Tag Archives: threat

Highlights of Cisco 2014 Annual Security Report

[chart image: cybercrime hierarchy]

  • Report focuses on exploiting trust as thematic attack vector
  • Botnets are maturing capability & targeting significant Internet resources such as web hosting servers & DNS servers
  • Attacks on electronics manufacturing, agriculture, and mining are occurring at 6 times the rate of other industries
  • Spam trends downward, though malicious spam remains constant
  • Java at heart of over 90% of web exploits
  • Watering hole attacks continue targeting specific industries
  • 99% of all mobile malware targeted Android devices
  • Brute-force login attempts up 300% in early 2013
  • DDOS threat on the rise again to include integrating DDOS with other criminal activity such as wire fraud
  • Shortage of security talent contributes to problem
  • Security organizations need data analysis capacity

Top themes for spam messages:

  1. Bank deposit/payment notifications
  2. Online product purchase
  3. Attached photo
  4. Shipping notices
  5. Online dating
  6. Taxes
  7. Facebook
  8. Gift card/voucher
  9. PayPal

Cisco 2014 Annual Security Report

Rats on the West Side, bed bugs uptown

[chart image: enisa20122013trends]

The just-released 2013 ENISA (European Union Agency for Network and Information Security) Threat Landscape report is consistent with Mick Jagger’s prescient 1978 prediction of the state of cybersecurity, captured here:

Don’t you know the crime rate
Is going up, up, up, up, up
To live in this town you must be
Tough, tough, tough, tough, tough

A number of known threats continue, attack tools are increasingly sophisticated, more nation-states are becoming proficient with these tools, and the mobile ecosystem is a ripe new battlefield. On the upside, reporting and information sharing between organizations has increased, and vendor turnaround in response to new vulnerabilities is faster.

I can’t give it away on 7th avenue — cheap and plentiful devices

In 1969 Jagger-Richards revisit uncertainty & remind us that we can’t always get what we want

While known to be a factor for some time, a newcomer to the threat list is the Internet of Things (IoT). The IoT consists of networked devices that move, control, sense, surveil, capture video/audio, and otherwise collect and share information from and with their environment. Development tools and production for these networked devices and systems are cheap, and billions more are expected in the next couple of years. (There’s even a conference preparing a road map for a trillion sensors in the next several years.)

Low security is the rule rather than the exception for these devices, and large amounts of data are being generated. The ENISA report says, “smart environments are considered the ultimate target for cyber criminals.” For example, preliminary work for phishing attacks can be augmented by gaining information about where a victim’s smart home is, picking up information leakage from their integrated media devices (Xbox One is doing more than just playing Halo), accessing what a user’s energy usage profile might be, etc. ENISA calls out the following top emerging threats in the Internet of Things space:

[chart image: enisaiot]

Other threats identified include:

  • Differences among the many smart appliances lead to large variances in the context and content of transmitted data, opening avenues for cybercriminals.
  • Devices are built on embedded systems, some of which have not yet been widely deployed. Some of these embedded cores (of many different types and manufacturers) will have unknown and unpublished functions, and many will be difficult to maintain (keep patched). Look at the recent D-Link saga.
  • Many devices built on embedded systems do not communicate operational status to the user, e.g. “I am working,” “I am actively collecting data on your environment,” “I am behaving erratically,” “I am off,” etc.
  • Increased data creation leads to increased data storage, data concentration, and correspondingly higher bandwidth requirements/loads. Even a little bit of analysis can result in a significant increase in resources. Remember the basic database join (or the even simpler Cartesian product)? You start with three elements in one list (A,B,C), but want to relate them to data in another list (D,E,F), so you relate them in a third table and you have (AD,AE,AF,BD,BE,BF,CD,CE,CF). If each element used, say, 1 MB of space, and each combined pair carries both of its elements’ data, your initial storage and bandwidth requirement quadrupled from 6 MB (A + B + C + D + E + F) to 24 MB (A + B + C + D + E + F + AD + AE + AF + BD + BE + BF + CD + CE + CF).

For me, the other thing about Internet of Things (IoT) devices is that we often don’t really think of them as sensing, computing, analyzing, data collecting and transmitting devices. Many seem innocuous and, often, we don’t even know they’re there.

Life’s just a cocktail party

Finally, assuming that these IoT devices have already been vetted by somebody else (like the store we bought them from) is, unfortunately, flawed logic. Businesses large and small will be rushing to market with typically insecure devices, and they won’t be taking the time to analyze all of the use cases of how their product could be misused. As consumers, we need to develop the skill of asking, ‘How could this device be misused?’ Most of us aren’t used to thinking like that. A family in Texas learned that the hard way a few months ago with their baby monitor. In general, if a device operates over the network and we can see it, then somebody else can see it.

Shadoobie.

[chart images from http://www.enisa.europa.eu/activities/risk-management/evolving-threat-environment/enisa-threat-landscape-2013-overview-of-current-and-emerging-cyber-threats]

Lions and Tigers and Bears

In this age of exponentially growing information risk, we can become like Dorothy was early in her journey and focus only on the things that can go wrong. We can get so caught up in what can go wrong that we forget to take inventory of what needs to go right.

Lions and tigers and bears ...

Over lunch recently, a friend of mine with a career in risk management shared a helpful perspective on this. Instead of always approaching risk as trying to think of everything that can go wrong, think of what must go right first. That might sound like two sides of the same coin, but I think it is more than that. This approach helps to prioritize efforts and resources.

It’s easy to get caught up in trying to create an exhaustive list of everything that can go wrong. A problem with this is that it can:

  1. be overwhelming to the point of analysis paralysis, and
  2. tend to identify risk that may not be relevant to your situation.

There are some risks that may not be immediately pertinent to you. For example, the latest specification for encryption of data at rest for DOD contractors might not be at the top of your list. However, having an always-on internet connection so that you can make company website updates might be.

Take the hypothetical of a bike shop with three stores. Some things that must go right for the owner might be:

  • Internet connection constant for running credit cards
  • Customer information (to include personally identifiable information) retained for billing and marketing and only accessible by authorized employees
  • Bookkeeper has secure connection to financials from outside the stores
  • Safe, secure workstations available 6:00 am – 6:00 pm for employees
  • 24/7 access to current inventory across all stores

These are some pretty basic requirements, but they help to prioritize need. Looking at these requirements for things to go right, what are the things that can prevent them from happening? What’s the risk of loss of internet connection? Are we sure that customer information is available only to authorized employees? What kind of connection is the bookkeeper using? Do the workstations have regular anti-virus updates? Are there policies/guidelines on workstation use by employees? If the computer with the store inventory fails, is there a backup? How quickly does it need to be recovered?

In spite of the risks of lions, and tigers, and bears, Dorothy was able to return to her mission and seek the Wizard. We must do the same and not lose sight of our business objectives in our analysis of the lions and tigers and bears.

Can you name 5 things in your organization that must go right for you to be successful? What vulnerabilities do these objectives have? What threats do they face?