Analysis & Commentary on the Week’s Cyber Security Issues
The “so what” factor feeds and aggregators don’t give you.
A Lack of IoT Security is Scaring the Heck out of Everybody
Enterprises aren’t yet managing the risks posed by the swelling wave of IoT technology very well, according to a study released today by the Ponemon Institute. The study, which surveyed 553 enterprise IT decision-makers, found that 78% of respondents thought that it was at least somewhat likely that their organizations would experience data loss or theft enabled by IoT devices within the next two years. (Network World)
Knowledge of the risks associated with IoT devices is here; it’s just not evenly distributed. It does not help that in many environments, IoT device procurement and operation may be out of the hands of IT, where risk assessment and security knowledge are arguably strongest. Institutions, like people, demand functional and reliable devices, not secure ones, and manufacturers are happy to oblige them. When risks are not well understood and adverse events are rare, human nature is to punt our concerns away until a sufficient number of tragic events occur in a sufficiently short time-frame. As Crash Override has shown, IoT will not be any different.
Is Your Company Spending on the Right Security Technologies?
Investing in security technologies is a given for most companies today, and with stories of breaches and hacks making headlines every week, the importance of these tools has risen to prominence. While there’s no shortage of security technologies to choose from, the big question that remains is: How does a company choose the right security investments? (Network World)
Understand that security is a secondary concern in most enterprises. Bank, hospital, shipping company: everyone has at least one priority that comes before security. The “right” security technologies are the ones that improve security without impeding operations. If most surveys and breach after-action reports tell us anything, it is that a focus on sound IT fundamentals will address the vast majority of security issues in an enterprise. Until you’ve mastered blocking and tackling (which is usually free), you don’t really have any business looking at more advanced (and expensive) defensive technologies. Not if you want to be viewed as an asset to your organization.
Information Security in the Age of Disinformation
Depending on their specific goals and motivations, malicious external actors seek to blackmail individuals, organizations or security vendors to disrupt breach defenses or otherwise wreak havoc on IT operations. For security leaders tasked with defending against these threats, it’s hard to know who or what to believe. That challenge has only gotten worse as the spread of false information has become more prevalent. (Security Intelligence)
In an age of plentiful and cheap information, integrity is the new currency. Concerns about “semantic attacks” were raised close to 20 years ago. Few remember when “fake news” online first became a thing. We have grown used to being, if not well informed, at least not wanting for information. Because until recently most information has been largely accurate, we have left ourselves open to manipulation, both gross and subtle. Developing critical thinking skills and a healthy sense of skepticism will serve you well in the future, far more than learning to code or earning a security certification.
Top 5 Dumbest Cyber Threats That Still Pay Off
The common conception of cyber attacks is that they are kind of like bad weather, ranging from irritating to catastrophic, but always unpredictable. As it turns out, some hackers are fairly predictable in their successful use of really dumb attacks. In summary, a great many cyber threats are not sophisticated, nation-state level, well thought out attacks. The bulk, in fact, tend to be the least effort required for success, which sometimes turns out to be not very much effort at all. (Dark Reading)
Why burn something high-end when something pedestrian will do? Malicious actors are so often portrayed as having it easy compared to the work defenders have to put in, but that’s a misconception. An attacker has to be right many times, and in series. A 0-day in something worthwhile is hard and expensive to obtain, and it has a short half-life. If a target isn’t using 2FA, hasn’t patched its systems in months, and supplies ample OSINT with which to build phishing lures, that’s the path down which attackers will go. Offense has it ‘better’ than defense only in the sense that they can more easily calculate ROI.
Insiders – Still an organization’s biggest silent cybersecurity threat
The largest and most notorious data breaches of our time are credited to the work of sophisticated cybercriminals. But executives would do well to recognize that their own employees play a significant role in their organization’s cybersecurity. Accidental or deliberate, an employee leaking sensitive data is a real possibility, and is an issue commonly referred to as an insider threat. (Information Management)
Training will help spread threat awareness; accountability will help reduce threats. Repeated, flagrant safety violations in a factory will get you fired. The same holds true if you repeatedly violate a two-man rule at a bank. Cyber security violations often don’t get the same kind of management attention because, unless money or productivity are lost, they’re seen as “virtual.” Why are we surprised insiders continue to be the biggest problem when we don’t give security the same attention we do harassment, violence, or fraud? A sound, reasonable, and defensible (work with HR and Legal) cyber security compliance policy that you actually enforce will do more to reduce this particular threat than any device or software you can buy.
The Time to Fix IoT Security is Now
The Internet of Things has enjoyed a huge surge in growth in recent years, with businesses and consumers alike flocking to get the world around them smarter and more connected. However, it is becoming quickly apparent that as well as offering a number of useful benefits, the Internet of Things could pose a lucrative opportunity for cyber-criminals able to exploit some potentially major flaws. (Beta News)
I’m not entirely sure that ship hasn’t sailed. IoT is not new; it just hasn’t been marketed as well as it has been in the last few years. Every elevator you ride in, the traffic lights you have to deal with on the way to work, the machines that go ‘ping’ in your hospital room are all a part of IoT. We value, and then demand, the efficiency and utility IoT provides, and like commodity IT before it, we don’t consider the security implications until it is too late. The rate at which IoT is growing, the inability to apply familiar security models, and the lack of defensive technology that can operate in the resource-constrained world of networked embedded devices mean “security” is an even greater pipe dream than it is in the land of PCs.
Threat Intelligence Fails to Deliver on its Promise
A new study by the Information Security Forum (ISF), an independent authority on cyber security and information risk management, reveals that threat intelligence isn’t delivering the expected business objectives. While 82 percent of ISF Members surveyed have a threat intelligence capability, with the remaining 18 percent planning to implement one in the next twelve months, only 25 percent of those surveyed believe their capability is fully delivering. (Beta News)
The problem with the vast majority of threat intelligence offerings is that they aren’t about threats and they aren’t intelligence. If you bought a feed, you are not significantly better informed about what threats you face; you are more aware of the truth of Sturgeon’s Law. It also does not help that most practitioners are terrible at communicating threats to decision-makers. Even with perfect, timely, contextual information in hand, intelligence is useless if not acted upon. Every “intelligence failure” you’ve ever heard of is rooted in “very smart people” knowing better than the red lights flashing in front of their eyes.