CyberWire Daily - CISA and its partners warn of threats to water and wastewater treatment facilities. The curious case of Missouri teachers’ Social Security Numbers.
Episode Date: October 15, 2021
A CISA-issued Joint Advisory warns of threats and vulnerabilities at water and wastewater treatment facilities. CISA issues twenty-two other industrial control system advisories. Andrea Little Limbago... from Interos on trends in the human element of security. Our guest is Gidi Cohen from Skybox with Vulnerability and Threat Trends. And the Governor of Missouri intends to prosecute the Saint Louis Post-Dispatch to the fullest extent of whatever the law turns out to be. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/199 Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash n2k, code n2k at checkout.
A CISA-issued joint advisory warns of threats and vulnerabilities at water and wastewater treatment facilities.
CISA issues 22 other industrial control system advisories.
Andrea Little Limbago from Interos on trends in the human element of security.
Our guest is Gidi Cohen from Skybox with vulnerability and threat trends.
And the governor of Missouri intends to prosecute the St. Louis Post-Dispatch
to the fullest extent of whatever the law turns out to be.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday,
October 15th, 2021.
The U.S. Cybersecurity and Infrastructure Security Agency, that's CISA, yesterday published a joint advisory warning of ongoing malicious activity by both known and unknown actors directed against water and wastewater treatment facilities.
The advisory, issued in conjunction with the FBI, NSA, and EPA, emphasizes the threat of spear phishing as well as exploitation of outdated operating systems and vulnerable control system firmware. The advisory, while noting that the water and wastewater sector hasn't seen a higher rate of attacks than other critical infrastructure sectors, takes note of five incidents at water facilities since March of 2019.
In August 2021, malicious cyber actors used Ghost variant ransomware against a California-based WWS facility. The ransomware variant had been in the system for about a month and was discovered when three supervisory control and data acquisition, that's SCADA, servers displayed a ransomware message. In July 2021, cyber actors used remote access to introduce ZuCaNo ransomware into a Maine-based WWS facility's wastewater SCADA computer. The treatment system was run manually until the SCADA computer was restored, using local control and more frequent operator rounds. In March 2021, cyber actors used an unknown ransomware variant against a Nevada-based WWS facility. The ransomware affected the facility's SCADA system and backup systems. The SCADA system provides visibility and monitoring, but is not a full industrial control system. In September 2020, personnel at a New Jersey-based WWS facility discovered potential Makop ransomware had compromised files within their system. In March 2019, a former employee at a Kansas-based WWS facility unsuccessfully attempted to threaten drinking water safety by using his user credentials, which had not been revoked at the time of his resignation, to remotely access a facility computer.
So, in total, four ransomware attacks and one insider threat case.
Control systems have been in the news elsewhere this week. CISA yesterday released more than 20 industrial control system advisories. Operators would do well to take a serious look at them.
Finally, in a long and odd story, Missouri Governor Mike Parson has denounced the St. Louis Post-Dispatch for what he characterized as the newspaper's hacking of the Department of Elementary and Secondary Education, DESE. The Post-Dispatch had found some teachers' social security numbers coded into the HTML of a publicly accessible DESE website where citizens could check teachers' credentials. The paper informed DESE, waited until DESE had taken the information down, and then published its story. At a press conference yesterday, Governor Parson described the offending incident.
As many of you are aware, on October the 12th, the Department of Elementary and Secondary Education, DESE, was made aware of a vulnerability on one of its websites storing personal information of Missouri teachers. Through a multi-step process, an individual took the records of at least three educators, decoded the HTML source code, and viewed the social security number of those specific educators.
He went on to say that he was referring the hacker, that is, the Post-Dispatch reporter, to the Cole County prosecutor for alleged violations of Missouri laws that prohibit tampering with computer data.
My administration has notified the Cole County prosecutor of this matter.
The Missouri State Highway Patrol's digital forensic unit will also be conducting an investigation of all of those involved.
Governor Parson added that dealing with the incident could cost the citizens of Missouri $50 million.
The state is committing to bring to justice anyone who hacked our system and anyone who aided or encouraged them to do so, in accordance with what Missouri law allows and requires.
A hacker is someone who gains unauthorized access to information or content.
This individual did not have permission to do what they did.
What motivated the Post-Dispatch to do what it did?
They were engaged in a political hatchet job, the governor says.
This individual is not a victim.
They were acting against a state agency to compromise teachers' personal information
in an attempt to embarrass the state and sell headlines for their news outlet.
KMBC 9 has made the governor's press conference available on the station's website where you can listen to it and watch it in its entirety.
Governor Parson has since doubled down via Twitter, claiming that the Post-Dispatch story places them on the wrong side of tampering with computer data, which is a Class A misdemeanor, unless the tampering involves theft of $750 or more, in which case it becomes a Class E felony. The governor's tweet also points out that tampering with computer data, computer equipment, or computer users is a civil tort.
It's difficult to see why the governor believes a crime has been committed, or even why the Post-Dispatch's reporting involved what might be seen as hacking. After all, the reporter simply inspected the site's HTML, and the paper responsibly disclosed what they found there to the responsible state office. The governor's Twitter thread insists that there's more going on than just that. As the governor, or his writers, put it, quote,
We want to be clear, this DESE hack was more than a simple right-click. The facts, an individual access source code, and then went a step further to convert and decode that data in order to obtain Missouri teachers' personal information. This data was not freely available, and by the actor's own admission, the data had to be taken through eight separate steps in order to generate a social security number.
Sic, as the editors say.
No one commenting in the Twitter thread seems to have any idea of what those eight separate steps might have been, and the Post-Dispatch's story doesn't include any admission that we could find. Most of those covering or reacting to the governor's press conference aren't buying it. See Ars Technica for a representative discussion.
Our staff has reached out to the governor's office for clarification. We'll let you know if we hear back from them.
Do you know the status of your compliance controls right now? Like, right now? We know
that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash
cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
The team at Skybox Security recently published a report tracking trends in operational technology vulnerabilities.
It's probably not surprising that OT threats are on the rise.
Gidi Cohen is CEO at Skybox, and he joins us with highlights from their report.
So there are a lot of very, very important trends, but I would probably focus on a few important ones. One is what we call the threat debt. At the end of the day, organizations with their complex IT infrastructure, it can be cloud, virtual, physical environment, is growing in its complexity in an exponential way. Organizations are accumulating sometimes hundreds of thousands or sometimes millions of vulnerabilities or unpatched systems that actually put organizations at high risk. And this accumulation of what we call threat debt is just growing over time. And with the acceleration of the number of vulnerabilities, acceleration of the level of exploitation, the number of vulnerabilities exploited in the wild, ransomware attacks, and other types of threat vectors, it seems organizations need to start taking vulnerability management, managing this exposure, in a much more serious way than before. So I would say that this is probably the most glaring insight of trends that we see over the last few years that are just intensifying in 2021.
Was there anything in the data that you gathered that was surprising?
Anything that wasn't expected?
I would say that what seems to be one of the more interesting trends and more dangerous trends is actually a subset of the vulnerabilities that we are tracking on OT, operational technology environments, by utilities, energy producers, manufacturing lines, supply chain-related vulnerabilities. And there's a specific acceleration of the number of exposures, the number of vulnerabilities that are being found in those environments. So as our report shows, about 46% year-over-year growth of the number of new vulnerabilities reported on those environments is actually a very scary number because it accumulates fast. And in a lot of those environments, there is not an easy fix or easy remediation to those types of exposures.
So what are your recommendations then,
based on the information that you've gathered here?
What sort of tips do you have for security professionals?
I would say, first of all, take vulnerability management much more seriously than before. I mean, the concept of scanning and finding vulnerabilities was invented 25 years ago, right? Mid-90s. And organizations ever since are scanning and getting more and more piles of reports that they're not doing anything about. Why? Because it's complex. It requires a lot of collaboration, requires a lot of work, and traditional approaches to try to fix everything result in fixing nothing, or fixing everything but way too late in terms of window of exposure. So we really believe that probably the best investment an organization can make in actually tightening down their cyber risk is putting a vulnerability management program together, which will provide visibility, prioritization, track and drive remediation in a much more surgical and intelligent way, such that an organization doesn't need to sweat every time there's a new vulnerability, as they can focus on what's critical, where they're the most exposed, and therefore, if they fix or mitigate those vulnerabilities, where they have the biggest return on investment in risk reduction. So basically, putting a real vulnerability management program in place with commitment to execute on its findings on an ongoing basis.
That's Gidi Cohen from Skybox.
There's a lot more to this conversation.
If you want to hear more, head on over to CyberWire Pro and sign up for Interview Selects,
where you get access to this and many more extended interviews.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.
Joining us once again is Andrea Little Limbago. She is Vice President of Research and Analysis at Interos.
Andrea, it's always great to have you back.
You know, we often talk about all of the ones and zeros
and the electronic stuff,
and I know on the research side of the house,
that's something that you are obligated to deal with
a lot yourself.
But there is a human side to this,
and that's really important as well, yes?
No, absolutely.
And this is something that we saw RSA a few years ago
highlight the human element as their core theme. And it is something that we're increasingly seeing
integrated, which is great. Better late than never is sort of how I look at it. But at the same time,
we still have a long ways to go. So there are some interesting aspects that we're starting to see.
We're finally, I think, as an industry moving a bit away from the notion of the human is the
weakest link and just sort of relying on that as just the truth, but then just kind of taking that as it is and not thinking about, well, what can we do about that?
And so I feel like it's almost been like a cop-out that's been used to explain why we're not evolving our technology and be able to point at the human instead of the technology as being what's fallible. And so while certainly humans make errors,
but at the end of the day,
that is something we need to take account of
and then build systems that know that these kind of errors,
know that these kind of behaviors are what humans do
and build the technology to take that into account
and build the defenses accordingly.
Yeah, I think that's a really fascinating aspect,
this notion of using the human element as an excuse. You know,
I think it's still important to have guardrails on things, you know, high walkways have railings,
right? That's right. Don't drink a hot coffee because it's going to tell you how hot it is.
Right, right. Which might have been going too far, but yeah, I mean, absolutely. And that's where we are seeing a change away from that.
And part of it, I do think, is that we are bringing some more disciplines into the cybersecurity infosec community, which is great.
And then those folks that have been in the community and helping grow for a long time are really evolving what they are doing as far as perhaps integrating usability, for instance, user experience as part of the software that's being built for security. And that's something that is so essential. I mean,
we've seen usability and user experience be such a big deal on the tech side. It's how everything
from using your finances, more simply, to every aspect of your life to calling a taxi. But security
was kind of a bit behind on that. But that is changing. We really are starting to see a larger drive towards design and usability, both within
everything from how we're training falls in areas of gamification for training, as opposed
to just having us click through PowerPoint slides and assuming everyone's going to actually
be reading those and listening to them.
So there's a lot of elements going on there where we're leveraging, where technology still matters, but technology becomes part of the solution to help humans understand
and help inform human behavior and to build those guardrails in there as well.
Are you optimistic that we will be able to move past this mode of kind of finger pointing
at each other and each side blaming the other for the security breaches?
You know, I actually am. I think in many ways,
there are days where it's very hard to be optimistic within information security, just with a constant barrage. But this is an area where I am. I do see, whether it's at conferences and
looking at how they have tracks for the human element now, looking at really some of the
technical talks that still are very, very technical, but they also integrate social science and technical aspects from other fields
as well to really help lead to greater innovation.
And there's just, I think, a growing demand for that, both on the consumer side for wanting
just easier tools and easier ways to figure it out, and frustration as well.
I mean, you can just think about how hard it used to be to find some of the privacy
tools in our phones.
And some of that still is hidden.
But it's starting to become almost a competitive advantage by some of the big tech companies basically saying that they provide privacy better than you.
And here's how easy it is for you.
And so when the market pressures start pushing it, I think that is a good sign for us.
Yeah, absolutely.
All right.
Well, Andrea Little Limbago, thanks for joining us.
Thank you, Dave.
And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Be sure to check out this weekend's Research Saturday and my conversation with Michael DeBolt from Intel 471.
We're discussing their research, how Groove Gang is shaking up the ransomware as a service market to empower affiliates.
That's Research Saturday. Do check it out.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Tré Hester, Brandon Karpf, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.
...AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your... Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.