Ah, the end of the year. The time when everyone posts their ‘Top 10’ lists

Every year the last week of December is filled with ‘Top 10’ lists or ‘Year in Review’ lists.  The information security community is no different.  Whether it is threatpost’s 2016 Year in Review, DarkReading’s 21 Biggest Cybercriminal Busts of 2016, or even the University of San Diego’s Top Cyber Security Blogs and Websites of 2016 (sadly not including JurisHacker.com), everyone seems to look back at the year to see what has happened or changed.

Unfortunately, not enough has changed.  If we look back at esecurityplanet.com’s Top Five Security Threats for 2006 (no, that is not a typo; the list is from 10 years ago) we see:

Targeted Phishing Scams
Self-Contained Electronic Devices
Voice over IP
and Microsoft vulnerabilities.

With the exception of Microsoft vulnerabilities (36 critical vulns over the past year), we are still fighting many of the same battles.  Now we call them spear-phishing, BYOD, and IoT.  We still face insecure vendor defaults (now in IoT devices), vendor backdoors, and increasingly clever spear-phishing attacks.  At least two of these issues, insecure defaults and backdoors, can be fixed by the vendor community.

I hope that in 2017 the vendor community will finally understand that poor default security hurts the consumer and that backdoors are only useful to attackers.  My fear is that I’ll still be talking about these in 2026, though.

Personally, I think I’ll drown my sorrows watching the worst movies of 2016.



U.S. Attorney Announces Arrest of Three Individuals for Insider Trading Based On Information Hacked from Prominent U.S. Law Firms

The Manhattan U.S. Attorney’s office announced that it had charged three individuals with insider trading based on information they gleaned from hacked U.S. law firms (unnamed).  The individuals used M&A (Mergers and Acquisitions) information stolen from prominent firms to select their investments.

This should be a wake-up call to law firms across the country.  It is clear, as I’ve long held, that law firms are prime targets for all types of financial criminals.  Family law firms will have extensive personal information on their clients and the opposing party.  Criminal defense firms will have very sensitive data on the alleged actions of their clients.

And yes, M&A, corporate, transactional, VC, and emerging markets firms will have the type of data criminals can use for financial gain.

If you are an attorney, read this indictment, take a deep breath, and then go talk to your firm’s CISO (Chief Information Security Officer).  You know what a CISO is, right?  Your firm does have one, right?