Phishing still king

Again this last year, phishing led the charge in most data breaches.  According to the latest PhishMe “2016 Enterprise Phishing Susceptibility and Resiliency Report,” 91% of data breaches begin with spearphishing.  This is supported by the 2016 Verizon Data Breach Report.

Both companies warn that phishing attacks are a significant threat, potentially the most significant.

Phishing has reportedly been at the heart of many high profile data breaches including Anthem, JP Morgan, and others.

Unfortunately there are not great technological solutions to prevent phishing.  Spam tools or anti-virus may help, but phishers continually evolve their messages and approaches.

Training, in my opinion, is still the best way to prevent phishing or any type of social engineering.  Through targeted training and testing, organizations have the ability to reduce a persistent threat.

Data classification: Attempting to solve for x without knowing a, b, and c. has an interesting post on federal government security classifications and cloud provisioning.  The TLDR is that many federal agencies are paying too much, because they are classifying information incorrectly and vendors are happy to upsell protections.

In my experience in state government, the problem is very different.  To begin with, few agencies have strong data classification policies.  In Texas, the Department of Information Resources published a data classification template that agencies can use to develop a classification scheme.  Personally, I think the template (and associated white paper) is a marvelous piece of work :).  It is unclear how many actually used the template, though.

The problem isn’t limited to Texas.  Based on discussions with the CISOs from other states, data classification is a difficult problem for many.

The issue raised is how to determine the appropriate protections for data when classification programs don’t exist.  The result is that agencies will either over-protect public data or under-protect sensitive data.  Several states have a de facto policy of requiring all data to be hosted in the continental United States (CONUS).  While this is appealing, it also drives up prices for cloud services.

Many of the regulations that affect states (most recently CJIS) have dropped the CONUS requirements.  Requiring CONUS storage for “public” data is probably not the best use of taxpayer money.  Without a strong data classification program, though, it is hard to make informed decisions.

From the “Should we have to say this” department: Security firms ‘overstate hackers’ abilities to boost sales’

In a recent speech at the USENIX Enigma security conference, the technical director of the UK’s National Cyber Security Centre, Dr. Ian Levy, stated that security companies are overstating the abilities of malicious attackers.  To anyone who has

  1. worked in the security world for any significant amount of time and
  2. has ever met a sales person

this should not be surprising news.  Not only do vendors like to sell their “magic bullet” for security, many also sell the “boogieman” of the über 1337 hacker.  With such skilled and relentless attackers, you are crazy not to buy their product or service.

There are some amazingly skilled hackers in the world and virtually nothing will stop them cold, definitely not a single product.  Real security is based around a layered security architecture (aka Defense in Depth) with multiple products, procedures, and processes mitigating the shortcomings of each of the other layers.

How many layers?  That really depends on the classification of the data you are trying to protect, not the boogieman that you are being sold.

For more on the story, check out the BBC story.

Uber keeps driving forward (see what I did there :)

As Peter Vogel blogged about yesterday (24 Jan 2017), Uber added Amit Singhal to its leadership.  Mr. Singhal, formerly the VP for Search at Google, will run the mapping division.  He will also work with the self-driving cars group.

For the security folks reading this, you may remember that Uber hired Charlie Miller and Chris Valasek into the self-driving cars group back in 2015 (after they demonstrated taking control of a vehicle remotely and presented the vulnerability at DEF CON).

The addition of Mr. Singhal’s brain to the team already flush with really, really, really smart people means we are one step closer to the machines rising up and I, for one, welcome our new autonomous driving overlords.

Read Peter’s much more professional and adult blog here:

Uber will likely get smarter since they hired Google’s former head of search!