CyberWire Daily - CISA on running critical sectors during an emergency. Disinformation, phishbait, and rumor. What’s Fancy Bear up to these days? Distinguishing altruism from self-interest.
Episode Date: March 20, 2020
CISA describes what counts as critical infrastructure during a pandemic, and offers some advice on how to organize work during the emergency. Iran runs a disinformation campaign--apparently mostly for the benefit of a domestic audience--alleging that COVID-19 is a US biowar operation. Intelligence services, criminals, vandals, and gossips all flack coronavirus hooey in cyberspace. Fancy Bear is back. And what would provoke good behavior among thieves? (A hint: not altruism.) Malek Ben Salem from Accenture on mobile tracking and privacy; our guest is Thomas Quinn from T. Rowe Price on the job of protecting a financial institution. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/March/CyberWire_2020_03_20.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
CISA describes what counts as critical infrastructure during a pandemic
and offers some advice on how to organize work during the emergency.
Iran runs a disinformation campaign, apparently mostly for the benefit of a domestic audience,
alleging that COVID-19 is a U.S. biowar operation.
Intelligence services, criminals, vandals, and gossips all flack coronavirus hooey in cyberspace.
Fancy Bear is back.
And what would provoke good behavior among thieves?
I'll give you a little hint.
It is not altruism.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Friday, March 20th, 2020.
The COVID-19 virus, of course, continues to affect most aspects of life in most parts of the world.
And that includes, of course, those parts of life that touch cyberspace.
There's been a great deal of discussion of how the public and private sectors will need to organize their work during the pandemic.
As the Voice of America and others point out, the risk of cyber attack rises with the incidence of telework, and so security considerations assume a correspondingly greater importance.
But what about telework? Not everybody's work can be done remotely, and as the White House put it Monday,
With that in mind, the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, CISA, has issued guidance for how organizations should consider organizing their work and employees during the present COVID-19 emergency.
CISA stresses that the recommendations are advisory in nature,
but they do suggest how organizations might decide who needs to report physically to the job and who might work remotely.
They also suggest ways of arranging workplaces and work schedules to reduce the likelihood of spreading the disease.
A number of the jobs the recommendations discuss are directly concerned with cybersecurity.
The sectors CISA discusses include health care and public health, law enforcement, public safety
and first response, food and agriculture, energy, and that includes not only electrical power but
oil, gas, and renewables,
water and wastewater, transportation and logistics, public works, communications and information technology,
other community-based government operations and essential functions.
One example CISA discusses is hospitality.
If local governments and organizations are given access to hotels for quarantine or emergency housing,
then these assume a criticality they wouldn't normally have.
Critical manufacturing, that is, manufacturing that supports the other critical sectors,
hazardous materials, financial services, the chemical industry,
and finally, the defense industrial base.
CISA encourages some specific measures,
including letting people work remotely wherever possible,
but the document is careful to emphasize that there's an important element of decentralization in any effective response.
As CISA puts it, quote,
response efforts to the COVID-19 pandemic are locally executed, state-managed, and federally supported, end quote.
And quote, to place responsibility for the pandemic on its two usual suspects, the U.S. and Israel, the great Satan and the lesser Satan.
The virus originated, the disinformation says, as a U.S. biowar program
that Zionists have moved to the U.S. to use in a campaign of biological terror against Iran.
The U.S. this week unambiguously told Iran that it had no intention of relaxing sanctions imposed on the regime
for what the U.S. has long characterized as Tehran's support of terror.
Iran called the decision cruel, coming as it did during a pandemic.
The Wall Street Journal's report notes that yesterday, the U.S. Treasury Department added five companies to the list of those sanctioned, in this case, Emirati-based firms accused of serving as conduits for Iranian oil exports.
Some of the fictions circulating about the pandemic are disinformation. Others promote fraud, while still others are popular bits of misinformation.
Tenable has a rundown of fake cures, phony government statements, and simple panicky mistakes, often amplified by fearful conspiracy theories.
Cash App scammers have been busy on the legitimate peer-to-peer payment app. They make their approach with tweets, and they've found some marks willing to fall for their COVID-19 fraud.
Others are making bogus offers of COVID-19 test kits. This particular scam seems to be particularly common around Toronto.
Some are opportunistic variations on familiar scams, like the one claiming to be from a grandchild or other relative. Instead of the customary car accident or drunk driving arrest, the hoods are now telling people that a close relative has tested positive for COVID-19 and that the usual financial help is required.
And some of the misinformation is either deliberate disinformation, either state-spread or the work of chaos artists, or it's just the work of what the Middle Ages would have called rattles, gossips who must, for reasons deep in their personal nature, keep up a steady flow of information, true, false, or unknown.
These have recently been text messages from people who say they've heard from a friend who knows a guy who said the lady heard from someone really high up in the government that a national quarantine was about to be declared, or something like that. In any case, the Martians have landed and the man is about to get you.
If the text message or tweet is saved and circulated as an image, the better to evade text-based filters, well, you may be seeing something that's hostile government work. But don't underestimate the ability of your friends, connections, co-workers, and that guy down the street who seems nice enough and kind of keeps to himself to come up with stuff like this. As is so often the case, we have met the enemy and he is us.
Some of the misinformation, of course, is the work of organized crime. IBM has found one set of hoaxed communiques that pretend to be from the World Health Organization. They're vectors for HawkEye malware.
With all the pandemic-themed badness in circulation, it's almost with relief that one turns to a familiar cyber espionage campaign.
Remember Fancy Bear?
Sure you do.
That's the Russian GRU, the noisy sister of the more discreet Cozy Bear.
Trend Micro reports that APT28, that is, Fancy Bear,
is using previously compromised corporate email accounts to spear-phish for credentials in the defense sector.
Over the past year, most of the targets have been in the Middle East,
with the United Arab Emirates being a particular target.
In addition to spamming and phishing, Fancy Bear is also scanning servers
looking for vulnerable instances of Microsoft SQL Server and directory services.
And finally, what is one to make of the cyber gangs
who've said that they won't target hospitals
or other healthcare providers during the pandemic?
If you believe them, the crooks who run the DoppelPaymer and Maze ransomware operations, that's what they've said they'll do.
We don't entirely believe them, although Bleeping Computer, which is in email contact with the ransomware impresarios, does share convincing-sounding avowals.
But if we do see a wave of relatively good behavior, we think Forbes probably has the best explanation. It's not out of honor or sympathy, but rather out of self-preservation. The hoods think that during the pandemic, the cops will come down on them like the proverbial ton of bricks if ransomware gets into hospital systems.
My guest today is Thomas Quinn.
He's Chief Information Security Officer at T. Rowe Price, a global investment management firm headquartered in Baltimore. His career includes service as an officer in the United States Navy, as well as stops at Prudential, Goldman Sachs, and JPMorgan Chase. Tom Quinn joined us in our studios.
I think financial services, you know, is just a terrific industry to be in. It really, to me, the purpose of those firms is to enable people's dreams. So without money, without financing, without the capital markets, sometimes that becomes problematic to enable people to achieve them. Where I am now in a retirement-focused company, it's other kinds of dreams. It's what you do when you finish those great ideas and those great companies.
How much collaboration goes on between you and your colleagues who are in other financial services organizations?
Is there a lot of information being shared?
There's quite a bit of information being shared. And thankfully it is. Bad actors share regularly and robustly. And for defenders,
and I'll talk about financial services in particular, it's a daily sharing of information.
And I think thankfully there are organized sharing mechanisms in place that makes it easier to do so. People are used to sharing in those organizations.
But bilateral and other kind of sharing is important too.
Because I do find that, like, I think the phrase is politics is, you know, all politics is local.
Right.
It's helpful to know your colleagues in and around the area that you're in.
I regularly meet with my peers in the Baltimore region.
There's a variety of large firms, not all financial services,
and they all have similar problems.
And I think being able to know who those people are,
building that trust, building the bridge,
allows for robust communication as well.
Does that even extend down to, for
example, community banks who could benefit from the knowledge and resources of a larger institution
like your own? There are. One of the organizations that does quite a bit of this organized sharing
is the Financial Services Information Sharing and Analysis Center, FSISAC.
Yeah.
And there are a variety of subgroups in there to help sharing because each group is a little bit different.
But I will share with you one example of some of that sharing at a local level that I think is important.
So the legal profession has a concept of pro bono. So part of being a lawyer is being able to give of yourself to the community to help people for free.
Right.
So I've embarked upon a similar kind of process for pro bono cyber support. So I call it CISO for a Day. And this is through my firm. So most large firms, most firms allow for volunteering. And there's a set of protections, right, that firms also have through this volunteering effort. And I was able to volunteer at a nonprofit in Baltimore City to help them with their cybersecurity. So, and it was instructive, you know, again, technology is opaque, cybersecurity looks like magic. And for this very small firm, about 10 people, they just were trying to help other people. And it seemed challenging at the very least to figure out what to do to protect themselves.
But I sat down with them for a few hours, for a few months.
And at the end of it, they felt comfortable that they could ask the right questions.
And there was some specific guidance that I provided, but it really was an opportunity
for them to comfortably share with somebody that didn't have an agenda,
wasn't looking to sell anything to them, and was really there to provide help for them.
And it was a great experience. And certainly I've encouraged some of my peers to do similar
kinds of things because everyone can use a little bit of help. Yeah. Are there any specific insights that you think you have
that you'd want to share with folks
who are in other parts of the cybersecurity world?
Anything from the view that you have
from the financial side of things,
the tools you have available to you, those resources.
Are there any specific areas that you think
aren't getting the attention they deserve?
So that really is a great question.
We continue to see that third-party risk is a concern, is a real threat. One of the things I
find is the more outsourcing that one does to achieve the goals that you need, and I think
many of us do out of necessity. You can't be perfect at everything. Doing proper due diligence is
important. And I think understanding what those risks are and having a strategy to mitigate any
risks that you may have with a third party, I really think it's key. It's much more than just
having a contract in place. It's much more than just saving money. And we see regularly where some firms that are doing these outsourced practices are being targeted, whether it's for malware and ransomware or for infiltration.
And I think for certainly my peers, just another reminder that, you know, something that appears to be trusted and maybe even innocuous may actually be an entry point to
attacking your firm. In the time that you have been serving as a CISO, how have you seen that
role change? I've heard many people say that there's been an elevation of that role and the
things that are required of people in that role have evolved over the years. It has.
Gary McGraw, another security luminary, has a great paper on the four tribes of the CISO, I think.
And it's well worth reading.
I think early day heads of security were really focused on running security products like intrusion detection systems
and firewalls. And it really was a technology oriented role. That started to expand when
the internet started connecting more and more things together. You started seeing the CISO go
up the stack. Right. You'll find that there are CISOs that are much more focused on risk and compliance.
That skill set is critically important as well, but it's only part of it.
And I think you'll find CISOs that are focused on program project management,
another critical skill and capability, but you'll see a whole tribe of folks
that do that. And I think as you build a team, you need to consider what you do well and then how you
surround yourself with talent to fill in some of the things that you do less well.
That's Thomas Quinn. He's Chief Information Security Officer at T. Rowe Price.
And joining me once again is Malek Ben-Salem.
She's the Americas cybersecurity R&D lead for Accenture.
Malek, it's great to have you back.
We wanted to talk today about mobile tracking and privacy and some things that have been on your mind when it comes to that.
What can you share with us today?
Yeah, so, Dave, when you download an app, the permission requests and privacy policy are
usually the only warnings you get about the data that it's collecting.
Usually you just have to take the app's word that it's grabbing only the data you've agreed
to give it.
Well, it turns out that some security researchers have taken a deeper look at those apps and they've identified more than 1,000 apps that have been found to take data even after you've denied them permissions. It's interesting that some of the more widespread apps and more well-known ones like AccuWeather are collecting data that is more than what you've agreed to and is more than just your location.
How does this work? I mean, it's a matter of, I don't know, the feature creep equivalent of data collection?
Exactly. Yeah. The privacy policy does not necessarily reflect the actions taken by that app. All we have as users is trusting that security, that privacy policy. But if it's not doing what it's telling us it's doing, then we don't have control over it. Even, you know, simple apps like those apps trying to block spam calls have been found to share phone data with analytics firms. So the question is, what can we do as users? Obviously, the best thing is not to download those apps in the first place. But once we've downloaded them, we don't have much we can do. Well, obviously, we can download some tools to look at the traffic that those apps are or the data that those apps are sharing. But that's not at the, you know, that's not something that every person can do. So there are tools like Charles Proxy that are available to download and intercept the network traffic from your device. But learning how to use them is more complex.
Sure. And that's probably not something the average user is going to be able to do. I've noticed that some folks like Apple, for example, have tried to be a little proactive about this, letting their users know when an app is requesting their location data, for example.
Correct. Yeah. So with location data, it's easier. But the thing is, even if your location data is not shared, what has been found is that just by the analytics firms who are collecting this data from the various apps can reconstruct your behavior just by getting snippets from each app. So you may share your location data just with one app and you share some other type of data with another app and yet another type of data with another app. The analytics firm can take all of those bits and pieces of your data and reconstruct your entire behavior. So the concern is not just the app that you're sharing the data with, right? But it's all of these research analytics firms that are trying to understand how you behave and reconstruct your behavior.
So what's a person to do here? Any suggestions?
Well, I think we definitely need some watchdog groups to monitor what these apps are actually doing. There is a startup called AppCensus that's trying to analyze all of these apps and perhaps create another app that watches what's happening or what's being shared on your mobile device. I don't think that app is available now, but that's something to be on the lookout for if you want to understand more what's being shared. Or for the more networking-savvy people, I mentioned this Charles Proxy tool that can be used to intercept network traffic and to analyze it and to understand better what's happening under the hood.
Yeah. All right. Well, it's good information.
Malek Ben-Salem, thanks for joining us.
Thank you, Dave.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen,
Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell,
John Petrick, Jennifer Iben,
Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.