Cyber Threat Analysis for 06 Mar 2017

Analysis & Commentary on the Week’s Cyber Security Issues

The “so what” factor feeds and aggregators don’t give you.

Subscribe to the Cyber Threat Analysis Weekly

Security of IoT Devices to be Rated for First Time

Consumer Reports, a US non-profit group that reviews cars, kitchen appliances and other goods will begin considering the cybersecurity and privacy safeguards of products when rating them – a long overdue move perhaps, given Internet of Things (IoT) device manufacturers have previously been accused of doing the barest minimum to protect consumers. (Sputnik International)

The hype of what could happen due to an insecure computing device has always been a smidgen overblown until now. Its unclear how much consumers will actually care, given the primary emphasis on product functionality, but you cannot argue ‘the market has spoken’ if no one gives these issues a voice. Conflicts between security product vendors and testing entities are well known, so it will be interesting to see how manufacturers respond to the CR methodology. Regardless of how things turn out, it is refreshing to see that we’re responding to security issues in IoT faster than we did with commodity IT.

Is Your Data Breach Response Plan Good Enough?

Many savvy organisations are investing time and thought into data breach response plans. But plans rarely survive first contact with the enemy. That is why it’s important to stress test your incident response plan to identify weaknesses while time is on your side. (Insurance Post)

Your plan is probably the best it can be given that you drafted it based on a lot of assumptions. The fact that you don’t test those assumptions realistically is what will trip you up when its time to execute. No, a pen test is not enough. The best attackers are not noisy and they don’t limit their efforts to those systems you deem safe for testing this quarter. A periodic, comprehensive, testing without artificial limitations is the only way you’re going to know if your plans can withstand real world situations. This is not being reckless (though if you’re afraid a pen test will crash a vital system maybe security is not your biggest problem?) its about recognizing that there are far too many variables, constantly changing variables, to ever think that a static three-ring binder of directions will be useful.

Hack Back Measure Might Give Companies Vigilante Powers

The Active Cyber Defense Certainty Act would amend the Computer Fraud and Abuse Act to give entities that are a “victim of a persistent unauthorized intrusion” against their “computers” the ability to infiltrate an alleged cybercriminal’s computer for attribution purposes or to disrupt a cyberattack. It doesn’t allow entities to destroy information stored on other computers, cause physical injury to others or create a public health or safety threat. (Bloomberg)

This is a reasonable idea based on historical and legal precedence; this particular approach however, is terrible. We all understand the sentiment at work here, but if you can’t effectively defend yourself, you don’t have any business going on offense. Those ‘ethical hackers’ who will come out of the woodwork if this passes are not adequate for what you have in mind. Governmental use of proxies to project power is not a new thing, and if this is the path we want to go down then we should learn some lessons of when it was best put to use. Ultimately however, we should be asking: what’s the point? Your data, once taken, is gone forever. What point revenge if there is no satisfaction?

Yahoo Breaches Underline Executive Role in Cyber Security

The Yahoo board has decided to withhold CEO Marissa Mayer’s 2016 annual bonus in connection with a series of data breaches and accepted her offer to forego her 2017 stock award. Yahoo’s SEC filing also revealed that general counsel Ronald Bell has resigned without severance pay after an independent committee brought in to investigate the breaches concluded that the Yahoo management team failed to respond effectively to the breach discovered in 2014. (Computer Weekly)

That business executives don’t feel like cyber security is something they should take responsibility for, like any other aspect of their business, is baffling. No CEO would stand for epic fails like this in operations or sales. Is it because its ‘just cyber?’ When your bank account is seven-figures lighter than it would otherwise be how ‘virtual’ is the problem now? In the Navy, when a ship runs aground, the Captain is relieved. It doesn’t matter if a subordinate was actually behind the wheel. The CEO of Yahoo isn’t being flow off the ship in disgrace, but this case will always be a reminder of how not to lead when it comes to cyber security.

Verizon: Most Breaches Trace to Phishing, Social Engineering

90% of data breaches seen by Verizon’s data breach investigation team have a phishing or social engineering component to them. Not coincidentally, one of the hottest commodities on underground or dark web marketplaces are credentials, which attackers can use to log into enterprises and make it appear that they’re legitimate users. (Bank InfoSec)

There are very few technical fixes to human failings, but the defense against human gullibility that two-factor authentication has is one of them. If someone grabs you, your laptop, and your phone/fob you’ve got other problems, but for the rest of the world 2FA basically takes a whole class of problems off the table. Defending against attacks facilitated by unwitting insiders is a matter of will, not budget. 2FA is pennies/user/year, and regular phishing training is not much more. Compared to the direct and indirect costs of dealing with a breach, its not even a contest.