CyberWire Daily - Investigation, introspection, watchdogs, and leakers. The risk of collecting and storing data.
Episode Date: June 21, 2017
In today's podcast, we hear that nation-state influence operations against elections prompt investigation, introspection, and policy studies. We also hear about the implications of a major voter database exposure in the US, and about what might be done to mitigate such risks. Lancaster University's Awais Rashid shares research on security stakeholder biases. Arlen Frew from Nominum on small business vulnerabilities. Leaks from intelligence services seem to be inflicting collateral damage on Internet users as they find their way into criminal hands.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Nation-state influence operations against elections prompt investigation, introspection, and policy studies.
We hear about the implications of a major voter
database exposure in the U.S. and about what might be done to mitigate such risks. Leaks from
intelligence services seem to be inflicting collateral damage on Internet users as they
find their way into criminal hands. I'm Dave Bittner in Baltimore with your Cyber Wire summary for Wednesday, June 21, 2017.
Today's news involves consideration of nation-state cyber conflict.
U.S. Senators push the Department of Homeland Security to release a full report on its investigation into U.S. election influence operations.
Former Homeland Security Secretary Johnson calls for more federal assistance
with election security. New York State isn't waiting. Their governor has announced a major
statewide study of election security. One election-related incident is the exposure of a
voter database by Deep Root Analytics, disclosed last week. We heard from Cybernance, whose CEO
Mike Schultz shared his perspective on the incident.
The exposure occurred when the data were hung out on an Amazon S3 account.
This reminded us of another recent exposure, that of National Geospatial-Intelligence Agency sensitive but unclassified information,
similarly left out for inspection in S3 by an NGA contractor.
We asked Schultz, and he said the two incidents were coincidental but not surprising.
Quote, more than 80% of data breaches are a result of the breakdown of internal practices,
policies, process, and people.
End quote.
He thinks this most recent case probably shows a lack of executive commitment
to proper cybersecurity protocols.
If either contractor had applied the NIST cybersecurity framework to
this aspect of their practice, Schultz thinks, the exposures might not have occurred. He said,
quote, the federal government is finally beginning to lead the way through the latest
cybersecurity executive order requiring all federal agencies to assess cyber maturity
and report the gaps and remediation plans to OMB, alongside a new statement confirming agency heads will now
be held accountable in the case of a breach or attack, end quote. We assume that voter information
of the kind left exposed is largely a matter of public record. If that's so, why are we so
concerned about this exposure? Schultz told us, the expectation of privacy, a rational belief or
not, is part of the American foundation of voting and political freedom. The greatest risk for organizations is not the data itself, but how the data is strung
together. In one place, there might be an individual's name and address, along with
others who share the address, gun ownership, opinions about abortion, religion, and other
highly personal matters. However, the manipulation of that data to granularly segment society, segmentation of us-versus-them issues, groups, and categories of people, can be very unsettling and even illegal.
You cannot publish the name and address of a person with a license to carry a concealed handgun.
If an organization knows this information, they can target them to their benefit or detriment, which is not permitted in the U.S. No matter the purpose the data collector has at the time of collection,
there must exist a minimum moral obligation to apply effective controls
in the protection of individuals and their data.
But this exposure, while it shows the risks that come with big data,
shouldn't necessarily scare enterprises away from cloud services.
As Schultz puts it,
Most hosting companies have invested heavily in processes and policies
to provide the best data security available.
Typically, hosting companies have outstanding security,
oftentimes better than individual corporations.
This data circumstance was an internal failure
to adequately apply policy, process, and personnel training
to secure the data internally in this context for Deep Root Analytics.
It's akin to parking your car in the street and leaving the keys in the ignition, end quote.
At this stage of the investigation, it seems to Schultz that the problem lies with Deep Root Analytics' use of S3 cloud storage
and not with the Amazon service itself.
According to UpGuard's report of the discovery,
it appears the security controls for this data repository were
not activated. He drew two lessons from the incident. First, data should be collected with
ethical oversight and clear consideration of security. Second, hosting of and access to data
should be done under national standards for cybersecurity. We often speak of companies
having teams of IT and security professionals defending their networks round the clock, 24-7.
But what about small businesses, the mom-and-pop shops or one-off companies who lack the resources for a dedicated security team?
Arlen Frew is General Manager of Security Solutions and Applications at Nominum, a core DNS services company,
and he gave us an overview of the cybersecurity challenges small businesses
can face. The first and foremost is that they generally, by definition in their small size,
lack dedicated IT resources. So as more and more of the world is technically based and our
communication and business is more done on the internet these days, it's really just tough for a small business owner to keep up on literally what the latest exploits
and trends for the various bad actors on the Internet are.
And when they do get hit, do they get hit particularly hard relative to their size?
It can be. It can be devastating for a small business.
One of the biggest threats to small business these days is ransomware.
What they have found is that, when that happens, small business owners probably don't have really good backup systems, or even the technical skill to quickly and effectively recover the laptop from even a good backup. And so it's often more cost effective to simply pay the ransom, and some of the biggest security consultants in the world simply recommend, even from, you know, the FBI and NSA, it's like, look, you know, you should just pay the ransom if it's three, four hundred. You really need to value what your time is and the impact to your business of just having that machine out of
rotation. And it can affect more than just the person who downloaded the ransomware because it
can spread. It can spread to network devices and network drives. I know of small law firms, for instance, where you have three or four attorneys and all their machines are locked out for a period of time, which can be half a day, a full day. And it's just simply more cost effective to pay the ransom and move forward and take more protective actions going forward than try to roll it back. That's a very concrete example of why it's impactful for small businesses.
And so what are your recommendations for small businesses to protect themselves?
Multiple.
I think that first and foremost is get some visibility.
And by that, I mean some kind of capability of generating a report of what is happening
on your network, what devices are
connected, what they're connecting to. And that's especially true as more and more of our business is done on the internet: what applications is your phone pinging out to, and your laptop, and all the other various devices that are on our networks today? Where are they going? Just that pure visibility of understanding that traffic goes a long way towards helping people build very simple,
but very effective control mechanisms on where traffic should or should not be going. So
they say sunlight is often the best disinfectant. And that's, I think, a good place to start is get some good reporting. Two is kind of up-level your game in terms of just understanding that a lot of links are bad.
The statistics I've seen lately, upwards of 30% of links in emails are somehow related to malware. Be aware that if you don't know the source of that email sender explicitly, you know, not clicking on something would probably be the best course of action, just in general.
And then third, I think you really try to get an understanding of what's available in terms of security products and software that can protect your endpoints and everything that's connected to your network. So there are tools and products that are available today that can work at a level that's very easy to maintain, very easy to deploy, and it really doesn't take a lot of technical knowledge or technical skill to run them pretty effectively.
The Internet is more and more a part of our lives.
We do a majority of our communication via the internet.
Small businesses are doing most of their business on the internet.
And whether that's their accounting or their purchasing, everything is really in the kind of the digital domain these days.
You know, fortunately, unfortunately, all the power and convenience and goodness that comes from being so connected also means that there's a level of risk in those connections as well that bad actors are learning to take advantage of.
So I think the important thing is just awareness: every time you're on the Internet, you need to be aware of what you're doing and why you're doing it. I think as more and more people in our lives continue to move in that direction, it's just going to require a greater
amount of diligence on a business owner's personal level. That's Arlen Frew from Nominum.
The U.S. Congress also wants some answers about what appear to be, and are generally regarded as,
leaks from within the U.S. intelligence community.
The House Armed Services Committee is looking into establishing closer oversight of the intelligence community,
particularly with respect to cyber operations.
NSA itself seems likely to receive an enhanced Inspector General's Office
as the agency responds to a Defense Department investigation into past leaks, including progress made since the Edward Snowden affair.
Leaks from U.S. agencies are also regarded as having produced significant collateral damage
as tools and information found their way into criminal hands.
Dr. Web, for one, is tracking the progress of such tools
as they're used to infect machines with Bitcoin mining software.
Trustwave has released its 2017 Global Security Report, which looks back at the past year's
security trends. There's some good news. Enterprises are detecting intrusions faster,
for example, but more trends are negative than positive.
And I'm pleased to be joined once again by Professor Awais Rashid.
He heads the Academic Center of Excellence in Cybersecurity Research at Lancaster University.
Professor, welcome back. You know, I think when a security expert comes to a board of directors with advice, generally that board is going to take that advice. That, after all, is what the security
person was hired for. But you all have been doing some research that shows that perhaps maybe they
shouldn't think so fast. Yes, I mean, so I'm not suggesting, of course,
that boards of directors should not listen to security experts,
but the research that we have been doing
looks at how different stakeholder groups
within an organization approach security decisions
and what are the perhaps tacit biases
that underpin those decisions,
because that helps us understand the how and the why
behind security decision processes.
So what we actually did was we designed a tabletop game.
It's effectively a Lego board where people are charged with protecting a cyber-physical environment,
basically a small utility company.
And we've been playing this game with homogenous groups of players.
So some are groups of security experts, some are managers, and some are regular IT people,
and studying their decision processes
and how they come up with the various decisions
and do they always make good decisions.
What we've found, very interestingly,
is that the security experts are not, ipso facto,
better at making security decisions.
In some cases, they make very questionable decisions
because they are often attracted by the big shiny box, the best technology, when sometimes simpler approaches,
such as providing appropriate security training and awareness to your staff, can be a much better
alternative. What we learn from this is that different stakeholders within an organization
tend to have their own biases. And sometimes, you know, listening to others in an organization can actually tell you more about the security problems or potential vulnerabilities that you may have to tackle as a security expert than just simply relying on your own judgment and background experience.
Professor Awais Rashid, thanks again for joining us.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner.
Thanks for listening.