CyberWire Daily - Russia does the info ops dance. An indictment of a Lazarus Groupie. FOIA shares too much. British Airways breaches. Silence makes some noise. Notes from the Billington Cybersecurity Summit.
Episode Date: September 7, 2018. In today's podcast we hear that Russia says it had nothing to do with the Salisbury nerve agent attacks, but no one really seems to be buying the denial. The US indicts a North Korean hacker in matters pertaining to the Lazarus Group. FOIA.gov overshares. British Airways sustains a data breach. The "Silence" gang makes some noise in the underworld. Notes from yesterday's Billington Cybersecurity Summit. And Twitter bans a grandstander for life. Dr. Charles Clancy from VA Tech's Hume Center describes the Virginia Commonwealth Cyber Initiative. Guest is Rich Baich, CISO at Wells Fargo, with insights on protecting a major financial institution.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Russia says it had nothing, nothing to do with the Salisbury nerve agent attacks,
but no one really seems to be buying the denial.
The U.S. indicts a North Korean hacker in matters pertaining to the Lazarus Group.
British Airways sustains a data breach. The Silence Gang makes some noise in the underworld.
We've got notes from yesterday's Billington Cybersecurity Summit.
And Twitter bans a grandstander for life.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, September 7th, 2018.
Russian authorities responded to British accusations before the UN that the GRU carried out an attempted assassination in England by doubling down on increasingly implausible denial and counter-accusation.
The Moscow Times reports that Ambassador Vasily Nebenzya said of the Skripal incident that, quote, we take it very seriously and we have been asking for cooperation from the UK authorities from day one, end quote.
As if the aggrieved party here is Russia and no one else.
The information operation may be wearing thin,
but it would probably be a mistake to regard the apparent recklessness of the GRU operation
as evidence that Moscow's hoods are stumblebums.
The brutal directness of the attack carries a message of
its own. The UK and in all probability its closest allies are preparing to strike back in cyberspace.
It's all lies, says Moscow, but the US, France, Germany and Canada at least,
are all in full official agreement that Putin done it.
One clarification. Mr. Nebenzya did tell the press that,
quote, there is no GRU, by the way, I forgot to tell the UK ambassador.
It was renamed to the Chief Directorate of the General Staff.
It's no GRU anymore, end quote.
The proper acronym would be GU, that is Chief Directorate,
as opposed to Chief Reconnaissance Directorate.
People reporting on Russia know this, but most of them have preferred to hold on to the former
letters, not only for familiarity, but for the three-letter genre common to many intelligence
services like SVR, FSB, and so on. So, pedantically noted, but we're going to keep saying GRU.
The name change barely amounts to a rebranding.
We'll continue to say we're going to Dunkin' Donuts,
even after they rename themselves Dunkin'.
It's the same reliable product.
Some observers think the GRU, yes, we'll say it again, is becoming an embarrassment for Russian President Putin.
Disdainful accounts by UK authorities of the GRU officers' carefree wanderings in front of British surveillance cameras have fed this line.
Other observers aren't so sure, and think it means instead that the GRU has become Mr. Putin's preferred tool for instilling shock and fear.
The second alternative seems likelier. GRU operations
have attracted international attention, while those of the KGB heirs SVR and FSB have been
much less obtrusive. The GRU has certainly become the noisy one of the trio. Fancy Bear is often in
the headlines, but Cozy Bear usually is not, and when Cozy is, it's usually by association with Fancy.
The GRU's motto may be,
The greatness of the motherland in your glorious deeds,
but oderint dum metuant,
let them hate us as long as they fear us,
might be better.
And we'd be willing to bet that when Mr. Putin is among friends,
he calls them GRU, just like us.
The U.S. indicted a North Korean hacker yesterday in conjunction with Lazarus Group attacks
on Sony and the Bangladesh Bank, and also in connection with WannaCry.
Park Jin-hyuk worked for Chosun Expo Joint Venture,
a Reconnaissance General Bureau front with offices in both North Korea and China.
This marks the first indictment of a named North Korean for state-sponsored hacking offenses.
Now agents of each of the familiar four, Russia, China, Iran, and North Korea, are under U.S. indictment.
It's unlikely that any of them, of course, will appear in a U.S. court,
but the indictments are part of the naming and shaming process.
Of these regimes, at least three of them seem pretty shameless.
On occasion, Beijing looks a little red-faced.
There are other red faces elsewhere
for reasons having to do with carelessness over data.
FOIA.gov, an information site administered by the U.S. Environmental Protection Agency,
inadvertently exposed inquirers' personal information.
This issue was a self-inflicted misconfiguration, not a hack.
British Airways has reported a data breach.
380,000 sets of payment details were obtained by criminals
who hacked into the airline's data.
Group IB is tracking an underworld development.
The small, two-person, but scrappy gang called Silence
is giving the Cobalt Group a run for its ill-gotten money
in the ATM jackpotting field.
The 9th annual Billington Cybersecurity Summit was held yesterday in Washington, well
attended by roughly 1,000 registered participants.
The theme was partnership and partnerships' place in strengthening cyber defenses.
A number of senior U.S. federal IT and cybersecurity executives presented overviews of their agencies' priorities.
There was a general consensus that cybersecurity increasingly pervades everything their enterprises do to improve security, and that the government competes for cyber talent at a disadvantage
and must look for creative ways of attracting people into federal service.
There's a more nuanced approach to cyber deterrence emerging in both British and American
official thinking. It must become, several speakers said, more graduated and proportionate
than the mutual assured destruction of the Cold War's nuclear deterrence regime.
Mark Sayers, Deputy Director for National Security Strategy at the UK Cabinet Office,
pointed out that there are a great many different actors with many different motivations,
and they operate against an expansive attack surface.
So cyber requires agility and nuance.
Consensus among the speakers was that retaliation must be calibrated to the threat.
Lawfare remains very much a part of that complex deterrent.
A number of speakers expressed satisfaction at the U.S. indictment of a North Korean Lazarus
groupie.
Senior representatives of the intelligence community wanted everyone to understand very
clearly that they were fully committed to securing the upcoming U.S. elections.
General Nakasone was particularly direct.
He closed his keynote by saying there is no higher priority for U.S. Cyber Command and NSA
than the security of the midterm elections.
And recent proposals that companies be permitted or even encouraged to
hack back at their tormentors in cyberspace? Nobody on either side of the Atlantic seemed
to like that idea very much, so if you're among those who've yearned for privateering in cyberspace,
you may have to wait a bit for your letter of marque and reprisal. But if those privateers
eventually do sail, we're betting they'll homeport in Baltimore, just as they did in 1812.
And finally, InfoWars' Alex Jones, best known for his repellent theory that the parents of children murdered at Sandy Hook Elementary School were faking it for political reasons, was last seen vigorously tugging on Superman's cape as he vamped for the
camera in the background during testimony by Twitter CEO Jack Dorsey before the Senate Wednesday.
Mr. Jones got his wish yesterday. Twitter just banned him for life.
And joining me once again is Dr. Charles Clancy.
He's the executive director of the Hume Center for National Security and Technology at Virginia Tech.
Dr. Clancy, welcome back.
I saw some news recently about the state of Virginia.
In their annual budget, they included $25 million for a Virginia Tech-led Commonwealth Cyber Initiative
that you all at Virginia Tech are going to be a key part of.
Can you sort of walk us through this? What does the state of Virginia see that they think this
is a good place to invest their money? Well, there's two major things that the
Commonwealth is looking to accomplish with this investment. First is the workforce gap.
And I know we've talked about this on prior shows in the past.
There is a total of 43,000 open jobs in the Washington, D.C. metro region in cybersecurity.
And the Commonwealth is looking for how they can make some targeted investments in university programs that will shrink that gap by increasing the pipeline of students coming out of universities.
And it's not just coming out of four-year degrees or coming out of master's programs.
It's really a whole pipeline.
So looking at K-12, how those students go into either community college or four-year degrees,
and from there, post-baccalaureate training, master's programs, advanced degrees,
and professional certifications, which are obviously critical to the workforce in this area. So figuring out how to map that pipeline, identify the hot
spots and the bottlenecks to really make sure that we're producing as many people as possible is sort
of the first objective of the overall initiative. The second objective is around innovation. So
if you look at the Washington, D.C. cyber economy, it's heavily driven by government services contracts.
For the most part, we're not selling software licenses in this region.
We're selling man hours of labor on government contracts.
And that provides for a stable economy, but it doesn't provide an economy with a lot of upside potential and commercial scale. So the idea is that if we can amp up the university research that's happening in cyber,
we can connect that with a growing venture capital ecosystem and really try and foster
and support and nurture the startup ecosystem and bring some of the larger tech companies from the
West Coast in to augment the defense contractor base that we already have,
then we can begin to start to push this economy more towards commercial products,
certainly continuing to support the government ecosystem that's critical to the region.
So $25 million certainly sounds like a sizable sum of money.
How do you spread that around?
How do you calibrate where it goes to get the best
effect for the taxpayers' dollars? Well, we're looking at a couple of targeted investments
with those resources. And the goal really is to invest in programs that will be able to sustain
themselves long term. Keep in mind, this is only one time money, and once it's spent, it's spent. So the goal is to use it to stand up new degree programs that will ultimately be self-sustaining with tuition revenue
and stand up new research programs, which will ultimately be viable based on grants and contracts that those teams are able to win.
So it's really about sort of focused investments in certain areas that will build these self-sustaining programs. Dr. Charles Clancy, thanks for joining us.
My guest today is Rich Baich. He's a graduate of the United States Naval Academy and the
Naval War College. Following his service, he was a principal at Deloitte,
where he led their global cyber threat and vulnerability management practice.
Today, he's the chief information security officer at Wells Fargo,
where he manages a security organization with over 2,000 staff,
securing and enabling Wells Fargo's enterprise.
Responsibility here at Wells Fargo includes kind of the overall strategy and execution
of our information security program.
And that's kind of looked at in different facets and capabilities.
So that would include things such as access management, technology engineering, or I should say information security engineering,
network security, cryptologic services, distributed engineering, policies, security awareness,
governance, risk assessments, third-party information security, and what we call cyber defense, which would be things
such as a traditional security operations center, which we call our cyber threat fusion center,
our red teams, our operational security, cyber threat intelligence, and then, of course, all the governance that goes into running a program.
Now, it's a lot going on there, as you describe it.
What is your strategy for keeping an eye on all of that?
What's your management style?
Yes, so from a management style standpoint, we really focus on risk management.
At the end of the day, when I think about how we make decisions and where we invest and how we define good,
the best analogy I can think of is the decisions either you make as a personal investor, like a portfolio management, or something like a credit
risk. When a financial institution grants somebody credit, they are granting credit with the
possibility and a risk that an entity may not pay it back. But you come up with guidelines and
data points that allow you to accept that risk.
So when we look at what we're doing here,
we're trying to make sure that we understand the risk
and allow us to make good decisions on that risk.
You could keep buying more.
You can keep doing things differently,
but the risk will probably always
remain because we're connected to the internet. Right. And so the people who are working for you,
what are your expectations in terms of the way that they communicate things to you,
the way they describe their needs, set their budgets and their priorities and things like that?
Great question.
So my expectation of my leadership team is to run their organizations like a business.
And what I mean by a business is I want them to feel ownership and accountability of the capability portfolio that they establish and to understand that the capabilities that
they're designing, that they are funding, what risks are they trying to address? And I encourage
them to, when they're thinking about it, to use, you know, kind of a formula to help drive their
decision. And that formula is risk equals vulnerabilities. There are always
vulnerabilities. And by the way, not just technical vulnerabilities, human vulnerabilities. You and I
fall victim to a phishing email. There are vulnerabilities associated with where you decide
to put your data center. If it's in the path of a hurricane, you incur some risk. So, vulnerabilities times the threat, the threat
changes pending what's going on geopolitically, what's going on with vendors, what's going on
with customers, the threat changes, which means the risk changes, times the asset value. We want
to obviously understand and protect our highest value assets, maybe more so than a lower classified asset.
And then the most important thing, which really I think drives the decision process of where you
invest your money and the actions that you take is what's called the probability of occurrence.
And what that means is, is that particular risk, that particular security issue, that vulnerability, that exploit,
being capitalized on anywhere else? Because there's a lot of theory associated with information security risks about what you can do. And then there's the actual reality of somebody,
for lack of better terms, weaponizing something.
So when that becomes kind of weaponized,
the risk goes to what I would call the actionable level of risk.
You have to make it a priority because if another entity has fallen victim
as a result of a particular action or exploit,
it's just a matter of time before they potentially turn
and focus it on your organization.
So that should help them with their priorities.
My goal is to know about it, get it, and use it.
The most important thing is a lot of people like to know about things,
but they may not get it, or they may know about it and get it and not use it.
And then some people may use it, but not the right people get to use it.
At the end of the day, if that information can help us get awareness, whether that be proactive,
preemptive, situational, to the right decision maker in the organization,
the right risk manager, because everybody should be a risk manager when you're making decisions.
If we can get the information to the right person and help them make the best risk-based decision that they can,
we've done the best that we can do.
But that ultimately is the real value of threat intelligence.
It's how does it get baked back into the decision process and where.
And what's nice about intelligence these days, at least what we're able to do, is it's across
many disciplines.
You may help the fraud teams make
better decisions. You may help the AML team make better decisions. You might help the social
networking team make better decisions, physical security make decisions, and of course your
traditional information security teams. So, you know, ultimately it's how you use that information that's most important.
That's Rich Baich. He's the chief information security officer at Wells Fargo.
We'll have an extended version of this interview over on our Patreon page.
That's patreon.com slash the cyber wire.
Our Patreon supporters will get access to it first, and then in a few days it'll be available to everyone.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash,
Stefan Vaziri,
Kelsey Vaughn,
Tim Nodar,
Joe Kerrigan,
Carol Terrio,
Ben Yellen,
Nick Volecki,
Gina Johnson,
Bennett Moe,
Chris Russell,
John Petrick,
Jennifer Iben,
Rick Howard,
Peter Kilpie,
and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.