Monthly Archives: February 2018

Third Annual Study on Exchanging Cyber Threat Intelligence: There Has to Be a Better Way

Larry Ponemon

In a world of increasingly stealthy and sophisticated cyber criminals, it is difficult, costly and ineffective for companies to defend themselves against these threats alone. As revealed in The Third Annual Study on Exchanging Cyber Threat Intelligence: There Has to Be a Better Way, more companies are reaching out to their peers and other sources for threat intelligence data. Sponsored by Infoblox, the study provides evidence that participating in initiatives or programs for exchanging threat intelligence with peers, industry groups, IT vendors and government results in a stronger security posture.

According to 1,200 IT and IT security practitioners surveyed in the United States and EMEA, the consumption and exchange of threat intelligence has increased significantly since 2015,

This increase can be attributed to the fact that 66 percent of respondents say they now realize that threat intelligence could have prevented or minimized the consequences of a cyber attack or data breach.

Despite the increase in the exchange and use of threat intelligence, most respondents are not satisfied with it. The most common complaint is that threat intelligence is not actionable, timely or accurate.

Following are 12 trends that describe the current state of threat intelligence sharing.

  1. Most companies engage in informal peer-to-peer exchange of threat intelligence (65 percent of respondents) instead of a more formal approach such as a threat intelligence exchange service or consortium (48 percent and 20 percent of respondents, respectively). Forty-six percent of respondents use manual processes for threat intelligence. This may contribute to the dissatisfaction with the quality of threat intelligence obtained.
  2. Organizations prefer sharing with neutral parties and with an exchange service and trusted intermediary rather than sharing directly with other organizations. This indicates a need for an exchange platform that enables such sharing because it is trusted and neutral.
  3. More respondents believe threat intelligence improves situational awareness, with an increase from 54 percent of respondents in 2014 to 61 percent of respondents in this year’s study.
  4. Sixty-seven percent of respondents say their organizations spend more than 50 hours per week on threat investigations. This is not an efficient use of costly security personnel, who should be conducting threat hunting and not just responding to alerts received.
  5. Forty percent of respondents say their organizations measure the quality of threat intelligence. The most often used measures are the ability to prioritize threat intelligence (61 percent of respondents) and the timely delivery of threat intelligence (53 percent of respondents).
  6. Respondents continue to be concerned about the accuracy, timeliness and actionability of the threat intelligence they receive. Specifically, more than 60 percent of respondents are only somewhat satisfied (32 percent) or not satisfied (28 percent) with the quality of threat intelligence obtained. However, this is a significant decrease from 70 percent in 2014, which indicates some improvement as the market matures. Concerns about how threat intelligence is obtained persist because information is not timely and is too complicated, according to 66 percent and 41 percent of respondents, respectively.
  7. Companies are paying for threat intelligence because it is considered better than free threat intelligence. Fifty-nine percent of respondents also believe it has proven effective in stopping security incidents.
  8. Seventy-three percent of respondents say they use threat indicators and that the most valuable types of information are indicators of malicious IP addresses and malicious URLs.
  9. The value of threat intelligence is considered to decline within minutes. However, only 24 percent of respondents say they receive threat intelligence in real time (9 percent) or hourly (15 percent).
  10. Forty-five percent of respondents say they use their threat intelligence program to define and rank levels of risk of not being able to prevent or mitigate threats. The primary indicators of risk are uncertainty about the accuracy of threat intelligence and an overall decline in the quality of the provider’s services (66 percent and 62 percent of respondents, respectively).
  11. Many respondents say their organizations are using threat intelligence in a non-security platform, such as DNS. The implication is that there is a blurring of lines in relation to what are considered pure networking tools and what are considered security tools. Security means defense-in-depth, plugging all gaps and covering all products.
  12. Seventy-two percent of respondents are using or plan to use multiple sources of threat intelligence. However, 59 percent of respondents have a lack of qualified staff and, therefore, consolidate threat intelligence manually.


Consumers average 150 passwords; when your credit card expires, you need to remember ALL of them

Bob Sullivan

I recently had to undertake one of the most arduous, perilous tasks consumers face — updating all my credit card automatic payments. My card had expired of natural causes — rare in the age of account hacking —  so off I went, chasing after every card-paying account I have. These kinds of things make me skin-crawling, hair-raising, blood-pressure exploding, whiskey-shot needing anxious. And I’m sure I’m not alone.

I only had to update my expiration date, but as I’m sure all of you know, this process is fraught with disaster. I once failed to properly update an EZPass account, and faced a whopper of cascading penalty fees.  That’s the perilous part.

The arduous part is logging into every freaking account I had and….well, I mean trying to log into every account I have…and making the small change.  That means dealing with all those user names, all those passwords, and a different process every time.

Taking inventory of every auto-payment isn’t as easy as it sounds.  Some accounts are charged monthly. Some quarterly. Some just occasionally, if I use them rarely.  My bank (USAA) provides a helpful, but incomplete, list of possible automated payments. So I scan through about 6 months of bills, eyeballing potential accounts that USAA might have missed.   Some services have arrangements with banks to ease the expiration change, but you just can’t count on that.

Next, I go through the process of logging into (hacking into?) all these accounts. At some sites, it was enough to just change the expiration. Other places required removing the old card and adding it back in with the new expiration. And at still others (I’m looking at you, SlingTV), the web update simply didn’t work. Try as I might, the tool wouldn’t let me update my account. So I logged into an online chat, and after an authentication song and dance…well, they told me to call. About half an hour of my day, vaporized.

All this hassle is sort of my own fault, as all these firms are rightly paranoid about credit card security, thanks to journalists like me writing so many stories about credit card hacking.  So I’m glad it wasn’t easy.  But here’s the rub: A recent report claims that consumers now have an average of 150 passwords to remember.  ONE HUNDRED AND FIFTY!!

No wonder I need some whiskey.

More about passwords in a moment, but before I leave the topic of anxiety, let me say that these kinds of stories are precisely why The Red Tape Chronicles came to be. My anxiety isn’t really about the passwords. I know one way or the other I’d be able to get into these services and update my card. The stress comes from my assumption that behind every one of these accounts lies the potential for a massive GOTCHA. If my card were declined, perhaps I’d face a late fee. Perhaps my account would be cut off at a critical time. Perhaps I’d be bumped off whatever discount plan I’d arranged, and end up paying a higher price. These are not imagined fears. These are real booby traps that create real anxiety, born of experience, and maybe just a little PTSD from all those hacked credit card accounts I’ve had to update during the past few years. If I could assume that these providers would handle the situation reasonably, then I’d be a lot less on edge. But you know better than that. It only takes one mistake in the wrong transaction to cost you, big time.

So, I’m paranoid. And while I think I updated every account correctly, I don’t trust any of them. I’ll go through the same process in 30 days and make sure all those payments went through. Hey, it’s not paranoia if it’s real.

Now, as for passwords — IBM is out with a password report this week showing that consumers are willing to suffer a little inconvenience in exchange for security, and they are open to use of biometrics (enough with passwords already). Not surprisingly, people are most open to fingerprints, but fully 87% said they were open to other kinds of biometrics, like voiceprints. Companies should take this to heart. Every biometric has its special problem (like in the movies, when an iris scan is foiled by cutting out a victim’s eyeball. ew).  But while we keep arguing about imperfections, security still lags in the password/poorly-implemented-two-factor-authentication world.

Since we have to live in that world, here are IBM’s tips for now. Note the passphrase recommendation, which is probably the best you can do right now.

IBM’s consumer Tips:
  - Use Multi-Step Authentication: Where possible, enable two-factor authentication (2FA) that confirms a login on multiple levels, such as password + a mobile alert or email confirmation.
  - Opt for Passphrases vs. Passwords: Skip complex passwords and instead use longer “passphrases” – several unrelated words tied together, at least 20 characters. These are actually harder to crack and easier to remember.
  - Choose a Password Manager: Rather than try to memorize multiple passwords or store them insecurely, use a password manager, which not only acts as a vault for existing passwords, but can also generate stronger passwords for you.