Third-Party Risk Management & Cyber News
Written by: Black Kite
With Jeffrey Wheatman and Bob Maley, of Black Kite
At Black Kite, we believe a big part of a strong cyber security program is staying aware of current events and talking about them with your colleagues. We want to help facilitate this, as the more we understand the bad actors, the better we can defend against them.
Every Friday we will be publishing “quick hits” of three cyber attacks or incidents we think people should be talking about from the week. Hear from CSO Bob Maley of Black Kite and SVP Cyber Risk Evangelist Jeffrey Wheatman of Black Kite as they comment on these events. Check back every Friday for new topics to learn from and discuss.
Friday Aug 12, 2022
1. Cisco Patches High-Severity Vulnerability in Security Solutions | SecurityWeek.Com
Jeffrey Wheatman: We frequently assume that our security tools are safe and secure. Their job is to keep us safe, right? But at the end of the day your security tools are just another part of your ecosystem and need to be managed.
2. The Hacking of Starlink Terminals Has Begun
Jeffrey Wheatman: It cost a researcher only $25 worth of parts to create a tool that allows custom code to run on the satellite dishes. The small dishes, named Dishy McFlatface (not actually relevant to the story but I couldn’t just ignore the name), proved themselves vulnerable to compromise. There are a few scary things here. It only cost 25 bucks in hardware, this Pwnage could lead to more incursions as attackers follow the chain, and this system has been integral to the defense effort in Ukraine.
3. Cyber-Insurance Fail: Most Businesses Lack Ransomware Coverage
Jeffrey Wheatman: Interesting survey by Blackberry has a lot of great data, but the thing that caught my attention was the fact that even though cyber insurance isn’t new, most buyers are arbitrarily picking coverage amounts that are not related to their actual needs.
At Black Kite, we’ve been saying that one of the biggest causes of unhappiness with Cyber Insurance is the fact that buyers aren’t really sure what they are buying or why. Ask yourselves this simple question – ‘why are you buying cyber insurance?’ Once you know what your goals are, then you can look at coverages.
Friday Aug 5, 2022
1. Experts Warn of Hacker Claiming Access to 50 U.S. Companies Through Breached MSP
Jeffrey Wheatman: Setting aside the question that if you can’t trust your MSP, who can you trust – well, you CAN trust me. This is YATPB (yes I coined a new acronym, because we tots don’t have enough of those) until people get a better handle on (1) the scope and scale of their digital ecosystem and (2) the cyber risk posture of same, we are going to continue to see these issues. Look, nobody can be perfect, but most organizations don’t really have any visibility into this problem. Don’t worry, Black Kite can help – ask any of our customers!
2. Hackers Deploy New Ransomware Tool in Attacks on Albanian Government Websites
Jeffrey Wheatman: The future of cyber warfare is here (well let’s face it, it’s been here for a while). In what appears to be another politically motivated state sponsored attack, the government of Albania is the latest locale to be hit. Mandiant researchers have indicated the attack may have included a previously unknown backdoor called “ChimneySweep,” and a newly discovered ransomware tool known as “RoadSweep” to attack the systems. You may say ‘we aren’t a government, so we are safe …’ but based on history, once these new attacks hit ‘the wild’ they are tweaked by bad actors and turned loose on everyone – collateral damage in the cyber. I don’t know about you, but I have a headache.
3. Hacked Crypto Startup Nomad Offers a 10% Bounty for Return of Funds After $190 Million Attack
Jeffrey Wheatman: I saw this on LinkedIn earlier this week and commented. This is another example of bad actors seeing an opening and acting on it. I am not a fan of over-regulation, especially in technology, where lawmakers often have an understanding of what they are trying to regulate that is tenuous at best. That said, cryptocurrency tools/platforms/exchanges/etc. are taking money, often from people that have no business investing in crypto in the first place. Maybe the time has come for the government to at least start looking.
Friday Jul 29, 2022
1. Spree of Multimillion Dollar Hacks Creates Booming Business for Blockchain Security Experts
Jeffrey Wheatman: While investing in cryptocurrency might not be the road to wealth that everyone (at least almost everyone) thought, cyber professionals that have expertise in securing blockchain are making serious bank. Lots of new firms that focus on blockchain security are cropping up and the dearth of cybersecurity experts is even more pronounced in the blockchain space. …so dare I say ‘Blockchain security is the new plastic*’ *Watch The Graduate
2. The Beautiful Lies of Machine Learning in Security
Jeffrey Wheatman: Yet again this week I get to highlight an article from a former Gartner Colleague. Anna Belak takes the opportunity here to eloquently say what I’ve thought for a long time: AI and ML aren’t going to fix cybersecurity. They should be used as part of your toolkit, but you shouldn’t throw out your hammer and screwdriver because … AI. On another note, 80% cat is too much cat for me. I’m more of a dog person.
3. CSA Issues Guidance on Third-Party Risk Management in Healthcare
Jeffrey Wheatman: So, yeah – apparently managing third party risk is important in healthcare, and to no surprise, healthcare providers are struggling. Recent guidance from the Cloud Security Alliance (CSA) offers some excellent suggestions – amongst which is a recommendation to use the NIST framework to guide managing third party risk (great news, we at Black Kite knew this ages ago and heavily leverage NIST guidance in our platform.)
Friday Jul 15, 2022
1. Travelers Wants Out of Contract With Insured That Allegedly Misrepresented MFA Use
Jeffrey Wheatman: If you don’t do what you say you do, you aren’t going to get what you think you deserve. In other words, if you don’t actually implement the controls you tell your cyber insurance providers, don’t expect them to pay off on your claims. I see two issues here.
- The CEO signed off on a document that said MFA was used to protect critical assets…when in fact it wasn’t. So either the CEO didn’t understand the document they signed, or the cybersecurity ‘owner’ was being less than honest.
- Insurers aren’t just going to pay claims without investigating. As we indicated in our insurance report earlier this year claim payments are going down and this is part of the reason why.
2. Homeland Security warns: Expect Log4j risks for ‘a decade or longer’
Jeffrey Wheatman: Think we are out of the woods with Log4J? Think again. The US Department of Homeland Security (DHS) recently issued a report indicating that Log4j issues will likely linger for a decade or more. Two pieces of good news:
- The report provides 19 things organizations can do to at least limit the impact
- Black Kite’s FocusTags™ help show you which parties in your extended ecosystem are exposing themselves AND YOU to this now endemic issue
3. Hey you! Do you do SBOMs?
Jeffrey Wheatman: We have started to hear more and more about risks within the software supply chain. One of the biggest challenges to understanding your risk(s) is the lack of visibility into the myriad elements that comprise said software stacks. SBOMs declare the inventory of components used to build a software artifact such as a software application. So, do you SBOM? Do you think you should? We think you should. At least start with an investigation.
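As an added example (not Black Kite code, and not from any of the articles linked above), here is what an SBOM actually lets you answer: which components in a build fall inside an advisory's affected range, and which direct dependency dragged each one in. The CycloneDX document, the "billing-service" and "report-lib" names, and the dependency graph are constructed for illustration; the only real identifier is CVE-2021-44228 (Log4Shell), whose affected range is simplified here to "below 2.15.0".

```python
"""Walk a CycloneDX JSON SBOM, flag components whose versions fall inside an
advisory range, and show the dependency path that pulls each one in.
Added example; not Black Kite code. The SBOM and the product names in it
are constructed for illustration."""
import json

# Constructed CycloneDX 1.4 document: a hypothetical "billing-service" that
# depends directly on jackson-databind and, only transitively through a
# hypothetical "report-lib", on log4j-core 2.14.1.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
  "metadata": {"component": {"bom-ref": "billing-service@1.0.0",
                             "type": "application", "name": "billing-service", "version": "1.0.0"}},
  "components": [
    {"bom-ref": "pkg:maven/com.example/report-lib@3.2.0", "type": "library",
     "name": "report-lib", "version": "3.2.0",
     "purl": "pkg:maven/com.example/report-lib@3.2.0"},
    {"bom-ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1", "type": "library",
     "name": "log4j-core", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"bom-ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4", "type": "library",
     "name": "jackson-databind", "version": "2.13.4",
     "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4"}
  ],
  "dependencies": [
    {"ref": "billing-service@1.0.0",
     "dependsOn": ["pkg:maven/com.example/report-lib@3.2.0",
                   "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4"]},
    {"ref": "pkg:maven/com.example/report-lib@3.2.0",
     "dependsOn": ["pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"]}
  ]
}"""

# Advisory list as (purl without version, first fixed version, advisory id).
# Simplified: CVE-2021-44228 (Log4Shell) was fixed in log4j-core 2.15.0; the
# real affected range also has backported fixes on older branches, so a
# production check should consume a vulnerability feed, not a hand-made list.
ADVISORIES = [
    ("pkg:maven/org.apache.logging.log4j/log4j-core", "2.15.0", "CVE-2021-44228"),
]


def parse_version(text):
    """'2.14.1' -> (2, 14, 1). Non-numeric segments compare as 0 (simplification)."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def find_vulnerable(sbom_json, advisories):
    """Return [(purl, advisory_id)] for every component below an advisory's fixed version."""
    sbom = json.loads(sbom_json)
    hits = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl or "@" not in purl:
            continue
        base, version = purl.rsplit("@", 1)   # purl qualifiers after '?' are ignored here
        for adv_base, fixed_in, advisory_id in advisories:
            if base == adv_base and parse_version(version) < parse_version(fixed_in):
                hits.append((purl, advisory_id))
    return hits


def dependency_paths(sbom_json, target_ref):
    """Every path from the root component to target_ref through the dependency graph."""
    sbom = json.loads(sbom_json)
    root = sbom["metadata"]["component"]["bom-ref"]
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    paths = []

    def walk(node, trail):
        trail = trail + [node]
        if node == target_ref:
            paths.append(trail)
            return
        for child in graph.get(node, []):
            if child not in trail:  # ignore cycles
                walk(child, trail)

    walk(root, [])
    return paths


if __name__ == "__main__":
    for purl, advisory in find_vulnerable(SBOM_JSON, ADVISORIES):
        print(f"{advisory}: {purl}")
        for path in dependency_paths(SBOM_JSON, purl):
            print("  via " + " -> ".join(path))
```

The second function is the part a "do you SBOM?" conversation usually misses: the vulnerable jar is not in billing-service's own dependency list at all, it arrives through report-lib, which is exactly the nth-party visibility problem. A real check feeds `find_vulnerable` from a vulnerability database rather than a hand-typed list and has to handle version schemes beyond dotted integers.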
Friday Jul 8, 2022
1. North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector
Jeffrey Wheatman: Dear healthcare CISOs, it ain’t just about HIPAA anymore! For far too long, cybersecurity in healthcare has been about HIPAA compliance … and ONLY HIPAA compliance. Don’t get me/us wrong, you need to be HIPAA compliant. But the recent warnings from US agencies – HHS, FBI, CISA – regarding an aggressive state-sponsored strain of ransomware (Maui) targeting healthcare providers in the US means healthcare CISOs must take a much more comprehensive approach to ransomware (and other malware for that matter). By taking a programmatic, process-based approach, healthcare CISOs will be in a much better position today…tomorrow … and in perpetuity.
2. Apple’s New Lockdown Mode for iPhone Fights Hacking, Spyware
Jeffrey Wheatman: In an effort to combat state-sponsored spyware (among other malicious spying) Apple has announced Lockdown Mode to activate “extreme” protections on its phones. This includes blocking attachments and link previews in messages, potentially hackable web browsing technologies, and incoming FaceTime calls from unknown numbers. The new feature will be released for free publicly in the fall as part of iOS 16, iPadOS 16 and macOS Ventura. Yay Privacy!
3. What Do All of Those Cloud Cybersecurity Acronyms Mean?
Jeffrey Wheatman: Black magic, witchcraft, super secret handshake … sometimes (well often) cybersecurity practitioners use a secret language to make what we do seem that much harder and more complicated than it is. We keep people that really need to know what’s going on out of the proverbial loop. Our good friend Jonathan Care opens the curtain and the emperor is wearing no clothes (sorry for mixing my references 🙂 ) by providing this handy cheat sheet for cloudsec acronyms.
Friday Jul 1, 2022
1. A Record-Breaking Year for Ransomware Attacks Predicted | MSSP Alert
Bob Maley: I am not a big fan of predictions (unless the prognosticator has a published track record of accuracy), but this may be one that it is difficult to argue with, unless, as the author states, people actually implement critical measures. Black Kite Research shows those measures are simple things, like implementing email security (DMARC/DKIM/SPF), truly using multi-factor authentication everywhere, and paying close attention to what assets you are exposing on the Internet.
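The "simple things" in that list are also simple to check. As an added example (not Black Kite code or the MSSP Alert article's), the script below grades a domain's SPF and DMARC records for the weaknesses that let attackers spoof its mail: a soft-fail SPF, a monitor-only DMARC policy, partial enforcement, no reporting address, or no record at all. DKIM is left out because checking it needs the selector name the sender uses. The DNS answers and the domain names are constructed so it runs offline; replace `constructed_lookup` with a real TXT resolver to run it against live domains.

```python
"""Grade a domain's SPF and DMARC records for the weaknesses that let
attackers spoof its mail. Added example; not Black Kite code. The DNS
answers are constructed inline so the check runs offline; swap in a real
resolver (for example dnspython) to look up live TXT records."""

# Constructed TXT records keyed by DNS name (not any real domain's records).
CONSTRUCTED_DNS = {
    "weak.example": ["v=spf1 include:_spf.mailhost.example ~all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
    "strong.example": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all"],
    "_dmarc.strong.example": ["v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@strong.example"],
    "bare.example": [],          # no SPF at all, and no _dmarc.bare.example entry either
}

SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_SPF_LOOKUPS = 10  # RFC 7208 section 4.6.4 limit; receivers permerror beyond it


def parse_spf(record):
    """Return {'all': qualifier, 'lookups': n} for a v=spf1 record, else None."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    result = {"all": None, "lookups": 0}
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = term.split(":", 1)[0].split("=", 1)[0].split("/", 1)[0].lower()
        if name == "all":
            result["all"] = qualifier
        elif name in SPF_LOOKUP_TERMS:
            result["lookups"] += 1
    return result


def parse_dmarc(record):
    """Return the tag dict of a v=DMARC1 record, else None."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def assess_domain(domain, txt_lookup):
    """txt_lookup(name) -> list of TXT strings. Returns a sorted list of finding codes."""
    findings = set()
    spf_records = [r for r in (parse_spf(t) for t in txt_lookup(domain)) if r]
    if not spf_records:
        findings.add("SPF_MISSING")
    else:
        if len(spf_records) > 1:
            findings.add("SPF_MULTIPLE_RECORDS")   # RFC 7208: two records is a permerror
        spf = spf_records[0]
        if spf["all"] != "-":
            findings.add("SPF_NOT_HARDFAIL")       # ~all, ?all, +all or no all term
        if spf["lookups"] > MAX_SPF_LOOKUPS:       # undercounts: includes are not expanded here
            findings.add("SPF_TOO_MANY_LOOKUPS")
    dmarc_records = [r for r in (parse_dmarc(t) for t in txt_lookup("_dmarc." + domain)) if r]
    if not dmarc_records:
        findings.add("DMARC_MISSING")
    else:
        dmarc = dmarc_records[0]
        if dmarc.get("p", "none").lower() == "none":
            findings.add("DMARC_POLICY_NONE")      # monitor only: spoofed mail is still delivered
        pct = dmarc.get("pct", "100")
        if pct.isdigit() and int(pct) < 100:
            findings.add("DMARC_PARTIAL_ENFORCEMENT")
        if "rua" not in dmarc:
            findings.add("DMARC_NO_REPORTING")
    return sorted(findings)


def constructed_lookup(name):
    """Stand-in for a DNS TXT query; returns the constructed records above."""
    return CONSTRUCTED_DNS.get(name, [])


if __name__ == "__main__":
    for d in ("weak.example", "strong.example", "bare.example"):
        print(d, assess_domain(d, constructed_lookup) or ["OK"])
```

The lookup count is a lower bound because `include:` targets are not resolved recursively; a live checker has to follow them, since a domain can pass this test and still exceed the ten-lookup limit through its includes.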
2. Securing your organization by recruiting, hiring, and retaining cybersecurity talent to reduce cyberrisk | McKinsey
Bob Maley: There is a lot to unpack in this article, but it is worth the read. Identifying your most valuable assets is crucial in any cybersecurity program, but where things can be complicated is when you “apply” controls. NIST SP 800-53 has over 900 unique controls. Understanding which controls have the greatest efficacy in reducing risk (and by risk I mean probable financial impact from an incident) is a fundamental element in success.
3. Third party risk management: Half of firms are underprepared | Digital Journal
Bob Maley: I can agree with the statement that half are underprepared, but what isn’t addressed is why? The author points out multiple areas in TPRM are lagging and that third party related incidents are on the rise. I believe the “why” is the state of “best practices”. The rise of third party incidents is not new, it has been increasing year over year, so is it possible that the existing best practices just aren’t cutting it? It is time to transform those practices into an agile methodology that takes into account how the bad actor thinks, learns their tactics, techniques and procedures, and uses that to drive our focus.
Friday Jun 24, 2022
1. CISA warns over software flaws in industrial control systems | ZDNet
Jeffrey Wheatman: I, for one, after spending the last two decades working with security leaders in Energy & Utilities, Mining, Manufacturing, etc. don’t find this even remotely surprising. What I do find upsetting is that things don’t seem to be getting any better.
Earlier this week, the US Cybersecurity and Infrastructure Security Agency (CISA) released a warning about five new OT vulnerabilities, and a strong suggestion to security teams to stay on top of announcements. Of course, if these devices were not open to the public internet, it would be less of an issue … but don’t get me started.
2. These hackers are spreading ransomware as a distraction – to hide their cyber spying
Jeffrey Wheatman: As if Ransomware wasn’t a big enough problem by itself, two crews, Bronze Riverside and Bronze Starlight, are now using Ransomware to hide their spying and espionage. This isn’t your same old, same old. Are you susceptible to ransomware, or are your partners? Black Kite’s RSI™ (Ransomware Susceptibility Index™) can help you understand how exposed you might be, and will tell you exactly what to do to limit your exposure.
3. Log4Shell Still Being Exploited to Hack VMWare Servers to Exfiltrate Sensitive Data
Jeffrey Wheatman: Really people? Six months after the fact and organizations are still not protecting themselves from this well known and very dangerous vulnerability. Stop whatever you are doing and follow this guidance from CISA and protect yourselves … right now!
Friday Jun 17, 2022
1. U.S., EU Plan Joint Foreign Aid for Cybersecurity to Counter China
Jeffrey Wheatman: One of the key learnings of the Russian invasion of Ukraine is that cyber attacks are going to run side by side with kinetic attacks in future warfare. In anticipation of future nation-state attacks, the US and EU are planning efforts to support national defense against attacks. Take a look at our recent federal report for some thoughts from Bob Maley and me about the role of the government in protecting cyberspace.
2. New federal bill would compel key industries to bolster cyber security — or pay a price
Jeffrey Wheatman: Potential new legislation out of Ottawa would give the Canadian federal government much more control over how private companies react to cyberattacks. In theory, I am OK with these types of moves, but in practice, I’m not sure how useful they are. If I were running a company that got hit, for example with ransomware, I would do whatever I had to do to get back up and running – and deal with government finger wagging and fines once the dust settled. But maybe that’s just me.
3. Sophisticated Android Spyware ‘Hermit’ Used by Governments
Jeffrey Wheatman: Let’s make it a hat trick of news out of the public sector. Researchers have been analyzing Android-based malware (spyware) created by an Italian-based security firm that provides tools to law enforcement. Well, it looks like this tool has found its way into the hands of some nation states with … well, let us say … not the best reputations with regard to human rights violations. It isn’t that fun out there people.
Saturday Jun 11, 2022
1. #RSAC: How to Manage the Supply Chain in the Modern Age | Infosecurity Magazine
Bob Maley: When I read the article, I was caught off guard as the title says ‘the Modern Age’. Many of the points made are “good practice”, but good practice just doesn’t cut it in the modern age.
As an example, focusing on your critical third parties was best practice when technology did not exist that allows you to monitor all third parties that can be impactful. Ask Target if they wish they had been watching their non-critical HVAC vendor back in 2013.
2. Agrifood cyber attack threats on the rise | WATTPoultry
Bob Maley: Sadly the article is behind a paywall, but really, what more can the article tell me? It isn’t just Agrifood cyberattacks on the rise, but attacks across the board are on the rise and have been. The criminal organizations know cash cows when they see them, and will continue to exploit the weakest links.
3. National Defense looking at potential ‘impacts’ after cyberattack on military contractor | Globalnews.ca
Bob Maley: Potential impacts, eh? It is interesting to read that they believe there will be no pilfering of state secrets, when it is common knowledge that Ransomware attacks have gone beyond the pay for decryption keys phase.
If you can encrypt a thing you can steal a thing (bad Dune paraphrase). And since they are stealing the data, they get a second round of payments!
Friday Jun 3, 2022
1. Conti ransomware targeted Intel firmware for stealthy attacks
Jeffrey Wheatman: The hardware level has generally been thought of as inviolable. While there have been some hardware level exceptions, for the most part malware writers have focused on software. Researchers who reviewed leaked chats from the infamous Conti gang found that the group was making a concerted effort to create malware that subverts virtually all controls and gains ring-0 privileges on Intel chips. Conti may be no more, but their work lives on. Keep an eye on this one folks.
2. Navy looks to turn cybersecurity into a game, literally | Federal News Network
Jeffrey Wheatman: Talk about war games! Recently the Navy and the National Security Innovation Network (NSIN) wrapped up their Reality Bytes: Visualizing Cyber Operations Hackathon. The goal was to create a system that shows intrusions visually rather than as long lists filled with cryptic names and numbers. The NSIN team heard a bunch of pitches – now comes prototyping. Maybe we’ll see those beautiful 3D, floating, hand gesture driven hacking interfaces from the movies one day – yes, I’m talking to you, Hugh Jackman (Swordfish). Let the games begin.
3. NASA to reveal Hell-like planet that rains lava at night
Jeffrey Wheatman: This has nothing at all to do with cybersecurity or risk management but it’s so cool, I couldn’t resist. Apparently NASA is using the James Webb telescope to take a deeper look at the planet 55 Cancri e, where an umbrella won’t do you much good since it rains lava instead of plain old rain. Can you say Road (space) Trip anyone?
Saturday May 28, 2022
1. Ransomware attack exposes data of 500,000 Chicago students
Jeffrey Wheatman: In YATPB (yet another third party breach) the Chicago public school system is being held accountable for the loss of ~500,000 student records, even though the system itself wasn’t hit with ransomware. Their vendor, Battelle for Kids, was hit, and Chicago K-12 is left holding the bag. Did they know how exposed they were due to a partner’s cybersecurity posture? I bet they didn’t.
2. Third-Party Scripts on Websites Present a ‘Broad & Open’ Attack Vector
Jeffrey Wheatman: Almost half of the biggest websites across the world are using third-party, externally generated scripts that leave them wide open to attack. This could lead to stolen data, credit cards, and execution of malicious actions. I would bet your personal or company data are probably exposed on at least one of these sites … might be a good idea to start asking some questions.
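A good first question to ask is simply "which scripts on our pages come from someone else's server, and are any of them pinned?" The following added example (not Black Kite code, and not the method of the study referenced above) inventories every external `<script src>` on a page, marks the ones served from another origin, and notes whether an `integrity` attribute (Subresource Integrity) ties the page to a known copy of the file. The HTML, the hostnames and the hash value are constructed for illustration.

```python
"""Inventory the scripts a page loads and flag those served from another
origin without Subresource Integrity pinning. Added example; not Black Kite
code. The HTML below is constructed; the integrity value is a placeholder,
not a real digest."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed page for illustration (documentation-reserved hostnames).
CONSTRUCTED_HTML = """<!doctype html>
<html><head>
  <script src="/static/app.js"></script>
  <script src="https://cdn.example.net/lib/widget.js"></script>
  <script src="https://cdn.example.org/analytics.js"
          integrity="sha384-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
          crossorigin="anonymous"></script>
  <script>console.log("inline, not external");</script>
</head><body></body></html>"""


class ScriptCollector(HTMLParser):
    """Collects the attribute map of every <script> tag that has a src."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            attr_map = {k.lower(): (v or "") for k, v in attrs}
            if "src" in attr_map:
                self.scripts.append(attr_map)


def audit_external_scripts(html, page_url):
    """Return one dict per external <script src>: resolved URL, whether it is
    served from a different origin than the page, and whether SRI pins it."""
    parser = ScriptCollector()
    parser.feed(html)
    page_host = urlsplit(page_url).netloc.lower()
    report = []
    for attrs in parser.scripts:
        url = urljoin(page_url, attrs["src"])      # resolve relative and protocol-relative src
        host = urlsplit(url).netloc.lower()
        report.append({
            "src": url,
            "third_party": host != page_host,
            "sri": attrs.get("integrity", "").startswith(("sha256-", "sha384-", "sha512-")),
        })
    return report


def unpinned_third_party(html, page_url):
    """The subset worth asking questions about first: other-origin and unpinned."""
    return [r["src"] for r in audit_external_scripts(html, page_url)
            if r["third_party"] and not r["sri"]]


if __name__ == "__main__":
    for row in audit_external_scripts(CONSTRUCTED_HTML, "https://shop.example.com/"):
        print(row)
    print("ask about:", unpinned_third_party(CONSTRUCTED_HTML, "https://shop.example.com/"))
```

Two caveats a practitioner will hit immediately: SRI only works for files that do not change, so a tag-manager or analytics loader that updates itself cannot be pinned and stays on the "ask questions" list, and scripts injected at runtime by other scripts never appear in the static HTML at all, which is why the inventory has to be repeated from a real browser session as well.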
3. Verizon: Ransomware sees biggest jump in five years | The Register
Jeffrey Wheatman: It’s late spring in the U.S. The flowers are blooming, the temps are rising, and my highlight of the year: the Verizon DBIR has just been released. You should most definitely download and peruse this excellent piece of work. If you are too busy, the tl;dr is that some stuff has changed and some has not. Ransomware is up, human beings are still a weak link, and the better we get at defense, the better the attackers get.
Friday May 20, 2022
1. Your iPhone can be hacked with malware even when it’s switched off, new research finds | Euronews
Jeffrey Wheatman: The fun never ends. Researchers out of the Technical University of Darmstadt in Germany have demonstrated that your iPhone can be hacked. Why is this news? Because this attack works even if your phone is OFF! The good news is this attack doesn’t seem to have exploit code in the wild yet, but ‘bad guys’ love taking proof of concepts and turning them into real world attacks. Yet another reason why we must remain ever vigilant.
2. US won’t prosecute ‘good faith’ security researchers under CFAA
Jeffrey Wheatman: Some good news! The US DoJ has announced they will no longer go after security researchers that act in ‘good faith.’ While this is a step in the right direction in freeing researchers to … do research, more needs to be done. The new guidance still leaves researchers, many of whom I know personally, reluctant to publish research in fear of prosecution under the Computer Fraud and Abuse Act (CFAA). I guess taking baby steps forward is better than nothing. On another note, the new guidance does seem to indicate that lying on your dating profile is OK.
3. Costa Rican president claims collaborators are aiding Conti’s ransomware extortion efforts | CyberScoop
Jeffrey Wheatman: Make no bones about it. The future of cyber warfare is here. The notorious Conti ransomware group is holding the government of Costa Rica digitally hostage. They tweeted a not so thinly veiled threat that they have the effective power and backing inside Costa Rica to overthrow the government if the ransom isn’t paid. Think about the ramifications of that!
Friday May 13, 2022
1. Risk management programs don’t address today’s risk environment | Security Magazine
Bob Maley: The results of this survey do not surprise me at all. When we build risk management programs that are qualitative in nature, we can never truly measure risk, nor effectively develop metrics. Metrics are quantitative measures.
You cannot assign numbers to risk colors (red, yellow, green), do math, and call it a metric. The author makes a great point: invest in technology to help analyze data and provide clear and defensible metrics. As my friend Jack Jones frequently says, “if there isn’t a unit of measurement (%, frequency, time, $$, etc.), then it isn’t quantification — period.”
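To make the "unit of measurement" point concrete, here is an added example (not Black Kite code, and not Jack Jones's or the FAIR Institute's tooling) that states one risk scenario the way a quantitative program would: an event frequency per year and a 90% confidence range for the loss per event, run through a Monte Carlo simulation to get dollars per year. The frequency, the loss range and the assumed effect of MFA are constructed inputs for illustration, not measurements.

```python
"""Express a cyber risk scenario in currency per year instead of a colour:
Monte Carlo over an event frequency and a loss-magnitude range, in the style
of FAIR. Added example; not Black Kite code. Every input number below is a
constructed assumption for illustration."""
import math
import random


def poisson(lam, rng):
    """Number of events in one year for annual rate lam (Knuth's method)."""
    limit = math.exp(-lam)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product < limit:
            return count
        count += 1


def lognormal_params(low, high, confidence=0.90):
    """(mu, sigma) of a lognormal whose central `confidence` interval is [low, high]."""
    z = {0.90: 1.645, 0.95: 1.960}[confidence]    # two-sided normal quantiles
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * z)
    return mu, sigma


def simulate_annual_loss(events_per_year, loss_low, loss_high, trials=20000, seed=1):
    """Summary statistics, in currency units per year, for one loss scenario.
    Each trial is one simulated year: draw how many events happen, then a
    loss for each event, and add them up."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params(loss_low, loss_high)
    yearly = []
    for _ in range(trials):
        total = 0.0
        for _ in range(poisson(events_per_year, rng)):
            total += rng.lognormvariate(mu, sigma)
        yearly.append(total)
    yearly.sort()
    pct = lambda p: yearly[min(int(p * trials), trials - 1)]
    return {
        "expected_annual_loss": sum(yearly) / trials,
        "p50": pct(0.50),
        "p90": pct(0.90),
        "p99": pct(0.99),
        "prob_any_loss": sum(1 for y in yearly if y > 0) / trials,
    }


def control_value(before, after):
    """What a control is worth per year: the drop in expected annual loss."""
    return before["expected_annual_loss"] - after["expected_annual_loss"]


if __name__ == "__main__":
    # Constructed scenario: ransomware via a phished credential, about once
    # every two years, costing between $200k and $2M per event (90% CI).
    baseline = simulate_annual_loss(0.5, 200_000, 2_000_000)
    # Constructed assumption: MFA everywhere cuts the event frequency by 80%.
    with_mfa = simulate_annual_loss(0.1, 200_000, 2_000_000)
    for name, stats in (("baseline", baseline), ("with MFA", with_mfa)):
        print(f"{name:9s} EAL=${stats['expected_annual_loss']:,.0f}/yr "
              f"p90=${stats['p90']:,.0f} p99=${stats['p99']:,.0f} "
              f"P(loss)={stats['prob_any_loss']:.0%}")
    print(f"control value = ${control_value(baseline, with_mfa):,.0f}/yr")
```

The output has units (dollars per year, probability of any loss in a year), so two scenarios can be added, compared, or weighed against a control's cost, which is exactly what a colour cannot do. Note that the median year here is zero loss even though the expected loss is in the hundreds of thousands; a heat map that rates this "yellow" hides that shape entirely.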
2. You Can’t Eliminate Cyberattacks, So Focus on Reducing the Blast Radius | Threatpost
Jeffrey Wheatman: We’ve been saying for a long time that no matter how much we spend, no matter how many people we hire, we are never going to be anywhere near 100% successful at stopping attacks. I love the concept outlined in this piece – if we cannot stop the attacks, at least we can do things to limit the impact.
The good news is many of the tips and techniques to do this aren’t exorbitantly expensive or excessively difficult to implement. Shift your mindset – if we cannot stop the attackers, let’s limit the blast radius!
3. Protecting Against Cyber Threats to MSPs and Their Customers
Jeffrey Wheatman: The vendor ecosystem is the biggest risk most organizations face – there I said it. I might be somewhat hyperbolic, but I am increasingly moving toward this belief.
And what do you know? The cybersecurity authorities in the UK, USA, Australia, Canada and New Zealand, otherwise known as Five Eyes security alliance, agree. Take a look at this press release from the alliance regarding the risks and steps to take to limit the exposures due to your service providers – and don’t forget to implement continuous monitoring of your digital supply chain. If only there was a way to do so … oh wait there is … Black Kite!
Friday May 6, 2022
1. Cybersecurity Maturity Models Can Be Immature
Jeffrey Wheatman: Maturity models have been the bane of security and risk folks for as long as I can remember. Not to say they provide no value, but they cannot be the be-all end-all. Unfortunately they are often treated as such. I spent a lot of time in my previous role at Gartner reviewing maturity scores and reports and telling CISOs that the discussions around the scores are far more valuable than the actual scores themselves.
Maturity models break down at the ‘extremes,’ very low scores generally mean the organization has too much to do, and the models don’t guide action and prioritization. At the high end, it’s no longer about improvement across the board – rather it’s about focus, balance and prioritization and not about going from a 4.1 to a 4.2. They are surely one view, but cannot be the only view.
2. Tech Giants Unite in Effort to Scrap Passwords
Passwords are finally going away! Unfortunately, we’ve heard this all before. Maybe, with three of the biggest tech giants out there (Apple, Google, and Microsoft) behind the initiative, we may get somewhere. But boy oh boy, do people love their passwords. I suppose we will see what we see. By the way, in case you haven’t heard, 2022 is the year of PKI … again.
3. NIST Releases Updated Cybersecurity Guidance for Managing Supply Chain Risks
Whee, doggie! Hot off the press, NIST SP 800-161r1 (in plain language – Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations.) We at Black Kite have been well aware of the cybersecurity risks to the supply chain (physical and digital) for quite some time and it’s nice to know others are becoming more aware of these risks.
As digital ecosystems continue to become more complicated and expand, the impact of an Nth party on YOUR ability to deliver on your business goals becomes ever more common and more severe. The need to gain more visibility into your exposures is becoming a much more strategic risk with CxO and Board visibility. Good news- Black Kite can help!
Friday Apr 29, 2022
1. In the DMV, the future of cybersecurity is a people problem | Technical.ly
Jeffrey Wheatman: There aren’t enough cybersecurity people!!! That is what we keep hearing…but I don’t think this is the case, or at least not as bad as ‘they’ (you all know who ‘they’ are) say. The reality is, we need to expand our horizons. Look in other areas in the business, look for people that don’t look like you, and look in places where you never thought to look. See more in our latest blog about this phenomenon.
2. 24 Hours: Government Likely to Require Notice of Ransomware Payments from Banks, Other Key Businesses
Jeffrey Wheatman: The Cyber Incident Reporting for Critical Infrastructure Act of 2022: While there is still much to be ironed out in this act, the general gist is this: if you are part of the group defined as “covered entities” (we don’t know exactly who fits in here, but we do have a pretty good idea as to which industries are usually part of CI) you will need to report to CISA within 36 hours if a breach has occurred. You also must report any ransomware payments within 24 hours. This could be very interesting.
3. NIST revamps aging enterprise patch management guidance | The Daily Swig
Jeffrey Wheatman: We all know patching has been a huge bugaboo for a looooooooong time. While I can’t tell you how to fix that problem, I can tell you that there is a brand new version of NIST SP 800-40 – GUIDE TO ENTERPRISE PATCH MANAGEMENT PLANNING: PREVENTIVE MAINTENANCE FOR TECHNOLOGY. A key point is that the new Rev 4 is more about the process than the tool. We are big fans of standards-based approaches to all things cybersecurity. Hopefully this will fix the patching problem perfectly and soon.
Friday Apr 22, 2022
1. All at sea: the shipping industry’s cybersecurity problem | CyberNews
Bob Maley: Transport and logistics companies are not more vulnerable to attack today than in the past, but the likelihood of becoming victims is definitely on the rise. Bad actors focus on victims that can easily be compromised and have a high motivation to pay ransom to get systems working again. Due to the pressure on the global supply chain those attacks will likely increase in this sector.
A number of other sector specific alerts have been published in recent days as well and given the heightened tensions in the world, those days of security through obscurity (thinking that you are not worth attacking) are over.
2. LinkedIn Brand Now the Most Abused in Phishing Attempts
Jeffrey Wheatman: Trust is everything and brand is inextricably connected to trust. A recent study from Check Point found that more than half of global phishing attacks in Q1 2022 were related to LinkedIn as a brand. People know LinkedIn, they trust LinkedIn, and therefore trust communication that says it’s coming from, or through, LinkedIn. And NONE of this has anything to do with LinkedIn or their cybersecurity posture. It has everything to do with the brand.
While it is nice to be trusting, it’s not wise to trust digital communication. Generally speaking, if someone is offering you something for nothing, you should think twice or thrice before clicking or acting. Ask questions, and if you have any doubts, check with your security team. Former US President Ronald Reagan famously said, “trust but verify.” Great advice to follow.
3. Does Your Company Need a Chief ESG Officer? | Harvard Business Review
Jeffrey Wheatman: Does Your Company Need a Chief ESG Officer? Yes, probably, maybe! I could stop there and move along, but numerous recent conversations have made me aware of the fact that ESG, while becoming more visible, is still not on everyone’s radar and it really needs to be.
ESG is the acronym for Environmental, Social, and Governance. ESG covers a wide range of ‘softer’ elements of running an enterprise. There is a lot of data out there that shows the growing importance of ESG, but one that jumps out at me comes from an HBR study – nine out of ten employees said that they would trade a portion of their life’s earnings for greater meaning at work. And by extension, ESG in your partner ecosystem will become more important as well. Given the choice between two partners, one of whom ‘does the right thing’ vs one that doesn’t … all other things being equal, who would you choose?
Friday Apr 15, 2022
1. US Agencies: Industrial Control System Malware Discovered | Business News
Jeffrey Wheatman: Cyber Warfare is most definitely no longer theoretical. Multiple U.S. government agencies issued a joint alert this week regarding the discovery of advanced malicious attack tools that target industrial control systems. The tools appear to be state sponsored – although the official announcement did not point fingers. Researchers involved in the discovery and investigation didn’t hold back – and the tools are quite advanced and dangerous, likely capable of gaining full access to ICS systems within the energy sector.
Thankfully, the attack(s) were thwarted before any damage was done … this time. Unfortunately, this risk isn’t going away any time soon. The energy and utilities sector continues to be exposed, relying on old technology, systems that were not designed with security in mind, and a misplaced belief that security by obscurity is a viable approach to protecting critical infrastructure.
If these tools somehow get out into the public domain, which is not unlikely, and a broader range of attackers start to tweak them … well, it could be … not good.
2. Survey Sees Little Progress on Securing Software Supply Chains | DevOps.com
Jeffrey Wheatman: In spite of recent high profile software supply chain ‘issues,’ a recently published survey from CyberArk indicates that we have a long way to go in securing the digital supply chain. Some lowlights:
- 64% of respondents said their organizations couldn’t stop a supply chain related attack
- 88% of energy and utilities have already been nailed with a successful software supply chain-related attack
I am not sure what more needs to happen before people start to take this risk seriously. While buyers and users of software may not be able to address the direct issue of problematic code, they can address the associated concentration risk, by discovering the when, where, and how of dependencies on software. Not just internally, but also in their 3rd, 4th, and nth party landscape.
3. Creating a Security Culture Where People Can Admit Mistakes | Dark Reading
Peter Drucker famously said “Culture eats strategy for breakfast.”
Jeffrey Wheatman: You know the best way to get people to do what you want? Scream at them when they make a mistake. Oh, wait – that is a terrible way to influence behavioral change. If people get in trouble whenever they own up to mistakes, guess what happens? They will sweep it under the rug and walk away, hoping it never gets tracked back to them.
Instead, we want to create a culture where people feel empowered, and when mistakes get made, they are turned into a lesson for improvement going forward. This is true in all areas of business, but maybe more so in cybersecurity, where impacts of mistakes may take time to cascade into big problems. The quicker the security team knows you clicked that link for the free iPhone, the better shot they have at keeping the danger from snowballing out of control.
Instead of punishing people for mistakes, encourage them to be open and communicate when something has gone wrong. Long term, we are all better off.
Friday Apr 8, 2022
1. Nearly 40% of Macs Left Exposed to 2 Zero-Day Exploits
Bob Maley: “Between 35% and 40% of all supported Macs might be at heightened risk of compromise from two zero-day vulnerabilities that Apple has said are being exploited in the wild, but for which the company has not yet issued a patch.
I wish I could say that this is surprising, but I can’t. It is not just macOS, but thousands of systems with unpatched or out-of-date systems. In our recent research article on the top 250 technology companies, 77% of those vendors have at least one high-severity vulnerability due to out-of-date systems.
This is simply a symptom of a bigger issue, and that is software such as operating systems are complex to build (from the developer side) and complex to maintain (from the end-user side). The bottom line is that for whatever reason Apple has, they have not yet patched the older versions of the OS. In the not-too-distant past, Microsoft was viewed as the buggiest system, causing them to introduce the idea of Trustworthy Computing. The times they are a-changin. (Bob Dylan)”
2. US government launches Bureau of Cyberspace and Digital Policy | TechRadar
Jeffrey Wheatman: “The US State Department has announced the creation of a new bureau – Bureau of Cyberspace and Digital Policy (CDP), with a mandate to ‘address the national security challenges, economic opportunities, and implications for U.S. values associated with cyberspace, digital technologies, and digital policy.’ Comments withheld, but if they weren’t, I might ask why the powers that be are creating new functions when we have quite a few agencies, bureaus, and committees that are still struggling to protect our cyber domain.”
3. PCI DSS v4.0 Resource Hub
Jeffrey Wheatman: “Hot off the press: version 4.0 of the PCI standard has been released. The update will, as usual, take effect on a rolling schedule (the current version 3.2.1 will be retired in March 2024).
There are plenty of small tweaks, but the four major updates are
- New and updated controls to support the changing threat landscape
- A shift to continuous process as an integral part of the security program
- Increased flexibility with regard to the ‘how’ objectives are accomplished
- Enhanced validation to support compliance and transparency
Get started, assess what the changes mean to you, and start to look at plans to transition.”
Friday Apr 1, 2022
1. Hackers Gaining Power of Subpoena Via Fake “Emergency Data Requests” – Krebs on Security
Jeffrey Wheatman: “When I was a pen tester, I often called targets and ‘alluded’ to the fact that I may have been a member of law enforcement. With a little bullying, I rarely, if ever, was rebuffed.
When the question comes from law enforcement or the government, most of us answer without a thought or hesitation. The same goes for telco providers and social media platforms. While there is a normal process involving court orders and/or subpoenas in place when law enforcement requests personal information on subscribers and customers, there is a legal bypass in case of emergency. Called an Emergency Data Request (EDR), these requests bypass the need for any court-approved documents in cases involving imminent danger.
Attackers only need access to a legitimate email from a single LE email address, a little bluster, and voila – hackers get PII records and personal information.
Trust is important but it’s also dangerous – people tend to make assumptions based on the source of the request.”
2. Bugs in Wyze Cams Could Let Attackers Takeover Devices and Access Video Feeds
Jeffrey Wheatman: “IoT (Internet of Things) is a wonderful thing – we can see who is at the front door, even if we aren’t at home, we can adjust the temperature without climbing out from under the covers, and we can (maybe one day) hop in the car, tell it where to go and go back to sleep. Fabulous, amazing and beneficial – YES! Dangerous and risky – also YES!
IoT companies focus on getting cool products out the door, with often nary a thought to safety or security. Software and firmware vulnerabilities dating back almost three years have plagued Wyze. The latest firmware issue (Still not fixed on Version 1 cameras – which were still being sold as of January 2022) could allow remote access to the storage card on the device.
What’s plugged into your network at home and at work? And are you exposed? Do the bad actors know you left on vacation? And we are pretty sure you don’t have Kevin McCallister at home setting traps, or do you?”
3. Zero-Day Vulnerability Discovered in Java Spring Framework
Bob Maley: “Spring4Shell is no Log4JShell! The potential for abuse of this vulnerability is not as great as Log4JShell due to other factors needing to be present to make it exploitable; it should be patched as soon as practicable.”