This week we saw an attempt from the federal government to put a little more wood behind its arrow in pursuit of effective ways to monitor and combat cyber security threats. While the issue has clearly become a priority for the Obama administration – there does seem to be some disagreement around what the law should allow for in terms of research. Particularly concerning to security researchers and hackers alike are the president’s proposals to change the Computer Fraud and Abuse Act. In addition to keeping our eyes on the policy side of the house, there were also some great perspectives on just how big an issue malware can be to even the most sophisticated of security systems. We also take a closer look at some interesting approaches for companies to consider to close their cyber security skills gap. Here’s a look what caught our eye:
Cybersecurity Tracking—U.S. starts new agency
This week Warren Strobel took a look at why the U.S. government is creating a new agency to monitor cybersecurity threats. A senior Obama administration official shared on Tuesday, “The Cyber Threat Intelligence Integration Center (CTIIC) will be an intelligence center that will ‘connect the dots’ between various cyber threats to the nation so that relevant departments and agencies are aware of these threats in as close to real-time as possible.” The official spoke on condition of anonymity only. Obama has moved cybersecurity to the top of his 2015 agenda after recent hacking attacks against Sony Pictures, Home Depot Inc, Anthem Inc, Target Corp and the federal government itself.
In the Name of Research—Required or reckless?
In light of Barrett Brown, a journalist and online activist whose jail time was increased for linking to hacked material, tensions about possible policy changes from the Obama administration have journalists and hacktivists concerned. The worrying new cybersecurity proposals appear to outlaw the everyday activities of researchers, making both hacks and hackers anxious about the possible chilling effect on their work. Quinn Norton, a long-time security writer, said she would no longer report on leaked information for fear of arrest. Errata Security’s Robert Graham said there was a war being waged on professional hackers who have only been trying to make the Internet safer.
Malware—How it can get even the best of us
Virtually every week a new report surfaces about a large, blue chip company with deep financial resources that has been breached. These companies typically invest in and deploy state-of-the-art security tools, yet attackers are still able to penetrate their lines of defense. To make matters worse, many attacks often go undetected for months. Every breach must exploit at least one attack vector in order to install persistent malware on the organization’s network. Advanced attackers often use multi-stage malware, which would initially only install a small backdoor. This enables more complex tools to be deployed on the machine and network later on.
3 Steps Forward—Bridging the cybersecurity gap
There is a dangerous dearth of qualified Information Security talent in the industry today. In the face of mounting threats and an unprecedented number of data breaches, organizations and governments simply aren’t coping. Cybercrime is growing rapidly as sophisticated, targeted attacks flood in from diverse sources. The exploitation of vulnerabilities has a very real economic toll that’s often underestimated. Economic growth is restricted and job losses are common. For example, a study by the Center for Strategic and International Studies put the loss to business from cybercrime between $375 billion and $575 billion in 2013 alone. And yet, the industry is singularly unprepared to meet the challenge.
We welcome your thoughts about what stories caught your eye this week.