Saturday, January 21, 2017

A useful post on the taxonomy of security breaches.  (You can’t tell the players without a scorecard.)
For the past year, I’ve been criticizing entities that describe their data leaks as “hacks” (cf, this article of mine on The Daily Dot or this post as examples).  More recently, Zack Whittaker has also forcefully raised that issue on ZDNet.  Whether other journalists will adapt their language and correctly report incidents as “leaks” instead of “hacks” – regardless of what the entity may claim – remains to be seen over time.  But there’s a second language issue that this blogger would also like to see addressed: overuse or misuse of the word “ransomware.”
[Much more follows.  Bob]

Satan RaaS Promises Large Gains With Zero Coding Needed
A newly discovered family of ransomware is being offered via the Ransomware-as-a-Service (RaaS) business model, allowing cybercriminals to easily customize their own versions of the malware, researchers explain.
Dubbed Satan, the new ransomware family was discovered by security researcher Xylitol and is available for any wannabe criminal, as the service only requires the creation of an account to get started.  The profits are split with the malware authors, who claim to retain only a 30% cut, thus making the RaaS sound highly interesting to many.

This is not a good thing!  It means anyone can attack your systems!
Cyber Threat Intelligence Shows Majority of Cybercrime is NOT Sophisticated
It’s a new year and while some things change, some things stay the same (or similar).  There’s lots of FUD about the sophisticated cyber attacks that are multi-threaded and obfuscated.  Certainly there are attacks that fall into this category, but if you look at all of the cybercrime activity from the past year, it’s clear that the majority of threats do not have the level of sophistication that is often talked about. 
Rather, what cyber threat intelligence is showing us is that most threats simply exploit a series of well-documented vulnerabilities and other weak points to move along the path of least resistance – and the most profit.  Let’s look at some of the top threats out there today through the prism of the threat triangle, which is the actor’s capability, intent and opportunity: 

What Computer Security managers should be thinking about.
Sami Paracha of Taylor Wessing has an article on cyber-extortion and ransom demands from a UK perspective.  It makes for interesting reading.  The article begins:
Cyber Security is an omnipresent risk for most businesses.  And it is a growing risk given the more frequent and serious cyber attacks, higher costs for proactively managing these risks (or curing a cyber security breach), and potentially higher fines following a breach with implementation of the GDPR [General Data Protection Regulation  Bob] on the horizon.  The approximately 500 million recently compromised Yahoo accounts are a pertinent reminder of these risks.  CFC Underwriting has also recently commented that it is being notified of claims under its policies at a rate of more than one a day, particularly from SMEs with revenue under £50m and “ransomware” is behind a significant number of claims[1].
Cyber extortion, including threats and/or ransom demands connected with cyber attacks, is a risk which can cause great uncertainty for businesses – particularly in relation to how the extortion threat should be handled, for example, whether a ransom demand should be paid, whether such payment is legal and whether insurers may cover the ransom payments.
Read more on Lexology, and ask yourself whether you know if your insurance policy would cover a ransom or extortion demand, and under what conditions.  Of course, that’s a somewhat separate question of whether entities should pay a ransom demand, and the questions Paracha raises are the same ones we’ve seen elsewhere, i.e., they do not appear to be country-specific.

My students were discussing this last week.  I don’t think they are ready to give up banks altogether, but I did get them thinking.
Much has been made of the fact that a new breed of financial technology (or fintech) companies is unbundling banks in the developed world.  Startups are attacking all of the components of the traditional bank value proposition (e.g., accounts, portfolio management, mortgages, car loans, person-to-person payments).  Over the past five to six years there has been a rush of capital and talent into startups; investment in them has grown nearly eightfold since 2011.  While their innovative products have been a boon to consumers in mature economies, the resulting efficiency and security benefits have largely bypassed the 2 billion consumers in the developing world who lack formal banking services altogether.
However, there are signs that this is changing.  Encouraged by the dramatic increase in the number of people with mobile phones in the developing world, new fintech players are attempting to disrupt the existing financial order in these markets: the money lenders and informal remittance services that often have been the only option for much of the population.
Our initiative, the Digital Financial Services Lab, is trying to be a catalyst for this transformation.  To that end, it is working with entrepreneurs to introduce innovative solutions to the developing world.  A number of the companies mentioned in this article are in DFS Lab’s portfolio.

Because, yes you really do need one.
You’ve heard it a thousand times: you need antivirus protection.  Macs need it.  Windows PCs need it. Linux machines need it.  Modern antivirus apps have gotten so easy to download and run that you barely need to do anything at all.  Plus you can get some of the best ones for free.  You really have no excuse.  So grab one of these ten and start protecting your computer!

No comments: