Cyber Threat Analysis for 31 Mar 2016

Analysis & Commentary on the Week’s Cyber Security Issues

The “so what” factor feeds and aggregators don’t give you.

Only 38% of Companies Are Confident They Can Survive a Ransomware Attack

At the RSA 2016 security conference security firm Tripwire conducted a survey among 200 security professionals on various topics. Questioned if their business would be able to recover crucial data after a crippling ransomware attack, only 38% said they were fully prepared. On the other hand, 49% said they were somewhat confident they could recover most of their files while 13% admitted that a ransomware attack at this point would severely damage their ability to do business and even lead to the loss of critical data. (Softpedia)

If my math is correct, 100% of people surveyed lack complete confidence in their enterprise data backup scheme. That’s really the best tool we have to combat ransomware, but because backups are not glamorous or cutting edge or 2.something, no one really wants to talk about them. They would rather talk about security technology or methodology, both of which are more expensive than paying the ransom, and both are unlikely to produce meaningful results. Others would rather argue morality or ethics; usually people who have not fallen victim to an attack and don’t have people depending on them to get their business (or hospital) back online. Ransomware is a security problem like any other with one important exception: a simple and relatively inexpensive solution exists.

The Four Concerns That Must Be Addressed Before the Internet of Things Can Really Take Off In 2016

Not only do people need to understand the whys and hows of the IoT, but they also need to be sure that the devices they are using are secure. This has been a clear concern for many, especially after high-profile hacks on internet-enabled cars. IoT developers, companies, and customers alike must recognize that every device is a potential target, which is what makes IoT security such a critical issue before it is publicly adopted…Fortunately, IoT devices have a limited scope of functionality, unlike a personal computer. This limitation makes it unlikely that a device itself will house the capability or information an attacker is looking for. (Infoq)

If you assume all attackers are the same, particularly in their motivations, you should prepare to be surprised. A lot. The author correctly points out that once you’re on a thing it is often easier to move to other things on the same network, but if my goal is disruption or damage I don’t need to get on your PC; your fridge or thermostat or sprinkler system is more than enough. Most Likely: IoT will take off regardless of whether or not security and privacy issues are addressed. It didn’t happen for PCs, it didn’t happen for mobile phones, and it’s not going to happen now, as long as the net convenience factor for consumers is high enough. Most Dangerous: The quality and security of IoT-able things varies, and no one understands what might happen to critical infrastructure if a sufficient number of devices are attacked. Today squirrels cause more outages than ‘cyber’, but install enough smart appliances in a geographic area and that could change very quickly.

Why Hackers Are Going After Healthcare Providers

Washington is reeling from the news of a hack at MedStar, one of the largest medical providers in the area. A computer virus infecting the organization’s computer systems forced MedStar to shut down much of its online operations Monday. The exact nature of the attack is not yet known, but MedStar is just the latest victim in a string of cyberattacks that have hit the health-care industry hard. (Washington Post)

To paraphrase bank robber Willie Sutton, thieves go to where the money is. Hospitals and other health care providers don’t deal in cash per se, but they do have readily monetizable data that historically has not been well protected. Most Likely: Hospitals and medical practices will continue to be soft targets, and the primary goal of attacks against such targets is financial (fraud). Most Dangerous: Attacks against medical providers finally lead to the day when “cyber” kills, albeit not in the dramatic fashion doomsayers have been predicting. Rather than hacking a thousand pacemakers, or a repeat of Therac-25, medical records are diddled such that allergies are missed, symptoms not logged, etc., leading to a series of fatal medical errors.

Viewing Data as a Liquid Asset

Analytics used to be a competitive advantage, and now it’s becoming table stakes. It’s something you just need to have to execute on the business competitively. We’ve gone from experimenting with some analytics tools to deploying one visualization tool across the entire enterprise so every person has access to data reports and the ability to look at the data from the exact viewpoint they would like. If you had told me two years ago I was going to shift that tool out from a small group of people to all 1,400 customer-facing workers, I would have said, “I highly doubt it.” (MIT Sloan Review)

Just as data can be insanely valuable, so too can it be an outrageous risk. If yours is a business that demands massive volumes of data be live and malleable at all times there is no simple way to deal with this risk. For everyone else, the less data you store live the better (see the first article). That computers are fast, connectivity is ubiquitous, and storage is dirt cheap is not a good reason to maintain any more data than you absolutely need to in order to operate. Everything else should be archived and off-line. The time and effort it may take to retrieve off-line data is far less (and cheaper) than the time, disruption, and expense associated with a breach.

Cyber Security Budgets Falling Behind Threat Landscape

The Institute of Information Security Professionals (IISP) – with over 2,500 members working in security across a wide range of industries and roles, including a significant proportion at Senior/Lead/CISO level – has announced the findings from its 2016 member survey. It reveals that for over two thirds of members, information security budgets have increased, while a further 15% said that they had stayed the same. These are encouraging figures but they have to be examined alongside increasing risk and the survey also found that 60% of respondents felt that budgets were still not keeping pace with the rise in the level of threats. Only 7% reported they were rising faster than the level of threat. (IT Pro Portal)

The speed at which you operate (slow) and number of factors that are simply out of your control (OS, software, hardware, the Internet, third-parties, business model) ensure that no one can simply spend their way out of this problem. Do you think $250m is a big security budget? JP Morgan Chase thought so, until it wasn’t. Getting the best budget possible depends on your ability to effectively communicate the effectiveness of your security program – the wisdom of your past decisions and why your future spend will produce the greatest ROI – in a way that your leadership can appreciate. You don’t have metrics that go from lower-left to upper-right like your peers in Operations or Sales, but that doesn’t mean you can’t render the factors that count in a fashion that makes sense to business-people.

Making Cyber Great Again

Over the weekend, the NY Times published its own transcript of an interview between Donald Trump and two reporters, Maggie Haberman and David Sanger, focusing on foreign policy questions. Reading it presents an incredible picture of a man running for President who doesn’t know the most basic things about foreign policy. But the issue that is relevant to folks around here is his completely confused and nonsensical responses to two things: cybersecurity and Ed Snowden. (TechDirt)

If you’re going to pick a President based on their grasp of the issues related to the Internet in general and cyber security in particular, you’re going to be waiting a long time to cast a ballot. One candidate’s take on the issues may be ‘nonsensical’ but it’s hard to see how that’s different from the ignorance, ambivalence or at best half-measures of administrations past. Most Likely: Expect the type and rate of progress regarding cyber security over the next four years to remain unchanged regardless of who occupies the White House. Cyber security is simply not the policy issue cyber security people think it is. Most Dangerous: Offensive activities by adversaries (insert your favorite evil-doers here) trigger a series of ill-conceived policy decisions by ill-prepared and ill-informed appointees. What happens in cyberspace transitions to meat-space, leading us down a path towards a political-military disaster.