
Government security movements, stats on the landscape, and other side’s smarts

Brazil has created a cyberattack response network aimed at promoting faster response to cyber threats and vulnerabilities through coordination between federal government bodies. 

Created through a presidential decree signed on July 16, the Federal Cyber Incident Management Network will encompass the Institutional Security Office of the presidency as well as all bodies and entities under the federal administration. Public companies, mixed-capital companies and their subsidiaries may join the network voluntarily.

President Biden has sent a warning in an address to the US intelligence community. “I can’t guarantee this, and you’re as informed as I am, but I think it’s more likely we’re going to end up — well, if we end up in a war, a real shooting war with a major power, it’s going to be as a consequence of a cyber breach of great consequence. And it’s increasing exponentially — the capabilities,” he said.

In hearings on Capitol Hill on Tuesday, the Justice Department, FBI, Secret Service, and CISA all stated that Congress should consider passing a bill requiring companies that have been hit by a cyberattack to report it. The FBI also weighed in that ransomware payments should not be banned, as a ban might lead to further extortion efforts. In those hearings, lawmakers focused on how small companies are taking the brunt of the damage, without the deep pockets of large companies to absorb a breach.

Google has a new bug bounty program. The new site brings together all of Google’s Vulnerability Rewards Programs into a single intake form, and includes gamification features and options for interaction and competition. There is also an education program called Bug Hunter University.

That said, data from the latest AppSec Stats Flash says that the remediation rate for severe vulnerabilities is on the decline, while the average time to fix is on the rise. The time to fix vulnerabilities has dropped 3 days, from 205 days to 202 days. The average time to fix is 202 days, the report found, representing an increase from 197 days at the beginning of the year. The average time to fix for high vulnerabilities grew from 194 days at the beginning of the year to 246 days at the end of June.

Remediation rates have also decreased across all vulnerability severities, with rates for critical vulnerabilities falling from 54% at the beginning of the year to 48% at the end of June. Rates for high vulnerabilities decreased from 50% at the beginning of the year to 38% at the end of June. Of note – many of these vulnerabilities are considered “pedestrian” and are easy to fix.

Security teams report directly to the CISO in half (48%) of organizations, whereas 25% report to the CIO, followed by 12% that report to the CEO, according to the ISACA survey, State of Cybersecurity 2021 Part 2. The differences lie in how other executives view cyber risk assessments and in the board’s prioritization of cybersecurity. The majority of organizations (76%) perform risk assessments to ensure their regulatory compliance, followed by data loss prevention (54%) and improved communication of security policies and procedures (51%).

And, HP reports email is still the most popular way for malware to be delivered – it’s 75% of all threats. 

On the other side, malware developers are increasingly using unusual or exotic programming languages in an effort to hamper analysis. A new report released on Monday notes an escalation in the use of Go, D, Nim, and Rust, which are being chosen to evade detection or to address specific problems in the development process.

There’s also new macOS malware… available for as low as $49.

Why do we care?

It feels like it’s something of a foregone conclusion that mandatory breach notifications are coming. There’s a marketing angle to this too – the oldest lesson on mistakes is that you over-communicate and overcorrect.

With being breached inevitable, disclosure inevitable, and all evidence suggesting that there is no actual long-term reputational damage from a breach, savvy providers are going to be preparing themselves and their customers for the when of a breach, both from a technology perspective and a communications perspective: a clear public announcement, coordination with law enforcement, and organized remediation plans that are built before the breach.

This isn’t to promote lowering your guard or de-emphasizing prevention. It just seems that all the prevention discussions ignore the obvious statement – in the current landscape, you’re going to be breached, so having that response plan is just as important as the prevention plan.