This week
YOLOsec, FOMOsec, business value and reducing the cost of control
A great read from Kelly Shortridge this week on #YOLOsec (careless disregard for future security issues) and #FOMOsec (the need to perfectly protect everything). There are plenty of astute observations about infosec as a profession* (and that personally frustrate me when I come across them!) Ultimately both are presented as either end of a spectrum, where neither contributes successfully to business strategy.
It reminded me of a post by Phil Huggins (on his Black Swan Security blog) about the ‘value of security’. People that generate value do it by either sustaining existing value (operating current systems), improving existing value (increasing resilience or efficiency), or by creating new forms of value (creating new products or services).
I often see a split of security responsibilities in clients. ‘IT’ security teams have an internal organisational lens and focus on protecting current value generation (sustain and improve), with ‘product’ security teams more closely engaged in protecting future generation (improve and create).
Many businesses do not have software engineering teams and no need for ‘product’ security in the engineering sense. I see it as a sign of maturity where organisations do have an ‘IT’ security team looking a software engineering, or have an established function for that purposes.
Kelly’s rallying cry is to eschew the trappings and lures of YOLOsec and FOMOsec for a better focus on business outcomes. I see that correlating well with a shift from what Phil describes as protecting current to future value generation (a more strategic outcome).
‘Nailing the basics’ should be core to sustaining current value generation. This is where not reinventing the wheel comes in and practising core competencies until they become second nature. This should throw up plenty of ways that security controls can be improved thereby improving current value generation.
Phil Venables’ explores the concept of raising the baseline level of control by reducing its cost: commoditising controls by relentlessly focussing on improving — be it adoption, effectiveness or efficiency — of a smaller set of things that allow you to flood your environments with these controls. (This is also the basic premise behind all of Elon Musk’s ventures: relentlessly focus on improvements and stimulating demand to the point where it becomes cost-effective, even for space travel).
This frees up more resource (time, management attention, effort) to focus on future value generation and the longer-term, strategic outcomes of the business.
Good reads, all three of these!
* I think there is plenty we can learn from the healthcare profession, some of this is well summed-up in analysis of the “Vulnerability Hypetrain”: The stated motivation for the vulnerability hypetrain is to protect users in the surrounding countryside. But, well, COVID-19 was not named LungTempest, and we do not see pharmaceutical companies publishing blog posts by self-proclaimed rockstars about how to improve the scalability or functionality of LungTempest so amateurs can DIY their own virus with a bit of copy pasting and tweaking
swagitda.com, blackswansecurity.com, philvenables.com
Interesting stats
65% reduction in ransomware insurance claims after an insurance company started scanning and reporting on exposed RDP servers of insureds bleepingcomputer.com
Other newsy bits
A couple of couple of interesting reads this week looking at the impact of cyber security in life and conflict and evolution of hacktivism…
Nile cyber wars and ‘nationalism’ cyber threat
H/T to Tim for this interesting read on how citizens and activist groups are taking to cyberspace as tension grows of water security in the Nile basin. Examples of hacktivism and website defacements and TikTok meme-warfare abound in the first few paragraphs.
Water security is a significant regional issue for the countries through which the Nile River flows. Controlling water flows (and conversely crop yields and avoiding drought) is a big deal. Far from the corridors of the United Nations, embassies or other foreign relations discussions, it’s an interesting reminder of how national pride and personal capability can manifest as a low-level pseudo-national cyber threat. foreignpolicy.com
Details of 1K Belarus police officers leaked
Sticking with civic participation… In Belarus, where disputed national election results have led to over a month of protests, with the police have been used by incumbent President Alexander Lukashenko to crackdown on protestors, with widespread reports of police violence and unwarranted detentions.
Now details of 1,003 ‘high ranking’ police officers have been leaked. Names, dates of birth and job titles were included, with people being invited to share “personal information (addresses, phones, car numbers, habits, mistresses/lovers)” about those listed so that “No one will remain anonymous under a balaclava.”
This is a more evolved form of hacktivism aimed squarely at holding law enforcement accountable. That is, of course, a good thing, though once the information is out, it’s out, and data leaks and anonymous speculation are not equivalent to due process. zdnet.com
In brief
Attacks, incidents & breaches
- Tyler Technologies, a Texas-based government technology services company, has experienced a ransomware outbreak and is asking customers to reset support desk passwords krebsonsecurity.com
- Shopify has fired two helpdesk employees for stealing names, addresses and order details from ‘less than 200 merchants’ on the platform techcrunch.com
- Gym company Town Sports left spreadsheets including personal data and billing history of 600,000 customers on unprotected server techcrunch.com
- KuCoin the latest cryptocurrency exchange to get compromised, attackers made off with $150M of virtual currency zdnet.com
Threat intel
- Microsoft reporting vulnerability dubbed ZeroLogon being exploited in the wild krebsonsecurity.com
- Israel and United Arab Emirates announce cyber-defence pact cyberscoop.com
- UK can “degrade, disrupt and even destroy” enemy critical infrastructure, according to top general in rare public acknowledgement of offensive cyber capabilities ft.com, theguardian.com
- New ransomware group, dubbed OldGremlin, targeting Russian businesses cyberscoop.com
- CISA warns of ‘notable increase’ in use of LokiBot malware since July zdnet.com
Vulnerabilities
- 25 high-severity vulnerabilities in September’s IOS and IOS XE software updates from Cisco, get patching zdnet.com
Security engineering
- Lesson to learn from TikTok: multi-factor authentication needs to apply everywhere your users log in (it only applied to the app, not web logins, and has pledged to fix it) zdnet.com
- Some useful tips here from ContextIS for those of you using WSUS, the enterprise tool that lets organisations select and manage Windows patches. Check that you have HTTPS configured, but, crucially, if you use user-level (as opposed to system-level) proxy settings then updates may not work following the September update contextis.com
Internet of Things
- Hacking Smarter’s connected coffee pots: funny, but low-threat arstechnica.com
Privacy
- Spainish highways agency using mobile phone data to monitor speeding hotspots theregister.com
- Strava ‘FlyBys’ link you with other people you cross paths with while exercising, on by default bleepingcomputer.com
Law enforcement
- Former Cambridge Analytica CEO, Alexander Nix, has received a seven-year ban from being a company director after not disputed that his companies offered ‘potentially unethical services’ interfering in elections techcrunch.com
- Polish law enforcement arrest four members of ‘super-group’ for ransomware, SIM swapping, malware distribution, banking fraud and bomb threats zdnet.com
- UK national Nathan Wyatt, aka The Dark Overlord, gets five-year US prison term, ordered to pay $1.5M in restitution, after pleading guilty to cyber crimes cyberscoop.com
Mergers, acquisitions and investments
- CrowdStrike to acquire Preempt Security for $96M to boost zero trust and conditional access tech zdnet.com
And finally
Windows XP source code leaked
What appears to be a significant portion of Microsoft’s Windows XP source code has been leaked on 4chan. While the operating system is well past its sell-by date it wouldn’t be surprising if significant parts of it are still present under the hood of more recent Windows OS’. That may make it easier to find vulnerabilities, especially as the (well commented) code seems to point out where these can be found, with @tamas_boczan quickly pointing to the function that was exploited by the NSA’s infamous EternalBlue exploit. theregister.com