CyberWire Daily - US Energy Department alludes to March cyber incident. BND 19-02 is out. Facebook likes privacy. Assange gets a short nickel.

Episode Date: May 1, 2019

In today's podcast, we hear that a US Energy Department report alludes to a March cyber incident. Citycomp refused to yield to blackmail, so now its client data is being leaked. The US Department of Homeland Security has issued Binding Operational Directive 19-02. A UK judge sentenced Julian Assange to fifty weeks in jail for bail jumping. Facebook reveals the privacy-focused initiatives it plans to implement. And notes on the Global Cyber Innovation Summit. Robert M. Lee from Dragos on the pros and cons of conferences like RSA. Guest is Bert Grantges from Vera on cyber security as a business enabler. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/May/CyberWire_2019_05_01.html

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. A U.S. Energy Department report alludes to a March cyber incident. Citycomp refuses to yield to blackmail, so now its client data is being leaked. The U.S. Department of Homeland Security has issued Binding Operational Directive 19-02. A U.K. judge sentenced Julian Assange to 50 weeks jail for bail jumping. Facebook reveals the privacy-focused initiatives
Starting point is 00:02:19 it plans to implement and notes on the Global Cyber Innovation Summit. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, May 1, 2019. E&E News reports that the U.S. Department of Energy has said that four counties in California, Utah, and Wyoming experienced a cyber event that interrupted electrical system operations briefly on March 5th. The incident was disclosed in an electric disturbance and emergency report released yesterday. The Western Electricity Coordinating Council confirmed that the event affected a single entity, but few other details have been made public. The counties affected were Kern County and Los Angeles County in California, Salt Lake County in Utah, and Converse County in Wyoming. Motherboard notes that there's no reason to panic based on this information, as the department's definition of a cyber event is expansive. While it's possible that remote hacking or malware was
Starting point is 00:03:26 involved, it's far more likely to be due to human error or a hardware or software bug. E&E News points to a similar filing after a blackout in Michigan last year, which turned out to be an accident caused by an employee in training. German IT infrastructure provider Citycomp says a hacker stole a large amount of information from its customer database and threatened to leak the data unless the company paid a ransom. Citycomp refused to pay, so the hacker has started publishing the data on a dedicated website. Citycomp's customers include Oracle, Airbus, British Telecom, Hugo Boss, Porsche, Volkswagen, and many others.
Starting point is 00:04:06 The Register says that most of the data that's been leaked so far is the type of information that would be useful to someone who wanted to hack one of Citycomp's clients, such as detailed lists of installed IT equipment and hardware specifications. ZDNet notes that the dump also includes financial records, meeting schedules, and some contact information. The U.S. Department of Homeland Security has issued Binding Operational Directive 19-02, which establishes vulnerability remediation requirements for Internet-accessible systems. The directive builds on and supersedes Binding Operational Directive 15-01. Agencies will have to fix faster.
Starting point is 00:04:48 The new directive requires that critical vulnerabilities be remediated within 15 calendar days of initial detection. Agencies will have 30 calendar days to remediate high vulnerabilities. Binding Operational Directives apply to U.S. federal agencies, with exceptions for the Defense Department and the intelligence community. It almost goes without saying these days that encrypting your data can be an effective way to protect it from prying eyes, whether that data is in transit or at rest. The challenge is maintaining control over that encryption so it doesn't get in the way of the data being useful. A number of companies are developing data-centric encryption solutions,
Starting point is 00:05:28 what they refer to as always-on file security. Vera Security is one of those companies, and Bert Grantges is their vice president of solution engineering. In today's economy of collaboration with multiple different organizations and entities outside of your business, there's really no way to protect data once it leaves your perimeter, once it leaves that physical control, quote unquote. And where they're changing the model is how encryption and data centric security can really be leveraged to allow the control that they've been clamoring after for the past 15 to 20 years, right? How can I exchange data freely with a third party, but ensure that I still have control over that data no matter where it travels? So it's a much more proactive measure of how they
Starting point is 00:06:20 want to protect data in order to respond to just general business concerns, but also consumer and internal privacy regulations that are popping up all over the world, like GDPR, the California Privacy Act, the NYDFS Cybersecurity Act, and things of that nature, really require that level of control. And you see these breaches with large enterprises from Marriott to HBO to Sony way back in the day. And it's apparent that the technology to really give that power of control of your data hasn't been there in the past. And that's something that Vera and other companies like us are trying to change.
Starting point is 00:07:04 And so what's the change there? How are companies like yours using encryption to better protect data? It's a good question because encryption has been around a long time, right? It's not like encryption's new. But what we're looking at in terms of how encryption can enable the business is really around redesigning how people work with encrypted data. One, we talk about digital rights management controls. So how can I work with encrypted content, do so securely, but not change the way that I work?
Starting point is 00:07:38 As an example, if I get an encrypted Word document, I shouldn't have to think about having to go get a proprietary viewer or, you know, how is this going to change my relationship to the data? I should be able to work with inside Word or even AutoCAD, work within the native tools that I'm used to while doing so securely. So new technologies are coming up that allow us to have that low friction experience and dynamic relationships to the data can change in real time. So if I'm a third party manufacturer working on a CAD drawing that you provided me as an example,
Starting point is 00:08:17 if you decide to move to another manufacturer, you literally have a kill switch button that prevents me from ever opening that content again, so that you can enforce that level of control. What about for that organization who's looking to get started with something like this? What is the transition period like? It's actually pretty straightforward to get started with data-centric encryption, what we like to call always-on file security.
Starting point is 00:08:42 What's great about the nature of secure files is they tend to travel, right? You know, when you have information that you need to share with somebody in your organization, you'll send them an email, you'll drop it in a network file share. Somebody is going to pick that up. If they don't have appropriate access rights,
Starting point is 00:09:00 they can't access the data, but if they do, they can just start to use it. And people see how they can be productive and secure. And it creates a great relationship between the business and IT. One of the most interesting things I found about our work with customers is that they develop a dialogue around the data because they actually get to see how data is used. Because it's not just about the protection. It's also about being able to see what happens to data in a way that you can audit that defensively against breaches, against regulatory compliance issues that may be coming into
Starting point is 00:09:37 business, or even for legal reasons with additional third parties you may have. So giving a full 360 degree view of what people can do with the data, as well as being able to visualize that, is extremely powerful and can be implemented in a very short amount of time to where you start to see value in the business. That's Bert Grantges from Vera Security. Julian Assange will serve 50 weeks in jail at Her Majesty's Pleasure for jumping bail in 2012. The judge said his bail violation was particularly egregious, saying that he, quote, exploited his privileged position to flout the law
Starting point is 00:10:18 and advertised internationally his disdain for the law of this country, end quote. He entered the Ecuadorian embassy in London to avoid being extradited to Sweden, and he remained there for seven years. The judge also noted that Assange's extended residence at the Ecuadorian embassy and his subsequent arrest had cost taxpayers 16 million pounds. Assange apologized in a letter to the court,
Starting point is 00:10:42 saying he did what he thought was best at the time. He still faces federal conspiracy charges in the U.S. Facebook, at its F8 shindig, announced that the future is private. CNET quotes CEO Zuckerberg as acknowledging the skepticism that will meet the new direction. Quote, I get that a lot of people think we're not serious about this. I know we don't have the biggest move toward privacy. Other changes, like the new prominence of groups and initiatives to suggest unknown people likely to become friends, seem likelier to lead the social network into data temptation. And finally, we have a correspondent at the Global Cyber Innovation Summit,
Starting point is 00:11:33 which opened this morning in the Fells Point neighborhood at Baltimore's Inner Harbor. One of the principal organizers, Allegis Cyber's Bob Ackerman, explained the choice of venue. The group that put the summit together wanted to create a Davos-like atmosphere that would cater to the needs and interests of CISOs. They chose to hold the summit in Baltimore because the cybersecurity community needed this kind of engagement on the American East Coast. And Baltimore, being at the center of what Ackerman called
Starting point is 00:12:01 an unparalleled pool of cyber engineering talent that's grown in Maryland universities with the support of massive U.S. federal investment was a natural choice. That massive federal investment, of course, has long been centered on the National Security Agency, whose Fort Meade home is in the Baltimore suburbs. Ackerman's introduction was followed by remarks delivered by Maryland's Governor Larry Hogan, who was particularly concerned to point out the state's engagement with international cybersecurity development, particularly in the United Kingdom and Israel. He also alluded to the emergence of an apprenticeship model around the University of Maryland, Baltimore County.
Starting point is 00:12:39 This morning's final keynote was by Dave DeWalt, now of Momentum Cyber, formerly CEO of both FireEye and McAfee. He delivered his account of what he called a perfect cyber storm, created by the speed of innovation and the swift evolution of vulnerabilities and threats such innovation brings with it. We'll have more updates from the summit over the course of the week. The proceedings will continue through tomorrow.
Starting point is 00:13:03 Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Starting point is 00:13:27 Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
Starting point is 00:13:53 But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks,
Starting point is 00:14:08 like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
Starting point is 00:14:31 That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. And I'm pleased to be joined once again by Robert M. Lee. He's the CEO at Dragos. I want to touch today on conferences and particularly how organizations
Starting point is 00:15:38 like yours can get the most out of their attendance of conferences like RSA, for example. What are your thoughts there? I think it's just expectation management. If you're going to RSA to find the latest research and 0-day dropping stuff, you're not going to have a good time. But I've been really pleasantly surprised at the RSA. I went not expecting for, quote-unquote, my community to be there in industrial security. I was like, well, maybe it'll be like CISOs, like others, but I don't know, there's like a lot of, like, practitioners
Starting point is 00:16:08 are going to come. And what we did last year and what we did this year is we're a big sponsor of the ICS Village. It comes around to a lot of different locations, but it's got a big presence at RSA, and Bryson and Tom VanNorman run it with a lot of support from the community. It's not a booth. It's just a village. And it's got a bunch of industrial control systems in it to show people what type of equipment's running their modern world of power and manufacturing and others. And so a lot of the talks we did were actually at the village.
Starting point is 00:16:37 And I was really surprised with not only how many of ICS security community was there, but also just how many people were so excited about industrial security. I think my biggest takeaway from RSA this year and last year has been, there's like a movement forming around ICS security. And a lot of the folks that have never thought about it before are now getting excited about it, which means really good things for our folks. I think obviously we did go and have some talks as well.
Starting point is 00:17:04 And I got up on one of the main stages or whatever they call it and did that as well. My big message to folks was a lot of industrial security over the years has been copy and pasted enterprise security. We take frameworks and regulations from IT and whatever doesn't break the ICS, we just move it into ICS. Like, oh, you should have a patch program. That makes sense. Hey, we should have a patch program. Let's have a patch program. But why we have a patch program or what the ICS implications are or if it's even valuable at all never gets questioned. And so
Starting point is 00:17:33 this year, all I did is I looked at the various attacks that we've seen as well as some of the threats that we track at Dragos and said, okay, let's break them down step by step. These aren't novel events. There is no such thing as a novel attack. There's a series of steps and maybe some of those steps are novel, but many of them are not. And let's look at each one of those steps across the ICS kill chain and evaluate it and say what could have been done and what could we learn from these steps? And so I took kind of this
Starting point is 00:18:01 intelligence driven approach to say, okay, well, over these last six major events, here are the controls that kind of bubbled up to the top of things that actually are important for environments, things around visibility and threat detection and being able to respond, multi-factor authentication, like certain things that we might have thought anyways, but we have proof and we have evidence to show that this is impactful. And here's how you can go do this kind of analysis yourself to actually make sure that you're adapting your requirements to your threat landscape instead of quote-unquote best practices. And I thought that was a lot of fun, and it seemed to resonate with a bunch of people. And I really hope the industrial community takes more of an intelligence-driven approach, because historically, again, it's taken more of a copy-and-paste or regulation-based approach. I don't think that's getting us where we need to get to. And to what do you attribute the increased interest there? Is it awareness? Is it that more of these systems are
Starting point is 00:18:54 becoming integrated, or what do you see things coming from? I think there's a lot of factors. For one, I think, you know, attacks do get attention, and we hear about, like, oh wow, a power grid went, like, portions of a power grid in Ukraine went down. What is that? Like, there's a story aspect that sucks people in, and we saw this post-Stuxnet in 2009-2010, like a lot more interest in the community. And so
Starting point is 00:19:17 attacks do have that ability. But I think more of it has been the people that have been in this community are becoming evangelists and have been pushing it way forward. I think, obviously, I have a very biased view, but like the SANS community over the years, with what Mike Assante and Alan Paller started and Tim Conway and those guys are over doing, and me authoring one of the courses over there, I think we're training people in capacities that have
Starting point is 00:19:45 never been done before. So it's more accessible than it's ever before. You look at the ICS Village as being accessible to show people. A lot of people don't even know where to get started. They may have heard about ICS or SCADA or, God forbid, SCADA. And they're moving in and they're going, man, I like this. But it's daunting to see how you could even get started without spending a lot of money. I don't want to pat ourselves too far on the back, but I think my folks at Dragos have done a really good job of educational and content-driven to the community. And hey, here's free reports and insights. We're a tech company and half the time people think we're a services company because we're out showing people more about the ICS world than we are
Starting point is 00:20:22 pitching our product. I think this combination of these folks at the asset owners doing the mission, SANS, ICS Village, companies like Dragos, I think this combination with the attacks is drawing massive amounts of interest, but also returning us back to norm of, hey, don't freak out. This is doable. We can absolutely invest in our people and our infrastructure and do good things. And I think there's a compelling story that just sucks people in, because you may not care about your local bank. Many do. But there's something special about industrial. When you talk about your bank, it's your bank. When you talk about infrastructure, it's our infrastructure. That's our power company. That's our manufacturing industry.
Starting point is 00:21:04 There's this, there's something special about industrial. And I think that just resonates with people. Robert M. Lee, thanks for joining us. Cyber threats are evolving every second and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Starting point is 00:21:43 Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
Starting point is 00:22:26 where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
Starting point is 00:23:03 Your business needs AI solutions that are not only ambitious, but also practical and adaptable. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
