Cyber Threat Analysis 21 Nov 2016

Analysis & Commentary on the Week’s Cyber Security Issues

The “so what” factor feeds and aggregators don’t give you.


Happy Thanksgiving everyone!

To Defend Against Cyber Threats, Expand Your Security Perspective Outside Your “Walls”

Defending your business and customers against cyber threats starts with understanding what you’re up against. That may sound pretty obvious; studying the adversary is a common practice. In sports it’s done all the time. Teams watch hours of game film of their upcoming opponents to understand strengths and weaknesses and devise winning strategies and plays. But when it comes to cyber security, instead of looking outward, we’ve become accustomed to traditional security approaches that start at the perimeter and focus inward. In today’s increasingly connected and digital world we need to expand our perspective to look outside the walls of the enterprise as well. (Security Week)

“Know your enemy and know yourself and you can fight a hundred battles without disaster.” Sun Tzu, every cyber security philosopher’s favorite source of quotes, had something going there. Cyber defenses tend to focus on things that have been seen before. But there is a difference between knowing what your enemies can do and knowing how they think and why they think that way. Arguably the greatest misconception in cyber security today is that offense has it easier than defense, but an attacker doesn’t have to be right only once; they have to be right several times in series. Every time they get something right or wrong it’s an opportunity for the defense to respond. That you’re not picking up on those clues is an indicator that you know neither your enemy nor yourself.

IoT Attacks Could Bring Real-World Damage

Members of Congress received a dire warning this week about security vulnerabilities in the so-called internet of things (IoT), as cyber experts cautioned that with billions of new devices coming online, coordinated hacking attacks could become — literally — a matter of life and death. House lawmakers convened the hearing on IoT security in response to last month’s distributed denial-of-service attack on the internet addressing provider Dyn, which resulted in temporary outages at popular sites like Twitter and Spotify. (Network World)

I’m not worried about not being able to reach Twitter; I’m worried about not being able to escape my house. Seasonal heat-related brown-outs and ice-related power outages are trivial compared to what is possible when everything that makes your life convenient is bricked and large swaths of homes and businesses can be rendered uninhabitable at any given moment. That IoT is largely an infrastructure or maintenance thing and not a corporate IT thing just means security will be given even shorter shrift (ever dealt with a commercial landlord?). You may choose to not buy “smart” appliances but if enough of your neighbors do you’ll suffer the same negative impacts if they’re hacked en masse.

Study: 66% of Organizations Won’t Recover After Cyberattack

A recent study performed by IBM’s Resilient and the Ponemon Institute found that 66% of organizations would be unable to recover from a cyberattack. The results of the 2016 Cyber Resilient Organization study show a decline in organizational resilience against cyberattacks. Of the respondents, 32% of IT and security professionals ranked their resilience as high. That same number was 35% in 2015, marking a drop over the past 12 months. A press release announcing the study defined resilience as “an organization’s ability to maintain its core purpose and integrity in the face of cyberattacks.” (Tech Republic)

Make America Vulnerable (Again). Given that most phishing attacks are ransomware attacks or that 77% of ransomware attacks successfully bypass email filtering, this doesn’t exactly instill a lot of confidence in the future of the private sector. Granted, businesses go under all the time, but in this case no business need run the risk of closing its doors due to a ‘cyber’ issue if they would just address some fundamentals. Good security need not be complicated, expensive, or time-consuming. Nothing is guaranteed, but do you want to go down fighting or with a self-inflicted wound?

Cyber Responsibility: The Trickle-Down Effect

There was a time when cyber security was the sole responsibility of IT, but those days are long gone. Today’s executives know better than to presume themselves and their enterprises immune from a cyberattack, which is why staying safe online requires more than an old “do as I say” mentality. A pair of Cisco leaders, CEO John Chambers and SVP and Chief Security and Trust Officer John N. Stewart place the responsibility squarely on the leadership’s shoulders. “The CEO must make it clear that security is not just an IT problem—it is a priority for the business that is top of mind. Business and technology leadership must work together to discuss potential risks and find solutions that protect intellectual property and financials alike.” (CIO)

Toujours en Avant. I just made this very same argument recently to a room full of CxOs and board members, to varying levels of agreement. You’re never going to convince someone who has had the ‘lead from the front’ mantra drilled into his psyche that there is any other approach, but then in business circles not everyone at echelons-above feels the same way. Regardless of your leadership style remember one thing: people will focus on whatever they are rated on or compensated for. If cyber security is not something that impacts their personal bottom line, they won’t do it regardless of what you say or do.

Adobe Fined $1M Over Personal Data Leaked in 2013 Data Breach

A data breach that occurred in 2013 has resulted in Adobe Systems being fined $1 million by 15 U.S. states for failing to put the necessary security measures in place to prevent the attack. Almost half a million of the company’s customers were affected in the breach when servers containing their personal data were accessed after a cyber attack. North Carolina and the 14 other states involved in the case have levied such a high fine on Adobe to send the message that companies are indeed responsible for their customer’s data. (IT Pro Portal)

That’ll show ’em! To put things into perspective, Adobe made $1.4 Billion last quarter. There is no shortage of talk about the costs of data breaches rising, but economically speaking doing the least you are required to do – poorly – still makes a lot of sense for the largest enterprises, which ironically are the ones who have the most personal data to lose. To be fair the time and expense of trying to determine who needed to be alerted probably cost another $1M, but that’s 3-5 cyber security FTEs they didn’t have to hire. What’s the solution? With courts increasingly requiring that “victims” show loss or suffering due to a breach, it’s not clear that there is one.

Back to Basics: Maximizing Cybersecurity Capabilities

Following the 9/11 attacks in 2001, firms around the world turned their attention to enhancing physical security. At the time, many organizations established vast data centers to protect against the loss of company data and to ensure the continuity of business operations. Fast forward to the present day, and innovative information technology solutions are once again contributing to robust risk management programs, specifically around the ability to prevent and combat cyberthreats. But while new defense technologies to obstruct cyberthreats are innovative and often helpful, there are a number of prevention techniques that have existed for many years that remain fundamental components of any modern security program. (Dark Reading)

Your regular reminder of the importance of blocking and tackling.