CyberWire Daily - The Supreme Court is bringing a judicial shakeup.
Episode Date: July 3, 2024. The Supreme Court overturning Chevron deference brings uncertainty to cyber regulations. Stolen credentials unmask online sex abusers. CISA updates online maritime resilience tools. Patelco Credit Union suffers a ransomware attack. Spanish and Portuguese police arrested 54 individuals involved in a vishing fraud scheme. Splunk patches critical vulnerabilities in their enterprise offerings. HHS fines a Pennsylvania-based Health System $950,000 for potential HIPAA violations related to NotPetya. CISOs look to mitigate personal risks. On the Learning Layer we reveal the long-awaited results of Joe Carrigan’s CISSP certification journey. Avoiding an Independence Day grill-security flare-up. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. Learning Layer On today's Learning Layer segment, we share the results of Joe Carrigan's CISSP exam attempt! Hint: the test ended at 100 questions...Tune in to hear host Sam Meisenberg and Joe reflect on his test day experience and what advice he has for others who are in the homestretch of their studies. Note, Joe's ISC2 CISSP certification journey used N2K’s comprehensive CISSP training course. 
Selected Reading US Supreme Court ruling will likely cause cyber regulation chaos (CSO Online) Stolen credentials could unmask thousands of darknet child abuse website users (The Record) CISA updates MTS Guide with enhanced tools for resilience assessment in maritime infrastructure (Industrial Cyber) American Patelco Credit Union suffered a ransomware attack (Security Affairs) Dozens of Arrests Disrupt €2.5m Vishing Gang (Infosecurity Magazine) Splunk Patches High-Severity Vulnerabilities in Enterprise Product (SecurityWeek) Feds Hit Health Entity With $950K Fine in Ransomware Attack (GovInfo Security) How CISOs can protect their personal liability (CSO Online) Traeger Grill D2 Wi-Fi Controller, Version 2.02.04 (Bishop Fox) Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show. Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
I was concerned about my data being sold by data brokers. So I decided to try Delete.me.
I have to say, Delete.me is a game changer. Within days of signing up, they started removing my
personal information from hundreds of data brokers. I finally have peace of mind knowing
my data privacy is protected. Delete.me's team does all the work for you with detailed reports
so you know exactly what's been done. Take control of your data and keep your private life... JoinDeleteMe.com slash N2K and use promo code N2K at checkout.
The only way to get 20% off is to go to JoinDeleteMe.com slash N2K and enter code N2K at checkout.
That's JoinDeleteMe.com slash N2K, code N2K.
The Supreme Court overturning Chevron deference brings uncertainty to cyber regulations.
Stolen credentials unmask online sex abusers.
CISA updates online maritime resilience tools.
Patelco Credit Union suffers a ransomware attack.
Spanish and Portuguese police arrest 54 individuals involved in a vishing fraud scheme.
Splunk patches critical vulnerabilities in their enterprise offerings.
HHS fines a Pennsylvania-based health system $950,000 for potential HIPAA violations related to NotPetya.
CISOs look to mitigate personal risks.
On the Learning Layer, we reveal the long-awaited results of Joe Carrigan's CISSP certification journey, and avoiding an Independence Day grill security flare-up.
It's Wednesday, July 3rd, 2024.
I'm Dave Bittner, and this is your CyberWire Intel briefing. Thanks for joining us here today. It is great to have you with us.
The U.S. Supreme Court has dramatically shifted the regulatory landscape with its decision in Loper Bright Enterprises v. Raimondo,
undermining nearly 40 years of established law by overturning the Chevron deference.
This precedent had allowed courts to defer to regulatory agencies' interpretations of ambiguous congressional statutes.
Now, the courts are the final arbiters, potentially destabilizing federal regulations across various sectors, including cybersecurity.
Chief Justice John Roberts stated that courts
must independently determine if agencies have exceeded their statutory authority.
This decision does not overturn past cases, but encourages new challenges to existing regulations.
For cybersecurity, this means recent regulations might face significant legal hurdles.
Potentially impacted regulations include SEC cyber incident reporting, FCC data breach reporting
rules, CISA cyber incident reporting, TSA cybersecurity directives, and many others.
Pending regulatory actions such as Coast Guard maritime cybersecurity rules
and FCC requirements related to the Border Gateway Protocol could also be affected.
Furthermore, long-standing rules like those from NERC and the Nuclear Regulatory Commission
may face fresh judicial reviews. This decision
introduces uncertainty for CISOs who must navigate conflicting judicial decisions across
different circuits. Existing regulations remain in effect, but the likelihood of deregulation
and inconsistent application of laws will complicate compliance efforts.
CISOs should prepare for a turbulent regulatory environment and potential shifts in cybersecurity requirements
due to increased litigation and judicial scrutiny.
So hold on to the bar.
We may be in for a bumpy ride.
Researchers at Recorded Future have discovered that thousands of users on darknet websites
sharing child sexual abuse material can be identified using stolen credentials.
InfoStealer malware, typically used to steal banking logins,
also captured credentials for CSAM sites on the Tor network.
These logs link anonymous CSAM site users to clear web accounts, like Facebook,
revealing real names and personal data.
Recorded Future analyzed this data and identified around 3,300 users with CSAM site accounts
and shared their findings with U.S. law enforcement.
Case studies include a previously convicted child exploiter and a
volunteer at children's hospitals with multiple CSAM site accounts. The research highlights how
InfoStealer data, which also includes various other criminal activities, can aid law enforcement
in uncovering offenders and protecting children. The report aims to demonstrate the potential of such data
in criminal investigations. The U.S. Cybersecurity and Infrastructure Security Agency has enhanced
its Marine Transportation System Resilience Assessment Guide, that's the MTS Guide,
with a new web-based tool for maritime stakeholders. The updated guide, incorporating expertise from partner agencies,
offers resources and methodologies to evaluate and strengthen the resilience of port networks
and inland marine transportation systems.
It uses sophisticated techniques like Bayesian network analysis
and provides a systematic framework for resilience assessments.
The MTS guide is customizable and scalable, similar to other planning frameworks,
and helps identify issues, focus assessments, and implement findings.
The guide emphasizes a holistic view of infrastructure, people, and organizations
to develop strategies for reducing losses during disruptions.
It also features a resilience assessment resource matrix,
a web-based library with over 100 tools,
and resources to support maritime resilience assessments.
Patelco Credit Union, serving Northern California,
shut down several banking systems following a ransomware attack on June 29th.
Patelco, with over $9 billion in assets, is working with cybersecurity experts and has reported the incident to regulators and law enforcement. Affected services include online
banking, the mobile app, and outgoing wire transfers, while ATMs and cash deposits remain functional.
The ransomware type is undisclosed, and it's unclear if any data was stolen.
No ransomware group has yet claimed responsibility.
Spanish and Portuguese police arrested 54 individuals involved in a $2.7 million vishing fraud scheme targeting senior citizens.
The coordinated operation on June 4, led by Europol, involved the Spanish National Police
and the Portuguese Judicial Police. Nineteen properties were searched, resulting in the
seizure of computers, mobile phones, SIM cards, and drugs. The gang used vishing and social engineering tactics,
posing as bank employees to extract information
before visiting victims' homes to steal cards, bank details, and pins.
Some victims were forcibly robbed.
Stolen funds were laundered through a network of money mules.
The urgency of the operation was due to intercepted communications indicating planned severe violence.
Vishing is increasingly used by cybercriminals as text-based scams become less effective.
Splunk has released security updates to fix critical vulnerabilities in Splunk Enterprise versions 9.0, 9.1, and 9.2,
which could allow remote code execution, command injection, and crashes. Users are urged to update
immediately. Federal regulators fined Pennsylvania-based Heritage Valley Health System, $950,000 for potential HIPAA violations
after a 2017 ransomware attack involving NotPetya. This is the third HIPAA enforcement action by the
U.S. Department of Health and Human Services linked to ransomware. The number of ransomware-related
breaches reported to HHS has nearly tripled since 2018. HHS found that Heritage Valley failed to
conduct a HIPAA security risk analysis, implement a contingency plan, and restrict access to
electronic protected health information. The settlement requires Heritage Valley to undertake
a corrective action plan, including a thorough risk analysis and workforce training on HIPAA policies.
Heritage Valley stated there was no unauthorized data access and that they have implemented
safeguards to prevent future incidents. Court cases against CISOs like Joe Sullivan of Uber
and Timothy Brown of SolarWinds have highlighted the severe personal risks for
security leaders, including potential jail time and hefty fines. A thoughtful report from CSO
Online looks at the steps CISOs are taking to mitigate these risks. First, they're ensuring
clear definitions of roles and responsibilities within their organizations. Transparent corporate
standards help prevent misunderstandings about accountability in risk management.
Meticulous documentation has become essential. CISOs like David Cross of Oracle SaaS Cloud
are keeping detailed records of all decisions and actions to reduce personal liability and
provide evidence of compliance with corporate policies.
Maintaining a risk register is another critical strategy.
By recording cyber risks and stakeholder acceptance,
CISOs ensure high-level acknowledgement of these risks,
protecting themselves from repercussions if breaches occur.
CISOs are also seeking legal protection through indemnification
agreements and engaging independent legal counsel. Monitoring public statements about their company's
security practices is crucial to avoid legal consequences from discrepancies. By adopting
these strategies, CISOs can balance securing their organizations while safeguarding themselves from personal liability.
Coming up on our Learning Layer segment, host Sam Meisenberg and Joe Carrigan reflect on his test day experience and what advice he has for others who are in the homestretch of their studies.
Stay tuned to see how Joe did.
Transat presents a couple trying to beat the winter blues.
We could try hot yoga.
Too sweaty.
We could go skating.
Too icy.
We could book a vacation.
Like somewhere hot.
Yeah, with pools.
And a spa.
And endless snacks.
Yes!
Yes!
Yes!
With savings of up to 40% on Transat self-packages, it's easy to say, so long to winter.
Visit Transat.com or contact your Marlin travel professional for details.
Conditions apply.
Air Transat.
Travel moves us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs,
we rely on point-in-time checks.
But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your
company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
On today's Learning Layer segment, our host Sam Meisenberg teams up with Joe Carrigan,
my co-host over on Hacking Humans, to see how Joe did on his CISSP certification exam. So I start every Learning Layer
CISSP journey with Joe the same way.
And I say, we are bringing Joe on
to talk about his experience
as he gets ready for the CISSP.
Right.
But this is a different one because, Joe, you are done.
I'm done.
You have taken the test.
I took the test.
Congratulations on even taking it.
Right.
But, you know, we're not here to just win by showing up.
Right.
How'd it go?
It was not what I expected.
Joe, hang on.
Hang on.
People are dying to know the binary yes or no.
Did you pass?
Well, spoiler alert.
Yes, I passed.
Hey, congratulations.
So thank you.
Round of applause.
That's incredible.
But it was, I was in there. I started taking the tests and started looking at the questions.
And very quickly, I get a lot of questions that are like, I haven't ever seen this before. Sure, sure. So I started taking the
questions. I'm like, all right, let's get this done. And the first question comes up and I'm like,
huh, I don't, you know, haven't seen this in the study materials. Let me think about it.
And I take my time and I think about it. And I get the impression that there's a lot of questions I'm just getting wrong as I'm taking this test.
And then after about question 50, there are a bunch of questions that were just right up straight out of the knowledge set that were very easy for me to get.
Awesome.
Now I got this one.
I got this one. Okay.
Here's another one I don't have, but I would sit down and think about it. Think about the
perspective. Think about what the manager would think about. And I get to the hundredth question
and I click next and I'm like, and it goes, your test has ended. Oh. I'm like, I was not expecting the test to end here.
So, Joe, you passed and ended a question 100.
Yes.
You know what that means?
Well, I know what I thought it meant.
I thought it meant, get out of here.
But no, apparently it means you have demonstrated enough knowledge
by 100 questions that you passed the test.
You crushed it.
That's what you literally saw the minimum number of questions.
The test was like, I don't want this anymore.
Right.
I have two interns that work for me.
They taught me this new slang word called cooked.
Cooked.
The test was cooked.
Cooked.
How you spell cooked?
Is that C-O-O-K-E-D?
I think so.
Okay, cooked.
But I'm going to use that with my kids.
You crushed it is what the test is like.
I don't want Joe to be around anymore. I give
up early. Right. So that's incredible. Yes. I answered it into submission. Well done.
Veni, vidi, vici. How long did it take you? How many hours? It took me, let me think here. I was
keeping track of that because I got the first 50 questions in about an hour.
Okay.
So I was, you know, because I knew I had three hours to take the test.
Sure.
And I was pacing myself to be, I was a little bit ahead of an hour at the end of 50 questions.
Okay.
At the end of 100 questions, I was probably about 10 minutes ahead of two hours.
Great.
Okay.
So about an hour and 50 minutes.
Sure.
That's, you know, probably a little faster than you needed to, but it sounds like what
you did do as you described around question 50,
when you got just straight up content question, you can go predict the right answer.
Right.
You can go faster on those.
Yeah.
Again, you would have used all that time for 101 to 150 if it had happened.
Right. So, yeah, and that's a good point.
So, when I was able to do the answer prediction stuff, and it was right there,
and I knew the answer was part of it.
Yeah, those questions,
I probably took maybe 15 to 30 seconds a piece on those.
Nice.
I'm curious,
given now that you're on the other side,
both on the test itself and the studying,
what is like one piece of advice
you would give to somebody
who's gearing up for their CISSP?
It's more about the way you think about things than it is about, you know, the knowledge.
The knowledge is good.
The knowledge is very important.
Yeah.
But it's more like you've been saying the entire time.
It is about the managerial way of thinking.
And I really tried to apply that in the test- taking part is you have to think like a manager
and I've heard not just you
but a bunch of other people say that.
So that is not a lie.
That is not people telling you something.
That is exactly what you need to do
and I like to think that I thought like a manager
and I was done with the test and 100 questions.
I got some other questions for you.
I had somebody on my team pull some stats on your studying.
Okay.
So let's do Joe Carrigan's CISSP pass by the numbers.
How many total questions do you think you did in the LMS?
How many total questions?
I should know this because it has them listed there.
I'm going to guess I did close to 400.
690. 690.
690.
Okay.
Okay.
How many, we also calculated the amount of hours you spent just on the question.
So again, this is not reviewing, this is not studying, literally just sitting down doing
questions.
Okay.
Um, I'm going to guess six hours?
No, it can't be six hours.
It's got to be longer than that, like probably 10 hours.
You're in between six and 10.
Eight hours.
Eight hours.
Okay.
That's pretty good.
You actually spent just one hour
just doing identity access management questions.
Yes.
You were deep in those.
I was worried about that.
Which domain do you think
you did the most questions in with 170? That was probably domain one. Nice. Security risk
management. Right. Some other stats to share with you. First of all, your first QuizBank quiz was in
March and your last one, you know, went through June. So that's a lot of months of studying.
Yep.
Your worst QBank quiz was 50%. 50% and that was in domain seven.
Okay.
And what was your best?
Do you know?
I'm going to say it was 85.
Well done, 86.6.
86%.
So I have a commentary on that stat,
which is supposed to show you the volatility.
It's normal to maybe score a little bit lower
in some stuff and then score really high. You're never like as good as you look,
you're never as bad as you look. So volatility happens in the questions. In your final exam,
I love this because let me ask you, what domains were your best in the final? Do you remember?
I think
domain one was my best.
There was one that I, no.
Yeah, I think it was, there was one
that gave me the green circle and all the rest of them
gave me a yellow circle. Correct. So you were above
proficiency and actually two of them. Okay.
It was identity access management
to five and then domain eight.
Domain eight.
Oh, software development.
And why does that make me smile?
Because I'm a software engineer.
Well, and yes.
And because on your diagnostic.
My diagnostic, I did not do well in software development.
That's what I'm talking about.
And that is so beautiful.
It makes me so happy.
Things have come full circle.
Your weakness in the diagnostic
all of a sudden became the strength in the final.
Right.
And that's something to be proud of.
Yeah.
Yeah, it was good.
So I asked you what a takeaway was from your perspective.
I have a takeaway I want to share with the listeners.
Okay.
All of the stats that I just shared, 690 questions.
It takes a lot to pass this test.
Yeah.
Like all the hard work you put in, that's what it takes.
There are no shortcuts when
you're studying for certification exams, especially the CISSP. I would agree with that 100% with this.
So congratulations again, Joe. And also on a personal level, I have to thank you because
if you imagine you hadn't passed, I will look really bad. You made me look good. You and me both.
So congratulations. It was great working with you. I knew from the beginning you were going to be fine,
but to actually watch it happen
and you put in all the hours and effort was fun to watch.
Yeah, I'll tell you this, Sam.
I didn't have that level of confidence
in how I was going to pass this test
all the way up to the point where
right before I picked up the piece of paper
and said, you passed.
Yeah.
I was not 100% confident until I saw that,
but that's just my nature.
Yeah.
But yeah,
I don't know.
Maybe it's imposter syndrome.
Who knows?
Congratulations.
Thank you.
You can't fudge your way around being fully certified CISSP.
So congratulations again.
And whenever you're ready
for the next cert,
let me know.
Okay.
I will let you know.
It's worth mentioning that Joe's ISC2 CISSP certification journey
made extensive use of N2K's comprehensive CISSP training course.
You can find out more about that on our website.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
And finally, as we head into the July 4th holiday,
many will be firing up their grills for some festive fun.
However, beware of the Traeger Grill D2 Wi-Fi controller's latest vulnerabilities,
revealed by Bishop Fox. These critical flaws, if exploited, allow hackers to control your grill remotely, potentially turning your perfectly cooked steak into a charred disaster.
Bishop Fox discovered that the grill's API lacked sufficient authorization controls,
allowing attackers to hijack other users' grills by obtaining their 48-bit identifiers.
Imagine your neighbor cranking up the heat on your grill mid-cook. To exploit this,
attackers can capture network traffic or scan the grill's QR code. Fortunately, Traeger has released updates to fix these issues.
To stay safe, ensure your grill's firmware is up to date
and consider turning it off when not in use.
Enjoy your holiday grilling,
but do keep an eye on your Wi-Fi-connected devices.
I'll take my steak medium-rare.
No password required.
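The Traeger story turns on one design mistake: the cloud API treated knowledge of a grill's 48-bit identifier as proof that the caller was allowed to control it, so anyone who learned the ID (from captured traffic or the QR code) could issue commands. The following is an added illustration, not code from Bishop Fox's research or from Traeger, using a toy in-memory "grill cloud" API. The handler names, the ownership table, the device state and the 48-bit ID values are all assumptions for illustration; the point is the contrast between an endpoint that authorizes on the identifier alone and one that checks the authenticated user against an ownership record.

```python
# Added example, not code from Bishop Fox's research or from Traeger.
# A toy "grill cloud" API showing the class of flaw the story describes:
# treating knowledge of a device identifier as authorization. Names, the
# ownership table and the 48-bit ID values are assumptions for illustration.


class Forbidden(Exception):
    """Raised when a caller tries to act on a device they do not own."""


# Constructed ownership table: username -> set of 48-bit grill identifiers.
GRILL_OWNERS = {
    "alice": {0x1A2B3C4D5E6F},
    "bob": {0x0F0E0D0C0B0A},
}

# Constructed device state keyed by grill identifier (target temperature in F).
GRILL_STATE = {
    gid: {"target_f": 225}
    for owners in GRILL_OWNERS.values()
    for gid in owners
}


def set_target_vulnerable(grill_id: int, target_f: int) -> int:
    """Hypothetical vulnerable handler: anyone who presents a valid grill ID can
    change its setpoint. Possession of the identifier is the only 'credential',
    so an ID leaked via captured traffic or a QR code is enough to hijack."""
    if grill_id not in GRILL_STATE:
        raise KeyError("unknown grill")
    GRILL_STATE[grill_id]["target_f"] = target_f
    return GRILL_STATE[grill_id]["target_f"]


def set_target(user: str, grill_id: int, target_f: int) -> int:
    """Hardened handler: the authenticated caller must own the grill. The ID is
    still used to address the device but no longer grants access by itself.
    Ownership is checked first so non-owners get the same answer whether or
    not the ID exists."""
    if grill_id not in GRILL_OWNERS.get(user, set()):
        raise Forbidden(f"{user} may not control grill {grill_id:012x}")
    GRILL_STATE[grill_id]["target_f"] = target_f
    return GRILL_STATE[grill_id]["target_f"]


def hijack_attempt(attacker: str, leaked_grill_id: int, target_f: int) -> dict:
    """Replays the same request against both handlers using an identifier the
    attacker has learned, and reports whether each handler let it through."""
    before = GRILL_STATE[leaked_grill_id]["target_f"]
    vulnerable_changed = set_target_vulnerable(leaked_grill_id, target_f) == target_f
    GRILL_STATE[leaked_grill_id]["target_f"] = before  # undo before the hardened run
    try:
        set_target(attacker, leaked_grill_id, target_f)
        hardened_blocked = False
    except Forbidden:
        hardened_blocked = True
    return {
        "vulnerable_changed": vulnerable_changed,
        "hardened_blocked": hardened_blocked,
        "state_after": GRILL_STATE[leaked_grill_id]["target_f"],
    }


def blind_guess_success_probability(attempts: int, id_bits: int = 48) -> float:
    """Why the attack needs a leaked ID rather than enumeration: the chance that
    a given number of blind guesses hits one specific 48-bit identifier."""
    return attempts / float(2 ** id_bits)


if __name__ == "__main__":
    # Bob learned Alice's grill ID (the story's traffic capture or QR scan).
    print(hijack_attempt("bob", 0x1A2B3C4D5E6F, 500))
    print(blind_guess_success_probability(1_000_000))
```

Two caveats worth keeping in mind when reviewing a similar API: a 48-bit identifier is far too large to guess blind, so the realistic attack path is obtaining the ID, exactly as the story says; and once an identifier is printed on a sticker or sent unencrypted it is public, so it can never double as the authorization token. The ownership check has to live server-side, on every state-changing endpoint, regardless of how long the ID is.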
And that's the Cyber Wire.
We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity.
If you like our show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire at
n2k.com. We're privileged that N2K Cyber Wire is part of the daily routine of the most influential
leaders and operators in the public and private sector, from the Fortune 500 to many of the
world's preeminent intelligence and law enforcement agencies
N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter
about your teams while making your teams smarter. Learn how at n2k.com. This episode was produced by
Liz Stokes. Our mixer is Trey Hester, with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Iben.
Our executive editor is Brandon Karp.
Simone Petrella is our president.
Peter Kilby is our publisher.
And I'm Dave Bittner.
We are taking a few days off to enjoy the July 4th holiday weekend.
We will see you back here this coming Monday.
Have a great weekend.
With Domo, you can channel AI and data into innovative uses that deliver measurable
impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain
insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com.
That's ai.domo.com.