Cyber Threat Analysis for 22 Sep 2016

Analysis & Commentary on the Week’s Cyber Security Issues

The “so what” factor feeds and aggregators don’t give you.

Almost every business has been hit by a ‘significant’ cyber-attack

A survey by Lloyd’s of London, which quizzed CEOs and other senior management at around 350 European companies, found that no less than nine out of 10 big businesses had been hit by a ‘significant’ cyber-attack in the last five years. Despite that fact, the research discovered that less than half of those organisations are worried about getting blasted by a breach in the future. Lloyd’s CEO Inga Beale declared that European businesses are ‘complacent’ – and that it’s a reality that a company will be “hacked or attacked in some way”, at some point. (TechRadar)

Hack me once, shame on you. The idea that firms are confident in their ability to weather future attacks is mildly disturbing. Assuming these events were stereotypical, their performance was likely somewhere between dismal and sorry. Most organizations learn the wrong lessons from past failures because data from breaches only tell you what went wrong; hackers don’t provide deliverables on what they tried but victims were able to defeat. There is your data to support security spending ROI. If your offensive testing regime doesn’t provide it, demand it from your service provider.

How HR and IT departments can join forces to bolster security strategies

The threat of data breaches, and the rising costs of dealing with the aftermath of security incidents, are pushing security strategies to the top of the corporate agenda and boardroom discussions. The impact of a breach can be far reaching: from reduction of share values, to lost client contracts and the operational impact of downtime. Whilst cyber security may once have been thought of as the exclusive domain of the IT department, it’s time to enable a more collaborative, cross-departmental approach. (IT Pro Portal)

Cybersecurity is too important to be left to the nerds. You can rest assured that as long as this issue is not dealt with in a cross-functional manner and with an eye towards business goals, security will never be the issue we think it is, and whatever “solution” that is developed will fail. Every system is secure and operates as designed as long as humans don’t get involved, which is why the more non-technical inputs you have to the cybersecurity process the better the outcomes are likely to be. 

Covering webcam ‘doesn’t hurt,’ not a replacement for good computer security

FBI Director James Comey does it and thinks you should, too. A piece of tape or cover to block the webcams built into laptop screens can serve as a robust cyber-security measure against hackers. “There’s some sensible things you should be doing, and that’s one of them,” Comey, whose FBI notoriously hacked webcams to spy on targets, said last week during a conference at the Center for Strategic and International Studies in Washington. (TribLive)

Every little bit helps. I don’t know any security pro who doesn’t do this, so to say they are laughing it off is somewhat disingenuous. Is it a fix for camera hijacking? No, but it works, so what’s so funny? The theme of blocking and tackling gets a lot of repetition here because there is significant value in doing the very basic. There are not enough professionals, so the more we get the amateurs to practice fundamentals, the more we can concentrate on the complex.

Volkswagen Launches New Cybersecurity Firm To Tackle Car Security

Volkswagen has teamed up with cybersecurity experts to establish a new company dedicated to automotive security. On Wednesday, the German automaker said that the new company, dubbed Cymotive, is the result of the efforts of Volkswagen and three Israeli cybersecurity experts. Tim Erlin, Director, Security and IT Risk Strategist at Tripwire commented below. (Information Security Buzz)

A smart move that should be copied by other industries. Gathering as much rare talent as you can around a technology/problem set they are excited about is a key factor in retention. Likewise, there is tremendous value in being able to guide research and gain rapid (exclusive?) access to findings. Ensuring conflicts of interest do not arise will be critical to establishing credibility. No one likes to work on things that will never see the light of day, especially when it comes to issues of safety.

Uber, Square, Airbnb, and others form cybersecurity coalition for vetting vendors

Cyberattacks have become more frequent in recent years. How hackers gained access varies case by case, but in some instances, the culprit was a compromised vendor system. There are ways to make it harder for hackers to gain access, but it’s going to require that everyone step up their game. That’s the reason cybersecurity experts from nine tech companies have banded together to create the Vendor Security Alliance (VSA), a coalition determined to establish cybersecurity standards that businesses can use to assess how secure third-party providers really are. (Venture Beat)

Are you your brother’s keeper? In an interconnected world you may not have a lot of control over second- and third-party connections, but you are almost assuredly impacted by them. It is not unreasonable to require that partners and vendors take reasonable precautions, and to define what those are, as a prerequisite of doing business with you. Finding partners who can comply and auditing them regularly to ensure compliance has the potential to reduce risk on a much larger scale than any discrete thing you can do alone. This approach will be complicated if you deal with truly small businesses that barely spend money on IT, much less IT security.

Ransomware’s next target: Your car and your home

With more and more connected objects joining the Internet of Things, there’s the potential that cybercriminals could also seek to install ransomware on these additional devices. Researchers at Intel Security recently discovered a vulnerability in the infotainment system of a connected car from one manufacturer, which could allow criminals to install malware on the vehicles’ systems. (ZDNet)

The rhymes of history. The Internet and related technologies have been a net plus in our lives, but our rush to slap a computer and network connection onto anything and everything, despite the dangers, repeats itself with alarming regularity. Insecure PCs, tablets and phones did not result in the end of society, but impair people’s ability to live safely and travel and you are flirting with a serious challenge to the legitimacy of legacy institutions. People will stand for a security incident with their cars or homes: once. Heads will roll if it happens more than that and at any sort of scale.