SecureState Blog

Read SecureState's award winning blog.

Unearthing industry predictions for 2015

Somewhere, in a dark quiet room, they sit and stare into their cathode ray tube monitors. The smoke cloud from spent cigarettes lingers. Someone coughs. The sound of a toilet flush upstairs cuts through the dull quiet, indicating the cheapness of the building’s construction. The glow of their screens keeps their attention, the high of caffeine drinks and sleepless euphoria.

No, I’m not talking about the attackers. They usually live in pretty nice places. I mean, you don’t get the name Cyber Threat Actor by being a slob. I’m picturing the poor souls that have to come up with information security headlines.

‘Major’ hacking attack in US looms: expert survey
http://www.msn.com/en-us/news/technology/major-hacking-attack-in-us-looms-expert-survey/ar-BBbVzhY

There’s a strong push in our industry around Threat Intelligence, the concept that when an attack is observed by one participant, the other participants can react accordingly. On the far other end of the spectrum is this type of article, created from surveys and supposition that creates a buzzword-compatible heap of words and imagery, and gets the job done just before deadline. In summary, 1600 people were asked whether a cyber attack would cause Bad Things in the next 11 years. And most of them said: yes.

Well I tend to agree with the majority. Mainly because the Bad Things are indeed happening now. From the article:

“Widespread harm,” the survey explained, would mean significant loss of life or property losses, damage, theft in the tens of billions of dollars.

Turns out that the Center for Strategic and International Studies (CSIS) ran the numbers, and “tens of billions” turns out to be an optimistic number.

Cyber crime costs global economy $445 billion a year: report
http://www.reuters.com/article/2014/06/09/us-cybersecurity-mcafee-csis-idUSKBN0EK0SV20140609

And in case you are wondering, that picture is of a man in Warsaw with binary numbers projected on him. Actually I’m pretty sure it’s the same guy that came up with the headline. CRTs and cigarettes, I’m telling you.

None of this is to say that we don’t need frequent reminders of how bad it is. But we need to focus on facts. Blocking and tackling the stuff hitting our networks today. Visibility – who they are, where are they coming from, why they want our data, what they will do to get it, how we stop them before they get in – or even after they get a foothold.

Without solid data, without specific actions to take, it’s just another sign that says “Watch for Falling Rocks”. And other than worrying about a freak boulder accident, it doesn’t do us much good. Get people scared enough, they’ll buy boulder insurance.

Cyber-insurance becomes popular among smaller, mid-size businesses
http://www.washingtonpost.com/business/capitalbusiness/cyber-insurance-becomes-popular-among-smaller-mid-size-businesses/2014/10/11/257e0d28-4e48-11e4-aa5e-7153e466a02d_story.html

While that’s fine and good for those that get stuck in the rubble, there other roads to take us where we’re going. We don’t have to rely solely on fear and uncertainty to get us heading down the right path. As we have learned by studying actual attacks, there are defensive advantages to be gained by tuning our processes and tools. Start thinking about the kill chain and consider how your team can start to get ahead of the threat.

And for those of you who still need those security headlines to drive internal change, we’ve made a special tool for you to tailor your message accordingly.

Officials believe that advanced persistent threats originating fromwho are secretly funded byare poised tohigh-profile targets in thesector.

Just be careful. It’s a slippery slope, I’m telling you.

Let us know what you think! Where do you find valuable stories, and how do you decide which articles to read? And is there such a thing as boulder insurance?