CyberWire Daily - Equifax agonistes. Kaspersky denies his company's a security risk. Political database for sale found exposed. Trolling the DCI.

Episode Date: September 15, 2017

In today's podcast, we hear about how Equifax continues to struggle in the quicksand of wayward patching and clumsy incident response. Congress, the FTC, the CFPB, and DoNotPay are all taking an interest. Another unsecured database—this one for sale to political campaigns—is found (Alaska voters are affected). Kaspersky says his company is a bystander that's been hit in the Russo-American political crossfire. The US Navy continues to investigate the USS McCain collision. Justin Harvey from Accenture on what it's like to be on an incident response team. Luke Beeson from BT on the challenges such a large organization faces protecting themselves and their clients. And Harvard decides Manning won't be a Kennedy School Fellow after all.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Equifax continues to struggle in the quicksand of wayward patching and clumsy incident response. Congress, the FTC, the CFPB, and Do Not Pay are all taking an interest. Another unsecured database, this one for sale to political campaigns, is found, and Alaska voters are affected. Kaspersky says his company is a bystander that's been hit in
Starting point is 00:02:16 the Russo-American political crossfire. The U.S. Navy continues to investigate the USS McCain collision, and Harvard decides Manning won't be a Kennedy School fellow after all. I'm Dave Bittner in Baltimore with your CyberWire summary for Friday, September 15, 2017. The Equifax breach grows progressively uglier as the company confirms that a known but unpatched Apache Struts vulnerability lies at the root of the data theft it disclosed last week. The patch isn't an easy one to apply. Doing so would require rebuilding buggy Struts versions and testing them to ensure that the fix doesn't harm any necessary functionality.
Starting point is 00:03:01 But observers tend to think that a well-resourced organization dependent upon the security of the data it holds should have been able to manage. General outrage continues to mount, as Equifax's incident response and consequent consumer service have not impressed the millions of people affected by the hack. People complain of having been unable to get help freezing their credit when they've phoned the company. Those who've reached the credit freeze pages of Equifax's website report a variety of glitches and security problems. Some people had difficulty uploading the documents necessary to prove their identity, and post-breach were queasy about giving the credit bureau any more data.
Starting point is 00:03:45 One complaint said the screen that was supposed to display the PIN that would enable you to unfreeze your credit simply went blank, thus leaving one with, apparently, a permanently frozen account. Another got the PIN but noticed that instead of being randomly generated, it was simply a numerical representation of the date. That's, of course, an easy PIN to guess. People also have their noses out of joint about the companies having charged them for imposing a freeze. Equifax decided late Wednesday to waive those fees and has indicated that people who paid them can have a refund. No word yet on how many disgruntled customers are turning to the robo-lawyers of Do Not Pay for Representation in Small Claims Court, but people aren't happy.
Starting point is 00:04:23 Many are calling for regulations to prevent another breach of this magnitude. Security expert Bruce Schneier, for one, thinks this isn't the sort of problem for which there's a market solution. The market is good at solving problems between buyers and sellers, but that's not what's going on in this case. We've spoken of consumer data and consumer service as opposed to customer data and service because the people
Starting point is 00:04:45 affected by the breach aren't Equifax customers. They are, as Schneier puts it, Equifax's product, or more precisely, information about them is Equifax's product. Equifax's customers are businesses engaged in assessing the kind of credit risk individuals they might do business with pose. The Federal Trade Commission has, as expected, opened an investigation into the incident, and that's not good news for Equifax, as the FTC is notoriously one of the more aggressive and punitive regulatory bodies in the U.S. federal landscape. It's unusual for the FTC to announce that it's begun an investigation. The Consumer Financial Protection Bureau
Starting point is 00:05:25 has also begun its own investigation. There's another problem with a misconfigured cloud database. This one, a CouchDB database, was found openly accessible on the web, not even a password needed, where it stayed until it was secured and taken offline Monday. Discovered by security researchers at Kromtech, which has been finding a lot of these lately,
Starting point is 00:05:47 the database was compiled by TargetSmart, a political campaign data broker. The compromised information includes name, address, date of birth, ethnicity, marital status, voting preferences, political issues, and causes an individual might be lobbied on, the ages of a person's children, if any, household income, and whether or not the voter is a homeowner.
Starting point is 00:06:08 TargetSmart says it's not to blame. A third party that licensed some of the data from TargetSmart, Equals 3, is the outfit that exposed the information. Returning to Congress, another executive who will be testifying there under challenging but possibly less hostile conditions is Eugene Kaspersky. The Russian-based security software company that bears his name was this week the subject of a binding operational directive from the Department of Homeland Security, giving the executive branch as a whole, and remember, that's the really big branch of the federal government,
Starting point is 00:06:41 90 days to find any Kaspersky software they may have and get it off their networks. This follows months of quiet FBI warnings, removal of Kaspersky from some federal contracting vehicles, and the decision by Best Buy to no longer carry Kaspersky's consumer and small business security tools. The DHS directive is based on its assessment that the Russian company poses a risk. The text of the directive is brief and terse, but it emphasizes that Russian law requires Russian companies to cooperate as directed with Russian intelligence and security services. Kaspersky himself says the hostile scrutiny he's received is unwarranted and that he's simply caught in the crossfire of a Russo-American geopolitical shootout.
Starting point is 00:07:25 The U.S. Navy has dispatched a cyber investigation team to look into the USS McCain's collision with a merchant ship near Singapore. No evidence of hacking is so far known, but absence of evidence isn't yet being taken as evidence of absence. WikiLeaks is doing some trolling of U.S. DCI Pompeo over Pompeo's complaint to Harvard that the university's offer of a Kennedy School fellowship to Chelsea Manning disgracefully honored someone who betrayed the U.S. and the warrior ethos. WikiLeaks' Assange thinks the outrage is selective. Harvard has since rescinded the offer, the withdrawal accompanied
Starting point is 00:08:03 by a statement from the dean that it didn't realize a fellowship would be perceived as an honor. Assange's trolling gets some enthusiastic meta-trolling from RT, the news organization formerly known as Russia Today. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life.
Starting point is 00:08:32 You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility
Starting point is 00:09:12 into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. In a darkly comedic look at motherhood
Starting point is 00:09:59 and society's expectations, Academy Award-nominated Amy Adams stars as a passionate artist who puts her career on hold to stay home with her young son. But her maternal instincts take a wild and surreal turn as she discovers the best yet fiercest part of herself. Based on the acclaimed novel, Night Bitch is a thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Night Bitch January 24 only on Disney+.
Starting point is 00:10:25 And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk.
Starting point is 00:10:53 In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. And joining me once again is Justin Harvey. He's the Global Incident Response Leader at Accenture. Justin, welcome back. We wanted to take a little different approach to things today. We wanted to sort of take a look behind the scenes. Share what is it like a day in the life of an incident response team? What can you tell us about that? Well, a day in the life of an incident responder is there are some similarities between working as an incident responder for a major corporation or the government and working as an incident responder for Accenture, for a consulting organization. The similarities are that both of the roles,
Starting point is 00:11:53 both consulting and a corporate-based role, are focused on responding to the latest threats that organizations face. And an incident response job is stressful. It is moving from one cyber attack, from one cyber incident to another. How should I put this? They're a skilled trade, meaning it's much like detectives for a police department, whereas you don't see very many rookie detectives. You see detectives who have spent 5, 10, 15, 20 years as beat cops and they move to be a detective. And it's the same thing with incident response. It's very difficult to go out and get the necessary training without having a lot of experience under your belt. One of the true differences between doing incident response for a company versus a consulting company is that you're exposed to many more environments and you really don't
Starting point is 00:12:53 know what you're getting into from a consulting angle. But both of these types of roles, regardless of who you work for, you always have to be prepared to respond to basically any type of incident. I'm not sure if you know this, Dave, but all incidents happen on Fridays after five o'clock before a three-day weekend. So incident responders have to be very agile or they have to be flexible from their time perspective. Many weekends are spent working on problems. And then the last thing I would say would be not all of us or not all incident responders are always working on an incident. So you have to fill your time with activities that are either increasing your knowledge of the threats that are out there
Starting point is 00:13:42 or doing threat hunting, essentially looking for the next incident to respond to. Yeah, I was going to ask you about that, about the notion of is it purely reactive or is there a proactive side to it as well? Yeah, the proactive side to incident response is threat hunting. And it is a great means of operating what we call in a continuous response manner. Meaning if we are to embrace the adage, breaches are inevitable, then organizations need to get better and faster at finding the next incident or the next breach. And therefore, the incident response team has the necessary skills, they've got the access, and they also have the methodology in order to find those threats. A threat hunt program could be searching for anomalous or suspicious activity within a SIEM, indicators of compromise from open source intelligence or closed source intelligence and scanning your organization's endpoints, or it could just simply be working through
Starting point is 00:14:51 the existing caseload and looking for the stuff that doesn't add up. All right. Interesting stuff. It takes a special certain kind of personality, I guess, to succeed, to thrive as a member of an incident response team. But glad you guys are out there. Justin Harvey, thanks for joining us. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Starting point is 00:15:40 Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. My guest today is Luke Beeson. Luke Beeson. He's the Vice President for Security in the UK and continental Europe at BT in London, leading a team who delivers their cybersecurity services to customers while protecting BT's own systems as well. We began our conversation discussing the challenges a large organization like BT faces when it comes to protecting themselves and their clients. When you're a company with over 100,000 employees and you're operating across 180 countries, remaining nimble, keeping agile can be difficult. One of the things we've done which has helped greatly is we've tried to embrace new technology and we've done that through something called our Cyber Assessment Lab. We have a team of people in our research and development center here in the UK in Ipswich, and they are constantly testing and evaluating new security technology.
Starting point is 00:16:53 And we're then bringing that to play in BT when we deem it appropriate and when we think the technology has reached a maturity level that we can deploy it. So that's from a technology perspective, that's what we're doing. But we're too quick to talk about technology and security. So we should also talk about people. So from a people perspective, we're investing heavily in bringing in new recruits, specifically new apprentices, so school leavers who have an aptitude and a way of thinking that we think fits well in cybersecurity, and also graduates, fresh graduates. So we're starting to very much build our own human intelligence and human capability.
Starting point is 00:17:32 I think it's really important that we focus on the people side of security as much as we do on the technology side, because ultimately this is a people problem and we need people to help solve it. So, yeah, a focus on new intake and improving the skill set is really important as well. If we made cars in the same way that we made cars 100 years ago, for sure we'd have a skills shortage of car makers. But what we've done, of course, is we've evolved how we make cars and actually we've introduced a lot of automation and robotics
Starting point is 00:18:00 and we don't need so many people to make cars. And I think the skills shortage that we will talk about in the security domain, no doubt it's a problem, particularly at the very high end of the skill set, but I do believe that a combination of upskilling of existing resource and better orchestration and automation, as we described earlier, probably ultimately holds the answer. So I don't think necessarily the answer is getting hundreds and hundreds and thousands and thousands of more people doing computer science degrees, as much as I'd like that to happen. I think it's probably a combination of that and more orchestration and automation. How do you personally prioritize your responses to the various indicators that come in? When your team comes to you and says, you know,
Starting point is 00:18:44 these are the things that are happening in our network, you know, to our customers, what's your process for choosing what demands your immediate attention? Yeah, so for us and for our customers, we would go through a process of understanding the critical aspects and invariably in information security, that's applications. So we would use that as a taxonomy to then prioritize indicators. So, for example, if we saw a significant threat against our beauty sport platform and there was about to be a live football, or I should say soccer match on, we would jump on that right away.
Starting point is 00:19:21 So it's a combination of operational imperatives and understanding what your critical assets are and using that to prioritize the indicators. And we do exactly the same with our customers. So we'd sit down with our customers for a day or longer if it was required to really understand what it is that's crucial to keep their business running. And then if we start to see threats or indicators against those particular assets. What sort of general advice do you have for those who are in the cybersecurity business? From the vantage point that you have with BT, what sort of advice would you give for those who are out there fighting the good fight every day, trying to protect themselves
Starting point is 00:20:00 and their customers? I think, and this might sound counterintuitive, but I would urge people to try to achieve simplicity. I think in the security domain, we are very good at overcomplicating situation. And granted, sometimes it can be very complicated. But in my experience, keeping things very simple, focusing in on your most critical assets, very simple, focusing in on your most critical assets, being very clear about the impact of any particular incident so that it gets a proportionate response, and really bringing things down to their core components to keep them simple
Starting point is 00:20:35 and keep it in the language of the organization that you're working within. So it makes sense. And we always talk about security or cybersecurity being a board level agenda item. It might well be, but if we're speaking a different language to the board, then we're going to quite quickly get out of alignment. So I think it's about simplicity. It's about speaking the language of the organization that you're working in. And it's about focusing in on outcomes to make the organization more secure. Our thanks to Luke Beeson for joining us, and thanks to Joel Hare from BT for coordinating
Starting point is 00:21:08 the call from the other side of the pond. You can hear more of my conversation with Luke Beeson on an upcoming episode of the Recorded Future podcast that'll post this coming Monday. Among the topics we discuss is the effect the upcoming GDPR regulations may have on BT and other organizations around the world. So do check that out. And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers.
Starting point is 00:21:49 I'm Dave Bittner. Thanks for listening. Your business needs AI solutions that are not only ambitious, Thank you. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
