How can you defend yourself when you don’t know where your enemy will spring from?
Don’t worry, this isn’t the start of some kind of military basic training, it’s a valid question that any self-respecting board member will ask when considering how to address their cyber security issues.
The answer is of course: threat intelligence. Gaining information from trusted sources on what to be aware of. In the past, this has been provided by major software vendors and some independent analysis companies. The newly formed National Cyber Security Centre, a part of GCHQ, is now providing a weekly threat report on their website. They have in all fairness been doing this since the early Autumn of last year, and as the weeks have ticked by I have found it to be a worthy addition to my weekly review of the ever-changing cyber landscape.
They blend both technical issues, with more analytical commentary on what issues are causing the most concern. They have also commented on prosecutions that have brought cyber criminals to justice. It may not be definitive, but coming with the voice of authority and reverence of GCHQ it is a highly recommended bellwether on cyber security.
Despite the depth and breadth of analysis that National Cyber Security Centre can undertake, one threat that they cannot accurately predict is that of a very specific target. One where a lone attacker wishes to cause harm, or profit from targeting just one single organisation.
One such threat was reported on this week by SC Magazine. They explained how an attacker attempted to extort $50,000 from E-Sports Entertainment Association (ESEA) in exchange for keeping silent about a hack.
ESEA is an esports competitive video gaming community and part of the $30 billion gaming industry. With so much money changing hands between players, the credit card data held by such organisations is a highly attractive target for hackers.
The extortion attempt failed and the database containing 1.5 million player profiles was released online. ESEA stated that they have identified the vulnerability that allowed this hack to take place and have issued a patch to fix it. They have also notified the FBI of this incident.
This incident does beg the question why in such a cash rich digital industry do vulnerabilities still exist, especially as cyber crime has been rising for a handful of years and its awareness at both managerial and technical levels is regarded as high. Perhaps the website Dark Reading can provide some explanation thanks to the piece they posted recently about the ‘sorry’ state of cyber security awareness training.
They highlighted that although awareness is high and many organisations will publicly state that cybersecurity is now a top priority for them, so few of them are not actually undertaking any training. They point out that while employees are getting some sense of what to look out for when they receive training, the threat landscape changes so quickly that the information becomes obsolete within weeks or months and, without regular reminders, it’s out of employees’ minds quickly. In other words, the information is no longer at the forefront of their minds.
May I suggest that they all possibly subscribe to the weekly threat bulletin from the NCSC? Just a thought.
For links to all these stories and more, or to contribute with some comments join us by searching for the National Cyber Skills Centre on our social channels of FaceBook, LinkedIn and Twitter, or just click the relevant links from our website.