Save Yourself – Delete Your Data

You probably don’t remember but in the spring of 2015 I wrote:

What if ransomware is only the beginning? What about exposé-ware? I’ve copied your files. Pay me a minimal amount of money in a given time-frame or I’ll publish your data online for everyone to see. Live in a community that frowns upon certain types of behavior? Pay me or I’ll make sure the pitchfork brigade is at your door.

This week we learn:

Instead of simply encoding files so that users can’t access them, some blackmailers armed with a new kind of malware called doxware are threatening to leak potentially sensitive files to the public if a ransom isn’t paid, says Chris Ensey, COO of Dunbar Security Solutions.

My response now is the same as it was before:

In an era when remedying computer security failures is cheaper than calling in computer security experts, we need to collectively get on board with some new ways of doing things.

For starters, we need to work at scale. Botnet takedowns are one example. I’m proud to have been associated with a few, and I’m not going to pretend every effort like this goes off without a hitch, but we need to do more at or near the same scale as the bad guys, and often. That’s really the only way we have any hope of raising attacker costs: when they’re fighting people in the same weight class with similar skills on a regular basis.

We also need to accept that the future has to be more about restoration than conviction. Most corporate victims of computer crime don’t want to prosecute; they just want to get back to work. Tactics, techniques, procedures and tools need to reflect that reality. If you’re law enforcement you don’t have a lot of leeway in that regard, but everyone else: are you really doing right by your customers if you are adhering to a law enforcement-centric approach simply because that’s how you were taught?

Finally, we need to retire more problems. You’ve heard the phrase: “if you’re so smart how come you’re not rich?” My variation is: “if you’re such an expert how come you haven’t solved anything?” Now, not every computer security problem can be solved, but there are problems that can be minimized if not trivialized. That would require regularly growing and then slaughtering cash cows. Business majors who run massive security companies don’t like that idea, but it is not like we’re going to run out of problems. So as long as there are new opportunities to slay digital dragons, you have to ask yourself: am I in this to get rich, or am I in this to make the ‘Net a safer place? Kudos if you can honestly do both.

…and I would add one more thing: if you don’t need data, get rid of it. I remember when storage was expensive and you had to be judicious about what you saved, but if you buy enough memory these days it’s practically free, which has led people to think that there are no consequences for control-s’ing their way to retention nirvana. The supposed value of “big data” doesn’t help. When you get down to it though, you can’t be held ransom – or extorted – over something you don’t have.

We Are Our Own Worst Enemy

My latest op-ed in SC Magazine:

It is tough being in cybersecurity. Defense is a cost center, and it’s hard to find meaningful metrics to demonstrate success. Interest in security is also cyclical: Major breaches stir action, but as time passes, interest and resources wane, though the threat is still there. Yet the biggest problem with cybersecurity is ourselves. Before we can succeed, all of us must agree to change.

Read the whole thing.

“reputation system”

From the Enterprise Resilience Management Blog:

Anyone who believes he knows of information relating to these proposed patents will be able to post this online and solicit comments from others. But this will suddenly make available reams of information, which could be from suspect sources, and so the program includes a ‘reputation system’ for ranking the material and evaluating the expertise of those submitting it.

“reputation system” – how the wiki-fied, blogosphered IC can sort the wheat from the chaff and cast off the last vestiges of the old way of doing things.

Now, to find out the status of that reform book draft . . .

underrattelser – US style

Ralph Peters’ latest report on improvements in MI. Money graph:

Appropriate technologies can help us – but no database or collection system is a substitute for seasoned human judgment. The key task in intelligence is understanding the enemy. Machines do many things, but they still don’t register flesh-and-blood relationships, self-sacrifice or fanaticism.

Underrattelser, “improvement from below” (how Swedes describe MI), is covered at John Robb’s site.