Security Bytes - Issue 14
Jim Tiller is the Chief Information Security Officer at Nash Squared. With over two decades of information security experience, Jim is an internationally recognized cybersecurity authority on cyber risk management, security technology, industry leadership, and multiple patent-winning recognition for innovation in security solutions.
In this week’s Security Bytes we ask ourselves, are the DDoS attacks from Killnet cyberwar or are a cyber nuisance? The UK government more than suggests anti-fraud policing, especially the cyber division, is unfit. This week we have another attack gone sideways in Australia. With new cloud infrastructure vulnerabilities, are we seeing the beginning of a new reality for cyber? And finally, the CISA in the US is doing some great stuff, frankly better than it’s ever been, but not sure about the advisories.
#1 – Cyberwar-ish - A lot of organizations are coming to grips with nation-state actors and acts of war in cyberspace. Much of this is driven by changing in cyber insurance coverage. If you’re a victim related to such things, it’s very likely you’re not covered. It’s helpful to understand how much organizations lean on cyber insurance and noting that security programs can benefit greatly from well-structured teams.
#2 – Unfit - This is ultimately a story about fraud. And for those in the UK this makes for a compelling conversation given the numbers. Cyber fraud is quite real and impactful. Moreover, it can come from all directions. What are some of the cyber fraud concerns they have?
#3 Down under – The underlying note here is today’s cyber is primarily about response and recovery. This recent attack is a case study in the importance of responding and – most importantly – preparing to respond. It’s one thing to prepare for an attack, with the intend of deflection. But that’s just table stakes in today’s cyber game. You have to prepare to respond and recover. And unsurprisingly, to do this well you need 1) a strategy and 2) great people.
#4 The Norm – This isn’t a story about MS or the cloud, but rather a story about risks. Operating in the cloud completely changes the calculous of security requiring an expanded view of threats and vulnerabilities within the context of trust, authority, and accountability. As companies rely more and more on a diversified portfolio of technical capabilities, the ability to understand, categorize, and plan for risk is simply more difficult and different.
#5 Returns – Admittedly a rant, but the conversation can be around where are they getting their threat intelligence and how are they putting it to use. While most organizations have this locked up, many small and medium sized businesses don’t. With the introduction of talented resources, especially those with threat intelligence, vulnerability management, and even threat hunting skills, can dramatically improve an organization’s security posture. Certainly food for thought.
Ok, on to the news. Enjoy!
Cyberwar-ish
Understandably there is a great deal of cyber-related tension relative to the war in Ukraine. There have been a number of cyberattacks that have been well documented, but admittedly I believe we all expected it to be much worse. (NOTE: Please note that I’m not saying they weren’t bad, and the war is far from over, I’m just saying Russia has a history of wielding serious cyber capabilities.) Nevertheless, the threat of a devastating attack has reached feverish levels and the bad guys are taking advantage. This week, pro-Russian hacker group, Killnet launched a DDoS attack against Bulgaria government temporarily impacting the websites of the presidential administration, the Defense Ministry, the Interior Ministry, the Justice Ministry, and the Constitutional Court. Killnet claimed responsibility pointing out it was a punishment “for betrayal to Russia and the supply of weapons to Ukraine.” This isn’t new. Last week Killnet got press for attacking US government sites. Before that they attacked airport websites across 24 states, which was after targeting state governments of Colorado, Connecticut, Kentucky and Mississippi – giving initial concerns of election tapering. They also tried to take out Eurovision song contest because it excluded Russia but were thwarted.
Is this cyberwar? No, it’s more like cyber-based insurgency based on skirmishes used at best to unsettle the political landscape or at worst to provide cover. Regardless, it’s a very smart move to get attention and get the press working for you. DDoS attacks can be devastating, but they’re becoming less so thanks to various technical capabilities. It’s headline grabbing and plays into fears, which some are well-founded.
Article about Bulgarian attack - https://therecord.media/cyberattack-disrupts-bulgarian-government-websites-over-betrayal-to-russia/
Unfit for Purpose
A scathing report on the failure of law enforcement to address fraud was published Tuesday by the UK’s House of Commons Justice Committee, noting “a wholesale change in philosophy and practice,” is needed. Quoting from the article (because I can’t write it any better:) ‘Despite a commitment to make the U.K. “the safest place in the world to live and work online” the government has presided over a 25% annual increase in reported fraud cases, more than half of which are driven by cybercrime.’ The report targeted on Action Fraud, a national center for reporting cybercrime that it says is unfit for purpose proposing a new system, and further pointed out that only 2% of police funding was directed at fraud despite it representing 40% of the crime. We can learn a few things here. First, good intentions not implemented meaningfully not only don’t help, but can actually hurt. Second, failing fast is one of the most important things you can do in cybersecurity, and a skill that’s rarely employed. In this case, while the UK government has identified the problem, the real test is are they going to pivot and implement change.
Article - https://therecord.media/uk-anti-fraud-efforts-have-failed-and-need-wholesale-change-lawmakers-say/
House of Commons report - https://committees.parliament.uk/publications/30328/documents/175363/default/
Down in Down Under
Earlier this month we learned that /Australian telco Optus was hacked resulting in the exposure of a most recently reported 1.2 million customer’s data. Of course the number is a moving target ranging from 10 million to a 1000. The company says 7.7 million people’s data wasn’t current or valid – a bold statement. And now they’ve boiled it down to 10,200 customers that had private data stolen. There’s a lot of “whodoneit” when it comes to how sophisticated the attack was, but by all indications it’s a total mess. There are many lessons to be learned here concerning how people are notified of breaches and what the breach actually did.
Which brings us to round two – Medibank, one of the largest privately health insurance providers in Australia servicing nearly 4 million members got hacked last week. On Oct 13th the company issued a press release noting unusual activity that resulted in some down time. Ok, may be a bit quick on the trigger, but I get it. This week, they issued an additional press release on the 17th pointing out that it was a cyber attack and – this is where things get sticky – reassuring that there was no evidence data was taken. They also state that it wasn’t a state-based actor (interesting) and that data wasn’t encrypted, so it wasn’t ransomware. Hmmm. The ink was still wet on the 17th press release as hackers claimed to have 200 GB of data, which they then confirmed Tuesday the 18th by offering hundreds of examples of policies and even medical procedures, validated by Medibank. Armed with that sample, the company believes it came from a specific database that houses 1 million of the 3.9 million customer’s data – hmmm. At this point, predictably, politicians jump in and cyber-security minister, Clare O’Neil, has warned of a new world “under relentless cyber-attack”… hmmm. And at that point trading of Medibank was halted on the Australian stock exchange, unsurprisingly followed quickly by negotiations with the cyber thugs. This isn’t over.
Medibank’s site on updates - https://www.medibank.com.au/livebetter/newsroom/post/medibank-cyber-incident-update-19-October
Good summary article - https://www.theregister.com/2022/10/20/medibank_data_breach_worsens/
Article about O’Neal’s warning - https://www.theguardian.com/technology/2022/oct/19/health-insurer-medibank-enters-trading-halt-after-purported-cyber-attack
Press release #1 – https://yourir.info/resources/229150fa807ea4f2/announcements/mpl.asx/3A604459/MPL_Medibank_cyber_incident.pdf
Press release #2 - https://yourir.info/resources/229150fa807ea4f2/announcements/mpl.asx/3A604675/MPL_Medibank_cyber_incident_and_trading_update.pdf
New Norm
I vividly recall giving a keynote at an event in New York back in the very early 2000’s talking about the cloud… was it “more of the same”, “evolutionary”, or was it “revolutionary”? It made for an interesting discussion. The point of the presentation was that everything has at least two sides – positive and negative - and this is unsurprisingly true for security. Security programs can gain a lot from the cloud, but there are new risks and challenges as well. In recent months we’ve seen a number of cloud scenarios that speak to exposure on a grand scale. Of course, if all of everyone’s eggs are in the same basket the level of trust – implied or assumed – is significant. This week a researcher from Orca Security performed a proof-of-concept concerning a vulnerability in Microsoft’s Azure Service Fabric Explorer that can be fooled into providing admin level access to a platform used for building, deploying, and managing distributed microservices-based cloud applications. The cloud clearly represents a paradigm shift for IT and business, but it has completely changed how cyber risks need to be interpreted – and I think we’re still far from figuring that problem out.
Article - https://www.theregister.com/2022/10/19/azure_service_fabric_vulnerability/
Orca POC - https://orca.security/resources/blog/fabrixss-vulnerability-azure-fabric-explorer/
The vulnerability - https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-35829
CVE detail - https://nvd.nist.gov/vuln/detail/CVE-2022-35829
Diminishing Returns?
I have high regard for the US government's Cybersecurity and Infrastructure Security Agency (CISA), who have been making phenomenal strides in establishing a new levels of cybersecurity activities and collaboration – especially with the UK. In fact, the CISA recently published their strategic plan for 2023-2025, the first since 2018, which left a bit to be desired. It’s comprehensive and a great start on what needs to be done. So, what’s the issue? There is one aspect where I see things getting lost and that’s in the CISA’s advisories. There have been a lot lately (no surprise) and essentially reflect information that’s already out there, such as CVE’s from the National Vulnerability Database (NVD) managed by NIST. It leaves me with… what’s the point? These advisories are piling up and don’t really add new information. In fact, in the most recent advisory the links to the CVS on NIST’s site are a dead end. We don’t need another source of the same vulnerability information as an industry – put that time, money and energy into NVD and CVE.
Article about the advisory - https://www.theregister.com/2022/10/20/cisa_flaws_advantech_hitachi/
This week’s advisory - https://www.cisa.gov/uscert/ics/advisories/icsa-22-291-01
CISA Strategy (a must read) - https://www.cisa.gov/sites/default/files/publications/StrategicPlan_20220912-V2_508c.pdf
CVE - https://cve.mitre.org/
NVD - https://nvd.nist.gov/
