The Insecure Post: Volume 1: January 2016
2016 promises to be a year of great change for information security – it will be the year the customer’s expectations about data security transform significantly, the year shareholders demand clear accountability for enterprise security, and the year organizations actively partner with their workforce to balance usability, convergence and security to protect competitive advantage while optimizing productivity.
Why now? Because as a collective, we have seen a lot of change, a lot of disruption, and a lot of ad-hoc corrections to legacy processes and technology. There was “the year of the data breach”, which doesn’t seem to end. There was the “biggest security incident of the year” that seems to have been topped every month. There was the “biggest cache of personal data breached” title for an incident that has changed hands many times over. We’ve seen security incidents become the new activist message, and we probably wouldn’t go three days in any week without spotting a new headline about a security incident that impacted some high-value public or private asset repository. The media has tailored entire shows around information security, which have, as could be expected, created an even heavier burden of “incident fatigue” on the viewer, who saw oversimplified exploit techniques and diligence being completed at hyperspeed.
Organizations have reacted in many ways to counteract the criminalization of information security. Some have implemented a “solution” for every problem that popped out of the ether; and the lack of interoperability between all these solutions has typically become a bigger problem than what they originally set out to solve – not counting the lost employee productivity as the workforce navigates these various hurdles, most of which are essentially glorified Turing tests. Most have eventually realized that the problem is not entirely about flawed process and insecure technology, but with the way that their workforce perceives the value of the intellectual capital it creates every minute; and how it rolls up to protecting and enhancing the brand.
2015 also saw the “Big Data” juggernaut promise to use its might to accurately and immediately recognize all anomalous behavior within the enterprise network, thus allowing enterprise security teams to optimize their time by – in some manner – gaining precognitive abilities regarding major security incidents. Some of these are very convincing; others have a way to go before they reach the seamless execution presented in their demos, but they’ve made their case. Security and analytics make a very good team for proactively recognizing indicators of compromise.
So, we’ve had a long (and sustained) exposure to security incidents at almost every conceivable impact level to our personal and professional lives; we have seen “hacktivism”, we have seen massive growth in the security industry, and we come home to TV shows about information security. Plausible deniability of impact and consequence is an implausible notion now. If 2016 isn’t the year of change in information security, we can only blame ourselves.
Cybercrime is the greatest threat to every company in the world
At IBM’s Security Summit, IBM’s CEO Ginni Rometty said – “Cyber crime is the greatest threat to every company in the world”. Juniper Research has released a (paid) study that suggests an increase in the cost of data breaches to $2.1 Trillion, globally, by the year 2019.
Justine Brown at the CIO Dive recently wrote about a survey indicating that enterprises were planning to increase their security spend in 2016. Her article summarized a survey by 451 Research into the following three bullet points:
- A new report from 451 Research found 44% of enterprise security managers expect to increase their budget in the next 90 days
- However, the majority of those increases will be small, according to the report
- Just 4% of enterprises said they plan to decrease security spending in 2016
eWeek’s Nathan Eddy also wrote about this survey. Here are three interesting points from his article:
- While security budgets are stable or increasing for almost all organizations, security managers reported significant obstacles in fully realizing the benefits of SIEM solutions because of lack of staff expertise (44.4 percent) and inadequate staffing (27.8 percent)
- The survey also found 41 percent of respondents noted hackers with malicious intent as their top security concern over the past 90 days, followed by navigating compliance requirements (37 percent)
- As a consequence, 23 percent of security managers noted that compliance requirements were a key driver in getting projects approved, second only to risk assessment, cited by 25 percent of respondents
But is this just a “big company problem”? Absolutely not. Startups as well as the small-to-medium-sized industry segment are equally vulnerable and attractive as targets for major security incidents depending on:
- The kind of data they get from their users, collect about their users and/or generate through aggregation
- The nature of services they provide in free / freemium / paid format to consumer / enterprise users
- The ecosystem that they integrate or partner with, thus framing them as the potential “weakest link” to compromise an associated entity
Michael Kassner at TechRepublic recently released an excellent list titled “9 privacy and security errors that startups can’t afford to make“. All of them are worth printing out and discussing with your team, but here are a few that I found to be helpful:
- Assuming privacy or security is just for the geeks
- Thinking you are flying under the radar
- Ignoring the benefits from policies
- Assuming that more is better
- Copying the privacy policy of the business next door
- Misunderstanding the effect of anonymization
It is neither a “big company problem”, nor is it limited to the private sector. Cory Bennett at the Hill wrote about the Department of Homeland Security investigating almost twice as many cyberattacks on the nation’s critical manufacturing sector in fiscal year 2015 as the year before.
So, what is included in the “Critical manufacturing sector”? The DHS page says:
The Critical Manufacturing Sector identified the following industries to serve as the core of the sector:
- Primary Metal Manufacturing
- Iron and Steel Mills and Ferro Alloy Manufacturing
- Alumina and Aluminum Production and Processing
- Nonferrous Metal (except Aluminum) Production and Processing
- Machinery Manufacturing
- Engine, Turbine, and Power Transmission Equipment Manufacturing
- Electrical Equipment, Appliance, and Component Manufacturing
- Electrical Equipment Manufacturing
- Transportation Equipment Manufacturing
- Vehicle Manufacturing
- Aviation and Aerospace Product and Parts Manufacturing
- Railroad Rolling Stock Manufacturing
The DHS Industrial Control Systems Cybersecurity Emergency Response Team, or ICS-CERT, said it looked into 97 reported cyber incidents across these sectors.
“This increase over previous years … is primarily related to a widespread spear-phishing campaign that primarily targeted critical manufacturing companies,” the agency said in its report. The 97 digital attacks represented a third of the 295 cyber incidents ICS-CERT investigated overall. That overall total is up 20 percent from the previous fiscal year, the agency said.
Here’s the breakdown:
- Energy Sector: 46
- Water and Wastewater Systems Sector: 25
- Transportation Systems: 23
ICS-CERT Director Marty Edwards said during an industry conference that the government has seen a rise in cyberattacks that penetrated industrial control systems. “We see more and more [cyberattacks] that are gaining access to that control system layer,” he said.
In other areas of government, the U.S. Commodity Futures Trading Commission voted unanimously to approve two proposals for amendments to existing regulations addressing cybersecurity testing and safeguards for the automated systems used by critical infrastructures the Commission regulates. The proposals will be open for public comment during a 60-day comment period after their publication in the Federal Register. The proposals, to be published in separate Federal Register Notices, identify five types of cybersecurity testing as essential to a sound system safeguards program:
- Vulnerability testing
- Penetration testing
- Controls testing
- Security incident response plan testing, and,
- Enterprise technology risk assessments
Here’s the associated declaration and Q&A [both PDF links]. The two proposals would require all derivatives clearing organizations, designated contract markets, swap execution facilities, and swap data repositories to conduct each of the five types of cybersecurity testing, as frequently as indicated by appropriate risk analysis. In addition, the proposals would specify minimum testing frequency requirements for all derivatives clearing organizations and swap data repositories and specified designated contract markets, and require them to have certain tests performed by independent contractors.
Along similar lines, the U.S. Food and Drug Administration released a draft guidance inviting comments on recommendations to address cybersecurity throughout the product life cycle, including during the design, development, production, distribution, deployment and maintenance of medical devices. The 25-page PDF is a very interesting read, and is very comparable to the cybersecurity program framing that is usually seen in the private sector.
In summary, the security conversation is very active, very serious and very much in focus at all the right levels across all the ecosystems that we touch.
Just yesterday, independent security researcher Sean Cassidy published an excellent write-up and code that allowed him to circumvent safeguards in a popular password management program called LastPass. LastPass charges $12/year for its premium offering and purports to be a user’s answer to password management by offering a secure repository for passwords and related password management features. This is the same LastPass that was compromised in June 2015, in an incident in which “the unknown attackers obtained hashed user passwords, cryptographic salts, password reminders, and e-mail addresses”, per their CEO’s post on the company’s blog.
Sean’s post starts with a simple, yet shockingly clear assertion –
I have discovered a phishing attack against LastPass that allows an attacker to steal a LastPass user’s email, password, and even two-factor auth code, giving full access to all passwords and documents stored in LastPass.
Sean goes on to describe how two-factor authentication does not stop this attack, but actually makes it significantly easier.
2016 is off to a good start, with healthy changes at the right levels of our government with regard to attention to cybersecurity, the right focus at the executive levels in the private sector, and a healthy security expert community on the Internet that is keeping developers and products on their toes. Well begun is half done.