Cyber Threat Analysis for 23 Oct 2017

Analysis & Commentary on Cyber Security Issues

The “so what” factor feeds and aggregators don’t give you.


End-user security requires a shift in corporate culture

An internal culture change can help organizations put end-user security on the front burner. If an organization only addresses security once a problem arises, it’s already too late. But it’s common for companies, especially startups, to overlook security because it can get in the way of productivity. (TechTarget)

Organizations that take security seriously are the ones who make security a part of the everyday routine. Not because it is not important, but to ensure that the message of how important it is gets driven home every day, multiple times a day. Too often security improvement efforts fail because security is treated as ‘special’ rather than ‘important.’ There is a difference, and those who recognize it are the ones who realize the benefits of investing in training, policy, and procedure. Aligning security incentives à la performance incentives exploits the fact that we’re all human, and that’s a good thing.

NIST Small Business Cybersecurity Act Passes in the House

On October 11, 2017, the House of Representatives passed bill H.R. 2105, the NIST Small Business Cybersecurity Act (NIST Act), which would require the US Department of Commerce’s National Institute of Standards and Technology (NIST) to provide cybersecurity guidance to US small businesses. The Act would require NIST to issue voluntary guidelines, within the year following enactment, specifically tailored to the cybersecurity needs of small businesses. (National Law Review)

You can lead a horse to water, but you can’t make him configure off-line backups to mitigate ransomware. The SMB space is the largest segment of the economy, yet the most poorly served of markets when it comes to tools and talent. Too small to merit ‘enterprise’ capabilities and attention by Sales; too big and diverse to be effectively addressed like consumers. That they have standards is nice but probably not terribly useful absent resources, and a change in the mindset of business owners. The APTs look like a far-away problem when you’re trying to make payroll.

Bad passwords and weak security are making ships an easy target for hackers

Commercial shipping vessels have such poor cyber security it’s possible to track them down and hack into them via poorly secured communications systems. Many of the problems stem from how ships traditionally ran on dedicated, isolated networks which didn’t connect to the outside world. Now ships have evolved to become connected industrial control systems which happen to float and sail around the world’s oceans. (ZDNet)

The NotPetya malware attack is costing Maersk $300M; imagine pwnage happening on any or every ship, worldwide, daily. That’s not the future, that could happen now. For every Maersk or Matson there are a dozen shipping “SMBs” that stitch together ships, captains, and crews in order to move goods around the globe: cybersecurity is not on their radar (no pun intended). Cybersecurity at ports isn’t much better, which means even if a given ship is hardened against attack, the moment it connects ashore it is exposed to threats. Low bandwidth and processing power mean ships aren’t likely to be targeted for their resources, but they are most certainly targets for disruption, destruction, and deception.

Cyber security industry key to solving skills gap

The cyber security industry needs to do a better job at marketing itself, demonstrating what roles are available, and making it easier for people to switch careers, according to a panel of industry experts. “As an industry, we are facing a huge shortfall in skills. We are not sending the right messages to bring people into the profession – we are telling people we need one thing, but actually we want to hire for something else,” he said. (Computer Weekly)

You cannot read a cybersecurity staffing story and not wonder if people aren’t taking an hour to save themselves ten. HR gets the bulk of the blame for hiring foibles and shortfalls, but they can only act on the information they get from hiring managers. No amount of recruiting magic can overcome crap requirements and unrealistic compensation schemes. Effective recruiting is a joint effort that requires an investment from all parties, and all parties have to work in harmony. Ultimately, however, it’s the C-level that needs to set the priorities against which hiring takes place. You can build a solid cybersecurity team quickly, cheaply, or well, but only if you pick two.

Are IoT developers paying attention to security?

You can now readily buy “smart” door locks, coffee machines, garden sprinklers and even teddy bears. At present, many IoT gadgets are not as secure as they should be. Businesses using smart devices such as thermostats and security cameras need to be doubly careful. If your business uses these, you’re basically extending the boundaries of your corporate network. (Telegraph)

No one demands “secure” IoT devices, which is why manufacturers make functional ones. Blaming manufacturers and their developers for making insecure IoT devices is like blaming Ben & Jerry’s for your weight gain; no one knocked an apple out of your hand and shoved Cherry Garcia in your face. By opting to value utility over security we get the situation we’re in now: lots of opportunity due to the data generated by the IoT, along with lots of opportunities to have those devices crash and that data exploited maliciously. There is no ‘baking in’ security when it comes to IoT devices at this point in time. We will re-learn the lessons of the PC age, slowly, until a sufficient amount of catastrophe forces us to that Unsafe at Any Speed moment.

New bill would allow hacking victims to ‘hack back’

Reps. Tom Graves (R-Ga.) and Kyrsten Sinema (D-Ariz.) introduced a bill that would allow hacking victims to “hack back” when attacked. The Active Cyber Defense Certainty Act allows individuals and companies to hack hackers if the goal is to disrupt, monitor or attribute the attack, or destroy stolen files. “The certainty the bill provides will empower individuals and companies [to] use new defenses against cybercriminals,” he said. “I also hope it spurs a new generation of tools and methods to level the lopsided cyber battlefield, if not give an edge to cyber defenders.” (The Hill)

The proper response to getting mugged is not to go out and buy a .454 Casull and then go looking for trouble. The proper response to getting mugged is to file a police report and take steps to minimize the risk of being a repeat victim. Nobody wants it to get out that their defenses failed, because lawsuits, but everyone thinks that going Charles Bronson is a sound course of action because…not lawsuits? I understand the sentiment, but I’m trying to think of a more fruitless way to deter attacks. Offense, particularly in the commercial space, has a role, but giving Alice or Bob the right to pop caps isn’t going to end well.

Myth busted: A wait-and-see approach to cybersecurity is a terrible idea

While the costs tied to protection can be daunting, especially for small organizations, the costs only increase after an attack. For healthcare organizations that are already struggling with staffing shortages and tight budgets, there’s just too much to be done. And so they often undertake minimum requirements to reach HIPAA compliance and wait for an incident to react. There’s one simple reason not to wait: “It costs far more to recover from a breach than what an organization would have paid for protection.” (Healthcare IT News)

In the immortal words on the wall of my auto mechanic: pay me a little now, or pay me a lot later. Everyone thinks they’re the ones who won’t get pwnd. They’re too small, too obscure, unimportant. Everyone forgets that they might not be rich, or deal in valuable intellectual property, but they do have resources: computers. There is a reason why someone put crypto-currency mining software in ‘smart’ light bulbs, or why bitcoin mining bots are a thing. CPUs may be commodities, but when you run them full-out they get expensive. It is also important to note that some of the biggest breaches are the result of the violation of a trust relationship. Every firm you deal with that doesn’t take security seriously undermines your efforts.