Archives for October 2016

Exploring the Cybersphere – October 2016


This week in our blog, we offer a snapshot of cybersecurity, privacy and data security news of interest to the executive suite. Periodically, we’ll recap insights from the growing cadre of voices in this space as well as lend our own views on the issues that impact executive governance of cyber risk and response.

Millions of years of evolution have given humans a shared legacy of fear triggers. Darkness, the snapping of a twig, a rush of sound can put us in full fight or flight mode. The best horror movies understand the psychology of fear, and play to our survival instincts. Movies about vampires, like the classic Nosferatu, use sound and shadows to keep us eerily on edge. As Halloween approaches, here are some stories that also can put us on edge.

It’s Alive

The combination of human and artificial intelligence will define humanity’s future
Tech Crunch

Through the past few decades of summer blockbuster movies and Silicon Valley products, artificial intelligence (AI) has become increasingly familiar and sexy, and imbued with a perversely dystopian allure. What’s talked about less, and has also been dwarfed in attention and resources, is human intelligence (HI). In its varied forms — from the mysterious brains of octopuses and the swarm-minds of ants to Go-playing deep learning machines and driverless-car autopilots — intelligence is the most powerful and precious resource in existence. Our own minds are the most familiar examples of a phenomenon characterized by a great deal of diversity. Yet, HI is unique among this variety of intelligence because of its unparalleled ability to design, modify and build new forms of intelligence. HI is what defines us as humans and our relationship with everything on earth. Now, through the combination of HI and AI, we are at the brink of intelligence enhancement, which could be the most consequential technological development of our time, and in history. Intelligence, in its varied forms, powers every opportunity we pursue and every problem we seek to solve. It sits upstream from everything else. It is at once the master tool and the master of all tools. It is not only the most general means to do things, it is also the meaning-making force that decides what is worth doing. Intelligence is what allows us to create forms of governance, cure disease, create art and music, discover, dream and love. Intelligence is also what decides that these things, rather than other things, are worth doing, by translating discoveries into meanings, experiences into values and values into decisions. The evolution of human tools, from rocks to AI, can be seen as a trajectory of increasingly powerful effort arbitrage, where we exploit our comparative advantage relative to our tools to do things better, and do more new things. 
Along this trajectory, tools that embody significant levels of intelligence are our most powerful yet. In this pursuit of effort arbitrage, the smallest of intelligence advancements has the power to yield enormous gains for humans, individual and collective. A seemingly simple change 2.5 million years ago — using stone tools to butcher animals — led early hominids down the path to becoming modern humans. From that modest starting point, throughout human history, we created tools that increased our individual and collective intelligence and became extensions of our natural selves. We started with crude functional tools such as hammers and axes. Over just a few tens of thousands of years, we progressed to more intelligent tools, such as thermostats, and governance technologies based on rule-of-law rather than despotism.

Artificial Intelligence-powered malware is coming, and it’s going to be terrifying
Business Insider

Imagine you’ve got a meeting with a client, and shortly before you leave, they send you over a confirmation and a map with directions to where you’re planning to meet. It all looks normal — but the entire message was actually written by a piece of smart malware mimicking the client’s email mannerisms, with a virus attached to the map. It sounds pretty far out — and it is, for now. But that’s the direction that Dave Palmer, director of technology at cybersecurity firm Darktrace, thinks the arms race between hackers and security firms is heading. As artificial intelligence becomes more and more sophisticated, Palmer told Business Insider in an interview at the FT Cybersecurity Summit in London in September, it will inevitably find its way into malware — with potentially disastrous results for the businesses and individuals that hackers target. It’s important to remember that Palmer is in the security business: It’s his job to hype up the threats out there (present and future), and convince customers that Darktrace is the only one that can save them. It’s a $500 million (£401 million) British firm, with an AI-driven approach to defend networks. It creates an “immune system” for customers that learns how businesses operate then monitors for potential irregularities. But with that in mind, Palmer provides a fascinating insight into how one of the buzziest young companies in the industry thinks cybersecurity is going to evolve.

Desperately Seeking Godzilla

Four reasons why Asia is a prime target for cybercriminals

From attacks on Ukrainian power grids to central bank heists in Bangladesh and the leak of stolen information from the Democratic National Committee in the U.S., cybersecurity threats have escalated massively in recent years. Governments, companies and individuals are equally susceptible all over the world, but cybersecurity experts believe Asia is most vulnerable to such attacks. Data from American security company FireEye showed 28 percent of organizations in Asia Pacific were hit with an advanced cyber-attack in the second half of 2015, nearly double the global average of 15 percent. Experts told CNBC there were several reasons why Asia is a prime target for hackers. Housing nearly 60 percent of the world’s population, the aggregate number of people connected to the Internet in Asia is massive – nearly a billion people have access to the Internet, with more than half of them in China. In August, Xinhua, China’s official news agency, reported the country had 710 million internet users as of June 2016, according to an official report from the China Internet Network Information Center. “That’s a lot of people on the Internet, transacting, doing social work, social media [and] doing business,” Keshav Dhakad, regional director at Microsoft’s Digital Crimes Unit, told CNBC in a recent interview. Collectively, experts say, Asia’s level of awareness towards cyber threats and cyber security was comparatively lower than other regions, such as the United States and Europe. As a result, many companies were less likely to devote additional resources to secure their technology infrastructure against external breaches and their response time to detect such breaches would be slower. FireEye data showed globally, companies took a median of 146 days in 2015 to identify a security breach, while in Asia Pacific that number was at 520 days. 
The delayed response time meant attackers were more likely to succeed in stealing information without immediate detection and could make a good return on their investment, according to Bryce Boland, chief technology officer for Asia Pacific at FireEye. Cyber attackers usually have to invest capital, time and effort to build new forms of attack and their reward is often in selling the data they manage to steal. Boland explained to CNBC, “If I spend $10,000 to try to break into a company, and they keep detecting me, I’m not going to make any money back.” By remaining undetected for longer, the same attack could be used repeatedly to steal data.

A Human Sacrifice

Businesses Sacrifice Security To Get Apps Released Faster
Dark Reading

Strong security is essential in an application-centric world, but new research shows businesses are sacrificing security in order to improve speed-to-market for their app offerings. This was one of the findings discovered in a new report, “The Security Imperative: Driving Business Growth In The App Economy,” conducted by Coleman Parkes and commissioned by CA Technologies. Researchers surveyed 1,770 senior business and IT executives, including more than 100 CSOs and CISOs, to investigate how their security operations affect business performance. Results indicate businesses view IT security as a business enabler but struggle to deliver stronger protection under the pressure of the app economy. Sixty-eight percent of respondents admit they compromise on security to get apps to market faster. This is a tremendous risk. Managing user identities across thousands of apps, systems, devices, and platforms requires organizations to increase the complexity of their security practices, not cut corners. The app economy is creating new cybersecurity challenges for IT leaders operating in a multi-channel, multi-platform world. Customers expect rapid and secure experiences from any device, and will take their business elsewhere if security is burdensome or data is jeopardized. The rise of mobile and cloud has opened up new opportunities to drive the app economy, explains Nick Nikols, SVP and CTO for cybersecurity at CA Technologies. However, it also changes the security dynamic. What happens to traditional security approaches, like hiding behind a firewall, when data can be located anywhere? “How do you secure something that is much more ‘out there,’ and not entirely under your control as much as it once was?” says Nikols of protecting cloud-based data. When information can be stored anywhere, businesses can’t rely on traditional approaches to security. It’s time for businesses to think outside these approaches as they pursue new opportunities in this environment.

Attack of the Killer DDOS

Here’s what crippled the internet

Twitter wasn’t working and neither was Netflix. Spotify was down, too. And anyone visiting Amazon, PayPal, or Reddit probably encountered trouble on the web.

For much of the day Friday, the internet’s core infrastructure was under a massive attack, shutting off access to many sites and slowing down the internet for much of the East Coast.

The disruptions were caused by a series of cyber attacks on Dyn, a provider of internet performance services to many of the biggest tech companies. Starting early Friday, Dyn experienced multiple distributed denial of service, or DDoS, attacks in which adversaries overload a victim’s network with traffic directed from a large number of malware-infected devices.


By Tom Davis, SDI Cyber Risk Practice

October 25, 2016

Sabre Rattling in Cyberspace

Chile is a South American success story, emerging from decades of tumult to become a stable, prosperous nation. But roughly a hundred years ago, Chile was torn by conflict between President Arturo Alessandri and the conservatively controlled congress. Congress had refused to pass any measures proposed by Alessandri, but they did find time to vote to increase their salaries, much to the dismay of the nation, and to the military, who had long been hoping to get a salary increase. A small group of young military officers sat in on the session during which the congressional salary increase was to be discussed. Ordered to leave, they began to rattle the sabers they wore within their scabbards, a plain warning to the members of congress. Thus was born the term sabre rattling.

The United States now is engaged in a very public form of sabre rattling. A number of news outlets have reported that the Administration has asked the CIA to provide plans for a cyber attack on Russia, purportedly in retaliation for Russian sponsored efforts to disrupt the U.S. election process. The fact the potential attack is being discussed so publicly is ample evidence that the Administration is intent on sending a clear warning, regardless of whether an actual attack takes place.

One can assume that if the U.S. does attack Russia in some fashion, Russia will respond, and it is clear that Russia has the ability to attack both the government and the private sector. It’s conceivable that Russia could pursue remedies at the U.N. Security Council and/or the International Court of Justice, but if recent history is a fair guide, it is more likely its response would be more direct.

Where all of this will lead is anyone’s guess. Both nations have the ability to significantly disrupt the economies of the other. Neither is likely to want to go that far, for at some point an ill-defined line would be crossed, and escalation beyond purely cyber measures would be on the table.

Legal guidance on how activities in cyberspace are covered by international laws, treaties and norms is provided by the Tallinn Manual, a product of the work of twenty international law scholars and practitioners created on behalf of NATO’s Cooperative Cyber Defence Centre of Excellence. The manual attempts to define some of the basics of cyber warfare. It stipulates that an online attack on a state can, in certain circumstances, be the equivalent of an armed attack. It states that such an attack is against international law, and says a state attacked has the right to retaliate. It also uses terms like maybe and probably as guidance for specific attack/counterattack scenarios, which tells us the rules governing cyber warfare are evolving and not generally agreed upon.

Writing in TechRepublic, Steve Ranger points out “Some countries have a very narrow model of what cyberwarfare should look like – that it should focus on hacking and damaging systems. Others see it as just one part of a much wider information warfare spectrum which stretches from hacking to disinformation and propaganda. Indeed, much of the criticism of the Tallinn Manual has been around how it represents a NATO—and specifically Western—outlook on what cyberwarfare should look like.” Not surprisingly, nations like China and Russia have a different perspective.

If the U.S. goes beyond sabre rattling and actually does execute a cyber attack on Russia, the next version of the Tallinn Manual will have a lot more experience to draw upon in providing legal guidance.

By Tom Davis, SDI Cyber Risk Practice
October 18, 2016

Only 40 Thieves Would Be a Blessing

The history of the use of passwords is long and rich. We can imagine a Roman sentry standing in rainy mist challenging a shape looming out of the darkness. But the use of passwords may well have started long before Rome ruled its empire. Perhaps the most remembered password in history is “Open Sesame,” the key to opening the cave where 40 thieves have hidden their treasure. Today, far more thieves are stealing passwords to get to the treasure. Now when we think of passwords, we generally associate them with computers. The first computer password is assumed to have been used at the Massachusetts Institute of Technology in the early 1960’s. It should not be altogether surprising that shortly thereafter came the first documented case of password theft. A researcher, frustrated by the limited amount of computer time he’d been allotted, found a way to print out all of the passwords stored on the system. He then used the purloined passwords to expand his time on the computer, and apparently shared them with several of his contemporaries.

CNBC just offered a commentary by Michael Chertoff, former head of Homeland Security, in which he wrote “A closer examination of major breaches reveals a common theme: In every “major headline” breach, the attack vector has been the common password. The reason is simple: The password is by far the weakest link in cybersecurity today.” In support of that perspective, Verizon’s 2016 Data Breach Investigations Report says 63 percent of confirmed data breaches involved weak or stolen passwords.

The single biggest shortcoming in reliance on passwords is innate laziness. In an ever more complicated world most people simply do not want to make their passwords challenging (12345 anyone? Password?). We also store them in easily accessible word documents, willingly share them, constantly re-use them, and only reluctantly change them.

In 2004, Bill Gates declared the password dead. What ensued must surely be one of the longer wakes in history. The password has yet to be buried, but we are gradually moving toward systems that may not eliminate the password, but will buttress it with a layered defense. The trend toward multifactor authentication uses an approach based on what the user knows (the password), together with something the user has, like a security token, and perhaps even who the user is, based on biometric verification.
Long live password plus.

By Tom Davis, SDI Cyber Risk Practice
October 11, 2016

Is True Cybersecurity No Longer an Illusion?

Appleton is a typically friendly Wisconsin town that straddles the Fox River and lies close enough to Green Bay to host Packer fans who find that if you wait too long, you can’t get a reservation in Green Bay during football season. Perhaps its most famous citizen was the illusionist Erik Weisz. If you don’t recognize the name, and only true aficionados are likely to, allow me to introduce you to the real name of Harry Houdini, who grew up on Appleton Street in Appleton.

Houdini was the most famous illusionist of his time and, with apologies to David Copperfield, arguably the most famous magician/escape artist of all time. Among his tricks was making a 10,000-pound elephant disappear while on stage at the Hippodrome in New York City. While not as spectacular as making an elephant disappear, a company named SWIFT Guard has introduced a product Houdini might have appreciated: deception management technology.

Deception is one of the latest tools being used by advanced practitioners of cybersecurity. Basically, it uses advanced luring techniques and engagement servers to move an attacker away from valuable company servers to decoy targets. It’s an outgrowth of the use of honeypots to attract attackers and get to know their methods. A honeypot is a server or computer that to an attacker appears to be an integral part of an organization’s network but actually is there as bait for hackers.

An Israeli-based cybersecurity firm named Illusive Networks is pioneering employment of sophisticated deception management systems. CEO Shlomo Touboul explains the process: “On each and every machine we plant many deceptions and credentials such as web credentials and databases that don’t exist. If the attacker touches a deception and tries to use it to do a lateral movement, we detect it, report it to the security team and launch a forensic app in return, taking 360 degree view of him, in real-time.” The company claims it will catch intruders early on; the only question is just how early. Once Illusive Networks has detected an intruder, it can either kick the intruder out or follow the intruder to learn more about where they’re coming from and how they work.

Houdini’s legendary feats included many breathtaking escapes from seemingly impossible situations. If Illusive Networks and other firms can use deception management to help extricate the world from the tightening cyber straitjacket, they too may become the stuff of legend.

By Tom Davis, SDI Cyber Risk Practice

October 4, 2016