Welcome to Cyber Security Today. This is the Week in Review edition for the week ending Friday May 20th, 2022. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
In a few minutes I’ll be joined by David Shipley, head of Beauceron Security, to talk about some of the news from the past seven days. Here are some of the headlines:
Cyber intelligence agencies from five countries including the U.S. and Canada issued another reminder that attackers routinely exploit poor security configurations, unpatched software and weak login controls. David and I will discuss their recommendations to IT leaders.
We’ll also look at an international survey of CISOs about ransomware and other things that are important to them.
And we’ll analyze the latest proposal by the European Union to update cybersecurity standards for critical infrastructure sectors in the 27 EU countries. Can we do that here?
Elsewhere, the Conti ransomware gang continues trying to pressure Costa Rica with its multi-million dollar financial demands. The gang, which struck some government departments last month, now says it’s trying to overthrow the government with help from insiders.
Microsoft warned database administrators that hackers are going after SQL Server installations. They’re using brute force attacks to break passwords for initial compromise which isn’t new. What is new is they are leveraging a server tool called sqlps.exe instead of PowerShell to run malicious commands.
Hiring IT staff over the internet is risky, especially if they are to work in a foreign country and never come into the office. The U.S. government said this week that’s more true than ever because North Korea is directing its IT-trained citizens to apply for jobs in countries around the world. The goal, the U.S. alleges, is for them to get privileged access to IT systems for either espionage or to help hacking. Some North Koreans have been seen pretending to be teleworkers from South Korea, China, Japan or Eastern European countries, the U.S. says.
And IT managers whose building doors have smart locks that use Bluetooth Low Energy fobs should be worried. That’s because researchers at the NCC Group have discovered there’s a way to defeat the short-range wireless system and unlock doors. The trick works on some models of Tesla cars and home door locks.
(The following transcript has been edited for clarity)
Howard: Let’s start the show with the cyber intelligence advisory from the U.S., the U.K., Canada, the Netherlands and New Zealand. It’s a reminder that commonly used tactics are favoured by most threat actors. Things like exploiting unsecured applications open to the internet, poorly configured remote access services like VPNs, employees falling for phishing emails and taking advantage of trusted relationships by impersonating employees or partners through hacked passwords. David, what did you get out of this report?
David: It’s the laundry list of the continual sins that bring us down. The ones that I think still need the most attention, and I’m surprised that we’re still struggling with this given the current environment, start off with failure to implement strong password policies. This is bare-bones basics, and I think part of this may still be tied up in old advice: uppercase, lowercase, special characters, guidelines from NIST [the U.S. National Institute of Standards and Technology] from years ago, which we talked about back on World Password Day. I think it’s really important that people adopt strong, long, random passwords and encourage the use of password managers. This [weak passwords] is a problem we have the technological tools to solve. If IT leaders really want to go the extra mile, get something like Troy Hunt’s Pwned Passwords database and make sure your users aren’t setting passwords that are already in known brute force lists. This should be basic. Maybe this is the summer we can finally cross that threshold. Secondly, I think it’s really important that we get multifactor authentication rolled out where it’s truly needed, properly enforced and properly administered. MFA is not a silver bullet. It can’t guarantee you absolute security from criminals. But it can reduce brute force attacks by 99.9 per cent, which is amazing. That was one of the takeaways. The last one that I found particularly interesting was failure to detect or block phishing emails. What I find interesting about that is in the work that we have done. Make it easy for people to report suspicious emails. Quite a few phishing emails still get by secure email gateways, so your people are your best line of defense. But a lot of organizations, even if they have a ‘report a phish’ button, aren’t triaging and dealing with these really important signals that a control is failing.
Howard: One thing I’d like to stick in here about multifactor authentication is you’ve got to have backing from the CEO. Employees have to see that the CEO and all the vice-presidents are enrolled in the multifactor authentication program, because if they’re not, if they think, ‘Listen we got lots of work to do. We’ve got to log into things fast. Don’t bother us. Leave us out of the multifactor authentication program,’ the rest of your staff are going to say why should I be enthusiastic about it?
David: Absolutely. And this goes back to security isn’t a project, security isn’t a piece of technology you buy, security is not even a strategy. Security is a culture. It’s a mindset and you have to lead by example. The best thing you can do is have your senior executives do a two-minute video and say, ‘I use this every day and it’s important to use. Thank you for helping us be safer.’ I think the power of ‘Thank you’ is so underappreciated. It can make all the difference in setting the right tone for your organization. The last thing about multifactor authentication, particularly for large enterprises and critical industries, is that they use the app-based notification. It can quickly be approved on a smartphone. Remember back to the Okta breach and their third-party supplier getting hit. A one-time passcode that people enter is the best way to do MFA. Give users a sufficient login time. Don’t make them re-authenticate every hour.
Howard: How do you encourage people to choose proper passwords?
David: I think it’s just absolutely vital for enterprises and small and medium-sized businesses to adopt enterprise password managers. The average American, I heard yesterday at a conference, has 150 passwords. Canadians aren’t that different. There is no way you can remember that many strong, random, unique passwords. So use a password manager. And the best part is many enterprise password manager solutions offer an opportunity to protect employees’ personal accounts as well, keeping them separate from the enterprise. That encourages people to be safe 24 hours a day, 365 days a year.
Howard: You spoke of the failure to detect and block phishing, which is both a technology and a human problem. How do you get to the heart of that?
David: The reality is there is not a single product on the market that can block all of the phishing emails out there. Phishing emails evolve, they use all kinds of ever-creative tactics. Sometimes they use island hopping, which is using a trusted partner’s email to attack your people. So it’s a constant game of cat and mouse on the technological side. You can reduce the volume of attacks with good email controls. But even in large, complex organizations no inline solution I’ve seen stops all phishing emails. They still had phishes go through. But what was great for one organization is that their report rate of suspicious emails, both simulations and, by assumption, real ones, was north of 50 per cent. So there was a better chance that people were going to report suspicions faster than fall victim, which gives critical intelligence to your incident response and triage teams to deal with. This whole idea of doing phishing testing and just looking at click rates is yesterday. The new metric is how many people are reporting it. And when they report in a test, celebrate it. They’re going to report the real attacks that get through, and that’s going to give you critical minutes to get ahead of a potentially devastating social engineering attack.
Howard: Looking at a number of the issues raised by these cyber intelligence agencies, they aren’t really hard for IT departments. Implementing tough multifactor authentication for some users, like requiring senior management and IT staff to use security keys, isn’t inexpensive. But it’s not a crippling cost?
David: No. What is interesting about this report is that it highlights that people, process and culture are what hold us back in security, not a lack of technological know-how or solutions. And what I mean by the people side is management allocating sufficient resources to deal with cybersecurity. We still have a nasty human tendency to downplay risk: ‘It’s not going to happen to me.’ If there’s a CIO or a senior leader listening to this podcast today, you have to understand that in cybercrime every single organization is getting hit. Numerous studies consistently show the threat is there. This is not fear-mongering. It’s just a reality and you have to invest. Because if you don’t invest in the front end you will pay $10 plus for every dollar you could have spent in prevention on cleanup from an attack.
Howard: One of the mitigations that this report mentions is that IT needs to limit the ability of local administrator accounts to log in from a remote session. The purpose of that is if somebody gets a hold of an administrator account they can’t take advantage of access. Mitigations like access control are really important.
David: Absolutely. But the thing about access control is not the technology, it’s the process. How often are you reviewing your access controls? How often do you check that you didn’t introduce human error? How are you revising access when people change roles? This is the Great Resignation — there’s a massive amount of employee turnover. This is where the pressures come on identity and access management.
Howard: Another mitigation that’s mentioned in this report is adopting a zero trust model. Arguably, that’s the most expensive mitigation that these experts recommend.
David: Yes. Zero trust is easy if you’re just starting a business and you’re using only cloud services all your devices are untrusted to begin with. But if you’re a legacy business that has on-prem servers, data centers, network structures etc., this is both technologically expensive but also really complex from a planning and implementation standpoint … Please don’t just fall into the latest cybersecurity trend and just dive onto the next shiny thing because we think that that’s going to be the silver bullet that we don’t have to worry about security anymore. Get the basics right first.
Howard: Next on the list of issues that I want to look at is an international survey of chief information security officers done for Proofpoint … I’ll briefly summarize some of the responses in this survey of 1,400 people, 100 in each country. Here are the global results: 59 per cent of all of the CISOs said prevention rather than detection is the focus of their organization’s defense against ransomware; 40 per cent said their organization doesn’t have a policy on whether it would pay a ransom if it was successfully hit by ransomware; 60 per cent of respondents think that their employees understand the role they play in protecting their organization against cyber threats; and 56 per cent of CISOs think that human error is their organization’s biggest cyber vulnerability.
David: First, I am encouraged that almost 60 per cent of folks said that they wanted to focus on prevention rather than detection and response for ransomware. I think that’s smart, because it’s far less expensive to put a fire out with a fire extinguisher before it spreads and burns the entire building down. It’s nice to see this proactive push. We’re seeing ransomware crews get faster and faster, and in under a couple of hours go from initial access to running rampant through an organization.
I am discouraged that only about 40 per cent said the organization doesn’t have a policy on whether they would pay a ransom. What that tells me is that the organization actually isn’t taking the threat seriously, because it’s fine for the business to decide, ‘Well, this is where we are as a business, these are all of our different risks and we can’t afford to be proactive. So we’re just going to roll the dice and pay the ransomware.’ But if you have that uncomfortable conversation around your board and senior management it gives people an opportunity to question that, to challenge and say, ‘What if we put in place a plan to eventually not rely on the roll the dice?’
In very few contexts do I ever think it’s ethically and morally okay to pay a ransom, aside from healthcare. I would much rather see organizations have a board policy that says they’re not going to pay. Draw the line in the sand. Let’s take the gasoline that organizations have poured on the fire of ransomware away. Then, because they make that decision, they have to have a robust cyber security strategy and resourcing to reduce the risk of ransomware. They’ve aligned their security investments with their approach to risk management. Maybe we need to have regulations, particularly for publicly-traded companies, saying they need to have a board policy on this, but not necessarily dictate that you can’t pay the ransoms. Maybe that’s a bridge too far right now. But say what your public policy is. It’s an uncomfortable conversation and it may be slightly unrealistic to expect them to be transparent about what their policy is because that could be like a giant sort of ‘Come hack me’ sign to attackers. But maybe they have to have a confidential submission to a regulator.
Sixty per cent of respondents say that their employees understand the role they play. Here’s what’s interesting: We actually surveyed our employees as part of the work we do within our actual platform, and 90 per cent-plus of employees understand the role they play. What they feel very strongly about is whether organizations are actually providing them with contextual security training related to how their business works, not just the generic vendor phishing video. They want to know why security is important to senior management. They want to know what tools are provided to them and they want to know what to do when they see a threat. If the organization isn’t being specific enough they don’t feel empowered.
And finally, 56 per cent of CISOs think human errors are the organization’s biggest cyber vulnerability. Well, 85 per cent of incidents can always be traced back to people, not necessarily making a mistake, but to people, process and culture. I’ve read a fascinating study in healthcare that showed the employees cared about security, they knew how to be secure, but because they were so overworked, stressed and tired and the organization sent them far too many internal emails, they had a startlingly high phishing click rate. In that case it’s not beating more training into the employees’ heads, it’s how are we communicating to our employees through whatever channels so that they’re not overwhelmed.
Howard: You thought that the fact that 40 per cent of respondents said that their organization doesn’t have a policy on whether it would pay a ransom means that those companies don’t take ransomware seriously. I would disagree. I put the following suggestion to you: What it means is they want to keep their options open. They’re just not sure what to do, and in some cases they’re thinking, ‘Maybe we would pay; in other cases we won’t pay. It depends on the situation.’ So they can’t have a policy.
David: Not making a decision before a gun gets put to your head is making a decision. So if you’re going to have a policy that says we may pay under the following circumstances, then make a policy. That’s our policy, and then on the people, resources and strategy make that a reality. I think waiting till your board is up at three o’clock in the morning and you’re getting minute-by-minute updates and conflicting reports from your IT team about how bad the situation is, is the worst possible environment to try and make a decision.
Howard: Issue Three: The European Union Parliament is recommending its 27 countries adopt an updated cybersecurity directive covering critical infrastructure organizations. The new standard aims to remove differences in cybersecurity requirements and implementations in each of the 27 countries. It would do this by setting minimum rules for a regulatory framework. It would lay out ways for cross-country co-operation for large cyberattacks affecting more than one country and it would give participating EU regulators the ability to impose sanctions. You see a lot of merit in this plan.
David: I do. Let’s be honest, countries are moving towards mandatory reporting frameworks, risk-based management frameworks and being able to demonstrate that you’re dealing with cyber in a sane and appropriate way. So in the European context you can either have 27 different ones or you can have a standardized, harmonized approach, and that makes a lot of sense to me. What was interesting in the proposal is you’ve got a month to file a report, so this is going to be interesting for large, complex ransomware attacks like we’ve seen in Ireland and Newfoundland and in other places, which typically can take months to actually fully play out. How’s that going to reflect the reality? Two other things are interesting: If you don’t actually clean up your cybersecurity house the fine is 10 million euros or two per cent of global revenues, whichever is higher, which is half of what they’ve set for the fines for privacy violations under the GDPR. Also, senior management can be held personally liable for negligence when it comes to cybersecurity. I like this. It turns up the temperature. And it creates the right incentives where clearly the market hasn’t necessarily done so.
Howard: Could this be done in Canada or the U.S.? In Canada the federal government doesn’t have to deal with the provinces on some things. It directly regulates banks, telecom carriers, airlines, railways. So could the federal government here set minimum cyber security standards?
David: I think so, and I think it’s going to be an important evolution of Canadian federalism to start recognizing that the constitution didn’t contemplate the digital world that we live in today. I think it’s time to have that conversation. We can’t have 13 different jurisdictions [the provinces and territories] in this country overseeing cybersecurity. We’re already heading down that way in privacy right now, which is an absolute dumpster fire. Quebec has basically adopted a very similar privacy law to GDPR. So if you’re doing business across Canada you’ve got different frameworks for privacy, different conditions etc. The winners of that conflict will be lawyers and privacy experts and security firms. But that’s just a tax on businesses. So we need a clear common national cybersecurity standard. We are too small of an economy and too small of a country to have 13 different response agencies. We need one well-resourced federal government response agency that can help. The Newfoundland healthcare system attack is an example. Healthcare is critical infrastructure and we need a common national standard and resourcing to protect those institutions.
Howard: But the other way of looking at it is why not put pressure on the provinces to look after things in their jurisdictions? Businesses, retailers, law firms, municipalities, police departments, all of these come under the jurisdiction of provinces, and provinces like to be independent. Why shouldn’t they have to show the public that they’re responsible for cybersecurity in their realm?
David: My issue with that is the provinces in Canada are not equal in the resources they have. How could we reasonably expect Prince Edward Island to have the same robust ability to do this kind of work that Ontario could have?
…We have and have-not provinces for cybersecurity now. If you are a victim of a cyber crime and you are fortunate enough to live in Toronto, Calgary, Halifax or a decent size city the quality of police response you get is dramatically different than in other parts of this country. We need to scale cybersecurity at a national level.
Howard: Last, the finals of the annual Canadian cybersecurity competition for middle and high school students called CyberTitan were held this week. It’s based on the CyberPatriot program in the U.S. One hundred and thirty teams from across Canada enrolled to participate this year. It’s a great way to encourage teams to think about a career in IT generally and cybersecurity in particular.
David: I love the CyberTitan program. We were a sponsor of the regional competition here in Atlantic Canada. It gets teens thinking about careers in IT security. It’s fun, it’s challenging, it’s attracting a lot of groups who don’t traditionally consider cyber security careers, particularly young women, to get experience. And I think this is going to be key to meeting the massive talent shortage, and also the lack of diversity in this field. I’m super proud that a team from McAdam, New Brunswick, which is a very small town, made it to the final. I think this is a program we should be celebrating in the same way that we celebrate when high school and middle school teams make it to the nationals in sports.