The 2016 Cyber Risk Report by HPE


Hewlett Packard Enterprise recently released its 2016 Cyber Risk Report, which delves into the nature of common vulnerabilities that leave companies exposed to risk and how cyber criminals take advantage of those vulnerabilities.

 

The following are some key themes in the HPE Cyber Risk Report 2016:

2015: The Year of Collateral Damage

If 2014 was the Year of the Breach, 2015 was the Year of Collateral Damage as certain attacks touched people who never dreamed they might be involved in a security breach. Both the United States Office of Personnel Management (OPM) and the Ashley Madison breaches affected those who never had direct contact with either entity, and whose information resided in their networks only as it related to someone else—or, in the case of the Ashley Madison breach, did not appear at all but could be easily deduced from revealed data. With the OPM breach, the true targets of the breach may be people who never themselves consented to inclusion in the OPM database—and who may be in danger thanks to its compromise. Data compromise is no longer just about getting payment card information. It’s about getting the information capable of changing someone’s life forever.


Over Regulating Pushes Research Underground

When horrific events occur impacting the lives of many, there is a natural reaction to do something to try to prevent future occurrences. Too often, the “something” (legislation) incurs unwanted consequences to go along with the intended result. This is the case with various proposed regulations governing cybersecurity. While the intent to protect from attack is apparent, the result pushes legitimate security research underground and available only to those denizens who dwell there. To be effective, regulations impacting security must protect and encourage research that benefits everyone.

Vendors Shifting from Point Fixes to Broad Impact Solutions

While it is laudable that Microsoft and Adobe both released more patches than at any point in their history, it remains unclear if this level of patching is sustainable. It strains resources of both the vendor developing the patch and the customer deploying the patch. Microsoft has made some headway with defensive measures that prevent classes of attacks. It and others must invest in these broad, asymmetric fixes that knock out many vulnerabilities at once.

Political Pressures Attempt to Weaken Privacy & Security Efforts

A difficult and violent year on the global scene, combined with lingering distrust of American tech initiatives in the wake of revelations by Edward Snowden and other whistleblowers, led to a fraught year for data privacy, encryption, and surveillance worldwide. Many lawmakers in the US, UK, and elsewhere claimed that security was only possible if fundamental rights of privacy and due process were abridged—even as, ironically, the US saw the sunset of similar laws passed in the wake of the September 11, 2001, attacks. This is not the first time that legislators have agitated to abridge privacy rights in the name of “security” (more accurately, perceived safety), but in 2015 efforts to do so could easily be compared to the low success of previous efforts made after the attacks of 2001. Those evaluating the security of their enterprises would do well to monitor government efforts such as adding “backdoors” to encryption and other security tools.

Industry Learned Nothing about Patching in 2015

The most exploited bug from 2014 happened to be the most exploited bug in 2015 as well—and it’s now over five years old. While vendors continue to produce security remediations, it does little good if they are not installed by the end user. However, it’s not that simple. Applying patches in an enterprise is not trivial and can be costly—especially when other problems occur as a result. The most common excuse given by those who disable automatic updates or fail to install patches is that patches break things. Software vendors must earn back the trust of users—their direct customers—to help restore faith in automatic updates.

Attackers Shift Focus to Applications

The perimeter of your network is no longer where you think it is. With today’s mobile devices and broad interconnectivity, the actual perimeter of your network is likely in your pocket right now. Attackers realize this as well and have shifted their focus from servers and operating systems directly to applications. They see this as the easiest route to accessing sensitive enterprise data and are doing everything they can to exploit it. Today’s security practitioner must understand the risk of convenience and interconnectivity to adequately protect it.

Monetization of Malware the New Focus for Attackers

Just as the marketplace has grown for vulnerabilities, malware in 2015 took on a new focus. In today’s environment, malware needs to produce revenue, not just be disruptive. This has led to an increase in ATM-related malware, banking Trojans, and ransomware.

 

You can find the report here.


