Here are a few articles I found interesting this week:

Are data breaches inevitable in a digital age?

“With 93 per cent of large and 76 per cent of small organisations admitting to falling foul of a security breach in the past two years, you would be forgiven for thinking that some form of data loss within business is inevitable. Indeed Iron Mountain research found that more than half (53.3 per cent) of European businesses expect to lose data. As a result, they are unprepared when it comes to protecting company information. This complacency is cause for concern. Many businesses are choosing to insure their business against the financial impact of data loss, rather than doing something to protect against the loss in the first place. Surely it would be more cost effective and better for the long-term prosperity of the business to invest money in closing the gaps in its data-protection programme and keep information from getting into the wrong hands?”

This is a tricky line of thought. On the one hand, as a security professional and educator, I agree that holistic steps should be taken to prevent security breaches and data loss. These steps should be practical and applicable, such as:

  • actionable and appropriate training for all employees in each and every role at the company
  • a secure development lifecycle program (it doesn’t have to be perfect out of the gate; start small and build up)
  • defense in depth applied to infrastructure, products, policies, and procedures

Is breach insurance part of this defense in depth? Is it irresponsible to your employees, investors, or shareholders to “risk it all” in the event of a costly and catastrophic breach? The other side of the coin is that an organization can never be 100% secure. Mistakes happen: people make mistakes, and technology can be confusing and downright frustrating. Compound that same risk across vendors, contractors, service providers, and partners. What about insider threat? In terms of cost, in 2011 33% of CERT’s CyberCrime Survey respondents said that insider threat was more costly than attacks by outsiders and attackers of unknown origin.

Now feel that pang in your stomach when you realize the asymmetry: across all of its attack surfaces, an organization would need to mitigate ALL of the holes before it could be confident that data loss could not occur and that insurance was not just a policy for the inevitable breach, while attackers need to find only ONE issue and worm their way to their goal.

Bank of America says data breach occurred at other company

“Bank of America blamed a data breach on another company that revealed internal emails related to monitoring of hacktivist groups including Anonymous. A group affiliated with Anonymous, which calls itself the "Anonymous Intelligence Agency: Par:AnoIA" released what it claims is 14GB of data belonging to the bank and other organizations, including Thomson Reuters, Bloomberg and TEKsystems.”

Here, we see a breach of a third-party company that reflects poorly on the larger entity, in this case Bank of America. This instance is compounded by the fact that the third party was monitoring hacktivist groups (such as Anonymous), and the breach and release of data was performed by the same group that was being monitored.

Further illustrating my point, the breach was not performed by exploiting a vulnerability in an application, server operating system, or network hardware, but by simply entering a misconfigured server which essentially left the data exposed on the Internet. Vendors, contractors, service providers, partners, and corporations alike would need to stay ahead of all vulnerabilities, malware outbreaks, social engineering attacks, and physical security breaches (including misplaced hardware, backup media, laptops, and mobile devices) in order to be secured to the point where breach insurance would be simply a layer in the defense instead of protection from “the inevitable.”

Old School Malware Writers Resurface With 'MiniDuke' Cyberattack

“In a statement on their Securelist website, Kaspersky said MiniDuke is a very unusual cyberattack. I remember this style of malicious programming from the end of the 1990s and the beginning of the 2000s. I wonder if these types of malware writers, who have been in hibernation for more than a decade, have suddenly awoken and joined the sophisticated group of threat actors active in the cyberworld. These elite, ‘old school’ malware writers were extremely effective in the past at creating highly complex viruses, and are now combining these skills with the newly advanced sandbox-evading exploits to target government entities or research institutions in several countries.”

This prospect is somewhat harrowing. Some of the most prolific and damaging viruses and worms were released through the late 90s into the mid-2000s:

  • 1998: CIH virus was released
  • 1999: Happy99 and Melissa worms
  • 2000: the ILOVEYOU worm hit
  • 2001: Sircam, Code Red, Nimda, and Klez
  • 2002: a short lull
  • 2003: SQL Slammer, Blaster, Welchia, and Sobig
  • 2004: MyDoom and Sasser
  • 2005: Samy MySpace XSS worm, somewhat of a harbinger of the application security exploit boom that transitioned from servers and services to desktops, applications, and web apps

I remember each and every one of the outbreaks above and the struggles we faced, not only as users, but as network admins and application security pentesters. If these same admittedly creative, but ultimately destructive, minds of that era of technological terror are back at the helm during a time of Internet-connected POS devices, smart grid technology, and the mobile device boom, I shudder to think what may become of our financial affairs, critical infrastructure, and communications platforms.

Stuxnet cyberwar malware older than thought

“Stuxnet was thought to have been first used by the United States and Israel in June 2010. But today, researchers at U.S. security firm Symantec announced that the virus has been operating in the wild since 2007, and that a command-and-control server was registered near the end of 2005. The 2007 variant was programmed to create physical damage to a specific uranium enrichment facility; it programmed valves and centrifuges to cause damage by creating improper amounts of pressure in the system. This earlier variant sheds more light on what, exactly, the worm was supposed to do.”

Stuxnet is most interesting because it appears to be the first official foray into the nation-state “cyber warfare” initiatives that are now nearly a daily occurrence in global headlines. China, the United States, Israel, Russia, North Korea, and Iran each issue accusations and denials with such increasing frequency and fervor that the public is now inundated with the concept of “cyber warfare.” However, when news of Stuxnet initially broke in 2010, it was somewhat shocking. Nation-state sanctioned and deployed offensive malware had been hypothesized, but not found in the wild, and certainly not claimed by anyone. Nearly a year later (in May of 2011), culpability was alluded to by White House officials, and then in June of 2012 the New York Times broke the official declaration of Stuxnet’s origins.

Finding earlier variants of the malware offers more insight into the malware itself, the evolution of its goals, the effort that went into the programs that produced it, and how far back in time the operation goes.