Is cybersecurity by fiat DOA?

2013-09-02

Stephen Cobb

ESET, USA
Editor: Helen Martin

Abstract

‘Government-sponsored efforts to improve cybersecurity are underway ... but will they accomplish their goals?' Stephen Cobb, ESET.


Government-sponsored efforts to improve cybersecurity are currently underway in several parts of the world, including the USA, the UK, and the EU, but will they accomplish their goals? The answer has serious implications for many groups of people, from security practitioners to taxpayers, CIOs and CISOs, intelligence agencies and the military. Depending on your perspective, not all of the implications are positive.

I recently participated in the latest American endeavour to secure all things cyber and critical by attending the Third Cybersecurity Framework Workshop, organized by the National Institute of Standards and Technology (NIST). As you may know, something called Executive Order 13636 directed NIST to ‘work with stakeholders to develop a voluntary framework for reducing cyber risks to critical infrastructure’.

I respect NIST as one of the rare government agencies which, like the Federal Trade Commission, just seems to get on with doing useful things, including the distribution of useful information (notably the Special Publication 800 series [1]). A lesser agency might have balked when asked to create a cybersecurity framework ‘in an open manner with input from stakeholders in industry, academia and government, including a public review and comment process, workshops and other means of engagement’. But so far, NIST seems to be rising to that challenge.

At the workshop I attended, over 300 people were spun out into eight working groups, led by a team of facilitators who did a great job of taking input from all sides. The starting point was a draft outline of the framework [2], based on the two previous workshops. As we evaluated the work so far, there was a lot of learned and considered discussion, but one point of friction did emerge: fear that this voluntary framework, once completed and approved, will become a stick to beat companies into compliance. Might a law be passed to punish companies that do not comply with the framework? The folks from NIST insisted they had no interest in seeing this happen, but some attendees eyed the Department of Homeland Security contingent with suspicion.

And that brings us to malware. It might seem like a stretch, but please bear with me and turn to the Code of Federal Regulations 45 CFR 164.308(a)(5)(ii)(B). This is the Health Insurance Portability and Accountability Act (HIPAA) security rule that states that a Covered Entity must implement ‘Procedures for guarding against, detecting and reporting malicious software’. For years now, compliance with this rule has been the law in the USA, enforced with financial penalties running into millions of dollars. Now turn to page 16 of the Ponemon Institute’s Third Annual Benchmark Study on Patient Privacy & Data Security [3]. Larry Ponemon’s team conducted 324 interviews and compiled stats on 80 healthcare organizations.

When the results of the study were published last year, the headline was that 94% of healthcare organizations had experienced at least one data breach in the past two years, and 45% reported more than five incidents in that period. Figure 13 in the report (‘Measures to ensure devices are secure enough to connect to the network’) shows that a staggering 46% of healthcare organizations don’t engage in any of seven listed measures to protect critical systems. Only 23% insist on having anti-malware on mobile devices that connect to the network, and only 21% scan devices for malware prior to connection. Sadly, there are many more data points beyond the Ponemon study [4].

For me, this all adds up to a strong case for saying that you can’t legislate security. A voluntary framework might help, but as several of my fellow attendees at the NIST workshop pointed out: information security requires serious willpower and commitment. Take that away, and regulation is apt to do more harm than good.
