Cyber Threat Analysis for 10 Apr 2017

Analysis & Commentary on the Week’s Cyber Security Issues

The “so what” factor feeds and aggregators don’t give you.

Subscribe to the Cyber Threat Analysis Weekly

IoT Security in Danger of Being Ignored

Security in Internet of Things (IoT) devices has been highlighted by the recent Mirai and Dyn botnet attack. Events like this these should not dissuade organisations from using IoT technology, as it is opening up a vast space for data collection and consumer convenience. IoT security will improve, but organisations must take steps to protect their hardware from attacks – and data privacy issues. It will require management, but the outcome will be worth it. (Security Brief Asia)

“In danger,” or “is being?” So far, in the trade-off between utility and security, the former is winning. The primary difference being that out of the box IoT devices provide organizations with minimal visibility and control. Not that commodity IT is completely transparent, but there is usually ample documentation, and we’ve had decades of experience building tools to tell us things that such devices won’t give up ordinarily. The easier IoT makes our lives the more loathe we will be to give it up in the name of ‘security.’ This means absent incentives to improve at the design and manufacturing level, its going to be the last 30 years all over again, only harder. If we’re lucky, we’ll be faster.

Top 5 Dumbest Cyber Threats That Still Pay Off

The common conception of cyber attacks are kind of like bad weather, ranging from irritating to catastrophic, but always unpredictable. Hackers are simply too sophisticated to draw any reliable judgments about, and we shouldn’t try. As it turns out, some hackers are fairly predictable in their successful use of really dumb attacks. In summary, a great many cyber threats are not sophisticated nation-state level, well thought out attacks. The bulk, in fact, tend to be the least effort required for success, which sometimes turns out to be not very much effort at all. (Dark Reading)

Why burn something high-end when something pedestrian will do? Malicious actors are so often portrayed as having it easy vice the work defenders have to put in, but that’s a misconception. 0-day in something worthwhile is hard and expensive. It has a short half-life. If a target isn’t using 2FA, hasn’t patched its systems in months, and supplies ample OSINT with which to build phishing lures, that’s the path down which they will go. Offense has it ‘better’ than defense only in the sense that they can more easily calculate ROI.

Chinese APT10 Hacking Group Suspected of Global Campaign Targeting MSPs

In what is described as “one of the largest ever sustained global cyber espionage campaigns,” China-based hacking group APT10 is suspected of orchestrating a well-planned attack on companies across 15 countries, says The Telegraph, quoting a new report. Managed IT service providers (MSPs) and other firms in countries including the UK, Japan, France, and the US have been targeted since 2016; in some cases, possibly as early as 2014. (Dark Reading)

Your rob banks because that’s where the money is. You outsource your IT and IT security to a service provider because they have expertise you don’t. But the quality and diligence of service providers varies. They’re subject to the same issues other service providers are when it comes to talent and costs. A lapse at a service provider is a potentially exploitable condition that can impact multiple organizations, not just the service provider itself. A reminder of the importance of diligence, no matter what you do or how skilled you are.

More Than a Quarter of SME (SMB) Staff Lack Cyber Threat Training

Data from cyber insurance provider CFC Underwriting shows that 38% of its claims in 2016 could have been avoided through better staff education and training on cyber risks. Some 27% of small to medium-sized enterprises (SMEs) are failing to educate staff on the threat of a cyber attack. This is despite the fact that nearly four in 10 of CFC’s claims in 2016 were caused by phishing attacks that could have been avoided with better education and training. (ComputerWeekly)

Another indication that cyber threat awareness is not evenly distributed. You cannot train them to respond accordingly when you don’t know what to teach them. What are you protecting? What is most valuable to you? What are you most concerned about? These are the starting points and foundation of all of your cybersecurity efforts, not just the technical. Starting out correctly not only pays dividends, it reduces costs; when the inevitable happens you’re head and shoulders above those who haven’t built on a solid foundation.

Anthem to Data Breach Victims: Maybe the Damages Are Your Own Darned Fault

Insurance giant Anthem has effectively scared off possible victims of a 2015 data breach by asking to examine their personal computers for evidence that their own shoddy security was to blame for their information falling into the hands of criminals. Some of the affected Anthem customers sued for damages they say resulted from the breach but then withdrew their suits after Anthem got a court order allowing the exams. The examiners would be looking only for evidence that their credentials or other personal data had been stolen even before the Anthem hack ever took place. If that proved to be true, it would call into question whether the plaintiffs’ alleged injuries had truly been caused by the Anthem hack. (Network World)

If it sounds like a ‘who is the father’ episode of the Jerry Springer show, you’re not far off. To be fair to Anthem, customer security hygiene is probably not what it could be, which would mean a leak of their data via Anthem would merely be insult to injury. But Anthem almost assuredly has far more information about an individual in one place than that person has on their home PC, so its not just about lost credentials or SSNs. I’m also not aware of many breach settlements that paid out more than a token amount to downstream victims, while as we saw last week, a well-insured breach victim might actually make money. Breaches happen, but not having an entry in shouldn’t be a prerequisite for justice, especially if the breach was preventable and the organization staffed, equipped, and required to be better at security than their customers.