CyberWire Daily - WannaCry wraps up its first week. No patches for Marshmallow. Women in Cybersecurity survey results.
Episode Date: May 19, 2017
In today's podcast we learn that crooks are interested in home IoT. Twitter outages aren't just you. Android Marshmallow won't be getting a patch, just a replacement. WannaCry observers focus on North Korea as a possible source. Palo Alto Networks' Rick Howard has research on Shamoon. Joyce Brocaglia from Alta Associates and the Executive Women's Forum shares results from the 2017 Women in Cyber Security Survey. And no one, yet, knows who the Shadow Brokers are with any certainty. (Or if they do, they're not talking.)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
IoT risks at home. The crooks are interested.
Twitter outages aren't just you.
Android Marshmallow won't be getting a patch, just a replacement.
WannaCry observers focus on North Korea as a possible source.
Results from the 2017 Global Survey on Women in Cybersecurity.
And no one yet knows who the Shadow Brokers are with any certainty.
Or if they do, they're not talking.
I'm Dave Bittner in Baltimore with your CyberWire summary for Friday, May 19, 2017.
WannaCry is closing out its first week in the wild.
We'll get to WannaCry shortly, but first, some of the other developments we're seeing in cybersecurity.
Prague-based security company Avast warned this week of new risks in the Internet of Things as it's realized in homes.
Routers, obviously, and also such devices as Internet-enabled televisions are being increasingly prospected by criminals.
They advise taking precautions. There's little safety in being small fry.
You, if you're a small fry, may not be interested in cybercriminals, but small fry crooks are interested in you.
Twitter has sustained widespread outages due to unknown causes over the past 24 hours.
Japan, the United Kingdom, outages centered in London, and the United States, mostly the Middle Atlantic region from Washington through New York, are being reported as principally affected.
So if Twitter's not working for you, be aware that you're not alone,
and that is, as they say, a known issue.
Another known issue is exploitation of known but unpatched vulnerabilities.
WannaCry hit machines for which patches existed but to which patches weren't applied.
Security company Check Point Software last week warned of a different unpatched vulnerability,
this one affecting Android systems.
The flaw appeared with the Marshmallow version of Android and has exposed many devices to malware.
According to Check Point, about three-quarters of ransomware and some 14% of banking malware affecting Android exploit this bug.
Google says it will address the issue in this fall's coming release of a new Android version, but that they won't patch older versions.
Many in the security industry have criticized Google for this decision, contrasting it with Microsoft's response to the EternalBlue exploits.
Android has become what some call a tangled ecosystem, but on the other hand, Google has
been notably aggressive in pushing other vendors to patch the vulnerabilities Google researchers find in those vendors' products.
This hasn't gone unnoticed, and many are suggesting the Google gander take a dip in the sauce it's been ladling onto the geese.
Shortly after the Shadow Brokers dumped EternalBlue last month,
a number of security companies warned that unpatched and old Windows systems were seriously vulnerable to exploitation, yet a disappointingly small number of enterprises
took steps to protect themselves. Some security industry introspection at week's end mulls the
possibility that too much crying wolf has numbed users against such warnings.
Turning to WannaCry proper, the consensus at the end of the ransomware's first
week in the wild is that it's been a considerable nuisance but not a catastrophe. Most observers
continue to think it was a poorly executed North Korean effort to get badly needed cash,
but this preliminary attribution awaits confirmation. China and Russia were hardest hit,
and the infestation that struck the UK's
National Health Service was worrisome in that it interfered with patient care.
Machines running legitimate and up-to-date versions of Windows were essentially immune
to WannaCry. Going forward, consider following some of the advice on sound digital hygiene the
security industry is offering to protect your systems from ransomware. Patch, install all updates, back your data up to an offline hard drive,
and use reputable security software.
The EternalBlue exploits used by the unknown actors behind WannaCry
do remain a potentially serious risk.
Rumors circulate of a related DNS campaign
apparently aimed at establishing persistence in its targets.
Its command and
control is said to have gone dark when WannaCry went public. Secdo reports early, evasive
EternalBlue exploitation that spawns malicious threads inside legitimate applications. Whatever,
if anything, may be up with what Secdo's observing, it appears to be laying the groundwork for
some future campaign.
The Shadow Brokers, of course, are the ones who leaked the EternalBlue exploits last month.
By consensus, those were NSA-discovered exploits, and the agency has attracted considerable criticism since their release. It appears NSA tipped Microsoft off to the vulnerabilities
earlier this year, which prompted Microsoft not only to move
out of its regular patch cycle in February, but to issue patches for vulnerable software that's
beyond its end of life and no longer supported. No one knows who the Shadow Brokers are, although
there's plenty of speculation that they're either highly skilled hacktivists or Russian intelligence
service operators. No one is saying either how the Shadow Brokers got their hands
on the Equation Group tools they've been leaking.
That's one investigation whose results the security community awaits with close interest.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents,
winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting. Thank you. That's vanta.com slash cyber for $1,000 off.
In a darkly comedic look at motherhood and society's expectations,
Academy Award-nominated Amy Adams stars as a passionate artist who puts her career on hold to stay home with her young son. But her maternal instincts take a wild and surreal turn as she discovers the best yet fiercest part of herself.
Based on the acclaimed novel, Night Bitch is a thought-provoking and wickedly humorous film from Searchlight Pictures.
Stream Night Bitch January 24 only on Disney+.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company
safe and compliant. And I'm pleased to be joined once again by Rick Howard. He's the chief security
officer at Palo Alto Networks, and he also heads up their Unit 42 threat intel team. Rick, welcome
back. You all had some recent research into the Shamoon attack that you wanted to share with us.
Yeah, you know, back in 2012, cyber adversaries used a nasty piece of malware called Shamoon
to infect one of the world's largest oil companies, Saudi Aramco, and destroyed 30,000 endpoints.
And since then, somebody has been upgrading the code with new functionality and attacking new victims.
Unit 42, the Palo Alto Networks threat intelligence team, tracked the first update back in November of 2016.
Since then, there have been two more updates.
The latest, though, is a case study on one way that cyber adversaries attempt to move laterally within a network once they've established a beachhead.
Now, a couple of things here.
Unit 42 is still a little bit unclear on the adversaries' entire playbook here, but they now know a few more plays.
Somehow, the adversaries use legitimate credentials, most likely admin credentials,
to log into existing endpoints within the victim's network. We don't know how they obtained the
credentials, so that's one of our blank spots. But once they legitimately logged into the first endpoint, they used that as their beachhead. They then connected to a set of
host names used within the victim's network that they already had. And again, we don't know how
they got that list either. But the host names belong to machines not on the local subnet.
So this is how they spread their tentacles. Once on a different local subnet, they would scan for
all the machines on that subnet and legitimately log into all of them and destroy or to install the
destructive payload. Right. So that is simple, but ingenious. And you and I have talked before about
how most cyber adversaries do not compromise machines with zero day exploits a lot. You know,
they try to steal credentials instead of and use them to legitimately log into endpoints.
This third wave of Shamoon attacks demonstrates the technique. So to protect yourselves from these
kinds of attacks, here's my recommendation at a high level. Seek vendors who help you install
two-factor authentication into your systems and who help prevent your employees from being
socially engineered into giving up their credentials to some fake website. But fascinating attack
sequences that Unit 42 is discovering. And once again, I mean, we come back to this
critical nature of credentials and the importance of training your employees,
you know, where people might be trying to trick them out of giving them up.
I know. And this is one of my pet peeves, too. You know, I really balk at that. We have to train the grandmas of the world to be careful about
their passwords because, you know, I have trouble with this. I can't believe my mother-in-law is not
going to have trouble with it. Right. So there is technology out there. We've talked in a previous
interview about some of the things you can do that kind of reduce the attack surface.
And there is technology that your security vendors have that can force you to use two-factor authentication, using the firewall as an enforcement mechanism. So
that's great. That makes it a lot easier to deploy that stuff in your applications you have
internal to your employees and the ones that are external. There's even technology out there that
looks for employees being tricked into giving their legitimate credentials to fake websites. So seek those vendors out and get that installed in your network.
All right, Rick Howard, thanks for joining us.
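The pattern Rick Howard describes (one legitimate admin credential logging into a beachhead host, then into hosts on other subnets, then into every machine on each new subnet) leaves a distinctive trail in logon telemetry. The following Python is an added example, not code from the podcast, Unit 42 or Palo Alto Networks; the logon records, their field layout and the thresholds (5 hosts, 2 subnets, 30 minutes) are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed logon records (sample data, not from Unit 42 or the podcast).
# Assumed layout: timestamp account source_ip destination_ip outcome
SAMPLE_LOGONS = """\
2017-05-18T09:00:00 svc_admin 10.1.1.20 10.1.1.21 success
2017-05-18T09:03:00 svc_admin 10.1.1.21 10.1.5.10 success
2017-05-18T09:05:00 svc_admin 10.1.5.10 10.1.5.11 success
2017-05-18T09:05:10 svc_admin 10.1.5.10 10.1.5.12 success
2017-05-18T09:05:20 svc_admin 10.1.5.10 10.1.5.13 failure
2017-05-18T09:05:30 svc_admin 10.1.5.10 10.1.5.14 success
2017-05-18T09:05:40 svc_admin 10.1.5.10 10.1.5.15 success
2017-05-18T09:10:00 jdoe 10.1.1.40 10.1.1.50 success
2017-05-18T09:12:00 jdoe 10.1.1.40 10.1.2.60 success
"""


def parse_logons(text):
    """Parse the assumed whitespace-separated logon format into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, src, dst, outcome = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "account": account,
                        "src": src, "dst": dst, "outcome": outcome})
    return records


def find_lateral_spread(records, window=timedelta(minutes=30),
                        min_hosts=5, min_subnets=2, prefix=24):
    """Flag accounts whose successful logons reach at least min_hosts distinct
    destination hosts spanning at least min_subnets /prefix subnets within a
    sliding time window. Thresholds are illustrative assumptions; tune them to
    what normal administrative activity looks like in the environment."""
    by_account = defaultdict(list)
    for r in records:
        if r["outcome"] == "success":      # failed attempts are not spread
            by_account[r["account"]].append(r)

    alerts = {}
    for account, logons in by_account.items():
        logons.sort(key=lambda r: r["ts"])
        for i, start in enumerate(logons):
            hosts, subnets = set(), set()
            for r in logons[i:]:
                if r["ts"] - start["ts"] > window:
                    break
                hosts.add(r["dst"])
                subnets.add(ipaddress.ip_network(f"{r['dst']}/{prefix}",
                                                 strict=False))
            if len(hosts) >= min_hosts and len(subnets) >= min_subnets:
                alerts[account] = {"hosts": len(hosts), "subnets": len(subnets),
                                   "first_seen": start["ts"].isoformat()}
                break                      # one alert per account is enough
    return alerts


if __name__ == "__main__":
    for acct, info in find_lateral_spread(parse_logons(SAMPLE_LOGONS)).items():
        print(f"ALERT {acct}: {info['hosts']} hosts in {info['subnets']} subnets")
```

The single failed attempt against 10.1.5.13 is ignored on purpose: the technique relies on valid credentials, so it is the successful fan-out across subnets, not failures, that distinguishes it from routine administration.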
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's
defenses is by targeting your executives and their families at home? Black Cloak's award-winning
digital executive protection platform secures their personal devices, home networks, and connected
lives. Because when executives are compromised at home, your company is at risk. In fact, over
one-third of new members discover
they've already been breached. Protect your executives and their families 24-7, 365,
with Black Cloak. Learn more at blackcloak.io.
My guest today is Joyce Brocaglia.
She's the CEO of Alta Associates and founder of the Executive Women's Forum.
She returns to the Cyber Wire to review the results of the Biennial Women in Cyber Security Report, which was generated using data from the 2017 Global Information Security Workforce Study,
which is a project of the Center for Cyber Safety and
Education and (ISC)². The main thing that I took away from this is that it's not really just
one thing. The survey was conducted by almost 20,000 cybersecurity professionals, of which over
2,000 were women, and they answered various questions. And I think some of the results are pretty eye-popping.
Unfortunately, the numbers haven't changed much in terms of the representation of women in cybersecurity.
This is a biennial study.
It was done in 2013 and 2015.
And consistently in 2017, women still represent globally about 11% of the total population. So as you know, since women
make up about 50% of the total population, 11% in cybersecurity is not a great representation.
And the fact that it hasn't changed is very troubling. What I also found troubling is that 51% of women reported various forms of discrimination in the workplace. And
that 51% escalated all the way to 67% as women rose through the ranks. And that is compared to
15% discrimination cited by men. And I'll be curious when the diversity study comes out, how many of those 15% are actually
diverse men. So I think the gap is probably larger than that. The other thing that is important to be
noted is that although women across the board have higher levels of degrees, they have much
less representation in senior executive and management positions. Men are four times more
likely to hold C-level positions or executive positions than women, and nine times more likely
to hold managerial positions than women. Kind of the final straw, if you will, is that women
at every single level from the staff through the C-level are still reporting that they are earning less than men are.
So when you say kind of what's the one big thing, I think the one big thing is that it's not just one thing.
It's really the confluence of all of these events that make this a problem that really, really needs to be actively addressed.
What does the survey point out in terms of what's driving the gap?
It sounds like it's not education.
Well, I think one of the things that's driving the gap is that
when you look at the combined statistics and also the statistics
that 28% of women indicated that their opinions are not valued.
When you look at the fact that their opinions aren't valued,
they're being discriminated against at high numbers, they're paid less, it's kind of a bad
trifecta. It's the combination of those things that if it's not addressed, we're never going
to shorten or close that gap. I think that there are some highlights to the report. Women who feel
valued in their organizations report that they have a higher level of access to sponsorship and mentorship-type programs.
The people that feel valued, the women that feel most valued and also very supported and successful in their roles feel that they also have benefited from leadership development programs.
So I think that there's a clear correlation that you might be able to draw from engaging women earlier on in their careers and providing them access to stretch assignments, providing them access to both internal and external leadership development programs, peer and mentoring programs, that all of that makes a difference in their ability to be selected and noted as high potential women.
Of course, that helps with the retention of the women in the field.
The report lists what it refers to as actionable solutions.
Can you take us through some of those?
Well, first of all, we talk about really creating and being aware of the need to create an inclusive workplace that really supports women.
So some of that has got to do with evaluating the unconscious and the conscious bias in your recruiting practices and looking at performance evaluations on an ongoing basis.
Gaining data and making that data available to both women and men in the organization of what the female pipeline is and ensuring that you include women in those
succession plans to executive and C-level roles. Sometimes I've seen companies that I do
recruiting for being successful because they actually tie gender equality goals to their business objectives
as well as to their executive compensation. That seems to get people's attention.
You know, I think being transparent in terms of salary ranges and, you know, areas of opportunities
for promotion gives opportunities for women to know that, hey, this is where I stand in that median
range if I'm above it or below it, and maybe I do need to step forward and negotiate on
my own behalf.
We see many companies having employee resource groups, but that's kind of a shotgun approach.
I don't know that that's having the effect that is going to be strong enough to really
close this gap.
You know, unfortunately, I think that companies really have to kind of put their money where their mouth is
and step up to the plate and spend time and energy and dollars to invest in sponsorship programs,
mentorship programs, training, giving women access to conferences and events and areas where they can be mentored by women,
either internally and externally, and certainly be mentored by men.
We have, I know at the Executive Women's Forum, we have a tremendous amount of men that are
corporate ambassadors who do an awesome job of not just building diversified workforces,
but really supporting and mentoring the women on their team.
You know, this is a problem that needs to be solved from the top down.
The executives of a corporation really set the goals and the standards,
and that it's up to cybersecurity executives, which are predominantly male,
to really take conscious actions and talk to their
hiring managers and their teams about the importance of really bringing the 50% of the
population, that is women, into their organizations. Because every study shows that when women are
added to teams, their effectiveness increases.
That's Joyce Brocaglia from Alta Associates and the Executive Women's Forum.
The Biennial Women in Cybersecurity Report can be found on the Center for Cyber Safety
and Education website.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening. Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act
with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at
ai.domo.com. That's ai.domo.com.