At Black Kite, we believe a big part of a strong cyber security program is staying aware of current events and talking about them with your colleagues. We want to help facilitate this, as the more we understand the bad actors, the better we can defend against them.
Every Friday we will be publishing “quick hits” of three cyber attacks or incidents we think people should be talking about from the week. Hear from Black Kite CSO Bob Maley and SVP Cyber Risk Evangelist Jeffrey Wheatman as they comment on these events. Check back every Friday for new topics to learn from and discuss.
Friday May 20, 2022
1. Your iPhone can be hacked with malware even when it’s switched off, new research finds | Euronews
Jeffrey Wheatman: The fun never ends. Researchers out of the Technical University of Darmstadt in Germany have demonstrated that your iPhone can be hacked. Why is this news? Because this attack works even if your phone is OFF! The good news is this attack doesn’t seem to have exploit code in the wild yet, but ‘bad guys’ love taking proofs of concept and turning them into real-world attacks. Yet another reason why we must remain ever vigilant.
Jeffrey Wheatman: Some good news! The US DoJ has announced they will no longer go after security researchers that act in ‘good faith.’ While this is a step in the right direction in freeing researchers to … do research, more needs to be done. The new guidance still leaves researchers, many of whom I know personally, reluctant to publish research in fear of prosecution under the Computer Fraud and Abuse Act (CFAA). I guess taking baby steps forward is better than nothing. On another note, the new guidance does seem to indicate that lying on your dating profile is OK.
3. Costa Rican president claims collaborators are aiding Conti’s ransomware extortion efforts | CyberScoop
Jeffrey Wheatman: Make no bones about it. The future of Cyber Warfare is here. The notorious Conti ransomware group is holding the government of Costa Rica digitally hostage. They tweeted a not-so-thinly-veiled threat that they have the effective power and backing inside Costa Rica to overthrow the government if the ransom isn’t paid. Think about the ramifications of that!
Friday May 13, 2022
Bob Maley: The results of this survey do not surprise me at all. When we build risk management programs that are qualitative in nature, we can never truly measure risk, nor effectively develop metrics. Metrics are quantitative measures.
You cannot assign numbers to risk colors (red, yellow, green), do math, and call it a metric. The author makes a great point: invest in technology to help analyze data and provide clear and defensible metrics. As my friend Jack Jones frequently says, “if there isn’t a unit of measurement (%, frequency, time, $$, etc.), then it isn’t quantification — period.”
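To make the point above concrete, here is an added example (not Black Kite's or Jack Jones's code) that puts a unit on risk: each scenario is described as a calibrated range for loss event frequency (events per year) and loss magnitude (dollars per event), and a Monte Carlo run turns that into annualized loss exposure in dollars per year. The same two scenarios are also scored with an assumed red/yellow/green heat map, which gives them an identical score even though their dollar exposure differs by roughly an order of magnitude. The scenario names, ranges and heat-map bucket edges are constructed for illustration.

```python
"""Annualized loss exposure with units, beside the heat-map score that hides it."""
from __future__ import annotations

import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """A loss scenario with calibrated (minimum, most likely, maximum) ranges.

    lef: loss event frequency, events per year.
    lm:  loss magnitude, US dollars per event.
    """
    name: str
    lef: tuple[float, float, float]
    lm: tuple[float, float, float]


def _draw(rng: random.Random, estimate: tuple[float, float, float]) -> float:
    low, mode, high = estimate
    # random.triangular takes (low, high, mode); note the argument order.
    return rng.triangular(low, high, mode)


def _poisson(rng: random.Random, lam: float) -> int:
    """Number of loss events in one year at rate lam (Knuth's method)."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate(scenario: Scenario, trials: int = 20_000, seed: int = 7) -> dict:
    """Simulate `trials` years and summarize annual loss in USD per year."""
    rng = random.Random(seed)
    annual_losses = []
    for _ in range(trials):
        rate = _draw(rng, scenario.lef)
        events = _poisson(rng, rate)
        annual_losses.append(sum(_draw(rng, scenario.lm) for _ in range(events)))
    annual_losses.sort()
    return {
        "unit": "USD per year",
        "mean": statistics.fmean(annual_losses),
        "median": annual_losses[trials // 2],
        "p90": annual_losses[int(trials * 0.9)],
    }


# Assumed heat-map scheme: bucket the most-likely values, then multiply ordinals.
LIKELIHOOD_BANDS = [(0.1, "low"), (3.0, "medium"), (math.inf, "high")]   # events/yr, upper bounds
IMPACT_BANDS = [(10_000, "low"), (1_000_000, "medium"), (math.inf, "high")]  # USD/event, upper bounds
ORDINAL = {"low": 1, "medium": 2, "high": 3}


def _band(value: float, bands) -> str:
    for upper, label in bands:
        if value < upper:
            return label
    return bands[-1][1]


def heat_map_score(scenario: Scenario) -> int:
    """The red/yellow/green approach: ordinal likelihood times ordinal impact."""
    likelihood = _band(scenario.lef[1], LIKELIHOOD_BANDS)
    impact = _band(scenario.lm[1], IMPACT_BANDS)
    return ORDINAL[likelihood] * ORDINAL[impact]


# Constructed scenarios: both land in the same heat-map cell.
PHISHING = Scenario("credential phishing", lef=(0.5, 1.0, 2.0), lm=(50_000, 100_000, 300_000))
VENDOR_OUTAGE = Scenario("key vendor outage", lef=(2.0, 2.5, 2.9), lm=(400_000, 800_000, 990_000))

if __name__ == "__main__":
    for s in (PHISHING, VENDOR_OUTAGE):
        r = simulate(s)
        print(f"{s.name}: heat-map score {heat_map_score(s)}; "
              f"mean ${r['mean']:,.0f}/yr, p90 ${r['p90']:,.0f}/yr")
```

Both scenarios score 4 on the heat map, yet the simulated exposure of the vendor outage is about ten times that of the phishing scenario. Only the figures with a unit attached can be compared against a budget, a control's cost, or a risk appetite.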
Jeffrey Wheatman: We’ve been saying for a long time that no matter how much we spend, no matter how many people we hire, we are never going to be anywhere near 100% successful at stopping attacks. I love the concept outlined in this piece – if we cannot stop the attacks, at least we can do things to limit the impact.
The good news is many of the tips and techniques to do this aren’t exorbitantly expensive or excessively difficult to implement. Shift your mindset – if we cannot stop the attackers, let’s limit the blast radius!
Jeffrey Wheatman: The vendor ecosystem is the biggest risk most organizations face – there I said it. I might be somewhat hyperbolic, but I am increasingly moving toward this belief.
And what do you know? The cybersecurity authorities in the UK, USA, Australia, Canada and New Zealand, otherwise known as the Five Eyes security alliance, agree. Take a look at this press release from the alliance regarding the risks and steps to take to limit the exposures due to your service providers – and don’t forget to implement continuous monitoring of your digital supply chain. If only there was a way to do so … oh wait, there is … Black Kite!
Friday May 6, 2022
Jeffrey Wheatman: Maturity models have been the bane of security and risk folks for as long as I can remember. Not to say they provide no value, but they cannot be the be-all and end-all. Unfortunately they are often treated as such. I spent a lot of time in my previous role at Gartner reviewing maturity scores and reports and telling CISOs that the discussions around the scores are far more valuable than the actual scores themselves.
Maturity models break down at the ‘extremes’: very low scores generally mean the organization has too much to do, and the models don’t guide action and prioritization. At the high end, it’s no longer about improvement across the board – rather it’s about focus, balance and prioritization, and not about going from a 4.1 to a 4.2. They are surely one view, but cannot be the only view.
Passwords are finally going away! Unfortunately, we’ve heard this all before. Maybe, with three of the biggest tech giants out there (Apple, Google, and Microsoft) behind the initiative, we may get somewhere. But boy oh boy, do people love their passwords. I suppose we will see what we see. By the way, in case you haven’t heard, 2022 is the year of PKI … again.
Whee, doggie! Hot off the press, NIST SP 800-161r1 (in plain language, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations). We at Black Kite have been well aware of the cybersecurity risks to the supply chain (physical and digital) for quite some time and it’s nice to know others are becoming more aware of these risks.
As digital ecosystems continue to become more complicated and expand, the impact of an Nth party on YOUR ability to deliver on your business goals becomes ever more common and more severe. The need to gain more visibility into your exposures is becoming a much more strategic risk with CxO and Board visibility. Good news: Black Kite can help!
Friday April 29, 2022
Jeffrey Wheatman: There aren’t enough cybersecurity people!!! That is what we keep hearing…but I don’t think this is the case, or at least not as bad as ‘they’ (you all know who ‘they’ are) say. The reality is, we need to expand our horizons. Look in other areas in the business, look for people that don’t look like you, and look in places where you never thought to look. See more in our latest blog about this phenomenon.
2. 24 Hours: Government Likely to Require Notice of Ransomware Payments from Banks, Other Key Businesses
Jeffrey Wheatman: The Cyber Incident Reporting for Critical Infrastructure Act of 2022: While there is still much to be ironed out in this act, the general gist is this: if you are part of the group defined as “covered entities” (we don’t know exactly who fits in here, but we do have a pretty good idea as to what industries are usually part of CI), you will need to report to CISA within 36 hours if a breach has occurred. You also must report any ransomware payments within 24 hours. This could be very interesting.
Jeffrey Wheatman: We all know patching has been a huge bugaboo for a looooooooong time. While I can’t tell you how to fix that problem, I can tell you that there is a brand-new version of NIST SP 800-40 – Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology. A key point is that the new Rev 4 is more about the process than the tool. We are big fans of standards-based approaches to all things cybersecurity. Hopefully this will fix the patching problem perfectly and soon.
Friday April 22, 2022
Bob Maley: Transport and logistics companies are not more vulnerable to attack today than in the past, but the likelihood of becoming victims is definitely on the rise. Bad actors focus on victims that can easily be compromised and have a high motivation to pay ransom to get systems working again. Due to the pressure on the global supply chain those attacks will likely increase in this sector.
A number of other sector-specific alerts have been published in recent days as well, and given the heightened tensions in the world, those days of security through obscurity (thinking that you are not worth attacking) are over.
Jeffrey Wheatman: Trust is everything and brand is inextricably connected to trust. A recent study from Check Point found that more than half of global phishing attacks in Q1 2022 were related to LinkedIn as a brand. People know LinkedIn, they trust LinkedIn, and therefore trust communication that says it’s coming from, or through, LinkedIn. And NONE of this has anything to do with LinkedIn or their cybersecurity posture. It has everything to do with the brand.
While it is nice to be trusting, it’s not wise to trust digital communication. Generally speaking, if someone is offering you something for nothing, you should think twice or thrice before clicking or acting. Ask questions, and if you have any doubts, check with your security team. Former US President Ronald Reagan famously said, “trust but verify.” Great advice to follow.
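The "trust but verify" advice above can be partly automated at the mail gateway. The following is an added example (not Black Kite's or Check Point's code) that inspects a message's From and Reply-To headers for the pattern brand-impersonation phishing relies on: a display name or lookalike domain that invokes a trusted brand while the mail actually comes from somewhere else. The protected-brand list, the lookalike character substitutions and the three sample messages are all constructed for illustration; the registrable-domain logic is a deliberate simplification (a real deployment would use a public-suffix list).

```python
"""Brand-impersonation check on mail headers (stdlib only)."""
from __future__ import annotations

import email
from email import policy
from email.utils import parseaddr

# Brands worth protecting and the domains allowed to send as them (subdomains
# included). Assumed list: extend it for your own environment.
BRAND_DOMAINS = {
    "linkedin": {"linkedin.com"},
}

# Substitutions commonly used in lookalike domains, folded back before matching.
_SUBS = (("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"), ("|", "l"))


def _normalise(domain: str) -> str:
    d = domain.lower()
    for a, b in _SUBS:
        d = d.replace(a, b)
    return d


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def _registrable(domain: str) -> str:
    # Naive: last two labels. Use a public-suffix list in production.
    return ".".join(domain.split(".")[-2:])


def _is_legit(domain: str, legit: set[str]) -> bool:
    return any(domain == d or domain.endswith("." + d) for d in legit)


def analyse(raw_message: str) -> list[str]:
    """Return header findings; an empty list means nothing suspicious was seen."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    from_domain = _domain(addr)
    findings = []
    for brand, legit in BRAND_DOMAINS.items():
        if _is_legit(from_domain, legit):
            continue  # genuinely from the brand's own domain
        if brand in name.lower().replace(" ", ""):
            findings.append(f"display name claims {brand!r} but sender domain is {from_domain}")
        if brand in _normalise(from_domain):
            findings.append(f"lookalike domain for {brand!r}: {from_domain}")
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    reply_domain = _domain(reply)
    if reply_domain and _registrable(reply_domain) != _registrable(from_domain):
        findings.append(f"Reply-To domain {reply_domain} differs from sender domain {from_domain}")
    return findings


# Constructed sample messages (not real mail).
LEGIT = (
    "From: LinkedIn <messages-noreply@linkedin.com>\n"
    "Subject: You appeared in 3 searches this week\n\nbody\n"
)
DISPLAY_NAME_SPOOF = (
    'From: "LinkedIn Security" <alerts@account-verify.net>\n'
    "Reply-To: helpdesk@verify-desk-support.com\n"
    "Subject: Unusual sign-in detected\n\nbody\n"
)
LOOKALIKE = (
    "From: Talent Team <jobs@1inkedin-careers.com>\n"
    "Subject: Job offer\n\nbody\n"
)

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("spoof", DISPLAY_NAME_SPOOF), ("lookalike", LOOKALIKE)):
        print(label, analyse(raw) or "clean")
```

The check deliberately says nothing about the brand's own security posture: it only asks whether the message's claimed identity and its actual sending domain agree, which is the question the recipient's "verify" step is meant to answer.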
Jeffrey Wheatman: Does Your Company Need a Chief ESG Officer? Yes, probably, maybe! I could stop there and move along, but numerous recent conversations have made me aware of the fact that ESG, while becoming more visible, is still not on everyone’s radar and it really needs to be.
ESG is the acronym for Environmental, Social, and Governance. ESG covers a wide range of ‘softer’ elements of running an enterprise. There is a lot of data out there that shows the growing importance of ESG, but one that jumps out at me comes from an HBR study – nine out of ten employees said that they would trade a portion of their life’s earnings for greater meaning at work. And by extension, ESG in your partner ecosystem will become more important as well. Given the choice between two partners, one of whom ‘does the right thing’ vs one that doesn’t … all other things being equal, who would you choose?
Friday April 15, 2022
Jeffrey Wheatman: Cyber Warfare is most definitely no longer theoretical. Multiple U.S. government agencies issued a joint alert this week regarding the discovery of advanced malicious attack tools that target industrial control systems. The tools appear to be state sponsored – although the official announcement did not point fingers. Researchers involved in the discovery and investigation didn’t hold back – and the tools are quite advanced and dangerous, likely capable of gaining full access to ICS systems within the energy sector.
Thankfully, the attack(s) were thwarted before any damage was done … this time. Unfortunately, this risk isn’t going away any time soon. The energy and utilities sector continues to be exposed, relying on old technology, systems that were not designed with security in mind, and a misplaced belief that security by obscurity is a viable approach to protecting critical infrastructure.
If these tools somehow get out into the public domain, which is not unlikely, and a broader range of attackers start to tweak them … well, it could be … not good.
Jeffrey Wheatman: In spite of recent high profile software supply chain ‘issues,’ a recently published survey from CyberArk indicates that we have a long way to go in securing the digital supply chain. Some lowlights:
- 64% of respondents said their organizations couldn’t stop a supply chain-related attack
- 88% of energy and utilities organizations have already been nailed with a successful software supply chain-related attack
I am not sure what more needs to happen before people start to take this risk seriously. While buyers and users of software may not be able to address the direct issue of problematic code, they can address the associated concentration risk by discovering the when, where, and how of dependencies on software. Not just internally, but also in their 3rd, 4th, and nth party landscape.
Peter Drucker famously said “Culture eats strategy for breakfast.”
Jeffrey Wheatman: You know the best way to get people to do what you want? Scream at them when they make a mistake. Oh, wait – that is a terrible way to influence behavioral change. If people get in trouble whenever they own up to mistakes, guess what happens? They will sweep it under the rug and walk away, hoping it never gets tracked back to them.
Instead, we want to create a culture where people feel empowered, and when mistakes get made, they are turned into a lesson for improvement going forward. This is true in all areas of business, but maybe more so in cybersecurity, where impacts of mistakes may take time to cascade into big problems. The quicker the security team knows you clicked that link for the free iPhone, the better shot they have at keeping the danger from snowballing out of control.
Instead of punishing people for mistakes, encourage them to be open and communicate when something has gone wrong. Long term, we are all better off.
Friday April 8, 2022
Bob Maley: “Between 35% and 40% of all supported Macs might be at heightened risk of compromise from two zero-day vulnerabilities that Apple has said are being exploited in the wild, but for which the company has not yet issued a patch.
I wish I could say that this is surprising, but I can’t. It is not just macOS, but thousands of systems that are unpatched or out of date. In our recent research article on the top 250 technology companies, 77% of those vendors have at least one high-severity vulnerability due to out-of-date systems.
This is simply a symptom of a bigger issue, and that is that software such as operating systems is complex to build (from the developer side) and complex to maintain (from the end-user side). The bottom line is that for whatever reason Apple has, they have not yet patched the older versions of the OS. In the not-too-distant past, Microsoft was viewed as the buggiest system, causing them to introduce the idea of Trustworthy Computing. The times they are a-changin’. (Bob Dylan)”
Jeffrey Wheatman: “The US State Department has announced the creation of a new bureau – Bureau of Cyberspace and Digital Policy (CDP), with a mandate to ‘address the national security challenges, economic opportunities, and implications for U.S. values associated with cyberspace, digital technologies, and digital policy.’ Comments withheld, but if they weren’t, I might ask why the powers that be are creating new functions when we have quite a few agencies, bureaus, and committees that are still struggling to protect our cyber domain.”
Jeffrey Wheatman: “Hot off the press: version 4.0 of the PCI standard has been released. The update will, as usual, take effect on a rolling schedule (the current version 3.2.1 will be retired in March 2024).
There are plenty of small tweaks, but the four major updates are:
- New and updated controls to support the changing threat landscape
- A shift to continuous process as an integral part of the security program
- Increased flexibility with regard to the ‘how’ objectives are accomplished
- Enhanced validation to support compliance and transparency
Get started, assess what the changes mean to you, and start to look at plans to transition.”
Friday April 1, 2022
Jeffrey Wheatman: “When I was a pen tester, I often called targets and ‘alluded’ to the fact that I may have been a member of law enforcement. With a little bullying, I rarely, if ever, was rebuffed.
When the question comes from law enforcement or the government, most of us answer without a thought or hesitation. The same goes for telco providers and social media platforms. While there is a normal process involving court orders and/or subpoenas in place when law enforcement requests personal information on subscribers and customers, there is a legal bypass in case of emergency. Called an Emergency Data Request (EDR), these requests bypass the need for any court-approved documents in cases involving imminent danger.
Attackers only need access to a legitimate email from a single LE email address, a little bluster, and voila – hackers get PII records and personal information.
Trust is important but it’s also dangerous – people tend to make assumptions based on the source of the request.”
Jeffrey Wheatman: “IoT (Internet of Things) is a wonderful thing – we can see who is at the front door, even if we aren’t at home, we can adjust the temperature without climbing out from under the covers, and we can (maybe one day) hop in the car, tell it where to go and go back to sleep. Fabulous, amazing and beneficial – YES! Dangerous and risky – also YES!
IoT companies focus on getting cool products out the door, often with nary a thought to safety or security. Software and firmware vulnerabilities dating back almost three years have plagued Wyze. The latest firmware issue (still not fixed on Version 1 cameras – which were still being sold as of January 2022) could allow remote access to the storage card on the device.
What’s plugged into your network at home and at work? And are you exposed? Do the bad actors know you left on vacation? And we are pretty sure you don’t have Kevin McCallister at home setting traps, or do you?”
Bob Maley: “Spring4Shell is no Log4Shell! The potential for abuse of this vulnerability is not as great as Log4Shell due to other factors needing to be present to make it exploitable; it should be patched as soon as practicable.”
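The "other factors" Bob refers to are the preconditions Spring listed for the exploit seen in the wild for Spring4Shell (CVE-2022-22965): JDK 9 or newer, Spring Framework 5.3.0 to 5.3.17 or 5.2.0 to 5.2.19 (fixed in 5.3.18 and 5.2.20; older unsupported lines also affected), Apache Tomcat as the servlet container, a traditional WAR deployment, and spring-webmvc or spring-webflux on the classpath. The added example below (not Black Kite's code, and not an exploit) turns that list into a triage order for an inventory: hosts matching every precondition are patched first, hosts on a vulnerable version that miss one or more preconditions are still patched, because Spring's advisory warned that other exploit paths may exist. The inventory records are constructed for illustration.

```python
"""Spring4Shell (CVE-2022-22965) exposure triage from an application inventory."""
from __future__ import annotations

import re
from dataclasses import dataclass


def parse_version(version: str) -> tuple[int, int, int]:
    """'5.3.17.RELEASE' -> (5, 3, 17); trailing qualifiers are ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def spring_version_vulnerable(version: str) -> bool:
    """True when the Spring Framework version carries CVE-2022-22965."""
    v = parse_version(version)
    if v >= (6, 0, 0):
        return False
    if v[:2] == (5, 3):
        return v < (5, 3, 18)
    if v[:2] == (5, 2):
        return v < (5, 2, 20)
    # 5.1 and older, including 4.x: out of support and, per the advisory, also affected.
    return True


@dataclass(frozen=True)
class Deployment:
    host: str
    spring_version: str   # Spring Framework version string, e.g. "5.3.17.RELEASE"
    jdk_major: int        # 8, 11, 17, ...
    container: str        # "tomcat", "jetty", "undertow", ...
    packaging: str        # "war" or "jar"
    spring_web: bool      # spring-webmvc or spring-webflux on the classpath


def assess(d: Deployment) -> dict:
    """Combine the version check with the in-the-wild exploit preconditions."""
    vulnerable = spring_version_vulnerable(d.spring_version)
    preconditions = {
        "jdk_9_or_newer": d.jdk_major >= 9,
        "tomcat_container": d.container.lower() == "tomcat",
        "war_packaging": d.packaging.lower() == "war",
        "spring_mvc_or_webflux": d.spring_web,
    }
    if not vulnerable:
        priority, action = 0, "no action: fixed Spring Framework version"
    elif all(preconditions.values()):
        priority, action = 2, "patch immediately: matches the in-the-wild exploit preconditions"
    else:
        priority, action = 1, ("patch as soon as practicable: vulnerable version, "
                               "known exploit path not fully present")
    return {
        "host": d.host,
        "vulnerable_version": vulnerable,
        "preconditions": preconditions,
        "priority": priority,
        "action": action,
    }


def triage(inventory: list[Deployment]) -> list[dict]:
    """Assessments ordered highest priority first (stable for ties)."""
    return sorted((assess(d) for d in inventory), key=lambda r: -r["priority"])


# Constructed inventory (not real hosts).
INVENTORY = [
    Deployment("legacy-tomcat-01", "5.3.17.RELEASE", 11, "tomcat", "war", True),
    Deployment("boot-api-02", "5.3.17", 17, "tomcat", "jar", True),   # executable jar, embedded Tomcat
    Deployment("batch-03", "5.3.18", 11, "tomcat", "war", True),      # already fixed
    Deployment("jetty-04", "5.2.19.RELEASE", 8, "jetty", "war", True),
]

if __name__ == "__main__":
    for r in triage(INVENTORY):
        print(f"{r['host']}: {r['action']}")
```

Note that the version check alone drives whether a host needs patching at all; the preconditions only decide who goes first, which is exactly the "not as great as Log4Shell, but patch it anyway" position in the comment above.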