Robin’s Newsletter #116

6 September 2020. Volume 3, Issue 36
Benchmark data from Hiscox's Cyber Readiness Report 2020, MIT's SCRAM, US federal vulnerability disclosure policies, CEO responsibilities and Tesla's fleet-wide hack.

This week

Hiscox Cyber Readiness Report 2020

Hiscox’s Cyber Readiness Report 2020, released recently, marks the fourth edition and provides some interesting insights that may help organisations assess and benchmark their security posture. Over 5,500 respondents participated in this year’s report.

Spending on cyber security increased by 39% in the last twelve months across respondents, with UK firms reporting 12%, and US firms 14%, of IT budget being spent on cyber security. Micro businesses, with <10 employees, spend $13,000 on cyber security, while 1,000+ employee organisations average $8 million.

The number of cyber events was split out this year between incidents (any event that does not succeed in compromising the confidentiality, integrity or availability of information) and breaches (successful compromises of the confidentiality, integrity or availability of information, that result in a material loss). The median numbers where an event was reported are 50 incidents and 15 breaches. Including those who did not report an event and “don’t knows” this drops to 20 incidents and 6 breaches.

The median total financial impact of cyber incidents across all respondents is $57,000, representing a six-fold increase, and with a median largest single incident of $4,200.

I was interested to see other consequences of cyber incidents being explored with 15% reporting difficulty in attracting new customers, 11% reporting losing customers, and 12% losing partners following a cyber incident.

Ransomware remains a common issue faced by organisations: 350 respondents reported having paid a ransom, with their combined losses totalling $381 million. A clear indication of the lucrative payday being chased by cyber-criminals.

Comparing cyber to other business risks (and with an insurance spin on it), Hiscox reckon that UK organisations are 15x more likely to have a cyber incident (~1/3) than fire or theft (~1/20).

Interesting stats

18.59% of typo squatting domains distribute malware or conduct phishing attacks, according to Palo Alto Networks

… in related news… 78% of phishing sites now use SSL, meanwhile $80,183 average attempted wire transfer in Business Email Compromise scams in Q2 2020, up from $54,000 in Q1 2020, according to Anti-Phishing Working Group (APWG) (PDF)

81% of consumers will share basic personal information in exchange for personalisation from a brand

Direct costs of the digital divide: $1.8BN the cost to replace Huawei and ZTE equipment used within US mobile networks, according to the FCC, with 88% being funded by taxpayers, or just over $11 per person

Other newsy bits

Gartner: CEOs will increasingly be personally liable for cyber-physical incidents

A research paper from Gartner forecasts that 75% of Chief Executive Officers will be personally (rather than corporately) liable for serious incidents from cyber-physical systems in the next four years. “Regulators and governments will react promptly to an increase in serious incidents resulting from failure to secure [cyber-physical systems],” says research VP, Katell Thielemann. Cyber-physical systems include the increasing amount of connected IT, operational technology and IoT being used by organisations to improve efficiency. The financial impact from serious incidents, including compensation, fines and litigation, but excluding loss of human life, is expected to top $50BN by 2023, according to the analyst. Existing regulations, across a variety of sectors, build on the concept of the fiduciary duty to act with due care, diligence and skill. The balance of risk and opportunity of connected industrial systems is not always properly understood, especially when retrofitting new technologies and remote access to heritage industrial processes installed decades ago.

CISA mandates Vulnerability Disclosure Policy for all US federal agencies

The US Cybersecurity & Infrastructure Agency has issued a memo requiring all federal agencies to implement a Vulnerability Disclosure Policy (VDP) within 180 days. VDPs provide a way to publicly explain and engage good samaritans and security researchers that identify weaknesses in the organisation’s systems. Often they may be paired with a ‘bug bounty’ scheme that offers a financial reward, though the two are distinct concepts. The challenge for agencies will be to ensure the policies are backed up by the appropriate resource and process. Creating a page on your website and an email address is a far cry from being able to effectively and efficiently deal with submissions. Luta Security has a neat maturity model for organisations looking to apply more structure around public engagement on their security posture.

SCRAM: Secure Cyber Risk Aggregation and Measurement

Researchers at MIT have published an interesting-sounding paper on a platform they have developed to help enterprises with their cyber security investment decisions. The SCRAM platform aims to quantify and benchmark security postures and analyse whether cyber security is being given an appropriate budget. Partly it’s a design in secure information sharing (allowing potential competitors to share sensitive cyber information without the other being able to read the juicy details). I haven’t had a chance to read the whole paper yet; drop me a line if you do and have any thoughts: @RTO.

In brief

Attacks, incidents & breaches

  • Warner Music Group online store compromised with MageCart style malware for almost four months
  • Thanos ransomware deployed against Middle East and North African government targets in July had a master boot record wiper, pointing to it being cover for a more destructive attack

Threat intel

  • DNS DDoS attacks targeting European internet service providers in the Benelux region motivated by financial ransom demands
  • Phishing campaigns, focussing on fake ‘quarantined email’ are loading company websites behind login overlays to try and increase legitimacy
  • Threat group Pioneer Kitten, believed to be contracted to the Iranian government, is selling access to networks on underground forums, presumably when no longer needed for intelligence purposes


  • Bug in SonicWall’s cloud-based Global Management System potentially allowed access to any customer’s network administration interface
  • Critical vulnerability in WordPress’ File Manager plugin being exploited in over 300,000 installs
  • Cisco working ‘ASAP’ on fix for bug in routers with IGMP enabled

Internet of Things

  • Interesting write-up of a bug report from three years ago that gave control over every Tesla in the world
  • Voluntary code of practice for Securing the Internet of things for Consumers released by Australian government


  • Threat intel firm HYAS is buying location data to track attackers ‘to the doorstep.’ Attribution of cyber-attacks is often an art, rather than science, and this strikes me as a more extreme form of TI that’s rooted in pretty murky privacy practices
  • Amazon’s Ring doorbells give law enforcement significant surveillance capabilities through its Neighbors programme (vol. 2, iss. 50). Now the FBI is warning police of risk scenarios to them from the same devices where law enforcement are considered ‘unwanted visitors.’
  • Apple has blinked on privacy changes to app-tracking, delaying the introduction to 2021 following pressure from advertising companies like Facebook who warned last week that “Apple’s updates may render Audience Network so ineffective on iOS 14 that it may not make sense to offer it on iOS 14”

Public policy

  • Recommendations made to overhaul ‘antiquated’ UK Official Secrets Act that covers confidentiality of sensitive UK government information

Law enforcement

  • Bryan Herrell has been given an eleven-year prison sentence for running the dark web marketplace Alphabay

Mergers, acquisitions and investments

  • BGH Capital-backed CyberCX has acquired New Zealand pen test firm Insomnia Security

And finally

Protecting space systems

The White House has published new rules to establish a baseline of cyber security protections for spacecraft and systems. Top marks to Catalin Cimpanu at ZDNet for pointing out that they are missing a crucial aspect: protecting thermal exhaust ports.

I am not a robot

Thanks to Ed for sending me this one: perhaps captchas - the widgets that ask you to prove you are a human - are approaching this all wrong?

“I am sick and tired of ticking the “I am not a robot” box on internet sites. It should be changed to “I am a robot”, so that only robots need to bother with it, saving humans valuable time. It’s why we build the bloody things, after all.”
