
The security industry is usually very quiet about how security affects their products.

In the new 3rd quarter IBM Threat Intelligence Quarterly, the following 2 charts are very interesting:

[Chart: Heartbleed affects]

[Chart: Heartbleed attack activity]

April 8, 2014 is when the Heartbleed vulnerability was revealed, as one can see from the US-CERT.

It stated that OpenSSL versions 0.9.8 and 1.0.0 do not have the vulnerability, whereas version 1.0.1g has the vulnerability, as well as 1.0.2 beta, as in this Note.

Knowing when the Heartbleed vulnerability was revealed, one sees almost immediate scan activity from hackers. In fact, in one week, by 4/15, the activity reached 300k scans/attacks.

In case you are in denial of potential Internet attacks to your infrastructure... here is some evidence that shows the attacks from hackers after a vulnerability was exposed. And the top graph shows the continuing attacks on infrastructure many months after the vulnerability was exposed.

Hacker attacks occur for many reasons:

#1 Highest reason for an attack is to make money from the attack

8/19 Hackers hack Medical company - 4.5 million data sets stolen

8/5 Synology devices get ransomware

8/2 Jimmy John's credit card breach investigation

7/15 NASDAQ was owned 2005 - 2012 (Ars Technica story)

#2 2nd reason to attack your systems and network is to use your computers on the network to attack other computers (to make money or for political ends)

7/28 Elasticsearch vulnerability could cause DDoS attacks

3/15 WordPress vulnerability can be used to attack other sites

#3 Next reason to hack computer networks: just because the hacker can.

The hacker may just want to test their computer skills.

 

Can a business afford to take a chance?

Bruce Schneier frequently talks about this in his speeches and blog.

The linked YouTube video is a good review of the issues of incident response.

The most interesting item to me is the psychology of security that is included near the end of the video:

Humans are naturally risk averse in gains and risk seeking in losses.

This means that most people will not pay for a vulnerability scan or other security cost. The initial inclination is to take the risk.

Also, if there is a risk in a potential gain, we will not go the riskier route.

 

Here is the relevant passage from Bruce Schneier's blog:

Prospect theory:

"Prospect Theory

Here's an experiment that illustrates a particular pair of heuristics.12 Subjects were divided into two groups. One group was given the choice of these two alternatives:

  • Alternative A: A sure gain of $500.
  • Alternative B: A 50% chance of gaining $1,000.

The other group was given the choice of:

  • Alternative C: A sure loss of $500.
  • Alternative D: A 50% chance of losing $1,000.

These two trade-offs aren't the same, but they're very similar. And traditional economics predicts that the difference doesn't make a difference."

 

 

It is an old security methodology to review what is necessary in a security strategy:

 

People = we know people can cause security holes, give out security secrets, or cause unknown (and known) security problems.

Process = this is a set of events that hopefully will prevent some of the people problems, such as requiring a second pair of eyes (peer review) when changing a critical system.

Technology = use technology to prevent as many potential problems as possible (including people problems).

We use anti-virus, anti-malware, intrusion prevention, and incident response software.

At Fixvirus, we have helped companies with all 3 pieces of a security strategy.