CyberWire Daily - Elemental election meddling spooks US campaigns. CISA’s email advice. Remote workers behaving badly. Momentum Cyber’s state of the Sector. The SINET 16. And remember 9/11.
Episode Date: September 11, 2020
Kittens and Pandas and Bears, oh my. Ransomware gets its skates on, but it still has loose idiomatic control. CISA has some advice on email. While at home on pandemic lockdown, a lot of people (not you) are spending too much time on unedifying sites. Momentum Cyber looks at the state of the cybersecurity sector in 2020. The SINET 16 have been announced. Chris Novak from Verizon on understanding the complexities of PFI breach investigations. Our guest is Steve Vintz from Tenable on why CFOs should lean into cybersecurity issues. And, finally, take a moment today to remember 9/11. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/177
Transcript
You're listening to the CyberWire Network, powered by N2K.
Kittens and pandas and bears? Oh my. Ransomware gets its skates on, but it still has loose idiomatic control.
CISA has some advice on email. While at home in pandemic lockdown, a lot of people,
not you, are spending too much time on unedifying sites. Momentum Cyber looks at the state of the
cybersecurity sector in 2020. The SINET 16 have been announced. Chris Novak from Verizon on
understanding the complexities of PFI breach investigations.
Our guest is Steve Vintz from Tenable on why CFOs should lean into cybersecurity issues.
And finally, take a moment today to remember 9/11.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Friday, September 11th, 2020.
Well, everybody, the bears are back, and so are the pandas and the kittens.
Microsoft yesterday described evidence it has developed that indicates extensive Russian, Chinese, and Iranian efforts to penetrate or impede U.S. political campaigns.
The target selection is about what one might expect, given the three governments' general policy objectives.
Tehran really doesn't like President Trump at all.
The Iranian group Phosphorus (Microsoft uses elemental names for threat actors;
others call this one APT35 or Charming Kitten)
is hitting personal accounts of people associated with President Trump's campaign.
Beijing, on the other hand, seems interested in former Vice President Biden's campaign for the presidency.
It also wants to keep a close eye on the U.S. foreign policy establishment,
probably because of the extent to which American sanctions against
and wolfing in the direction of Chinese companies have become a thorn in the
panda's paws. The Chinese group Zirconium, APT31 or Hurricane Panda, is most interested in high-profile
individuals associated with the election, including some having to do with the Biden campaign,
as well as prominent leaders in the international affairs community.
Moscow is looking for opportunistic trouble.
Russia's Strontium, APT28, the GRU's very own Fancy Bear, has bipartisan interests and has gone after more than 200 targets.
Their list runs to campaigns, consultants, political parties, and advocacy groups.
Most of the attacks the groups mounted, Microsoft says,
were unsuccessful. But as Han Solo would say, don't get cocky, kid. The activities Microsoft
describes seem to involve intelligence collection and battle space preparation
for influence operations. There are, however, more direct threats to voting.
Since elections depend upon the high availability of voting systems and databases,
the publication Governing sees the tendency toward widespread criminal use of ransomware
as a problem for election officials.
Whether the threat is ransomware or the campaigns Microsoft described in its own warning,
much of that threat is email-borne.
The U.S. Cybersecurity and Infrastructure Security Agency yesterday offered advice to all election-related entities
on steps they might take to counter email-based attacks.
CISA says, quote,
Email systems are the preferred vector for initiating malicious cyber operations.
Recent reporting shows 32% of breaches involving phishing attacks
and 78% of cyber espionage incidents are enabled by phishing, end quote. For present purposes, CISA divides email attacks into two general categories,
phishing and credential stuffing.
Their general advice is directed at election officials and the IT people who support them,
but it's generally applicable to any organization that uses email.
They include, if you're using cloud email, use the protections your cloud provider offers,
secure the user accounts on high-value services, use email authentication and other best practices,
and if you're running your own email gateway, secure it.
Speaking of ransomware, as we heard yesterday,
data center provider Equinix was hit with NetWalker over the Labor Day weekend.
Bleeping Computer reports that the attackers demanded some $4.5 million in ransom in exchange for a decryptor and a promise not to release stolen information.
Payment, of course, is demanded in Bitcoin.
The hoods want Equinix to understand what they've taken,
and so took what Bleeping Computer describes as the unusual step of sending a screenshot of stolen
data to their victim. Their ransom note stylistically represents a sample of low-grade
Shadow Brokerese, quote, look at this screenshot. If you not contact us, we will publish your data to public access.
You can take a look at our blog.
You have three days to contact us, or we will make post in our blog.
Contact all possible news sites and tell them about data breach.
Yowza.
It's all caps in the original, probably more because the cyber goons are too lazy to use a shift key
than for the typographical effect of shouting that caps-locked text conveys.
Equinix's blog, updated yesterday,
has nothing new to report.
They're continuing to serve their data center clients,
and investigation remains in progress.
Late this morning, Momentum Cyber
released its cybersecurity market review
for the first half of 2020.
As one might expect, it represents a tale of two quarters,
with swift growth in the first quarter and pandemic-driven retrenchment in the second.
That second quarter, however, also saw a tremendous increase in organizations' attack surfaces
that has built up a considerable demand for cybersecurity services and solutions
that should provide large
opportunities for companies in the sector as their customers emerge from their present state
of fiscal caution. We'll have more on Momentum's Cyber Market Review next week.
A study of user behavior Netskope released yesterday offers a glimpse into how remote
work and the blurring of the lines between home and office have increased enterprise risk. There's the expanded attack surface, to be sure, but there's
also the matter of people's behavior online. It's not good, and a lot of people really ought to be
ashamed of themselves. Not you, of course. We mean other people. Those other people are spending a
lot more time thrashing around in eight categories of risky sites Netskope identifies.
We won't name them all for reasons of decency and the sort of search engine optimization a family show like ours wants,
but the biggest leaders were gambling and "adult content, other."
And visits to adult content, not "other," what we'll call saucy pictures and videos,
have increased six-fold over the course of the pandemic.
We're pretty sure that the activities of China's ambassador to the Court of St. James's can't account for all of that,
and so some people should be ashamed.
Not you, of course, those other people.
With its annual recognition of innovative cybersecurity firms coming up at the beginning of November,
SINET has released the names of the finalists, its annual SINET 16.
The firms recognized this year include Alcide, Axonius, Beyond Identity, Bolster, CipherTrace, CloudKnox, CyCognito, Keyfactor, Medigate, Orca Security, Ordr,
ReFirm Labs, Salt Security, Secure Code Warrior, ShiftLeft, and StackRox.
Congratulations and best of luck to all the finalists.
And finally, today is the 19th anniversary of the 9/11 attacks that took so many lives in New York, Arlington, and Shanksville.
Pause for a moment and spare a thought for victims of terrorism and for those they left behind.
We remember, too, the many acts of sacrifice, valor, and compassion that followed in terror's train.
There's that old saying that much of what's done in the world
is done for love or money.
And it's fair to say that cybercriminals targeting businesses
are focused on the money side of that particular phrase.
The CyberWire's chief security officer and chief analyst Rick Howard spoke with Steve Vintz,
chief financial officer of Tenable, on why CFOs should lean in to cybersecurity issues.
In terms of the essay that I wrote that appeared in CFO Magazine in Australia, we talked a lot about the maturation of the role of the chief security officer, the chief information security officer, and how the security team needs to evolve their strategy and become better partners with the C-suite. In turn, I believe the C-suite needs to also evolve and recognize the value and the contributions of the chief security officer as an important executive on the team.
And I believe there's a disconnect in how businesses understand and manage security risk.
Well, I totally agree.
And I've been part of that problem myself in my former CSO roles, right?
That my peers and I have always had trouble conveying or transforming cyber risk into
business risk.
We just didn't have the language to do it.
And I was wondering if the CFOs of the world could help us figure that out.
Well, I think we need to. I think it's important. If you think about it, cyber security threats are thriving amidst the climate of uncertainty, making it a topic certainly worthy of board level
visibility. This move to work from anywhere. Digital transformation was well underway, and it was a major secular change in the industry.
But COVID has probably catapulted digital transformation 10, 15 years into the future.
And so with that comes a whole host of problems.
The compute's changing.
The attack surface is expanding as companies undergo digital transformation, malicious activities on the rise. There's more sophisticated bad actors,
and there's an increasingly complex threat environment. And all this creates the perfect
storm, if you will, for cyber threats. In terms of business leaders, what I can tell you is
business leaders want
a clear picture of their organization's cybersecurity posture, but their security
counterparts struggle to provide one. And so as a CFO, the organization's risk profile is
something that's important to me. I report to the CFO, but I spend a lot of time with the
audit committee, and the audit committee often, for companies of our size, has the de facto responsibility for risk. And it's a simple
question. How secure are we? But the answer is seemingly complex. And as I thought about that,
what I realized is that most every major functional department within the enterprise has a common language that's universally understood throughout the organization.
And so when we look at security, I think the problem today, given all of this that we just talked about, is that there's no common language.
When you pose that question, how secure are we, you don't typically get an answer that's based on
the maturity framework of an organization and a couple of key metrics. There's not a clear
articulation on that. I would pose to you that that's the wrong question, or at least a hard
question to answer. The real question that CISO should be answering to people like you, the CFO,
is what's the probability that we are going to be materially impacted by a cybersecurity event in,
say, the next three years? I think that's an answerable question. I don't know, what do you
think about that? Rick, I agree with where you're coming from because you cannot, I'm not proposing that you
can eliminate security risk. By the way, I'm the CFO. I'll stay in the shallow end of the pool
when it comes to technical matters on security. But I do think that I understand, you know,
business risk. And you can't, the only thing you can do, I believe, is do a series
of things that reduces risk to a relatively
acceptable level.
Often, CFOs are on the sidelines as a passive observer
of security. One of the things I've learned since I've been
at Tenable, I've been here for five and a half years. And while I have, you know, I've worked with technology growth companies
most of my career in the past 30 years, I'm a bit of a neophyte when it comes to security. You know,
I've just, I've spent the last five years in security. I've learned a lot about it.
And one of the things I'm encouraging my CFO counterparts and really the rest of the C-suite
is to take an active role.
I think CFOs have a responsibility to ensure security teams are resourced, understand the struggles within those departments, become better partners.
People like me who don't speak the technical language and other executives will look at things like maturity frameworks.
You know this better than anyone, but you can pick one. It could be NIST. It can be
SOC 2. It can be ISO 27001. And then the next logical question is like, what's the effect of this, of that? And I don't think there's a clear articulation. I think we're becoming better as an organization.
I think boards are becoming better.
But I think there's a long ways to go in that regard.
That's our own Rick Howard speaking with Steve Vintz from Tenable.
And I'm pleased to be joined once again by Chris Novak.
He's the director of the Verizon Threat Research Advisory Center.
Chris, it's always great to have you back. I wanted to touch on some of the complexities that you and your team track
when it comes to certain breach investigations.
What sort of things can you share with us today?
Yeah, sure.
I'd say probably the area that sometimes is a bit new and different for organizations
is the realm of PFI or payment card industry forensic investigations.
You know, a lot of organizations tend to look at the incident response world in a purely technical perspective.
But obviously, as I think people are kind of growing to become more familiar with,
there's a lot more laws and regulations that dictate how a number of those things really need to take place.
And PFIs are sometimes a type of investigation that can get
organizations a little tangled up if they don't quite know what they're doing. Well, walk us
through, what does an investigation look like? Sure, yeah. So typically, many PFI investigations
are actually not discovered by the victims themselves. So if you're a merchant, for example,
or an e-commerce shop,
you obviously deal with credit cards in order for your customers to make purchases.
And in many cases, the way that someone may identify the fact that you've had a breach is typically that, think about it, if you've ever gotten a credit card statement and you noticed
a charge that you didn't make, and you call up your credit card company and say,
this wasn't me, they say, okay, no problem. We'll take care of it. Well, what happens behind the scenes that a lot of
people don't realize is they amass all the data on all those charges that people called in and said,
this wasn't me. And they start doing analytics across all of those fraudulent charges to try
to identify something that they refer to in the industry as a common point of purchase or a CPP.
And once they've identified that, kind of think of that as these are the only things in common across all these fraudulent transactions.
Usually what happens is it triangulates and points back to a specific merchant,
maybe an e-commerce shop, maybe brick and mortar, it could be any kind of organization.
And in some cases, what's surprising
to many is that they can typically come to that analysis with a very small number of transactions.
It may only take three, four, five. Now, they may also amass thousands of fraudulent transactions,
and that only makes their triangulation easier. But sometimes organizations will push back because
they'll go,
ah, it's only two or three transactions.
I do, you know, a hundred transactions,
a thousand transactions a day.
What's a couple, you know, fraudulent transactions?
How does that identify that I've had any kind of breach?
And so that's usually one of the first stumbling points that organizations will face is that pushback
and that denial that it can't be right.
It can't be them.
You know, I'm imagining you standing in front of a big bulletin board with three by five cards and
strings of yarn with tacks, you know, connecting all the different points together. I suspect it's
probably a bit more complex and automated than that. But when it comes to making these connections,
you know, behind the scenes, when the connections are made, do the credit card companies, is it a matter of going after the people who are doing this or shutting them down?
In other words, do we inform law enforcement?
Do we try to cut them off so they can't do it anymore?
What's the spectrum of responses?
Yeah, so it can be varied.
It depends typically on the size and scope of the losses that
they're seeing. But usually the first step that they'll do is they'll usually reach out when that
triangulation has pointed to Merchant ABC, for example. They will typically reach out to Merchant
ABC's bank and say, hey, this is what the triangulation has pointed to. We'd like to get
in contact with your merchant to see whether or not they know
what's going on and maybe conduct a PFI investigation to figure out if they've had a
breach and if so, what the scope of it is. And that would typically be the first foray
into the incident response and investigative side of things. And then typically as an offshoot of
the investigation, you know, in the course of our work, if we find that, hey, we can actually
identify who may be behind this or, you know, we can link it to other cases that we may be
working, much like you would see in a typical law enforcement investigation. You know, we see a
common fingerprint across 10 or 20 cases. We may actually be able to tie this breach back to a
potential threat actor. And when we have the opportunity to do things like that,
you know, quite often the merchant, the bank, the credit card companies will often,
you know, encourage the possibility of actually working with law enforcement to see what we could
do in terms of actually prosecuting that. And, you know, to be honest, the success rate of that
has only gotten better over the years. So it really sounds like it's a collaborative process when you
get to that point. Yeah, I would say it absolutely is. And, you know, I would say that the other
thing that a lot of organizations struggle with there in terms of understanding even how to start
that process and who to collaborate with is how they even find PFIs. Because that's one area where
it's a, I'd say it's a rather specialized area of incident response and investigations because the investigative team needs to actually understand how the payment card process works. their card, that transaction data may hop through 10 or 20 different points across the world
and back in a split second in order to get your transaction approved. And when you do the
investigation, you kind of need to understand how all those linkages work so that you can investigate
and figure out where along those chains might that problem actually be. So many of the organizations
that actually work in that industry
are actually known as PFIs and certified accordingly.
And so it's important that when organizations suffer,
you know, from a potential breach of a credit card
or debit card kind of situation,
that, you know, they know what to look for
when they're looking at PFIs to pick from.
All right. Well, Chris Novak, interesting insights, of course. Thanks so much for joining us.
My pleasure.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed, no assembly required.
Listen for us on your Alexa smart speaker, too.
Be sure to check out this weekend's Research Saturday and my conversation with John DiMaggio from Symantec. We'll be talking
about Sodinokibi. That's Research Saturday. Check it out. The Cyber Wire podcast is proudly produced
in Maryland out of the startup studios of DataTribe, where they're co-building the next generation
of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar,
Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky,
Gina Johnson, Bennett Moe, Chris Russell, John Petrik,
Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here next week.