CyberWire Daily - A battle for digital sovereignty.
Episode Date: May 13, 2024
IntelBroker claims to have breached a Europol online platform. The U.S. and China are set to discuss AI security. U.S. agencies warn against BlackBasta ransomware operators. A claimed Russian group attacks British local newspapers. Cinterion cellular modems are vulnerable to malicious SMS attacks. A UK IT contractor allegedly failed to report a major data breach for months. Generative AI is a double-edged sword for CISOs. Reality Defender wins the RSA Conference's Innovation Sandbox competition. Our guest is Chris Betz, CISO of AWS, discussing how to build a strong culture of security. Solar storms delay the planting of corn.
CyberWire Guest
Guest Chris Betz, CISO of AWS, discussing how to build a strong culture of security. In his blog, Chris writes about how AWS’s security culture starts at the top, and it extends through every part of the organization.
Selected Reading
Europol confirms web portal breach, says no operational data stolen (Bleeping Computer)
US and China to Hold Discussions on AI Risks and Security (BankInfo Security)
CISA, FBI, HHS, MS-ISAC warn critical infrastructure sector of Black Basta hacker group; provide mitigations (Industrial Cyber)
'Russian' hackers deface potentially hundreds of local British news sites (The Record)
Cinterion IoT Cellular Modules Vulnerable to SMS Compromise (GovInfo Security)
MoD hack: IT contractor concealed major hack for months (Computing)
AI's rapid growth puts pressure on CISOs to adapt to new security risks (Help Net Security)
Reality Defender Wins RSAC Innovation Sandbox Competition (Dark Reading)
Solar Storms are disrupting farmer GPS systems during critical planting time (The Verge)
The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the CyberWire Network, powered by N2K.
IntelBroker claims to have breached a Europol online platform.
The U.S. and China are set to discuss AI security.
U.S. agencies warn against Black Basta ransomware operators.
A claimed Russian group attacks British local newspapers.
Cinterion cellular modems are vulnerable to malicious SMS attacks.
A UK IT contractor allegedly failed to report a major data breach for months.
Generative AI is a double-edged sword for CISOs.
Reality Defender wins the RSA Conference's Innovation Sandbox competition.
Our guest is Chris Betz, CISO of AWS, discussing how to build a strong culture of security.
And solar storms delay the planting of corn.
It's Monday, May 13th, 2024. I'm Dave Bittner, and this is great to have you here with us.
Europol is investigating a security breach of its Europol Platform for Experts, the EPE.
The breach was disclosed after a threat actor known as IntelBroker claimed to have stolen documents labeled for official use only, containing classified data. According to Europol,
the breach affected a closed user group on the EPE, an online platform used by law enforcement
to share knowledge and non-personal data about crime. Europol has assured that no core systems
or operational data was compromised, and the EPE application does not process operational information.
IntelBroker, active since December and involved in various government data leaks,
claims the stolen data includes sensitive information
on thousands of Alliance employees and cybercrime experts.
They've also breached other significant data platforms,
like EC3 Space and Sirius within
Europol's networks. The threat actor is now offering the stolen data for sale on dark web
forums. The United States and China are set to commence high-level discussions focused on the
security and risks of advanced AI systems. Biden administration officials say these discussions will not aim at promoting technical cooperation,
but rather at addressing concerns related to AI's impact on national security and anti-democratic uses,
particularly by China.
Recent incidents, including AI-facilitated cyberattacks linked to China, highlight these issues.
The dialogues, part of broader efforts to manage tensions and maintain open channels despite strained relations,
will involve senior officials from both countries discussing the implications of AI in various sectors and governance.
These talks follow direct discussions between Presidents Biden and Xi, who emphasize the need for ongoing dialogue despite not participating directly in the upcoming meetings.
The U.S. Cybersecurity and Infrastructure Security Agency, along with the FBI, HHS, and MS-ISAC, issued a cybersecurity advisory against the Black Basta hacker group. This ransomware-as-a-service organization has affected over 500 entities
across critical infrastructure in North America, Europe, and Australia since April 2022.
The advisory outlines tactics, techniques, and procedures,
and indicators of compromise used by Black Basta,
such as phishing, exploiting vulnerabilities,
and a double extortion tactic involving data encryption and exfiltration.
The advisory stresses the implementation of mitigations like updating systems,
using multi-factor authentication,
and training against phishing to reduce ransomware risks.
Black Basta's operations involve sophisticated tools
for network scanning, lateral movement, privilege escalation, and data exfiltration,
emphasizing the urgent need for comprehensive cybersecurity measures across critical
infrastructure sectors. A group claiming to be first-class Russian hackers defaced websites of British local and regional newspapers
owned by NewsQuest Media Group by posting a fake news story titled,
Pervoklasny Russian Hackers Attack.
The incident, affecting potentially hundreds of sites, suggested a breach in a central or shared content management system,
though there's no proof the attackers
were actually Russian. This breach highlights vulnerabilities in the cybersecurity of UK
local media, particularly with an upcoming election. The style of the attack is reminiscent
of attacks used by Eastern European groups like Ghostwriter, known for inflaming tensions through false stories and
hacking, but no specific group has been confirmed responsible for this incident.
Cinterion cellular modems, used extensively across various sectors like industrial,
healthcare, and more, are vulnerable to attacks via malicious SMS messages.
The U.S. National Vulnerability Database reports a severe flaw, rated 9.8 out of 10, that allows remote unauthenticated attackers to execute arbitrary code
and potentially take full control of the modem.
This vulnerability was part of a broader set identified by Kaspersky,
including seven zero-day exploits found in
February 2023. These vulnerabilities also affect the modem's handling of Java-based applications,
enabling unauthorized code execution and compromising network security.
Kaspersky recommends disabling SMS capabilities and enforcing stringent digital signature verification for MIDlets as mitigation
steps. Telit Cinterion, the manufacturer, has yet to comment on patching efforts or specific
mitigation advice. The Guardian reports in an exclusive that Shared Services Connected Limited,
an IT contractor for the UK government,
failed to report a significant breach for months after being hacked,
potentially by a Chinese group.
This breach compromised the payroll data of approximately 270,000 Ministry of Defense staff.
Despite awareness of the breach in February,
the incident was only recently disclosed to the Ministry of Defense.
The UK Defense Secretary, Grant Shapps, has criticized SSCL for its slow response and has
initiated a full review of SSCL's government contracts, which include other undisclosed
sensitive cybersecurity roles. This situation has raised concerns over a broader compromise of government
systems. SSCL, now wholly owned by the French company Sopra Steria, was previously partly
owned by the UK government until last October. The Chinese embassy has denied involvement in the hack.
Help Net Security looks at how the rise of generative AI impacts the role of chief
information security officers, finding that it is increasing both opportunities and challenges
in cybersecurity. Harold Rivas of Trellix emphasizes the critical importance of CISOs
in navigating AI integration while ensuring cyber defense. The widespread accessibility of generative AI has made it a dual-edged sword,
easily utilized by both cybersecurity professionals and malicious actors.
Key statistics from a survey show that 76% of CISOs have already implemented GenAI in their operations,
100% believe Gen AI enhances cybersecurity
processes, 90% of CISOs feel under increased pressure due to AI developments, and 45% are
establishing AI committees to oversee AI use and implement governance. A concerning 99% have faced cyberattacks recently, with 82% noting an increase.
The growing reliance on AI has not only heightened the cybersecurity risks
but also placed CISOs under greater scrutiny and liability.
With 92% contemplating their future roles,
there's a unanimous call for better regulation to manage AI's risks effectively.
For the second consecutive year, an AI-based security startup won the Most Innovative Startup Award at the RSA Conference's Innovation Sandbox competition.
This year, Reality Defender clinched the prize with its tool designed to identify deepfakes and artificial content,
addressing a significant issue highlighted by the judges, especially relevant in an election year.
Reality Defender's platform uses AI to detect fraudulent audio, video, images, and text in real time,
aiming to become the primary detection layer for all AI-generated fraud.
This win reflects the increasing importance of tackling AI-driven security challenges in cybersecurity.
Coming up after the break, Chris Betz, CISO of AWS, discusses how to build a strong culture in security.
Stay with us.
Chris Betz is Chief Information Security Officer at AWS.
I recently spoke with him about how to build a strong culture of security.
Every organization I've been with has their own culture,
in particular the cybersecurity.
One of the most important things
is having a culture that matches the company's culture, but also helps make sure that the
company is focused in the right priorities. Security is hard enough. When each organization
is pulling in a different direction, when security is not seen as an organizational imperative,
it makes it really, really hard for security to work correctly. And so I think that the deep
partnership between the business and security is important. I think having the culture,
the power of security throughout the organization really makes a huge difference.
Well, let's go through some of the details here.
I mean, what are some of the ways that people who are in a leadership position when it comes to security, how can they instill this strong culture of security within their organization?
I don't think it comes just from security leadership.
I think a security culture has to start at the top
and then extend throughout the organization.
The structure we have at AWS is a good example of that.
Adam, our CEO, says in almost every conversation
I see him on stage,
he talks about how security is our top priority
to everybody in the organization.
And he not only says that, he lives it.
As you know, business leaders, CEOs, their time is pulled a million different directions.
Adam dedicates at least an hour a week, sometimes more, to sit down with his leadership, with my leadership, and with engineering teams across
the company to go deep into security topics with that. And so, yes, security leaders are a critical
part of building that culture. But I think security culture starts at the top of an organization.
And so it's having the board, the CEO, the organizational leaders just as invested that makes a real difference.
Well, then how do you go about getting that buy-in to filter down to everyone along the organizational chart?
I've been at multiple companies, the past several, where this has been true, where it's very, very clear from the CEO on down that this is a priority.
And so I think the journey we've been on with cybersecurity over the past few decades has really made this true for many companies.
I think boards and others see the imperative. I think one
of the jobs that we have as security professionals is really partnering with our executive leadership
and helping them make this something that they live, make this an area where they invest in,
make this an area that resonates for the whole of the organization. And so our job is to tap into that passion,
that challenge that companies feel
when it comes to cybersecurity
and to enable those leaders to take the right actions
to show up and set that note for the organization.
How do you instill a sense among all the folks
within the organization
that everyone has an individual
responsibility for security?
I think it's really important that everybody feel like security
is their job. One of the ways that I've seen organizations be successful and make that happen
is they tap into the existing ways that organizations think. For example, at AWS
and Amazon, ownership is incredibly important. And leaders throughout the organization at all levels
take the time to reiterate the message and to live the message that they own security.
The ways that I've seen that work most successfully is when each person
feels that independent accountability and leadership across the company does that.
The other piece that I think is so critically important is to recognize and appreciate when
people make security a top priority. One of the concepts we use at AWS is a concept called two-way doors. Two-way doors
simply recognize that many decisions can be unmade, can be changed. And so making a decision
that's a two-way door decision is relatively low risk. People should feel comfortable making those decisions pretty
rapidly because we can turn those off if they were the wrong call. Escalating security issues,
escalating security risk is a perfect example of what I call a two-way door decision,
what we call a two-way door decision. It's a chance where people can say,
hey, raise their hand.
We think there's a problem.
And if they're right, great.
We avoided a bad situation.
And if they're wrong,
if there's more there that they didn't recognize,
that's great.
Again, we can recognize and appreciate it and roll that decision back and continue operation.
And so that concept of being willing to take risk,
to say, hey, I think I've got something that looks funny, to recognize that that is relatively
a low-cost decision. It's easy to unmake those in many, many cases. And recognizing people,
whether it was something that needed another look and we did want to stop it, or whether it's something that needed to be rolled back.
Those are things that need to be recognized and appreciated.
And as you say, I mean, speaking of culture, I mean, it sounds to me like what you've
established there is a culture where people feel safe making those decisions, that it's okay to make a mistake because we put in
a process in place here that we can roll it back or make it right together.
Exactly. They need to
be able to be safe making a decision and identifying a security problem and really
taking the time and energy to recognize people who are making those decisions consistently is super important.
You know, it's hard to imagine many more high-profile CISO jobs than yours.
Heading up, you know, AWS, having that job, an important position in the world.
How do you deal with scaling this type of security culture? The scale at which you run,
even just that is hard for me to wrap my mind around. But how do you have this through the
thousands of people that you must be working with throughout the year?
I feel the same pressure.
And it's something that I, my team,
everybody takes seriously.
Not all clouds are built the same,
especially when it comes to security.
And we've got our own special mechanisms to make that happen.
For us, I've got a central team
that provides training, threat models,
tools, frameworks, design reviews, and really works to build all of those elements into
how the teams develop software wherever possible. Our goal is to make the secure way the easy way
and to make sure that security is built in wherever it
can be. We get to help scale out through things like we've got a security guardians program.
And so our security guardians program are sets of engineers, of deep subject matter experts
around AWS who've developed a passion for security in addition.
And so they come, they work with us.
They're part of each of those two teams to be organizations,
to be security ambassadors, guardians within the product teams.
They act as a security conscience.
They make it much faster and much more successful for us to secure the organization and to come up with the
right solutions. Because everything, all of the tools, every service that's getting launched,
of course, goes through a final security review for each new service and each new feature.
And our goal is to make sure that we hold the bar and those security guardians help us
deepen the organization, set that up
correctly.
What's your advice for that person who's been brought in to kind of make order out
of chaos? Someone who's been brought in to lead a security team and they really want to establish
this culture of security. I'm thinking of that person in a smaller, medium-sized business.
Do you have any words of wisdom for how they can come in and really make a difference?
Step one, partner closely with your peers in the business.
Think about who are the right folks to work with so that what you're doing in establishing that security culture is amplified in the way that the organization works.
Secondly, look at your internal and external partners.
There are key partners that you can use.
Your cloud service provider,
your managed security partner,
they've each seen these journeys before.
But overall, keep in mind,
there are, I think, four key principles
to building that strong culture of security. One, make sure it's built into the organizational structure. Make sure it's part of
something led from the top, led from leadership, and also echoes throughout the organization.
Two, make sure that everybody feels like it's their job, that they understand that trust in
the product, that security of the product is everybody's job.
Three, make sure that you've got the right expertise
in the right place.
You take advantage of those passionate security folks
across organizations.
Establish something like a guardians program.
Use that to help scale across the organization.
And lastly, find those opportunities
to build the tools, to build
the capabilities that make achieving security bar much easier and much faster.
That's Chris Betz, Chief Information Security Officer of AWS.
And finally, last Friday, we noted that coming solar storms had the potential to disrupt electronics here on planet Earth, including the electrical grid and GPS satellite signals.
Over the weekend, intense solar storms, the strongest since 2003,
did indeed disrupt GPS systems crucial for self-driving tractors,
causing some farmers in the Midwest to halt planting corn.
This timing is critical, as planting after May 15th can significantly reduce crop yields,
according to the University of Nebraska-Lincoln.
Farmer Tom Schwartz noted that the precision required for his organic farming is so high that only GPS can achieve the necessary accuracy.
Additionally, farmers were warned that future tending to their crops
based on GPS data gathered this past weekend would likely be inaccurate.
The solar storms reached a G5 severity,
indicating potential major impacts on power grids and communications,
although significant disruptions were avoided.
We had clouds here in
the Baltimore area, so no northern light show for us, but some of our colleagues from the Boston
area shared pictures that were spectacular. And that's the CyberWire. For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
Don't forget to check out the Grumpy Old Geeks podcast,
where I contribute to a regular segment
on Jason and Brian's show every week.
You can find Grumpy Old Geeks
where all the fine podcasts are listed.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights
that keep you a step ahead in the rapidly changing world of cybersecurity.
If you like our show, please leave a rating and review in your podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com.
We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector,
from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies.
N2K makes it easy for companies to optimize your biggest investment, your people.
We make you smarter about your teams while making your teams smarter.
Learn how at n2k.com.
This episode was produced by Liz Stokes.
Our mixer is Tré Hester with original music
and sound design by Elliott Peltzman.
Our executive producer is Jennifer Eiben.
Our executive editor is Brandon Karpf.
Simone Petrella is our president.
Peter Kilpe is our publisher.
And I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.