Cyber Threat Analysis 16 Jan 2017

Analysis & Commentary on the Week’s Cyber Security Issues

The “so what” factor feeds and aggregators don’t give you.


Why you’re not investing enough in IT security

We all agree that IT security is a major issue facing all companies. But what has brought on the change? For such a complicated and widespread problem, the reason is actually quite simplistic: budget. To put it into layman’s terms, CEOs and boards have spent a lot of time and money enticing customers in the front door and making sure the front end of the business works efficiently, all the while leaving the back door wide open for criminals to come in and take what they want. (CSO Online)
You have no idea if you’re investing enough in IT security. You cannot blame business leaders for trying to build and operate the best business they can. Every hue and cry over the lack of cyber security budget fails to consider that in business, what gets measured is what gets done. Cyber security has yet to come up with a set of universally accepted metrics or KPIs, which means there is no way to calculate ROI. Who honestly believes CEOs are going to pour any more money down the cyber security budgetary black hole than they have to? Figure out what security metrics work for your enterprise and you begin to speak the language of business, and put yourself on the path to garnering some modicum of respect from the people whose money you are spending. Or you can keep doing what you’re doing and see how far that takes you.

Inadequate intelligence integration

Many organizations flirt with the notion of threat intelligence. Academically it makes sense. [However,] most organizations do not have a large enough threat intelligence and/or counterintelligence organization to process all the received intelligence in an efficient and effective way. As such, intelligence becomes little more than a lagging indicator. The volume of data from free, paid and hybrid intelligence services is overwhelming and brings baggage… (CSO Online)
Intelligence is really only of value if: it tells you something you do not already know; it tells you what you need to know in a timely fashion; and it improves your ability to make good decisions. Feeds are not intelligence; feeds are throwing a brick to a drowning man. I would add one additional point to the author’s sound advice: don’t bother with intelligence if you are not willing to act on it. History is replete with examples of people who stared at (actual or metaphorical) flashing red lights but failed to believe what they were seeing, leading to catastrophe. It is on the intelligence provider to develop a level of reliability and trust in their consumers; it is on the consumer to make effective use of that knowledge.

Hacking, Cyber-Security, and Asymmetric Threat

In the recent past, our government has been concerned about Chinese hacking. Today, it’s concerns about Russia. In the evolving world of cyber warfare, it’s not just governments that pose large threats. An NBC report quoted a “security analyst” (in their words) who said: “…a single individual is very capable of waging cyber war at a level we previously attributed only to intelligence agencies or crime syndicates.” (Windows IT Pro)

Arguably one of the greatest shortcomings in international efforts to curb malicious activity online is the inadequate attention paid to non-state actors. They are not ignored, merely given short shrift, which is odd given that cyberspace is the one domain where the ability to project power is not held exclusively by the state. What good is a treaty between states in the age of the superempowered individual? Before you say “law enforcement,” check the stats of cyber crimes vs cyber criminals incarcerated for their crimes. Like counter-terrorism, combating cyber threats is going to require a range of capabilities and approaches. We cannot afford to be dogmatic if we are to have any chance of success.

Giuliani as a Cybersecurity Advisor for Donald Trump Does Not Bode Well

Well, the good news is that authoritarian former New York City Mayor Rudy Giuliani will only be serving President-Elect Donald Trump’s administration as an advisor on cybersecurity issues. But it’s still bad news that Giuliani is going to be connected at all. Though Giuliani has been working as a security consultant in the private sector, tech experts blasted the cybersecurity vulnerabilities of his company site, which is now no longer even accessible online. (Reason)

Angst-ridden cyber security experts layered on the snark on this announcement: not one provided proof of their application to join the incoming administration. Every report about a vulnerable (or hacked) web site recalls for me this XKCD cartoon. The fact of the matter is that Rudy is perfect for the role when you remember the job is not a technical one. Technical experts decrying the lack of such expertise in policy people is like complaining a running back can’t throw a curve ball: two different gigs. It’s easy to criticize, and it’s easy to use someone’s politics as an excuse for vitriol, but cybersecurity is a bipartisan issue. If you’re not willing to serve on a level greater than yourself, or at least set aside your personal politics and provide advice any chief executive would find useful, you should expect to continue to be a lone voice in the wilderness.

Who’s winning the cyber war? The squirrels, of course

For years, the government and security experts have warned of the looming threat of “cyberwar” against critical infrastructure in the US and elsewhere. Predictions of cyber attacks wreaking havoc on power grids, financial systems, and other fundamental parts of nations’ fabric have been foretold repeatedly over the past two decades. So far, however, the damage done by cyber attacks, both real and imagined or exaggerated cannot begin to measure up to an even more significant cyber-threat—squirrels. (Ars Technica)

It’s funny because it’s true. That elements of critical infrastructure are so fragile speaks to our lackadaisical attitude about operations and maintenance and our unwillingness to invest in same. It is an issue that has the potential to strike at the heart of institutional legitimacy, but very few view things through that lens because that only happens in the third-world, right? Critical infrastructure must be resilient to all types of threats, not just the glamorous, headline-grabbing ones. Bolstering and defending critical infrastructure comes at a price, and as my car mechanic puts it: pay me a little now, or pay me a lot later.