere to it behind closed doors. There are things that make us feel good and there are things that will work, and the less time we waste on the former, the less likely we’ll all end up living in our favorite Sci-Fi dystopia.

Most US firms would pay to avoid data breach shame going public

According to new research from Bitdefender, two-thirds of 250 IT decision makers at enterprise firms say their companies would pay $124,000 to avoid public shaming after a data breach, and 14 percent would even go so far as to pay $500,000. (ZDNet)

Victims are victims, period. That people still feel shame – or that others would shame them – is a practice from another age that needs to stop. You cannot chastise people for not sharing or participating in partnerships on the one hand, if on the other hand you’re pointing fingers and throwing scarlet letters around. Stockholders need to understand this (and not threaten lawsuits absent clear indications of negligence). Boards do as well. Those who criticize and second guess but have no experience in a similar role need to be reminded that absent a mile in another’s shoes, their opinions are just that, and hardly helpful.

What Executives and Board Members Should Demand of Security

Without a doubt, one of the most important new capabilities of enterprise security should be to detect an attacker early in the process, before theft or damage can occur. A parallel capability is also quite valuable—the ability to know whether the network is free from attackers. With the costs and penalties of a data breach becoming increasingly more expensive, enterprise executives and boards of directors should start demanding that their security heads provide regular reporting attesting that the network is safe from internal or external attackers. (Infosecurity Magazine)

Don’t ask questions and I won’t have to lie. Yes, it would be great to be able to answer such questions definitively, but even the most well financed, staffed, and equipped enterprise is hard pressed to do so. Mahogany row is right to demand performance, but if your measure of effectiveness is zero active threats, you will never succeed. Establishing effective security metrics is dependent upon tying security data to business operations. As an example: you don’t have any real control over how many viruses you get infected by, but you can control how quickly you remediate and get a system operational. The most effective metrics in security are measured in inches, not touchdowns.
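As an added example (not from the newsletter or the cited article), the following Python script turns a handful of constructed incident records into the kind of "inches, not touchdowns" metrics the paragraph argues for: it reports the infection count per week, which the team largely cannot control, beside the median, p90 and SLA-breach figures for time to remediate, which it can. Host names, timestamps and the four-hour remediation target are all assumptions.

```python
from datetime import datetime, timedelta
from math import ceil
from statistics import median

# Constructed sample incident records (hypothetical hosts and timestamps):
# when malware was detected on a host and when the host was back in service.
INCIDENTS = [
    {"host": "ws-101", "detected": "2017-01-09T09:15", "remediated": "2017-01-09T11:15"},
    {"host": "ws-114", "detected": "2017-01-10T14:00", "remediated": "2017-01-10T19:30"},
    {"host": "srv-02", "detected": "2017-01-12T08:00", "remediated": "2017-01-12T11:00"},
    {"host": "ws-120", "detected": "2017-01-17T10:00", "remediated": "2017-01-17T12:30"},
    {"host": "ws-133", "detected": "2017-01-18T16:45", "remediated": "2017-01-19T09:45"},
    {"host": "ws-107", "detected": "2017-01-20T11:00", "remediated": "2017-01-20T12:00"},
    {"host": "ws-101", "detected": "2017-01-24T13:30", "remediated": "2017-01-24T14:30"},
    {"host": "srv-05", "detected": "2017-01-26T07:00", "remediated": "2017-01-26T09:00"},
]

# Assumed business target for returning an infected host to service (not from the page).
REMEDIATION_SLA = timedelta(hours=4)


def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M")


def hours_to_remediate(incident: dict) -> float:
    """Elapsed hours between detection and return to service for one incident."""
    delta = _parse(incident["remediated"]) - _parse(incident["detected"])
    if delta < timedelta(0):
        raise ValueError(f"{incident['host']}: remediated before detected")
    return delta.total_seconds() / 3600


def percentile(values, p: float) -> float:
    """Nearest-rank percentile (p in 0..1); the p90 exposes the tail a mean hides."""
    ordered = sorted(values)
    rank = max(1, ceil(p * len(ordered)))
    return ordered[rank - 1]


def remediation_metrics(incidents=INCIDENTS, sla=REMEDIATION_SLA) -> dict:
    """Metrics the team controls: how fast hosts come back, not how many got hit."""
    hours = [hours_to_remediate(i) for i in incidents]
    sla_hours = sla.total_seconds() / 3600
    return {
        "incidents": len(hours),
        "mean_hours": round(sum(hours) / len(hours), 2),
        "median_hours": median(hours),
        "p90_hours": percentile(hours, 0.9),
        "sla_breaches": sum(1 for h in hours if h > sla_hours),
        "worst_hosts": [i["host"] for i in incidents if hours_to_remediate(i) > sla_hours],
    }


def weekly_trend(incidents=INCIDENTS) -> dict:
    """Per ISO week: infection count (largely outside the team's control) beside
    median hours to remediate (what the team can actually move week over week)."""
    by_week = {}
    for inc in incidents:
        year, week, _ = _parse(inc["detected"]).isocalendar()
        by_week.setdefault((year, week), []).append(hours_to_remediate(inc))
    return {wk: {"infections": len(h), "median_hours": median(h)}
            for wk, h in sorted(by_week.items())}


if __name__ == "__main__":
    print(remediation_metrics())
    for wk, row in weekly_trend().items():
        print(f"{wk[0]}-W{wk[1]:02d}: {row['infections']} infections, "
              f"median {row['median_hours']:.1f}h to remediate")
```

On the sample data the infection count barely moves from week to week, while the median time to remediate falls from 3.0 to 1.5 hours; that downward trend, together with the two SLA breaches and the hosts behind them, is the sort of figure a board can act on, whereas "zero active threats" is not something any team can promise.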

The Tripwire That Sets Off Real Progress in Cyber Security

Two articles – “Lack of IoT security could be our downfall” and “Cybersecurity of medical devices: The new threat landscape” – are the latest indications that we are starting to recognize what it will take to bring about real change in the field of cyber security: bodies. Lots of them in a very short period of time. At the risk of being overly macabre, nothing brings about rapid change like fatalities. We all wish it were not so, but at the same time we also know that it is easy to push anything with less of an impact to the right. Hijacking planes was not a new thing. Neither was hijackers killing passengers. Hardening cockpit doors 2 or 3 decades ago would have prevented a number of such attacks, but it took 9/11 to actually make it happen.