CybX Daily Digest, 04/02/16
Hello and welcome to today's edition of the daily digest! Articles that didn't make the cut but that I still found worth a mention include "How Yahoo Hacks Itself", a story about the red team agenda. Microsoft has allegedly got a Linux subsystem built into Windows 10 which, given their change of direction in recent years, does seem plausible. (Also check out 'Data Centre under the Sea', which is linked in that article, fascinating stuff!) Researchers have also claimed that the Dark Web is mostly illegal, surprising nobody at all.
Today's first article, however, comes from Infosec Magazine and is titled "Cyber Resilience Capabilities Often in Ad-Hoc Plans." The research carried out echoes what we have seen in the industry ourselves: while nearly all companies are aware of the risk that cyber presents, they are not prepared to deal with that risk, often having policies that are outdated, untested or simply non-existent. Even where policies exist, they are used on an ad-hoc basis, or are only referred to in passing - is this a failure from the company? Possibly; it could also be indicative of the nature of cyber attacks. The tone of the article also echoes many of the points we have been trying to push in the last two years here at cybX. Policies are only as good as the practice that's been put into them.
The Register has reported on a new open source tool to allow businesses to create and manage phishing campaigns: "Go phish your own staff: Dev builds open-source fool-testing tool". I am behind this idea wholeheartedly. Large enterprises and successful businesses can afford to run their own campaigns, but the smaller businesses can't, and they are often the ones who find themselves the least well prepared, developed and capable of dealing with cyber attacks. Any initiative to help 'the little guys' has my support!
The Tripwire blog, State of Security, has a topic on "How to Build a Remote Security Team", reminding us of what we all know in the industry, that there is a shortage of cyber security specialists, and offering an interesting solution to that. (It also has an infographic from ISACA; we all love a good infographic.) Their idea is to allow security professionals to work remotely, to prevent the geographic limitations on the shortage of staff in a given area, and I have to say, although not a new idea, it is a novel one. There are of course a number of advantages to this; however, it is not without its limitations. I wonder how well this model would operate under sustained DDoS attacks on the management network which the remote users log in to, for example. With today's technology, this is definitely an option worth considering though, and who doesn't want to work from home these days?
Microsoft's Cyber Trust Blog has a posting on "The Continued importance of cybersecurity capacity building", which follows on from the previous article somewhat in that there is a shortage of talent, and covers how they are approaching ways to deal with that. The key takeaway is collaboration: working together for a common goal and, just as importantly, information sharing between stakeholders. I applaud initiatives like these in order to get talent where it needs to be, and for Microsoft to work with countries outside of Europe and the Americas, allowing for talent to be nurtured all over the world.
"The thirst for knowledge we see is immense, it is time to work together to quench it."
/signed
Finally, we take a look at The Inquirer and "Google lumps Malwarebytes with a bad security report and a lot of homework". If you aren't aware, Google has a project called "Project Zero" which discovers zero-day (previously undiscovered) vulnerabilities in consumer software. They allow 90 days for the vendors to fix the bugs they find, then release them to the public - without mercy. There was some ruckus over this project and Microsoft last year, among other vendors, as seen in the article. The principle I consider a good one; how long you give a vendor to fix a bug you find, though, I don't believe to be a 'one size fits all' option. But by now everyone knows Google's zero tolerance policy on the matter, and they are prepared to upset even the big boys in the schoolyard.
That's it for today! Thank you for reading and I'll be back again tomorrow.