Cyber Threat Analysis for 04 Sep 2016

Analysis & Commentary on the Week’s Cyber Security Issues

The “so what” factor feeds and aggregators don’t give you.


Cybercrime Inc.: How Hacking Gangs Are Modeling Themselves on Big Business

The stereotype of cyber criminals as lone hackers huddled over a computer in their parent’s basement couldn’t be further from the truth. Now more than ever, cybercrime is carried out by gangs running sophisticated operations. The most organized criminal groups are operating like legitimate businesses, with departmentalized teamwork, collaboration tools, training, and even service agreements between malicious software providers and their hacker customers. Like the legitimate software market, cybercrime is now a huge economy in its own right, with people with a range of skill sets working together towards one goal: making money with illicit hacking schemes, malware, ransomware, and more. (ZDNet)
Get the money: dollar dollar bill y’all. Not a new revelation but a timely reminder that as a defender, you are going up against professionals. Whether legitimate or not, as soon as the ability to “make” money at scale is recognized, the mechanisms of the market are soon to follow. The trick as a defender is to take advantage of the same types of leverage without falling victim to the flip side of scale: bureaucracy. Efficiency and effectiveness are paramount, as is the ability to deal ruthlessly with those things and people that negatively impact either.

Courts Raising Bar For Data Breach Class Actions

The U.S. District Court for the District of Columbia in early August declined to grant standing to a class action filed in the wake of a data breach at CareFirst BlueCross BlueShield. In dismissing the class action, Judge Christopher Cooper concluded that the plaintiffs failed to show that the private personal data allegedly obtained by hackers had caused any injury to plaintiffs or was sufficient in and of itself to do so. Merely establishing that private personal information had been illegally acquired via a data breach is no longer sufficient to warrant standing in a class action. (Legal NewsLine)
The road to hell is paved with good intentions. Not clogging the courts with groundless lawsuits is important, but the potential for unintended consequences is significant. The mere loss of PII or PHI does not necessarily translate into personal harm…today. However, without an ability to detect when such data is exploited – and it will be at some point – rulings like this could make companies that handle such data complacent. Victims have no resources to track stolen data; hacked companies have no obligation to get it back. The sheer volume of data breaches means that when someone’s data is exploited, they cannot link that harm to any single breach.

Three Quarters of Firms Believe Tech Skills Gap Could Be Solved By Apprenticeships

Just under 75% of businesses believe the technology skills gap could be solved by taking on digital and technology apprentices. Research by employer network firm Tech Partnership found 56% of apprentice employers have difficulty finding the right people to fill jobs. (ComputerWeekly)

Apropos given that the most important work in security is that of the Journeyman. Chatter around this idea continues to grow, but an actual program and report on its effectiveness remains elusive. One serious drawback that I can envision: a skeleton staff that cannot keep up with day-to-day activities is hardly going to have time to deliver OJT to novices. Having said that, the ability to apply knowledge in a practical fashion in a real-world environment can be exceedingly valuable, arguably more so than exposure to concepts and tools in a boot-camp lab. An apprenticeship may require greater effort, but employers know they will have people who can do the job, not paper tigers.

Employee Security Hygiene is on a (Steep) Decline

In a new report entitled “The Widening Gap Between End Users and IT,” just above a third of over 3,000 employees believe they take all the appropriate measures to protect company data, down from 56% two years ago. More than half of respondents believe data security policies are being enforced and followed, yet 35% said their companies are enforcing them. While 61% of IT security pros said defending critical data has the highest priority, just 38% of end users think the same way. More than a third of IT security pros and almost half of end users said their company is willing to accept more risk to keep productivity high. (ITProPortal)
Your regular reminder that security is not the issue we think it is. Companies are in business, not the security business (even most “security” companies). Cyber security practices and discipline will fade as long as cash rules everything (around me).