1.) Tony Stark Has Jarvis. And Now IBM Has Havyn (February 13, 2017)
Summary: IBM is testing a Cybersecurity interface that started as a weekend project for “IBM master inventor” Mike Spisak and his son Evan. The premise of the interface is to respond to voice commands, rather than requiring typing, in order to simplify tasks and allow multi-tasking for analysts within the field of cybersecurity. As analysts use the interface more, the system will likewise learn what information cybersecurity analysts often search for in order to predict the information needed by a cybersecurity operations center.
Why it matters: One of the biggest current challenges in cyber security today is a shortage of trained professionals to fill a quickly expanding roster of positions. Technologies such as Havyn are one solution to the problem, adding AI to the SOC to give cybersecurity professionals more methods to get more work done faster.
2.) How the Private Sector Can Remake US Cybersecurity (January 31, 2017)
Summary: In this commentary, it is recommended that the current administration improve the cybersecurity of American infrastructure by working with the private sector to improve “Active Defense” solutions. Recommended solutions range from uncontroversial methods such as honeypots to potentially illegal solutions such as “white-hat ransomware,” or encrypting data on foreign systems in order to protect proprietary information. Potential pitfalls and suggestions to overcome these hurdles are also discussed.
Why it matters: Attacks against the private sector from advanced threat actors such as those backed by nation-states are only going to become more common as time progresses, and how information systems and assets are protected in the private sector will require an overhaul. While an overhaul may not be controversial, whether or not companies should have any right to engage in the more aggressive forms of “active defense,” such as botnet take downs and white-hat ransomware is contentious. These types of actions have the potential to launch counter strikes against assets and systems caught in the crossfire, such as command and control servers that have been hijacked from an otherwise innocent third party. The government must have some hand in these sort of actions in order to legitimize the attacks, and ensure the private sector does not cause international incidents.
3.) Over One Million WordPress Sites Defaced (February 13, 2017)
Summary: Due to the recent disclosure of an unauthenticated privilege escalation vulnerability in WordPress that requires patching to remediate, over one million sites using WordPress have been defaced due to not having the automatic update cycle enabled within WordPress. Over 20 separate campaigns have been tracked since February 6, 2017, with multiple campaigns competing with one another to take credit for defacements.
Why it matters: A reinforcing message to the previous article, this high number of defacements across the internet shows that the private sector still has a ways to go in preparing themselves for handling cyber adversaries. In all cases, automatic patching was disabled – this is a basic cornerstone of good operational security that was not practiced by these organizations and users. While it is important to build a strong policy for private businesses to protect themselves, it is doomed to fail if it does not address these types of basic shortcomings found on so many areas of the internet.
4.) 4 Signs You, Your Users, Tech Peers & C-Suite All Have ‘Security Fatigue’ (February 9, 2017)
Summary: This article discusses some of the most common forms of “Cybersecurity Fatigue” that face organizations today, describes worst-case scenario if these symptoms are not addressed, and how to fix them. The overall message of the article illustrates the need to “adopt a new mental model about security and to develop new habits that support that mental model.”
Why it matters: This article does a great job pinpointing some of the problems that Information Security professionals must contend with on a day-to-day basis – among them, human behavior. While technical controls don’t often stop due to fatigue (a firewall does not open a port that was previously closed because a lot of the packets it rejected looked okay), humans do eventually let their guard down. The challenge of user awareness training is to convince your user base that they need to always be vigilant.
5.) Windows Trojan Hacks into Embedded Devices to Install Mirai (February 9, 2017)
Summary: Attackers are now using Windows and Android malware to hack into embedded devices that are not directly exposed to the internet. This technique dispels previous notion used by IoT vendors that a device on a LAN that was not directly connected to the internet was much more secure, and if it becomes popular, could greatly increase the size of the already burgeoning Mirai botnet.
Why it matters: Once again, business-minded innovation and strategy used by cyber criminals is changing the threat landscape in their favor. Much like a business, someone has found an “undertapped” market of IoT/embedded devices that can generate a greater profit, and designed the tools to take advantage of them. The previous belief that the LAN was somehow safer from botnets because it didn’t directly touch the internet will quickly disappear as more cyber criminals adopt this technique, further pushing the need for a more mature security process and centralized security management for IoT/embedded devices.
6.) What Tallinn Manual 2.0 Teaches Us About The New Cyber Order (February 9, 2017)
Summary: This article summarizes the release of the Tallin Manual 2.0. Written in collaboration with practitioners from 20 nations, and facilitated and led by the NATO Cooperative Cyber Defence Centre of Excellence, the Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations was released on February 8, 2017. Expanding on the work of the Tallinn Manual released in 2013, the current issue focuses beyond the previous mapping of international law to the most severe cyber operations (those that violate the prohibition of the use of force in international relations), adding legal analysis for the more common cyber incidents that states encounter of a day-to-day basis.
Why it matters: This manual is definitely a sign of the times – while cyber operations can still be weaponized into a devastating weapon on par with other wartime devices, the focus on this publication seems to be more in line with identifying correct legal action for events similar to those experienced by the U.S. in the DNC Hack and other events during the 2016 presidential campaign. In addition, European countries such as Germany and France are already on high alert for indicators of interference during their upcoming elections from nations such as Russia, pointing to how common cyber operations focused on humiliating your opponents and spreading disinformation are likely to become.
7.) Smart TV Manufacturer Vizio Fined $2.2M for Tracking Customers (February 7, 2017)
Summary: Smart TV Manufacturer Visio has been fined $2.2 million by the Federal Trade Commission for tracking their consumers without their consent. Using a “second-by-second” transmission from the smart TVs to the company that recorded consumer viewing habits, this information was also tracked with information corresponding to customer’s “sex, age, income, marital status, household size, education level, home ownership and household value.” Tracking had been enabled by default since 2014 on most Vizio televisions, and in some instances was installed remotely by the company after the purchase of TV sets.
Why it matters: As smart technology continues to proliferate our everyday devices, from TVs and refrigerators to items such as hair brushes, there will likely be a rise in court cases like this where companies try to build additional revenue into their products through the use of researching consumer habits. The potential for revenue is too great – with so much information accumulated through various sectors of industry and the promise of finding correlations in data that could give a company an advantage, it’s likely that industries will continue these questionable practices.
8.) Former NSA Contractor may have Stolen 75% of TAO’s Elite Hacking Tools (February 6, 2017)
Summary: Federal prosecutors are expected to seek an indictment against a former National Security Agency (NSA) contractor who is accused of carrying out the theft of 50 terabytes of classified information. This stolen information may have included more than 75 percent of the hacking tools used by Tailored Access Operations, an elite hacking unit that develops and deploys software exploits on behalf of the NSA. While the motivation for the theft is unclear, the recent series of leaks of NSA-developed exploits by a group calling themselves the Shadow Brokers has brought into question if the contractor provided this information to nation-state threat actors.
Why it matters: This story is fascinating due to the magnitude of information that was stolen, as well as some interesting questions that have come up as a result – specifically, was this massive theft related to the leaks perpetrated by the Shadow Brokers, and if so, was it due to handing information off directly to the group, or something else? It’s suspected that the Shadow Brokers are a state-sponsored threat actor, meaning it’s not outside the realm of possibility that these threat actors had intel that this contractor worked for the NSA, and determined it would be easier to exfiltrate the data from his home network instead the NSA’s networks. A great example of why organizations need to ensure their data is not wandering off the network – it may be secure on the network, but not on an employee’s home computer.