Security Bytes - Issue 18
Jim Tiller is the Chief Information Security Officer at Nash Squared. With over two decades of information security experience, Jim is an internationally recognized cybersecurity authority on cyber risk management, security technology, industry leadership, and multiple patent-winning recognition for innovation in security solutions.
Honestly, it’s been overwhelming. We have TikTok getting banned and now fined $5m by France, Twitter leaks 200 million user’s data, PayPal leaks 35k personal details, Aflac and Zurich insurance leaks million of personal records for people in Japan, British semiconductor maker – top 350 most valuable businesses listed – suffered massive attack, Nissan notifies thousands of customer due to data leak, JP Morgan getting sued by Ray Ban for having $272m stolen from their online account, Ireland fines Meta $414m for using personal data without asking while Apple is being sued for tracking people despite them opting out, and believe it or not, Costa Rica’s government agencies get slammed again by ransomware – and this is just from the first few weeks of January!
Ok, now that we have that out of the way, let’s touch on some specific news items and what you can take from it.
Basket of Eggs
Highlighted this week was a 48% year over year increase in cyber attacks against the cloud where researchers suggest that 98% of global organizations use the cloud. This in and of itself isn’t unexpected. If you move to the cloud, well that’s where your ‘stuff’ is and hackers want your stuff. But, one has to ask what are the controls available to you in the cloud, are they being managed effectively by you and your providers, and are you getting visibility into attacks and even vulnerabilities. Add to this that cyber insurance providers are starting to more than float the idea that they will not cover ‘systemic events’, which a multi-company-impacting cloud event classifies as an uncovered event, potentially leaving you with millions in expenses. Interestingly, I suspect this is why Beazley launches the first ever cyber bond to cover claims over – get this - $300M. Very interesting times. I wonder how long this (unstoppable hacks, companies being impacted by the cauldron of hackers, government, law enforcement, compliance, insurance, markets, etc.) can last, frankly.
Links:
Cloud hacker report - https://www.theregister.com/2023/01/20/cloud_networks_under_attack/
Beazley press release - https://www.beazley.com/en-us/news/beazley-launches-markets-first-cyber-catastrophe-bond?utm_content=233948841&utm_medium=social&utm_source=linkedin&hss_channel=lcp-15991
Beazley article - https://therecord.media/in-an-industry-first-insurance-firm-announces-cyber-bond-to-cover-claims-over-300-million/
Pound Sand
According to a report released this week by blockchain research firm Chainalysis there’s been a measurable drop in the amount of ransom being paid by victims. But, if anything, ransomware attacks have increased – so what gives? Well, I think it’s a combination of things, and as with everything in life, there’s more to it than meets the eye. First, people are saying no to paying! But let us not forget that a huge portion of ransomware attacks are drive-by’s and will grab data from organizations that don’t care what they got or have done the risk assessment and accepted it. Second, backups are getting better, and people have finally picked up on what IT people have known for like… 50 years, back up your stuff. Why pay when you have a copy. Not always possible, but a reality for some. Third, and this is the most important. There are thousands of crypto platforms out there and not all these are being analyzed. The bigger part here is what will the option for payment even be in the future? Governments are exploring making it illegal to pay ransom. Think about that for a moment and while adherent to have to pay, some companies are left with no other option. With a change in the laws, it could make law biding executives felons overnight.
Links:
Chainalysis report - https://blog.chainalysis.com/reports/crypto-ransomware-revenue-down-as-victims-refuse-to-pay/
Article - https://www.theregister.com/2023/01/19/ransomware_payments_down/
Law takes down Russian exchange used to launder $15m - https://therecord.media/law-enforcement-takes-down-crypto-exchange-allegedly-used-to-launder-15-million-in-ransomware-payments/
Early OFAC ransomware advisory (setting the tone) - https://home.treasury.gov/system/files/126/ofac_ransomware_advisory.pdf
Legalities of paying - https://www.cybereason.com/blog/what-are-the-legal-implications-from-a-ransomware-attack#:~:text=It%20is%20currently%20not%20illegal,should%20be%20paid%20for%20not.
Hard Hardware Security
It’s one thing to have your software experience end-of-life and as a result receive no more support and especially no more security updates. In short, when your OS or app hits EOL, you’re an instant target. But software has an intangible characteristic, unlike, for example, a router. You buy a box that performs a function, admittedly because it’s running software, but there is a physical component. Let’s for the moment assume that the device is performing adequately and although old, it’s meting expectations. Ok, so wat do you do when the manufacturer says no more. This week Cisco warns of two vulnerabilities in a router that they stopped selling in 2020 and says they won’t offer updates or workarounds but do offer some support until 2025. I’m not going to pick on Cisco here. That’s a whole can of worms. But I’d have you think about the concept of permanence and vendor responsibilities. For example, the auto industry is highly regulated concerning support – specifically for safety – of their products for years. Ever had a recall? How will this manifest in technology and with regards to cybersecurity? In this case, some are recommending replacing the hardware. Imagine if you just bought it in late 2020? The odds of you being prepared to make that investment again within a 5-year horizon is virtually nil. So, some will remain potentially insecure.
Links:
Article - https://therecord.media/cisco-warns-of-two-vulnerabilities-affecting-end-of-life-routers/
EOL For the routers - https://www.cisco.com/c/en/us/products/collateral/routers/small-business-rv-series-routers/eos-eol-notice-c51-743070.html
FAA Jump Seat
As you know, the FAA’s Notice to Air Missions (NOTAM) safety alerting system went down last Wednesday causing all kinds of havoc and delays. The FAA referred to it as cyber related, but didn’t specify. Of course, the world assumed a hacker got control and the FAA’s announcement was the start of a cover up. This week US politicians called for investigations while the White House and Transportation Secretary were quick to tamp down concerns that the issues were caused by a cyberattack, creating a great deal of agitation resulting in a slew of tweets by, well, everyone. The most recent news of this saga came yesterday with an announcement from the FAA that it determined a contractor unintentionally deleted files while working to correct synchronization between the live primary database and a backup database. My take-away here is that systems have grown extraordinarily complex, and they’re all interconnected in some way. Moreover, the constant news of hacks and attacks naturally leads to assuming when a computer hiccups it’s a cyber-attack. In this case, however, it appears that human error was the culprit. Which, ironically, is why most cyber-attacks are successful :)
Links:
Last weeks news - https://www.cnn.com/travel/article/faa-computer-outage-flights-grounded/index.html
Call for investigation - https://therecord.media/congressman-calls-on-cisa-to-investigate-air-travel-vulnerabilities-after-outage/
FAA (former) Contractor - https://www.faa.gov/newsroom/faa-notam-statement
