CyberWire Daily - Securing secrets: The State Department's cyber hunt.
Episode Date: April 4, 2024

The State Department investigates an alleged breach. The FCC looks at regulating connected vehicles. A big-tech consortium hopes to mitigate AI-related job losses. Google aims to thwart cookie thieves. SurveyLama exposes sensitive info of over four million users. Omni Hotels & Resorts is recovering from a cyberattack. A national cancer treatment center suffers a breach. How cyber is approached on both sides of the pond. In our Industry Voices segment, George Jones, CISO at Critical Start, discusses strategies for maximizing cybersecurity investments to achieve optimal risk reduction. Playing the identity theft long game.

CyberWire Guest
On Industry Voices, guest George Jones, CISO at Critical Start, joins us to share thoughts on the topic "Spend Smarter, Risk Less: Cybersecurity ROI Strategies for Security Leaders." George discusses strategies for maximizing cybersecurity investments to achieve optimal risk reduction.

Selected Reading
Threat Actor Claims Classified Five Eyes Data Theft (Infosecurity Magazine)
Automakers and FCC square off over potential regulations for connected cars (The Record)
Big tech companies form new consortium to allay fears of AI job takeovers (TechCrunch)
Amazon is cutting hundreds of jobs in its cloud computing unit AWS (NPR)
Google Proposes Method for Stopping Multifactor Runaround (GovInfo Security)
Google fixes two Pixel zero-day flaws exploited by forensics firms (Bleeping Computer)
SurveyLama data breach exposes info of 4.4 million users (Bleeping Computer)
Omni Hotels confirms cyberattack behind ongoing IT outage (Bleeping Computer)
The US or the UK: Where Should You Get a Cybersecurity Job? (GovInfo Security)
US Cancer Center Data Breach Impacting 800,000 (SecurityWeek)
Iowa sysadmin pleads guilty to 33-year identity theft of former coworker (The Register)

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc.
Transcript
You're listening to the CyberWire Network, powered by N2K.

Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me.
I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private. [...] JoinDeleteMe.com slash N2K and use promo code N2K at checkout.
The only way to get 20% off is to go to JoinDeleteMe.com slash N2K and enter code N2K at checkout.
That's JoinDeleteMe.com slash N2K, code N2K.

The State Department investigates an alleged breach.
The FCC looks at regulating connected vehicles.
A big tech consortium hopes to mitigate AI-related job losses.
Google aims to thwart cookie thieves.
SurveyLama exposes sensitive info of over 4 million users.
Omni Hotels & Resorts is recovering from a cyberattack.
A national cancer treatment center suffers a breach.
How cyber is approached on both sides of the pond.
In our Industry Voices segment, George Jones, CISO at Critical Start, discusses strategies for maximizing cybersecurity investments to achieve optimal risk reduction.
And playing the identity theft long game.
It's Thursday, April 4th, 2024.
I'm Dave Bittner, and this is your CyberWire Intel Briefing.
Thank you for joining us here today. It is great to have you with us.
The U.S. State Department has launched an investigation after a hacker group, IntelBroker, claimed to have leaked documents from Acuity, a technology consulting firm serving federal security customers.
IntelBroker alleges these documents contain sensitive information from the
Five Eyes Intelligence Alliance, including personal details of government, military,
and Pentagon employees. Acuity, with nearly 400 employees and over $100 million in annual revenue,
specializes in services like DevSecOps and cybersecurity for national security customers.
As for the hacker group IntelBroker, this isn't their first major breach.
Their history includes unauthorized access to data from various U.S. government agencies
and notable companies like Hewlett-Packard Enterprise.
The State Department has confirmed it's looking into the breach but has not disclosed specifics, citing security concerns.
The overlap of leaked data in previous IntelBroker disclosures
hints at a potential connection between this and earlier incidents.
There is a clash brewing between automakers and the FCC
over whether connected vehicles should be regulated as telecom entities.
FCC Chairwoman Jessica Rosenworcel questioned if cars' technological advancements necessitate new regulations.
This inquiry aligns with increasing concerns over connected cars' data practices,
including law enforcement's use of such data without consent,
issues like stalking, and automakers selling information to third parties.
Rosenworcel's focus is on whether automakers qualify as mobile virtual network operators,
MVNOs, potentially subjecting them to stricter data handling and sharing rules.
Most automakers deny operating as MVNOs, but the debate raises critical questions about privacy, transparency, and regulatory authority in the era of connected vehicles.
Artificial intelligence's role in the workforce presents a dual narrative. On the one hand, companies like UPS and IBM are adjusting their workforce strategies due to AI's growing capabilities, with some roles being cut
or hiring paused in anticipation of automation. On the other hand, a notable consortium led by
Cisco, including tech giants like Google and Microsoft,
is focusing on mitigating AI-related job losses through reskilling and upskilling initiatives.
This AI-enabled ICT workforce consortium aims to assess AI's impact on job roles within the ICT industry,
providing training recommendations and connecting businesses with skilled workers.
Despite these efforts, skepticism remains regarding the actual availability of AI roles in the future,
as demand appears to be declining.
The tech industry's challenge lies in delivering tangible solutions and actions beyond mere promises to address the evolving landscape of work in the AI era.
Meanwhile, Amazon announced yesterday it would cut hundreds of jobs within its cloud computing division, AWS,
aligning with a strategic realignment.
This decision affects the technology team for physical stores,
following Amazon's choice to abandon its Just Walk Out technology in U.S. groceries.
Further job reductions span AWS's sales, marketing, and global service teams,
particularly impacting AWS training, certification programs, and sales operations. These layoffs are
part of Amazon's broader strategy to refocus resources and drive innovation,
despite recent layoffs across Prime Video, MGM Studios, Twitch, and Audible.
Google is developing a security feature called Device-Bound Session Credentials, DBSC,
to counter hackers who bypass multi-factor authentication by stealing authentication cookies.
This feature binds cookies cryptographically to a user's device,
making them useless on a hacker's computer.
Leveraging trusted platform modules in computers for storing encryption keys,
DBSC aims to make stolen cookies valueless for account hijacking.
Google proposes this mechanism as a web standard,
envisioning an API for servers to initiate at each browsing session start,
enhancing security without compromising privacy.
With interest from identity providers Okta and Microsoft's Edge browser,
Google seeks to convince other major browser makers to adopt this approach,
potentially establishing a new standard in web security.
Google has addressed two critical vulnerabilities in its Pixel devices,
exploited by forensic firms to bypass PIN security and access device data. These zero days,
involving the bootloader and firmware, were distinctively patched in Pixel's April 2024 update,
separate from the general Android patches due to Pixel's unique hardware and features.
GrapheneOS researchers who discovered the exploitation highlighted that Google's fixes aim to block unauthorized access to memory and factory reset bypasses,
though they note that the latter fix may be partially effective.
SurveyLama, an online survey platform rewarding users for participation,
experienced a data breach in February of 2024, exposing 4.4 million users' sensitive information.
Have I Been Pwned reported the breach,
which included dates of birth, email, and physical addresses,
full names, passwords, phone numbers, and IP addresses.
SurveyLama, owned by Globe Media,
confirmed the incident and notified affected users.
Despite passwords being hashed, vulnerabilities exist, and users are advised to change their passwords immediately.
Omni Hotels and Resorts is dealing with the aftermath of a cyberattack that led to a national IT outage, disrupting its operations.
The attack, identified on March 29th, prompted Omni to shut down its systems to contain the breach.
Most systems have been restored thanks to efforts from their IT teams and a cybersecurity response unit.
The nature of the attack has not been officially confirmed by Omni, but sources suggest it was a
ransomware incident. The company is currently restoring encrypted servers from backups,
with no ransomware group yet claiming the attack.
The cyber attack has impacted reservation and payment systems,
but all Omni locations continue to operate,
accepting guests while manually restoring systems.
This incident follows a 2016 breach
where malware compromised Omni's point-of-sale systems.
City of Hope, a comprehensive cancer center with locations across the U.S.,
experienced a data breach between September 19th and October 12th of 2023,
affecting over 800,000 individuals.
Unauthorized access to their systems resulted in the theft of sensitive data,
including personal and medical
information. Despite no current evidence of identity theft or fraud, the center has taken
steps to contain the breach, informed law enforcement, and engaged a cybersecurity firm
to enhance system security. Impacted individuals are being offered two years of identity monitoring services. Notifications began in December of 2023 with ongoing efforts to identify all affected parties.
A piece in GovInfo Security by CyberTheory's Steve King examines the cybersecurity landscape in the UK and the US
and how they diverge due to differences in national security
priorities, regulatory environments, and cultural attitudes toward privacy and surveillance.
In the UK, King says, the emphasis is on data protection, heavily influenced by EU regulations
like GDPR, leading to a stringent compliance culture within cybersecurity. Conversely, the U.S. focuses more on protecting critical infrastructure
against espionage and cyberattacks with a fragmented regulatory framework.
Cultural attitudes also vary,
with the U.K. displaying a certain acceptance of surveillance for security,
whereas the U.S. shows polarization,
emphasizing individual freedom and privacy rights.
Moreover, the U.K. and U.S. prioritize different aspects of national security in their cybersecurity
strategies. The private sector's role and the approach to career development and education
in cybersecurity also differ, reflecting each country's unique approach to combating cyber
threats and advancing cybersecurity practices. also differ, reflecting each country's unique approach to combating cyber threats
and advancing cybersecurity practices.
Coming up after the break, George Jones, Chief Information Security Officer at Critical Start,
discusses strategies for maximizing cybersecurity investments
to achieve optimal risk reduction. Stay with us.

[...] winter blues. We could try hot yoga. Too sweaty. We could go skating. Too icy.
We could book a vacation. Like somewhere hot. Yeah, with pools. And a spa. And endless snacks.
Yes! Yes! Yes!
With savings of up to 40% on Transat South packages, it's easy to say so long to winter.
Visit Transat.com or contact your Marlin travel professional for details. Conditions apply.
Air Transat. Travel moves us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting,
and helps you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta
when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak.
Did you know the easiest way for cyber criminals
to bypass your company's defenses
is by targeting your executives and their families at home? Black Cloak's award-winning
digital executive protection platform secures their personal devices, home networks, and connected
lives. Because when executives are compromised at home, your company is at risk. In fact,
over one-third of new members discover they've already
been breached. Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
In today's sponsored Industry Voices segment, my conversation with George Jones, CISO at Critical Start. We're talking about strategies for maximizing cybersecurity investments to achieve optimal risk reduction.
I think that we're at an inflection point where folks are taking a much greater ROI perspective on their investments and finding ways to ensure that they're effectively spending money within their budgets.
So we've reached a point in the economy, from an economic perspective, where money that used to be quote-unquote free at incredibly artificially low interest rates is not available anymore.
And so organizations, both large and small, have to think about how they manage debt and spend.
[...] cashflow neutral, or in fact can generate, in terms of internal dollars, generate revenue,
then those are going to be platforms or implementations that I'm going to look at
with a much more kind eye than I might otherwise.
You know, I'm reminded of that old, I suppose you could say old chestnut
from the madmen advertising days of,
you know, the executive would say,
I know that half of the money
I'm spending on advertising is wasted.
The problem is I don't know which half.
And I, you know, I wonder if some of that
has been at play with folks in cybersecurity
of, you know, buying all the tools so that we feel as though we're covered.
I think that's a large part to it is, you know, just almost a spray and pray type mentality where more tools are better.
And what I'm seeing in the marketplace now, and one of the things that I'm looking at is less is better.
Because from an ROI perspective, if I can go to a single vendor and get five tools, I have to manage one vendor.
I've got one platform from an ROI perspective.
I've got one organization that I have to put through a pretty
extensive third-party risk management process. That's one vendor where I know my data is safe
and secure, so I don't have to worry about being spread across five different vendors and five
different platforms. I can leverage an economy of scale by working with that one vendor
and bundling packages and getting a better deal.
And so taking an approach similar to that,
and it doesn't even,
I pulled the number five out of the hat.
It could be three.
But the more that I can effectively minimize the number of locations
where my data exists and the [...] I reduce our attack surface.
And so anytime I can do that,
then putting that security conscious approach first
allows me to operate in a more cost-effective manner
simply by minimizing the depth and breadth of locations that I have to
be concerned about where my data resides. Can we talk about some of the strategies for coming at
that approach? I mean, let's say I'm out there and I'm shopping at these various platforms.
How do I evaluate which features are most important to me and what combination is going to give me the best bang for my buck?
That's a great question.
And that's certainly going to be very dependent upon the nuances of your environment.
But a great way to effectively evaluate your cyber risk
and make sure that it aligns with your business strategy is to conduct,
before you even start looking at what those vendors are, understanding risk assessments on your environment.
So you need to conduct comprehensive risk assessments on your environment to understand what your assets are,
what your vulnerabilities are, what the threats are, what the potential impact of those threats are. So identifying those critical assets and their vulnerabilities, evaluating potential threats,
determining the likelihood and impact of those threats, and then understanding what is your
appetite for risk? So if you are incredibly risk averse [...] or you have minimized the exposure
to critical parts of your data through any number of technical means, then you may have a larger
appetite for risk for specific environments. So understanding how your risk appetite
aligns with your business strategy
is first before you can really start to wade
into the pool of available tools.
What about balancing the advantage
of having a bunch of functionality in one platform,
coming from a single provider,
balancing that against the potential risk of putting all of your eggs into one security basket?
Well, so there's certainly that.
And I think we've learned that through some pretty impactful events that have occurred to specific cybersecurity companies in recent history.
But, I mean, that's a calculated risk that you take. So I would still stand to the statement that if I do my due diligence and I look at
the assessments that the vendor I'm considering has undertaken and actually read their assessment reports and understand what their risks and vulnerabilities
are, and they show me that they have no corrective action plans in place or no significant findings
in their attestations from their third-party assessment organizations,
then I'm going to have some faith in those organizations
and in the fact that that organization does what they say they're doing.
If, in fact, they are blatantly misleading in those statements, I don't know that there's
a whole lot I can do about that.
And I think that's what we saw in the past was that organizations that we thought were secure were, in fact, not doing what they said they were doing.
If you have one vendor or 10 vendors, I don't know how you protect against that. Because at that point, it becomes, you fall back into the, well, I need 27 platforms because if this one fails, I've got one that does the same thing it does to back it up.
And then you run into the sprawl that we're trying to avoid.
Once you get a program like this up and running, what are your tips and recommendations for keeping it up and running, for fine-tuning it, for making sure that it's working the way that you intended?
The key thing from that perspective is, well, I'll step back from that.
There are a couple of key things in that.
Relationships with your vendor are critical. And so for me, I have typically, depending upon the vendor and what I do with them, a quarterly business review; sometimes it's semi-annual. But I think having that relationship in place helps me stay in tune with how well that organization is staying ahead of the emerging threats that exist. [...] sure that not only am I monitoring my environment continuously to make sure
that I stay ahead of emerging threats and zero-day threats and
vulnerabilities that exist and occur and update every day, but I
want to make sure that my vendors are doing the same thing. And so I do that through regular touch points and through those relationships.
And I can have conversations with someone and ask them very direct and very pointed
questions about specific things that are occurring.
So if I have, I may have a quarterly business review with a vendor, but something, a critical vulnerability comes out that I have concerns about given
potential exposure to my environment. I might send my technical account manager an email and say, hey, I just saw this zero-day vulnerability that occurred.
What's the impact to me with your tool?
Or what's the impact to your organization?
And start those conversations.
So keeping that open channel of communication with your vendors is always critical to making
sure that they can stay ahead of emerging threats.
Because if your vendor's not ahead of emerging threats, you're not ahead of emerging threats.
What about communicating this approach to, let's say, your board of directors,
to the powers that be at an organization and making sure that they understand
that they're on board with this kind of approach of maximizing your ROI.
That involves, again, some regular touch points. So I have monthly calls with investors for our organization.
But what I would say the general public should do is have those regular touch points with your investors and with your board.
Because what those key stakeholders are going to want to understand is, can you quantify the financial benefits that you gain by implementing these initiatives? And can you quantify that relative to the costs that are
incurred? So you can achieve that by measuring the reduction in data breach costs, which is a projection,
but including that, the avoidance of regulatory fines depending upon your industry,
preservation of brand reputation and goodwill with your customers,
potential revenue growth because of enhanced customer trust.
Something else that I've started to focus on is that ROI, or I can say I could have leveraged a 20% reduction by renewing an agreement with a vendor, that's a cost avoidance. I'm not necessarily saving money
to the organization because my annual cost might go up 5% because that's the price that the vendor
gave me. But I avoided a 20% increase. So by default, I've saved the organization money even though I'm spending more.
So focusing on that perspective as well, that's what your board is going to want to see and what those key stakeholders are going to want to see is, that I'm saving our organization money by improving our security posture and keeping
our employees safe, our customers safe, and our intellectual property safe,
and doing so by saving the organization money at the same time. So at the end of the day, it's being able to provide that quantifiable benefit
that you gain from the initiative.
That's George Jones, Chief Information Security Officer at Critical Start.

Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data, and ensuring your organization
runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep
your company safe and compliant.
And finally, in a tale that reads like the plot of a crime thriller,
one Matthew David Keirans executed one of the most audacious
acts of identity theft, spanning over three decades. At 58 years old, Keirans admitted to a series of
crimes that not only defrauded financial institutions, but also irrevocably changed
the life of William Donald Woods, the unsuspecting victim of this elaborate scheme.
After meeting Woods at a hot dog stand in Albuquerque, New Mexico in the late 1980s,
Keirans embarked on an elaborate scheme, fully assuming Woods' identity within two years.
Utilizing forged documents, he secured employment at the University of Iowa Hospitals and Clinics, amassing over $700,000 over 10 years.
The extent of Keirans' deceit included taking out loans, purchasing vehicles, and even entering a marriage under Woods' name.
However, the cruelty of his actions was most starkly revealed in 2019,
when Woods, then homeless and unaware of the debt accrued in his name,
attempted to clear up the confusion at a bank.
This led to his arrest and wrongful imprisonment for 428 days,
followed by a forced stay in a mental hospital for 147 days, all while Keirans continued his deception.
The unraveling of Keirans' fraud began with Woods' complaint to Keirans' employer, leading to a police investigation that used DNA evidence to expose the truth.
Keirans now faces up to 32 years in prison.
And that's The CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast. You can email us at cyberwire at n2k.com.
N2K Strategic Workforce Intelligence optimizes the value of your biggest [...] by Elliott Peltzman.
Our executive producers are Jennifer Eiben and Brandon Karpf.
Our executive editor is Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.

[...] AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI
and data products platform comes in. With Domo, you can channel AI and data into innovative uses
that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.