Up Times • Sept. 2023

Business Continuity Mixtape – Bryley-curated stories from around the internet:

We Do Not Negotiate with Terrorists, or Do We? The FBI is taking a hard line against the proposal in Congress that would make ransomware payments illegal. No one would argue with Congress’ goal of stopping ransomware. But if payments become illegal, as the FBI’s Bryan Vorndran says, you’re putting US companies in a position to face yet another extortion, which is being blackmailed for paying the ransom and not sharing that with authorities.

The government’s proposed scenario would play out something like this: a business would be compelled to report a cybercrime to the FBI. The FBI then shares the data with the IRS, who would audit the business to ensure payments were not made to criminals; if the business, to try and resolve its ransomware problem, falsely denied it had made payments, the IRS would prosecute the crimes of ransomware payment and false reporting.

Maybe there is a better solution than to put businesses under this added duress? Dealing with ransomware is difficult enough for a business to survive.

But currently what happens in business a lot is the ransomware payment burden is laid at the feet of the Chief Information Security Officer (CISO) or someone in an equivalent role in smaller organizations – aka the fall guys. Gary Barlet writing for the Harvard Business Review explains: a breach occurs, often due to some kind of misconfiguration or lax security practice within the organization or a third-party software provider, and, to save face with customers … a new CISO is swapped in for the old. And the stakes are growing higher, Barlet shows, with the example of Uber’s CISO Joe Sullivan’s conviction for under-reporting a cyberattack. So Barlet is in favor of outlawing ransomware payments to pressure organizations to take the threat of ransomware more seriously before a breach. Breaches, he argues, reflect not one department, but the business’ priorities. Did the CEO fully fund the CISO’s recommendations?

Strangely the original hard line, about no negotiations with terrorists goes back to a kidnapping-for-ransom event during the Nixon administration. Not negotiating at that time ended in the deaths of the hostages.

Do you think the government should bar ransomware payments? Or do you think payments are at least a path to negotiate the unlocking of data? (please send your thoughts) [3 min. read] cnn.com

An Actual Cybersecurity Rule Change — The SEC this month enacted its Cybersecurity Disclosure Rules. And while these changes may not yet affect your business, what happens at SEC-governed companies has a way of trickling down to smaller organizations – so the business can continue to be in compliance with industry regulatory boards and so it remains attractive to investors.

According to Marc Gaffan of Ionix the most important change is the shift in responsibility for cybersecurity to the board room: CISOs [Chief Information Security Officers) might have anxiety about presenting to the board because they are the only C-level executives without a tool of their own to measure ROI. From Salesforce to Workday to Marketo, C-suite executives have platform solutions aggregating, analyzing, and reporting on every aspect of the operation. There is no such solution for the CISO, making it harder to measure security program ROI or to demonstrate business value.

The SEC rule change, Gaffan continues, is an opportunity to place cybersecurity in the context of business decisions that the board understands … [to] talk about the cyber consequences of business decisions that are made every day. [For example] the use of SaaS apps that make employees more productive in a hybrid work environment also leaves the organization more exposed to risk, as critical business data is now [under the] control of a third party. Business partnerships that drive geographic expansion, rushing new apps to market as fast as possible to capture market share, or acquiring [another business in order] to scale the engineering team all have tremendous cybersecurity consequences … When you acquire a company, you also inherit its attack surface. It is not only a new group of employees who need access to enterprise resources, but all their contractors, partners, suppliers, and so on. It is a tangled, extended digital web of connected assets and implications … [5 min. read] darkreading.com

Rule of Least Power — Strange as it seems, simplicity was canon at the World Wide Web’s beginning. On choosing the web’s code language so that it grants the broadest distribution of information, Tim Berners-Lee (the web’s inventor) wrote there is a tradeoff in choosing between languages that can solve a broad range of problems and languages in which programs and data are easily analyzed [Berners-Lee gave a print “2+2” example as something very easy for a person to analyze].

Computer Science in the 1960s through 1980s, Berners-Lee explained,  spent a lot of effort making languages that were as powerful as possible. Nowadays we have to appreciate the reasons for picking not the most powerful solution but the least powerful … Less powerful languages [increase] the flexibility with which information can be reused: the less powerful the language, the more you can do with the data stored in that language.

He added, less powerful languages are usually easier to secure … [it’s] easier to analyze … easier to identify the security problems …

Well, I suspect you’ve noticed the web has become a lot more complicated and so has securing it, too. Here’s a reminiscence from Daniel Kehoe about the root of the web in simply sharing information … have we lost the thread? [5 min. read] hackernoon.com

Why make things easy for the bad guys? A credential stuffing attack is when criminals get ahold of login credentials and then they try those out (including with variations like just swapping in dollar signs for the letter S [per CSO Magazine]) on many other sites.

Bryley partner Microsoft reports a rise in credential stuffing attacks, some of which they ascribe to criminal use of AI tools that can be used to almost instantly generate password variations, known in the credential trade as mangling.

Multi-factor authentication and strong passwords (usually achieved in an organization with a password manager) can decrease the likelihood that this type of attack will do harm … [5 min. read] msn.com

^{Note: The Mixtape section is Bryley’s curated list of external stories. Bryley does not take credit for the content of these stories, nor does it endorse or imply an affiliation with the authors or publications in which they appear.}