Recent Posts

Verizon Data Breach Report: Nine Patterns Cover 92% of Cybersecurity Incidents

Verizon issued this morning its 2014 Data Breach Investigations Report (DBIR) that covers over 63,000 security incidents in 2013 from 50 global participating organizations spanning 95 countries. The top-line finding is that 92% of all security incidents in the past ten years fit into nine categories:  POS Intrusion, Web App Attack, Insider Misuse, Theft/Loss, Misc. Error, Crimeware, Payment Card Skimmer, Denial of Service, Cyber Espionage and Everything Else.  

Based on the 2013 data, public institutions dominate the list of breach or security incidents with nearly 47,500 security incidents, far dominating any other industry, mostly due to the nature of U.S. public agency reporting requirements (see table below, which I created and sorted in Excel).

But filtering out for only those incidents that involved confirmed data loss, the picture looks quite different (again, a sorted table I created in Excel).

Financial institutions rate number one in terms of incidents that feature data loss, with 465 such incidents, followed then by public institutions (175), retail (148), accommodation (137), unknown (126) and utilities (80).

The table above, straight from the report, lists the frequency of type of incidents per victim industry and shows what the graphic at the top of this post more succinctly illustrates - namely that the biggest threats vary from industry to industry.  For 2013, 69% of the threats faced by utilities came in the form of web app attacks or crimeware.  Over half of the attacks (54%) for manufacturing came from cyber-espionage or DOS. Nearly half of the security incidents for healthcare (46%) came from one category:  theft or loss.

In reviewing the past year, Verizon notes a shift in cyber incidents that occurred in 2013, with a well-publicized trend emerging toward attacks on payment systems and away from geopolitical incidents.  "2013 may be remembered as the 'year of the retailer breach,' but a comprehensive assessment suggests it was a year of transition from geopolitical attacks to large-scale attacks on payment card systems.'

SEC Issues NIST-Inspired Cybersecurity Blueprint But Apparently Should Follow One Itself

On April 15, the Securities and Exchange Commission issued an unprecedented blueprint for assessing cybersecurity preparedness in the securities industry, a document that the regulator will use for examining the cybersecurity status of more than 50 broker-dealers and investment advisors.  The SEC issued a detailed but high-level series of questions that will form the basis for the examinations, a document which follows in part the cybersecurity framework issued by the National Institute of Standards and Technology in February, .

The goal is to "help identify areas where the Commission and the industry can work together to protect investors and our capital markets from cybersecurity threats." While this effort is aimed at registered financial entities, the SEC has stepped up its interest in cybersecurity matters more broadly over the past few years, starting with guidance issued to publicly traded companies on how they should discuss cyber risks in their required financial filings.

Moreover, some experts who follow the SEC's interest in cybersecurity say that the agency's Division of Corporation Finance has been quietly stepping up its scrutiny of SEC filings to ensure that companies adequately disclose cyber risks, frequently requesting that companies supply additional information about existing or potential cyber risks.  And late last month the SEC held a cybersecurity round table during which several of the agency's Commissioners raised the prospect of  imposing minimum cybersecurity disclosure requirements beyond those contained in the existing guidance.

Aside from indicating increased interest in cybersecurity, the blueprint is notable because it represents one of the earliest efforts by a regulator to incorporate the NIST framework into a quasi-official action or endeavor. "It's one of the first endeavors that a regulatory body has made to actually begin leveraging the framework in an implementation," Patrick Miller, Partner and Managing Principal of cybersecurity consulting firm The Anfield Group, said.

Although the NIST framework is considered to be a voluntary scheme for improving cybersecurity across critical infrastructure industries, many of the participants in the framework's development, particularly Washington representatives of critical infrastructure asset owners, repeatedly asserted concerns about any language in the framework that might hint at possible regulatory requirements.

Most cybersecurity specialists, however, say that there is little to fear in the SEC's partial reliance on the NIST framework. "The SEC has done a good job of developing a broad set of guidelines for a certain set of companies," Jack Whitsitt, Principal Analyst for energy industry cybersecurity consortium EnergySec, said.  "I think you're looking at baseline cybersecurity stuff" that any decent-sized firm should be prepared to handle, he added.

Miller thinks this reliance on the framework by a government agency could help cybersecurity measures by signaling to regulators in other industries that the NIST framework is a previously absent but much-needed template to help cut through the clutter of conflicting cybersecurity schemes.  "The path will open up…now it will go from a dirt road to a paved road to a two-lane highway," he said, referring to the fact that the SEC's move may give other government agencies more freedom to start leveraging the framework.

The SEC itself might do well to follow its own blueprint.  Yesterday the General Accounting Office (GAO) issued a report that found key weaknesses in the security controls in the SEC's own network, servers, applications, and databases.  Specifically the GAO found weaknesses in the following areas:

  • Access controls: SEC did not consistently protect its system boundary from possible intrusions; identify and authenticate users; authorize access to resources; encrypt sensitive data; audit and monitor actions taken on the commission’s networks, systems, and databases; and restrict physical access to sensitive assets. 
  • Configuration and patch management: SEC did not securely configure the system at its new data center according to its configuration baseline requirements. In addition, it did not consistently apply software patches intended to fix vulnerabilities to servers and databases in a timely manner.
  • Segregation of duties: SEC did not adequately segregate its development and production computing environments. For example, development user accounts were active on the system’s production servers. 
  • Contingency and disaster recovery planning: Although SEC had developed contingency and disaster recovery plans, it did not ensure redundancy of a critical server. 
The primary cause of the SEC's failing grade was the agency's failure to adequately oversee the work of a contractor during the migration of a key financial system to a new location.

NIST Privacy Workshop Aims at 'Wherever Privacy Risks Arise'

(Gaithersburg, MD)  The National Institute of Standards and Technology (NIST) hosted the first of a two-day privacy engineering workshop here today as a follow-on to the February release of its Framework for Improving Critical Infrastructure Cybersecurity.  Based on the first day's general sessions, the scope of NIST's privacy focus appears to be far broader than, and perhaps only slightly connected to, its origins in cybersecurity.

Although the penultimate version of the cybersecurity framework included an extensive privacy methodology appendix, the final version featured a more stripped-down privacy approach in response to the objections of critical infrastructure owners who perceived the original appendix as overly prescriptive. The privacy workshop is intended to help fill in the resulting privacy gaps in the framework, aiming to flesh out what NIST says is the paucity of identifiable "technical standards or best practices to mitigate the impact of cybersecurity activities on individuals’ privacy or civil liberties." 

Despite its origins in the development of a cybersecurity framework, the workshop addresses a wide range of privacy issues, with the discussions encompassing privacy protections across a number of disciplines and industries. Specifically, the focus of the workshop is "privacy engineering," namely to "develop reusable tools and practices to facilitate the creation and maintenance of systems with strong privacy postures," Naomi Lefkovitz, Senior Privacy Policy Advisor, Information Technology Lab at NIST said.

When asked during Q and A whether NIST's approach extends beyond the privacy issues surrounding the cybersecurity framework, Lefkowitz said "we hope this is useful in many disciplines, wherever privacy risks arise".  During the development of the framework, she said "we lacked this whole foundational tool and vocabulary for privacy," NIST "need to step back a do a little more foundational work first."

Although most of the privacy-oriented attendees (few of the attendees had attended the earlier NIST cybersecurity workshops, based on a show of hands) seemed pleased by the workshop's discussion topics, a few critical infrastructure privacy representatives again expressed concern about the wide-ranging technical scope of NIST's latest privacy effort, fearing that it might produce far more granular privacy recommendations than they've seen in other, more policy-oriented venues.  Following the workshop, NIST plans to produce a report that is the basis for a NIST Interagency or Internal Report (NISTIR), solicit comments on that document and host a further workshop to refine the draft NISTIR.  

Cybersecurity Stocks Slip in March; Still Beat the Nasdaq for the Month, Market for the Year

Cybersecurity-related stocks slipped at the end of March, after reaching a yearly high during the first week of the month, according to my cybersecurity stock index.  As of the close on March 28, the index dipped to 106.21, down 3% from the close of 109.01 on February 28.

The companies in the stock index (see the table below) still managed to beat the Nasdaq (COMP), which dropped 4% from February 28 to March 28.  (Eight of the thirteen companies in the index trade on the Nasdaq.)  But they were outperformed by the Dow Jones Industrial Average (DJIA) and the S&P 500 (SPX), both of which remained almost exactly flat for the month.

The top performers for the month were AVG Technologies NV(NYSE:AVG), which jumped 23% during the month, and KEYW Holding Corp. (NASDAQ: KEYW) and Palo Alto Networks Inc. (NYSE: PANW), both of which advanced by 21%.  At the bottom were Barracuda Networks Inc. (NYSE: CUDA), which declined by 13% after a major climb in February, and Symantec Corp. (NASDAQ: SYMC), which dropped 14%.

Overall, though, cybersecurity stocks are still well ahead of the markets for the year, posting an index gain of 6%, compared to a 1% decline in the DJIA and a 1% uptick in both the SPX and COMP.

CrowdStrike CRO: NIST Framework, Vulnerability Mitigation Do Not Create Adequate Cybersecurity

On a day jam-packed with high-profile cybersecurity hearings and events in Washington, one expert witness strayed from the usual endorsements of government and corporate party lines to suggest that the cybersecurity strategies embraced by most organizations might actually harm security. Speaking at a hearing held today by the Senate Homeland Security and Government Affairs Committee, CrowdStrike Chief Risk Officer Steven Chabinsky (appearing in a personal capacity) said that the recent cybersecurity framework produced by the National Institute of Standards and Technology (NIST), while improving cybersecurity, "will not result in adequate security of our infrastructure and for our country."

Although praising the framework as a true public-private partnership, Chabinsky said that "improving our security posture requires that we reconsider our efforts rather than simply redouble them." Advocating that U.S. organizations align their cybersecurity efforts more with the strategies used in the physical world, Chabinsky said "we must ensure that our cybersecurity strategies focus on not preventing more intrusions but on more quickly detecting them and mitigating harm."

Specifically Chabinsky, previously a long-time FBI cyber intelligence leader, advocated a shift away from a "vulnerability mitigation" mindset, which he likened to protecting a building by constructing a twenty-foot brick wall around it (only to have the intruder buy a 30-foot ladder as a consequence), to one that focuses on instant detection, attribution, threat response, and recovery while in parallel locating and penalizing bad actors.  "We take reasonable precautions to lock our doors and windows, but we do not spend an endless amount of resources in hopes of becoming impervious to crime."

The growing focus on vulnerability mitigation can lead to decreasing economic returns, or worse, negative returns.  For example, using the analogy of the brick wall, stepped-up vulnerability mitigation might cause the intruder to use powerful explosives instead of buying a ladder. "Our current cyber strategy has had the unintended consequence of proliferating a greater quantity and quality of attack methods thereby escalating the problem and placing more of our infrastructure at greater risk," Chabinsky said.

Threat deterrence would improve if we blame the offenders rather than the victims for not having adequate vulnerability protection.  "It is my hope for the future that the blame for, and the costs of, cybercrime will fall more squarely on the offenders than on the victims, that in doing so we will achieve greater threat deterrence, and that businesses and consumers will benefit from improved, sustained cybersecurity at lower costs," he concluded in his written testimony.

ACLU Technologist: Algorithm to Protect Phone Calls Has Long Been Broken

(Washington, DC)  The algorithm used to protect phone calls is broken and government officials refuse to acknowledge this vulnerability because law enforcement exploits it for their own purposes, ACLU’s Principal Technologist Christopher Soghoian said yesterday.  Speaking at a Carnegie Mellon University forum held here, Soghoian said “it’s been known that the algorithm used to protect our phone calls has been broken. We’re still using that algorithm today.”

“Everyone’s communication is going over the wire in unencrypted form or very weak encrypted form,” which makes anyone who purchases certain equipment –including foreign governments--capable of listening to private calls, Soghoian said. What makes the problem more urgent now is that the easily-purchased equipment needed to eavesdrop on phone calls has plummeted in price over recent years from over $100,000 ten years ago to as low as $1,200 today.

This vulnerability in the phone system has not been acknowledged by either phone companies or the federal government because law enforcement relies on this security hole to eavesdrop on targets. “We haven’t seen any government officials warn the public,” Soghoian said. “The reason for this is that law enforcement is actively exploiting this system.”

This situation is a classic example of where “the offense and defense conflict” in cybersecurity practices and policies in the U.S. according to Soghoian. “You cannot have a system that is easy to spy on that is secure.”

Cybercrime has become the single most pressing cybersecurity problem because of the difficulties in identifying and prosecuting cyber criminals across the globe, Jody Westby, CEO of Global Cyber Risk said. “Cybercrime today has become the perfect crime” because criminals are seldom caught, arrested or jailed due to the lack of harmonized cybercrime laws around the world. “We have a situation where cybercrime has no borders but law enforcement does.”

Internet Security Alliance CEO Larry Clinton agreed.  “The attack team is getting better and better all the time.”

The rapid technological change that has moved the U.S. from a service economy to an information economy has fostered cyber insecurity for the time being, Matt Scholl, Deputy Chief of the Computer Security Division, Information Technology Laboratory at the National Institute of Standards and Technology (NIST) said. “We have not caught up with the consequences of this change in technology.”

The cybersecurity framework released by NIST last month could change the cybersecurity calculus, Earl Crane, Senior Principal of the Promontory Financial Group, said.  “We’re already seeing the impact of the framework where organizations are already adopting the framework and using it.”

A shortage of cybersecurity experts exist, David Brumley, engineering professor at Carnegie Mellon, said, but even with more experts, the U.S. will be outnumbered by countries such as China.  “We need more cyber experts but more security experts are not enough.[W]e’re going to be outnumbered. What are you going to do when there are more of them than there are of you?”

Cybersecurity Stocks Climbed 9% During First Two Months of 2014

With the glaring spotlight placed on cybersecurity breaches during the second half of 2013, I started tracking cybersecurity-related stocks traded on the big exchanges with the assumption that the companies I chose to follow would have a very robust 2014.  So far my assumption has proven to be true.

Of the 13 (mostly pure-play) publicly traded cybersecurity companies I've followed (see table below), only three experienced declines during the first two months of the year, with most gaining double digit boosts between the close on January 3 and the close on February 28.  I created a cybersecurity stock index to see just how well this group of companies performed on the whole in comparison to the broader market.

Based on this index, the cybersecurity companies advanced 9% during the first two months of 2014, more than twice the growth in the Nasdaq Index, four times the performance of S&P Index and almost ten times the rise in the Dow Jones Industrial Average.

And if this week is any indication, cybersecurity-related companies are poised for even bigger gains - two of the newest cybersecurity players on Wall Street soared today - next-gen threat protection company Fireye (NASDAQ: FEYE) soared 8.44% today to close at 95.63 while firewall provider Barracuda Networks jumped 9.29% to close at 38.48.

Stay tuned as I periodically update the trends.

Twitter Delicious Facebook Digg Stumbleupon Favorites More