Cyber Threat Analysis – 20 Mar 2017

Analysis & Commentary on the Week’s Cyber Security Issues

Spring Blocking and Tackling Edition

The “so what” factor feeds and aggregators don’t give you.


Study shows ignorance of and critical need to secure important documents

There is a growing need to improve security practices for confidential documents that include information such as financial data, employee records, business contracts and intellectual property. 95% of those surveyed expressed concerns about the security of documents in their organisation. 60% say sensitive documents have accidentally been sent to the wrong person. Fewer than 30% said their company has security solutions that are being effectively used, and only 16% of respondents say their organisation is “very effective” in stopping the loss or accidental distribution of confidential digital documents. (SC Magazine)

Security 101: know what you are trying to protect. You would think this would be a fundamental business issue as well: know where your valuables are. This raises an important question: in our quest for security, are we chasing the right things? The castle-built-on-sand analogy comes into play here. What is the point of an ‘advanced’ solution for ‘sophisticated’ threats if you’re not effectively locking doors and windows?

Want to blame someone for a data breach? Blame mobile workers

Almost a third of companies have suffered either data loss or a security breach because their employees use mobile technologies to work. This is according to a new report by Apricorn. The company polled 100 IT decision makers in the UK for the report. 44% expect mobile workers to expose their company’s data to risks of breaches and theft. 48% also agree that employees are the biggest security threat to their company. (ITProPortal)

More than enough blame to go around. Having said that, there is no more classic example of the role risk management plays in an overall cyber security strategy. Remote workers are a reality for most businesses of any size in certain fields. There are both cost benefits and indications that it actually leads to a more productive workforce. But you need to understand how much you’re willing to risk in the name of convenience, effectiveness, and cost savings. Basic protections like VPNs, full-disk encryption, and 2FA significantly reduce opportunistic and moderately complex attacks and accidental data loss, but they haven’t invented a firewall for humans yet.

NSA: Nation State Cyber Attack Included Virtual ‘Hand-to-Hand Combat’

Foreign government hackers caught secretly breaking into a U.S. national security network waged a 24-hour battle with cyber security officials trying to counter the cyber attack. Richard Ledgett, NSA D/DIRNSA, said the virtual battle inside a U.S. government computer network in late 2015 represented a new phase in the ongoing covert cyber wars. “It was a nation state actor who had gotten in and what we saw for the very first time, the adversary, once we detected them, instead of disappearing they fought back.” (Free Beacon)

A fascinating story, and you tell it so well. The problem of course is that this is not your threat model. Even if it were, this is not your talent base. It is a clear sign that attackers have little to fear from even the best defense and defenders, but it is misleading in the sense that people will think this is the state they need to achieve and that such capability is attainable in a meaningful time-frame. If most of the items this week have shown us anything, it is that too many of us can’t get the basics down; you have no business aspiring to nation-state status until you can say with confidence you have your own house in order.