Cyber Threat Awareness – 03 Apr 2017

Analysis & Commentary on the Week’s Cyber Security Issues

The “so what” factor feeds and aggregators don’t give you.

Subscribe to the Cyber Threat Analysis Weekly

We Cannot Accept Data Breaches as the New Normal

Something as innocent and constructive as applying for a job online should not be a cause for concern for identity theft. Yet, this week, Delawareans who utilized a national database connecting job seekers with employers were the victims of a malicious hacker. An application was exploited to enable fraudulent access to users’ names, dates of birth and Social Security numbers. (Delaware Online)

Wish in one hand… The fact of the matter is that we’re no better off stopping breaches today than we were one, ten, even twenty years ago. A solution to the human factor – the most common and easy way into an enterprise – has yet to be solved. Phishing training and the like help, but the threat is constant and no one can stay vigilant 24/7/365. Technology can help, but as we will see a few articles down, we could do with a better incentive structure, since the stick isn’t working. Something more akin to a carrot perhaps?

40% of Industrial Computers Were Hacked in 2016

Nearly 40% of industrial computers experienced cyberattacks in the second half of 2016, according to a new report from Kaspersky Lab. And these attacks are on the rise: The percentage of targeted industrial computers grew from 17% in July 2016 to 24% in December 2016. The no. 1 source of attacks? The internet. Malware downloads and phishing webpages attempted to infect more than 22% of industrial computers, Kaspersky Lab found. “This means that almost every fifth machine faced the risk of infection or credential compromise via the internet at least once,” according to a press release.(Tech Republic)

Cue an ICS boffin saying they’re not connected to the Internet. Like any system, defending an ICS need not be excessively complex or expensive. In fact, the concept of blocking and tackling is probably more applicable in an ICS environment given the more straight-forward nature of things (if X, switch is on; if Y, switch is off).This is not to say it will be simple; inter-dependencies abound. Identify what needs protecting, understand what you care about the most, and take actions and implement controls that minimize your risk. You CAN worry about ”the APTs’ and other edge cases, but your plant was designed to be functional; it is not going to re-design itself to address the threat (and the owner is not going to spend all it could to combat it).

Compliance Isn’t Enough to Meet Cyber Threats, Experts Say

To meet today’s cybersecurity threats, and those that experts predict will pop up in the near future, government agencies will have to do more than just meet compliance guidelines. “I would argue compliance is a nice check at the end of a process, but I think the fundamental problem is that we don’t even really know what’s at risk,” said Thomas Donahue, research director of the Cyber Threat Intelligence Integration Center. “We are constantly surprised by interdependencies. We are surprised that some piece of data turned out to be much more valuable than we realized. In some cases, we’re surprised that the data even existed in the first place.”  (Meritalk)

Compliance regimes exist because compliance is what we know how to do. It is a blanket that makes you feel better but doesn’t really address the underlying danger of freezing to death. Because functionality trumps security in the marketplace, compliance will be the order of the day until a sufficiently high number of people die in a sufficiently short period of time. Compliance is not useless; if it helps organizations recognize and implement fundamentals then a compliance exercise can do more for security than any “solution” that purports to combat “advanced” threats. Having said that, if you’re striving towards actual, better security you need to understand that compliance is the starting point, not the finish line.

Neiman Marcus data breach settlement tells us plenty about the ROI of security

Back in January 2014, Neiman Marcus announced a data breach, even though it had known about it for roughly a month. The chain initially reported that the attack — which happened in 2013, between July 16 and Oct. 30 — impacted 1.1 million customers, a number that the retailer later reduced to 370,385. About 9,200 shoppers experienced actual fraud. The company settled a class-action lawsuit for $1.6 million, much of it covered by insurance. And even that may be more than it ends up paying.  (Computerworld)

What’s the point of investing in a lot in cyber defense when you might actually make money if you fail? This is why calculating cyber security spending ROI is so important. You cannot force clients to be “secure” but you can get them to agree to do certain things if it is clear those things will improve security in a cost-effective manner. Does that leave a lot of room for improvement? Of course, but that will always be the case. Your efforts to score a touchdown on every issue ignores the fact that you are playing a game of inches. Hail Mary passes are amazing, but they’re rare (and rarely successful) for a reason. Long-term success depends on compiling a series of small wins.

Legal Departments Face High Data Breach Risk, But Few Easy Solutions

While many employees in an organization handle data on a day-to-day basis, none are perhaps as exposed as those in the legal department. Attorneys, legal operations and supporting staff often work closely with other departments, and in so doing come into contact with very sensitive data. A survey senior business executives found that over half of respondents were most concerned about the theft or disclosure of legal documents and documents legal departments regularly touch, such as contracts and IP and trade secret information. (Corporate Counsel)

The usual approach to securing documents in a high-risk environment is to lock down access or the documents, or both. But any security protocol or mechanism that prevents people from getting things done only brings out the creativity in your staff and raises risks. “Shadow IT” is one example, as is outright violations of policy. You cannot base people’s compensation on their productivity, impede that productivity, and expect them to take it lying down. Elaborate, expensive solutions are not necessary. The more preliminary work you do assessing risks and modeling threats, the more likely you are to see that most of what you want to accomplish can be done cheaply, if not for free.

How to Protect Your Practice When Data Breach Hits a Partner

Healthcare data breaches involving protected health information (PHI) are growing increasingly common. Almost 90% of healthcare organizations experienced a data breach in the previous two years. Moreover, 45% of those had suffered more than five breaches within the reporting period. So while practices are monitoring their own in-house security methods to avoid jeopardizing patient data, they also face the threat of a cyberattack on one of their business partners, putting that same information at risk.  (Medical Economics)

If the Target stores breach had a lesson it was your cyber security posture is only as sound as the posture of everyone in your supply/vendor/partner chain. The problem is too many are not learning the lesson fast enough. To reiterate: the solution is not exclusively, nor is it necessarily primarily technical in nature. Malicious actors aim to violate trust relationships, which is why unusual or extraordinary communications from partners deserve the same scrutiny as a similar message from a “prince” from Nigeria. Both pose a threat to PHI, but we’ve grown accustomed to ignoring the latter, which is why so many are falling victim to the former. In the immortal words of the Gipper: trust but verify (out of band) and you can avoid becoming another weak link in the chain.