CyberWire Daily - CISA reports progress on Log4j. The FTC warns US businesses about taking Log4j risk mitigation seriously. Gangland updates, and some notes on hybrid war.
Episode Date: January 5, 2022. CISA says US Federal agencies are now largely in compliance with Log4j risk mitigation guidance. The FTC issues advice and a warning on Log4j to US businesses. A skimmer is installed through cloud-delivered video. The Vice Society's ransomware is meddling with supermarket operations in the UK. The Atlantic Council offers advice on strategy for the grey zone. Hacktivists are expected to punish greenwashing in 2022. Caleb Barlow on a recent FBI PIN about how ransomware operators are looking for material non-public information to improve their chances of being paid. Our guest is Helen Patton from Cisco on her book, Navigating the Cybersecurity Career Path. And James Pond is the CEO of hybrid war! For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/11/3
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
CISA says U.S. federal agencies are now largely in compliance with Log4j risk mitigation guidance.
The FTC issues advice and a warning on Log4j to U.S. businesses.
A skimmer is installed through cloud-delivered video.
The Vice Society's ransomware is meddling with supermarket operations in the U.K.
The Atlantic Council offers advice on strategy for the gray zone.
Hacktivists are expected to punish greenwashing in 2022.
Caleb Barlow on recent FBI PIN about how ransomware operators are looking for material, non-public
information to improve their chances of being paid.
Our guest is Helen Patton from Cisco on her book,
Navigating the Cybersecurity Career Path.
And James Pond is the CEO of Hybrid War.
From the Cyber Wire studios at DataTribe, I'm Elliot Peltzman, filling in for Dave Bittner,
with your Cyber Wire summary for Wednesday, January 5th, 2022.
Hey everybody, have you seen the latest video from Xinhua,
in which the Chinese organs poke some fun at Anglo-American anime diversions
about the security risk Huawei gear imposes on its customers?
If not, hop over there and give it a listen.
It's called No Time to Die Laughing, and it's a swell James Bond parody.
What a beautiful castle for a secret rendezvous, Agent 0.07.
Why the American accent, Agent 0.06?
I'm practicing for my new mission in America. By the way, why do you own nothing, punk? I mean, no house, no property, no stocks, shares or bonds.
Because the super spy always prefers to stay low-key.
Ah, is it because Emma has asked us to become more open to stay secret?
Exquisite.
So, okay, the respective American and British accents are pretty indistinguishable, but hey, we'd be utterly hopeless if we took a shot at Mandarin and Cantonese, so we're certainly not going to cast the first linguistic stone.
That would be, what would you say, Agent 0.07?
You're pedantic.
And you're pathetic.
Do you know what's pathetic?
Pedantic and pathetic.
Anyway, this stuff totally kills.
If it were on TikTok, it would be the CEO of Comedy Gold.
All right, back to the news you can use. CISA says that large U.S. federal agencies met the risk mitigation deadlines of ED 22-02. The U.S. FTC gives businesses a warning that they're at risk of regulatory and legal action if they're not comparably diligent in approaching the problem.
CISA has reported good progress toward federal agency risk mitigation. The U.S. Cybersecurity and Infrastructure Security Agency, that's CISA, has told MeriTalk that the federal agencies it oversees have substantially complied with Emergency Directive 22-02, which required that they take specified actions to mitigate risk by December 23rd, and that they report their status by December 28th. A CISA spokesperson said, quote, agencies have reacted with significant urgency to successfully remediate assets running vulnerable Log4j libraries, even over the holiday season, or to mitigate the majority of affected applications identified that support solution stacks that accept data input from the internet. CISA has received status reports from all large agencies, which have either patched or deployed alternate mitigations to address the risk from thousands of internet-connected assets, the focus of the recent emergency directive, end quote.
Full mitigation of the risk remains, of course, a work in progress, and no one expects an
overnight resolution of this complex, widespread, and deeply rooted issue.
The FTC isn't about to let businesses forget their responsibility to address the Log4j vulnerabilities either. In what might be regarded as doing for the U.S. private sector what CISA did for the country's public sector, the U.S. Federal Trade Commission yesterday gave the businesses it regulates, and that's most of them, some direct advice on how seriously they ought to take the recently discovered Log4j vulnerabilities. Quote, the duty to take reasonable steps to mitigate known software vulnerabilities implicates laws including, among others, the Federal Trade Commission Act and the Gramm-Leach-Bliley Act. It is critical that companies and their vendors relying on Log4j act now in order to reduce the likelihood of harm to consumers and to avoid FTC legal action. End quote.
The commission's advisory includes a pointed reminder of what happened to Equifax when the credit bureau's failure to patch Apache Struts was implicated in a data breach that compromised information on some 147 million individuals. Equifax agreed to pay $700 million to settle claims by the FTC, its sister agency the Consumer Financial Protection Bureau, and regulatory bodies in each of the 50 states. With that
regulatory hammer poised, the FTC suggests that companies scan their systems for vulnerable
instances of Log4J. Once that's done, they recommend updating Log4j software to the most current version,
and then following CISA's guidance on mitigation.
Having done that, businesses should, quote,
ensure remedial steps are taken to ensure that your company's practices do not violate the law.
Failure to identify and patch instances of this software amounts to what the FTC characterizes as, quote,
You can follow the CyberWire's full coverage of the Log4j story on our website.
Researchers at Palo Alto Networks' Unit 42 have found criminals exploiting a cloud video platform to infect real estate companies' websites with form-jacking skimmer malware.
The skimmer was embedded in a video so that it was injected into every site that downloaded the content.
Researchers assessed the skimmer itself as highly polymorphic, elusive, and continuously evolving.
The data the skimmer collected included names, email addresses, phone numbers, and credit card information.
Palo Alto identified neither the platform nor the company,
but Recorded Future did, reporting that the video platform was Brightcove,
and the affected business was Sotheby's real estate unit.
The relatively new ransomware gang Vice Society, first observed in 2021, has claimed responsibility for an attack against about 600 Spar supermarkets in the U.K.
Tech Monitor says that observers believe the gang uses the PrintNightmare vulnerability as its preferred mode of access to its victims.
Young though they may be, the Vice Society has already acquired a reputation for ruthlessness and lack of discrimination in its target selection,
hitting schools and hospitals as often as it hits commercial enterprises.
We're not saying, of course, that ransomware attacks against supermarkets are somehow okay,
but if it's been part of conventional gangland hypocrisy to claim, often falsely,
that, oh no, we'd never meddle with healthcare,
the Vice Society isn't even paying that much tribute to virtue.
Where are the hoods located?
It's unclear, but they may have some connection to the longer-established HelloKitty group,
and that outfit is believed to operate from Ukraine.
As Presidents Putin and Biden prepare to meet next week in Switzerland, Reuters reports that NATO's foreign ministers also intend to meet to develop the Atlantic Alliance's response to the threat Russia currently poses to Ukraine. An Atlantic Council policy paper recommends that the U.S. recognize that, like it or not, this is effectively a period of hybrid war, both cyber and kinetic, and the U.S. ought to act accordingly. Quote, the U.S. Department of Defense needs to compete now and engage in offensive hybrid warfare actions. The United States must respond where competition with China and Russia is taking place today, primarily by playing an enhanced role in gray zone competition. End quote.
There is and has been, it must be noted, a lot of loose talk about war and cyberwar,
where the concept of conflict is difficult to apply literally and unhelpful as a metaphor.
But the Atlantic Council is thinking here in terms of the old spectrum of conflict,
in which hybrid war occupies a kind of grey zone,
falling between espionage and clear, undeniable kinetic military operations.
Hybrid war includes some deniable kinetic action,
but more importantly, it includes offensive cyber operations that go beyond simple
surveillance and collection to more directly disruptive action. The Atlantic Council explains,
quote, accordingly, the Pentagon must embrace the paradigm of competition as a continuum from
cooperation through competition to armed conflict. But embracing the continuum is not enough. The DOD,
working with interagency partners where appropriate, must defend more aggressively
and take offensive actions in the grey zone, consistent with American values, end quote.
From the Russian and Chinese points of view, of course, the US is probably up to no good here
already, right alongside the
mother country of the U.K. and the other three of the Five Eyes as well. You can get that message
from Agents 0.07 and 0.06, courtesy of Xinhua.
Sam has even named our single greatest priority at MI6.
Russia?
Yes.
Assange escaped? Snowden's arrested?
Nope.
And nope.
For now, China is our top priority.
And what have the Chinese done?
Well, according to this dossier, the National Security Agency was authorized to monitor all phone and internet use in 193 countries.
That's bloody outrageous. Is there anything Canada doesn't watch over? Indeed, it's preposterous.
And it says here that China's propaganda machine was already very mature since World War I,
and today it broadcasts in 47 languages and releases over 700 English language films every year.
I didn't know China produced English language films.
Oh wait, wait, good grief, that's not China we're talking about, that's America!
Excuse me again?
And finally, a University of Delaware study suggests that hacktivists may, in 2022,
increasingly hit companies they feel are guilty of greenwashing.
That is, falsely and publicly claiming corporate social responsibility as a core value,
but then failing to live up to their pious brand placement.
So if you're going to talk the talk, think about walking the walk.
What do you say to that, Agent 0.07?
Yabba dabba doo.
Helen Patton is an advisory CISO at Cisco and author of the new book, Navigating the Cybersecurity Career Path.
The book provides guidance and advice for cybersecurity pros at all levels,
from those just starting out to those looking to move up the ladder.
Helen Patton joins us with these insights.
I started writing it about two years ago while I was the CISO at The Ohio State University.
And one of the things about being a CISO in higher ed
is more than other verticals,
I think people reach out to you and say,
how do I get into cybersecurity?
How do I deal with this?
And I found myself doing lots of mentoring sessions,
having coffee with people,
not only about getting into cyber,
but also how do I deal with this thing now that I'm in
cyber or I'm just taking on a new team for the first time? How do I do that? How do I run a
security program? That kind of thing. And I was drinking too much caffeine. I was jittery all the
time. There weren't enough coffee shops to be able to deal with the volume. So I thought it would be a good thing for me to do to write down the questions I'm always
getting asked.
And I'm sure every cyber mentor out there gets asked the same questions.
And to put my thoughts down on paper about the answers to those questions.
And so that was the genesis of the book was really mentoring at scale.
And I had a lot of help from a lot of other security
people along the way. So I'm really excited the book's coming out now. It's a good thing.
Why do you suppose there is, I guess you could say, a certain amount of ambiguity when it comes to people navigating their career path in cybersecurity? It strikes me that it's different than, say, the pathway to becoming an accountant or a doctor. Sure it is. There's more clarity in those. Why do you suppose people aren't quite so sure of how to set out down that pathway?
I think there's a few things that are going on. And you're right. First of all, we don't have
a professional structure like other business professional
things, doctors, accountants, lawyers, and so forth. So there's no clear learning path or
certification path for cybersecurity people to follow. That's the first thing.
I think the second thing is, of course, it's a comparatively younger profession and it's growing. So for example, when I talk to
college students, they're often saying things like, I want to work in security. And my first
question is, when you say the word security, what comes to mind? When you say you want to work in
security, what does it mean? And more often than not, they have to take a step back and go, oh,
and depending on what kind of technology background
they have, that's their entry point. So if they're in software development, they think of software
security. If they're doing engineering building, they might think IoT security, for example.
Very few people come to me and say, I want to work in security, and they're thinking about it in
terms of compliance or public policy or GRC. And when you say those things are out there, they're like,
oh, I didn't even realise that was part of the profession.
So I think there's this big misunderstanding
outside of the security profession of what's in cyber security.
And just like eight blind men and the elephant,
depending how you first come into contact with cyber security,
that's what you think
cybersecurity is.
And it's much bigger than that.
So I think that the questions that I and other mentors get is really just people trying to
better understand what the profession is and what the pathways to the profession might
be, because there is no commonly understood way of dealing with getting
into or moving within cybersecurity as a career. Did you find that you had any revelations of your
own going through the process of writing the book, clarifying, organizing your own thoughts?
Were there any surprises for you? Yeah, there were actually. And it did come about because even though it took me a couple of years to write it,
I've been blogging for a number of years before that.
And so some of the genesis of the books was me trying to formalize
what I'd already blogged about for a while.
One of the things that I had to learn as a security person and as a CISO was how to tell stories that were
meaningful to the people listening, not the stories that were meaningful to me, but how do I tell a
story that the audience wants to hear? And I started using that as an influencing tool and a
leadership tool. But as I was writing the book, it really
became reinforced to me that this is a core skill for working in security, whether you're just
starting out and you've got to tell your story about why you want to work in security, or whether
you're in the middle of dealing, being a single contributor, but you've got to influence people
who don't report to you about the kinds of things you need them to be doing as a security pro or as a leader leading a team or trying to develop a security
program in an organization. So I had known before I started writing that storytelling was important,
but it helped clarify for me how important it is and also how to do the storytelling.
It's easy to say, go tell a story, but not everybody
is inherently a storyteller. So there are skills to learn about how do you structure what you talk
about. And that was really important and a big learning thing for me too. And it actually
helped me land this job that I have now, now that I've moved away from being an operational CISO as
well. That's Cisco's Helen Patton.
She's author of the new book, Navigating the Cybersecurity Career Path.
And I'm pleased to be joined once again by Caleb Barlow.
Caleb, it's always great to have you back on the show.
You know, we've gotten some recent notices from the FBI about ransomware operators
and how they're looking for information
from public companies.
I wanted to check in with you.
This is a world you're familiar with
about if I'm a board member on a company,
should I be concerned about this?
Well, so this was a recent
private industry notification from the FBI
that was marked TLP White.
So that means we can talk about it.
In this case, the incident discusses where ransomware operators are focusing on public companies,
but before locking up the workstations during their reconnaissance phase, they're doing intensive
searches for keywords, including things like Newswire, Marketwire, and 10K, to look for
specifically financial documents and announcements of things that haven't yet
been publicly released.
Now, some of these draft documents would probably become public over time, but the timing of
which is critical as material non-public information can have a pretty dramatic impact on a company's
stock price and trading activity.
And the point here is that these ransomware operators are starting to recognize that releasing material, non-public information
about a company can put, well, additional pressure on the C-suite and the board to likely pay a ransom.
Is this the kind of thing, and forgive me, this is not a world that I'm terribly familiar with,
could an organization get in trouble, say, with the SEC if information is released prematurely?
Well, absolutely.
And I can tell you, as a public company CEO,
these documents are drafted all the time.
And many of them never see the light of day.
Acquisitions that don't go through,
strategies that change, deals that don't close.
The point here is nothing's done until it's done. And when it's done, the whole idea is everybody at a public company finds out about
the news at the same time, so people can trade the company equally and fairly. So when information
leaks out, even if it's a rumor, it might stop an acquisition from occurring. It might change something that a company is going
to do because the last thing that company wants to do is have a leak of material information
about what they're going to do next that only gets to a certain subset of their investors.
Somebody initiates trading activity on it, and now we've got a problem.
So how should organizations prepare for this possibility? Well, first of all, I think what we've got to recognize is this represents a
real escalation in the level of sophistication of bad actors. You know, I mean, you joke on the
cyberware all the time about bad actors that can, you know, speak in broken English. These are folks
that can read a 10K, understand the legal and privacy and investment risks, and understand how boards
are going to react to it.
So that's the first thing we've got to recognize.
I think there are some things people need to do.
So first off, boards need to use your corporate systems, not the systems, the emails, or storage from their other companies or efforts. And this is a big deal because boards are usually made up of people from other places. So consider issuing them specific iPads or other equipment only used for their work on the board so that your board information is not sitting in some other company. And of course, encrypt
everything, multi-factor, EDR and XDR and everything. And, you know, probably the biggest
thing, and boards are usually in tune to this. Think about what you put in an email. You know, everything can get, you know, become discoverable that a board does. But old documents are nuclear
assets, right? So you've got to have record retention in place, get rid of things when
it's legal to get rid of them, and be careful about what you keep and what you put in an email. All right, so worst case scenario, this does happen to my organization.
What do you do next?
Well, this is where crisis communication comes in place.
And I'm not talking about normal communication, Dave.
I'm talking about crisis communication.
If something like this happens, you want to control the message.
You want to be able to get your message out to overcome that of the adversary or whatever information they're peddling.
Whether it's true or not, you need to have the ability to get in front of this in a hurry and communicate what's going on.
So plan ahead of time, right?
This is not a game time call you want to be making.
No, it's another thing you want to have in your runbook is a plan for what happens if someone tries to manipulate our material non-public information or release it. All right. Well, Caleb Barlow,
thanks for joining us.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders
who want to stay abreast of this rapidly evolving field,
sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland, out of the startup studios of Data Tribe,
where they're co-building the next generation of cybersecurity teams and technology.
Our amazing Cyber Wire team is Trey Hester, Brandon Karp, Eliana White, Puru Prakash. Thanks for listening.