CyberWire Daily - The cost of a data breach as an economic drag. Personal apps as a potential business risk. Why so little ransomware in Ukraine? Employee engagement study reaches predictably glum conclusions.
Episode Date: July 27, 2022
IBM reports on the cost of a data breach. Personal apps as a potential business risk. Over on the dark side, there’s help wanted in the C2C labor market. An employee engagement study reaches predictably glum conclusions. Betsy Carmelite from Booz Allen Hamilton on reducing software supply chain risks with SBOMs. Our guest is Elaine Lee from Mimecast discussing the pros and cons of AI in cybersecurity. And why so much attempted DDoS, but not so much ransomware?
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/143
Selected reading.
IBM Report: Consumers Pay the Price as Data Breach Costs Reach All-Time High (IBM Newsroom)
Cost of a Data Breach Report 2022 (IBM Security)
Netskope Threat Research: Data Sprawl Creating Risk for Organizations Worldwide as Personal App Use in Business Continues to Rise (PR Newswire)
Financial Incentives May Explain the Perceived Lack of Ransomware in Russia’s Latest Assault on Ukraine (Council on Foreign Relations)
Tessian | 1 in 3 Employees Do Not Understand the Importance of Cybersecurity at Work, According to New Report (RealWire)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
IBM reports on the cost of a data breach.
Personal apps as a potential business risk.
Over on the dark side, there's help wanted in the C2C labor market.
An employee engagement study reaches
predictably glum conclusions. Betsy Carmelite from Booz Allen Hamilton on reducing software
supply chain risks with SBOMs. Our guest is Elaine Lee from Mimecast, discussing the pros
and cons of AI in cybersecurity,
and why so much attempted DDoS, but not so much ransomware.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire Summary for Wednesday, July 27th, 2022.
IBM Security has released its 17th annual Cost of a Data Breach report. The research, conducted by the Ponemon Institute and sponsored, analyzed, and published by IBM Security, analyzed 550 organizations that fell victim to a data breach between March of 2021 and March of 2022.
Researchers found that 83% of organizations had more than one data breach.
It was discovered that 60% of the breaches led to increases in customer prices,
with the costs of a data breach averaging $4.35 million.
The critical infrastructure sector was disproportionately impacted financially by breaches,
with impacted organizations averaging costs of $4.82 million.
It pays, however, to have protection in place.
Just over $3 million was saved, on average, by companies with fully deployed security
AI and automation systems.
And $2.66 million was saved by companies with an incident response team and plan.
IBM thinks data breaches are having an effect upon economic conditions in general.
The company said, The findings suggest these incidents may also be contributing to rising costs of goods and services.
In fact, 60% of studied organizations raise their product or services prices due to the breach
when the cost of goods is already soaring worldwide amid inflation and supply chain issues.
The toll breaches exact amounts to an invisible cyber tax. Netskope has released a report
detailing the common use of personal apps in business. Cloud app use has seen an increase of 35% just since the beginning of 2022,
with the average mid-sized business with between 500 and 2,000 employees using 138 different apps.
Personal app and personal instance usage increases in the 30 days before employees leave an organization,
with 20% of users uploading
unusually high amounts of data before their departure. This might be innocent, but it does
inevitably raise suspicions. Netskope explains the distinction between a personal app and a personal instance. They say, a personal app, such as WhatsApp, is an app that only sees personal usage from personal accounts. A personal instance is a personal account of an app that is also managed by the organization. For example, someone's personal Gmail account in an organization that uses Google Workspace is a personal instance. A current trend represents an increase of 33% from the same time last year.
Personal app usage is most prevalent in the retail sector, with nearly 4 in 10 employees using them,
and it's least prevalent in the financial sector, where fewer than 1 in 10 employees were found to be uploading, creating, sharing, and storing data.
Interestingly, it was found that many organizations use apps with overlapping
functionalities. Mid-sized companies on the average use four webmail apps, seven cloud storage apps,
and 17 collaboration apps. This obviously suggests an unnecessary expansion of an organization's
attack surface. The Council on Foreign Relations looks at the recent record of Russian cyber operations,
particularly from the country's privateers,
and asks why ransomware attacks against Ukrainian targets seem to have fallen off
after an initial wave of pseudo-ransomware wiper attacks.
After all, it's not like gangland isn't connected to the organs. Conti is, or at least was, tight with the FSB, and Evil Corp danced with both the FSB and the SVR, so it's not as if there's
a lack of either juice or direction. They suggest a range of reasons for this, but come down in the
end to the privateers' profit motive. But Ukrainian victims are unlikely to have much incentive to pay their ransom
and may have small ability to do so even in the unlikely event that they wish to.
None of this minimizes the ransomware gang's connections to the Russian security services,
nor should it be taken as a counsel of complacency, rather the opposite.
If you look like you could pay, you can expect to be regarded as a potential target. Tessian has shared the results of an
employee engagement study detailing that nearly one in three employees, on average, do not believe
that they play a part in the cybersecurity of their company. Reportedly, only about 39% of employees surveyed
say that they're very likely to report a security incident,
with 42% of respondents reasoning
that they wouldn't know if they caused a security incident
and 25% saying that they just don't care enough
about cybersecurity.
About three quarters of organizations
have experienced a security incident in the last year,
despite IT and security leaders ranking their security posture as 8 out of 10 on average.
Nearly half of all security leaders say training is one of the most important parts of the cybersecurity puzzle,
but only 28% of employees in the United Kingdom and United States report that they find the training engaging,
and alarmingly, only 36% pay full attention to the training. We don't want to throw the first
stone here. After all, we all remember our high school careers, and 36% of our full attention
would have made our teachers proud. But maybe an hour of PowerPoint once a year in the break room
isn't the royal road to practical wisdom in these matters,
even if donuts and coffee are provided.
And finally, maybe this great resignation we keep hearing about is a problem for the criminal market as well.
Huntress contacted us yesterday with a note about the way they're seeing threat actors target managed service providers in their supply chain attacks.
They said,
Huntress researchers discovered a beeper thread from July 18, 2022,
looking for a partner to help process stolen data from over 50 American MSPs, 100 ESXi, and more than 1,000 servers.
The hacker boasted a high profit share
with only little left to do before exploiting the data.
Huntress reminds us that this also seems to corroborate
the threat to MSPs the Five Eyes warned of on May 11th of this year,
the Five Eyes being Australia, Canada, New Zealand,
the United Kingdom, and the United States.
Their observations also confirm something about the C2C market.
Its criminal players suffer from the same human resources challenges the rest of us do.
Here's the text of what amounts to a criminal's help-wanted ad.
Looking for a partner for MSP processing.
I have access to the MSP panel of 50+ companies, over 100 ESXi, 1000 plus servers.
All companies are American and approximately in the same time zone. I want to work qualitatively,
but I do not have enough people. In terms of preparation, only little things are left,
so my profit share will be high. Please send me a message for details and suggestions.
Well, friend, here's a suggestion.
Your profit share might be high,
but why would your prospective employees care about putting Dogecoin in your wallet,
cold, virtual, or otherwise?
I mean, they have expenses and obligations too.
What about their profit share?
Well, things are tough all over.
Here's a thought.
Promise the goons you hire that you'll never make them sit through a quarterly PowerPoint in the break room.
People hate that, or so we hear.
We don't do break room training at the CyberWire headquarters, but if we did, we'd certainly
provide donuts and coffee.
Do you know the status of your compliance controls right now?
Like, right now?
We know that real-time visibility is critical for security,
but when it comes to our GRC programs,
we rely on point-in-time checks. But get this, more than 8,000 companies
like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your
company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
Elaine Lee is a principal data scientist at Mimecast's CyberGraph team,
and I caught up with her for her take on artificial intelligence for cybersecurity,
where it works well and where it's still got a ways to go.
AI does very well at picking up on anomalies.
So basically with AI systems, they have a lot of computing power
and capacity at their disposal. So it is able to just leverage all of that to be basically
super vigilant, hyper vigilant. So an average human can only pay attention to so much at the
same time, can only incorporate and make use of so much data about its environment
at the same time. Theoretically, an AI system does not have as strict limitations as a human would,
so it's able to pay attention to much more. And as a result, it makes AI systems very suited
for anomaly detection. So basically just looking for anything that's out of the ordinary. So that's what it's
very good at. And I think a lot of adaptive AI and ML systems are built around this sort of idea
that it's, you know, just look for something that's a little odd and then alert a human about it.
And where does it come up short these days?
So kind of going back to something I said earlier about generative systems, just basically new stuff entering the scene.
I don't think we're quite there yet, but AI systems might not be very adept at identifying new threats, new and emerging threats.
A lot of existing current AI systems are built around recognizing known attack vectors and known just basically things that have been seen before, attack types that have been seen before. So if you
try to do something new, it would take a while for an AI system to pick up on it if it ever picks up
on it. So oftentimes you still need that human in the loop to train the AI system to
recognize a new threat type. So that is, long story short, it's not very good at detecting
very, very novel threats. So where do you suppose we're headed then? I mean, as you look at some of
the things that are on the horizon or where the technology is headed, what does the future hold?
I think AI ML systems will get better at detecting
novel threats, kind of touching upon something I said earlier about generative types of models.
Maybe if the quality ends up being good enough, those generative models, those outputs from those
generative models could be used to inform new AI ML systems for defense. So that could be where we're headed.
In terms of people integrating this into their security defenses,
how should they best calibrate the part that artificial intelligence plays?
It varies by organization, by team, by company, by culture.
So the best advice I give is to just make sure the human is in the loop.
Make sure you have a human that's involved in the calibration.
Also understand the organization that you're trying to protect.
The IT admin is definitely the best person for that.
That would then be their job to understand the population, the group of users that they're trying to protect,
and therefore utilize the tools that are available to them, you know, be it AI, ML enabled, or just
your average, just your ordinary cybersecurity tools, just utilize them effectively to protect
your team.
It's not one size fits all advice.
But maybe the only advice, the only general advice I could give is make sure that the
human remains in the loop and can calibrate and adapt
their security solutions to meet the needs of their teams. That's Elaine Lee from Mimecast.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
And joining me once again is Betsy Carmelite.
She is a principal at Booz Allen Hamilton,
as well as being the Federal Attack Surface Reduction Lead.
I want to touch base today on Software Bill of Materials, also known by the catchy name SBOMs.
I wanted to get your take on where we stand with this and what are some of the things that this is potentially going to do for us?
Yeah, thanks, Dave. Glad to be back.
Following cyber events like SolarWinds and Log4Shell, SBOMs have gained massive attention as a solution for warding off supply chain attacks.
And so just for a definition of terms and understanding, an SBOM is like an itemized
receipt for software to give software producers, buyers, operators a greater understanding
of the supply chain so they can better track down vulnerabilities and risks,
enable security by design, and make informed choices about software supply chain logistics and acquisition issues.
So in terms of integration, I mean, what do organizations have to do to be in compliance here?
how SBOMs fit into an effort to counter software supply chain risks in a more integrated way,
we're recommending starting with a well-known military symbol. And so we've created a framework around this, the Trident. So this represents the cross-functional effort needed to counter
software supply chain threats. So if you look at the Trident, the longest prong in the center
is a set of techniques used for hunting advanced persistent threats.
And on each side is another prong.
One is SBOM implementation on the left and augmented data risk management on the right. within that Trident include ensuring your organizational policies and procedures allow
for fast-moving implementation of the framework across software that touches all segments of
your organization and consistently applying it. Also, engaging your employees regularly around
ways to detect malicious activity through cyber awareness programs. This is really your basic
cyber hygiene approach. Always educate and inform. Third, use APT techniques to discern
vulnerabilities in tandem with your SBOM analyses. And then use the data collected from the SBOM
analysis process and incorporate it directly into your risk management processes.
Finally, we can't forget, we talk about it all the time, adopt the SBOM concept in concert
with a zero-trust security mindset.
So is the notion here with SBOMs that, for example, the next Log4j comes out or something
like that, that's deep within the code of things I might be using,
that I can just look through that software bill of materials and see whether or not I've got a
problem? Well, this is going to be one of the challenges. So cataloging and understanding
all of the information that SBOMs contain is really going to be one of the first things that agencies will need to do.
So finding that software, you're really going to have to make sure your cataloging
is accurate and valid. So we see that as one of the challenges. There are a couple other
challenges around implementing this, especially on the regulatory front. Just to back up a little
bit, there is an entire section of the executive order devoted to software supply chain security,
and we also expect forthcoming OMB guidance on secure development practices to make SBOM the standard for vendor self-attestation. And so basically the OMB guidance will be put
into contractual terms by agencies and depending on the release date of that guidance,
we may see some proofs of concept appear before the end of fiscal year 2022, but that guidance
is likely not to be overly prescriptive. Going back to some of the
challenges there, right now, agencies currently don't have the staff to meet OMB's guidance and
requirements. The cataloging, again, cyber fatigue, there are constantly new developments rolling out
and new guidelines to follow. Sometimes it can be difficult to keep up with every new development,
especially as we see OMB previously requiring agencies to comply with NIST's secure software development framework.
That was precipitated by SolarWinds in 2020.
Eventually, software vendors will be expected to prove their compliance with that NIST framework.
And vendors prefer self-attestation rather than third-party verification.
So for the SBOM to be standardized and practically used, it's going to require deadlines for vendors and a concrete process that can be reapplied over and over again
for using the information those SBOMs contain.
And what sort of timeline do you suppose that we're on here?
So we've seen the Biden administration at least put a clear timeline in place
for complying with the adoption of zero trust and other measures.
So we know that whatever timeline will be
practically applied, and it's going to be helpful for federal contractors to allow them
enough time to budget for the changes. So we're expecting at some point within this fiscal year
for that guidance to come out. All right. Well, Betsy Carmelite, thanks for joining us.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman, Trey Hester, Brendan Karp, Eliana White, Liz Ervin,
Thanks for listening.
We'll see you back here tomorrow. Thank you.