Cyber Threat Analysis for 10 Oct 2016

Analysis & Commentary on the Week’s Cyber Security Issues

The “so what” factor feeds and aggregators don’t give you.

/* “harmful language” filters caused a delay in sending last week’s newsletter, so you’ll get double the fun this week. */

The Best Way to Protect Data is to Kill It

[The] vice president and chief technology officer for Data Protection at Gemalto affirms that over the last 12 months hackers have continued to go after sensitive data to steal identities.“A breach involving 100 million user names is not as severe as a breach of one million accounts with social security numbers and other personally identifiable information that are used for financial gain. At the end of the day, the best way to protect data is to kill it. That means ensuring user credentials are secured with strong authentication and sensitive data is protected with encryption so it is useless to the thieves.” (IT Brief)

Encryption isn’t ‘death’ its a ‘coma.’ Step 0 in securing information is knowing what you’re trying to protect. Storage memory is cheap so we’ve gotten used to not cleaning up after ourselves and leaving data laying around willy-nilly. But just as important as knowing what you have is knowing what you don’t need anymore and taking any associated risk off the table by deleting it. While encryption can be a powerful tool in protecting information, it isn’t necessary if you simply don’t have the data in the first place.

Not OK, Google

At its hardware launch event in San Francisco yesterday, Alphabet showed the sweeping breadth of its ambition to own consumers’ personal data – data of a far more intimate nature — than ever before. The scope of Alphabet’s ambition for the Google brand is clear: It wants Google’s information organizing brain to be embedded right at the domestic center. In other words, your daily business is Google’s business. (TechCrunch)

This is how it ends: not with Skynet but Big Brother. In order to work effectively such a system needs a constant stream of data, which means everything you do or say is necessary to ensure maximum “value.” There is no place for privacy in an AI-enabled world. Most of us cannot hire an actual Majordomo, but there is a higher probability that they would be more discrete than the digital stand-in being offered. Is your life really so inconvenient that you’ll surrender your privacy totally for relief? And let someone else get rich off of it to boot?

IAEA Chief: Nuclear Power Plant Was Disrupted by Cyber Attack

A nuclear power plant became the target of a disruptive cyber attack two to three years ago, and there is a serious threat of militant attacks on such plants, the head of the United Nations nuclear watchdog said on Monday. “This issue of cyber attacks on nuclear-related facilities or activities should be taken very seriously. We never know if we know everything or if it’s the tip of the iceberg.” Amano declined to give details of either incident, but said the cyber attack had caused “some disruption” at the plant, although it did not prove to be very serious since the plant did not have to shut down its operations. (Reuters)

Everything is connected and everything is broken. For all the precautions taken by enterprises in the critical infrastructure space the fact remains that no system is unreachable. Experience also tells us that no matter how secure a system should be by design, you can rest assured that human failings will render a whole lot of engineering useless. Obscurity has not been an effective strategy in this space for some time, but security has played second fiddle to safety and reliability (rightfully so). Most attempts by cybersecurity practitioners to make the leap from commodity to industrial IT have not gone well, the latter not having the luxury of limitless memory, extensive bandwidth and other features the former take for granted. If we want to help ensure the lights stay on, we need better informed practitioners and more open-minded industry partners.

Hospitals Need Better Cybersecurity, Not More Fear

Cybersecurity risks associated with medical devices must be weighed against the often life-saving benefits of these devices. Hospitals struggle in assessing those risks: They may not know which medical-device assets are exposed to cybersecurity threats or get meaningful responses from vendors, and there is no national testing facility for medical-device security. There are different schools of thought on how to safely and effectively share information regarding medical-device security vulnerabilities. However, we should agree that vulnerability reporting should not be done in a manner that causes people to make decisions based on fear, rather than on clinically relevant data. (Modern Healthcare)

A little fear can be a useful tool for change. If you came up during the early days of business IT security, this is going to sound familiar, yet all current indicators suggest the outcome is probably going to be worse. While its easy to make someone metaphorically whole again if their bank account is hacked, its not clear that one can literally be made whole again should their implantable medical device get “blue-screened.” FUD is amplified when the matter is life and death, but we should ensure that the cure is not worse than the disease. Personally I would rather be treated in an ER with a slack password policy than be waiting for a life-saving treatment while the doctor is on hold with the help desk to get her password reset.

NIST Finds Security Fatigue Endemic Among Computer Users

A new study by NIST found that a majority of typical computer users experience “security fatigue” that often leads to risky computing behavior at work and in their personal lives. Security fatigue is defined in the study as a weariness or reluctance to deal with computer security. “The finding that the general public is suffering from security fatigue is important because it has implications in the workplace and in people’s everyday life,” said Brian Stanton, a cognitive psychologist and co-author of the report . “It is critical because so many people bank online, and since health care and other valuable information is being moved to the Internet.” (Biometric Update)

Security products are developed by security nerds, for security nerds, which are an increasingly rare breed. Think about how you get a new app from your phone: search, click link to install, start using app. Now think about all the flaming hoops you had to jump through the last time you had a security problem, or tried to install some security mechanism. ​The less users have to think about making sound security decisions, and the easier it is for them to take action, the less likely they are to become victims. Hard core security wonks will laugh at the idea of cybersecurity UX, but there is a reason why the more elegant and efficient a tool the more passionate its users. 

The Rise of Cyber-Crime as a Service

This year began with explosive growth in ransomware domains, according to a DNS threat index, driving an all-time high in new malicious domains. The threat index, which measures the creation of malicious DNSs including malware, exploit kits, phishing and other threats, was created by Infoblox. “There has been a seismic shift in the ransomware threat, expanding from a few actors pulling off limited, smaller-dollar heists targeting consumers to industrial-scale, big-money attacks on all sizes and manner of organizations, including major enterprises.” (CIO Insight)

C.R.E.A.M. For all the talk of “nation-state” threats (which are a certainly a thing) the fact of the matter is that the motivation for most malicious activity online is quite simple. Cyber criminals are just as business-oriented as the enterprises (and individuals) they steal from, and probably just as good if not better at their jobs. Cyber crime is a business; victims of cyber crime are not in the cyber security business. That disconnect is in large part why combating this problem is so difficult. Those who are forced to fight back will never do as well as those who willingly (create and) enter the breach.