Cyber Threat Analysis for 21 July 2016

Analysis & Commentary on the Week’s Cyber Security Issues

The “so what” factor feeds and aggregators don’t give you.

90% of global consumer product companies have experienced a data breach, almost half not complying with regulations

Capgemini Consulting conducted a global survey of 300 managerial executives across 86 companies in the consumer goods industry. The report found that 46% of executives said their company lacks robust policies for ensuring data privacy, and that 90% of the companies surveyed had experienced data security breaches; broken down by maturity, 88% of “front-runners” and 100% of “slow-starters” admitted to having experienced breaches of their consumers’ data. (Canadian Underwriter)

You have to wonder what progress we hope to make when no one seems to care. Past reports have documented the results of similar surveys, which reinforce the idea that security – being something forced on most of us – always gets short shrift. The story below suggests one way to remedy that situation, but we would need to see a steady stream of negative impacts at the C-level before there was a sea change in attitude and action.

Will Linking Executive Pay to Cybersecurity be the Wake-Up Call CEOs Need?

The Culture, Media and Sport Committee’s investigation into cybersecurity, which was triggered by last October’s cyber-attack on TalkTalk, has published its report. It suggests that a portion of CEO compensation should be linked to effective cybersecurity: “To ensure this issue [cybersecurity] receives sufficient CEO attention before a crisis strikes, a portion of CEO compensation should be linked to effective cybersecurity, in a way to be decided by the Board”. (Infosecurity Magazine)

Nothing attracts attention like a negative impact to compensation. Generally speaking, what gets rated is what gets done. If you set goals, particularly numeric ones, at the expense of other issues, do not be surprised when people do all sorts of crazy things to make their numbers. Good security costs money, and not all of that can be borne on the backs of customers. Greater security also means more inconvenience, which impacts productivity. As promising as this may be, there is no corresponding declaration that boards and investors are prepared to take the financial hit that elevating security is going to have on revenue and profit.

Security experts: antivirus products become increasingly useless

An interview reports that many security experts agree antivirus software isn’t doing a good job of protecting against today’s threats. Cybercriminals increasingly focus on social engineering and phishing rather than on circumventing antivirus software. (MyCE)

Life is easy when you have the luxury of dealing in absolutes. Picking on anti-virus – or any security product – is a popular game, but it is not terribly useful or informative. Every product or class of products has shortcomings, but lost in all the hate is the recognition that, while they are not perfect, most security products, used properly, allow increasingly rare expertise to focus on the most serious problems and not the trivial ones. Absent a dramatic increase in investment in novel approaches to security problems, we have to fight the war we are in with the weapons we have.

Auto Industry Bug Bounty Programs Point to Our Security Future

Top auto industry companies have announced coordinated vulnerability disclosure programs. This use of ‘bug bounties’ to encourage global hackers to help identify security holes points to the future of critical infrastructure protection. Here’s what’s happening now with crowdsourcing vulnerability management, and why the entire cybersecurity industry is taking notice. (Government Technology)

Functionality trumps security. Always. Regardless of the industry, companies are incentivized to produce goods and services people want (benefits), not secure goods and services. Bug bounties, while an after-the-fact solution, are arguably the most cost-effective and timely way of reducing the risk associated with using increasingly code-dependent capabilities. Reducing bugs that impact security (and in this case safety) through better coding practices has never had sufficient traction and likely never will until there is a sufficient loss of life.

NYU study finds cybersecurity threats in 3D printing

A study from New York University researchers suggests that 3D printing presents challenges to network and data security. The study says ‘malicious actors’ can hack into printers without strong network controls and alter the orientation of a printer itself, or introduce micro-additives in material which can compromise the integrity of a final project. The impact of faulty products could result in large-scale recalls or lawsuits. (Education Dive)

This is a potential issue that goes beyond printing naughty bits on desktop hobby gear. When you realize that 3D printing can be used to produce substantial things that might play a significant role in your life, health or safety, the importance of the integrity of that process and the materials therein becomes apparent. However, if our own experience is any indication, do not expect manufacturers to take security seriously. At least not until the first fatality.

Many Lloyd’s contracts woefully inadequate on cyber wording

An analysis of almost 400 reinsurance contracts underwritten at Lloyd’s of London has found that there could be significant vulnerabilities and exposures if a catastrophic cyber-attack were to occur. The analysis concluded that in the event of a catastrophic cyber-attack, reinsurers could find themselves open to the full limits on their policies, which were initially intended to cover property damage or casualty lines, if a cyber “hack” is found to be the proximate cause of loss. (Intelligent Insurer)

History: rhyming. Few seem to remember that about five years ago cyber insurance was a thing, until insurers started losing money, and then it wasn’t. It is back, yet there is no clear indication that the market has learned its lesson. There is no analog to, say, supplemental life insurance, where someone shows up to verify your claims about height, weight, health and lifestyle. The current strategy seems to be: protect yourself with fine print, and if that fails, litigate for pennies on the dollar. A great deal if you have billions backing you, not so much if you’re the victim trying to be made whole.