Cyber Threat Analysis for 15 Jul 2016

Analysis & Commentary on the Week’s Cyber Security Issues

The “so what” factor feeds and aggregators don’t give you.


Obama’s cybersecurity strategy takes shape

The Commission on Enhancing National Cybersecurity was launched under President Obama’s executive order this year. It has taken on a broad mandate to examine all facets of the cybersecurity policy puzzle and will put a final stamp on the outgoing president’s approach to cyber. (Washington Examiner)

We know what it takes to reduce risk and combat threats; we are just not doing enough of either. Every President going back several decades has gone through this same exercise, which produces effectively the same document. The President who will leave their mark on cyber security will commission an implementation plan to carry out the timeless recommendations made over the years and make its execution a success factor for their executive appointees.

Accessing People’s Browser History Is Almost Like Spying on Their Thoughts

Given what web browsing history can reveal, there is little information that could be more intimate. Getting access to somebody’s web browsing history is almost like spying on their thoughts. This level of surveillance absolutely ought to come with court oversight. Yet a number of senators are moving to go in the opposite direction. (Slate)

This is America: investigations of citizens are supposed to be hard. It’s not that NSLs don’t have their place, but this is greasing an already slippery slope, especially when there are ample legal tools to accomplish the task. It is refreshing to see senior legislators take this stand on the issue. It is an indication that the level of understanding of cyberspace and security issues is growing more sophisticated and suggests that the better and more nuanced cyber security legislative proposals we so sorely need are not that far off.

U.S. Air Force project threatened by cybersecurity cost overruns

The U.S. Air Force is learning a tough lesson when it comes to hardening its systems against cyberintrusions, primarily that the cybersecurity threat landscape changes faster than the military’s budgeting process. Hardening the Air Force’s Operational Control Segment (OCX) program, which oversees GPS systems, has resulted in a 20% cost overrun for the project. The Air Force now has to decide whether to sustain or cancel OCX. (SC Magazine)

It’s always harder to add security later, yet it’s always what we seem to do. Malicious use of computers was not unknown when GPS went live, but it is certainly a concern today. So much so that the Navy, which stopped training in celestial navigation 10 years ago, is bringing it back. It is a recognition that while you can attempt to reduce risks and mitigate threats, resilience is arguably the more powerful capability to acquire and maintain.

Feds: Popular Computer Antivirus May Make Hackers’ Lives Easier

The U.S. Department of Homeland Security warned the public against the risks of using Norton and Symantec computer security tools, which come with critical holes that hackers could exploit to enter users’ systems. Government researchers explained that Symantec can actually help cyber criminals take control over a system because users are asked to allow the software to gain access to sensitive data on their computers in exchange for malware protection. (The Monitor Daily)

It is a common misconception that security software vendors are security companies. They are in fact software companies, and all that that implies when it comes to coding practices and quality. As highlighted two weeks ago in the industrial control space, fighting technological problems with more technology is tempting, but not always the best course of action. Decision-makers should take note that novel and effective means of improving security may have nothing to do with technology.

Cyber Threats Knocking On Door Of US State And Local Law Enforcement Agencies

The National Consortium for Advanced Policing released a report providing guidelines for state and local law enforcement agencies on how to identify cyber threats and improve awareness of how cybersecurity relates to their daily lives, as well as the importance of a collaborative approach to cybersecurity in order to counter the recent threat of cyber attacks on local agencies. (Homeland Security Today)

Law enforcement’s ability to combat cyber crime is woefully inadequate under the best of circumstances. This is a problem that just gets worse the farther down the governmental stack (federal, state, county, local) you go. We are reaching the point where it’s not ‘cyber’ crime, it’s just ‘crime’, and police at all levels need better ways of dealing with it if we’ve any hope of maintaining both the letter and spirit of the law. Technology is not going to change to suit the needs of law enforcement; the latter needs to look at how it does things and identify how to operate in a modern context while maintaining legally supportable changes to the otherwise hide-bound ‘way things are done.’

CISSP certification: Are multiple choice tests the best way to hire infosec pros?

Want a job in infosec? Your first task: hacking your way through what many call the “HR firewall” by adding a CISSP certification to your resume. A cottage industry of boot camps has sprung up to help would-be CISSPs cram for and pass the exam. Boot camps can cost thousands of dollars, and candidates must spend $599 to sit the exam. But does adding a CISSP to your resume really mean you know your stuff? (Ars Technica)

Certifications can be useful, but their use as an HR screen – and those who hack the system that way to get a job – are not doing the industry or their employers any favors. No, the CISSP is not the certification you should pursue if you want to be a deeply technical practitioner. Likewise, no one is going to hire a CISO because they’ve held the CompTIA A+ certification for 20 years. That’s not what they’re for, nor are they marketed that way. The more fruitful discussion would be which certifications, if any, are helpful for specific positions, but that would leave the non-certified, hands-on crowd without an outlet for their outrage and force certification bodies to demonstrate their value.

Cyber spies are still using these old Windows flaws to target their victims

Hackers using only the most basic forms of cyberattack have been able to successfully steal files from high-profile governmental and diplomatic targets. The researchers suggest that attacks originate from India and that attacks are undertaken using old exploits, low-budget malware tools and basic social engineering methods. (ZDNet)

Your weekly reminder of the importance of blocking and tackling.