Welcome to Cyber Security Today. From Toronto, this is the Week in Review edition for the week ending Friday, February 24th, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.
In a few minutes Terry Cutler of Montreal’s Cyology Labs will be here to discuss recent news. But first a summary of some of what happened in the last seven days:
Twitter users will soon have to pay to get their two-factor authentication (2FA) codes by SMS. They’ll have to subscribe to the premium Twitter Blue service. Is this logical? Terry and I have opinions.
More malware has been discovered in the open-source NPM and PyPI code repositories. We’ll ask why repository operators can’t put a lid on this.
Game developer Activision acknowledged it was hacked in December after an employee fell for a text messaging scam. That will be part of our discussion.
In France five people were indicted for using a device normally only accessible to police. They used it to capture hundreds of thousands of mobile phone numbers for spam.
And Gartner predicts there may be upheaval in infosec departments. Stress is causing cybersecurity leaders to re-evaluate their careers, the company said, predicting that over the next two years nearly half of them will change jobs. Terry will have some thoughts on the pressure on leaders.
Researchers at ESET suspect North Korea’s Lazarus threat group is deploying a new backdoor. It’s part of malware discovered in 2021 capable of downloading Windows binaries. The new backdoor is one of the payloads. The backdoor module collects system information and provides ways of deleting or exfiltrating files.
Fruit and salad processor Dole had to temporarily shut its production plants in North America earlier this month because of a ransomware attack.
And a new information-stealing malware is being marketed to threat actors. According to researchers at the French firm Sekoia, the malware is called Stealc. It’s similar to other code that steals data from infected computers like Vidar, Raccoon, Mars and Redline. One way Stealc is spreading is through infected software and mobile apps pretending to be utilities.
(The following is an edited transcript of part of the discussion. To hear the full talk, play the podcast.)
Howard: Gartner published research this week about how worn out cyber security leaders are. By 2025, it predicts, half of the cybersecurity leaders will have changed their jobs, and of them 25 per cent will just leave the IT profession for different roles entirely due to multiple work-related stressors. These include low executive support for cybersecurity and making IT focus on compliance rather than risk management. What are you hearing from cybersecurity leaders that you talk to?
Terry Cutler: I’m not sure if you’ve ever seen this meme on the internet where day one of your cybersecurity job you looked like baby Yoda, and two years or three years later, you looked like 900-year-old Yoda. The burnout’s real. It’s very, very, very difficult this field, especially if you’re not passionate about it. You’re gonna burn out even quicker. How many times have you heard folks say, ‘Cybersecurity is paying really, really well.’ But if you’re a plumber, for example, and you want to switch over to cyber, it’s very, very difficult. So you have to be passionate about this field to get in. But there’s a lot of high pressure to manage consistent, evolving threats. Then you got limited resources and conflicting priorities.
For example, you’ll have issues in cybersecurity, but then other business leaders are not on the same page as you. They’re not going to prioritize your requests. And that’ll leave you with a sense of frustration and isolation because you’ll say, ‘This is a threat. It’s a zero-day [vulnerability]. We have to deploy these patches right away.’ I actually experienced this often in healthcare: There was a vulnerability out and we said let’s scan the [IT] environment. I’m still waiting four months later to get the approval to scan the environment for vulnerabilities. There’s so much red tape in some of these companies. It’s crazy. You have to wait for all the groups to be on the same page and give you permission. As an advisor and such you’re always faced with these delays. And if you’re not on the same page as the other folks, because they don’t understand the risk level, you’re just going to feel like you’re banging your head against the wall. And that’s why people just leave.
You know what? You wanna get hacked? Don’t blame me. Here, sign this paper. That’s what I think CISOs are going to have to do to cover their butts: ‘I’m advising you of this threat. You don’t want to do it, sign here.’
Howard: What will it take for CEOs to prevent cybersecurity leaders from leaving their company?
Terry: CEOs need to prioritize cybersecurity as a critical business function and provide the necessary resources and support to help cybersecurity leaders be successful. The biggest is provide adequate funding. How many times do we try to do audits that are really inexpensive, that could save the company hundreds of thousands, if not millions, of dollars? It probably would’ve just cost 10 grand to avoid headaches. The other thing is the CEOs need to build a cybersecurity culture. Even if the janitor has access to the network to check his email he can click on a ransomware link and infect the whole company. So everybody needs to be on the same page that cybersecurity is really important and understand if the firm gets hit with a cyber attack it could cost their jobs.
One of the bigger things is to bring the CISO to the [executive] table as a respected thought leader. It’s important that the CISO is able to articulate the risks. And provide career paths [for infosec leaders] … If you don’t do these things you’re not going to attract the top talent to your company.