Tuesday, September 29, 2015

The IL Lottery is immune to hackers…really

Beginning October 1st, the lottery will no longer consist of ping pong balls flying up tubes to pick the winning numbers. Instead, the numbers will be generated digitally, on a system kept in a secure room with 24-hour surveillance, other security layers and no connection to the Internet. Does that make it hacker-safe, as they claim? http://www.illinoislottery.com/dailydrawings

Well then, let's start the stopwatch…how long before the first hack occurs (not if but when).
How is this PC going to receive software updates/patches? Is it connected to other machines in the office? Does it have a Wi-Fi or Bluetooth connection? How about IoT (Internet of Things)?

Monday, September 28, 2015

Sign of the times: “If you don’t know where you are going, you’ll end up someplace else” Yogi Berra

Is baseball still America's pastime, or is cybersecurity? Perhaps not a good comparison, but the message from the late Yogi has some synergy, as cybersecurity has become a discussion at all levels now, i.e. from hackers to boards of directors…
A couple of key points from "Definitive Guide to Cyber Threat Intelligence" by Friedman and Bouchard:
  • 3 levels that require a specific message depending on the audience: tactical, operational and strategic – what not to fear vs. what to react to
  • Cast a wide net when looking at assets, since threats, adversaries, targets and weapons vary
  • Large volumes of data do NOT equate to intelligence; instead, know your indicators, understand the threat feeds, and understand the tactics, motivation and intent
  • Good validation and prioritization lead to accurate dissemination of intelligence and message
  • Pivot from attack/detect to analysis of complex attacks via the right balance of triage, prioritization, remediation, and management (investment and communication)
  • A strategic roadmap must value gap analysis with investment priorities, a central knowledge repository with automated workflow, and a "hunt mission" capability – anticipate the hosts' likely threats, aggressively search for indicators, and reveal attacks at the earliest stage
  • Finally, consider various levels of partnership, since no one can do it alone

Tuesday, September 22, 2015

#trending - The business of Ransom(ware): Money Extortion

Ransomware – computer/data encrypted vs. ransom – employee kidnapped. Both have a demand for funds in common.

Total numbers are bleak, since reporting to law enforcement may not necessarily be the first step and can compromise the situation/safety or the brand, etc. But kidnapping stats show an increase in hot spots including Nigeria, Mexico, Colombia, Venezuela and India ("for employees of consumer goods, mining and oil-services companies"); and likewise a spike shown in enterprises resulting from malware, spear phishing, etc. A popular ransomware program called CryptoWall recorded 600,000 computers affected in just 6 months of 2014 and held 5 billion files hostage, which generated $1MM for the creators [researchers found].

While no two situations are alike, the response should be methodical and agile, i.e. the common thread being a strategy to prevent / detect / respond effectively. From an IT perspective, ensure detection capabilities, data backup, least-privilege access, a sound response policy and procedure (e.g. no payment of demands), eradication (isolation through forensics), and finally, notification of authorities / regulatory bodies. www.resilientsystems.com

Regarding the non-IT scenario (kidnapping), I'll leave that to the experts: blogs.wsj.com

Monday, September 21, 2015

Target breach resulting in 40M debit/credit card accounts compromised [Krebs on Security]

A confidential report, now published, revealed Target had "no controls limiting their access to any system, including devices within stores such as point of sale (POS) registers and servers", according to Verizon's assessment: krebsonsecurity.com
Recall that the attack source (though never confirmed nor denied) was a Pennsylvania heating and air conditioning company that worked for Target; it was hit with malware via email, which led to the theft of credentials for Target's private network. Target has since changed management/leadership, invested in security, etc. to the tune of hundreds of millions of dollars (but does not believe in rehashing a possible scenario that is now 2 years old). An updated penetration test performed in Feb 2014 revealed stronger security controls and continued progress in remediating vulnerabilities on a more timely basis.
Key attack sources / penetration testing findings concluded:
  • Default and/or weak passwords were stored on servers even though a password policy was in place. Combined with misconfigured services, this allowed 86% (472,308) of passwords to be cracked within a week
  • Systems were missing critical security patches, were outdated or were simply unpatched, which was a path to gaining full access to the network / data

Finally, Target has not shared lessons learned, but the analysis would tell you the following: segment your network, limit access to sensitive networks, establish a system for finding and fixing vulnerabilities, and conduct penetration testing.
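The password finding above is the interesting one: a policy was in place, yet most passwords still fell. The added example below (mine, not from the Krebs or Verizon reports) audits a constructed password list and counts how many satisfy a typical complexity rule while still being defaults, organisation names, year suffixes or repeated characters; the policy values, default list and sample passwords are all assumptions.

```python
"""Audit passwords that satisfy a complexity policy yet remain weak (added example)."""
import re
from typing import Dict, List

# Constructed policy resembling a typical corporate rule set (assumption).
POLICY = {"min_length": 8, "classes_required": 3}

# Constructed list of vendor-default / predictable base words (assumption).
KNOWN_DEFAULTS = {"password", "admin", "welcome", "changeme", "letmein"}

# Leet-speak substitutions that cracking rules undo (subset).
_LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s"})

# Constructed sample, as an auditor might export it from a password audit.
SAMPLE = ["P@ssw0rd!", "Target2013!", "Welcome1", "Xq7#vL9$pR2m",
          "admin", "Summer2014", "aaa111BBB"]


def meets_policy(pw: str, policy: Dict[str, int] = POLICY) -> bool:
    """True if the password satisfies the length / character-class rule."""
    classes = sum(bool(re.search(p, pw))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    return len(pw) >= policy["min_length"] and classes >= policy["classes_required"]


def weakness_reasons(pw: str, org_words: List[str]) -> List[str]:
    """Why a password is cheap to crack even if it passes the policy."""
    reasons = []
    # Normalise the way a cracking rule set would: drop trailing digits /
    # punctuation, then undo common leet substitutions.
    base = re.sub(r"[\d!@#$%^&*()_+\-=.,]+$", "", pw.lower()).translate(_LEET)
    if base in KNOWN_DEFAULTS:
        reasons.append("known default")
    if any(w in base for w in org_words):
        reasons.append("contains organisation name")
    if re.search(r"(19|20)\d\d[^A-Za-z0-9]?$", pw):
        reasons.append("ends in a year")
    if re.search(r"(.)\1\1", pw):
        reasons.append("repeated characters")
    return reasons


def audit(passwords: List[str], org_words: List[str]) -> Dict[str, int]:
    """Count passwords that pass the policy but are still weak."""
    counts = {"total": len(passwords), "policy_ok": 0, "policy_ok_but_weak": 0}
    for pw in passwords:
        if meets_policy(pw):
            counts["policy_ok"] += 1
            if weakness_reasons(pw, org_words):
                counts["policy_ok_but_weak"] += 1
    return counts


if __name__ == "__main__":
    print(audit(SAMPLE, ["target"]))
```

On the constructed sample, six of seven passwords satisfy the policy and five of those six are still weak, which is the gap between having a policy and enforcing one.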

Friday, September 18, 2015

M&A – Mexico’s Rimsa for generics and in emerging markets

Rimsa (Mexico City-based drugmaker) is drawing interest to the tune of $1 billion for the generic-drugs company. The spark is fueled by low rates of health-care spending in emerging markets (Brazil, Chile, etc.), where paying for brand-name drugs is not the norm. In the hunt are also Abbott, Teva, Pfizer, Sanofi, etc. www.bloomberg.com

Wednesday, September 16, 2015

“America’s computers and networks are under attack.” – The Economist

Only when cyber security threats are recognized/alerted (and their impact understood) can organizations act accordingly. http://www.economist.com/news/united-states/21664145-americas-computers-and-networks-are-under-attack-retaliation-against-chinese-hackers The top 3 threats to America’s computers and networks are listed below, according to The Economist article this week on cybersecurity:
1) Commercial hacking (trade secrets / financial gain) 
2) Attacks on intelligence agencies (intellectual property / competitive advantage) 
3) Digital weapons (kinetic sabotage / nuclear damage) 
Whether it's theft or cyber-espionage, the topic needs to be addressed (before, during and after). The Economist uses the US and China topic: Obama’s (to-be) economic sanctions against China would ban named Chinese companies from doing business in America. Of course this comes on the heels of numerous diplomatic attempts, security firm Mandiant’s report pointing to the People’s Liberation Army for stealing huge volumes of American intellectual property, and conversely, episodes such as Snowden’s suggestion that the agency had been spying on Chinese companies, etc. On the upside, agencies (and organizations) are working closer together than ever; and The Economist article concludes that a “sense of urgency is growing” but “until people in charge of sensitive data and computers see the threats more clearly, attackers will have a field day.”

Monday, September 14, 2015

Critical Top 20 Security Controls - SANS

Minimizing dwell time (the duration from security incident/malware identification through resolution/eradication) is essential in the cybersecurity era. Damage/risks can be minimized by considering the implementation and audit of the SANS Institute’s Top 20 Critical Security Controls: inventory of authorized/unauthorized devices and software, secure configuration of mobile devices, continuous vulnerability assessment/remediation, malware defenses, application software security, wireless access control, data recovery capability, security skills training, secure network engineering and secure network configuration, limitation of ports/services, controlled use of admin privileges and need-to-know access, boundary defense, audit log monitoring/maintenance, data protection, incident response/management, and penetration testing. http://www.sans.org/critical-security-controls