By Colby Proffitt
1.) Graves: ‘Active defense’ bill will launch a new industry (November 27, 2017)
Summary: One of the authors of a controversial “hack back” bill in Congress believes the legislation can launch a new industry around “active defense” that allows companies to strike back against hackers who steal data.
Why it matters: Attribution is one of the biggest challenges to cyber conviction. Due to the nature of cyber crimes, and the ever-evolving and increasingly clever tactics employed by cyber criminals, it’s hard to know with 100% certainty who is responsible. Plus, it’s not uncommon for uninvolved parties to claim responsibility as a badge of honor or another highlight on their resume. Hacking back may be an effective cyber deterrence solution, but unless Rep. Graves and his staff have a solution to the attribution problem, organizations that engage in hacking back run the risk of targeting the wrong individual or nation-state.
2.) DOD exposed data stored in massive AWS buckets (November 20, 2017)
Summary: A security researcher at UpGuard found exposed data in Amazon Web Services’ cloud storage buckets. And once again, the data belongs to the Department of Defense.
Why it matters: This article digs into various speculations about the sensitivity and validity of the data uncovered – some say the collection of data was just a honeypot to distract adversaries, others say that with enough analysis, it could be dangerous in the wrong hands. What’s more important than those speculations, however, is the fact that data has been exposed again. How many times will this mistake be made until the problems are corrected? Federal organizations need to implement better data security practices, but even if their processes and procedures are flawless, they can’t forget about their weakest link: people.
3.) Will new breach reporting rules make defense firms more secure? (November 29, 2017)
Summary: New information security rules governing defense industrial base firms take effect on Dec. 31. The rules require compliance with the new standard for protecting “controlled unclassified information” from the National Institute of Standards and Technology and set time limits on contractors for reporting system breaches.
Why it matters: These new rules for the DIB are well-intentioned, but time will tell if they have the desired effect. Compromises need to be reported, and these new rules set a 72-hour reporting requirement. As this article points out, that may not always be enough time to complete a thorough investigation and cleanup, and it may distract cyber analysts from other critical tasks. There has to be a balance between box-checking and protocols (compliance) and security. Compliance is important, but being compliant doesn’t necessarily mean you are secure. Optimum security requires flexibility on top of best practices.
4.) AWS unveils security monitoring service (December 1, 2017)
Summary: Amazon Web Services (AWS) this week unveiled a new service called Amazon GuardDuty that the cloud giant says will play an important role in helping keep AWS accounts and workloads safe from cyber criminals.
Why it matters: Amazon is pretty well-known for providing an exceptional user experience. Time will tell if GuardDuty is worth the extra cash, but the idea behind it is on point. One of the reasons organizations and end users break cyber rules and don’t always have the best cyber hygiene is that security can be hard. Doing things securely usually means taking extra time and extra steps to accomplish a task (e.g., finishing a classified document in the office on a classified machine, as opposed to emailing it to yourself so you can finish it at home on your personal PC). Organizations would be well-served by following Amazon’s example and making security as easy as possible for end users.
5.) FBI, DHS Warn of Hacker Mercenaries Funded by Nation-States (November 30, 2017)
Summary: Lines between government-backed hackers and cyber criminals are getting fuzzier, top officials told lawmakers Thursday. That’s one message the FBI wanted to send when it indicted two Russian intelligence officers and two criminal co-defendants for a major breach of the Yahoo email service in March, Director Christopher Wray said.
Why it matters: Some say it’s more important to protect your assets than to spend time trying to identify who tried to steal them. In some cases, that’s true. But, by accurately identifying one criminal, you can accomplish several things: conviction and another bad guy without a keyboard, connections to other criminals and partners, and a greater understanding of criminal and nation-state plans and campaigns. After an attack, the decision to pursue and prosecute is up to the organization, and depends on the damage done, funds potentially required to identify and prosecute, and potential connection to other compromises and ongoing investigations.