Welcome to Cyber Security Today. This is the Week In Review edition for the week ending Friday February 5th. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
In a few minutes Dinah Davis, vice-president of research and development at Arctic Wolf, will talk with me about creating effective security metrics. But first a look back at some of the big news from the past seven days:
The number of complaints of cyber-related fraud in Canada in 2020 jumped by one-third over the previous year, according to new numbers from the Canadian Anti-Fraud Centre. There were just under 31,000 allegations of cyber-fraud incidents last year, compared to just under 21,000 reports in 2019. In dollar terms, the reported cyber-related fraud losses last year were over $101 million. By comparison the reported cyber losses to fraud in 2019 were over $83 million.
The number of reports of identity theft in the United States last year hit 1.4 million, according to the Federal Trade Commission. That’s double the number for 2019. The biggest cause of the increase related to fraudulent unemployment insurance claims, as well as phony claims for pandemic relief funds.
Canada’s four privacy commissioners spared almost nothing in their criticism of the image collection practices of American facial recognition software maker ClearviewAI. All four said Clearview’s practice of scraping photos of Canadians from the internet without their consent to use in its application violated federal and provincial privacy laws. It amounted to mass surveillance, they said. For its part Clearview said its business interests were more important than privacy, and that people freely put their faces on websites. The privacy commissioners asked Clearview to remove the images of Canadians from its databases. Clearview said it would try to limit the collection of images of Canadians. For the time being it has stopped selling its facial recognition to Canadian police.
IT companies don’t do a very good job when they create security patches for previously unknown zero-day vulnerabilities, Google says. It’s not enough to issue a patch, researchers said. The patch has to completely close the vulnerability. However, Google says, zero-day patches often solve only part of a problem, leaving hackers a window to keep exploiting the bug. Developers of patches have to do a better job.
More data breaches to report: A database of hundreds of thousands of subscribers to the DriveShare roadside assistance program in the U.S. is being shopped around a criminal hacking forum. Washington State admitted the personal data of 1.4 million unemployment insurance applications was stolen. In Europe security researchers found an unprotected database on the internet with copies of passports and other personal information of reporters and athletes belonging to a volleyball association. Personal data of employees of the IT company Wind River Systems was stolen. A crook is selling what they claim is a stolen database of contact and donor information on 1.7 million people from Oxfam Australia. And a database of over 400,000 subscribers to a forum for rating female escorts in the U.S. and Mexico is being offered on a hacking forum.
With the never-ending reports of successful hacking I thought I’d ask Dinah Davis about security metrics, because metrics are the heart of a cybersecurity program, which, of course, tries to limit hacking. I started by asking if she agreed that if you can’t measure what’s going on in your environment you can’t improve your protection.
(The following is an edited transcript. To hear the full discussion play the podcast.)
Dinah: Absolutely. If you’re not measuring anything, if you’re not looking at how things are trending, you don’t know if you’re getting better. If the attackers are being more aggressive you can’t tell any of that. You really need to track so that you can evaluate what your next move is.
Start with your firm’s risk profile
Howard: What’s a good metric?
Dinah: The first thing you need to do is actually look at your organization’s risk profile. What’s a good metric for you may not be the same as a good metric for another company, because it really depends on what your risks are. The first risk you want to look at is your threat landscape. What are your vulnerabilities? You need to be able to identify what you have in your system before you can decide what you’re going to measure. You’re going to need a vulnerability assessment tool … [which] looks through your system, all the software and hardware … evaluates the version of that software. And then it goes back to the national vulnerability database, or NVD, to determine if there’s any vulnerabilities in that database. There is a list of common vulnerabilities and exposures, commonly called CVEs. And each of those CVEs is given a score …
Then you want to categorize your vulnerabilities into four categories: critical, high, medium, and low. The score of a CVE is between one and 10. Anything that is a nine or a 10 is, ‘Drop everything, it’s critical, fix it.’ … The next one would be high, and that’s anything between a seven and an 8.9, and that’s still fix everything, but it might wait till tomorrow morning … Anything between a four and a 6.9, you can fix that in a planned maintenance window.
When you’re tracking that as a metric, what you want to know is how many critical and high vulnerabilities do you have in your system? How fast do you fix them? What’s the mean time to patch? …
Another metric you can watch is your account takeover risk … You can get a service that will scan the dark web for email addresses with your company domain name or your employees’ names. … You’re going to get four levels of risk: Critical, High, Medium, and Low … Anything that’s a critical risk is when the user has lost their email information, their password’s probably in plaintext, maybe some PII (personally identifiable information) with it.
Howard: One expert told me that a metric has to be actionable. ‘We’re seeing 300 suspicious login attempts a week.’ That isn’t important, but a good metric is something like, ‘The number of suspicious login attempts has increased by X percent over the last three quarters.’ And therefore you can say, ‘We’d better be doing this about it.’
Dinah: Yes. Anytime you have a metric you want to make sure it’s actionable. If you look at that metric every week and you go, ‘Oh, that’s interesting. It changed’ [but] … if your response is, ‘I don’t know what to do about it,’ it’s not a good metric.
Different metrics for different groups
Howard: Should you show different metrics to the IT staff, to department heads, and to the executive and board?
Dinah: Absolutely. IT staff needs all the gory details, everything you’re gathering; they need to really be able to understand that so they can figure out what they need to do. Department heads probably just need aggregates of the gory details: the trends, where things are going, maybe a little bit of a deeper explanation, what their departments can do to help improve those trends. And then for the exec board, you’re really looking at more high-level trending data. You might report on the number of critical CVEs you’ve fixed, or just the general trending: Are we getting better? Is it looking worse? [The report would show] more of a red, green, yellow kind of thing, potentially.
Metrics for small business
Howard: If I’m a small organization with just a couple of IT people, how do I know which metrics are important?
Dinah: Go for the biggest bang for your buck. For me, patching is always going to give you a leg up. So watching your CVEs and what you might have as risk there, and user awareness, training. Those two things. If you could track those two things, and you’re a really small organization, you’re going to be doing a lot better than most.
Free resource
Howard: Where can you get detailed advice on creating security metrics for your firm? Your hardware and software partners might help. Also, here’s a link to getting a document that includes two papers with advice from the Center for Internet Security. The document you’re going to download is actually a list of all of their free benchmark papers. The two on creating security metrics are at the bottom.
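As an added illustration, not part of the podcast or the transcript, the script below computes the vulnerability metrics Dinah describes (binning findings into Critical, High, Medium and Low by CVSS score using the thresholds she gives, counting what is still open, and the mean time to patch for critical and high findings) plus the kind of trend figure Howard calls actionable (percent change over a series of periods rather than a bare weekly count). The scanner output is a constructed sample and the CVE identifiers are placeholders, not real CVE numbers; the `severity`, `open_by_severity`, `mean_time_to_patch_days` and `percent_change` function names are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional


def severity(score: float) -> str:
    """Bin a CVSS base score into the four bands used in the interview.

    9.0-10 Critical, 7.0-8.9 High, 4.0-6.9 Medium; anything lower is
    treated as Low (assumption: the interview does not spell out the
    bottom band).
    """
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


@dataclass
class Finding:
    cve_id: str               # placeholder ids, not real CVE numbers
    host: str
    cvss: float
    found: date               # when the scanner first reported it
    patched: Optional[date]   # None means the finding is still open


# Constructed sample of what a vulnerability assessment tool might export.
FINDINGS = [
    Finding("CVE-0000-0001", "web-01", 9.8, date(2021, 1, 4), date(2021, 1, 5)),
    Finding("CVE-0000-0002", "db-01", 7.5, date(2021, 1, 4), date(2021, 1, 11)),
    Finding("CVE-0000-0003", "web-02", 9.1, date(2021, 1, 20), None),
    Finding("CVE-0000-0004", "fs-01", 5.3, date(2021, 1, 22), date(2021, 2, 3)),
    Finding("CVE-0000-0005", "fs-01", 3.1, date(2021, 1, 22), None),
]


def open_by_severity(findings):
    """How many unpatched findings sit in each band right now."""
    counts = {"Critical": 0, "High": 0, "Medium": 0, "Low": 0}
    for f in findings:
        if f.patched is None:
            counts[severity(f.cvss)] += 1
    return counts


def mean_time_to_patch_days(findings, bands=("Critical", "High")):
    """Mean days from discovery to patch over closed findings in the given bands.

    Returns None when nothing in those bands has been closed yet, so the
    caller can tell 'no data' apart from 'zero days'.
    """
    durations = [
        (f.patched - f.found).days
        for f in findings
        if f.patched is not None and severity(f.cvss) in bands
    ]
    return mean(durations) if durations else None


def percent_change(series):
    """Percent change from the first to the last value of a per-period series.

    This is the trend figure the interview calls actionable, as opposed to a
    single period's raw count.
    """
    first, last = series[0], series[-1]
    if first == 0:
        raise ValueError("no baseline period to compare against")
    return (last - first) / first * 100.0


if __name__ == "__main__":
    print("open findings by band:", open_by_severity(FINDINGS))
    print("mean time to patch (Critical/High), days:",
          mean_time_to_patch_days(FINDINGS))
    # Constructed suspicious-login counts for three consecutive quarters.
    print("suspicious logins, change over three quarters: %.1f%%"
          % percent_change([300, 360, 450]))
```

Run against a real scanner export, the same three functions give the three numbers Dinah says to track for the IT staff view; a department-head or board view would keep only the band counts and the percent-change trend.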