Here's what I’m reading this week:
Don’t Pay Ransoms, Don’t Negotiate with Terrorists, Don’t Feed Trolls: The ShadowBrokers have now announced that for the low-low price of $21,000, you too can see their next vulnerability dump before anyone else. This is being presented as an “ethical dilemma” for security teams, who have to decide between encouraging the hackers but getting a jump on addressing these threats, and waiting with everyone else.
The problem is that framing it as an ethical dilemma misses two essential points.
First, there’s no evidence as to whether the ShadowBrokers will actually follow through on their promise. There may be an ethical element to the decision, but a bigger question is whether those considering paying can really trust the mysterious hacker group. (In case you’re wondering, I see no reason to trust that a group like this would stay true to its word).
Second, getting “ahead” of this dump would only encourage more dumps like this in the future, which means that paying up now isn’t just about ethics – it’s about short-term gain vs. long-term gain. In other words, paying now might get you ahead tomorrow, but it will also make it more likely that you find yourself in the same situation again in the future.
Put these together and it’s pretty clear that framing the problem as an “ethical” dilemma misses the point. It’s about trust, and about long-term risk. Both of these questions suggest that paying is a pretty bad idea, for exactly the same reason that governments have long held the position that they do not negotiate with terrorists.
Understanding and Control as the Foundation for Your Cybersecurity Strategy: Over the past several months, Dan Woods has been outlining how to think about a cybersecurity “portfolio” – all the components you need to build an effective security strategy. Last week, he and I sat down to discuss where understanding and controlling your environment fit in.
The primary point of our conversation was that many security teams today force themselves to choose between prevention (keeping the bad guys out) and detection (finding them once they get in). This is a pretty bad choice, because there are serious problems with both of these approaches. No security team will ever prevent every breach, and detection efforts today continue to be buried under avalanches of alerts and false positives. Understanding your environment better than your attacker, and using your control over your environment to stop them and force them to make a mistake, is a third approach that we pay too little attention to. In addition to being effective, it also makes for more effective prevention and detection. In other words, it’s a win-win-win.
The LA Port Solves Some Security Problems and Creates Others: The Los Angeles Port is one of the busiest in the United States (nearly 58 million short tons of cargo passed through it in 2013 alone), and its shipping manifests are largely handled manually. At least, until now. In a new effort, the Port is digitizing its entire data flow. This creates security benefits – the Port will be much better able to review the goods that flow through it, identify warning signs, and work to stop contraband. But it also creates security risks – by connecting the shipping portals and networks of thousands of shipping companies, wholesalers, and other organizations, the Port is creating a perfect target for a clever intruder looking to spread through many systems.
The final security impact of the digitization project is still up in the air, but the effort itself is an important reminder that the security of our networks has never been more closely tied to the security of our cities, ports, and institutions – and they’re only becoming more intertwined as time passes.
I'm reading: "Port Gets Moving on Data Plan."
Understanding the Cybersecurity Policy Ecosystem. A new study from ITR and Hewlett assesses the cybersecurity policy community, its ties with government, and what could be done to make the two groups work more effectively together.
Why the cloud is harder for enterprise. If you’re wondering why moving to the cloud can be more challenging for larger, legacy enterprises, this graphic pretty much sums it up. (Hint: It’s about complexity. And dragons.)