Cyber Threat Analysis for 29 Sep 2016

Analysis & Commentary on the Week’s Cyber Security Issues

The “so what” factor feeds and aggregators don’t give you.


Top Cyber Threats Can Shift by Industry, But Risk is Universal

What keeps risk managers up at night? Cyber threats are top of mind as hacking and data breaches present a pervasive and growing threat. But the specific type of cyber exposures might depend on the business, and some industries are bigger targets than others. In general, 90% of businesses reported at least one hacking incident in the past year, and 64% had more than six hacking incidents. Hacking can speak to a range of cyber exposures. These exposures may involve different risks, and the likelihood and potential fallout from different types of “hacks” can differ substantially between industries. (Property Casualty 360)

History becomes legend, legend becomes myth. If you were brave enough to watch the presidential debates the other night, you know that even at the highest levels it is the stereotype of a hacker that prevails in people’s minds, not the myriad entities, their professionalism, and their diverse motivations. Failure to model the most likely and most dangerous threats to your business is going to waste money and rare human resources on issues that you will never face, or give you a false sense of security about an impending failure. Giving in to FUD about the hack of the week is never smart. It is particularly stupid if the victim isn’t even in your industry.

Punish Companies for Cyber Security Failures, Directors Say

Companies should face severe financial penalties if they fail to keep customers’ data safe, a majority of directors believe, amid a spate of cyber attacks on big businesses. Seven in 10 board members have demanded stricter punishment for those who fail to meet basic cyber-security requirements. Big companies are often the most complacent about cybersecurity, with directors themselves refusing to take responsibility for safety. (Telegraph)

An interesting position given a Board’s primary mission. The fact of the matter is that the conventional wisdom about the costs and financial impact of compromises and breaches is starting to fall away. The stock price of any major business that was victim to a breach is higher on the one-year anniversary of the breach. Anecdotal evidence of short-term stock price manipulation exists, and of course there is the MedSec/St. Jude case, but cases of businesses failing because of a cyber attack are notable because they’re rare. This is not an argument for downgrading cybersecurity concerns at the C- and board-levels, but a reminder that businesses are in business (full stop), not the security business.

FAA Advisory Body Recommends Cybersecurity Measures

U.S. aviation authorities took the strongest formal action yet to combat potential cyber threats to planes in the air as well as on the ground. The Federal Aviation Administration’s top technical advisory group adopted language seeking to ensure that cybersecurity protections will be incorporated into all future industry-wide standards, affecting everything from aircraft design to flight operations to maintenance practices. By officially elevating cyber issues to such a high priority for the first time, the decision means manufacturers, carriers, maintenance facilities and even airports eventually will be obligated to include cybersecurity factors in routine activities. (WSJ)

Bake it in from the beginning. This is a familiar mantra that we rarely see implemented. It was commonly thought that we might have another shot at seeing the words made manifest with the advent of the “Internet of Things” but clearly that train (or plane) has left the station (tarmac). You can engineer and test to try and ensure safety and security, but particularly in the transportation field, we really only learn from death (and then only in sufficient numbers). If we are lucky, the lessons learned from commodity IT security fails will be used to prevent future tragedy.

Microsoft Previews Project Springfield, A Cloud-Based Bug Detector

Microsoft is making available to its customers one of the most sophisticated tools it has for rooting out potential security vulnerabilities in software. Code named Project Springfield, the team that built it has thought of it as the million-dollar bug detector. That’s because every time the system finds a potentially serious bug proactively, before a piece of software is released, it is saving a developer the costly effort of having to release a patch reactively, once the product is public. With widely used software, deploying those patches can cost as much as $1 million. (Microsoft)

Blocking and Tackling. Keeping in mind that functionality trumps security (always), the availability of such a capability means developers anywhere have one less excuse for not checking code for common issues before release. It is efforts like this, that work at scale, that will have the greatest impact on security over time. Microsoft’s reputation and the product’s ease of use can only help adoption, which supports the kind of fundamental tasks that need to get done to reduce the most common risks.

Only One Company is Using DHS’s Automated Cyber Threat Sharing Portal

Only one company is sharing automated cyber threat data with the Department of Homeland Security, nine months after Congress passed divisive private-public threat sharing legislation critics claim violates privacy and boosts government surveillance. (Inside Sources)

You cannot force sharing. This would not be a story if not for years of the government following a ‘share with me but nothing for thee’ approach to the private sector. Industry is right to slow-roll participation given the parsimonious reveals from government sources (FTR: I’ve been on both sides of the fence). A solid sharing relationship can have significant benefits to both sides, but the effort and value of data has to be equal; otherwise it’s not a relationship but an unfunded mandate.

Good Cybersecurity Can Be Good Marketing

Recent research conducted by IBM among global boardroom and C-suite executives in 28 countries found that better cybersecurity is among their top technology priorities. But while [Chief Marketing Officers] “are key drivers of digital-based growth for most organizations, many are not in the habit of working with the CIO, and are certainly not in the habit of working with the security department.” As a result, marketers and their employers are missing a potentially powerful brand- and business-building opportunity: leveraging online security measures as a way to build trust with shoppers, which will ultimately lead to increased sales.  (HBR)

A debatable prospect outside of very high-trust transactions. I’m a victim of numerous breaches of commercial concerns. I still shop at all those stores. I fully expect that at some point in the future they will be breached again. The average consumer demonstrates daily that they say they care about cybersecurity, but they’re more than happy to surrender their security, privacy, and anonymity for $.25 off of albacore tuna or $2 drafts at happy hour. For most people, choosing between two competing vendors, one who touts ‘security’ and one who is $.50 cheaper than the other, is not a decision that needs much contemplation.