CyberWire Daily - UK’s newest cybersecurity MVPs.
Episode Date: September 12, 2024

The UK designates data centers as Critical National Infrastructure. Cisco releases patches for multiple vulnerabilities in its IOS XR network operating system. BYOD is a growing security risk. A Pennsylvania healthcare network has agreed to a $65 million settlement stemming from a 2023 data breach. Google Cloud introduces air-gapped backup vaults. TrickMo is a newly discovered Android banking malware. GitLab has released a critical security update. A $20 domain purchase highlights concerns over WHOIS trust and security. Our guest is Jon France, CISO at ISC2, with insights on Communicating Cyber Risk of New Technology to the Board. And, could Pikachu be a double-agent for Western intelligence agencies?

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Our guest is Jon France, CISO at ISC2, sharing his take on "All on Board for AI – Communicating Cyber Risk of New Technology to the Board." This is a session Jon presented at Black Hat USA 2024. You can check out his session's abstract. Also, N2K CyberWire is a partner of ISC2's Security Congress 2024. Learn more about the in-person and virtual event here.
Selected Reading
UK Recognizes Data Centers as Critical National Infrastructure (Infosecurity Magazine)
Cisco Patches High-Severity Vulnerabilities in Network Operating System (SecurityWeek)
BYOD Policies Fueling Security Risks (Security Boulevard)
Healthcare Provider to Pay $65M Settlement Following Ransomware Attack (SecurityWeek)
Google Unveils Air-gapped Backup Vaults to Protect Data from Ransomware Attacks (Cyber Security News)
New Android Banking Malware TrickMo Attacking Users To Steal Login Credentials (Cyber Security News)
GitLab Releases Critical Security Update, Urges Users to Patch Immediately (Cyber Security News)
Rogue WHOIS server gives researcher superpowers no one should ever have (Ars Technica)
Pokémon GO was an intelligence tool, claims Belarus military official (The Register)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential security leaders in the industry. Learn more about our network sponsorship opportunities and build your brand where industry leaders get their daily news.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
The UK designates data centers as critical national infrastructure. Cisco releases patches for multiple vulnerabilities in its IOS XR network operating system. BYOD is a growing security risk. A Pennsylvania healthcare network has agreed to a $65 million settlement stemming from a 2023 data breach. Google Cloud introduces air-gapped backup vaults. TrickMo is a newly discovered Android banking malware. GitLab has released a critical security update. A $20 domain purchase highlights concerns over WHOIS trust and security. Our guest is Jon France, CISO at ISC2, with insights on communicating cyber risk of new technology to the board. And could Pikachu be a double agent for Western intelligence agencies?
Today is Thursday, September 12th, 2024.
I am Trey Hester, filling in for Dave Bittner,
and this is your CyberWire Intel Briefing.
Greetings all, and thank you for joining us today.
The UK has designated data centres as critical national infrastructure, placing them alongside energy and water systems. Announced by Technology Secretary Peter Kyle on September 12th, the move aims to bolster cybersecurity and prevent IT disruptions. A dedicated government team will provide support, monitor threats, and coordinate with security agencies like the National Cyber Security Centre to protect data centres from attacks. This comes alongside a proposed $3.75 billion investment in a new data centre and an $8 billion investment in Amazon Web Services. Industry leaders welcome the move, noting that many centres already meet CNI security standards.
Cisco has released patches for eight vulnerabilities in its IOS XR network operating system, including six high-severity flaws. The most critical, with a CVSS score of 8.8, could allow attackers with low privileges to elevate their access to root by executing crafted commands. Another major issue affects the mtrace2 feature and could be exploited remotely to trigger a denial-of-service attack. Cisco also disclosed two high-severity command injection vulnerabilities in the Routed Passive Optical Network controller software. These and two other flaws, including two medium-severity issues, have been patched. Cisco is unaware of any active exploitation of these vulnerabilities.
Verizon's 2024 Mobile Security Index highlights the growing security risk posed by employee mobile device use at work, known as Bring Your Own Device, or BYOD. The report reveals that 37% of employees use public Wi-Fi despite organizational bans, increasing vulnerability. Mobile device threats surged in 2023, with 85% of organizations seeing more risks, while 77% fear AI-driven attacks like deepfakes and SMS phishing. Critical infrastructure sectors, including energy and healthcare, are particularly at risk, with 86% reporting heightened mobile and IoT security issues. Verizon's Mike Caralis stresses the importance of comprehensive security strategies, including mobile device management, network access control, and employee training on phishing and AI-driven threats. He warns that unmonitored devices and insecure connections can lead to severe security breaches. Most organizations are boosting mobile security spending, but a united effort between public and private sectors is essential to counter evolving threats.
Lehigh Valley Health Network in Pennsylvania has agreed to a $65 million settlement in response to a class-action lawsuit stemming from a 2023 data breach. The breach, attributed to the BlackCat ransomware gang, began in January of 2023 and impacted over 130,000 patients and employees. Stolen data included personal and medical information, social security numbers, and, in some cases, clinical images and nude photos. LVHN disclosed the attack in February and confirmed the involvement of the ransomware group in July. Affected individuals were offered two years of identity protection. The class-action suit, filed in March of 2023, accused LVHN of failing to safeguard patient data. Settlement payments will range from $50 to $70,000, with the highest amounts awarded to those whose photos were leaked. A final approval hearing is scheduled for November 15.
Google Cloud has introduced air-gapped backup vaults as part of its enhanced backup and disaster recovery service, now available in preview. These vaults provide robust protection against ransomware and unauthorized data manipulation by creating immutable and indelible backups, preventing modification or deletion until a set retention period elapses. Isolated from the customer's Google Cloud project, these air-gapped vaults reduce the risk of direct attacks on backups.
TrickMo is a newly discovered Android banking malware identified by Cleafy's Threat Intelligence team that targets financial institutions and customers. Derived from the TrickBot malware, TrickMo uses advanced evasion techniques like broken zip files and broken apps to avoid detection. Disguised as Google Chrome, it exploits Android accessibility services to gain admin controls. Once installed, TrickMo can capture one-time passwords, record screens, log keystrokes, and remotely access infected devices. It also conducts HTML overlay attacks to steal credentials. The malware communicates with its command-and-control server, which stores exfiltrated data, including logs, credentials, and images, but lacks authentication, leaving victims vulnerable to multiple attackers. Initially discovered in 2019 by CERT-Bund, TrickMo primarily targets European banking apps with a focus on German-language users. A recent leak exposed 12 gigabytes of stolen data, raising concerns about future exploitation.
GitLab has released a critical security update addressing multiple vulnerabilities. The most severe flaw has a CVSS score of 9.6 and could allow attackers to trigger pipelines as other users. GitLab urges all users to upgrade to the latest patched versions immediately to prevent security risks, including unauthorized access, privilege escalation, and data compromise. GitLab.com has been patched, and no action is required for GitLab Dedicated customers.
Security researcher Benjamin Harris, CEO of watchTowr, exploited a $20 domain purchase to gain control of a previously authoritative WHOIS server for the .mobi domain, leading to significant security concerns. After discovering that the original domain, dotmobiregistry.net, had expired, Harris registered it and set up a rogue WHOIS server. Within days, his server received millions of queries from high-profile organizations, including governments, security tools, and certificate authorities. This allowed Harris to potentially issue counterfeit HTTPS certificates, track email activity, and execute malicious code on querying devices. The vulnerability exposed flaws in trust systems and outdated infrastructure, which could be exploited by attackers. Harris's findings highlight the fragility of internet trust and security processes, and the incident led to discussions with security organizations to prevent further misuse of the domain. The issue underscores broader concerns about the recycling of infrastructure and expired domains.
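The failure mode in the .mobi story is a WHOIS client (or a certificate authority's validation tooling) that carries a hard-coded TLD-to-server table and keeps querying whichever host that table names, long after the TLD's registry has moved and the old hostname's domain has expired. The defensive check is to resolve the referral for a TLD from IANA's root WHOIS service and flag any configured server that disagrees with it. The script below is an added example, not code from the podcast, from watchTowr, or from any WHOIS client; the IANA reply it parses is a constructed sample in the real record's key-value layout, and the hostnames in the "stale" client table are placeholders rather than real registry servers.

```python
"""Flag stale WHOIS referral servers in a client's hard-coded TLD table.

Added example (not from the podcast or watchTowr). Assumptions: the client keeps a
TLD -> WHOIS server mapping, and IANA's root WHOIS reply for a TLD carries the
authoritative referral in a "whois:" line. Sample data below is constructed.
"""
import re
import socket
from typing import Dict, Optional, Tuple

# Constructed sample of an IANA root WHOIS reply for a TLD. Real replies use the
# same "key:  value" layout; "EXAMPLE" and "whois.nic.example" are placeholders.
SAMPLE_IANA_REPLY = """\
% IANA WHOIS server
% for more information on IANA, visit http://www.iana.org

domain:       EXAMPLE

organisation: Example Registry Operator
address:      1 Example Street

contact:      administrative
name:         Registry Admin

whois:        whois.nic.example

status:       ACTIVE
"""

# Constructed stale client table: the kind of hard-coded mapping that kept clients
# pointing at an expired domain in the .mobi incident. Hostnames are placeholders.
STALE_CLIENT_TABLE = {
    "example": "whois.old-registry.example",  # differs from the IANA referral
    "test": "whois.nic.test",                  # no IANA reply available below
}


def parse_iana_referral(reply: str) -> Optional[str]:
    """Return the 'whois:' referral host from an IANA root WHOIS reply, or None.

    Hostnames are normalised to lower case with any trailing dot removed so that
    cosmetic differences do not mask or fake a mismatch.
    """
    for line in reply.splitlines():
        m = re.match(r"^whois:\s+(\S+)\s*$", line, re.IGNORECASE)
        if m:
            return m.group(1).lower().rstrip(".")
    return None


def find_stale_referrals(
    client_table: Dict[str, str], iana_replies: Dict[str, str]
) -> Dict[str, Tuple[str, Optional[str]]]:
    """Compare a client's TLD -> server table against IANA referrals.

    iana_replies maps tld -> raw IANA reply text. Returns {tld: (configured, iana)}
    for every TLD whose configured server differs from the IANA referral. A TLD
    with no reply, or a reply without a referral, is reported with iana=None so
    that it is reviewed rather than silently trusted.
    """
    stale = {}
    for tld, configured in client_table.items():
        reply = iana_replies.get(tld)
        referral = parse_iana_referral(reply) if reply else None
        if referral != configured.lower().rstrip("."):
            stale[tld] = (configured, referral)
    return stale


def fetch_iana_reply(tld: str, timeout: float = 5.0) -> str:
    """Live lookup of a TLD against whois.iana.org on port 43 (network required).

    Not used by the offline demonstration in main(); provided so the check can be
    run against real referrals on a schedule.
    """
    with socket.create_connection(("whois.iana.org", 43), timeout=timeout) as s:
        s.sendall((tld + "\r\n").encode("ascii"))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def main() -> None:
    # Offline demonstration on the constructed data only.
    stale = find_stale_referrals(STALE_CLIENT_TABLE, {"example": SAMPLE_IANA_REPLY})
    for tld, (configured, iana) in stale.items():
        print(f".{tld}: configured={configured!r} iana_referral={iana!r}")


if __name__ == "__main__":
    main()
```

Run on a schedule against live IANA replies (via `fetch_iana_reply`), this turns "our WHOIS client still points at a server that no longer exists" into an alert rather than a discovery made by whoever registers the expired domain next.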
Coming up after the break, Dave Bittner's conversation with Jon France, CISO at ISC2. Jon shares his Black Hat USA 2024 session, "All on Board for AI: Communicating Cyber Risk of New Technology to the Board." Stay with us.
Jon France, CISO at ISC2, sits down with Dave Bittner to discuss his insights on communicating cyber risk of new technology to the board.
It's actually a conjunction of two very topical things.
And they sit quite nicely together, which is, some people call it an emerging.
It's an emerged technology in AI that's
really hitting the mainstream now. And that has lots of promise. Speaking to some people, it has
lots of peril potentially with it. And those kind of risk balances, the risk reward need to be
communicated to the right stakeholders and leadership. And that happens to also intersect
with the board needs to be made aware.
So, board-level communications from a cybersecurity practitioner's point of view or from a CISO's
point of view is being able to articulate somewhat highly technical things in a language
that resonates with leadership, and so they can understand it and make the correct decisions
around it.
So, that's why the two topics together. So topical, tackling two
interesting facets that are of the moment.
Well, let's go through some of the highlights from the presentation together.
I guess I'm curious, where do we find
a typical board member coming to this conversation?
What is their perception of AI?
Yeah, I mean, it's a great question.
So, you know, if you listen to the drums of what's going on,
AI is either going to solve the world's problems
or going to eat the world.
Business leaders are kind of looking to leverage
the solve the world problems,
I think.
And they're really focused on
really trying to get value
out of new technologies
to keep competitive advantage
or to gain efficiency in operation.
So they're sort of viewing,
in essence,
what's hitting them in the face
daily these days.
AI is going to make you more efficient.
It's going to enable you to do things you haven't done before
as a good business opportunity.
And so they're looking to exploit that.
Some of them are aware of some of the risks also as well.
So that's the counterpart to that.
Is it the security professional's job to say,
not so fast here, there could be potential peril ahead?
I think a really good security pro or a CISO
is what I love to call the balance engine.
So we never want to be the department of no,
and nor should we be.
We're the department of let's take a look at it,
and it's yes, maybe, but here are some guidelines.
So a really good CISO, especially in light of AI, which, by the way, through some of our surveys is showing that there's not a huge amount of depth of knowledge in AI out there in terms of some of the risks and rewards that it happens to present, but a really, really good CISO is that balance of saying,
look, we need to be a little more risk cautious around here.
Here are some of the pitfalls.
Now we can talk about AI and that might be hallucination
and data usage rights of model training and biasing
and those kind of things.
And here's how you've got to watch out for those kind of things
if we're going to make it part of our decision matrix.
But also the other balance is,
and here's where you can probably take a little more risk
than you think you might be able to take.
So, you know, it's not all downside and beware.
It can be upside and actually I'll come and bust some myths
and let's have a look at it in a balanced way.
And we may be able to take a little more risk here if it's not, you know,
it's not life mission critical or critical to our actual infrastructure.
We could take a little more risk.
If it is, then we might need to be a little safer on that side of how we incorporate.
So it's that kind of balance and communicating that to the board.
So what you really want to be is a business leader and a partner to the board offering sage advice in your expert area in a language that the board actually can digest.
How do you handle that translation layer there?
You say communication is key and that can be a challenge of bridging that gap.
Yeah, and I hope I'm not an outlier in this case.
My CEO tends to say,
you're a bit weird for a techie because you actually understand business.
But I think that's it.
Flippantly, she makes an important point,
which is a lot of CISOs
have come through a very technical background
and use jargon.
That doesn't really resonate well with people that have come from the business angle.
So we're a little bit of a translation there.
We've got to be able to translate technical concept into business language.
The language of business, as we know, is risk, reward, sometimes regulation and responsibility,
a sort of fiduciary responsibility, as well as business opportunity.
And that can be money competitive advantage.
So understanding those broad levers and that's how that world works and then converting into the technical world, I think, is key.
We can use data and evidence where applicable, but we make it digestible.
Prioritization is also something that we can bring to the table, i.e. options.
There are three ways of doing this, and we think option A is probably the best
for a number of reasons, but you've got other options there.
As you were preparing this Black Hat presentation,
you were doing the research for it.
Were there any particular things that were kind of eye-opening to you?
Any surprises that you unearthed along the way?
Yeah, I mean, ISC2 runs a workforce study year on year
and it involves,
and I can't remember the exact number,
but it's sort of tens of thousands
of security practitioners
to get their opinion.
And the data is actually telling us
something quite interesting,
which is AI as a technology really wasn't on the radar a couple of years ago in terms of top topics to take note of, and I think it's now number two or number three, so it's really rocketed up the ranks. And as we know, it's only really been in the public consciousness for 18 months, two years-ish, so that's not surprising, but we confirmed through data that it is a big topic of discussion amongst practitioners as well as leadership. The other thing we found was there's a little bit of uncertainty of how to sometimes control new technologies and AI in specific.
So 29% of the respondents said they didn't have hard controls in place for the use of AI.
And 10% didn't know how their organizations are going to handle access to AI-based systems.
So that was kind of an interesting,
whilst it's a topic of discussion and opportunity,
policy controls and general sort of level stuff hasn't really caught up with it.
I mean, how I tackled that in our organization
is sort of we tried to use some simple language
of if you wouldn't put it into a Google search engine,
don't put it into a generally available AI.
You know, so people can go, oh, I wouldn't put my social security number into Google. Yeah, don't put it into an AI then. So there's some simple, easily understood things that you can start building some guardrails around, especially on the usage angle. So that's a couple of stats that came out of the survey
that were, like I said, not shocking,
but confirmatory is that it is a really good issue of the day
and it's getting the creative juices of how do we tackle it flowing, I think.
Are security folks finding themselves having to deal with kind of a hype cycle here.
I mean, everything these days is AI, AI, AI,
to the point where I think it's kind of lost some of its meaning.
You know, like, what do you mean by that?
And I'm just imagining a board member coming and saying,
listen, we're all in on AI.
Okay, like, what do you mean by that?
Good question.
So what I'm seeing as a practitioner myself
and through conversation is there's a couple of modes
that AI is really starting to express itself
into the business world.
One is probably the data-driven larger companies
where they can actually invest in direct usage of AI themselves,
whether that be instigating a model on their own infrastructure
or even if they're really big training their own model
because it takes lots of data, lots of money to do that.
They're the kind of companies that are starting to have to tackle
with how do I securitize the AI models itself
and how do I look around the infrastructure.
A lot of good cyber hygiene practice comes to play here.
So if you look at some of the stuff that we do around education and certification,
our lifecycle certificate covers a lot of good practice around that,
whether it's AI or whether it's general code.
So those are those are the implementing models.
That's one thing pushing into business.
Then there's just the general consumption,
probably where you've seen it come to the fore
of the tooling that you use.
You know, one day you'll be using an Adobe product,
for instance, and quite happily using it.
And the next day, oh, there's this weird AI button
that's just appeared on my tool belt.
What's that?
So we're kind of seeing AI come to the fore,
as I'm going to call it,
that general sort of feature creep,
whereas lots of vendors are starting to add it
into their existing tool sets.
There's a little bit of, as a practitioner,
you go, I might need to have a look
at where that data goes and how it's used
and what the contract says and the T's and C's.
But that's probably about 80% of where we started to express itself.
And sometimes we purchase tooling specifically
because it is AI-enabled or machine learning-enabled.
For instance, if we're doing voiceovers on video production in multi-language,
you might want to buy into some AI tooling
to do either translation or voice acting,
those kind of things.
So point use cases, feature creep in that,
and then the larger companies are integrating
into their core product and workflow and business flow.
Are we finding that along with the enthusiasm
for this technology that there's appropriate budgeting happening as well?
I can only speak from personal experience
and that we do have generally sort of an R&D budget
that we utilize and some of it is going towards looking at AI.
For me and my team personally, that's for efficiency gain in security tooling and security stance.
On behalf of the organization, we are looking at some AI-based things and whether they would be a good fit.
So for us, yes, we've got a budget to do that.
One of the good suggestions I've heard, and I will jump on the same bandwagon,
is you've got to start experimenting with these things, even if it's in the sandbox,
to understand them, to understand how to deploy them and get the best out of them.
So I think it's good practice that you should have some experimentation and change budget around emerging technology,
not just AI. So what are your recommendations then? I mean, for folks who have the responsibility of presenting to the board and managing that relationship, what are your words of wisdom here?
I kind of said them at the head, but I'll reiterate them: speak in a language that they understand.
So that's the language of business.
That's risk-reward, efficiency, those kind of things rather than core technology.
But be the good translator, I think, is number one.
Number two, don't be the department of no.
Be the department of yes, maybe.
And that's a balancing act.
So there'll be that balancing act. And then really, I think the third one is listen to what questions are going to come back and take them back, and if you need a bit of decoding, take the time to do that as well, so that you can go back with the correct answer.
You know, cybersecurity and business leadership is kind of a team game, and it requires all the players to understand each other and sort of move forward.
But headline is there's opportunities in technology, and we've just got to make sure it's a safe
and secure way of exploiting those opportunities.
We're not there to stop them.
Well, before I let you go, Jon, anything coming up on the calendar that our listeners can benefit from knowing about?
Yeah, sure. I mean, hopefully lots of our listeners are members.
And those of you who are not, do consider joining.
But you can always join us at Security Congress that's being held this year in Las Vegas in October. If you head on over to ISC2, there's an event scheduled there and some of these topics will be discussed at that forum as well. Look forward to seeing you there.
That's our own Dave Bittner speaking with Jon France.
And finally, in a move that might leave Pikachu shocked, a Belarusian defense official, Alexander Ilanov, claimed Pokémon Go was a sneaky tool of Western intelligence agencies. Appearing on local TV, Ilanov said the game's digital creatures conveniently popped up near military runways at the height of its popularity. While Pokémon Go had its share of privacy concerns and scammers, the idea of it being an intelligence tool has been widely debunked. Russia once called it a CIA scheme, and countries like Indonesia, Egypt, and China weren't fans either. Niantic, the game's developer, insists it follows local laws and does not spy on players, so no need to worry about Pikachu peeking into military bases. Still, military officials worldwide urge caution when sharing location data, whether you're catching Charmander or taking a jog near classified sites.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And rest assured that Mr. Bittner will be back on the mic tomorrow.