Cyber Threat Analysis for 24 Oct 2016

Analysis & Commentary on the Week’s Cyber Security Issues

The “so what” factor feeds and aggregators don’t give you.

Subscribe to the Cyber Threat Analysis Weekly

US, UK Cybersecurity Officials: Destructive Hacks Are Coming

The world should brace itself for more physically destructive hacks, two senior cybersecurity officials said Wednesday, warning that a more dangerous era of hacking was already upon us. Paul Chichester, the director of operations at Britain’s new National Cyber Security Center, told an event hosted by British defense think tank RUSI that electronic intrusions were on their way to becoming more “destructive, disruptive and coercive. That will be our future,” he told a crowd of officers, academics and industry experts gathered for a two-day symposium in central London. (ABC)
Probably not, actually. Short of all-out war, no malicious actor gains from destruction. Even in the case of war, at least where the mission is the control of territory, disruption is the more effective approach (dusting off Effects Based Operations) because blowing stuff up only means you have to rebuild it once you’ve taken over. Further down the scale of conflict, you can’t make money (illicitly) if things are damaged. Victims need to be connected in order to perpetrate fraud. This is not to say that destruction is not in the cards, its just less likely to be armageddon and more Molotov cocktail.

Cyber Security Threats Getting Less Easy to Ignore

Nation-states — such as China, Russia, Iran, North Korea — are more aggressive in cyber attacks. The fraudsters have upped their game beyond the once easy-to-spot spam e-mails filled with bad grammar and spelling mistakes. Cyber security threats are growing more ominous for individuals, small business owners and large corporations. “In their mind, you’re low-hanging fruit,” said George Smirnoff III, senior vice president and chief information security officer for Comerica Bank. “As executives, guess what? You’re all targets. (Detroit Free Press)

Deja Vu all over again. It would be nice to think that this time people would pay attention but even in the days when things were “easy-to-spot” there was no shortage of victims. Cybersecurity is simply not the issue we think it is. That we have to have this same article with a different by-line every year is confirmation of that. As inappropriate or callous as this sounds, people are going to have to die before cyber threats are taken as seriously as physical ones. As security professionals we can rend our hair and gnash our teeth as much as we want, but we’re clearly not doing things that resonate with decision-makers and consumers.

6 Ways to Train Your Employees to Prevent Cyberattacks

Keeping your company safe from a cyberattack isn’t as simple as implementing endpoint protection software. You’ll want to train each and every employee to know what to look for before, during, and after work each day. Things such as phishing, physical theft, and spam can dramatically harm your business. I spoke with Michael Kaiser, Executive Director of the National Cyber Security Alliance, about the many ways in which companies should be providing workers with information and tools to stay alert about potential cyberattacks. (PC Mag)

Culture, culture, culture. If you have a strong security culture – procedures reinforced with training, backed by policies, observably supported by leadership – You are well on your way to reducing the failings of human beings (traditionally, the weakest link). The list of tips and tricks can be 6 items long or 100, if it is not baked into the culture it will fail. A strong security culture will result in people responding appropriately when presented with a sufficiently novel tactic or in the absence of clear guidance, which given the range of malicious tactics in use/being developed, is exactly the kind of behavior you want.

Moving cybersecurity from art to science

When it comes to cybersecurity and the ability to catch threats in the early stages before they can much damage, where does government stand? Effective, ineffective? Is it at least improving? The picture over of the past couple of years  doesn’t look encouraging. One of the emerging technologies that’s being pitched as a potential advance for security is big data analytics, which can look into the flood of data that’s being collected by various sensors and sort out the patterns that might point to potential security attacks. Even though many are skeptical of data analytics, particularly predictive analytics, it’s one of the more promising technologies government can use to get in front of security problems. (GCN)

You need data: period. Whether its “big” data or not, hard numbers are not hard to come by if you’re clear about what you’re trying to measure. To date most have been comfortable with the ambiguity associated with security products and services, but let’s be clear: the opposition is very data driven and their success is due in large part because we have thrown up our hands about how ‘intangible’ security is. Cybersecurity metrics are thing; you have to figure out what they are relative to your enterprise and integrate them into your operations if you hope to achieve any sort of forward progress or asses cybersecurity spending ROI.

There Isn’t a Cybersecurity Skills Gap: Rik Ferguson

“You’re being conned. There’s no such thing. It doesn’t exist,” says Rik Ferguson, vice president for security research at Trend Micro. He’s talking about the much-discussed skills shortage in the cybersecurity sector. Ferguson was speaking at the national conference of the Australian Information Security Association (AISA) national conference in Sydney. “The problem is too many organisations are busy hiring pieces of paper, and not busy enough hiring people.”  (ZDNet)

He’s right, in a sense. There is clearly a shortage of talent, we just don’t know the true scope or scale of the problem because of the hiring (and retention) process. The problem is acute enough that recruiters and HR departments will resort to myriad shortcuts in order to address the issue of volume, but such approaches are inadequate for assessing quality or potential. The further away hiring managers get from the process the worse the problem becomes. Therein lies a conundrum: if you’re too busy to screen and engage candidates, how do you expect to address your problems? We like to think automation can be applied to every problem, but that’s clearly not the case. This is a people problem and it will take time regardless, so why not make that time count?

Why Poor Cyber Hygiene Invites Risk

Modern cybersecurity today is all about risk management. That means eliminating and mitigating risks where possible, and knowingly accepting those that remain. (Dark Reading)

Your regular reminder of the importance of blocking and tackling.