CyberWire Daily - China hacks to track. Turning the enemy’s weapons against them? Notes from the Billington CyberSecurity Summit. Anti-trust investigations for Facebook and, probably, Google.

Episode Date: September 6, 2019

Chinese intelligence and security services have been busy in cyberspace. A third-party customer leaks data it received from Monster.com. There’s a Joker in the Play Store. Some notes from the Billington CyberSecurity Summit: a military look at cyber ops, what CISA’s up to, and some advice from the NCSC. Anti-trust investigations are on the way for Facebook, and it seems likely that Google will be next. Malek Ben Salem from Accenture Labs on leveraging the blockchain for AI. Guest is Doug Grindstaff from the CMMI Institute, who makes the case that CISOs need to think more like VCs. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/September/CyberWire_2019_09_06.html

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout. Chinese intelligence and security services have been busy in cyberspace. A third-party customer leaks data it received from Monster.com. There's a Joker in the Play Store. Some notes from the Billington Cybersecurity Summit, a military look at cyber ops, what CISA's up to, and some advice from the NCSC. Can CISOs learn a thing or two from VCs?
Starting point is 00:02:17 Antitrust investigations are on the way for Facebook, and it seems likely that Google could be next. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, September 6, 2019. More reports have emerged on China's extensive work to track and monitor its predominantly Muslim Uyghur minority. State security services, Reuters says, have compromised telecommunications networks in several Asian countries with a view to keeping track of the activities of Uyghur travelers. The affected networks have been found in, at least,
Starting point is 00:02:58 Turkey, Kazakhstan, India, Thailand, and Malaysia. Other notes on Chinese activity focus on what appears to be a systematic effort to turn leaked equation group tools to Beijing's operational advantage. A checkpoint study of China's Buckeye Group, also known as APT3 or UPS team, has followed up earlier work by Symantec and taken a look at Buckeye's Bemstower tool. Checkpoint concludes, with appropriate reservations about the inevitable uncertainty of such assessments, that Bemstower has adapted the Equation Group's eternal romance exploit to its own purposes. As the researchers put it in their conclusion, quote,
Starting point is 00:03:45 of a rival, i.e. Equation Group, were used as the basis and inspiration for establishing in-house offensive capabilities. The job search service Monster.com has been affected by a data breach at an unnamed third party, a recruiting firm that's a Monster customer. TechCrunch notes that Monster did not notify affected individuals of the breach because, in their view, the data, once sold, becomes the responsibility of that third party, and Monster says it did notify the errant customer that they had a problem. TechCrunch also observed that there is no particular unanimity on the topic of whom to notify. Other companies faced with similar third-party data exposure have taken it upon themselves to notify affected individuals.
Starting point is 00:04:26 Others, like Monster, see a line to be drawn here and argue that at some point the data you buy becomes your responsibility. A researcher with CSIS Security Group describes Joker Android spyware, computing reports that Joker has been found in 24 Play Store apps. The 10th annual Billington Cybersecurity Summit concluded yesterday in Washington, D.C. We've got some notes on three of Thursday's keynotes. Major General Dennis Krall, U.S. Marine Corps, presently serving as Deputy Principal Cyber Advisor and Senior Military Advisor for Cyber Policy in the Department of Defense,
Starting point is 00:05:05 framed military cyber policy thusly. This is all about outcomes. He offered three salient considerations for U.S. military cyber policy. First, lethality. This has three aspects. Getting the right authorities, and these need to be not only the right ones to authorize sound operations, but they also need to be not only the right ones to authorize sound operations, but they also need to be deep enough to enable forethought and anticipation. Processes which need to be repeatable and to enable operators to use the authorities they've been given. In the context of process, General Krall quoted fellow Marine and former Secretary of Defense General Mattis, who said, quote, when good people meet bad process, bad process wins, end quote. And finally, of course, capabilities, a trained force with tools necessary to accomplish a mission.
Starting point is 00:05:55 We should note that General Krall didn't discuss actual lethality. His usage seemed more metaphorical than literal. It would, our reporters thought, be a mistake to have heard him advocating a general shift of cyberactivity toward killing. Effectiveness might be a useful gloss on what he called lethality. Second, partnerships. Such partnerships, General Kroll said, are both domestic, where partners often have authorities the military lacks, and international, where allies cooperate to share information within a framework that affords a common level of protection. Finally, reform.
Starting point is 00:06:33 At bottom, General Kroll saw this as a commitment to keeping faith and trust by applying scarce resources in the most effective and affordable ways possible. The conference also heard from Christopher Krebs, Director of the Cybersecurity and Infrastructure Security Agency in the U.S. Department of Homeland Security. He discussed the vision of his agency, which is familiarly known by its acronym, CISA. Krebs said CISA is best thought of as the nation's risk advisor. He explained the agency has five principles of execution.
Starting point is 00:07:04 First, operate with the statutory authority to lead critical infrastructure protection in a collaborative fashion. Second and third, CISA is committed to remaining results-driven and risk-focused. Fourth, the agency is determined to work consistently within the framework of constitutional rights and national values. And finally, CISA intends to execute and engage as one agency in one fight as one team. What this means in the short term is that the youngest agency in DHS will face its defining challenge next year, during the 2020 election season. Krebs concluded, quote, in 2020, we're going to lead. We're not going to let the Russians or the Chinese in, end quote.
Starting point is 00:07:48 And the final keynote speaker was Kieran Martin, CEO of the UK's National Cybersecurity Center. He began with a description of the realities of the environment in which we live. We find ourselves, Martin argued, defending open digital societies. Prosperity is a social concern and critical infrastructure presents a serious national risk. Cybersecurity is at its core about defending a way of life. We face a formidable set of adversaries. Russia is a determined, aggressive, disruptive opponent. Our commercial environment today is one in which our businesses are under routine, continuous Chinese assault.
Starting point is 00:08:25 North Korea and Iran are active and hostile. Transnational cybercrime has become cumulatively a grave threat to the digital economy. And state actions have come to have serious collateral effects, quite apart from the effects they're designed to have on their intended targets. Both WannaCry and NotPetya illustrate this. And it's worth noting that none of the four state bad actors or the many criminal gangs have any particular stake in an open, reliably useful Internet.
Starting point is 00:08:54 Operating in this world has led Martin to three conclusions. First, government matters. The Internet is a public good, but well-intentioned calls for public-private partnership have proven, he argued, a recipe for inaction. Instead, governments should take responsibility for detection, resilience, and making technology safer. That third responsibility, he emphasized. It's too easy, Martin said, to succumb to what he called producer capture,
Starting point is 00:09:22 the sort of Hobson's choice of security design big companies, in his view, too often offer their customers. Second, we must, quote, think carefully about our own footprints, and quote, cyberspace may be an operational domain, but fundamentally it's a peaceful domain, and we must act in cyberspace with this in mind.
Starting point is 00:09:41 Finally, governments need to look to the future, and that means looking for effective deterrence. And finally, it seems that antitrust investigators are circling closer to big tech. The Wall Street Journal reported this morning that state attorneys general are opening antitrust investigations of Facebook. New York's attorney general is leading the effort to be joined by Colorado, Florida, Iowa, Nebraska, North Carolina, Ohio, Tennessee, and the District of Columbia. On Monday, it's expected, the journal says, that Texas will announce that it and some three dozen other states are opening an investigation of Google.
Starting point is 00:10:18 The inquiries seem to be about as bipartisan as such things can be nowadays. As an indication of public sentiment, they suggest that big tech is about where big steel and big oil were about a hundred years ago. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword.
Starting point is 00:10:46 It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous
Starting point is 00:11:27 visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for a thousand dollars off. Clear your schedule for you time with a handcrafted espresso beverage from Starbucks.
Starting point is 00:12:17 Savor the new small and mighty Cortado, cozy up with the familiar flavors of pistachio, or shake up your mood with an iced brown sugar oat shaken espresso. Whatever you choose. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
Starting point is 00:13:18 And I'm pleased to be joined once again by Malek Ben Salem. She's the Senior R&D Manager for Security at Accenture Labs. It's always great to have you back. You and I have been talking about the trip you recently made to RightsCon. And one of the topics of discussion there was how to deal with disinformation campaigns online. What can you share with us? Yeah, so one of the interesting conversations in that conference was about, you know, freedom of expression on the internet versus censorship, the voices that are asking now for more control and more moderation
Starting point is 00:13:51 of what gets published on the internet. In particular, after the of all the disinformation campaigns that we've seen throughout election cycles, for instance, that video of Nancy Pelosi a few months ago. So the question is, how can we fight disinformation, whether there are any viable approaches, techniques, and can we do it without censorship, right? Without turning into, while keeping the internet the way we know it, as a platform for free expression. So what were some of the ideas tossed around? It seems that there is a consensus that we definitely need to develop standards of internet transparency and integrity. We also need to limit space for impersonators. Existing platforms, anybody can create an unlimited number of accounts in an anonymous manner. The question is, do we need to
Starting point is 00:14:47 have more checks to check that the people creating accounts are really, you know, physical people as opposed to bots, right, that can start building or propagating information without them representing people in the real world. So they don't reflect the public opinion in the real world. Right. But then I suppose there are legitimate needs for anonymity online as well. Absolutely. Yeah. And that's really one of the advantages of the internet. That gets also, I guess, reflected by the development of platforms like blockchain and Ethereum, where you see platforms being created that are decentralized, distributed, and people can join anonymously. That reflects the need for anonymity. It's still a trade-off. I don't think anybody would say that we need to completely remove the ability for people
Starting point is 00:15:47 to interact in an anonymous manner, but limiting the space for impersonators is what's needed. Limiting that space, meaning checking for bots that really have more harmful impact. Yeah, I mean, what a challenge to try to have community standards when you have truly a global community. Especially as we see also that the impersonation techniques are changing and are evolving, right? Now you see these bots infiltrating the more closed groups and domestic social media dialogue. How do you detect that? It's not straightforward, but I think we need to do more research and come up with some ways of, again, not completely limiting this, but perhaps limiting the space for these impersonators. Yeah, it strikes me too that there's one of the things that by automating, the ability to automate these things, that that enables an asymmetry that I don't know that we had to deal with before.
Starting point is 00:16:56 That the scale and velocity at which folks who are out there to spread misinformation and so forth can do so. It's a different ballgame than it used to be. Absolutely. The automation of the fast propagation of this misinformation is at an unprecedented scale. But also the automation of generating misinformation, automatically generating defakes, right? We've never seen that before, automatically generating videos that mimic a real person, that look really like a real person and that are hard to detect in real time. That's an absolutely new challenge
Starting point is 00:17:36 and it will continue to grow as we make use of GANs, General Adversarial Networks, to perform or to build these deepfakes. So it's a challenge that will continue to grow. And we need to work with the social media companies to come up with some common standards where we can identify these deepfakes and synthetic data. Interesting stuff for sure. Malek Ben-Salem, thanks for joining us. Thank you, Dave.
Starting point is 00:18:12 Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. My guest today is Doug Grindstaff.
Starting point is 00:18:55 He's the Senior Vice President of Cybersecurity Solutions for the CMMI Institute, an organization that was originally established by the Department of Defense to assess organizational capability around software development. My conversation with Doug Grindstaff centers on his notion that CISOs would do well to adopt some of the techniques commonly associated with VCs. He thinks they've got a lot in common. It is very similar to what the VCs face in that it is a very fast-paced and dynamic environment. It is an environment in which there are multiple threats and the risks are very high. And so being able to understand those risks, develop a methodology to de-risk those threats,
Starting point is 00:19:37 and to focus the organization on very specific outcomes, I think is really critical to the success of a VC, and in this case, also a CISO. And so what are some of the unique things that VCs face that you think could be brought over to the world of CISOs? From a VC perspective, I think understanding what are the steps that are necessary to start to de-risk an investment. In the case of a CISO, how do we understand the risks facing my business? Maybe that's a function of my business model. Maybe it's a function of my threat environment, my competitors. How do I understand those threats and then develop a very precise way of prioritizing those risks and then start to mitigate those risks? I think from a VC perspective,
Starting point is 00:20:22 one of the issues that is critical is to understand what are the steps to de-risk my investment. As I start to de-risk my investment, I start to increase the value of that investment and increase the further likelihood of future investment. From a CISO perspective, being able to understand what are the most significant inherent risks to my business, what are those things that could be terminal, have a terminal impact on my business, and then start defining what are the necessary steps to mitigate those risks? It could be building new capabilities. It could be focusing on developing people, acquiring new technologies. But that sense of prioritization, both from a VC perspective and from a CISO perspective,
Starting point is 00:20:59 is, I think, really job one and mission critical. The second after that starts to become alignment. And if you're as successful as a VC, you have clear organizational alignment from the stakeholders, maybe the other stakeholders that are in the investment with you, all the way through the organization. What is the next crucial step, next crucial milestone we need to achieve in order to continue to build this business and generate the returns we expect. From a CISA perspective, it's very much an analog. They also need to understand how do I create organizational alignment so my board understands and has defined our risk tolerances and the team that's supporting the security program understands exactly what are the most important security
Starting point is 00:21:40 controls, what are the most important processes and technologies that are going to be part of mitigating those critical, those terminal risks. And then I think finally, and this one is what I often talk about as a Copernican shift for the CISO. From a VC perspective, I think it's very easy to think about focusing on outcomes, right? There are very basic metrics that determine whether or not you're generating the kind of return. Am I elevating my revenues to levels that are sufficient? Am I able to demonstrate growth in EBITDA that allows me to demonstrate increases in value? From a CISA perspective, it's a little bit different. And the reason I refer to this as a Copernican shift is that I think it's important to focus not so much on process,
Starting point is 00:22:20 not so much on do I have sufficient control systems? Am I using the right standards? But am I focused on the outcomes? How do I know, how am I measuring whether or not the level of activity, the level of capability I have is sufficient to mitigate those key risks? We often think of sufficient capability as maturity. Do you have sufficient maturity in those critical capabilities that will start to mitigate the risks that your organization is facing? And obviously, those risks are informed by all those things we mentioned earlier, the threat landscape, the competitive landscape, that broad array of risks facing your business.
Starting point is 00:23:05 operationalizing it such that now I know what are those key steps and key investments I need to make to start to address those terminal risks, I think is just as important. And I think it's a valuable analog because the VC works in a very dynamic, constantly shifting threat environment where the likelihood of success is not high and the downside risk is actually quite significant. It could result in loss of investment, loss of business. Yeah, it's really interesting to me, as you point out, the CISOs, in my mind, they sort of sit between two groups. They quite often have the board above them, and then they have their team and the rest of the organization below them.
Starting point is 00:23:39 So they sort of sit in the middle of, I don't know if tension is the right word, between those two groups. I wonder, is the VC sitting in the middle of, I don't know if tension is the right word, between those two groups. I wonder, is the VC sitting in a similar position? Is there someone above them? What are the different sides they're aiming to please? Yes, they're trying to please their shareholders. They have stakeholders. They have individuals who have pooled money to potentially create a fund where they're expecting certain returns.
Starting point is 00:24:03 And so the threshold returns are quite high and the timeframe quite narrow for the VC. That generates a significant amount of tension as they start to try and support organizations to achieve the de-risking process, generate increases in value, and hopefully future investment. And what you described at the CISO, I think is spot on. And I think it is an enormous challenge. VCs are used to working with the financial stakeholders, are used to building funds and generating specific targeted returns. But you look at a lot of the folks that move into these roles of CISO and CSO, there is not a lot of training, whether it's how to put cybersecurity into a business context and think of it as a kind of key strategic plank for the business, whether it's defining the risk not as an IT risk, but as an enterprise risk, you know, those kinds of strategic skills and that kind of board interaction are not commonplace in terms of their career path development. So gaining those skills and building that capability, I think, is one of the really significant challenges facing most CISOs. I can't help noticing, I mean, the emphasis that you're putting on this whole notion of framing everything in terms of risk.
Starting point is 00:25:11 And I really, I think we've tracked that trend over the past year or more, that that's really a direction folks are headed. I would say that's true intellectually. We engage a lot of organizations across sectors, and I think there is a desire to understand risk, although unfortunately, a lot of organizations think of risk as the threat landscape. And when we think of risk, we think of it as enterprise inherent risk. So we look across all elements of a security program, from the physical security, to risks of natural disaster, to, of course, network and data integrity issues. So when we think of risk, we think of it holistically and use that understanding of the holistic risk put into the context that the company uses to find their risk tolerances is important. And so once I can get a sense of what
Starting point is 00:25:57 are the inherent risks, make sure that in the same context that the organization thinks of all other risks on the business, and then create an operational plan that seeks to mitigate those risks. I think that is still evolving. It's not an easy process to work with the, let's say, an ERM and try to operationalize an ERM, an enterprise risk management tool that organizations use. Operationalizing that is quite challenging. And in fact, for the CMA Institute, we actually developed a methodology that creates a relational database that connects risk to capability to understand which capabilities matter most given your organization's unique risk tolerances and risk profile.
Starting point is 00:26:37 That's Doug Grindstaff from the CMMI Institute. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyberire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Thanks for listening. We'll see you back here tomorrow. Thank you. comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable
Starting point is 00:28:05 impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
