Security Bytes - Issue 3
Jim Tiller is the Chief Information Security Officer at Nash Squared. With over two decades of information security experience, Jim is an internationally recognized cybersecurity authority on cyber risk management, security technology, industry leadership, and multiple patent-winning recognition for innovation in security solutions.
As with last week’s Security Bytes, we’re going to look at three news items and dig a little deeper. First, we look at Marriott’s data breach and wonder for a moment is something more worrisome happening here and can we do a better job educating people on cybersecurity. Next week look at Apple and Microsoft, both making interesting announcements this week that show indications of how we may be approaching security. Lastly, and the most telling (IMHO), is the directors for the MI5 and FBI give a joint address at Thames House this week concerning China and, indirectly, their 14th five year plan.
It's a bit long this week, but I hope you find it interesting.
Mountain or Mole Hill
Unless you’ve been under a rock, or staying at a Marriott, you’ve most certainly have heard about the data breach – the third Marriott has suffered in the last 4 years. The previous attack was in 2020 when 5.2 million loyalty program member’s PII was stollen. Conversely, despite the rash of media attention, only 300 to 400 individuals appear to be affected this time around. However, the attackers appear to be very specific, targeting BWI airport in Baltimore obtaining flight crew information, among other things. And for those who might not know, Baltimore is, well, let’s just call it a hub of US agencies, including but not limited to sensitive operations that sees their fair share of people flying in and out of BWI. The information must be interesting because the attackers are apparently extorting the company. Whenever I see things like this my tinfoil propeller hat starts to spin.
On a more practical level, yet still tinfoil-hat-worthy, the attack was a straight up, old school social engineering attack where a single employee was tricked into turning over access credentials. A well-crafted social engineering attack is extraordinarily difficult to counter. Humans are typically trusting and genuinely want to help others. Sadly, this is exploitable and makes for a target rich environment.
In cybersecurity we tend to focus on security training and annual required courses and the like. But we’re missing on a couple points. First, security awareness training is boring, with a capital “B”. Secondly, we try to cover too many topics and overwhelm people, making for nearly zero levels of retention. Next, we don’t make it personal or practical for them as individuals. We should aways be thinking about the person and not just as an employee. Lastly, we tend to put an unnecessarily heavy responsibility on the individual, as opposed to establishing practices everyone can follow so they’re not the “bad guy” when someone is attempting to exploit their kindness.
Taking a pragmatic view of cybersecurity and embracing the true value team members represent to the company’s security posture is a key feature of the vCISO practice. Our vCISO services are about providing cybersecurity strategy, vision, roadmaps, and helping organizations maximize investments to enable the business… and helping to empower their employees as contributors to the effectiveness of their security posture is, frankly, critical. We can help companies do exactly that. Not only are we security experts, but no one knows talent like Harvey Nash!
Lock it Down
This week we saw two interesting security related announcements from two of the biggest players in the technology space: Apple and Microsoft. Apple announced they were releasing a preview of a capability they’re calling “Lockdown Mode” that is designed to protect the user from highly targeted threats, especially “state-sponsored mercenary spyware.” First, no surprise. Apple sued NSO group late last year, which included a $10 million contribution to cybersurveillance research. Second, I think this is an interesting development, but I honestly think it can go much farther – and frankly needs to. Mobile devices are, in a word, dangerous. As users we should have a set of lockdown modes that make it easy(ier) to control the device.
Microsoft appears to be rolling back a capability in Office that blocks VBA Macros by default. The messaging from MS appeared to suggest that the roll-back was based on feedback. The cybersecurity community generally welcomed the change to block-by-default macros because they are a popular method in spreading malware using phishing attacks with attachments.
The change appears to be seeking to find a balance between usability and exposure to Internet threats. The notification from Microsoft specifically highlights the blocking of macros in files from the Internet. With more and more security controls and capabilities consolidating into the Cloud, the differentiation between the internet and the cloud, especially at the scale of Microsoft is thought provoking. On the surface this change seems like two steps backwards, but within the context of O365 and Azure environments, there’s a tangible differentiation they’re looking to obtain. It more than implies that macros are essential to the business and should be permitted within the extended trusted environment, as opposed to files coming in from the Internet. I didn’t get into the details of how trust was applied/implied in the differentiation, but I sense there’s more to come.
In both these cases we have huge technology companies attempting to find that balance between usability and security. We all deal with this on a personal level, at work, and at the corporate level. From a vendor perspective, it’s difficult to be all things to everyone. I respect the challenge.
Microsoft Announcement: https://docs.microsoft.com/en-us/deployoffice/security/internet-macros-blocked
Path to Self Sufficiency
Amidst the pandemic and when people we’re trafficking computer chips in their underwear, China announced it’s 14th five-year plan (FYP) and vision, with emphasis on technical leadership and independence from western companies. It’s interesting to note that the first FYP was launched in September 1953, coinciding with Stalin’s death and the end of the Korean war. By many accounts and according to Chinese media, the 13th plan (2016-2020) was a huge success.
The current FYP was met with a degree of concern by western nations, especially with the FYP’s emphasis on self-reliance in science and technology, noting “key core technologies will achieve major breakthroughs and enter the forefront of innovative countries.” (translated). Within the context of technology, the history of cyberespionage performed by nation state actors is well documented, brining credibility to the unease.
In an arguably rare occurrence (I’m not aware of when this has happened in the past) the director of the UK Military Intelligence, Section 5 (MI5) Ken McCallum and the director of the US Federal Bureau of Investigation (FBI) Chris Wray performed a joint address on Wednesday this week to express heightened concern and expectations for an increase in China’s espionage activities against the two countries’ interests. "It means that if you are involved in cutting-edge tech, AI, advanced research or product development, the chances are your know-how is of material interest to the CCP.” said McCallum.
The concerns stem from the observed activities and evolution of targets in concert with the stated objects of the 14th FYP. In short, to become independent you must first obtain the ability. The directors noted that President Xi said that in areas of core technology where it would otherwise be impossible for China to catch up with the West by 2050, they “must research asymmetrical steps to catch up and overtake”. To gain a foundational perspective of the meaning of his comment, I recommend reading Unrestricted Warfare. Not the recent popular publications, but rather the original (aka: warfare beyond bounds) from 1999 written by PLO colonels Qiao Liang and Wang Xiangsui… it’s - what’s the word - chilling.
Links: (Use with extreme caution)
MI5 Joint address: https://www.mi5.gov.uk/news/speech-by-mi5-and-fbi
14th FYP from Xinhua News: http://www.xinhuanet.com/politics/2021lh/2021-03/05/c_1127172897.htm
The vCISO (Virtual Chief Information Security Officer) practice is comprised of a global community of highly experienced security professionals that we can connect with customers looking to address challenging cybersecurity pressures in a cost effective and resource efficient delivery model. This provides organizations flexible and focused access to cybersecurity expertise in a time when finding, attracting, and affording skills at this level is virtually impossible or impractical.