What will the state of cyber security look like under the Donald Trump administration?

The election is over, the votes have been counted, and thankfully, other than a few isolated reports of malfunctioning voting machines, Election Night was unremarkable from a cyber security perspective. Now, it’s time to turn our attention to President Elect Donald Trump and what a Trump Administration will mean for cyber security in the U.S.

Donald Trump’s Official Stance on Cyber Security

Cyber security is the only tech-related topic Trump addresses directly on his official website. At this point, his plan has four main points:

• Appoint a “Cyber Review Team” composed of “individuals from the military, law enforcement, and the private sector” to perform “an immediate review of all U.S. cyber defenses and vulnerabilities, including critical infrastructure” and “provide specific recommendations for safeguarding different entities with the best defense technologies tailored to the likely threats.” The Cyber Review Team will also be tasked with establishing protocols and setting up “mandatory cyber awareness training” for government employees.
• “Instruct the U.S. Department of Justice to create Joint Task Forces throughout the U.S. to coordinate Federal, State, and local law enforcement responses to cyber threats.”
• “Order the Secretary of Defense and Chairman of the Joint Chiefs of Staff to provide recommendations for enhancing U.S. Cyber Command, with a focus on both offense and defense in the cyber domain.”
• “Develop the offensive cyber capabilities we need to deter attacks by both state and non-state actors and, if necessary, to respond appropriately.”

Much like HIPAA, Trump’s plan focuses on procedural generalities as opposed to technical specifics. However, this is to be expected of a presidential candidate who comes from a business background, not a tech background. The positive thing about the plan is its focus on taking proactive measures to prevent attacks, not just responding to them after they occur.

What to watch out for: Who Trump appoints to his Cyber Review Team. President Elect Trump should seek out experienced cyber security professionals with deep knowledge of the industry and the issues to hammer out the technical details of his plan.

The End of the H-1B Visa?

As a candidate, Trump famously took a hardline stance on immigration, including an initial pledge to eliminate the H-1B visa program that is heavily used by the tech industry. This has alarmed many tech employers, who claim that the H-1B is necessary because there is a shortage of qualified IT workers in the U.S., and that without being able to import talent from overseas, critical positions would go unfilled. This is an important issue in the cyber security field, which faces a severe skills shortage; there are approximately 200,000 unfilled cyber security jobs in the U.S., and demand is expected to increase by 53% by 2018.

However, it is important to note that Trump softened his stance on the H-1B at a Republican debate in March, claiming, “I’m changing. I’m changing. We need highly skilled people in this country.” Additionally, since his election, he has backed off from his initial zero-tolerance immigration stance overall.

What to watch out for: Whether Trump will abolish the H-1B is debatable. As a businessman, he used it to hire foreign workers, and his wife, soon-to-be-First-Lady Melania Trump, came to America on an H-1B. However, it is likely that Trump will make some changes to the H-1B program, and it is up to cyber security companies to ensure that our voices are heard as he makes decisions on this issue.

Cyber Security as Part of National Security

Throughout his campaign, Donald Trump referred to cyber security in the context of national security. At a debate against Hillary Clinton in September, he spoke of the gravity of the threat of foreign cyber terrorism against the U.S.:

…when you look at what ISIS is doing with the Internet, they’re beating us at our own game. ISIS.

So we have to get very, very tough on cyber and cyber warfare. It is — it is a huge problem. I have a son. He’s 10 years old. He has computers. He is so good with these computers, it’s unbelievable. The security aspect of cyber is very, very tough. And maybe it’s hardly doable.

But I will say, we are not doing the job we should be doing. But that’s true throughout our whole governmental society. We have so many things that we have to do better, Lester, and certainly cyber is one of them.

What to watch out for: It is possible that a Trump Administration will increase spending on cyber security at the federal level and impose more stringent requirements on state and local governments. Since the number and severity of data breaches and ransomware attacks are intensifying, these would be welcome changes.

The cyber security experts at Lazarus Alliance have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting organizations of all sizes from security breaches. We offer full-service risk assessment services and Continuum GRC software to protect companies from data breaches, ransomware attacks, and other cyber threats.

Lazarus Alliance is proactive cyber security®. Call 1-888-896-7580 to discuss your organization’s cyber security needs and find out how we can help your organization secure your systems.

IoT manufacturers should take heed from the recent Mirai DDoS attacks.

Recently, a widespread attack on Dyn’s DNS “Managed DNS” infrastructure wreaked havoc across the internet and brought down a number of major websites, including PayPal, Twitter, Amazon, Netflix, GitHub, and Reddit. Instead of going after the sites directly, Mirai targeted the web’s domain name system (DNS), which acts as an “address book” that matches common domain names, such as Amazon.com, with their corresponding DNS addresses, which are what browsers use to locate the site’s web server and load its content. The source of the attack was an open source malware strain called Mirai, which works by infecting vulnerable IoT devices, such as routers, printers, webcams, even DVRs.

How does Mirai infect IoT devices?

The Mirai malware takes advantage of a very serious vulnerability in IoT devices: the fact that most users do not change the default passwords their devices are shipped with, either because they don’t know how, they don’t realize the importance of doing so, or both. In some cases, the login credentials may be encoded in the device’s firmware, making it difficult or impossible for end users to change them. Meanwhile, manufacturer default passwords are widely available online. There are 68 user name and password combinations in the Mirai botnet source code, many of which are used for multiple IoT devices made by the same manufacturers. Therefore, just one set of credentials could allow a hacker to access hundreds, possibly thousands of devices.

Hackers use Mirai to scan the internet for specific devices, then attempt to access them using their manufacturer default credentials. Once hackers access a device, they turn it into a “zombie” – often without the device’s owner even realizing it. Once a large number of “zombie” devices have been amassed, they are used to flood specific web servers with so many junk requests that they slow to a crawl or crash.

IoT Manufacturers Have Been Put on Notice

Cyber security issues have plagued the IoT industry for years, and as these devices proliferate, cyber attacks that involve connected devices are becoming more frequent and more serious. Yet, as discussed in a previous blog, only 10% of organizations have a cyber security plan to address the Internet of Things, and 68% have no methods for testing IoT devices. Meanwhile, nearly 60% of consumers report being “very” or “highly concerned” about IoT security.

As a result of the Mirai malware attack, Chinese manufacturer Hangzhou Xiongmai voluntarily recalled its home webcams, and it’s possible that we’ll see more recalls if and when Mirai rears its head again. Of course, IoT manufacturers could and must take proactive steps to prevent these sorts of attacks in the first place. IoT devices should be configured to require users to change the default credentials the first time they log in, preferably to a strong password, and manufacturers should never hard-code credentials into a device’s firmware.

Unfortunately, the Mirai malware isn’t going anywhere, and if IoT manufacturers do not step up to the plate, it could be altered for use in even more insidious attacks in the future.

The cyber security experts at Lazarus Alliance have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting organizations of all sizes from security breaches. We offer full-service risk assessment services and Continuum GRC software to protect companies from data breaches, ransomware attacks, and other cyber threats.

Lazarus Alliance is proactive cyber security®. Call 1-888-896-7580 to discuss your organization’s cyber security needs and find out how we can help your organization secure your systems.

For Years, Yahoo Put Usability Ahead of Cyber Security

The massive Yahoo data breach, which compromised 500 million user accounts and has put its planned acquisition by Verizon at risk, happened because the company repeatedly put product user experience ahead of security, the New York Times reports:

Six years ago, Yahoo’s computer systems and customer email accounts were penetrated by Chinese military hackers. Google and a number of other technology companies were also hit.

The Google co-founder Sergey Brin regarded the attack on his company’s systems as a personal affront and responded by making security a top corporate priority. Google hired hundreds of security engineers with six-figure signing bonuses, invested hundreds of millions of dollars in security infrastructure and adopted a new internal motto, “Never again,” to signal that it would never again allow anyone — be they spies or criminals — to hack into Google customers’ accounts.

Yahoo, on the other hand, was slower to invest in the kinds of defenses necessary to thwart sophisticated hackers that are now considered standard in Silicon Valley, according to half a dozen current and former company employees who participated in security discussions but agreed to describe them only on the condition of anonymity.

The Times goes on to describe how CEO Marissa Mayer, after having taken over the troubled search engine in 2012, decided to focus Yahoo’s efforts on developing new products and creating better user experiences for existing products such as Yahoo Mail. Even though Mayer was aware of multiple information security issues, those took a back seat. Yahoo’s internal security staff, including former CISO Alex Stamos, warned Mayer about security vulnerabilities but found their efforts stymied due to “concerns that the inconvenience of added protection would make people stop using the company’s products.” Mayer cut the team’s budget and refused to approve the proactive cyber security initiatives Stamos pushed for, including end-to-end encryption, intrusion-detection mechanisms, and automatic resets of passwords on accounts that had been compromised. Even now, Mayer is still declining automatic password resets for the accounts compromised during this most recent breach – again, all in the name of not inconveniencing users.

Cyber Security vs. the User Experience

It’s common for tech companies to worry about how information security measures will affect the user experience. Often, developers must sacrifice speed and ease of use for a more secure product, and, while the majority of Americans claim to be highly concerned about data breaches, fickle customers may resist or become frustrated over security measures. A recent study found that one-third of Americans engage in risky behaviors to remember online passwords, and an ethnographic study of healthcare workers found widespread, flagrant disregard of cyber security practices in hospital settings.

While these are valid concerns, the answer is not to simply release unsecured products and hope for the best, as Yahoo apparently did. The burden of protecting customer data does not lie solely on software developers and data storage companies, and it cannot. The overwhelming majority of data breaches occur not as the result of external hacking but because hackers obtain legitimate login credentials, usually through social engineering schemes such as phishing. Manufacturers must build proactive security measures, such as multi-factor authentication, into their products, and get their customers accustomed to using them, even if the features are inconvenient or frustrating. The cost of a data breach is much higher than the cost of customer frustration, to both the breached company and the compromised customers.

The cyber security experts at Lazarus Alliance have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting organizations of all sizes from security breaches. We offer full-service risk assessment services and Continuum GRC software to protect companies from data breaches, ransomware attacks, and other cyber threats.

Lazarus Alliance is proactive cyber security®. Call 1-888-896-7580 to discuss your organization’s cyber security needs and find out how we can help your organization secure your systems.