Monthly Archives: September 2015

Volkswagen software tricked emissions tests, feds say; hacking of customers is the real problem

Bob Sullivan


A Volkswagen executive recently proclaimed that by 2020, all the automaker’s cars will be smartphones on wheels.

Turns out, Volkswagen cars were a little too smart for their own good. The Environmental Protection Agency on Friday accused the firm of using software to evade U.S. emissions testing. Computer code known as a “defeat device” recognized when the car was being tested and kicked on full emissions control systems. The rest of the time, the car chose, let’s say, “performance mode” over Earth-friendly mode.
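The mechanism described above, hidden behaviour that switches on only when the software believes it is under test, is the same pattern defenders face in analysis-aware malware, and the way to catch it is the same: run the component under two conditions that differ only in the “being tested” fingerprint and compare. The following is an added Python example, not Volkswagen’s code or anything from the EPA finding. The engine controller, the dyno fingerprint (driven wheels turning while the body is stationary with the wheel straight), the emissions-control duty formula and the sample operating points are all constructed for illustration.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class EngineState:
    """Constructed snapshot of the inputs a toy engine controller sees."""
    rpm: int
    load_pct: float           # 0..100
    coolant_c: float
    wheel_speed_kmh: float    # speed of the driven wheels
    body_speed_kmh: float     # speed over ground (0 on a chassis dynamometer)
    steering_deg: float


def looks_like_test_cycle(s: EngineState) -> bool:
    """Constructed fingerprint of a bench test: wheels turn, body does not, wheel is straight."""
    return s.wheel_speed_kmh > 0 and s.body_speed_kmh == 0 and abs(s.steering_deg) < 0.5


def honest_controller(s: EngineState) -> float:
    """Emissions-control duty (0.0-1.0) derived from physical state only (toy formula)."""
    duty = 0.5 + 0.005 * s.load_pct
    if s.coolant_c < 60:      # cold engine: reduce control effort (toy assumption)
        duty -= 0.2
    return max(0.0, min(1.0, duty))


def defeat_controller(s: EngineState) -> float:
    """Same physics plus a planted branch: full control only when it thinks it is being tested."""
    if looks_like_test_cycle(s):
        return 1.0
    return honest_controller(s) * 0.4


# Constructed operating points: (rpm, load_pct, coolant_c, wheel_speed_kmh)
PHYSICAL_POINTS = [
    (1500, 20.0, 85.0, 30.0),
    (2500, 50.0, 90.0, 60.0),
    (3200, 80.0, 92.0, 100.0),
    (1200, 10.0, 40.0, 20.0),
]


def audit(controller, tolerance: float = 0.05):
    """Differential check: each physical point is run as a bench variant and as a road variant.

    The two variants share rpm, load, coolant and wheel speed; only the test-cycle
    fingerprint (body speed, steering) differs. A controller that depends solely on
    physical state must give the same answer for both. Any divergence above the
    tolerance is reported as a finding.
    """
    findings = []
    for rpm, load, coolant, wheel in PHYSICAL_POINTS:
        bench = EngineState(rpm, load, coolant, wheel, body_speed_kmh=0.0, steering_deg=0.0)
        road = replace(bench, body_speed_kmh=wheel, steering_deg=3.0)
        on_bench, on_road = controller(bench), controller(road)
        delta = on_bench - on_road
        if abs(delta) > tolerance:
            findings.append({
                "rpm": rpm,
                "load_pct": load,
                "bench": on_bench,
                "road": on_road,
                "delta": round(delta, 3),
            })
    return findings


if __name__ == "__main__":
    for name, ctl in (("honest", honest_controller), ("defeat", defeat_controller)):
        hits = audit(ctl)
        print(f"{name}: {len(hits)} divergent operating point(s)")
        for h in hits:
            print("  ", h)
```

The harness never needs to know what the fingerprint is; it only needs to vary the inputs a bench cannot vary (here body speed and steering) while holding the physics constant. That is the differential idea behind real-world on-road versus laboratory comparison: the physical input is the same, so any change in output is attributable to the software noticing the test.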

The Obama administration has ordered the German automaker to recall half a million 4-cylinder Volkswagen and Audi cars from model years 2009-2015 and reprogram them. The firm could also face fines that could range into the billions. (At the moment, the firm hasn’t issued a statement.)

If accurate, such brazen use of software to evade federal law not only shocks the senses, it raises serious consumer protection issues. Many drivers are today rightly horrified that they were tricked into polluting the planet. They also were driving cars with performance that was artificially boosted — perhaps drivers would have chosen other cars if test drives of competitors’ models had been a fair fight.

In short, consumers have been hacked. Their cars’ software was doing things without their knowledge, just as if a virus writer had dropped a Trojan on their machines.

Recently, we talked about the very real fear drivers expressed to Kelley Blue Book — 4 out of 5 said car hacking will be a real problem in the next three years.

The survey referred to hacking by outside criminals, but there’s another kind of hacking going on here — when companies hack their own consumers.  Products we buy are now full of mysterious software, often instructed to do things we never imagined. TVs listen to our conversations; dating sites trick us into flirting with bots; our social networks and grocery stores talk about us; our web software tattles on us to the highest bidder;  and our cars trick emissions officials.

During an age when the very nature of advertising is constantly under siege, it makes sense that firms which already have a presence in our lives try to get a few more pieces of data out of us, and monetize that relationship just a little bit more. The temptation, if not desperation, is great.

But Friday’s Volkswagen story should be the beginning of some really serious soul searching, perhaps even a turning point for the Internet of Things.  It’s inevitable: our light bulbs, toasters, door bells, and our cars will all communicate some day soon.  We need a rock-solid ethic — not just laws, but a social morality — that machines should never do things unless people know all about them.  People should run the gadgets, not the other way around.

If we build a world of sneaky machines, we will deserve the consequences.

Learning to thrive against threats

Larry Ponemon


With cyber attacks growing increasingly frequent and complex, cybersecurity strategies are shifting: while prevention is still important, the emphasis is now on prevailing through an attack. Cyber resilience supports businesses’ efforts to ensure they’ll continue to thrive despite the increased likelihood of a data breach.

That’s the essence of cyber resilience – aligning prevention, detection, and response capabilities to manage, mitigate, and move on from cyberattacks. But are businesses ready today to face cyber threats head on? To find out, Ponemon Institute, with sponsorship from Resilient Systems, surveyed 623 IT and IT security practitioners about their organizations’ approach to becoming resilient to security threats. The findings are presented in the study, The Cyber Resilient Organization: Learning to Thrive against Threats.

In the context of this research, we define cyber resilience as the capacity of an enterprise to maintain its core purpose and integrity in the face of cyberattacks. A cyber resilient enterprise is one that can prevent, detect, contain and recover from a plethora of serious threats against data, applications and IT infrastructure. A cyber resilient enterprise successfully aligns continuity management and disaster recovery with security operations in a holistic fashion.

[Figure 1: thrive graphic]

Figure 1 shows why cyber resilience is emerging as the standard for which to strive. The protection of high-value intellectual property and compliance with laws and regulations are best achieved with cyber resilience, according to 91 percent and 90 percent of respondents, respectively. Cyber resilience also is considered to enhance brand value and reputation (75 percent of respondents) and maximize employee productivity (72 percent of respondents).

Key takeaways include the following:

The state of cyber resilience needs improvement. Only 25 percent of respondents rate their organizations’ cyber resilience as high (7+ on a scale of 1 = low resilience to 10 = high resilience) based on the definition described in the introduction. Moreover, a key component of cyber resiliency is the ability to recover from a cyber attack, and only 31 percent rate this as high. Prevention is also rated fairly low at 33 percent. The ability to detect and contain cyber attacks is rated much higher, by 45 percent and 47 percent of respondents, respectively.


Human error is the enemy of cyber resiliency. The IT-related threat believed to have the greatest impact on an organization’s ability to be cyber resilient, and the most likely to occur, is human error. Persistent attacks are considered to have the second greatest impact on cyber resiliency but are less likely to occur.

Planning and preparedness are key to cyber resiliency. It is interesting that a lack of knowledgeable staff or enabling technologies is not as much a hindrance as not devoting the necessary time and resources to planning and preparedness (65 percent of respondents) or insufficient risk awareness, analysis and assessments (55 percent of respondents).

The majority of companies are not prepared to respond to a cyber security incident. Despite the importance of preparedness to cyber resilience, 60 percent of respondents say their organization either does not have a cybersecurity incident response plan (CSIRP) (30 percent of respondents) or has one that is informal or “ad hoc” (30 percent of respondents). Only 17 percent of respondents have a well-defined CSIRP that is applied consistently across the entire enterprise.

A high level of cyber resiliency is difficult to achieve if no one function clearly owns the responsibility. Only 24 percent of respondents say the Chief Information Officer (CIO) is accountable for making their organizations resilient to cyber threats. This is followed by 20 percent who say it is the business unit leader and 10 percent who say no one person has overall responsibility.

Collaboration among business functions is essential to a high level of cyber resilience, but it rarely happens. Only 15 percent of respondents say collaboration is excellent. Almost one third of respondents (32 percent of respondents) say collaboration is poor or non-existent. Leadership and responsibility are critical to improving collaboration.

Organizational factors hinder efforts to achieve a high level of cyber resilience. The importance of cyber resilience is often not recognized by senior management. Only 44 percent of respondents believe their organizations’ leaders recognize that cyber resilience affects enterprise risks and brand image. About half (50 percent of respondents) say cyber resilience does affect revenues. Other factors that are a hindrance are insufficient funding and staffing.

Preparedness and agility are most important to achieving a high level of cyber resilience. Respondents were asked to rank those factors considered important to achieving a high level of cyber resilience. Once again, preparedness to deal with cyber threats is critical, followed by agility and a strong security posture.

Technologies that enable efficient backup and disaster recovery operations are by far most important to building a cyber resilient enterprise. Seventy-seven percent of respondents say technologies that support efficient backup and disaster recovery operations are essential or very important. Also important are technologies that provide advance warning about threats and attackers (59 percent of respondents) and those that provide intelligence about the threat landscape (58 percent of respondents).

Read more about resilience, and a Q&A with Larry, at ResiliantSystems.com