
Security Bytes - Issue 16

Jim Tiller is the Chief Information Security Officer at Nash Squared. With over two decades of information security experience, Jim is an internationally recognized cybersecurity authority on cyber risk management, security technology, industry leadership, and multiple patent-winning recognition for innovation in security solutions.

First, I just want to remind everyone that the Women in Cybersecurity Capture the Flag event starts Tuesday next week! We’re getting good traction on registrations and very excited about what this means for diversity in the industry. Be sure to help us continue to promote the event - https://www.nashsquared.com/event/capture-the-flag and thank you to all those that have helped us get the message out!

I was out last Friday, so I missed getting a newsletter out… but here’s a quick summary of recent headlines: US DOJ seizes billions in stolen crypto (that’s a topic for an op-ed!); Japan joins NATO’s cyber cooperation center; hackers apparently DoS’ed Mississippi on voting day; US Treasury locks down crypto tumbler Tornado Cash due to links with North Korea and $455m stolen in March alone; breached Aussie insurer points to Russia and says it won’t pay ransom to protect customer data; French-speaking cyber group called Opera1er steals $30m over 4 years from telecom companies across Africa, Asia, and Latin America; SolarWinds reached $26m settlement with shareholders (seems light to me); and finally… an international summit of 36 nations met and finally agreed that crypto needs more control to combat ransomware… um, yep :)

Ok, for this week we have four interesting stories. Here’s how they could relate to your customers and conversations.

  • UK Scanners – In short, this is not a bad thing and companies shouldn’t overthink it. At the very least, it’s a free vulnerability scan! The keys are 1) knowing it’s happening and 2) keeping an eye out for notifications from the NCSC. From a resource perspective… do organizations have the right skills on staff to interpret the findings and mobilize meaningful remediation? Threat and Vulnerability management skills are in demand and increasing.
  • Absolute power – Military-grade tools are now the norm and are being used in an ever-expanding spectrum of politically driven situations. If you thought you were being watched by Google, there’s a new kid in town. What does this mean? What was once a limited threat capability, used only in highly sophisticated and highly targeted attack scenarios, is now accessible to basically anyone.
  • Train stationary – The message here is there are times when things can be overblown from a cyber-attack perspective. Cyber attacks make big news these days. In this scenario it was likely poor incident response (IR) practices by a company that unwittingly impacted a client. This is not uncommon. The conversation with customers is it’s always important to look past the potential hype to find the kernel of insight. In short, make certain your IR plan is tested. If you’re a provider, don’t forget about your client’s reliance on your systems.
  • MS’s report – First, everyone should at least scan the report. It’s really a lot to try to digest, but great to look through and pick items that catch your attention. The good news is if you want to know more about it… well, it’s right there in the report. My secondary point about China and the concept of withholding vulnerabilities… this is not unique or a new practice – not by a long shot. The message here is there’s always a vulnerability… and this is why Threat Hunting skills are increasing in demand. So, keep an eye out for candidates moving in that direction because they’re going to become more and more in demand.

Have a great weekend!


UK Scanners

The UK’s National Cyber Security Centre (NCSC) recently published an announcement that they are now performing ongoing vulnerability scans of all Internet-accessible systems across the entire country. I find this quite interesting from multiple directions. There’s definitely an Orwellian vibe… knowing the government is constantly scanning your systems for flaws, in the hope that the information is used to your benefit as opposed to against you. Of course, there’s the obvious upside that the data collected will provide a nation-wide perspective on the overall degree of exposure, from which the NCSC can prioritize information and help improve the country’s posture, thereby helping to improve your posture. The fact is simply this – you’re being scanned constantly by baddies anyway, and they’re not going to let you know you have a hole – e.g., Shodan. Nevertheless, like some of the laws forming in the US and other countries concerning government demands for incident reporting, it does start to challenge the concept of privacy at the organizational level. Frankly, privacy is a battle arguably being lost at the individual level too. No matter; as an organization you can embrace it by not filtering the two specific IP addresses used by the NCSC, or contact them to opt out.

NCSC Scanning information - https://www.ncsc.gov.uk/information/ncsc-scanning-information

Article - https://www.bleepingcomputer.com/news/security/british-govt-is-scanning-all-internet-devices-hosted-in-uk/
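Since the first key above is simply knowing the scans are happening, here is an added example (not from the newsletter or the NCSC) of a small Python script that walks web server access log lines and separates requests from the published NCSC scanner addresses from everything else, so a team can confirm the scans are reaching them and see what was probed. The two addresses in the script are TEST-NET placeholders, not the real NCSC addresses; the real ones come from the NCSC scanning information page linked above. The log lines are constructed for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# PLACEHOLDERS (TEST-NET-2 range), not the NCSC's real scanner addresses.
# Replace with the two addresses published on the NCSC scanning information page.
NCSC_SCANNER_IPS = frozenset({"198.51.100.10", "198.51.100.11"})

# Apache/nginx Common Log Format: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample log lines for the example (addresses are documentation ranges).
SAMPLE_LOG = """\
198.51.100.10 - - [10/Nov/2022:09:00:01 +0000] "GET / HTTP/1.1" 200 512
198.51.100.10 - - [10/Nov/2022:09:00:02 +0000] "GET /login HTTP/1.1" 200 2048
198.51.100.11 - - [10/Nov/2022:09:00:03 +0000] "GET /robots.txt HTTP/1.1" 200 44
203.0.113.7 - - [10/Nov/2022:09:01:10 +0000] "GET /api/health HTTP/1.1" 404 0
203.0.113.7 - - [10/Nov/2022:09:01:11 +0000] "POST /login HTTP/1.1" 404 0
this line is deliberately malformed and must be skipped
""".splitlines()


@dataclass
class SourceSummary:
    """Per-source-IP rollup of what was requested and how the server answered."""
    requests: int = 0
    paths: set = field(default_factory=set)
    statuses: dict = field(default_factory=lambda: defaultdict(int))


def parse_line(line):
    """Return a dict of fields for a well-formed CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def summarize_scans(lines, scanner_ips=NCSC_SCANNER_IPS):
    """Split requests into known NCSC scanner traffic and everything else.

    Returns (ncsc, others), each a dict of source IP -> SourceSummary.
    Unparseable lines are skipped rather than aborting the run.
    """
    ncsc, others = {}, {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        bucket = ncsc if rec["ip"] in scanner_ips else others
        summary = bucket.setdefault(rec["ip"], SourceSummary())
        summary.requests += 1
        summary.paths.add(rec["path"])
        summary.statuses[rec["status"]] += 1
    return ncsc, others


def report(ncsc, others):
    """Human-readable summary; returned as a string so callers can log or print it."""
    out = []
    for ip, s in sorted(ncsc.items()):
        out.append(f"NCSC scanner {ip}: {s.requests} requests, "
                   f"{len(s.paths)} distinct paths, statuses={dict(s.statuses)}")
    for ip, s in sorted(others.items()):
        out.append(f"Other source {ip}: {s.requests} requests, "
                   f"{len(s.paths)} distinct paths, statuses={dict(s.statuses)}")
    return "\n".join(out)


if __name__ == "__main__":
    ncsc, others = summarize_scans(SAMPLE_LOG)
    print(report(ncsc, others))
```

In practice the "others" bucket is the more interesting one: it is the unnamed scanning the newsletter says is happening anyway, and the same rollup gives the threat and vulnerability team a starting point for deciding which of those sources deserve a closer look.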


Absolute Power Corrupts Absolutely

I’ve shared a number of times the broad access to highly sophisticated military-grade tools, which has gained a lot of attention this year with NSO Group’s Pegasus spyware being used against journalists, government officials, and others for political or operational gains. This week a 159-page draft report from an EU committee of the European Parliament, originally tasked with investigating the reach of Pegasus, was published highlighting abuses of spyware within the EU community itself. European Union governments have used “spyware on their citizens for political purposes and to cover up corruption and criminal activity,” according to the report. This year we’ve seen major investigations related to spyware, with Pegasus at the center, in US Congress, UK Parliament and in EU Parliament to name a few. Expect this to result in new laws and regulations, but unsure if it will quell the industrialization and commoditization of cyberweapons in the open market.

EU Committee report - https://www.sophieintveld.eu/download/getFile/5047

EU Committee report author - https://www.sophieintveld.eu/nl/sophie-in-t-veld (it’s the PEGA DRAFT REPORT)

Article - https://therecord.media/eu-governments-accused-of-using-spyware-to-cover-up-corruption-and-criminal-activity/


Train Stationary

Last Saturday the Danish train system came to a halt for several hours, reportedly due to a cyber-attack. However, this story has some interesting lessons. It appears the hackers accessed a testing environment of a third-party provider, Supeo, a railway technology vendor, and in response to that incident Supeo shut down key servers, directly impeding train operators at DSB. Unsurprisingly, this has been reported as an example of sophisticated infrastructure hackers and likened to what we’re seeing in the Ukrainian war. In my opinion, that’s a touch overblown, at least from what has come to light about the attack. This may be as simple as Supeo getting ransomware and attempting to stop the spread across their environment and that of their clients. Let’s just say I’m not convinced at this point it was a nation-state attacker targeting operational technology (OT) to cause disruption. But I could be wrong.

Initial report - https://www.reuters.com/technology/danish-train-standstill-saturday-caused-by-cyber-attack-2022-11-03/

Article - https://www.securityweek.com/cyberattack-causes-trains-stop-denmark


Microsoft's 43 Trillion

According to Microsoft’s comprehensive 114-page Digital Defense Report 2022, published last Friday, they process more than 43 trillion signals per day, giving them one of the widest perspectives on the state of cybersecurity. The report covers a lot of ground, but the element that seems to have most people talking is its interpretation of nation-state actors, highlighting concerns that China is hoarding zero-day exploits. It’s a very good report and it’s great to see MS taking advantage of their unique position to drive cybersecurity – this is a very good thing and kudos to MS! Interestingly, highlighting China for withholding vulnerabilities to develop exploits is a bit “funny” given well-documented examples of the same activities in many other governments. Point being… everyone is withholding vulnerability information, and the worse the vulnerability, the more likely it is you’re not going to know about it. This is not an indictment of MS’s report, but rather an observation that attention seems to be most focused on that element, despite the report having a lot of other great information.

MS report site - https://www.microsoft.com/en-us/security/business/microsoft-digital-defense-report-2022

MS article - https://blogs.microsoft.com/on-the-issues/2022/11/04/microsoft-digital-defense-report-2022-ukraine/

Article - https://therecord.media/microsoft-accuses-china-of-abusing-vulnerability-disclosure-requirements/