Cyber Threat Analysis for 16 Jun 2016

Analysis & Commentary on the Week’s Cyber Security Issues

The “so what” factor feeds and aggregators don’t give you.

45% of organisations unsure if email cyber attack insurance will pay up

Email and data security company Mimecast, has issued “a warning to organisations relying on cyber insurance: your policies may not be fully up-to-date in covering new social engineering email attacks, leaving firms at risk for taking the full financial brunt of these attacks”. The research was assisted by “a survey of 436 IT experts at organisations in the US, UK, South Africa and Australia in March 2016”.  (IT Wire)

Your regular reminder that cyber insurance is shiny, but it isn’t a silver bullet. It takes very little to find yourself out of compliance, and consequently not covered by your policy. The importance of constant vigilance not just from a security perspective, but for pedestrian issues like inventory control (You were compromised via that box? That box is not covered.”), cannot be over stressed. Cyber insurance is really only cost effective when the wounds are not self-inflicted.

SMEs not prepared for the threat of cyber criminals

Research from Barclaycard claims cyber security is not being prioritized by small businesses. Only 20% of the organizations surveyed believe cyber security is a top business priority, with 10% claiming their team has not invested in cyber security at all. The average attack costs UK businesses between £75,000 and £311,000. More than 50% of the respondents believe their organization is at risk of a breach within the next 12 months. (Business Cloud News)

Every enterprise can harden themselves against attacks, as long as that enterprise can foot the bill. Most small businesses do everything then can to stay afloat; cyber defense cuts into already razor thin margins. It does not help that most security solutions are designed for big-E enterprise sales (thousands of nodes), and most salespeople prefer chasing a few massive sales, not dozens of small ones. Until a solution/business model formula can be worked out that benefits all parties, SMBs will continue to be at greater risk of compromise, and if they are a link in your supply chain, consider them a weak one.

The Most Important Security Question No One Seems to be Able to Answer

Let me ask you a very simple question: “What is your organization’s sensitive data, and where is it?” You can’t shrug this two-part question off, although many security leaders have been doing just that. While we can all agree that fundamentally security can’t succeed without knowing what we’re protecting, there are next to no good answers for how to do this. There is, however, no lack of excuses for why organizations don’t have these answers. (Security Week)

Blocking and tackling will do more to improve your security posture than the hot technology of the month. Good computer security has little to do with fancy tools or flashy displays. SANS and OWASP vulnerability lists remain largely unchanged content-wise over the years for a reason: very few people have mastered the fundamentals. If you cannot readily answer cyber security 101 questions you are wasting time and money, and as the next story indicates, you aren’t doing yourself any favors in the eyes of the people upstairs.

Why Security Execs Lack Confidence in Security

A majority of IT security executives are only somewhat confident in their enterprise’s security, according to a new survey. One-third of respondents are confident in their security posture and one-quarter said they communicate effectively about security metrics and posture to senior management. These executives continue to rely mainly on quantitative metrics aimed at preventing breaches.  (CIO Insight)

Cyber security isn’t respected in part because as a practitioner you’re always coming up short, often in very public fashion. Data that is readily collected and reported – anti-virus hits, vulnerabilities – don’t necessarily translate one-to-one into factors that impact your security posture or response capability. Even when the data is there, as mentioned a few weeks ago, practitioners are notoriously bad at communicatingThe more rigorous and realistic your efforts to test your defenses and response capability, the more meaningful data you will be able to share with Mahogany Row. 

Terrorist groups acquiring the cyber capability to bring major cities to a standstill, warns GCHQ chief

Terrorists and rogue states are gaining the capability to bring a major city to a standstill with the click of a button, the Director of GCHQ has warned. Robert Hannigan said the risk to cities like London would increase as more physical objects, such as cars and household appliances, are connected online – the so-called “internet of things”.  (Telegraph)

Better cyber security around IoT is imperative, but hyperbole is not helpful. Rodents and primates cause more network and power issues than things-cyber. Rather than focus on the Who and the How, we would be better served making sure our infrastructure is resilient enough to deal with the What. This is not a security issue per se, but a design and engineering one, which is probably why it won’t be resolved soon (not sexy enough). You may not be able to keep the grid up, but you can take steps to ensure that your enterprise is able to fail gracefully in the aftermath of any sort of outage.

ISIS Cyber Threat Limited Says Deputy Commander of U.S. Cyber Command

ISIS has “lots of aspirations” to be a major threat to U.S. networks, Lt. Gen. James K. “Kevin” McLaughlin told Wall Street Journal. Major state actors pose a significantly greater threat than ISIS, though it could threaten soldiers by posting information about them online, Lt. Gen. McLaughlin said. (WSJ)

Until it is demonstrated the cyber attacks can kill reliably and at scale, “cyber terrorism” should not be a major concern. This has effectively been the state of terrorist capabilities for over a decade, which speaks to their view of cyber attack as a means to their ends. Computers as a means of communication? Use of encryption and other methods of avoiding detection and interception? Terrorists care about these things much like everyone else. A most dangerous scenario would involve self-radicalization of someone in a position of trust, who would use their legitimate access to cause irreparable damage to systems linked to life support (hospital) or way of life (critical infrastructure).

Real Hackers Don’t Wear Hoodies

Most people probably have an idea about what a hacker looks like. The image of someone sitting alone at a computer, with their face obscured by a hoodie, staring intently at lines of code has become widely associated with hackers. After decades of researching hackers, I’ve decided that this picture is distorting how people need to see today’s threats. It makes some very misleading implications about the adversaries that people and businesses need to focus on. (

There is no graver sin in security than underestimating your adversary. This is especially true if that judgement is passed because of their haberdashery. The flip side to this coin is also true: don’t disregard someone’s expertise just because they’re casual of dress or otherwise unconventional in appearance. If you are not hiring someone based on this most superficial of factors, you’re saying you care more about flash over substance, which might explain why you need so much help.