CyberWire Daily - Daily & Week in Review: VIPs scrub email, cyber war vs cold war, industry news and more.
Episode Date: September 16, 2016In today's podcast, we hear about VIPs everywhere rushing to delete their emails before Fancy Bear gets her paws into them. Opinion leaders rumble about the Cyber War having picked up where the Cold W...ar left off. Election security concerns may prompt US Senate hearings. British companies take a look at operations in the Baltimore-Washington area. Other industry notes include VC rounds, M&A activity, a new automotive cyber security venture, and the announcement of 2016's SINET 16. Dale Drew from Level 3 Communications offers tips on protecting medical data. We speak with IBM's Shelley Westman about encouraging more women to join the industry. And the US House doesn't think too much of a Snowden pardon. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the Cyber Wire Network, powered by N2K. stay home with her young son. But her maternal instincts take a wild and surreal turn as she
discovers the best yet fiercest part of herself. Based on the acclaimed novel, Night Bitch is a
thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Night Bitch January
24 only on Disney+.
Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try DeleteMe.
I have to say, DeleteMe is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
private by signing up for Delete Me. Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k
at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash n2k code N2K at checkout. That's joindelete.me.com slash N2K, code N2K.
VIPs everywhere rush to delete their emails before Fancy Bear gets her paws on them.
Opinion leaders rumble about the cyber war having picked up where the Cold War left off.
Election security concerns may prompt U.S. Senate hearings.
British companies take a look at operations in the Baltimore, Washington area.
Industry notes include VC rounds, M&A activity, a new automotive cybersecurity venture,
and the announcement of 2016's Cynet 16.
And the U.S. House doesn't think too much of a Snowden pardon.
I'm Dave Bittner in Baltimore with your CyberWire summary and week in review for Friday, September 16, 2016.
Nearly every prominent person with a Gmail account has been well and properly spooked
by the hacking of former U.S. Secretary of State Powell's emails. The New York Times reports that a news anchor, a senator,
a former national security official, and others are busily deleting emails, changing passwords,
and so on. The emerging consensus of observers is that the Powell doxing is the work of Fancy Bear,
the nom de hack U.S. security vendors have given Russia's GRU.
Such breaches are seen by observers as involving failures of digital hygiene,
or less charitably what eSecurityPlanet calls infosec hubris. A senior NSA official pointed
out earlier this week that the high-profile breaches various enterprises have sustained
over the past two years involved basic oversights and not exotic zero days.
A Washington Post op-ed tells us that the cyber war has replaced the Cold War and that the two
conflicts have a certain similarity. One difference is that information operations have probably grown
markedly more effective. We heard a good bit about this at Invincia's Beat the Breach session in
Washington yesterday. Richard Clark, former White House cyber advisor, said,
The Russians are clearly very active in this election, and they don't seem to care that we know it.
They're increasingly bold, and this is a disturbing change.
He noted the new possibilities of deception.
If the first set of emails leaked are genuine, as it appears the Powell emails are,
that predisposes people to regard the other leaks as also authentic.
But why should they be?
Releasing the real documents is just the first move in an information ops confidence game.
In any case, there are calls in the U.S. Senate for a full investigation
of alleged Russian attempts to affect the November elections.
The U.S. electoral system is sufficiently diverse and distributed
that its global subversion is very far-fetched,
but many observers fear effective local hacking.
On Tuesday, we attended the Billington Cybersecurity Summit, which also met in Washington.
There was a striking emphasis on the part of many speakers that cybersecurity would most benefit from attention to basic digital hygiene and sound management practices.
attention to basic digital hygiene and sound management practices.
Those who spoke this way prominently included Kieran Martin, CEO of the UK's new National Cyber Security Centre,
and Tony Scott, the US Federal CIO.
Scott, in particular, called out the need to modernize, upgrade, and replace legacy IT systems as both a matter of economy and security.
Such upgrades would, Scott hoped, free information technology from old technology,
organizational and budgetary paradigms
that have impeded progress toward better security.
This week has seen a fair bit of industry news.
Not only are companies from the UK
clearly looking into establishing a presence
in the Baltimore, Washington area,
but several startups have attracted
fresh rounds of venture funding.
LogRhythm has picked up $50 million, risk rating shop BitSight $40 million,
industrial control system security vendor Clarity $32 million, Cato Networks $30 million,
and DDoS mitigation outfit Zenege $6.2 million. There's also been some M&A activity.
Verizon has bought IoT security company Sensity,
and Ant Financial has picked up biometric shop E-Verify.
Arian Pro Solutions has finalized its acquisition of Los Gatos-based CyberInc.
And there's an interesting new automotive cybersecurity company forming.
Volkswagen is teaming up with three
Israeli experts to form Cymotive, which will address the security of connected cars. Rod
Schultz, VP of Product at Rubicon Labs, told the CyberWire he applauded the decision to form
Cymotive. He thinks they should focus on creating a secure identity for the hundreds of electronic
control units now built into cars everywhere.
Search and analytics company Elastic has bought Prealert, an innovator in behavioral analysis.
The play is thought to represent Elastic's bid to disrupt big data house Splunk. The acquisition is interesting also because Prealert was announced today as one of 2016's
Cynet16, the Security and Innovation Network's annual honor roll of cyber innovators.
The other winners are, in alphabetical order,
BlackRidge Technology, Contrast Security,
CyberX, DataVisor, Digital Shadows,
InterSET, Menlo Security, Entrepid,
Phantom CyberCorp, PostQuantum,
ProtectWise, RiskSense, SafeBreach,
ThreatQuotient, and Vera.
Congratulations to them all.
You'll find links to accounts of the Cynet 16 and why they won in today's issue of the CyberWire daily news briefing.
And finally, Oliver Stone's film Snowden.
It was shot in color, but according to Wired's review, it offers a black- white story quite devoid of so much as a shade of gray. Oliver Stone Snowden has convinced some that its eponymous subject
deserves a presidential pardon. Some, but far from all. Among the unconvinced are the Republicans
and Democrats of the House Permanent Select Committee on Intelligence, who've just sent
the president a letter expressing strong exception to the petition for pardon.
So what's the betting? Which is likelier?
A pardon for Ed Snowden, or the replacement of the Star-Spangled Banner by City Escape from Sonic the Hedgehog?
Remember, Sonic fans, make America fast again. Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires
done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to
vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. are thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data, and ensuring your organization
runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep
your company safe and compliant.
And joining me once again is Dale Drew. He's the Chief Security Officer at Level 3 Communications.
Dale, it seems like every day we're seeing more
news about healthcare record leaks. What are some things that enterprises can be doing to protect
these particularly valuable assets? Healthcare records are actually 10 times more valuable
than credit card data on the black market. There is a definite, tangible market for
gaining unauthorized access to medical records and selling them on the
black market. We really recommend a few things. We recommend some fairly traditional security
mechanisms in the healthcare industry. More and more healthcare devices are being connected to
the healthcare ecosystem, more and more diagnostic systems. All those systems run versions of relatively vanilla
operating systems, and they come with exposures. So making sure that those systems are properly
patched and up to date and monitored for security access and security controls.
Not many people and practitioners really put a lot of thought into making sure that healthcare monitoring systems are being properly patched and properly monitored.
They're using them as appliances.
The other one is that we're recommending, especially in cases like this, is to ensure that the healthcare monitoring appliances are really separated from the healthcare user population.
People are being able to get access to these devices.
The vector is these healthcare devices.
And then from there, they're then able to gain access to things like desktops
where then the healthcare records are stored.
So we really recommend segmenting or separating those sort of networks
so that they can't talk to each other
or they talk to each other through a
security policy enforcement infrastructure that can properly check the security of those systems.
And what about from the other direction? I mean, what about as a consumer? What can I do to make
sure that my health care records are as protected as they can be?
You know, as a consumer, what I would say is, you know, is you can reach out to your healthcare provider and ask
them what security controls that they have in place. Ask them if there's any third-party auditing
that's being done on the healthcare provider to validate the controls, and if there's any serious
or significant findings as a result of that last audit. You'll be surprised how forthcoming those
healthcare providers will be
on how transparent they are, and it really helps provide some education to the end user
about how that information is properly protected. All right, Dale Drew, thanks for joining us.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
My guest today is Shelley Westman.
After a few years as a lawyer,
she spent most of her career at IBM,
where she's Vice President of Operations and Strategic Initiatives in IBM's security business.
She's a popular keynote speaker
and a champion for attracting and retaining more women and minorities into cybersecurity. So as you were coming up
through IBM, were there any particular challenges that you face by virtue of being a woman?
Well, what's interesting is for most of my career at IBM, I gave no thought to the fact
that I was a woman. I would say for 15 of the 17 years.
I came in every day.
Of course, I noticed that there was not as many women in a lot of the meetings,
but I didn't belong to any women's group.
I didn't pay any particular emphasis on it.
I came in, did a good job, and expected to be rewarded and was rewarded.
It wasn't until I got into IBM security
and started hearing about the
dismal numbers overall in the industry where there's only 10% of women in the
security space that I really figured as a female leader I need to step up and
start being a vocal advocate to improve these numbers. So let's talk about those
numbers. Why do you think we do so poorly in cybersecurity
when it comes to hiring women? Well, first of all, there's not as many women available to hire.
That's really the heart of the problem. Women are not choosing overall STEM careers, number one,
and cybersecurity, number two, and that's for a variety of reasons. A lot of them don't know about it. So
the ones that I'm speaking with that have gotten into the field have gotten into it almost by
accident, where they saw something or they participated in a hacking contest and really
fell in love with it. We're not doing a good job of educating these young women that this is a
viable career opportunity. You touched on the importance of having mentors and people supporting you along the way.
How important was mentorship to you as you made your way up through your career?
Mentorship is very, very important as a sponsorship.
And there's really a difference that I don't know that everyone understands.
You know, a mentor, you can pick your own mentor.
You can say, will you mentor me? Will you help me? A sponsor has to pick you. They have to be willing to put
their career on the line and say, I know Shelly, she's going to do a good job in this next role.
And both mentors and sponsors are critically important. And for me, interestingly enough,
I've only had one female mentor my whole career because I've always wanted
to get that difference of thought. I know how I think being a woman. I want to make sure that,
you know, I've got another point of view guiding me and saying, have you thought about it from this
perspective? So I've typically gravitated toward male mentors because they can give me that
different point of view. What about for men who want to be more supportive of getting women into the field,
but then also want to support women once they're in the field?
What advice do you have for men who want to contribute and try to equalize the situation more?
You know, and that's a really important question because we absolutely need men as allies.
Well, and that's a really important question because we absolutely need men as allies.
So if you think about it, the field of security has 90% men and 10% women.
This is across the board.
And we can't change that without men stepping up and saying,
I've got to be one that's going to help this situation.
And I think it's hard for men to understand some of the unique problems that a woman might face in a very male-dominated field until they start thinking about it on a personal level and start thinking about their wife or their daughter
and what they want it to be like for future generations.
And I think none of this is really done, you know, nothing that happens is done with
malicious intent. We just tend to gravitate towards people like us. So for a male to really
stop and say, how am I going to help change this? How am I going to get people that look different
than me so I can get this diverse perspective is really powerful. And the other
thing I tell my teams is that, you know, we don't want diversity just because it's nice to have.
We want diversity because it's been proven time and time again that diversity leads to better
business results. And that when you have people that think different from you, you come up with different solutions.
And that is really important.
If you surround yourself with people that think like you only, you're all going to come up with the same answer.
And that's why it's important.
And that's what we've got to get men to realize, that this benefits all of us.
If we do better, we get better bonus, more money, more room for advancement for all of us.
It's not just a nice-to-have.
It's a business imperative.
And just for career advice in general,
for the young woman who may be heading into college
or heading out of college and is considering a career
in a technical field or cybersecurity,
what would your advice be for her?
My advice for anybody considering a career is find something that you love doing.
And I speak from practical experience because when I was practicing law, I hated it.
And it was very sad.
I thought that's what I wanted to do my entire life.
And I didn't feel the energy from it.
It didn't make me happy.
And so you have to go and find something you like doing. And don't
give up on that. If you try something and don't like it, find something else. You spend too much
of your time at work to be doing a job you don't like. In terms of the STEM careers and fields in
cybersecurity, my advice is try it. You might like it. And, you know, I've heard from young women who have gotten involved in some of these external clubs
and they've participated in a Capture the Flag contest,
and they're absolutely amazed at how much they enjoyed it.
So until you try something, you don't know whether or not you like it.
So go for it. Try it. Give it a chance.
And if you don't like it, find something else.
IBM is teaming up with the International Consortium of Minority Cybersecurity Professionals, the ICMCP, for an event in October.
What can you tell us about that?
I'm so excited about this event.
We're having this October 4th at 590 Madison Avenue, which is one of our IBM buildings.
And we're having a town hall style event where we're focused on how do we get more women and underrepresented minorities into cybersecurity.
And we've brought together three panels consisting of some of the top leaders in business and security and academia to really talk about what they're doing, what works
and doesn't work, and share ideas. That's Shelley Westman from IBM. You can see a video of her
keynote presentation at this year's Women in Cybersecurity Conference on our website, thecyberwire.com. And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening. Domo's AI and data products platform comes in. With Domo, you can channel AI and data into
innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate
your data workflows, helping you gain insights, receive alerts, and act with ease through guided
apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.