Cyber Threat Analysis 23 Jan 2017

Analysis & Commentary on the Week’s Cyber Security Issues

The “so what” factor feeds and aggregators don’t give you.


Cybersecurity in the Internet of Things is a game of incentives

Given the proliferation of [IoT] devices—already, there are estimated to be at least 6.4 billion—there remains the critical question of how to ensure their security. The cybersecurity challenge posed by the internet of things is unique. The scale of connected devices magnifies the consequences of insecurity. (The Hill)

That we are tacking on security after the fact is an echo of commodity IT security history. The IoT world has plenty of lessons to learn that could help it avoid the painful mistakes of the past, but that doesn’t seem likely as the demand for functionality continues to trump security concerns. The costs associated with making “secure” IoT devices are more than consumers are willing to pay, which means phenomena like the Mirai botnet are merely a precursor to the new normal from a threat perspective. An incentive-based approach to improving cyber security is not new, but it’s unclear why anyone thinks it will work this time around. Sadly, it is more likely that casualties are what will drive change.

What Consumers Think About Businesses Post-Data Breach

Over the past few years, hundreds of businesses have suffered the ultimate technology failure: the data breach. Though some businesses might recover from a data breach, believing their technological snafu to be little more than an embarrassing blunder, the truth is that data breaches have a lasting impact on brands’ reputations and consumer opinions. (Customer Think)

Do they really? Hacked businesses could respond faster and in a more empathetic fashion; customers are victims too, after all. That some still feel that getting hacked is a cause for shame is one reason why they don’t, which is what leads to consumer mistrust. Every hacked business suffers in the short term, but very few suffer long-term effects if revenue and stock price are any indication. In the end, pricing/value tends to overcome most consumers’ dismay over security failures. This is not justification to slack off, but recognition that security in the retail space faces some particular challenges, not all of which can be overcome.

Cyber criminals avoid fraud within their own ranks with new site

Sometimes it’s not easy being a cyber criminal. In addition to law enforcement and private security companies, cyber thieves have to battle fraudsters out to beat them at their own game. has been maintaining a database of known “rippers” or scammers since June last year and it may help online black markets flourish. Fraud is a nagging problem in the cyber criminal world. Although some hackers believe in honor amongst thieves, others peddle bogus stolen credit card numbers or user credentials that turn out to be fake. (CSO Online)

It’s getting so you can’t find an honest criminal anymore. If you were ever in doubt about the professionalism of your adversaries, let this piece disabuse you of that notion. Cyber crime is their business, and they’re good at it to the tune of billions of dollars a year. As you think about how much to spend on cyber security, where, and in what fashion, keep in mind that you’re probably going up against someone with at least as much business acumen as you. Formulating a defensive scheme that takes into account your adversary’s ROI calculations (“raise attacker costs”) can produce meaningful results, but it is difficult given the lack of data to support decision-making (e.g. a pen test deliverable tells you where you came up short; it rarely tells you where they came up short). A better defense starts with having both positive and negative information about the state of your security posture.

How CIOs trap themselves by recycling the same talent

According to recent Gartner research, talent is the single biggest issue standing in the way of CIOs achieving their objectives. Like many other professions, CIOs tend to recycle talent within their sectors. If you’re good at automotive, pharmaceutical, banking, insurance or retail IT, you tend to stay in those environments. While this creates expert knowledge of the sector and a high skillset, it can also mean that we end up approaching problems with the same mindset and consequently create the same or similar solutions. We end up trapped by our own expertise and viewpoints. (Computer Weekly)

The power of involving an outsider in your work cannot be overstated. I literally co-founded a whole company thanks to that approach. A fresh set of eyes, a different set of experiences, a different outlook, can lead to novel and powerful solutions. If there is a caution with this approach, it is that one needs to balance outside experience with the realities of the domain. Rotating people in and out of security organizations tends to add to the chaos if not done properly. We should demand rigor and accountability in a cyber security practice. We also need to recognize that measures of success in this discipline do not always lend themselves to the familiar lower-left to upper-right renderings that non-security people are most familiar with.

Now more than ever, manufacturing needs to guard against cybersecurity threats

According to “Cyber Risks in Advanced Manufacturing,” a report from the consulting firm Deloitte and the industry association Manufacturers Alliance for Productivity and Innovation (MAPI), 39% of manufacturers that responded to a survey had experienced a cybersecurity breach in the past year. Additionally, nearly half of surveyed executives acknowledged that they were not fully confident that their organization’s assets were protected from external threats. (Supply Chain Quarterly)

Manufacturers had IoT issues before there was an IoT. Industrial control systems, robots, building control systems: these are all “cyber” issues that rarely get the attention given to commodity IT. Further complicating cyber security in the manufacturing sector: attackers exploiting trust relationships in the supply chain. Ensuring you have a solid understanding of the threat is arguably the most important thing you can do to help reduce risk. No one in the widget business thinks anyone is targeting them, until it is too late.

How to Turn Every Employee into a Cybersecurity Expert

While it is the obligation of a CSO or CISO to spearhead a company’s defense against cyber attacks, the responsibility cannot fall solely on the shoulders of a single person. With 43% of data breaches caused internally and the average data breach costing $4 million, fostering a company wide commitment to cybersecurity awareness becomes a shared responsibility. (Security Magazine)

Improving cyber security awareness and reducing employee-based risks starts with the recognition that an “enforcement” mindset is very often counter-productive. It does not help that security organizations tend to be staffed with people who live to say “no” and operate like the police, rather than as enablers of a more secure business (there being no such thing as a completely secure business). Incorporating cyber security training into your business, and improving awareness and behaviors, is possible. It’s been done. Success depends on making these issues readily understandable, delivering the material in easily digestible chunks, and demonstrating how poor security practices impact the business in the real world.