HPE Cyber Risk report 2016 looks at the wider issues surrounding security

The HPE Cyber Risk Report 2016 is out and, at 90+ pages, it is a serious read that makes a lot of very strong points. Unlike other vendors' security reports, this one is not just focused on breaches and malware. It looks at regulation, court cases and the whole industry around cyber security. Nobody is spared by the report's authors when it comes to blame for poor security, with users, vendors, governments and enterprises all taking a slap or several on the wrist.

The report can be downloaded from the HPE web site free of charge, although you will have to fill out the usual form and accept some form of marketing call. Refreshingly, the URL for the report actually contains the word leadgen, just to make sure people know they will be followed up.

Seven key themes to cyber security

There are seven key themes to this report, which are covered in brief at the beginning. Each of these is returned to later in the report under different sections and makes for some interesting, if disturbing, reading. The seven themes are:

  1. The year of collateral damage
  2. Overreaching regulations push research underground
  3. Moving from point fixes to broad impact solutions
  4. Political pressures attempt to decouple privacy and security efforts
  5. The industry didn’t learn anything about patching in 2015
  6. Attackers have shifted their efforts to directly attack applications
  7. The monetization of malware

What is interesting about these themes is that they are not focused on the types of attacks in play but on the broader, and even political, scene around cyber security. While each one is brief, they are all thought-provoking, something that few security reports achieve. What is notable is the impact of regulations and political pressure hinted at here and covered in more detail later in the report.

The business of bugs

Most people have read reports about security researchers discovering bugs and bounties being paid to them. However, the scope of how bugs are monetised, and the options open to researchers from claiming bounties to selling out to the bad guys, are less well understood. This section not only looks at the options for researchers but takes a hard look at the impact of legislation on future security research.

The latter refers to the Wassenaar Arrangement, which was set up to deal with export controls to combat terrorism. One recent example of its use is the US decision to stop Intel selling its Xeon E7 chips to certain organisations in China. Another is the long-standing restrictions on what can be supplied to Iran. It is this latter that has caused a problem for Chinese telecoms equipment maker ZTE, which has been hit by sanctions for shipping dual-use technology to Iran.

The report highlights the increasing concern among researchers that they will find access to tools and information restricted through tighter interpretation of the Wassenaar Arrangement. It would also restrict information sharing, which is seen as critical in the fight against cyber crime, while the criminals themselves face no such restrictions on sharing data.

Privacy at risk of being lost

Unsurprisingly, the report looks at the risks to privacy. It covers the risks from the recent Safe Harbor problem between the US and the EU and access to data. There is a view on the risk of surveillance and the ongoing battles around encryption. Like many companies, HPE is concerned about government attempts to weaken security by requiring technology companies to provide routes to access data.

It calls out the problems for Google, Microsoft and Facebook but, as it looks at 2015, it has sidestepped the issue of Apple and the FBI. What is clear from the authors is that they believe legislators and law enforcement are a major threat to corporate and personal data, and that companies need to take this into account when setting their security policies.

When it comes to personal data, the authors settle on two major cases to show that data breaches have consequences far beyond the people directly involved. The Ashley Madison hack and data dump has led to a lot of collateral damage to people who were not users of the site but who know someone who was.

In the case of the OPM, the data was more serious. The information held on many people came about simply because they were listed as a contact on someone else's job application with US Government agencies. Few had consented to, or even knew about, the OPM storing the data. The breadth of the data gathered will make it easy for cyber criminals to create detailed profiles of people, making subsequent identity theft more likely and, in the view of the authors, a long-term threat. How long? The report suggests that the damage could go on for 40 years.

Conclusion

Every large IT vendor and security company releases its assessment of the previous year's security challenges. Most of them focus purely on the attacks and their impact. This report is notable and worth reading if only because it takes a different approach. Yes, the speeds, feeds and threats are covered, along with HPE's approach to security. For many readers, though, there is a wealth of information in the first quarter of the report, as we've touched on above.

1 COMMENT

  1. […] HPE Cyber Risk 2016 Report has been published. The first part of the report provides a good view into regulation, how the security market works and the risks of over reaching legislation. The second part covered […]
