Cyber Threat Analysis for 15 Sep 2016

Analysis & Commentary on the Week’s Cyber Security Issues

The “so what” factor feeds and aggregators don’t give you.


New Rule Would Require City Firms to Hire Cybersecurity Officers

Banks, insurance companies and other financial firms in New York would need to expand their C-suites to include a chief cybersecurity officer under new rules proposed by the state’s Department of Financial Services. Last year, Ben Lawsky, then superintendent of the DFS, warned of an “Armageddon-type” cyber attack that would devastate US financial markets. Gov. Andrew Cuomo announced the proposal on Tuesday. The “first-in-the-nation” proposal would require financial firms to implement a cybersecurity program to identify threats and protect their systems, as well as safeguard information accessible to third parties. (NYPost)

Our compliance goes to 11. It’s hard to imagine a firm on Wall St. that doesn’t already meet this requirement; consequently, it is hard to understand what the point is. Having a position and mandating reporting doesn’t necessarily improve security, but it does give a boost to the compliance market. Not that compliance is unimportant, but without a mechanism to hold firms and people accountable for security, why add to the burden (and the corresponding rise in costs)? Addressing these issues through law is notoriously difficult, but it is what we know how to do, so it’s what we do. Crack this nut and you’ve done more to advance the cause than any technological breakthrough.

Security Think Tank: How to Detect the Undetectable?

Malware has always been one of the top cyber security concerns, with 71% of respondents to the (ISC)2 2015 Global Information Security Workforce Study citing it as a significant threat. This shows no sign of abating, particularly as today’s malware is becoming increasingly sophisticated and difficult to detect. (ComputerWeekly)

Old Problem; Wrong Question. Will you be able to detect any given thing before it lands in your network? No. Can you more rapidly detect and respond to any given (anomalous) activity in your network? Certainly. “Thing” detection, and other methodologies from the castle/wall/moat point of view, have never been a sound approach to security. As long as functionality trumps security in the average enterprise, the need to operate at an uncomfortable level of risk will always exist. The goal is not to keep all evil out; it’s to make finding and dealing with evil so fast and easy you (kind of) don’t care.

Cyber Threat Sharing is Now a Two-Way Street Between Industry and Government

One of the more controversial laws passed last year just hit a major milestone. Companies are now officially sharing their cyber threat data with the government. As of Sept. 12, the Department of Homeland Security’s Automated Indicator Sharing (AIS) capability became a two way exchange of information on malicious cyber acts. The program comes from the Cybersecurity Information Sharing Act of 2015 (CISA), a law that spooked privacy rights groups and had broad support from the intelligence community. (Federal News Radio)

All of one company. Every year “public-private partnerships” is touted (usually by the government) as a key to success in cyber defense. We have decades of studies and reports saying sharing is important. Yet such enterprises are not nearly as productive as you might imagine, and truly meaningful efforts that are proposed are DOA. Sharing cannot be forced. People share because there is mutual benefit, and the government is notoriously parsimonious when it comes to give-and-take (it’s mostly take). CISA has the potential to be a step forward, but there is no clear indication it will address this issue any better than previous efforts. Especially if they can’t break double-digit participation.

49% of Execs Say IoT Benefits Trump Security Concerns

When it comes to IoT security concerns, business executives at the top levels of organizations appear not to be as worried as those at the lower levels. Almost half of executives surveyed said they believe the benefits of connected devices outweigh the concerns about security, while 34% of IT professionals and 26% of those involved at the lower level of business share that view, according to a new study by CompTIA. (IoT Daily)

Functionality trumps security. Always. If there is a way to make money off of a thing, that is going to be the priority of every commercial concern involved with that thing. To make a thing secure AND profitable is extraordinarily difficult, and not something that the market asks for anyway. This is not a moment to throw up our hands in defeat, but an opportunity to look at a technology or field and try to address security issues in novel ways, not repeating the mistakes of the past. Commodity IT security is far more of a lost cause than IoT, though the window of opportunity to avoid disaster is dangerously small.

Government ‘Not Cool Enough’ for The Best Cybersecurity Talent, Admits MoJ

The creme de la creme of cyber security talent don’t think working in government is “cool”, according to an internal recruiter at the Ministry of Justice. In a blog post, the recruiter said that he had interviewed his 10th candidate in three months for a security engineer role, but lamented the fact that security-minded people who can think originally don’t perceive working in Whitehall as cool. The MoJ recruiter said that the perception that if [security professionals] were to work for government, they would “forever be in a dank corner, trying to troubleshoot memory issues in some mid-90s middleware, and be valued by how many colour-coordinated reports they can churn out” wasn’t true. (ITPro)

Well, it’s partially true. Regardless of where you live, there is no getting around the fact that if you work for your Uncle Sam – or Her Majesty – you’re working as a cog in a bureaucracy. There is a lot of drudgery in government, but by the same token there are some things that you can only work on in government, and those things can be exceedingly cool indeed. You cannot point fingers at government incompetence in this field and simultaneously disdain to work there, even if for a little while. That just makes you part of the problem. It’s not going to get better if all they can get are those who live for filling out TPS reports.

Public Yawns at Threat of Cyber Crime

The seemingly impenetrable National Security Agency was hacked recently. So was the Democratic National Committee, and voter registration offices in Illinois and Arizona. It’s been a summer of escalating cyberattacks — a trend that government officials say could lead to a “cyber Pearl Harbor.” So where’s the public outrage? Has the public simply accepted cyberattacks as part of life? Not quite. Cybersecurity experts say people aren’t crying for protection because the attacks, for the most part, have yet to hurt them personally. Oh, and the topic is boring. (San Diego Union Tribune)

Your regular reminder that security is not the issue we think it is. When it is trivial to make you whole after a breach, when the costs of breaches are painlessly passed on to consumers, when the level of effort required to bring a cyber criminal to justice far and away outweighs the penalties they will suffer (or that are recoverable), cyber crime is never going to rise to the level of much more personal and painful meat-space crimes. As the U.S. District Court for DC recently pointed out: there is being a “victim” and there is being a victim. Most people are not victims.