Cyber Threat Analysis – 13 Mar 2017

Analysis & Commentary on the Week’s Cyber Security Issues

The “so what” factor feeds and aggregators don’t give you.

Subscribe to the Cyber Threat Analysis Weekly

Boeing Insider Data Breach Serves as Reminder for HR

He couldn’t format a spreadsheet, so he sent it to his spouse for help, ultimately causing a breach that could have exposed the personal data of 36,000 Boeing employees in four states. This is a good reminder of why HR needs to ensure employees are trained on proper data security measures. (SHRM)

Treating cyber security as a “special” issue is a mistake. The more integrated into your overall operation, the more fundamental it is with regards to business practices, the more effective it will be. HR can be integral in helping craft not only a sound but also a defensible cyber security policy.  One that not only improves compliance, but also helps you reduce risk (read: removing those who regularly endanger the company).

All U.S. Companies Need to Share Cybersecurity Threat Data

U.S. companies large and small feeling the burn in the aftermath of a data breach are struggling to find resources to bolster their security systems. Cybercriminals usually don’t discriminate based on a company’s size, going after valuable personal data no matter the target. Companies of all sizes need to work with the government and private-sector partners to combat the growing cyberthreat in the U.S., even though many hesitate to share threat data, given the limited liability protection offered by the government. (Bloomberg)

There is only value in sharing if everyone involves derives some benefit. The value of any discrete indicator drops the longer it stays in any vendor or service provider’s cloister, and the half-life of any discrete indicator gets  shorter by the day. The limited liability afforded participants in current sharing programs is insufficient, and government involvement in such environments is also seen as a detriment (friend today, regulator tomorrow; no meaningful info from .gov). Meaningful sharing is a force multiplier. It supports the concept of ‘herd immunity’ and allows defense to work at scale: two principles that actually support the idea of raising attacker costs.

The New Cyber Security Ecosystem

When one compares cyber security today to what it was ten years ago, the two are almost unidentifiable as the same industry. The iPhone had only just launched; Facebook was still in it’s infancy; the Internet of Things (IoT) was still a dream. The routes a hacker could use to access a system were limited, and because of this, cyber security was built around walls. Today’s landscape is utterly different. The routes into a system are so numerous they are impossible to police effectively, with the IoT making this problem greater by the day. (InfosecBuzz)
There is nothing new under the sun when it comes to cyber security. The landscape may differ, but the core principles remain the same. This is something that gets lost in all the hullabaloo about the Internet-of-this and the hack-of-the-week. Know what needs protecting, know where it is, know your capabilities (and shortcomings), and know how much risk you’re prepared to accept. Solutions are ample, tried, and true, but only if you know what problems you need to solve. None of this is a guarantee of success but it is how you avoid falling victim to something stupid or being labeled incompetent.

How to Update All Your Gear (For Safety!)

This week’s WikiLeaks revelations, which showed that the CIA can compromise a huge range of devices, shouldn’t send you into paroxysms of fear over your smartphone. It should, though, be a solid reminder that one of the best ways to keep yourself safe from hackers is also one of the simplest: Update your gear. (Wired)

Your regular reminder of the importance of blocking and tackling. Timely updates seem like an administrative chore, but they are arguably the simplest thing you can do to reduce certain risks en masse. The minutes of inconvenience pale in comparison to the days of suffering you’re likely to endure if Bring Your Own Device becomes Bring Your Own Brick.