Welcome to Cyber Security Today. This is the Week in Review for the week ending Friday, July 14th, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.
 |
 |
 |
In a few minutes Terry Cutler, head of Montreal’s Cyology Labs, will be here with commentary on recent news. But first a look at some of the headlines from the past seven days:
An IT former contractor who managed a California water treatment plant has been accused of deleting software that ran the operation’s IT network. Terry and I will discuss insider threats.
We’ll also look at the pace of cybersecurity spending by the private sector, how hackers are creating voice fakes and the responsibilities of CEOs during a cyber attack.
In other news, The number of organizations victimized by the hack of the MOVEit file transfer application continues to climb. It’s now at least 272 organizations. (UPDATE: After this podcast was recorded we were told the number as of Thursday was 311.)
One of the companies, Pension Benefit Information, which handles data from a wide range of American organizations, said this week in a regulatory filing that data it held on over 370,000 persons was copied by MOVEit attackers.
Another victim is Massachusetts-based Rockland Trust, which said this week it is notifying over 14,000 bank customers that some of their personal data was copied when an unnamed third-party supplier that uses MOVEit was hacked.
Separately, the Accreditation Commission for Education in Nursing is sending data breach notification letters to almost 12,000 people after someone compromised its file transfer service in February.
Big American income tax preparation firms like H&R Block and TaxAct have been recklessly sharing with Google and Meta the personal and financial information of millions of people using their websites. That’s the finding released this week by a group of members of Congress. The data collection is being done through the use of tools like Meta Pixel and Google Analytics embedded in websites. The politicians called on federal regulators to investigate.
Curious security researchers who downloaded a supposed Linux vulnerability proof of concept exploit from GitHub were victimized by malware. Researchers at Uptyics say the download installed a backdoor. It’s now removed from GitHub, but not from victims’ computers.
The Washington Post says the U.S. Federal Trade Commission has launched an investigation into how the company that created ChatGPT handles data privacy and other issues. The FTC isn’t commenting on the report.
Administrators with SonicWall devices are urged to install the latest security patches. The most serious is an authentication bypass vulnerability affecting the GMS and Analytics products. And administrators with Fortinet devices running version 7.0 and up of FortiOS operating system are urged to update to the latest versions to close a stack-based overflow vulnerability.
(The following transcript has been edited for clarity)
Howard: What should a CEO do during a cyber attack? Regular listeners will recall that on Wednesday’s podcast I talked about a Wall Street Journal article on how the CEO of a German biotech company handled a cyber attack. Which raises a question? What should the CEO do? Leaving everything in the hands of the IT department or the incident response team? Wait for the team to ask for a decision? Reassuring customers and partners?
Terry: They should be in charge of immediately initiating the response plan and the process to co-ordinate the effort across different departments — if they actually have an incident response plan. A lot of times they’re like, ‘What do we do?’ and then they rely on the insurance company or the breach coach to guide them.
One of the CEO’s primary responsibilities during a cyber attack is to communicate with the internal and external stakeholders. This includes employees, customers, partners and investors, regularly updating them on what’s happening. Be transparent and provide a commitment to resolving the company’s issues.
The CEO has to work closely with the IT department and the incident response team to understand the scope and severity of the cyber attack. This includes learning what machines were compromised, if what data was affected, and any potential vulnerabilities. This will help them understand the impact of making informed decisions around allocating resources and budgets, how to talk to the media, and whether he may have to involve law enforcement.
One thing that the CEO should do, because they’re not technical, is stay out of the technical side. Make employees feel reassured.
Howard: Should the Ceo be part of the incident response team?
Terry: The CEO is going to be definitely involved, but they should be focused on strategic decision-making and communication rather than working in the technical part. Remember, incident response requires specialized technical skills. The CEO probably doesn’t have a deep understanding of the technical details that are going to be involved. If you get hit with a ransomware attack you’re going to be down for a good hundred hours so. During that time the CEO’s going to be trying to figure out what systems do we get online first? What’s most critical for the business?
How hands-on? I think it’s going to vary depending on the nature of the cyber attack and the size of the organization … When we do IR we’re usually on two phone calls a day explaining [to the CEO] what’s going.
Howard: What’s the worst response from a CEO to an incident that you’ve seen?
Terry: ‘How could this have happened? My IT guy says we have it covered?’ But in a lot of cases when we dig deep we find out that IT guy asked continuously for technologies like EDR (endpoint detection and response solutions] and other you know higher-end systems and was always told no.
Howard: Is it common for an insurance company to dictate incident response, to take some decisions out of the hands of the CEO?
Terry: Yes. The insurance policy is going to outline the specific terms and conditions under which the insurance company may have a say in the response plan. This will include requirements for engaging specific incident response providers. They’re going to have a list of IR companies, breach coaches, here’s all the steps. Remember insurance companies have a vested interest in minimizing the financial impact of a cyber attack …
Howard: Experts say that incident response teams need to have a playbook — if we’re hit by a DDoS attack we do this, if we’re hit by a data theft do to this, if we’re by ransomware we do this. That way the IR team’s ready to make recommendations to the CEO. Recommendations shouldn’t come as a surprise to the CEO.
Terry: A lot of companies don’t have playbooks and that’s why a lot of these CEOs are so surprised at how their systems got so infected and the amount of downtime … That’s why having a well-defined and documented incident response playbook is going to be so effective. Make sure you have a bunch of scenarios set up.
Howard: One decision the CEO is going to be faced with is whether to call the police.
Terry: I think the police need to be informed … It’s very important CEOs realize the police are not going to do anything [immediately] for you. They don’t have time or resources. But you need to report anyway. I was at a conference where the FBI talked about how they took down some gangs, and it was because companies reported the crime and they were able to build a case.
(This is one of four news stories we discussed. To hear the full conversation play the podcast.)