Jim Tiller is the Chief Information Security Officer at Nash Squared. With over two decades of information security experience, Jim is an internationally recognized cybersecurity authority on cyber risk management, security technology, and industry leadership, and holds multiple patents for innovation in security solutions.
First, I just want to remind everyone that the Women in Cybersecurity Capture the Flag event starts Tuesday next week! We’re getting good traction on registrations and very excited about what this means for diversity in the industry. Be sure to help us continue to promote the event - https://www.nashsquared.com/event/capture-the-flag and thank you to all those that have helped us get the message out!
I was out last Friday, so I missed getting a newsletter out… but here’s a quick summary of recent headlines: US DOJ seizes billions in stolen crypto (that’s a topic for an op-ed!); Japan joins NATO’s cyber cooperation center; hackers apparently DoS’ed Mississippi on voting day; US Treasury locks down crypto tumbler Tornado Cash due to links with North Korea and $455m stolen in March alone; Aussie breached insurer points to Russia and says it won’t pay ransom to protect customer data; French cyber group called Opera1er steals $30m over 4 years from telecom companies across Africa, Asia, and Latin America; SolarWinds reached $26m settlement with shareholders (seems light to me); and finally… an international summit of 36 nations met and finally agreed that crypto needs more control to combat ransomware… um, yep :)
Ok, for this week we have four interesting stories. Here’s how they could relate to your customers and conversations.
Have a great weekend!
The UK’s National Cyber Security Centre (NCSC) recently published an announcement that they are now performing ongoing vulnerability scans of all Internet-accessible systems across the entire country. I find this quite interesting from multiple directions. There’s definitely an Orwellian vibe… knowing the government is constantly scanning your systems for flaws, in the hope that the information is used to your benefit as opposed to against you. Of course, there’s the obvious inverse: the data collected will provide a nation-wide perspective on the overall degree of exposure, from which the NCSC can prioritize what it shares and help improve the country’s posture, thereby helping to improve your posture. The fact is simply this – you’re being scanned constantly by baddies anyway, and they’re not going to let you know you have a hole – e.g., Shodan. Nevertheless, like some of the laws forming in the US and other countries concerning government demands for reporting incidents, it does start to challenge the concept of privacy at the organizational level. Frankly, privacy is a battle arguably being lost at the individual level too. No matter; as an organization you can embrace it by not filtering the two specific IP addresses used by the NCSC, or contact them to opt out.
NCSC Scanning information - https://www.ncsc.gov.uk/information/ncsc-scanning-information
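To make the "you're being scanned anyway" point concrete, here is an added example (not code from the newsletter or from the NCSC) that separates inbound scan traffic from a known, benign scanner source from everything else. The firewall log format, the target addresses and the scanner source addresses (192.0.2.10 and 192.0.2.11) are constructed placeholders; the real NCSC source addresses are listed on the scanning-information page above and would need to be substituted before this is useful on real logs.

```python
import ipaddress
import re

# Placeholder ranges for a known, benign scanner (hypothetical values;
# replace with the addresses published by the NCSC before use).
KNOWN_SCANNER_SOURCES = {
    "ncsc-placeholder": [
        ipaddress.ip_network("192.0.2.10/32"),
        ipaddress.ip_network("192.0.2.11/32"),
    ],
}

# Constructed sample firewall log lines in a hypothetical syslog-like format.
SAMPLE_LOG = """\
2022-11-08T10:00:01Z fw01 ACCEPT src=192.0.2.10 dst=203.0.113.5 dport=443 proto=tcp
2022-11-08T10:00:02Z fw01 ACCEPT src=192.0.2.10 dst=203.0.113.5 dport=22 proto=tcp
2022-11-08T10:00:05Z fw01 ACCEPT src=198.51.100.77 dst=203.0.113.5 dport=3389 proto=tcp
2022-11-08T10:00:06Z fw01 ACCEPT src=198.51.100.77 dst=203.0.113.5 dport=445 proto=tcp
2022-11-08T10:00:07Z fw01 DROP src=198.51.100.77 dst=203.0.113.5 dport=23 proto=tcp
2022-11-08T10:00:09Z fw01 ACCEPT src=192.0.2.11 dst=203.0.113.6 dport=8080 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ACCEPT|DROP) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\S+)$"
)


def classify_source(src):
    """Label a source address by the known-scanner list, else 'unknown'."""
    addr = ipaddress.ip_address(src)
    for label, nets in KNOWN_SCANNER_SOURCES.items():
        if any(addr in net for net in nets):
            return label
    return "unknown"


def summarise(log_text):
    """Per source address: label plus the ports that were accepted or dropped."""
    summary = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        src = m["src"]
        entry = summary.setdefault(
            src, {"label": classify_source(src), "accepted": set(), "dropped": set()}
        )
        bucket = "accepted" if m["action"] == "ACCEPT" else "dropped"
        entry[bucket].add(int(m["dport"]))
    return summary


def known_scanner_reach(summary):
    """Ports a known scanner actually reached: roughly what it could report back."""
    ports = set()
    for entry in summary.values():
        if entry["label"] != "unknown":
            ports |= entry["accepted"]
    return sorted(ports)


def unknown_scanner_hits(summary):
    """Accepted connections from sources that are not on the known list."""
    return {
        src: sorted(entry["accepted"])
        for src, entry in summary.items()
        if entry["label"] == "unknown" and entry["accepted"]
    }


if __name__ == "__main__":
    s = summarise(SAMPLE_LOG)
    print("Known scanner reached ports:", known_scanner_reach(s))
    print("Unknown scanners reached:", unknown_scanner_hits(s))
```

The useful output is the second set: anything an unlisted source reached is exposure you already have, whether or not a national scanner ever tells you about it. The first set is the list you would expect to see echoed back in a notification, which makes it a quick sanity check that you have not filtered the scanner and then assumed silence means a clean bill of health.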
I’ve shared a number of times the broad access to highly sophisticated military-grade tools, which has gained a lot of attention this year with NSO Group’s Pegasus spyware being used against journalists, government officials, and others for political or operational gain. This week a 159-page draft report from a committee of the European Parliament, originally tasked with investigating the reach of Pegasus, was published highlighting abuses of spyware within the EU community itself. European Union governments have used “spyware on their citizens for political purposes and to cover up corruption and criminal activity,” according to the report. This year we’ve seen major investigations related to spyware, with Pegasus at the center, in the US Congress, the UK Parliament and the EU Parliament, to name a few. Expect this to result in new laws and regulations, but it’s unclear whether that will quell the industrialization and commoditization of cyberweapons in the open market.
EU Committee report - https://www.sophieintveld.eu/download/getFile/5047
EU Committee report author - https://www.sophieintveld.eu/nl/sophie-in-t-veld (it’s the PEGA DRAFT REPORT)
Last Saturday the Danish train system came to a halt for several hours, reportedly due to a cyber-attack. However, this story has some interesting lessons. It appears the hackers accessed a testing environment of a third-party provider, Supeo, a railway technology vendor, and in response to that incident Supeo shut down key servers, directly impeding train operators at DSB. Unsurprisingly, this has been reported as an example of sophisticated infrastructure hackers and likened to what we’re seeing in the Ukrainian war. In my opinion, that’s a touch overblown, at least from what has come to light about the attack. This may be as simple as Supeo getting ransomware and attempting to stop the spread across their environment and that of their clients. Let’s just say I’m not convinced at this point it was a nation state attacker targeting operational technology (OT) to cause disruption. But I could be wrong.
Initial report - https://www.reuters.com/technology/danish-train-standstill-saturday-caused-by-cyber-attack-2022-11-03/
Article - https://www.securityweek.com/cyberattack-causes-trains-stop-denmark
According to Microsoft’s comprehensive 114-page Digital Defense Report 2022, published last Friday, they process more than 43 trillion signals per day, giving them one of the widest perspectives on the state of cybersecurity. The report covers a lot of ground, but the element that seems to have most people talking is its interpretation of nation state actors, highlighting concerns that China is hoarding zero-day exploits. It’s a very good report and it’s great to see MS taking advantage of their unique position to drive cybersecurity – this is a very good thing and kudos to MS! Interestingly, singling out China for withholding vulnerabilities to develop exploits is a bit “funny” given well documented examples of the same activities in many other governments. Point being… everyone is withholding vulnerability information, and the worse the vulnerability the more likely it is you’re not going to know about it. This is not an indictment of MS’s report, but rather an observation that attention seems to be most focused on that element, despite the report having a lot of other great information.
MS report site - https://www.microsoft.com/en-us/security/business/microsoft-digital-defense-report-2022
MS article - https://blogs.microsoft.com/on-the-issues/2022/11/04/microsoft-digital-defense-report-2022-ukraine/
Article - https://therecord.media/microsoft-accuses-china-of-abusing-vulnerability-disclosure-requirements/