The U.S. Department of Homeland Security this month will start sharing threat information with a small number of hand-picked companies under the newly enacted Cybersecurity Information Sharing Act.
DHS hopes to collect threat indicators from companies and redistribute them to other companies so everyone gets a better view of threats and can use that knowledge to bolster defenses.
The CISA removed a significant obstacle to that kind of sharing: liability. Now companies don’t have to sweat the risk of lawsuits for sharing information with Uncle Sam.
“Taking the liability issue out of the road is a huge step forward,” said Kobi Freedman, CEO of Comilion.
Nevertheless, companies may be reluctant to share data with DHS. At a recent CIO conference, a little more than half of the execs (58 percent) said CISA would make it more likely for them to share information with the feds.
“There is a lot of concern about the ability of DHS to reshare data with other law enforcement agencies if the data being shared is relevant to a criminal investigation,” Freedman told TechNewsWorld.
“Potentially, it could expose the initiator of the shared data to be part of an investigation that it didn’t want to be part of,” he noted.
Soft Touch
The CISA employs a soft touch for information sharing. “CISA doesn’t have any disclosure requirements or obligations. It creates a framework for meaningful sharing,” Freedman said.
“The main obstacle to meaningful sharing is trust between the participating parties — government and the private sector,” he noted. “The private sector has to be confident that the government is not only receiving, but sharing, too.”
Only time will tell if the government can build the necessary trust in order to share at scale with the private sector, Freedman said.
“The question is, will the government exploit the trust the private sector gives it or not?” he said.
“What the DHS is doing now is taking a step forward in building trust between the private sector and government,” Freedman added.
Quality Control
Another problem dogging information sharing in the past has been the quality of the data the government is willing to share with companies. DHS’ announcement that it initially would share information on threat indicators may not sit well with some in the private sector.
“Sharing threat indicators and not contextual data could become a joke,” Freedman said.
“Threat indicators have very short life expectancy. By the time that information is shared, it could become irrelevant,” he continued.
“The government needs to show it can add value to the existing threat intelligence feeds that are being consumed,” Freedman said. “There is real skepticism about whether what the government provides the private sector will be meaningful or not.”
IoT Problems
Connecting the home to the Internet of Things is supposed to be a watershed for the electronics industry, but the market just seems unable to build any momentum.
The reason for that? “The IoT is not consumer friendly,” declared Cyril Brignone, CEO of Arrayent.
“Right now, all these IoT products are done in silos. Breaking those silos is key to the success of the market,” he told TechNewsWorld.
All devices should communicate with each other and participate in the security of the home, Brignone said.
For example, if a security system is armed and someone opens your smart fridge, the alarm system should sound. Even if the alarm isn’t armed, if the house is uninhabited from 8 a.m. to 3 p.m. every day and the fridge is opened during those hours, the IoT devices should alert the homeowner that something is amiss.
Barriers to Integration
“We’re still in a divergent market,” Brignone noted.
“Every week I see a new consortium, a new group, trying to create a new standard to make all these products compatible. At the end of the day, we end up with many, many standards, and the number is growing,” he said.
“That’s preventing adoption by the consumer because a mass-market consumer trying to buy a home security or home automation solution right now has so many options it’s too confusing, even if you’re a geek,” Brignone added.
That confusion can lead to consumer frustration. One-third of smart home devices never make it out of the box after they’re bought, a third get unpacked but not installed, and of the third that do get installed, half are disconnected within a week, he said.
Security, though, appears to be an exception in the connected home market.
“Security companies have been successful in this market,” Brignone said, “because they come with a simple use case, which is, we’re going to protect your home, and they come with a service in addition to the connected device.”
Porous Perimeter
It’s been evident for years now that trying to keep attackers out of an organization’s network is a losing cause. Perimeter defenses alone aren’t adequate to protect the precious data of an enterprise. That became painfully clear to the federal government last week as the IRS and the departments of Justice and Homeland Security all lost data after being penetrated by hackers.
In the case of the IRS, an automated bot attack, armed with Social Security numbers and other personal data obtained from sources outside the agency (plenty of such data is floating around the Internet from the many data breaches of the last few years), managed to obtain 101,000 electronic filing PINs. Those PINs are used by taxpayers to file electronic tax returns.
The attackers could use the PINs to file bogus tax returns and try to collect a refund check from the IRS for taxes they never paid.
In the case of the DOJ and DHS, a hacker used a compromised email account and some social engineering to get into the DOJ’s computer systems and exfiltrate data. He posted the results of his mischief on the Internet, although much of the information on the 20,000 FBI and 9,000 DHS employees exposed on the Net appeared to be outdated.
What the three attacks had in common is that the intruders walked in the front door with something the systems treated as legitimate: at the IRS, Social Security numbers and other personal data accepted as proof of identity; at the DOJ, a compromised email account and a username and password. A perimeter check that asks only “are these credentials valid?” had no reason to stop them.
“Access controls and passwords work — until someone gets in,” said Zoltan Gyorko, CEO of BalaBit.
“It’s easier to do social engineering than write a zero-day exploit,” he told TechNewsWorld. “Once an intruder is in, only behavior analytics helps.”
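The point Gyorko makes, that valid credentials pass every perimeter check and only behaviour gives the intruder away, is easy to show on logs. The following is an added example, not code from the article or from BalaBit. The log format, the hypothetical “get PIN” endpoint it records, the identity hashes and the thresholds are all constructed for illustration. A classic failed-login detector finds nothing, because every request in the bot run succeeds; a detector keyed on behaviour (one source presenting many distinct identities at machine speed inside a sliding window) flags it.

```python
"""Behaviour-based detection of credential-armed automation.

Added example, not from the article or any vendor named in it. The log
format, endpoint and thresholds are assumptions made for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log for a hypothetical "get e-file PIN" endpoint:
# "<ISO timestamp> <src_ip> <identity_hash> <outcome>".
# 203.0.113.7 is a bot presenting eight valid identities in eight seconds;
# 198.51.100.20 is a real user who mistyped once and retried a minute later.
SAMPLE_LOG = """\
2016-02-09T10:00:01 203.0.113.7 id_01 ok
2016-02-09T10:00:02 203.0.113.7 id_02 ok
2016-02-09T10:00:03 203.0.113.7 id_03 ok
2016-02-09T10:00:04 203.0.113.7 id_04 ok
2016-02-09T10:00:05 203.0.113.7 id_05 ok
2016-02-09T10:00:06 203.0.113.7 id_06 ok
2016-02-09T10:00:07 203.0.113.7 id_07 ok
2016-02-09T10:00:08 203.0.113.7 id_08 ok
2016-02-09T10:00:30 198.51.100.20 id_77 fail
2016-02-09T10:01:10 198.51.100.20 id_77 ok
2016-02-09T10:05:00 198.51.100.21 id_91 ok
"""


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src_ip, identity, outcome = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "src_ip": src_ip,
                       "identity": identity, "outcome": outcome})
    return events


def failed_auth_sources(events, threshold=3):
    """Classic perimeter-style rule: sources with >= threshold failures.
    Returns {} here because the bot's requests all carry valid data."""
    fails = defaultdict(int)
    for e in events:
        if e["outcome"] == "fail":
            fails[e["src_ip"]] += 1
    return {ip: n for ip, n in fails.items() if n >= threshold}


def find_automated_sources(events, window=timedelta(seconds=60),
                           max_requests=5, max_identities=3):
    """Behavioural rule: per source, keep a sliding window of recent
    requests and flag a source the first time it exceeds either the
    request-rate threshold or the distinct-identity threshold.
    Returns {src_ip: reason} with the first reason that fired."""
    events = sorted(events, key=lambda e: e["ts"])
    recent = defaultdict(deque)
    flagged = {}
    for e in events:
        q = recent[e["src_ip"]]
        q.append(e)
        while q and e["ts"] - q[0]["ts"] > window:   # drop events outside the window
            q.popleft()
        distinct = {x["identity"] for x in q}
        secs = int(window.total_seconds())
        if len(q) > max_requests:
            flagged.setdefault(e["src_ip"], f"{len(q)} requests in {secs}s")
        elif len(distinct) > max_identities:
            flagged.setdefault(e["src_ip"],
                               f"{len(distinct)} distinct identities in {secs}s")
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("failed-auth rule:", failed_auth_sources(evs))       # {}
    print("behaviour rule:  ", find_automated_sources(evs))    # flags 203.0.113.7
```

Thresholds like these are tuned per endpoint against a baseline of real traffic, and a per-source window alone is blind to a botnet that spreads the same enumeration across many addresses; in practice the same sliding-window logic is run per identity and against the global request rate as well, so that the aggregate shape of the campaign shows up even when no single source trips the rule.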
Breach Diary
- Feb. 7. Digital currency lending platform Loanbase informs its users that it has reset all their passwords following the discovery of a security breach in which four accounts were compromised and from eight to 20 bitcoins stolen.
- Feb. 8. A hacker posts to Web personal information of more than 9,000 Department of Homeland Security and more than 20,000 FBI employees.
- Feb. 8. Redspin releases its healthcare data breach report for 2015, showing that hacking accounted for 98 percent of breached patient records, up from 53 percent in 2014.
- Feb. 8. Jonathan Torres of Orlando, Florida, files a proposed class-action lawsuit against Wendy’s for unauthorized charges to his payment card resulting from data breach at the restaurant chain.
- Feb. 9. The U.S. Internal Revenue Service announces data thieves, using personal data obtained outside the IRS, obtained e-file PINs for 101,000 taxpayers. E-file PINs are used to electronically file tax returns with the IRS.
- Feb. 9. Blogger Troy Hunt reports VTech, following a data breach in November that exposed personal data for 12 million people, including 6.4 million kids, has amended its terms-of-use agreement to require its users to “acknowledge and agree that any information you send or receive during your use of the site may not be secure and may be intercepted or later acquired by unauthorized parties.”
- Feb. 9. British law enforcement arrests a 16-year-old suspected of hacking into the personal email account of U.S. CIA Director John Brennan.
- Feb. 9. President Obama requests US$19 billion from Congress for improvements in the federal government’s cybersecurity.
- Feb. 9. Wendy’s states cybersecurity experts investigating a data breach at its restaurants found malware on the systems at some of its locations.
- Feb. 9. Jackson Health System reports it has fired an employee for inappropriately accessing as many as 24,000 patient records over a five-year period.
- Feb. 9. Financial institutions ask federal court in Minnesota for $20 million in attorneys’ fees and expenses incurred in a lawsuit resulting from the data breach at Target in late 2013 in which about 40 million people had their payment card information stolen.
- Feb. 9. The Washington State Health Care Authority begins informing 91,000 Medicaid clients their personal information is at risk after two state employees exchanged client files in violation of the 1996 Health Insurance Portability and Accountability Act.
- Feb. 9. Business Insider reports Apple employees in Ireland are being offered “thousands of euros” for their login credentials.
- Feb. 10. Auditing firm Seim Johnson notifies nearly 4,200 patients of Community Hospital in McCook, Nebraska, that some of their personal information is at risk after a laptop of one of its employees was stolen in Nashville, Tennessee.
- Feb. 11. A UK parliamentary committee reviewing a proposed bill to increase government surveillance powers releases a report rejecting provisions in the measure requiring encryption backdoors in software.
- Feb. 11. Thomas Berry, a former Water Resource Department employee in Dakota County, Minnesota, pleads guilty to violating state’s data privacy laws when he illegally forwarded a report about two state legislators having a romantic encounter in a park.
- Feb. 11. Missoula County Public Schools in Montana releases report revealing information on alumni and former, transfer and deceased students was included in a data breach at Hellgate High School in December. The breach occurred when information about students was accidentally emailed to 28 parents.
Upcoming Security Events
- Feb. 18. Will the Real Advanced Threat Stand Up? Attack Campaigns in 2016 and Beyond. 1 p.m. ET. Webinar sponsored by Arbor Networks. Free with registration.
- Feb. 20. B-Sides Seattle. The Commons Mixer Building, 15255 NE 40th St., Redmond, Washington. Tickets: participant, $15 plus $1.37 fee; super awesome donor participant, $100 plus $3.49 fee.
- Feb. 23. Rethinking Layered Security. 1 p.m. ET. Webinar sponsored by Dark Reading. Free.
- Feb. 23. Surviving 2016: Protecting Your Business From Advanced Cyber Threats. 2 p.m. ET. Webinar sponsored by Dark Reading. Free.
- Feb. 24. Email Security Protection: Predictions and Pivots for 2016. 12 p.m. ET. Webinar sponsored by Agari. Free.
- Feb. 24. Application Control Observations and Strategies for Success. 1 p.m. ET. Webinar sponsored by Dark Reading. Free.
- Feb. 28-29. B-Sides San Francisco. DNA Lounge, 375 11th St., San Francisco. Registration: $25.
- Feb. 29-March 4. RSA USA 2016. The Moscone Center, 747 Howard St., San Francisco. Registration: full conference pass before Jan. 30, $1,895; before Feb. 27, $2,295; after Feb. 26, $2,595.
- Feb. 29-March 4. HIMSS16. Sands Expo and Convention Center, Las Vegas. Registration: before Feb. 3, $865; after Feb. 2, $1,165.
- March 10-11. B-Sides SLC. Salt Palace Convention Center, 90 South West Temple, Salt Lake City. Registration: $65.
- March 12-13. B-Sides Orlando. University of Central Florida, Main Campus, Orlando, Florida. Registration: $20; students, free.
- March 14-15. Gartner Identity and Access Management Summit. London. Registration: 2,550 euros plus VAT; public sector, $1,950 plus VAT.
- March 17-18. PHI Protection Network Conference. Sonesta Philadelphia, 1800 Market St., Philadelphia. Registration: $199.
- March 24. Massachusetts Attorney General’s Office Forum on Data Privacy. Ray and Maria Stata Center, Kirsch Auditorium, Room 32-123, 32 Vassar St., Cambridge, Massachusetts. RSVP required.
- March 29-30. SecureWorld Boston. Hynes Convention Center, Exhibit Hall D. Registration: conference pass, $325; SecureWorld Plus, $725; exhibits and open sessions, $30.
- March 31-April 1. B-Sides Austin. Wingate Round Rock, 1209 N. IH 35 North (Exit 253 at Hwy 79), Round Rock, Texas. Free.
- April 9. B-Sides Oklahoma. Hard Rock Cafe Casino, 777 West Cherokee St., Catoosa, Oklahoma. Free.
- April 15-16. B-Sides Canberra. ANU Union Conference Centre, Canberra, Australia. Fee: AU$50.
- April 16. B-Sides Nashville. Lipscomb University, Nashville, Tennessee. Fee: $10.
- April 20-21. SecureWorld Philadelphia. Sheraton Valley Forge Hotel, 480 N. Guelph Road, King of Prussia, Pennsylvania. Registration: conference pass, $325; SecureWorld Plus, $725; exhibits and open sessions, $30.
- May 4. SecureWorld Kansas City. Overland Park Convention Center, 6000 College Blvd., Overland Park, Kansas. Registration: conference pass, $195; SecureWorld Plus, $625; exhibits and open sessions, $30.
- May 11. SecureWorld Houston. Norris Conference Center, 816 Town and Country Blvd, Houston. Registration: conference pass, $195; SecureWorld Plus, $625; exhibits and open sessions, $30.
- June 13-16. Gartner Security & Risk Management Summit. Gaylord National Resort & Convention Center, 201 Waterfront St., National Harbor, Maryland. Registration: before April 16, $2,950; after April 15, $3,150; public sector, $2,595.
- June 29. UK Cyber View Summit 2016 — SS7 & Rogue Tower Communications Attack: The Impact on National Security. The Shard, 32 London Bridge St., London. Registration: private sector, £320; public sector, £280; voluntary sector, £160.