CyberWire Daily - Log4j updates, including one deadline. Other, non-Log4j, challenges. RSAC postpones itself until June. A German court awards pain-and-suffering damages in a breach case.
Episode Date: December 23, 2021
An update of where things stand with respect to the Log4j vulnerabilities, and a reminder that there are other matters to attend to as well. RSAC postpones its annual security shindig to June, hoping to avoid the COVID. A German court awards pain-and-suffering damages for a data breach. Carole Theriault looks at hiring challenges in cyber. Robert M. Lee from Dragos with insights from his own entrepreneurial journey. And a new start-up seeks to take lemons and make them into lemonade. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/245
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
An update of where things stand with respect to the log4j vulnerabilities and a reminder that there are other matters to attend to as well.
RSAC postpones its annual security shindig to June, hoping to avoid the COVID.
A German court awards pain-and-suffering damages for a data breach.
Carole Theriault looks at hiring challenges in cyber.
Robert M. Lee from Dragos with insights from his own entrepreneurial journey,
and a new startup seeks to take lemons and make them into lemonade.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire
summary for Thursday, December 23rd, 2021.
The Five Eyes, Australia, Canada, New Zealand, the United Kingdom, and the United States
have updated their guidance on mitigating the risk Log4J vulnerabilities pose.
Their high-level advice has remained pretty stable.
They recommend identifying assets affected by Log4Shell and other Log4J-related vulnerabilities,
upgrading Log4J assets and affected products to the latest version as soon as patches are available
and remaining alert to vendor software updates,
and initiating hunt and incident response procedures to detect possible Log4J exploitation.
They offer details on how to do all three of those things.
Today is the deadline for U.S. federal civilian agencies to mitigate Log4J vulnerabilities
in compliance with the Cybersecurity and Infrastructure Security Agency's Emergency
Directive 22-02. The first deadline falls at 5 p.m. Eastern Standard Time today.
We're not going to list the requirements verbatim here, but they include enumerating solution stacks,
evaluating and updating software assets, mitigating risks, and, when affected software is identified, assuming compromise.
CISA encourages all organizations to take similar steps.
This, as we mentioned, is the first deadline.
The second one arrives at 5 p.m. next Wednesday when the U.S.
federal civilian agencies under CISA's supervision are to report on the affected applications they've
found and to confirm, quote, that your agency's internet accessible IP addresses on file with
CISA are up to date as required by CISA Binding Operational Directive 19-02, end quote.
CISA has also published an open-source scanner designed to detect Log4J vulnerabilities,
quote, this tool is intended to help organizations identify potentially vulnerable web services
affected by the Log4J vulnerabilities, end quote.
The scanner was developed from a variety of other open-source
tools developed in response to the discovery and disclosure of Log4J issues. It's available on
GitHub. Engineers at online retailer Alibaba were the ones who discovered and disclosed Log4Shell,
but Chinese authorities have taken issue with the way Alibaba disclosed it.
The Ministry of Industry and Information Technology has suspended its data-sharing
agreement with Alibaba Cloud, to be lifted, Reuters reports, in six months if Alibaba
mends its ways. The South China Morning Post explains that while disclosing vulnerabilities to vendors first
has long been the normal industry practice, a new law encourages Chinese companies to share
such discoveries first with the Chinese government. Reuters suggests that such
encouragement is of a piece with Beijing's policy of bringing IT infrastructure under
government control. The Wall Street Journal's brief account of why that courtesy we've come to call responsible disclosure
has become an industry norm is clear.
Quote,
Cybersecurity experts say the general etiquette for researchers who find software flaws
is to privately report the vulnerabilities to developers who can fix the issues.
Making software flaws or updates
public before such patches are in place can set off a race among hackers to take advantage of
such issues, end quote. The Conti ransomware gang is actively exploiting Log4Shell. VentureBeat
quotes AdvIntel to the effect that signs point to a useful diversification,
useful from Conti's point of view, in the gang's arsenal.
TechRepublic reminds its readers that Conti's style is the now-familiar double extortion attack,
steal the data, render the data inaccessible to its owners,
and threaten to both withhold decryption and release stolen files unless
the victims pay up. With all the attention Log4J issues are rightly receiving, it's worth recalling
that other vulnerabilities continue to undergo exploitation. Nation-state intelligence services
remain active and persistent. IT World Canada cites Mandiant to the effect that Nobelium, famous
over the past year for having hit the now-fixed issues in SolarWinds, has maintained its high
op tempo. APT29 has compromised multiple technology solutions, services, and reseller
companies since 2020. Nobelium is also known as APT29, Cozy Bear, Russia's foreign
intelligence service, the SVR, according to MITRE's ATT&CK scorecard. Positive Security has reported
discovering four vulnerabilities in Microsoft Teams. Quote, the vulnerabilities allow accessing
internal Microsoft services, spoofing the link preview,
and for Android users, leaking their IP address and DoSing their Teams apps and channels.
End quote.
Bleeping Computer says that Microsoft has considered the severity of the reported vulnerabilities
and concluded that they don't represent an immediate risk that requires urgent remediation.
They'll be addressed in due time.
We note in disclosure that Microsoft is a CyberWire partner.
Concerns over COVID have postponed the annual RSA conference until June.
An email from the cybersecurity conference's organizers said,
quote, in the interest of the health and safety of our community, RSA Conference has made the difficult decision to move RSAC 2022 from February 22 to June 6 through the 9th, 2022,
end quote. By then, the organizers hope it will be possible to hold their customary in-person
event in San Francisco. We hope so too. It's nice to see you all there.
It may be a first for Europe, J.D. Supra writes, and it's surely unusual. A German court has awarded a plaintiff damages in the amount of 2,500 euros for pain and suffering experienced
as the result of a data breach. Finally, is America a great country or what? It's the land of second
chances where you can put up a shingle and blammo, you're in business. Hey, we did it.
So consider, if you will, the career of Mr. Peter Levashov, who gives us an appropriate
Hallmark moment in which to close out our podcasting year. You may remember Mr. Levashov
as the self-proclaimed spam king, a Russian hoodlum who was incautious enough to vacation
in Spain, which has a good extradition treaty with the U.S. While there, Spanish authorities
arrested him on a U.S. warrant and, after a hearing, extradited him stateside, where he
copped a guilty plea to charges that included
wire fraud and aggravated identity theft. In July, a U.S. federal judge sentenced him to time served
plus three years supervised release, which is far short of the torment and death Mr. Levashov told
the Spanish magistrate he faced if he were to be turned over to the Americans.
Anyhoo, Time Magazine reports that Mr. Levashov, now living it up in New Haven, Connecticut,
says he's seen the error of his ways, gone straight, and given up hacking.
He's working on a new venture, a startup he calls SeveraDAO, a fintech outfit working on an automated approach to stock picking. He said, quote,
the U.S. government gave me lemons. I'm selling the lemonade. He looks happy in the photograph,
as he should be, since we hear New Haven is nicer than, say, Chelyabinsk. And good luck to him in
his new life. May he be happy and not defraud anyone. We won't be customers, but we'll lift a glass of
lemonade to him. And speaking of celebration, this episode closes out our regular 2021 podcasting
season. We'll have plenty of extras for you next week to amuse and inform, so don't be a stranger,
and we'll be back to our usual schedule on January 3rd. As tomorrow is Christmas Eve, we end with holiday
wishes to all of you. May Santa Claus or Ded Moroz be good to you, and may your year end with
happiness, health, and prosperity that carries forward into 2022. And now, feds, get patching.
If you're not done by five o'clock, Director Easterly will have you on the naughty list.
like right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks. But get this,
more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
The hiring situation in cybersecurity remains complicated.
On the one hand, you've got organizations desperate to hire qualified candidates.
On the other hand, you've got qualified candidates lamenting the fact that so many job listings include unrealistic requirements for entry-level jobs. So why all the confusion? Our UK correspondent
Carole Theriault has this report. Being employed in cybersecurity can be exciting, engaging,
lucrative, and yet there's a global shortage of expertise. Around the world, we are hearing the call for cybersecurity king
and queen pins to make themselves known. Now, it's not down to a lack of interest,
and there have been strong drives to get the next generations to think of cybersecurity as
a viable career opportunity. In fact, the number of graduates in cyber is apparently set to double
in the next two years in the EU alone. But ENISA, the EU's transnational cybersecurity agency,
has raised a flag and said that despite a doubling of the number of graduates
in the next two years, the problem will not be resolved.
Meanwhile, over the pond in the US,
the Department of Homeland Security has just launched
its cybersecurity talent management system, CTMS,
and its job is to help recruit, develop, and retain cybersecurity pros.
Microsoft also announced a campaign to bring 250,000 more people
into the U.S. cybersecurity industry by 2025
by offering colleges and students alike the support they need to enter the field.
So what is the problem?
Why is there a shortage of cybersecurity good folk out there?
According to PCMag, one third of America's cybersecurity-related jobs remain unfilled
due to lack of qualified applicants, even though some of those positions offer six figure salaries.
So lack of training seems to be an issue even for the top level jobs. And here's my two pence view
here. Organizations, especially
those entrenched in the digital world, are ever more reliant on algorithms to help with the
recruiting process. That means a human might only see the shortlist of candidates who meet every single criterion.
And in entry-level positions, jobs often require several years of work experience, proficiency in
multiple programming languages, and prior involvement in online security communities. I mean, how is a typical new
graduate supposed to have all these qualifications? Not everyone can do a degree, get advanced
certifications, work experience, and provide three references of past work. Or if you're looking at a
more senior role, the same problem can happen. You might not have all the exact qualifications listed in the job description, and the algorithm dumped you.
Now, if you're looking to work alongside a gaggle of other cybersecurity folks,
maybe in a cybersecurity company that builds tools to protect others,
training opportunities might exist in-house.
Plus, there are oodles of people on hand to help the recruiter write a sensible job description.
What if you're looking to be hired in a company
outside the cyber world?
The HR team won't necessarily know
what you need to know in order to do the job.
So they may get an external affiliate,
and that external affiliate might pile on
a lot of different requirements in a CMA sort of way.
My rather long-winded point here is that the job description and the AI used to sort the wheat from the chaff
in terms of candidates might actually be compounding the problem. To those of you out there
looking for people with cybersecurity chops: review your job descriptions, people.
Remember that good, smart people
who are engaged and excited to learn
may be exactly the kind of people
that you want looking after your cybersecurity.
So they may not have all the nous right now,
but once trained, they'll be unstoppable.
And so will you.
This was Carole Theriault for the CyberWire.
It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And I'm pleased to be joined once again by Robert M. Lee.
He is the CEO at Dragos.
Rob, it's always great to have you back.
You all recently completed your D round of funding.
And I have to say, I remember, I think I first crossed paths with you back when it was just a handful of you and your colleagues in the DataTribe incubator.
Oh, how far you've come.
Congratulations on all of your success.
I thought you would have screwed it up by now.
I mean, of all people.
Yeah, really, of all people.
I really would have thought it would have been someone else.
But congratulations on all of your success.
But I was hoping we could get some insights from you.
One of the things I appreciate
about our conversations is what a straight shooter you are. So a D round, what does that mean in terms
of where a company like yours stands and what you hope to do by bringing on the funding that is,
you know, there's two sides to that, right? From what it normally means for a company in general,
as you well know and on your own journey,
the seed to A is, hey, we've got a good idea.
We think there's a market there.
We want to put something towards it.
The B, maybe even the C round is,
hey, we've got product market fit.
Let's start building out the sales teams.
Let's go after this.
I think it's happening.
By the time that you get to a D and you haven't been taken out or acquired yet or something like that,
which I still also think a lot of people have misconceptions.
I get that question all the time.
Why isn't Dragos gone and acquired?
Because we don't want to be.
By the time you get to the D round,
that is a signal.
This is a huge market.
This is a huge opportunity.
We've got great traction.
We can pour the proverbial fuel on the fire.
I think people hear an A round,
like, oh, we're pouring fuel on the fire.
Like, what fuel? What fire?
You've got a lot of work to do ahead of you.
But the D round is, okay, we're there.
And I think that this is a large enough market
to go and do something like an initial public offering
or an IPO.
And for us, we were very fortunate
to not only have Koch Industries,
who was in our C round,
has been phenomenal partners for us,
but also have BlackRock come in and lead.
And when you look at what that means and what it means to me,
there's been so many companies out there
that have downplayed OT,
this operational technology
or industrial control systems discussion.
Every single turn of the corner
for the last decade,
we've been told by people
how it's irrelevant or it's going away
or, oh, there's this IT-OT convergence thing
as some crappy excuse on not to do it.
There's always some reason, oh, you can't make it happen,
oh, the asset owners and operators don't care enough to move,
blah, blah, blah, blah.
And I think we've been able to show that's not true,
but when BlackRock comes in,
they're the largest investor in the world
and over $9 trillion under management.
When they come in, it's a statement.
This is a huge market opportunity.
And yeah, this whole OT thing is something
that's not only worth doing,
but it's the right thing to do and it's valuable.
And so anyways, I was very excited about
what that says for the entirety of the market,
not just the Dragoses of the world.
And I think we're very fortunate
to have those type of players around the table
so that on our journey, we've got the stability
and ability to go where we want to go,
which to me is being as independent
and sticking around as long term as possible
there's no scenario where I don't want to be protecting people
and safeguarding civilization
so yeah, that's what it meant for us
and yeah, the resources are all about doing
more of the same, building out the teams, doing more internationally. We had our office open in
Melbourne, got our office opening in Dubai and Riyadh. You know, it's just, you want in UK,
it's just about hitting the global community. What about the obligations that come with taking
on that kind of investment? How does that affect the day-to-day running of the company?
Yeah, so nothing management-wise changes.
And this is another thing that's hard for people to understand
outside these companies.
I always get questions like, when do you lose control?
Or like there is control to be had for the first question.
That assumes there's some control on this.
But what we've always been is governed by our board,
myself included, where we think thoughtfully together about the path we want to go down
and we get consensus in doing that.
And so none of that changes.
Even the D round didn't add a new board member.
We've been doing really well.
And so if you start a company and you have a lot of promises
but not a lot of delivery,
you're going to make some concessions in those term sheets
and the terms you sign.
If you're a company that's doing really well
and your customers have your back,
you don't have to make a lot of concessions.
For us, we've always been very fortunate
to have a clean path ahead of us
and nothing management-wise changes.
The obligation changes a little bit.
When you're taking a $200 million loan,
because that's how I view it,
when you're taking a $200 million loan,
you're telling that person,
hey, the market is so big, we're so capable,
we're so dedicated that we can return
3 to 10x on your loan for you
and it'd still be a good investment
for the company to go and scale.
I want to say it's no different, but it really is.
It's just an increase in the obligation to you,
your employees, your customers,
making sure that you've got to be in it for the long haul.
And a lot of companies start out with a good vision
and belief when you get into year five, six, seven years of that journey, it can be taxing.
And you've got to be fully dedicated when you're doing those numbers and those goals
and recruiting a bunch of people onto your staff.
We've got like 400 people now on the team.
It's just a commitment.
Do you ever find that you have to pinch yourself and take stock when you had this seed of an idea way back when
and here you are with this success, this scale?
It seems like you're onto something, right?
Maybe.
I don't know.
I'm very fortunate that we've been able to recruit the people we have. And so I think there's probably too much
credence given, if that's the right word,
too much credibility given to founders of tech companies.
Oh, look at the founder.
Oh my gosh.
Obviously I'm biased.
I obviously believed in this thing.
I wouldn't have started it.
I'm probably the one that can't see the best. My bias tells me that, of course, this needs done. So for me to be able
to recruit the type of quality of people that we have that come in and go, no, no, I see it too.
And I'm not as biased, but I see this needs to get done and this is important and I believe in this.
To me, that's the humbling factor. To me, that's the pinch yourself, like, wow,
look at the people we've been able to recruit
look at the customers that have come along with us on that journey
I think the series D
and the money raised is more of the
validation after the fact
and less the exciting piece of it
with no offense of course to the investors
Well, interesting insights as always.
Rob, thanks so much for joining us.
And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The Cyber Wire podcast is proudly produced in Maryland out of the
startup studios of DataTribe, where they're co-building the next generation of cybersecurity
teams and technologies. Our amazing Cyber Wire team is Elliot Peltzman, Trey Hester, Brandon Karp,
Eliana White, Puru Prakash, Justin Sabey, Tim Nodar, Joe Kerrigan, Carole Theriault, Ben Yellen,
Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard,
Thanks for listening.
We'll see you back here next year. Thank you.
practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo,
you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents
connect, prepare, and automate your data workflows, helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at
ai.domo.com. That's ai.domo.com.