Cyber Threat Analysis for 14 Apr 2016

Analysis & Commentary on the Week’s Cyber Security Issues

The “so what” factor feeds and aggregators don’t give you.


Will the Panama Papers Make All Law Firms a Bigger Target?

The massive haul of data from the Mossack Fonseca Panama Papers breach includes over 2.6 terabytes of data, the largest known breach in hacking history. It is pretty clear that Mossack Fonseca did not exercise good security practices. Their emails were not encrypted, their websites had many vulnerabilities which could have contributed to exploitation, and, perhaps more importantly, Mossack Fonseca did not have a means to detect the movement of all this data out of their enterprise. (ThreatBrief)

Given the state of cyber security at most law firms, it’s unclear if the Panama Papers case raises the threat or merely alerts firms to the fact that they’ve had problems but didn’t know it. Hackers don’t respect the principle of attorney-client privilege, so if your firm has not been working to reduce the risk of inadvertent disclosure since you started networking the office, you’ve probably been an open book for some time. Resist the urge to spend money on tech and people you don’t necessarily need. Take some time to appreciate and model the threat, and understand the risks. Start your cyber security program on a solid foundation of blocking and tackling because that’s where you get the best ROI.

Business Leaders Are Inadvertently Leaving Their Companies Open to Threats From Social Engineering

Cyber criminals are increasingly turning to social media to mine valuable information on targets, with many high-profile business figures inadvertently revealing more than they should. The study discovered that, although 62% of businesses offer staff advice on digital security and the kinds of personal information they should and should not be posting online, many business leaders are making silly mistakes that leave their firms open to risk. (City AM)

The information age should remember a few practices from the industrial age. Things like “CEO-fraud” are a multimillion-dollar problem because too many have forgotten old-fashioned practices like the “four-eye” rule and how inter-connectedness and our demand for speed can amplify a mistake. Oversharing online provides attackers with the information they need to effectively spoof whomever they need to. Make sure your people know that they are always welcome to contact you out-of-band if the purpose is to avoid being defrauded. Understand that just because you can reveal something about yourself does not mean you should; consider whether the benefits of doing so outweigh the potential risks.

Don’t let embarrassment about a data breach cost you even more

Nobody likes to be embarrassed. This fact of human nature helps explain why the breach-disclosure laws that have been adopted by many states can be leveraged by data thieves for even more profit than they could realize before. When a company’s executives decide to hide a breach, that decision can leave them vulnerable to the attackers behind the breach in the first place, who know that the company has not done what the law requires and can now threaten it with disclosure. (Computerworld)

The idea that anyone should be ashamed that they were hacked is one that needs to die. Gross negligence aside, there are far too many factors that are out of your control as a good guy. A good defense requires significant investment, extensive and intensive effort, and perpetual vigilance, and even then there are no guarantees. That you do not have to report a breach does not mean that staying silent is the best course of action, economically or practically. The more you and your peers know about your adversaries, the better prepared you will all be to combat them. Everyone has come up short at least once; don’t let embarrassment stop you from contributing to the good fight.

Burr And Feinstein Release Their Anti-Encryption Bill… And It’s More Ridiculous Than Expected

They’ve been threatening this for months now, but Senators Richard Burr and Dianne Feinstein have finally released a “discussion draft” of their legislation to require backdoors in any encryption… and it’s even more ridiculous than originally expected. (Techdirt)

That security/privacy experts would excoriate such an effort is not a surprise, but it is also not particularly helpful. This draft bill would not be a thing, or at least such a horrible thing, if there were a proper cyber security lobby, vice a bunch of angry math nerds making fun of political science majors and lawyers. Security and cryptography experts would be advised to find sympathetic ears in Congress and help them draft legislation that might actually work rather than deriding the efforts of amateurs who are almost inevitably being told what to say by those you oppose. Politics is the game and if you are not playing you have no chance of winning.

Top US Undergraduate Computer Science Programs Skip Cybersecurity Classes

An analysis of the top 121 US university computer science and engineering programs found that none of the top 10 requires students take a cybersecurity class for their degree in computer science, and three of the top 10 don’t offer any cybersecurity courses at all. (Dark Reading)

If software is eating the world, is anyone surprised that there is a demand for carnivores? As long as functionality trumps security in the marketplace, do not expect schools to make a serious effort to educate future developers on how to code in ways that reduce vulnerabilities. This is a multi-generational problem that would take generations to undo even if there were sufficient demand, which there is not. Calls to make developers liable for poor practice have never gone anywhere and are unlikely to do so, barring a sufficiently severe and/or far-reaching catastrophe.

Cyber Liability Insurance: Do Businesses Really Need It?

Most brick-and-mortar business owners have never heard of cyber liability insurance. This is unfortunate because this type of insurance can protect businesses in the event of a cyber attack, a type of attack that can essentially destroy a business’s online presence. A cyber liability insurance policy is critical for businesses that do most or all of their business online. (

Like any other form of insurance, you get what you pay for, and the devil is in the fine print. Insurance doesn’t protect you in the event of an attack, and it may not even make you whole. Your failure to disclose sufficient or accurate details about your IT infrastructure and defensive mechanisms, or the use of a sufficiently novel attack, could be (and has been) grounds for not reimbursing your claim. Any dispute with your carrier is almost assuredly going to lead to a settlement that is pennies on the dollar. Insurance can be a part of your overall risk mitigation strategy, but remember that insurance companies are not in the habit of writing checks.