CyberWire Daily - Emergency Directive 19-01 versus DNS hijacking. 2019 US National Intelligence Strategy on cyber. France says cyber war is upon us. Courts in UK have email trouble. Hacks and lulz.
Episode Date: January 23, 2019. In today's podcast, we hear that Emergency Directive 19-01 has told US Federal civilian agencies to take steps to stop an ongoing DNS-hijacking campaign. The US National Intelligence Strategy is out, and it prominently features cyber as a "topical mission objective." France says that war has begun in cyberspace, and that the enemy should be en garde. British barristers scramble to restore secure email. A metals firm sustains an attack on business systems. And some clown cuts Australian telecoms cables. Justin Harvey from Accenture on blocking incoming threats. Guest is Tom Huckle from Crucial on closing the skills gap. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/January/CyberWire_2019_01_23.html
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com/n2k and use promo code N2K at checkout. The only way to get 20% off is to go to joindeleteme.com/n2k and enter code N2K at checkout. That's joindeleteme.com/n2k, code N2K.
Emergency Directive 19-01 tells U.S. federal civilian agencies
to take steps to stop an ongoing DNS hijacking campaign.
The U.S. National Intelligence Strategy is out, and it prominently features cyber as
a topical mission objective.
France says that war has begun in cyberspace and that the enemy should be on guard.
British barristers scramble to restore secure email.
A metals firm sustains an attack on business systems.
And some clowns cut Australian
telecoms cables.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for
Wednesday, January 23, 2019.
The U.S. Department of Homeland Security yesterday
issued an emergency directive to non-national security agencies
enjoining them to secure their networks against a DNS hijacking campaign
widely, if unofficially, attributed to Iran.
The warning, Emergency Directive 19-01,
was issued by the Department's Cybersecurity and Infrastructure Security Agency, CISA.
It tells the civilian agencies whose security CISA oversees to mitigate DNS infrastructure tampering.
The unnamed threat actor operates, the emergency directive says, in discrete stages to redirect and intercept web and mail traffic.
Other network services are also presumed to be vulnerable.
The attack begins by compromising user credentials to an account that can change DNS records.
Then it proceeds to use those credentials to alter DNS records,
replacing the legitimate address of a service with an address the attacker controls.
Thus, traffic can be directed for
manipulation or inspection, depending upon the attacker's purpose, before the traffic is passed
to the legitimate destination. The ability to set DNS record values also enables the attackers to
get valid encryption certificates for the affected domain names. This exposes user-submitted data to
decryption and does so in a fashion that doesn't
generate error warnings for the users. Agencies are directed to respond to the threat with four
actions they are to take within 10 business days. First, audit their DNS records and report any that
don't resolve to their intended location. Second, change all their DNS account passwords. Third,
add multi-factor authentication
to all DNS accounts. If the agencies have some systems where they can't accomplish this,
they are told to alibi them to CISA. Finally, after they receive new certificates via CISA's
cyber hygiene service, begin monitoring certificate transparency logs and report any
unauthorized certificates to both the issuing
certificate authority and CISA. The Washington Post reports that defense and intelligence systems
were unaffected. They are in any case outside the responsibilities of CISA.
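As an added example that is not part of this episode or of CISA's directive, the following Python sketches how the first and fourth of the four actions just described can be checked offline: it compares a zone's records with a known-good baseline and reports any that do not resolve to their intended location, and it screens Certificate Transparency entries for certificates issued for the organisation's names that the organisation never requested. Every domain, address, issuer name and serial number below is constructed; nothing is queried from live DNS or a live CT log.

```python
"""Offline sketch of two Emergency Directive 19-01 actions: auditing DNS
records against their intended values, and reviewing Certificate
Transparency (CT) entries for certificates the organisation did not request.
Added example, not code from the podcast or from CISA; all data is constructed."""

from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

RecordKey = Tuple[str, str]  # (owner name, record type)

# Constructed baseline: where each record is supposed to point.
EXPECTED_RECORDS: Dict[RecordKey, Set[str]] = {
    ("www.example.gov", "A"): {"192.0.2.10"},
    ("mail.example.gov", "A"): {"192.0.2.25"},
    ("example.gov", "MX"): {"mail.example.gov."},
    ("example.gov", "NS"): {"ns1.example.gov.", "ns2.example.gov."},
}

# Constructed snapshot of what the zone currently serves, as an audit would
# gather it. The mail host has been repointed to an address we do not own.
OBSERVED_RECORDS: Dict[RecordKey, Set[str]] = {
    ("www.example.gov", "A"): {"192.0.2.10"},
    ("mail.example.gov", "A"): {"198.51.100.7"},
    ("example.gov", "MX"): {"mail.example.gov."},
    ("example.gov", "NS"): {"ns1.example.gov.", "ns2.example.gov."},
}


def audit_dns(expected, observed):
    """Return (name, type, expected_values, observed_values) for every record
    that does not resolve to its intended location. A missing record and an
    extra value are both reported: an attacker who adds a second address can
    divert a share of the traffic without removing the legitimate one."""
    findings = []
    for key, want in expected.items():
        got = observed.get(key, set())
        if got != want:
            findings.append((key[0], key[1], sorted(want), sorted(got)))
    return findings


@dataclass(frozen=True)
class CTEntry:
    """One certificate entry as a CT log monitor would report it (constructed)."""
    domain: str
    issuer: str
    serial: str
    not_before: str  # ISO date, constructed


# Constructed: certificates the organisation itself requested. Under the
# directive these would be the replacements obtained via CISA; any other
# certificate for our names is to be reported to the issuing CA and to CISA.
AUTHORIZED_CERTS: FrozenSet[Tuple[str, str, str]] = frozenset({
    ("www.example.gov", "Example Issuing CA", "01A3"),
    ("mail.example.gov", "Example Issuing CA", "01A4"),
})

OUR_DOMAINS = {"example.gov", "www.example.gov", "mail.example.gov"}

# Constructed CT log sample: one authorised cert, one issued for our mail host
# by a CA we never used, and one for somebody else's domain (ignored).
CT_LOG_SAMPLE: List[CTEntry] = [
    CTEntry("www.example.gov", "Example Issuing CA", "01A3", "2019-01-22"),
    CTEntry("mail.example.gov", "Other Public CA", "7F2C", "2019-01-18"),
    CTEntry("shop.example.net", "Other Public CA", "7F2D", "2019-01-18"),
]


def find_unauthorized_certs(entries, authorized, our_domains):
    """Return CT entries for our domains whose (domain, issuer, serial) is not
    in the authorised set. Because whoever controls DNS can pass a CA's
    domain-validation check, a certificate being valid is not evidence that
    we requested it; only our own issuance records are."""
    return [
        e for e in entries
        if e.domain in our_domains
        and (e.domain, e.issuer, e.serial) not in authorized
    ]


def report():
    """Human-readable summary of both checks, for running stand-alone."""
    lines = []
    for name, rtype, want, got in audit_dns(EXPECTED_RECORDS, OBSERVED_RECORDS):
        lines.append(f"DNS MISMATCH {name} {rtype}: expected {want}, observed {got}")
    for e in find_unauthorized_certs(CT_LOG_SAMPLE, AUTHORIZED_CERTS, OUR_DOMAINS):
        lines.append(f"UNAUTHORIZED CERT {e.domain} serial {e.serial} "
                     f"issued by {e.issuer} on {e.not_before}")
    return lines


if __name__ == "__main__":
    for line in report():
        print(line)
```

In practice the observed records would be gathered by querying the zone's authoritative servers (and the registrar's delegation) rather than typed in, and the CT entries would come from a log monitor subscription for the organisation's names; the comparison logic stays the same. The second check is the reason the directive pairs certificate replacement with CT monitoring: a hijacked record lets an attacker obtain a browser-trusted certificate, so the defence is to know which certificates were legitimately requested and to treat every other one for your names as a finding.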
Security organizations continue to struggle with the so-called skills gap, the shortage of qualified workers to fill
open positions. Crucial Academy in the UK is one of many organizations looking to help close that
gap. Tom Huckle is head of the Crucial Academy.
Over here in the UK in Parliament and the UK
Joint Committee, they concluded that the shortage of specialist skills and deep technical expertise
was one of the greatest challenges faced by the UK's critical national infrastructure operators and regulators
in recent times. And so it's being discussed at the very highest levels. And despite, for example,
over here in Europe, we have GDPR, where the potential penalties now are so much more than
what they used to be under the old Data Protection Act 98.
The question is really that goes to companies really and industry and governments is,
can we really rely on taking this risk of not filling the skills gap, which is so apparent with kind of every kind of report that comes in saying that there's a requirement for it.
We have over here in the UK something called the National Security Strategy, which I mentioned. And it just, it says that two of the main reasons that we're
up against here in the UK is that there is a lack of young people entering the profession in the
first place. And there's also an absence of established career and training pathways into
the profession. But really then the solutions you've got as a business is you've got to kind of
recruit talent yourself, which is really difficult in this area because there's not many people out
there. You've either got to train or upskill your current workforce who are already kind of in the
cybersecurity arena, or you've got to try and uncover hidden talent within the business with
transferable skills. So my real question when I came to you was like, how can we solve this?
What's one of the reasons, especially with Brexit looming ahead,
which is only going to impound the issue for the UK?
Yeah, I know one of the points that you made is that perhaps there's a pipeline
to be mined there from the military.
I think there is.
I was military myself.
I served in the Royal Marines for eight years. So I've been there,
and I'm very much a product of this pipeline that when I was going through, it didn't exist.
You just got to look currently at the state of the UK military at the minute. I mean,
just in the last 12 months, nearly 15,000 people have left the armed forces. So there's an
incredible amount of people coming out who are probably asking this same question in regards of, what do I do? But actually, a lot of
the skills that they have are really good for moving into cybersecurity. So you've got a really
good untapped resource, because military personnel, as we all know, I mean, they're very
used to being able to go up against adaptive and skilled adversaries who are very much used to
changing the way they operate to try and get around the defenses that the good guys put in place.
Their skill transference, which they may not realize, is they're very good at strategic
thinking.
They're team workers.
They can operate very well under pressure.
They are very good at, like, problem solving.
They're happy with responsibility, making those kind of decisions, and they're very
adaptable, which in the cybersecurity arena is fantastic.
A lot of the military personnel that I speak to don't realize that you don't have to be super technical to do well in this industry.
Yes, there are the kind of very technical roles that you can eventually start to mold into. But in regards to going in at some of these levels in cyber threat
intelligence, information assurance, cyber project management, cyber risk, cyber defense, and
penetration testing, they can, and it has been proven through what Crucial Academy does, is you
can take these individuals, you can train them over a period of two to three weeks, and at the
end of it, they can get past the tests and accreditation and come out the other end and go into really successful jobs in
cybersecurity and start to fill this gap that we are obviously experiencing in the UK and
worldwide as well. I mean, everyone is kind of talking about how the solution to cybersecurity
is automation, is bringing in artificial intelligence, machine learning, and this will kind of be the holy grail
for the solution of cybersecurity, which, to an extent, yeah, it may be, and it may start to shrink this
gap of the demand for people to come in. But at the end of the day, you've got to realize that
the people who are going to implement artificial intelligence and machine learning, who
are going to understand the anomalies that are going to be detected as a point of these kinds of technologies,
and the individuals at the end of the day who are going to have to work with this program technology
and interpret and then act on its outputs, are going to be people. And so that's why we still need
to address this situation and this demand, that technology is only going to solve some of the, and that we need to invest in our people.
That's Tom Huckle from Crucial Academy.
The 2019 U.S. National Intelligence Strategy is out, warning of diverse and interconnected threats.
That's a wars and rumors of wars kind of warning.
Threats have been diverse and frequently interconnected for a long time, but it's noteworthy that cyber threats are particularly called out
right after emerging threats dealing with space.
The strategy notes that cyber threats have already affected
confidence in our global institutions, governance, and norms
while imposing numerous economic costs domestically and globally.
Adversaries are getting better at this, ODNI notes,
and rapidly advancing and proliferating technology is finding its way not only into American hands,
but into hands not necessarily well disposed toward the U.S.
The document outlines three foundational mission objectives and four topical mission objectives.
At the top of the topical objectives
is cyber threat intelligence, whose goal is to, quote, detect and understand cyber threats from
state and non-state actors engaged in malicious cyber activity to inform and enable national
security decision-making, cyber security, and the full range of response activities, quote.
Broadly speaking, the intelligence community will do three things to meet that objective.
The U.S. is far from alone in calling attention to conflict in cyberspace and in expressing a determination to do something about it.
France has been even blunter and more direct.
Speaking yesterday in Lille, French Armed Forces Minister Florence Parly re-emphasized
that nation's determination to engage across the spectrum of conflict in cyberspace,
specifically including offensive cyber operations.
She said last week in Paris that cyber war had begun and that France is determined to be
ready to fight it. Her remarks in Lille included discussion of a coming bug bounty program
and a significant investment in the cyber industrial base, including small businesses,
and there was no mitigation of the assertiveness heard so recently in Paris.
Clearly dissuasion is on the Republic's mind.
Criminal Justice Secure Email, a system widely used by British barristers,
went down last Friday and isn't expected to be fully restored for a week and a half, at least.
The outage is impeding the work of the country's criminal courts. According to the Register,
the reasons for the outage remain unclear, but it's bad news for the courts. It's probably not going to be the case, as the Times of London
somewhat breathlessly suggests, that the jails will be open and pandemonium unleashed upon the
realm, but it's inconvenient to say the least, and another indication of how brittle institutions
can prove when they rest on a foundation of ones and zeros.
Belgian metals firm Nyrstar disclosed a cyber attack yesterday that affected email systems,
but not mining or production.
Recovery is said to be proceeding.
The company's statement suggests that business systems only were affected,
which, if correct, is a good thing and a useful reminder of the
importance of network segmentation. Think about it, there's no particular reason why Leopold in
HR should be able to share his thoughts with a blast furnace. Finally, a CRN story reminds us
that traditional vandalism remains a threat to connectivity. One such Visigoth cut Telstra cables in New South Wales
for no particular reason.
We hope, first, that they enjoyed themselves,
and second, that they will also soon receive a visit
from the New South Wales heat.
Preserve us from the skids who roam the earth
seeking nothing more than the lulz.
faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com/careers to learn more.
Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks. But get this,
more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls
with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30
frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies,
access reviews, and reporting, and helps you get security questionnaires done five times faster
with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
And I'm pleased to be joined once again by Justin Harvey.
He's the Global Incident Response Leader at Accenture.
Justin, it's great to have you back. You know, when it comes to folks trying to block incoming threats, I think sometimes people wonder, what's my biggest
concern? Do I have to be on the lookout for criminals? Do I have to be the lookout for
nation states? What's your take on this? Well, my take on it is you hear a lot of
news and you see products that center around either cyber criminal or nation state activity.
In my opinion, I think you need to build a strong cyber defense program that is able to
handle both cyber criminals and nation states. In my humble opinion, you're not going to weigh
based upon what industry or geography and you're not going to make architectural changes. It's not
going to drive your product selection. You need to have a very strong base. Criminals, clearly, in the continuum of time, yes, there are
breaches and incidents where commercial companies are hit, they lose information, their stock goes
down, some people get fired over it, they offer identity protection, but those are really blips.
The big major attacks are nation-state. While cyber criminals can create problems for commercial
companies like having it affect your brand or by having to pay regulatory fines or identity
monitoring, nation states really have that capability to effectively turn your lights out.
They do that through things like intellectual property theft, where a nation state can steal a
company's secrets, they can build their own product, and then they can introduce those
products into the same market from the exact same people that they stole that information from.
And that can cost tens of millions, hundreds of millions. Or if you think about some of the
high-tech providers of chips out there and
computers, it could have multi-billion dollar consequences. And let's also not forget that
nation states have also been dabbling in the OT, the operational technology front. So things like
utilities and critical infrastructure providers, those nation states have the capability
to do destructive attacks, which could result in the loss of human life.
Now, what about for the smaller or mid-sized businesses? I think it's not unusual for them
to say, well, I don't really have much here. Why should I worry about nation states? You know, I don't have anything worth taking.
Well, you've got to have something. You may have personal information on
your employees. You may have information on your customers or on other organizations. And at the
very least, you could be a jumping point for cyber criminals or nation states to launch other attacks to which you could potentially be liable.
Yeah, you think about the target attack, you know, getting in through an HVAC contractor.
Even if you don't think you have anything, like you said, you could be the jumping off point for something beyond your own scale.
Exactly. And in certain countries, you could be liable for not having your security
up to snuff. All right. Well, it's good stuff to think about. Justin Harvey, thanks for joining us.
Thank you.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly
and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your
Thank you. Thanks for listening. We'll see you back here tomorrow. Thank you.
AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.