From Zero-Day to Zero Privacy
I recently participated in a panel hosted by ITSP Magazine about #Vault7.
For background, on March 7, WikiLeaks posted the “largest ever publication of confidential documents” from the CIA, that suggests the government has been spying on people using smartphones from all major vendors like (Apple, Google, Microsoft) and even microphones in Samsung TVs.
This is the latest news sparking the privacy/ “big brother” conversation that is for obvious reasons, very concerning. A lot is being written about this topic and here are some of my thoughts.
The bigger story here is not that our government is spying, the story is that someone managed to compromise a “TOP SECRET” CIA development environment, ex-filtrate a whole host of material (8,000+ documents), and is now sharing it with the world. The compromise appears to have happened a year ago, in the first quarter of 2016, and is likely caused by contractors.
In 2017’s world there should be no expectations of privacy to anyone. But, many people, especially in the United States, believe they have the right to personal privacy, while failing to practice the proper security measures to keep their data private — posting on social media, not using encryption properly, etc.
Cybersecurity is a shared responsibility. In terms of responsible disclosure, Wikileaks appears to be breaking rules by “extorting” the vendors, refusing to give details to vendors to patch, unless they commit to a 90-day patch window. It appears that Wikileaks has its own agenda here, to impair nation states that are using and benefiting from these zero-days by forcing vendors to quickly acknowledge and release security patches.
To me there is no doubt that Vault 7 dealt a big blow to national security of the United States. In the wake of this breach it’s a good time for all corporations to review their incident response tools and breach detection tactics. Here are my top 5 recommendations:
1. Upgrade your breach detection tools to include a platform that has visibility into web, email and lateral vectors for threats payloads and communication, can catch zero-day attacks by behavior; uses deep learning analytics and correlates alerts from all security vendors into a timeline view.
2. Train your staff on recognizing phishing. I talked to a large company in Florida recently where phishing open rate decreased from 30% to 5% after cybersecurity training.
3. Use multi-factor authentication by default, stop using passwords alone.
4. Backup data offsite to be safe from ransomware.
5. Obtain data breach insurance, you will need it.
I touched on some of my thoughts on this hot topic, and I encourage you to check out the full panel on demand. It was a good discussion covering a lot of angles of ‘Vault 7’ including:
- Who is impacted, how are they impacted, and what’s at risk?
- What the government can do to help?
- What the commercial InfoSec community can do to help?
- What consumers need to know to help (protect) themselves?
A special thanks to ITSP Magazine and the host of panel, Sean Martin for putting this together. Here is the link to listen to BrightTalk Panel on-demand.