Cyber Threat Analysis – 27 Mar 2017

Analysis & Commentary on the Week’s Cyber Security Issues

The “so what” factor feeds and aggregators don’t give you.

Subscribe to the Cyber Threat Analysis Weekly

Emerging Tech Creates Cybersecurity Solutions, Threats

Companies must understand that artificial intelligence, quantum computing and other new technologies bring both opportunities and collateral cybersecurity threats, panelist and lawmakers said at a March 22 Senate hearing. New technologies provide hope that companies will be able to stem the rising tide of cyberattacks, panelists told the Senate Commerce, Science & Transportation Committee. But those same advances in AI, blockchain-distributed authentication and quantum computing also carry new cybersecurity risks for companies.  (Bloomberg)

Cybercriminals are increasingly finding innovative ways to hack into U.S. companies and steal sensitive and often valuable corporate data. As more companies adopt internet of things (IoT) devices connected to the web and increase their involvement in the digital economy, their risk of facing a disabling cybersecurity event exponentially expands, security professionals said.

Here are the top 6 ways websites get hacked, according to Google

In 2016, the number of hacked websites rose by 32%, according to a recent blog post from Google. And, unfortunately, the search giant said it believes that number will continue to rise as hackers become more sophisticated. While 84% of webmasters who “apply for reconsideration” were able to clean up their sites, the post said, 61% were never alerted by Google that they had been hacked. The primary reason for this disconnect for more than half of hacked webmasters is that their sites weren’t verified in Google’s Search Console, which the company uses to communicate information about websites.(TechRepublic)

Blocking. And. Tackling. Stolen credentials, patching, social engineering, all the usual behaviors top the list, which should come as no surprise. Why employ something “sophisticated” when the simple will do? The pursuit of high-end solutions or ‘platforms’ is a waste of time if one is not going to get the basics down. Insert your own structure-on-a-weak-foundation analogy here. We lament the use of “FUD” to get people to buy widgets, but no one seems to want to talk about much less work down the economic stack. Yet it is this un-glamorous domain where we will see the most progress and ROI, and our only real chance of driving up the cost of attacks.

What the Cloudbleed disaster says about the state of internet security

Last month, Cloudflare, a web content delivery network, revealed that a security bug had caused sensitive data to leak from its customers’ websites.The security bug, or Cloudbleed, was found in a part of the Cloudflare system that powered vital security features.The Cloudbleed contamination resulted in private information leaking into the code of other web pages in the Cloudflare network. The data exposed ranged from private messages and IP addresses to cookies and passwords and was activated as early as September 2016. (Information Age)

If you’ve not heard of Sturgeon’s Law, take a minute to read up and then understand that cybersecurity is a domain rife with c**p. There is this misplaced sense of confidence we have because we think ‘security’ tools are better designed and built than ordinary ones. This is demonstrably false, but what choice do we have? Going without such tools is not an option, yet how do we stand in front of non-experts and speak with any credibility? All the pop-business lessons and mantras repeated in software entrepreneur porn were not made with security in mind, only profit. There is nothing wrong with making money, but if you’re in this fight for the sake of security, you need to strive for higher standards.

“If you want peace, prepare for war” – newspapers face the growing threat of cyber attacks

On 19 March, Sweden’s major news websites experienced a massive DDoS attack, taking the sites fully or partially offline for several hours. Although it is not clear from where the attacks originated, online traffic analysis indicates that the majority of the traffic came from a network of computers located in Russia. The implications of the attacks go beyond cyber security as news media were their target, raising questions about the possibility of a malicious actor orchestrating a media blackout. (WAN/IFRA)

Looking at a tree and ignoring a forest. The more serious concern is the alteration of news, not the removal of it. In the dawn of the age of “fake news” there is no more dangerous tactic than changing a message destined for an uncritical audience of information consumers. Everyone knows when a web site goes down that there is a problem; very few will notice when content in a web site is diddled with if it is done with sufficient skill. A reminder that the best defense against true information-based attacks is critical thinking.

Former cyber czar looks to change info sharing

Founded in 2014 as a consortium of cybersecurity firms seeking to improve threat-information sharing and incident response, the Cyber Threat Alliance is now a formal non-profit with former White House cyber czar Michael Daniel as its president. CTA members submit threat information into a proprietary platform that allows them to extract shared data in proportion to the quantity and quality of data they provide. “If you’re a member, your defensive products can now be based on a broader set of information than just your own,” Daniel said. “That’s a significant improvement just right there. And that happens at scale, at speed.” (FCW)

If you’re a member. Cybersecurity firms should be competing on value, not their access to commodity data with an ever-decreasing half-life. Yet feeds and feed aggregation are a cash cow so few are actually willing to slaughter in the name of security. The extent of the problems we face, and the associated scale and scope of same, shouldn’t be something proprietary. You can look up and crunch data on things that kill you more easily than you can things that will lead to identity theft or financial fraud. And while the former will happen eventually, you’re more likely to suffer from the latter several times in your lifetime.

Attackers thrive on misaligned incentives, executive overconfidence

Cybercriminals have the advantage, thanks to the incentives for cybercrime, while defenders are hard-pressed to keep up as they often operate in bureaucratic hierarchies. While cybercriminals have a direct incentive for their work, the survey not only shows there are few incentives for cybersecurity professionals, but that executives are much more confident than operational staff about the effectiveness of the existing incentives. (Enterprise Innovation)

A good cyber criminal gets rich; a good cyber defender gets health insurance. The more institutions treat cyber defense like other lines of business the worse this problem becomes. Part of the solution involves identifying security-related metrics that matter. The other part of the solution is recognizing that what a cyber defense unit and its people see as a reward is often not what motivates others in the company. Everyone likes money, but that alone is not the answer. Taking the time and effort to identify what drives your defenders and what they value is more likely to produce a motivated team that produces desired results.

Data security threat grows as businesses stagnate on solutions

According to a new report, organisations are putting more money toward data security solutions, only to experience more security breaches than ever. The issue is that organisations keep spending on the same solutions that have worked in the past, but have become outdated in today’s modern threat landscape. This can be seen in the fact that network and endpoint security continue to top the list of planned spending categories, despite the fact that endpoint security is now ranked at the bottom of the list in terms of effectiveness at preventing data breaches and data theft. (PACE)

We cannot expect to make progress in this field if we are not willing to try something new. It is easy to get hysterical over claims of the ‘death’ of a particular defense or the ‘end’ of a particular methodology. Firms that purport to have cracked these particularly hard nuts may be perpetrating hype, but even nascent efforts to break old paradigms should be taken seriously and the most promising employed liberally. What got us to this point is not going to take us the rest of the way. Advancing the cause of security is almost certainly going to be the death of cash cows and the abandonment of old dogmas.