Analysis & Commentary on the Week’s Cyber Security Issues — 08/26/2016
The “so what” factor feeds and aggregators don’t give you.
Cyber attack recovery 300% dearer due to skills shortage
Large businesses that struggle to attract skilled IT security experts are paying up to three times more to recover from a cyber security incident, a report has revealed. As the gap between the available security skills continues to widen, a growing number of organisations are being forced to call in outside help to supplement in-house skills. This model is likely to continue for some time, according to information professionals’ organisation, ISACA. (ComputerWeekly)
Who wants a self-licking ice cream cone? While it is hard enough to find talented people to do the ordinary things that need to be done, the fact that these things are not being done means that the demand — and price — for even digital janitorial work goes up as well. Tools and efforts that help accelerate threat detection and response are the most meaningful step you can take to reduce costs associated with attacks and breaches. Nothing catches everything, and no breach is cost-free, but anything that helps you operate at or near the speed your attackers are operating at helps.
Is your supply chain your biggest cyber threat?
After shelling out thousands or millions on cyber security for your enterprise, it might be dismaying to find that your organisation could still be vulnerable to a major breach — and it wouldn’t even be your fault. The threat posed to organisations, however prepared they are for cyber attacks, by their supply chains is a serious one and needs to be given serious consideration. The textbook case study for this type of attack is Target, where 40 million customer details were leaked after network credentials were stolen from a HVAC subcontractor. (CBR Online)
Your supply chain contains a lot of weak links, only some of which you are aware of. In an industry where everyone is focused on the “enterprise” (and enterprise sales) it is easy to forget that the vast majority of businesses are small- to medium-sized, and for most of those entities “the IT department” is the son of the yoga buddy of the sister of the CEO. Cost-effective and easy-to-use solutions largely neglect enterprises with node counts in the tens or single digits, which is exactly where an attacker looking to exploit a trust relationship is going to focus their energy. Upstream large enterprises will attempt to deal with this contractually, and SMBs will look for insurance to cover their shortcomings; both are going to be sorely disappointed when hackers ignore the fine print.
Cyber Fatigue: The Risks of Weariness to Data Breaches
Cybersecurity should be a top concern of all businesses and organizations worldwide, but unfortunately, that isn’t always the case. A panel discussing cyber risk indicated that more than 50% of the time, corporate leaders don’t learn about a data breach from within their own company. The clear disconnect between the people running companies and their own security practices is disconcerting, but can be explained through a phenomenon known as cyber fatigue: feelings of being overwhelmed by all the security-related issues that exist. Because of cyber fatigue businesses approach security in a reactive vice a proactive manner. (Next Advisor)
Victims are in business, they are not in the security business. Cyber security has no meaningful parallel in the business world. Security costs a lot of money, then it fails, and it asks for more money. Every MBA knows how to deal with perpetual failure and cost over-runs in Operations, but security is an enigma wrapped around a conundrum that they don’t tell you about in B-school. Getting the business-side on your side is an uphill battle. It helps to learn their language and to put things into a context that they will understand. It is not a guarantee of success, but it is essential if you hope to get them thinking about Security as a near-peer component of the business.
Private-sector security leaders must leverage threat-intelligence sharing better, CISO warns
Empowered by high-level endorsement of their collaboration, Australia’s businesses and government bodies need to proactively leverage their growing body of threat intelligence into new defensive and offensive cybercrime strategies, one regional CISO has advised. While it had taken some time for comfort levels with increased threat-sharing practices to grow, increasing familiarity with threat-exchange formats like STIX and TAXII had taken the complexity out of the actual processes of data sharing. (CSO)
There is such a thing as too much of a good thing. If you are not participating in some kind of information sharing program, and a good intelligence sharing program, you are doing your enterprise a huge disservice. No one vendor has a complete picture of the threat you face, so the more data from a variety of sources you can ingest the better. Having said that, it is important to ensure that you are not trading a needle in a haystack for a stack of needles. You need to be able to make sense of everything you’re getting in a timely fashion and in the context of your environment, otherwise you are simply paying to drown yourself in data.
Singapore’s web cut-off for public workers balances cyber security and inconvenience
Singapore is working on how to implement a policy to cut off web access for public servants as a defense against potential cyber attack — a move closely watched by critics who say it marks a retreat for a technologically advanced city-state that has trademarked the term “smart nation”. Some security experts say the policy, due to be in place by May, risks damaging productivity among civil servants and those working at more than four dozen statutory boards, and cutting them off from the people they serve. (South China Morning Post)
You learn a lot about your organization and how it works when you remove distractions. While it seems like a radical step, it’s important to remember that any reduction in avenues of attack helps defense. This move won’t eliminate all threats, but it reduces the number of things both employees and IT staff need to think about. It is also a reminder that while we take the convenience the Internet provides us for granted, it is still entirely possible to operate in the “information age” without driving down the information superhighway.
Cybercriminals are targeting telecom employees in order to hack telecommunication networks from the inside
A report from Kaspersky Lab has revealed that cybercriminals are targeting telecoms employees via blackmail, and recruiting disillusioned employees, in order to carry out cyber attacks on telecommunications networks. Cybercriminals often use insiders as part of their malicious ‘toolset’, to help them breach the perimeter of a telecommunications company and perpetrate their crimes. The intelligence report surmises that 28% of all cyber attacks, and 38% of targeted attacks (state-sponsored, or competitive) involve criminal misgivings from insiders. (Information Age)
Recruiting agents isn’t just for spies. The best source of data comes from someone with legitimate access. Hackers traditionally go for user credentials, but hacking the actual user works too. One drawback to getting humans to do your dirty work for you is the necessity of actually meeting them for recruitment and occasional handling (being a traitor of any sort is nerve-racking stuff). This is not an issue if you’ve stolen a User ID and password, but then credentials alone don’t provide you with insight that might make your penetration into a victim’s systems more productive in less time. That’s something only a human can do.
Health IT pros are worried about hacking, but many still don’t encrypt
Hackers have captured the attention of members of the healthcare security community, but the industry’s top data guardians are feeling hampered in their efforts to protect their organizations by a lack of manpower and money. A significant minority of security pros still report their systems are not encrypting patient data, a basic defense. “People view encryption and security in general as a hindrance to their work,” said Lee Kim, director of privacy and security at HIMSS North America. “They have to swallow that vitamin. It’s yucky, but it’s good for you.” (Modern Health Care)
Your weekly reminder on the importance of blocking and tackling.
Michael Tanji serves as CSO of Kyrus Tech, a boutique computer security consultancy. He was a co-founder of Carbon Black, the former CEO of Syndis, and is involved in supporting a number of novel approaches to computer security problems and the companies that are developing them. Michael is a former supervisory intelligence officer who managed the Defense Indications and Warning System for Cyber Threat, among other things in what today is called “cyber.” He has spent over twenty years working to improve the security posture and disposition of organizations in a wide range of markets and industries.