CyberWire Daily - Chinese, Russian, and Turkish domestic influence campaigns. Zoom’s China troubles. Honda, Enel recover from Ekans. Ransomware attacks against a city and an M&A consultancy.
Episode Date: June 12, 2020. Twitter’s transparency efforts see through accounts being run by Chinese, Russian, and Turkish actors. Zoom is working to both comply with Chinese law and contain the reputational damage involved in... doing so. Industrial firms recover from Ekans infestations. Caleb Barlow from CynergisTek on how hospital CISOs are dealing with the COVID-19 situation. Our guest is Ronald Eddings from Palo Alto Networks and the Hacker Valley Studio Podcast on strategies for finding and managing security architects. And it’s not Posh Spice who’s got the attention of Maze; it’s just her M&A advisors. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/114
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Twitter's transparency efforts see through accounts being run by Chinese, Russian, and Turkish actors.
Zoom is working to both comply with Chinese law
and contain the reputational damage involved in doing so.
Industrial firms recover from Ekans infestations.
Caleb Barlow from CynergisTek on how hospital CISOs
are dealing with the COVID-19 situation.
Our guest is Ronald Eddings from Palo Alto Networks
and the Hacker Valley Studio podcast
on strategies for finding and managing security architects. And it's not Posh Spice who got the attention of Maze, it's just her M&A advisors.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, June 12, 2020.
Social media continue to work toward transparency, and this seems to be an easier and arguably more productive approach to controlling disinformation than direct content moderation so far appears to be. Twitter this morning has called out three state-run influence campaigns, all with a domestic focus.
Twitter has identified a large number of state-run accounts pushing disinformation.
The largest network was Chinese-controlled: 23,750 core accounts that were highly active in distributing Beijing's line on various issues, with special attention given to matters affecting
Hong Kong. A large number of amplifier accounts, about 150,000, repeated the core accounts' traffic. The content was,
for the most part, in Chinese and evidently addressed to a largely domestic audience.
Twitter says that despite the accounts' high level of activity,
they enjoyed relatively few followers and had achieved little traction.
Twitter also identified 1,152 Russian accounts associated with the Current Policy state-run news site. These were engaged in distributing messages favoring the United Russia party
in an influence campaign directed toward domestic audiences.
Also interested in domestic influence were 7,340 accounts in Turkey, whose line favored President Erdogan and the AK Party.
The Telegraph and others report that Zoom, having locked out account holders after they held online discussions commemorating the 31st anniversary of the Tiananmen Square massacre, is drawing criticism for aligning its services
with Chinese policy. The Wall Street Journal notes that the activist group affected,
San Francisco-based Humanitarian China, had its account quietly restored after the suspension
was reported by Axios. The company has said it pulled the accounts in compliance with local laws,
that is, with Chinese law.
Zoom has also expressed its regrets and said it, quote,
will not allow requests from the Chinese government to impact anyone outside of mainland China, end quote.
The company intends to do this by upgrading its systems to permit it to identify the locations of meeting participants and selectively blocking them on the basis of where they were.
So, if you were looking to join from Kalamazoo or Pocatello, or for that matter, from Scunthorpe,
you'd be good to go. From Shenzhen? Sorry, no remote conferencing for you.
Foreseeably, many critics remain unmollified, asking with Security Boulevard,
is Zoom the next Huawei? That's strong, but as
Security Boulevard's blog watch summarizes, Zoom may be headquartered in San Jose and listed on
the NASDAQ, but the firm does have significant operations in China, including a large engineering
staff and a practice of routing users' traffic through servers in that country. Zoom security
issues drew attention,
along with the company's swift rise during the COVID-19-driven increase in telework.
The Snake or Ekans ransomware strain, which Dragos characterized in its study as having
a primitive but distinct capability to hold industrial processes at risk, in addition to
its more conventional capability against business
systems, has been implicated in recent attacks on Honda. Bloomberg Law reports that Honda has
begun resuming production in its Ohio plants and elsewhere after Sunday's computer incident.
But according to Bleeping Computer, another firm, European power company Enel Group,
has disclosed that it's also been hit by Snake,
the same ransomware that disrupted Honda. The company's disclosure is belated. Enel says it
detected a ransomware infestation on June 7th, but that by Monday it had successfully contained
the attack and brought its systems back online. The firm's statement read in part that, quote,
no critical issues have occurred concerning the remote control systems of its distribution assets and power plants,
and that customer data have not been exposed to third parties.
Temporary disruptions to customer care activities could have occurred for a limited time
caused by the temporary blockage of the internal IT network."
In both cases, the identification of Snake, Ekans, as the ransomware involved,
came from outside researchers, not the affected companies themselves.
By the way, a quick note, it's been brought to my attention by a kind listener
that the correct pronunciation is Ekans and not Ekans, as I was saying earlier.
Evidently, it's a Pokemon thing, and I appreciate the correction.
And finally, one other ransomware attack has been reported. In this case, the culprit is known,
or at least a culprit has claimed responsibility. InfoSecurity Magazine says that Threadstone
Advisors, a New York firm that specializes in consulting on mergers and acquisitions,
has been hit with ransomware.
As is the fashion with up-to-date ransomware,
the extortionists claim to have stolen data
before they encrypted information in Threadstone's possession.
A note of clarification,
a lot of the coverage of the Threadstone incident
has mentioned one of their famous clients, Victoria Beckham.
But the attack was against Threadstone itself, not Ms. Beckham.
So you can rest easy.
What IT infrastructure Posh Spice maintains herself, as far as we know, is still up and humming.
My guest today is Ronald Eddings.
He's a security architect leader at Palo Alto Networks and the co-host of the Hacker Valley Studio podcast.
He shares his strategies for finding and managing security architects.
There's a lot of thoughts about what a security architect is and what security architecture is. Really, it's the security controls, the policies and guidelines that assist an organization with
protecting their data and protecting their users and really their entire organization.
Well, I mean, let's come at that together and unpack it. How does that come to fruition in
the real world? Yeah. So I always like to kind of give an example. And I say, imagine that you're a CEO of a company that designs and builds buildings.
And your newest client, they hire you to build a bank.
Your team, they would need to understand how to build a building that creates a positive experience for the bank staff and the customers. But most importantly, your team would need to understand how to build and design a building with security in mind to protect the crown jewels, which is money. And security
architects, we have similar goals and face similar challenges that an architect designing a bank
would face, but from a technology perspective. Is that process a bit of a journey in itself? Do you often find that folks may not have a good grasp on exactly what all aspects of the organization really need?
Yeah, and that's one of the most challenging parts of being a security architect is constantly working with stakeholders, working with directors and leadership to understand what does the organization need. And that also has to relate back to the analysts and engineers that are going to be implementing or maintaining that body of
work. It all has to work out for everyone within the organization. What makes a good security
architect? What are the personality aspects, the skills and so forth that make
someone a good fit for this particular job?
Security architects can be a little synonymous with a few other positions.
And the other positions that it's somewhat synonymous with is solutions architect, senior
security engineer, and sometimes even head of security.
And typically, the hero's journey behind these types of individuals is they've served their time working as an analyst,
working as an engineer, and they've accrued a lot of information to start to begin to understand the high-level needs of security for an organization. So a lot of the architects that I work with today,
they have a background and a history of security engineering, working in SOCs, and sometimes even leading and managing teams that deal with security. How much of the work that you do
involves diplomacy, of serving as that translation layer between the various parts of an organization
that all have their specific needs and desires? It's a lot like playing a game of tower defense.
I'm using requirements, users, and technology to create a secure environment. So there's a lot of
translation I have to do for stakeholders that are the ones
really supporting a project.
And there's a lot of translation I have to do
for the engineers to understand the requirements
that need to be implemented
and the real importance behind them.
So I'm constantly playing a game of tower defense
and moving pieces around and asking more questions, going back to
the game and, you know, moving really in my situation as technology, it's security controls,
it's applications and hardware. So I'm constantly moving these components around to fit needs.
Sometimes when I move an application or control from one place to another or I create one from scratch, it could cause a negative impact on the business.
And that's a problem.
So that's another thing that security architects have to keep in mind is how can I implement this secure process that's going to help the organization while not impeding business operations?
You know, as someone in a leadership position, when you're out there providing mentorship for folks who are coming up in the organization, what sort of tips do you have for folks who
are pursuing a career and perhaps want to be a security architect?
That's a great question.
And the nuggets of wisdom that I would give anyone that's interested in being a security architect is explore and be curious.
There's a lot of aspects of security.
And to be a security architect, you really have to have a holistic view on the threat and security landscape.
You have to understand a bit about networking, a bit about cloud solutions, and also a bit about endpoint security. There's just so many topics to
cover. And I think the best way and the best strategy to get closer to becoming a security
architect is just by becoming more curious about all the technologies that exist and all the
technologies that need to be secured. Our thanks to Ronald Eddings for joining us.
If you want to hear an extended version of this interview,
head on over to the cyberwire.com.
You can find it there in the CyberWire Pro section.
If you've not checked out the Hacker Valley Studio podcast,
I recommend it.
It's worth your time.
And joining me once again is Caleb Barlow. He is the CEO at CynergisTek.
Caleb, always great to have you back. I was hoping you could share some insights with us.
You have a unique view inside many healthcare organizations right now. And I was hoping
you could share with us what's going on behind the scenes. Well, Dave, as you can imagine,
look, these are unprecedented times. And if we look at what's happening, particularly with CISOs,
which is largely the audience here, it varies greatly amongst institutions. Most CISOs in
hospitals are not clinicians. There are a few that are,
and of course you can imagine if they're clinicians, they've really been called to
the front lines in this. But not only have the CISOs likely left the hospital and are working
from home, but also dozens, if not hundreds of non-clinical workers are working from home, are, you know, are enabled with, in a lot of cases,
BYOD. One of the real challenges they're dealing with is routing phone calls, you know, because
you can imagine every hospital has a very robust phone system, and it was never designed to have
people working remotely in most cases. So, communication is becoming a bit of a difficulty.
But also, when we get into
individual systems, depending on whether or not they have COVID patients, we're seeing
really different types of activities as well as kind of new vulnerabilities that are emerging.
Yeah, I'm curious, you know, even just the bringing of newer additional devices online
within, say, a hospital itself as they're shifting the pattern of treatment
and preparing for what could be a rush of patients. How does that play out on the ground there?
Well, the most important thing for a hospital is, I mean, their crown jewels is the EHR,
the electronic health care records. And in most cases, especially if you see temporary facilities getting stood up
or people suddenly working from home, this is getting extended through various tools like
laptops and iPads, in some cases BYOD devices, and they're leveraging the remote access features
usually of the EHR. And, you know, this certainly gets easier if their EHR is cloud-based. But the challenge is that in many, and I would probably venture to say most healthcare institutions,
they're missing what I call the big three: network segmentation, endpoint detection,
And they probably have some multi-factor, but it's not necessarily widely deployed.
So any security professional
listening to this podcast realizes that that, you know, not only has the threat landscape grown,
but the threat, the attack surface has grown just, you know, in a very significant way in
just a matter of weeks. Is it reasonable to say that the security folks may be appropriately put to the side at the moment while doctors are trying to save lives?
Well, I think that is a reasonably accurate depiction.
Now, that being said, that doesn't mean the concern level isn't rising.
You know, as we've seen this, you know, in cases, they're literally standing up additional hospitals
and tents, extending EHR into the parking lot.
And that brings with it a significant concern, along with increases in phishing attacks and
the fact that it's going to be a whole lot easier to get your way into any institution
today with everybody working from home.
Now, we haven't seen a real rise in ransomware yet.
In fact, if anything, we've seen
a decline. If you go back to 2019, it was pretty much every week, either a state, local government,
or a decent-sized hospital was getting locked up with ransomware. There's been very little of that
activity. Now, that being said, we do see tons of the precursor of that activity. If anything,
that's probably on the rise.
So the concern here of a lot of CISOs is they don't want this to happen on their watch.
You know, when a hospital is impacted by ransomware, they have really no choice but to divert patients.
And the last thing we need to see is that happening in the middle of this crisis.
So I would say, yes, they're operating a little bit on the sidelines
today. In many cases, they're part of the incident response and kind of command center teams.
But the worry level is growing. And, you know, I think there is time to shore up some defenses,
but it means people need to move a lot faster than normal. And that then brings us to the
challenge of budget.
Well, let's talk about that. Where do we stand when it comes to being able to pay for these things?
Well, there's actually a bigger problem. And that is that you have to realize that not all hospitals, I mean, funding levels across hospitals varies differently. Like
children's hospitals are typically very well funded through donations and things like that.
Academic medical centers often have, you know, large size endowments, but, you know,
you get into more regional hospitals and, you know, in many cases they're nonprofits.
You even have, nowadays, you even have for-profit publicly traded hospitals. Well, you know,
the medical industry as a whole doesn't run with very large margins. And we're now in a situation where pretty much every institution has been told to implement
their emergency plan, which means stopping elective procedures, moving as many patients
as possible out of the hospital for anything that was elective, and being prepared to handle
the influx of COVID-19 patients.
Well, the challenge is, you know,
you're not billing for all those lucrative services
that you normally were.
In fact, you're not even conducting that work.
In addition to that,
you've got this onslaught of additional costs
as you kind of prepare and ramp up for COVID-19.
We've even seen, even in the last week or two,
several hospitals starting to lay off or furlough workers.
And this becomes a kind of a perfect storm where you've got increases in costs, increase
in the threat level.
At the same time, you're eating through your cash reserves.
Now, there is the hope of stimulus funding coming in to really help in this.
But of course, when and how is that
allocated? What can you spend it on? Really puts these CISOs in a very tough position.
Yeah, I mean, it's sort of a ghoulish play on words, but it really is kind of an unmasking
of our system of sort of revealing where the cracks are as we go through this stress test.
It is. But I do think that forward-leading CISOs,
there's a lot they can do.
You know, I think generally speaking,
the healthcare community has not,
has been as close to their vendors
as let's say the financial services community.
And that's just kind of a cultural thing.
But, you know, the reality here is that many,
if not all vendors are willing to step forward.
There's lots of offers for free services or capabilities.
And I do think there are ways that smart CISOs
can navigate through this storm.
But what they're going to need to do
is not only shore up their defenses,
but frankly, also kind of make sure
their incident response plans are in place.
And I'll tell you, one of the biggest things we've been looking at, and now let's fast forward, Dave, six months or so, right?
Let's say we're on the other side of this.
Now, my company, we go do assessments for hospitals.
It's required.
They have to assess their security posture.
And here's the thing.
The way I would assess one of these institutions three weeks from now versus three
weeks prior is totally different because both the threat landscape and the attack surface has
completely changed. And that's really going to change how people have to approach things.
Yeah. All right. Well, Caleb Barlow, thanks for joining us.
Thank you.
rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen,
Thanks for listening.
We'll see you back here tomorrow.