Exploring the Cybersphere – July 2016

This week in our blog, we offer a snapshot of cybersecurity, privacy and data security news of interest to the executive suite. Periodically, we’ll recap insights from the growing cadre of voices in this space as well as lend our own views on the issues that impact executive governance of cyber risk and response.

As sizzling summer temperatures scorch much of the North American continent I hear the faint echoes of Martha and the Vandella’s 1963 hit “Heat Wave.”  So, for those of you who’ve been “Tossin and Turnin,”  here’s a reminder of “What’s Going On.”

“Help!”
How To Use Threat Intelligence Intelligently
Dark Reading

Sometimes the best threat intelligence strategy is to not bother adopting it at all. “You probably should not be using threat intelligence unless you can act on it,” Jason Trost, vice president of threat research at threat intel firm Anomali, said this week. “If you can’t act on it, it’s probably not worth consuming that data.” Trost, who was a panelist on the Collecting and Using Threat Intelligence Data panel in this week’s Dark Reading Virtual Event, was making a point about one of the biggest problems with the way organizations approach threat intelligence: they often sign up for feeds and services without the resources or mechanisms in place to actually use the resulting information they receive.

It’s Time To Think Of Cybersecurity As A Business Enabler
Forbes

Last year, CIO, CSO and PricewaterhouseCoopers released a new Global State of Information Security survey, which polled more than 10,000 executives from 127 countries about IT security. The results were a mixed bag, with security incidents up 38% over 2014 but corresponding budgets rising only 24%. The survey reflected broad thinking about how companies are trying to defend themselves from hackers as well as employees, the most often cited sources of security compromises. But despite the continued growth in hacks and other security incidents, there were some important signs that security threats aren’t being taken seriously enough at the executive level. For one, the poll found that only 45% of boards participate in overall security strategy.

Why Old IT Assets Create New Security Problems
CIO Insight

If the daily drumbeat of hacks and cyber-attacks accomplish one thing, it’s raising everyone’s anxiety level about cyber-criminals. Although outside risk is a major cause for concern, much of the potential danger resides within an organization—and this extends beyond insiders who wittingly or unwittingly breach protocols and systems. The culprit? Out-of-date and non-compliant software and hardware assets. This leaves the enterprise door wide open for outside and insider breaches, which take advantage of known flaws in software and assets. The root of the problem? Because legacy software and hardware are no longer supported by a vendor, patches and fixes aren’t available—or aren’t easily fixed.

“It’s All in the Game”
6,000-man North Korean hacker army collects $866 million per year
The Stack

Experts in South Korea estimate that North Korea’s hacker army numbers more than 6,000 people and earns $866 million US per year through online gambling websites and cyber espionage. Officials at a South Korean information security conference yesterday warned that North Korean cyber attacks have progressed from humble origins, and are becoming bigger and more daring. Yu Dong-yeol, the Director of the Korea Institute for Liberal Democracy in Seoul, estimated that the hacker army in North Korea is currently made up of 6,800 trained specialists, 1,700 of whom are categorized as ‘mission personnel’, employed at Bureau 121, the cyberwarfare division of the country’s General Bureau of Reconnaissance. The hackers run online gambling operations in addition to other businesses, including the acquisition of encrypted files which are then sold in cyber-espionage schemes. These cyber schemes earn the North Korean government a combined total close to $1 billion per year.

How Bad is the North Korean Cyber Threat?
Hack Read

A few months ago, United States General Vincent Brooks warned the Senate about the growing threat from North Korean cyber-attacks, saying, “While I would not characterize them as the best in the world, they are among the best in the world, and the best organized.” In the past, the hermit kingdom has been called one of the “least network-ready and most isolated societies on the planet,” but now, it may actually be one of the biggest threats to international cyber security. The country of 25 million people is still technically fighting the civil war that started more than 60 years ago. The regime has been imposed with heavy sanctions, and they do not provide an economy that allows most citizens to obtain the basic necessities to live. Reports say that electricity is sparse, and only lasts a few hours a day…Even the few privileged citizens who can afford consistent electricity and a computer, are forbidden from accessing the Internet. Only tourists and citizens with permission can access the internet, everyone else needs to use the“Kwangmyong” Intranet, which is completely controlled and monitored by the state.

“Another One Bites the Dust”
China hacked the FDIC – and US officials covered it up, report says
CNN Money

China’s spies hacked into computers at the Federal Deposit Insurance Corporation from 2010 until 2013 — and American government officials tried to cover it up, according to a Congressional report. The House of Representative’s Science, Space and Technology Committee released its investigative report on Wednesday. It presents the FDIC’s bank regulators as technologically inept — and deceitful. According to congressional investigators, the Chinese government hacked into 12 computers and 10 backroom servers at the FDIC, including the incredibly sensitive personal computers of the agency’s top officials: the FDIC chairman, his chief of staff, and the general counsel. When congressional investigators tried to review the FDIC’s cybersecurity policy, the agency hid the hack, according to the report.

It Don’t Mean a Thing (If It Ain’t Got That Swing)
The first big Internet of Things security breach is just around the corner
ZD Net

There was a time when the only device you had connected to your network was a PC. Then laptops with a wireless connection came along — then after that, smartphones and tablets.

But the connected revolution hasn’t ended there. Gartner estimates that currently 5.5 million new ‘things’ — devices from toasters and kettles to cars and hospital equipment — are being connected to the internet every single day, and they will total 6.4 billion by the end of the year. That figure is up from 3.8 billion in 2014, and 5 billion in 2015 and is expected to rise to over 20 billion Internet of Things (IoT) devices being connected to the web in 2020.

IOT Insecurity: Pinpointing the Problems
Threat Post

It’s a coin toss whether or not that Internet of Things device you depend on is secure. Those unacceptable 50/50 odds come from a survey by IOActive where technology professionals were asked about the security of connected devices from thermostats, security cameras to alarm systems. Those numbers may be hard to swallow, but recent headlines concerning connected devices, sensors and controls – ranging from SCADA, IoT and M2M – suggests that what might seem like chicken-little opinions about IoT security may not be too far from the reality. A study by HP’s security unit Fortify found that 70 percent of popular consumer IoT devices are easily hackable. When Kaspersky Lab examined industrial controls systems exposed to the Shodan search engine it found seven percent of 172,982 ICS components vulnerable to attack had “critical” issues. “On the IoT continuum we are about 15 percent in,” said Chris Poulin, research strategist, IBM X-Force Security. “A common refrain from the business is ‘I don’t know what I don’t know’ when it comes to IoT security. The industry is evolving. To some extent we are just trying to figure out what’s a real threat and what is fear, uncertainty, and doubt.”

By Tom Davis, SDI Cyber Risk Practice

July 26, 2016

active