Cyber Threat Analysis for 17 Oct 2016

Analysis & Commentary on the Week’s Cyber Security Issues

The “so what” factor feeds and aggregators don’t give you.


How Much Do You Spend on Cybersecurity…and on What? reported that according to an International Data Corporation (IDC) forecast, by 2020, spending on security-related hardware, software, and services will eclipse $100 billion. However, consulting company NTT Com Security recently surveyed 1,000 executives and found only about half of them reported having a formal plan to respond to a data breach. (National Law Review)

Half of all security spending is wasted; you just don’t know which half. If security is a business issue (which it is), business leaders should demand data on ROI as they do for other aspects of their business. That such data is hard to come by in security is not an excuse. We know that throwing money mindlessly at “the way things are done” only leads to the situation we are in today, which is really no better than it was 20 years ago. By changing our perspective and demanding more of our vendors and testing regimes, we can produce hard data on what is worth the expense and what is adequately funded. You will always be a cost center, but at least people will know you’re worth it, not wasteful.

St. Jude Medical Steps Up Cybersecurity Measures After Questions About Device Safety

Medical-device manufacturer St. Jude Medical has announced it will form an advisory board to address cybersecurity concerns following claims from short-sellers that its pacemakers and other devices are vulnerable to hacks. St. Jude’s Cyber Security Medical Advisory Board will include physicians to offer perspectives from the patient-management and clinical side. The advisory board members will work alongside St. Jude’s technology experts and external researchers “to help us maintain and enhance cybersecurity and patient safety,” said Dr. Mark Carlson, chief medical officer at St. Jude, in a prepared statement. (Modern Healthcare)

The echoes of history. If there is one thing we can rest assured of, it is that each new industry exposed to cybersecurity concerns is going to respond slowly, inadequately, and in a fashion that is perhaps best described as “kicking and screaming.” Security is what people and organizations are forced to do, not what they want to do. As practitioners we find this worldview abhorrent, but then we’re in the cybersecurity business; everyone else is just in business. The importance of medical devices not being vulnerable to trivial issues is something manufacturers and security wonks can both agree on, but a perfectly secure device is probably a device that won’t perform in an optimal fashion, which frankly is more important to someone who needs one.

Think like a cyber criminal, prevent a data breach

Where should financial services IT teams start in better defending their networks? “From sports fields to battlefields, there’s an adage that has been used for centuries that states ‘the best defence is a good offence’. The idea behind this theory is that having a proactive offensive attitude – rather than a reactive defensive posture – is the best way to keep the opposition occupied and limit their ability to conduct an attack. Financial services IT teams that think like cyber criminals will be able to take an offensive approach to security. Understanding what makes the organisation an attractive target, and how malicious actors will attempt to gain entry, will lead to a more secure network and reduce the number of costly data breaches that impact the organisation.” (IT Web)

This is not an argument for more pen testing. Understanding how your attackers think is key to developing “better practices.” A pen test tells you what works for bad guys, in general, in a very short period of time; it does not tell you what you have done right or what will fail if given enough time and attention. If this is an argument for anything, it is for an offensive testing regime that is far and away more rigorous and realistic than a pen test can ever be. If you adopt such practices, it is important to note that the goal is not to prevent a data breach – that’s not a thing – it’s to understand what design, engineering, policies and practices will make your ability to respond that much faster and more effective, and to develop metrics for cybersecurity spending ROI calculations.

7 signs your co-worker is a potential insider threat

Is there a spy in your office? Insider Threat Defense identifies behaviors that may indicate an employee is a potential insider threat. (Federal News Radio)

No one likes a rat. A good if well-known series of issues that have been linked to past insiders, which would be more helpful if people got their minds right about alerting the Security element to concerns about colleagues. The after-action reports of insider-threat cases are littered with reporting opportunities people failed to take for fear of misinterpreting something benign or being viewed as untrustworthy themselves. The hair on your neck is on end for a reason. You’re not a rat if you’re exposing someone who decided that cash is more important than your relationship or their own integrity.

SMBs victims of phishing attacks 5x more than ransomware

Despite a glut of research into new ransomware variants, low-tech threats like phishing attacks and viruses pose a more prevalent threat to small businesses than ransomware, according to a recent survey of SMB owners. 37% of small businesses that experienced a cyberattack were victims of malicious viruses, 20% experienced phishing attacks, and 15% experienced Trojan horses. Only 4% of business owners who suffered an attack were affected by ransomware. The report surveyed owners of U.S. businesses with fewer than 300 employees. (SC Magazine)

The importance of identifying an ideal customer. Ransomware is extremely lucrative, but only for victims who meet certain criteria. Like a legitimate business, criminals develop target personas and initiate campaigns based on those who are most likely to pay a specific amount within a specific time-frame. There is no profit in targeting those who don’t fit the bill. That being said, it is important to note that the SMB space is officially defined by revenue, not headcount, so it’s unwise to draw too hard a set of conclusions based on such a small sample size. What am I confident in saying? The SMB space is still woefully under-served by the cyber security industry, and as such will always have a disproportionate number of victims.

We’re Afraid of Getting Hacked, But We’re Not Doing Much About It

While large numbers of Americans appreciate the threat of getting hacked, they don’t seem to be changing their behaviors in any appreciable way. That’s a key finding of a new poll of views of online privacy, funded by Craig Newmark, the founder of classified-ad website Craigslist. The poll, overseen by Rad Campaign, a creative agency, and Lincoln Park Strategies, a research firm, found that trust in social networks has declined over the past two years, even as people use those same networks in greater numbers. (Bloomberg)

Cybersecurity is not the issue we think it is. The hue and cry that follows an epic breach or catastrophic hack rarely lasts past the next news cycle. People will rant about “domestic spying”…on social media on their mobile phones with the GPS on. We can only chalk up so much to user ignorance; at some point people have to admit their unwillingness to put in the work. The flip side of that coin? Security wonks need to recognize that if security is hard for them to address, it is orders of magnitude more difficult for ordinary folk. The lack of effort to design security products and services for an effective and pleasant user experience is one reason why we don’t have greater adoption of sound practices and defensive technologies.

Billion-dollar hackers: meet the gangs treating cybercrime like the Fortune 500

It’s clear that for ransomware gangs, business is booming, but these cyber criminals aren’t just making as much money as major businesses; they’re acting like them too. “There’s a whole structure there that’s needed,” Patel explains. “An individual can’t just go in and do this now; it’s not a one man job… these are companies.” (ITPro)

Your regular reminder that you’re going up against professionals, and if you are not acting accordingly, don’t be surprised at the results.