CyberWire Daily - Updates on US-Iranian tensions, and especially on hacktivism and possible power grid battlespace preparation. Researchers complain of preinstalled malware said to be in discount Android phones.

Episode Date: January 10, 2020

Amid indications that both Iran and the US would prefer to back away from open war, concerns about Iranian power grid battlespace preparation remain high. Recent website defacements, however, increasingly look more like the work of young hacktivists than a campaign run by Tehran. Phones delivered under the FCC’s Lifeline Assistance program may come with malware preinstalled. And we’ll take Cybersecurity for six hundred, Alex. Tom Etheridge from Crowdstrike on having a board of directors’ playbook. Guest is Curtis Simpson from Armis on CISO burnout. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/January/CyberWire_2020_01_10.html

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k at checkout. Amid indications that both Iran and the U.S. would prefer to back away from open war, concerns about Iranian power grid battle space preparation remain high. Recent website defacements, however, increasingly look more like the work
Starting point is 00:02:09 of young hacktivists than a campaign run by Tehran. Phones delivered under the FCC's Lifeline Assistance Program may come with malware pre-installed. And we'll take cybersecurity for $600, Alex. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, January 10, 2020.
Starting point is 00:02:41 Both Iran and the U.S. appear to have signaled a desire for de-escalation of the ongoing conflict punctuated earlier this week by a retaliatory Iranian rocket barrage in response to last week's drone strikes against Quds Force Commander General Soleimani, which was itself retaliation for Quds Force attacks against U.S. forces in the theater. As the Washington Post reports, both sides remain mutually wary but have toned down talk of kinetic violence. One occasion of a rapprochement is the tragic crash of Ukrainian International Airlines Flight 752, a Boeing 737 airliner en route from Tehran to Kiev. U.S., Canadian and British authorities say the aircraft was shot down by an Iranian surface-to-air missile battery. Canada's interest comes from the large number of Canadian citizens on board. The U.S. and Canada in particular have said that the intelligence they
Starting point is 00:03:31 have suggests that the shoot-down was accidental, a case of mistaken identity. Iran had initially said it would exclude both the U.S. and Boeing, the airliner's manufacturer, from the accident investigation. It's customary that the manufacturer and the manufacturer's government participate in such inquiries, but yesterday CNBC reports, Iran formally invited the participation of the U.S. National Transportation Safety Board, and the U.S. promptly agreed to send representatives to the investigation. But a partial softening of public rhetoric and even the reality of some bilateral cooperation don't mean the end of tension in cyberspace. The report Dragos issued
Starting point is 00:04:12 yesterday about Magnallium, also known as APT33, Elfin, or Refined Kitten, has kept alive concerns about North American power grid security. Dragos, as a matter of company policy, doesn't attribute threat groups to nation-states, but others haven't hesitated to do so. Magnallium is generally regarded as an Iranian unit. Wired points out that what's worrisome is the prospect that a long-running password-spraying campaign Magnallium has conducted against U.S. electric utilities, which can be regarded effectively as battle space preparation, has enabled Iranian operators to establish persistence in systems
Starting point is 00:04:50 associated with electrical power generation and distribution. That threat is consistent with CISA's warnings that industrial control systems would be particularly attractive targets. So far, however, no significant offensive Iranian moves against U.S. networks have been reported. The Verge reports that pro-Iranian hackers, who left their mark on a variety of lightly defended sites over the past week, increasingly look more like angry script kiddies sympathetic to Tehran than they do Iranian cyber operators. The websites defaced with bellicose images included not just the Government Printing Office's helpful library site, but also one website belonging to a California dentist, another run by the University of Maryland, and yet another operated by an Oklahoma manufacturer
Starting point is 00:05:36 of steel livestock feeding troughs. One of those who claimed responsibility, a Mr. Bizaad, told The Verge he was 18 and added, I do not work for the government. I work for my home country of Iran, and then highlighted the name Iran with a heart emoji. CrowdStrike's VP of Intelligence, Adam Myers, told The Verge that hackers who contacted the journalists were people with a security awareness who operate in Iran, typically teenagers and young men in their 20s, who are engaged in security and the hacker scene. They largely engage in defacement
Starting point is 00:06:11 and tend to be more focused on web-based technology like PHP and WordPress. So, in all probability, they are from neither the IRGC nor the Mabna Institute. Las Vegas declared victory over the attempted cyber attack it sustained early Tuesday, ZDNet reports. There was immediate speculation about an Iranian operation, but now the incident is being compared to earlier criminal attacks on Atlanta and Baltimore. Security firm Malwarebytes warns that the UMX U686CL Android phones, which the U.S. Federal Communications Commission Lifeline Assistance Program provides to low-income users, come with pre-installed Chinese malware. Specifically, the suspect program is a wireless updater,
Starting point is 00:06:57 but that updater is a product of the notorious Adups, a Chinese software outfit whose tools have been flagged as malware before. The phone is solid and serviceable, Malwarebytes says, and at a price of only $35, it's a bargain too, but they add, what it comes installed with is appalling. The Adups updater can install programs without user consent. Forbes received comment on the issue from Sprint, the parent company of provider Assurance Wireless.
Starting point is 00:07:26 Sprint said, We are aware of this issue and are in touch with the device manufacturer Unimax to understand the root cause. However, after our initial testing, we do not believe the applications described in the media are malware. The FCC says, The Lifeline program has provided a discount on phone service for qualifying low-income consumers to ensure that all Americans have the opportunities and security that phone service brings, including being able to connect to jobs, family, and emergency services. Lifeline is part of the Universal Service Fund. The Lifeline program is available to eligible low-income consumers
Starting point is 00:08:03 in every state, territory, commonwealth, and on tribal lands. End quote. Various members of Congress have already rounded on the FCC to demand it do something about this. And finally, cybersecurity got its own category on Jeopardy's greatest of all time tournament of champions last night, but all three of the champions were stumped by the $600 answer. Companies consider cybersecurity when instructing with a policy on BYOD. Not one so much as buzzed in. Here's what they should have buzzed in with. The question is, Alex, what is bring your own device?
Starting point is 00:08:46 Here are the other answers in the cybersecurity category. For $200, this type of hacker referred to by a colorful bit of headwear helpfully tests computer systems for vulnerability. What is a white hat? For $400, a website with a site certificate is one that uses encryption. This letter after HTTP is one sign of it. What is the letter S? For $800, a ransomware attack that encrypted 3,800 City of Atlanta computers
Starting point is 00:09:17 demanded six of these digital items to unfreeze them. What is Bitcoin? And for $1,000, beware of these types of programs that track every stroke you make while typing in an effort to glean your password. What is a keylogger? We do think that had the three champions, Rutter, Jennings, and Holzhauer been regular Cyberwire readers or listeners, they'd have knocked these five cognitive gopher balls out onto Utah Street, as we say here in Baltimore. Of course, all of you got the questions right.
Starting point is 00:09:50 We knew it. hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Starting point is 00:10:51 Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
Starting point is 00:11:37 And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. And I'm pleased to be joined once again by Tom Etheridge.
Starting point is 00:12:20 He is the VP of Services at CrowdStrike. Tom, it's always great to have you back. I wanted to touch today on a recent publication that you all put out at CrowdStrike. This is your Board of Directors playbook. There's a lot of good information in here. Can you take us through what are some of the key elements here? Excellent, Dave. Thanks for having me back. Regarding the Board of Directors playbook, this is a publication that we released a while back. The premise of which was to provide a tool set for executives and for board members to understand and appreciate more fully the value of cybersecurity preparedness and understanding the risk and regulatory requirements that may impact their organization should they experience a breach. One of the things that we tried our best to highlight
Starting point is 00:13:12 in the board of directors playbook is that the changing regulatory environment that we exist in new state, federal, and other regulations requiring organizations to provide better controls and incident handling procedures, to be able to report incidents in a timely manner to key stakeholders and regulatory concerns. Those things are really critical for the C-suite and for board of directors members to understand. And the playbook really is designed to provide capabilities for boards to have questions that they should be asking their C-suite while they're understanding the regulatory and cyber risks associated with the business that they're supporting, to be able to have a playbook of questions that they can ask the organization that they're supporting in the event that a breach is actually happening,
Starting point is 00:14:11 to better understand when reporting should happen and what the requirements are, and then also to have considerations for the executives and the board members themselves to understand that they may be high value targets for threat actors to target in order to gain information. The exec staff and board members typically have access to very privileged information. And that is certainly something that threat actors would want to target if they're trying to understand more about the value of a company or of an organization or target the critical assets that they have. Yeah, I mean, it strikes me that these days cybersecurity touches so many areas
Starting point is 00:14:53 that certainly the board would be interested in or even be responsible for. I'm curious, in your estimation, who is responsible for being that translator, for making sure that both sides understand what's going on? The technical team at the organization and the board of directors, that nothing's getting lost in that translation. Great question. try to outline in the board of directors playbook and in our presentations to many boards is that it's really important for them to get access to and have the security staff, typically the CISO, provide regular updates to the board about the status of the organization's preparedness, their ability to respond to a breach, what types of tools they're leveraging, where are the gaps, where are investments required in order for them to improve their overall preparedness and their
Starting point is 00:15:51 overall ability to respond in the event that an incident happened. In an earlier session that we did, Dave, I mentioned the 1-10-60 rule, the ability to be able to respond, to be able to detect a breach, to be able to triage that breach, and to be able to respond to that breach within an hour. That type of metric data is really important for executives and board members, quite frankly, to understand where organizations may be able to do that and where they may be falling short. So using that as a governor, if you will, to understand where investments are required to improve that, that operating metric allows the
Starting point is 00:16:30 board and the C-suite to be able to make better investment decisions to improve that capability for their organization. All right. Well, Tom Etheridge, thanks for joining us. Thanks for having me. by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. My guest today is Curtis Simpson. He's Chief Information Security Officer at Armis,
Starting point is 00:17:41 a company that focuses on the security of unmanaged and IoT devices. Prior to joining Armis, Curtis was the global CISO at Sysco Foods, a Fortune 54 organization. Our conversation centers on the notion of CISO burnout, the changing expectations of people in that position in a world where they are increasingly finding themselves in the business and risk management spotlight. Some folks check out after a given period of time of trying to fit in, struggling with the politics, not necessarily making the progress that needs to be made. The reality is that there's not always a lot of visibility into what actually needs to be done within security. There's not a great understanding of what this space looks like from an executive team perspective or from a leadership perspective. So what I find a lot of leaders that have faced this for some time and struggle with this,
Starting point is 00:18:30 what a lot of them will do is they'll check out, as I said, from the perspective of they're not not doing anything, but what they're not doing is taking risks and putting their neck on the line to take the business in another direction that requires support from a number of different channels, a number of different functions, a number of different leaders. A number of these folks have failed at those exercises over the years, have been potentially penalized as a result of failing in those situations, and in turn have just kind of hunkered down and focused on operations and have become more so order takers waiting for the business to tell them that there's a risk they want to manage, as opposed to telling the business that there's risks that need to be
Starting point is 00:19:09 managed. And so what's the solution here? How do we make sure that these folks don't fall into that mode? For most CISOs that I've talked to in this situation, or that have started to kind of gravitate towards this model where, you know what, I'm not taking risks anymore. I'm not bringing things that are going to put my neck on the line. I'm just running operations and I'll move on from there. The reality is it is painful. You're going to have more failures than you do success because gone are the days where you can talk to one individual and have that individual actually do the things that you need them to do. Because when you're looking at these massive organizations, the reality is that functional leaders within a massive organization are not being rewarded for making things secure. They're not being rewarded for either doing or not doing the things that will help reduce risk within their space.
Starting point is 00:20:02 They're being rewarded for business outcomes. Right. So the reality is this, is that I like to think that a lot of my success as a CISO comes from this continued understanding of this will be hard, but it still needs to be done. And also recognizing the fulfillment that you get from the job and the fulfillment is accomplishing those difficult tasks. It's not having everyone say, yes, I'll do what you need me to do. It's actually managing that risk and really overcoming
Starting point is 00:20:31 those hurdles along the way and knowing that you achieved at the end of that. I personally find the greatest fulfillment in that regardless of those hurdles and those pains experienced along the way. So I personally try to coach people through this and help people understand that that is the bigger picture. And honestly, some folks within the organization, or if they look at the organization they're working with right now, if this just continuously doesn't work, sometimes it is time to move on. The reality is, is we're not a perfect fit for every job. We're not a perfect fit within every organization. And sometimes we need to acknowledge when the reality is that maybe we're not at the right company because we're doing all the right things. We're thinking all the right way. It's just not
Starting point is 00:21:12 really playing out as I would expect it to. Sometimes it is important to stand up and realize that maybe a change is required. It's interesting how you mention this, sort of switching into this order-taking mode. A colleague of mine refers to something similar to that. He calls it malicious obedience, which is, you know, yeah, I will do what you asked me to do, even though I know it might not be the right, you know, the best thing to do. I'm curious from a leadership point of view in the organization itself, how much of this falls on them to be checking in with the
Starting point is 00:21:46 people in these roles to make sure that they're going to get the training that they need so that they can communicate in these diplomatic ways, that as these roles expand, that they're given the opportunities to learn and to get the enrichment that they need to keep functioning in a rapidly evolving environment? Yeah, it's a really great question. The short answer to that is no. What you're seeing happen over time is these jobs, these roles have drastically evolved. Organizations and leaders just expect those leaders to evolve along with the role and to
Starting point is 00:22:25 figure it out. So when you start getting into these senior positions, what often happens is there's little to no coaching that is happening. There's little to no guidance or really conversations around how this is a challenge and maybe what additional education is required. And I would also argue that because there's a limited understanding of the space on the level of effort required, the level of support required, et cetera, a lot of folks are also fearful to admit that maybe they need the help because they're thinking that this is going to be a sign of weakness in a space that people barely understand to begin with, which will maybe cause them to start thinking, maybe I need someone else in this role.
Starting point is 00:23:06 Isn't it interesting how, I mean, to me, this is a human factor situation here. We're talking about technical things. And I think most people in the business would think about what are the things that the CISO is responsible for? They're technical things. But this vulnerability, this person in this very important role perhaps checking out, as you say, that's all about a real-life human being with feelings and thoughts and insecurities and fears. And how little do we check in with people on those important things that in this case could lead to a security shortcoming? That's exactly right. And the other piece to this conversation is we talked about some of the things
Starting point is 00:23:48 the CISOs can do. The reality, though, at the end of the day is from a CIO and executive leadership position, we have to make sure that we are supporting security. There's a number of different ways of tackling that. I've even seen things like ensuring that company goals are aligned to actually managing the risks that are important to the company to manage and that there's different business and technology functions stacking up to that. those goals include managing risk. Because if this continues to be this Lone Ranger scenario, where they're not being supported by their leadership team actively, not just from a verbal perspective, they're having to do all of this on their own. They're receiving less and less support. There's more and more challenges being faced. The eventual outcome isn't good. The eventual outcome is look like things like this CISO just leaves and gets another job. This company's breached and experiences a significant event that was
Starting point is 00:24:51 very much avoidable, but now affects their brand and everything else. This is our time and opportunity to truly look at this risk and make sure that we're supporting the function that manages this risk for us on a daily basis. That's Curtis Simpson from Armis. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and
Starting point is 00:25:31 keep you informed. Listen for us on your Alexa smart speaker, too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman,
Starting point is 00:25:47 Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here
Starting point is 00:26:03 tomorrow. that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
