CyberWire Daily - NSA says it warned France of election influence ops. Deterrence and retaliatory capability. SLocky ransomware rising. Patch Tuesday. FBI Director Comey dismissed.
Episode Date: May 10, 2017
In today's podcast, we hear that NSA says it warned its French counterparts about Russian cyber ops targeting France's elections. Next up for Fancy Bear? Probably German elections, but in the meantime... there's also some phishing with zero-days. The NSA Director also advocates calling out Russia for bad behavior in cyberspace, and says that US Cyber Command is ready and able to hold targets at risk, so deterrence and retaliation are available options. Microsoft, Adobe, and Cisco issued significant patches yesterday. Accenture Labs' Malek Ben Salem shares results from their security survey. Rohit Sethi from Security Compass outlines managing application security. And President Trump has told the FBI Director, "you're fired."
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
NSA says it warned its French counterparts about Russian cyber-ops targeting France's elections.
Next up for Fancy Bear, probably German elections,
but in the meantime, there's also some phishing with zero-days.
The NSA director also advocates calling out Russia for bad behavior in cyberspace
and says that U.S. Cyber Command is ready and able to hold targets at risk,
so deterrence and retaliation are available options.
Microsoft, Adobe, and Cisco issued significant patches yesterday.
We learn about managing application security.
And President Trump told the FBI director, you're fired.
Oh, we went there.
I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, May 10, 2017.
We open with some news about l'affaire Macron
and the just-concluded French presidential election.
U.S. NSA and CYBERCOM head Admiral Michael Rogers
told Congress yesterday that Russian actors
penetrated French election infrastructure
and that NSA tipped off its French counterparts
that the Russians were actively targeting their political system.
Rogers also noted that NSA tipped off the FBI in the summer of 2015
that the Russian intelligence services were seeking to meddle in U.S. elections.
Infrastructure was left vague, but most read it as referring to the now well-known compromise
and release of En Marche emails. And again, it's worth noting that nothing particularly scandalous
has emerged from the emails dumped so far. Observers believe the Russian services are
turning their principal attention to September's German federal elections. Why not the upcoming
British general elections, called for June? Because the long-term Russian goal is thought
to be disruption of the European Union, and Brexit has made that moot with respect to the UK. Still, British authorities aren't complacent and are preparing
for hacking and influence operations over the next month. Admiral Rogers also urged public
confrontation of Russia over its cyber activities. He said, "In the case of the Russians,
we need to publicly out this behavior. We need to have a public discourse on this." In response to questions from Senator McCain, Rogers outlined a worst-case cyber attack,
describing it as outright destructive attacks focused on some aspects of critical infrastructure
and data manipulation on a massive scale.
He supported splitting NSA from U.S. Cyber Command with an independent command
receiving appropriate budget and acquisition authorities. As it stands now, Admiral Rogers
assured Congress that Cyber Command's cyber mission forces are ready to hold targets at risk
and that their ability to do so is increasing steadily, which sounds like an announcement of
a retaliatory and thus a deterrent capability.
What else have the bears been up to? Well, Slovakia-based security firm
ESET has been tracking Sednit, aka Fancy Bear, aka Russia's GRU, for some time. During the time
Fancy Bear was believed to have been rummaging through En Marche email servers, Fancy was also distributing two zero-days in phishing emails.
The phish bait had a "Trump's attack on Syria" theme.
Microsoft fixed both vulnerabilities in yesterday's Patch Tuesday.
In addition to the Microsoft patches,
Adobe yesterday addressed seven issues in Flash Player,
and Cisco closed the Vault 7 zero-day affecting a number of its switch models.
Many companies place a high priority on application security, especially financial
institutions. Rohit Sethi is COO at Security Compass, where they recently published results
from a research project looking at managing application security.
The general thesis of the report, or premise of the report,
is that we wanted to see what are organizations doing
to scale their application security programs effectively.
See, we have been working in the application security
and secure software development lifecycle space for a number of years.
What we found is that there were a number of best practice frameworks that were quite exhaustive
in the number of controls that they would ask people to do
or specify.
And what we saw at the ground though,
is that it was a real struggle for most large organizations
to do most of these activities.
And there were really only a handful
that were scaling effectively.
And we wanted to bring light to that, but also get a better understanding of how this differs between industries.
So take us through some of the key findings.
You know, we asked questions in a couple of different areas.
We had strategy sort of related questions and we had technical questions.
And in the strategy related questions, you know, I would say that sort of the top finding was around metrics. And there's a
saying that what's measured matters. The numbers are sort of what drive behavior, and it makes it
clear what the goals should be for the various units who are working together. And so we asked
people, tell us how you measure your application security programs. And when you look at the
financial institutions, 77% specified the number of
vulnerabilities found, right? So that's the primary tool that they use. They look at the results of
static analysis testing, the results of dynamic analysis testing, and the results of penetration
testing, and they aggregate these things together and they say, this is the metric that we're going
to use to measure application security. Now, there were other metrics people cited. 62% talked about
compliance to internal standards. So, for example, thou shalt do penetration testing
as a standard. Surprisingly, only 62% of organizations measured the compliance
to those standards. So, you can imagine there's a large swath of companies who will create information security
policy and come up with standards.
People may not be following those standards and they really don't have a way to track
it.
After that, we couldn't find anything that more than half of our FI respondents were
doing.
So for example, measuring the length of remediation or the number of development teams
who are using tools or training, both of these things were done by 46 to 38 percent respectively
of the respondents. So really, you know, the key metric people are using is number of vulnerabilities
found.
That's Rohit Sethi from Security Compass. The report is called Managing Application Security. You can download
it from their website.
In ordinary cybercrime news, researchers at Wandera report a dramatic
rise of SLocker Android ransomware variants and infections over the last six months.
A flaw in Android 6.0.0 Marshmallow permissions could allow malicious apps to download directly from Google Play,
according to a report by security firm Check Point.
And finally, U.S. President Trump dismissed FBI Director Comey late yesterday
over Comey's handling of campaign season email security investigations.
Sources indicate that the FBI's need to correct the director's inaccurate testimony
before the Senate last week was the proximate cause of the firing, but that termination was likely in any case,
as the president is said to have lost confidence in and fallen out with the now former director.
The Justice Department continues its investigations of Russian operations in the U.S.,
particularly alleged connections to former National Security Advisor Flynn.
And I'm pleased to welcome back to the show Malek Ben-Salem.
She's the Senior Manager of Security and R&D at Accenture Labs.
Malek, welcome back. It's been too long. We are excited to have you back on the Cyber Wire.
Thank you. And I'm excited to be back too.
So you have some survey data you wanted to share with us. Accenture did a security survey and you wanted to share some of the results.
Sure. Yeah. So Accenture has completed a study recently aiming at redefining security performance and how to achieve effective security.
Now, defining high performance security is not a simple task.
Companies can measure successful security outcomes. What we wanted to focus on is specific cybersecurity capabilities that can help business leaders
understand the interlock of security and business outcomes.
So we focused on certain capabilities like security aligned to the business, cyber response
readiness, strategic threat context, investment efficiency, things
like the cybersecurity capabilities of the extended ecosystem.
And so we surveyed about 2,000 security executives, senior security executives across 12 industries
globally.
And these were from companies that had revenues in excess of
$1 billion. And the findings were interesting. What we found out is that in some categories,
there was a lot of room for improvement. A particular concern was the identification
of high value assets and business processes within the company.
This was basically the capability that most companies scored very low on. Only about 27%
of those companies had scored high basically in that capability.
And just describe to me, what does that capability entail?
So that entails that an enterprise or an organization would know what are its key assets,
the assets that need to be protected, whether these assets are data or business processes
or infrastructure, which is alarming, right? You'd think that,
you know, that's something that they would start with.
If there's one thing you're going to know.
Exactly, that they build their security strategy on. But it seems that that is not the case.
We've also noticed a significant difference across industries. So we've seen that the communication industry,
the high-tech industry,
and the financial services industry
scored pretty high
in most of the cybersecurity capabilities
versus industries like life sciences, for example,
scored really, really low
when it came to cybersecurity capabilities.
Interesting.
So if people want to check out more of the data,
where can they find the results of the survey?
They can go to the Accenture website, Accenture.com,
and search for the Accenture Security Index.
All right. Terrific.
Malek Ben-Salem, thanks for joining us.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.