CyberWire Daily - CISA releases voluntary CPGs. Trojans and scanners. Cyber venture investing, and some insights into corporate culture. "Opportunistic" cyberops in a hybrid war.

Episode Date: October 27, 2022

CISA releases cross-sector cybersecurity performance goals. Trojans are spreading through scanners. Cyber seed rounds are an exception to a general downtrend in venture investment. Whistleblowing and ...corporate culture. Storing enterprise secrets. Robert M. Lee from Dragos explains the TSA Pipeline Security Directive. Our guests are Jenny Brinkley from Amazon AWS and Lisa Plaggemier from the National Cybersecurity Alliance with a collaborative educational project. Cyberattacks seen as opportunistic and disconnected from strategy.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/207

Selected reading.
Cross-Sector Cybersecurity Performance Goals (CISA)
CISA unveils voluntary cybersecurity performance goals (Federal News Network)
Sending Trojans via Scanners (Avanan)
DataTribe Insights - Q2 2022: Economic Storm Makes Landfall (DataTribe)
Ukraine: Russian cyber attacks aimless and opportunistic (SearchSecurity)

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. CISA releases cross-sector cybersecurity performance goals. Trojans are spreading through scanners. Cyber seed rounds are an exception to a general downtrend in venture investment. Whistleblowing in corporate culture, storing enterprise secrets.
Starting point is 00:02:18 Robert M. Lee from Dragos explains the TSA pipeline security directive. Our guests are Jenny Brinkley from Amazon AWS and Lisa Plaggemier from the National Cybersecurity Alliance with a collaborative educational project. And cyber attacks are seen as opportunistic and disconnected from strategy. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, October 27th, 2022. CISA has issued voluntary cybersecurity performance goals. CISA explains, operational technology cybersecurity practices that critical infrastructure owners and operators can implement to meaningfully reduce the likelihood and impact of known risks and
Starting point is 00:03:31 adversary techniques. The goals were informed by existing cybersecurity frameworks and guidance, especially those developed by NIST, as well as the real-world threats and adversary tactics, techniques, and procedures observed by CISA and its government and industry partners. By implementing these goals, owners and operators will not only reduce risks to critical infrastructure operations, but also to the American people. Described as voluntary and not comprehensive, the goals were formulated to be, first, a baseline set of cybersecurity practices broadly applicable across critical infrastructure with known risk reduction value, a benchmark for critical infrastructure operators to measure and improve their cybersecurity maturity, a combination of recommended practices for IT and OT owners, including a prioritized set of security practices,
Starting point is 00:04:28 and unique from other control frameworks as they consider not only the practices that address risk to individual entities, but also the aggregate risk to the nation. CISA said that it developed the CPGs with extensive input from industry and that the development and application of standards was a cooperative effort. So what's different about these CPGs? CISA says they're different in three ways from similar standards, stating, First, the CPGs provide a succinct set of high-priority security outcomes
Starting point is 00:05:01 and recommended actions applicable to IT and OT environments. In this way, the CPGs enable organizations to undertake prioritized and targeted investment to address the most significant cybersecurity risks. Second, the CPGs are accompanied by a checklist that allows organizations to prioritize their utilization of each goal based upon cost, complexity, and impact, making the CPGs uniquely useful for organizations with limited resources. Finally, the CPGs will be regularly refreshed and updated, allowing them to be used as a continuously effective resource to drive prioritized investments against the most significant threats and critical risks.
Starting point is 00:05:46 So, they're designed to be easily actionable across the different critical infrastructure sectors, and they're also designed to be adaptable to organizations of varying sizes and resources. You remember flatbed document scanners, right? Sure, they're sort of old school, but these days they're also connected. And with connectivity comes the potential for trouble. So here's the trouble. Scanners are being used to send Trojans, Avanan says in a report released today. Hackers are using spoofed scanner notification emails to send malicious files. The example email is titled Commission Receipt, which is something that sounds as if it would have been scanned,
Starting point is 00:06:31 and it may well attract people to click, as they think this message might affect their paycheck. Check Point Research identified the attachment and verified that there is a Trojan. The file, if clicked, would attempt to take over the end user's computer. The email may appear benign, but bypassing the sender address to look at the attachment is possible and could result in malware for the victim.
Starting point is 00:06:55 The report emphasizes scanning attachments for malware just to be safe. Avanan cautions users to always check the address of the sender when receiving an email. The researchers also implore everyone to be cautious with .htm files, as they can be used to send malicious content. They also advise asking the original sender if you're unsure about an email. DataTribe released a report today detailing the state of venture capital investments in cyber startups in the third quarter of 2022. Venture activity is down overall and continues to fall as the years pass. The exception DataTribe discovered is cybersecurity seed investment activity, which increased 37.5% from 24 to 33 deals year over year. Overall, cybersecurity activity is only down 3.3% year-over-year compared to a decline of almost 24% across other verticals. DataTribe's report also had some
Starting point is 00:07:58 observations on how recent cybersecurity events have affected corporate cultures. In the case of Peiter "Mudge" Zatko, for example, a former Twitter employee who filed an SEC report about security practices at Twitter. Zatko has been in the cybersecurity industry for a long time, having testified in front of Congress in the late 90s on cybersecurity issues. Zatko eventually became part of the Twitter team and discovered they were more lax on cybersecurity than he believed the company should be. Twitter engineer Edwin Chen was quoted in the Washington Post as saying, many engineers at Twitter had a stance that security measures made their lives difficult and slowed people down. This difference in handling the situation led to Zatko's dismissal and whistleblower report. The report from DataTribe says that it's likely,
Starting point is 00:08:51 following the large amount of uncertainty and stress at Twitter between Zatko's report and Elon Musk's bids for the company, that a large number of staff at Twitter will leave, inducing a period of elevated security risk. Other cases that have affected the marketplace, DataTribe's report says, include recent breaches at Uber and the Veterans Administration, where some have argued that company secrets were just left out for the taking. The lack of organization in management of company secrets, as well as identification, is an issue for IT at most organizations. The importance of knowing where company information is stored
Starting point is 00:09:31 is now generally coming to be understood as central to keeping it secure. And finally, turning for a quick update on the cyber phases of Russia's hybrid war against Ukraine, we see that informed observers and participants continue to look for an explanation of why Moscow's cyber efforts seem to have fallen curiously short. One of the participants on Ukraine's side spoke yesterday at the BlackBerry Security Summit.
Starting point is 00:10:00 Victor Zhora, who leads Ukraine's cybersecurity efforts, said that Russian cyber operations have not succeeded in disrupting Ukrainian infrastructure. That failure is due in part, he thinks, to a lack of integration of cyber ops into Russia's strategy. That failure to coordinate has rendered the attacks opportunistic and ineffective. The attacks continue, but to little effect. but much of it addressed to an increasingly confused and restive domestic audience. After the break, Robert M. Lee from Dragos explains the TSA Pipeline Security Directive. Our guests are Jenny Brinkley from Amazon AWS and Lisa Plaggemier from the National Cybersecurity Alliance with a collaborative educational project. Stick around.
Starting point is 00:11:18 Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist.
Starting point is 00:11:46 Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak.
Starting point is 00:12:36 Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. As Cybersecurity Awareness Month winds down, we want to highlight a collaborative effort from the
Starting point is 00:13:21 nonprofit National Cybersecurity Alliance and Amazon, a series of PSAs called Protect and Connect. Jenny Brinkley is director of Amazon security and Lisa Plaggemier is executive director of the National Cybersecurity Alliance. I started our conversation by asking Jenny Brinkley what inspired this effort. So my boss, Steve Schmidt, who's our chief security officer at Amazon, had reached out and made mention that he was going to meet at the White House with Andy Jassy, our CEO, and some leaders to really talk about
Starting point is 00:13:54 how to inform the everyday American citizen on how to stay safe as they operate online. And we started thinking about the ideas of a public service announcement. So think about like Smokey the Bear. How could you create something that galvanized individuals to take action while making it emotional and fun at the same time? And that's what we really started to come up with is this idea of a public service announcement
Starting point is 00:14:19 and then reached out in partnership with the National Cybersecurity Alliance to think about how could you create this messaging? How would we want to tell these types of stories? And how could we make it in a way that everybody would pay attention and make it a unique, unusual, and lighthearted and fun? And so Lisa, take us through your participation here. What role did you and your colleagues play? We do a lot of security education. That's really our reason for being at the National Cybersecurity Alliance. We try to communicate to people in a way that demystifies security, uses a tone of voice that's, you know, welcoming and relatable, like you're talking to a friend. And so, especially when it came to the
Starting point is 00:15:07 website and the security quiz and all the other things that went along with those PSAs, we were able to chime in and just make sure that the tone was friendly and welcoming. And, you know, according to some research that we've done, a lot of people feel intimidated and frustrated by cybersecurity and they worry about being victimized. And I think when you think about those three characteristics right there, frustration, intimidation and worry, sounds like a recipe for an anxiety attack. It doesn't sound like a good motivator for behavior change. And at the end of the day, that's what we want in cybersecurity is we want individual people to take action. And so making sure that we inspire them rather than intimidate them, and maybe put a little bit of edutainment, as I like to call it
Starting point is 00:15:58 in front of them, and instead of pictures of hackers and hoodies and things that are scary. You know, if you want to get people's attention to get your message across, you know, you can't skip that phase of getting their attention first, right? You can give them all the good advice in the world, but it's all for naught if you fail to get their attention. And so, so often we think that a security horror story is going to be, you know, we'd go for the shock and awe method of getting people's attention. And I just don't think that's working. I mean, there's documentation on breach apathy and breach fatigue and things like that. So I hope that as a profession, we're leaving the days of shock and awe behind us and realizing that it's really about risk, and in this case, human risk, and inspiring people to take action rather than just scaring them.
Starting point is 00:16:54 Yeah, I have to say that looking at the PSAs myself, they really are approachable and, dare I say, downright funny, which isn't an easy thing to pull off with cybersecurity. So congratulations on hitting those notes and making them accessible. Thank you. You know, we really tried to make it that anyone could walk away feeling a sense of, I know what to do now online, but also have some fun with it. Because to Lisa's point, I think that people do become really paralyzed
Starting point is 00:17:25 when it comes to a topic of cybersecurity. There's this sense of it's too big. I don't know where to start. And what we tried to do with the public service announcement was really give the sense of you are your own best internet bodyguard. You have the skills, you have the tools.
Starting point is 00:17:43 Here's some fun ways to really think about how you can manage that online. And so what do you recommend in terms of folks distributing these? If I'm a security person at my organization and I want to make use of these to help spread the word, is it a matter of pointing people to the website? Website is a great place to start. I mean, we worked really closely with the Prime Video team to think about different ways that you could attract individuals to take action quickly. And so that website is really set up in a way to be able to hit different types of situations that can happen to you.
Starting point is 00:18:16 And so you don't necessarily have to watch the whole thing, though we'd love it if you did, but if there are certain topics that might be pertinent for your business or for yourself, you're able to dig in and understand more about what multi-factor authentication means, understand how to navigate phishing attempts, being able to manage what it means around this sense of false urgency, which is a big thing that scammers will use today to try to create this sense of, if you don't take action, this bad thing will happen to you. And so we're really there to give you a sense of how to navigate, how to think through it, and how to manage it. And Lisa, where do you suppose this goes from here? Is this the first step of engagement with people more broadly? I think so. I think we have some projects in the works at the National Cybersecurity Alliance to do even more campaigns like this. So look for more to come in the future from us. And Jenny, why is it important for a big player
Starting point is 00:19:13 like Amazon to take part in something like this? You know, I think the biggest thing for us is we just feel this deep responsibility given the consumers that we work with on a day-to-day basis. We really want to be able to give every single person on the planet a way that they can be empowered and protect themselves as they're operating online. So for us, it's really thinking about how do you make things simple? How do you make them direct? Really give prescriptive guidance on how to enable best practices around security,
Starting point is 00:19:45 not only when you're on amazon.com, but when you're engaging with any type of digital experience, while also thinking about eventually to your physical safety. And so there's elements of how we're trying to build a lot of our trainings and education and resources for everyone to be able to stay safe in their day-to-day lives. That's Jenny Brinkley from Amazon Security and Lisa Plaggemier from the National Cybersecurity Alliance. once again by Robert M. Lee. He is the CEO at Dragos. Rob, we recently saw the TSA put out a directive when it came to pipeline security. And I wanted to get your insights on this.
Starting point is 00:20:45 What's your take on what TSA is trying to do here? Yeah, I think TSA SD2C, sort of the reiteration of what they did in TSA SD2, is a really good job overall. It's directionally very accurate. And so to catch everybody up on the drama, because I was pretty vocal about this when it happened, the first and second regulations that TSA rolled out
Starting point is 00:21:08 were very dramatic. And this is not to vilify the people at the TSA. And I've been very careful to draw that distinction that I think the TSA massively screwed up, but I don't also think that they were well-resourced and empowered to be successful. So there's a balance there.
Starting point is 00:21:28 But how and why do I think they screwed up, to give context of where I think they did really well. First thing that I think they did poorly was the pipeline industry has been working with TSA for a long time. And TSA has earned a really good reputation by being out with pipeline operators and working closely with them. Even influencing various standards that trade associations
Starting point is 00:21:48 like API or AGA or INGAA were coming up with. API had security standards that were voluntary that they were putting into place, including TSA's input. So when Congress reacted to the Colonial Pipeline incident and wanted something on the pipeline industry, TSA ended up rolling out a regulation, and I think it was less than a 24-hour heads-up. So a community you've been working with,
Starting point is 00:22:14 people you know by name, that you show up to conferences every year with, we're here to collaborate, we want your public-private partnership, with a knee-jerk reaction, and here is a regulation coming out and you have 24 hours or less to comment. And by the time that it got sent out, most people actually had six or seven hours max to review and even think about saying something, which legal at those companies is not even going to be able to authorize any sort of statements back in that time window.
Starting point is 00:22:41 It was just damaging to the relationship regardless of the implications of the regulation. The second iteration ended up being a lot of IT best practices copy-pasted into ICS and it had a three-day heads up and still not enough time to influence any regulation. And they didn't use the
Starting point is 00:23:07 year's worth of collaboration they had in the industry. Instead, it was just random CISA-type stuff that was copy and pasted in. And where I was concerned was not that they were trying to work on pipeline security. Because let's be candid, the state of pipeline security is not good by and large. There are some pipeline companies that are doing an amazing job. We talk about industry-wide and the dependence we have on it. We all know there are gaps. But the question is, let's align on risk, and then let's talk about what to do about it. And instead, what TSA SD2 was, was we're not going to align on the risk. We're not even going to tell you what we're trying to accomplish.
Starting point is 00:23:49 We're just going to tell you how to run your business. So it was extraordinarily prescriptive. And I came out publicly and talked about the fact that regardless of the best intentions, if you were to follow TSA SD2 to a T, you would bring down pipelines across the country. But things they were asked to do in the regulation were not physically doable in some of these environments. And TSA spouted the line of, well, don't worry if you have problems, contact us and we'll respond. That was never
Starting point is 00:24:19 happening. They weren't resourced for all the inbounds. So I believe TSA meant it, but they weren't resourced for all the inbounds they got. So most people didn't get responses at all. And now they have this super nebulous, super ambiguous regulatory regime that is specific as, you must patch within 90 days, and as vague as, you must implement zero trust and SOAR. And it's like, what? And so it was a hot mess. So people were very upset, and I think the public got a little bit of a look at that, but it was a lot more heated than I think people realized. All to say, TSA then listened.
Starting point is 00:24:58 They could have buried their head. They could have said, oh, those stupid pipeline operators, screw all of you. Instead, they kind of did the mea culpa tour of going out and visiting pipeline companies and saying, look, we got it. We had to do a knee-jerk reaction. It didn't get us to where we wanted to go. It's predictable in hindsight, that's fine. But how do we go forward? And it really earned a lot of credit with a lot of the pipeline operators of, okay, you're actually coming to the party now to collaborate. Let's do that.
Starting point is 00:25:24 And so TSA SD2C, sure, it has areas to improve, but it's directionally very good with, okay, y'all, here's what we're trying to accomplish. Why don't you tell us your risk management strategy around these things? And you've got to at least address these kind of risks, but give us a plan that you're going to implement. You mentioned a couple times that TSA had issues with being properly resourced or being able to apply the resources to some of these issues here.
Starting point is 00:25:53 Where do they stand now? I mean, did going through this help TSA realign where they're using the resources they have? Yeah, I don't think so. But let me also be clear that I'm not inside of TSA, so I don't know for sure where they are today. But what I do know is at the start of all this, there was something like three people that focused on cybersecurity as a full-time job at TSA,
Starting point is 00:26:15 and TSA was responsible for all interstate pipelines across the country. Probably not the right level of resourcing. Later on, TSA came out and made a statement about that because they got called out for it. I don't know if they were being purposely ambiguous or not, but my reading of that statement didn't give me a lot of confidence because they said, look, we just hired another 15 people
Starting point is 00:26:37 dedicated towards security. I was like, oh, that sounds good. But they were like, yeah, to do physical and cyber. Like, well, hold on. How many of them are doing physical? How many are doing cyber? Are you asking them to do both? Like, those are very different skill sets.
Starting point is 00:26:50 And so I don't want to stand outside the building and throw stones, especially at a group of people that are trying. Like, we get the sense now that they are trying to be collaborative and help out here. But I would tell you from what I have seen, I have no higher
Starting point is 00:27:05 confidence that they are properly resourced today. All right. Robert M. Lee, thanks for joining us. Cyber threats are evolving every second, and staying ahead is more than just a challenge. you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. Clear your schedule for you time with a handcrafted espresso beverage from Starbucks. Savor the new small and mighty Cortado. Cozy up with the familiar flavors of pistachio. Or shake up your mood with an iced brown sugar oat shaken espresso.
Starting point is 00:28:20 Whatever you choose, your espresso will be handcrafted with care at Starbucks. The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tré Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Maria Varmazis, Ben Yelin, Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Starting point is 00:30:13 Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
