Welcome to Cyber Security Today. This is the Week In Review for the week ending Friday, November 4th, 2022. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
In a few minutes David Shipley of Beauceron Security will join me to discuss words of wisdom I recently spotted on Twitter. But first a look back at some of the headlines from the past seven days:
Thirty-six nations agreed to form a joint task force to fight ransomware. The countries, including Canada, first met a year ago in Washington. After a year of work they agreed this week to create a formal framework for sharing information, setting priority targets and working closely with cybersecurity companies.
Dropbox suffered a data breach this month, the company admitted. An employee of Dropbox fell for a phishing scam from a hacker pretending to be from the CircleCI integration platform. Dropbox developers can log into CircleCI and GitHub with their credentials, including a one-time passcode. With the employee’s credentials, the hacker accessed some of the Dropbox code it stores on GitHub. The hacker was able to get some credentials—primarily, API keys—used by Dropbox developers, as well as a few thousand names and email addresses of Dropbox employees, current and past customers, sales leads and vendors.
Apple has created a special iPhone for security researchers to work on. Called the Security Research Device, it is a fused iPhone that allows researchers to plumb the depths of the iOS operating system looking for vulnerabilities. They have to be reported to Apple. Developers have until November 30th to apply for a unit. Apple also announced the creation of a Security Research website to make it easier for others to get bounties for finding bugs in Apple products.
Security researchers were apparently wrong in concluding the Yanluowang ransomware gang’s core members are Chinese. Leaks of the gang’s internal chat logs are in Russian. Whoever cracked the gang’s chat server also compromised their dark web victim leak site, and posted a screenshot allegedly of the ransomware’s decryption source code. If true, the gang’s reputation could be seriously damaged among crooks looking for partners.
Aurubis, the second largest copper producer in the world, said it was forced to shut down several IT systems last week after a cyber attack. The company said it took that action as a preventative measure.
Covid lockdowns and law enforcement crackdowns have made it harder for crooks to get hold of pharmaceutical drugs they sell online. According to researchers at Cybersixgill the number of posts on underground markets for popular prescription drugs, including painkillers, plunged 79 per cent last year and has remained at the same level this year. Still, these drugs continue to be peddled online by crooks at inflated prices.
Finally, administrators of the Splunk security event management platform should install the latest patches. The company issued fixes for eight high-severity vulnerabilities for Splunk Enterprise and one for Splunk Secure Gateway.
(The following transcript has been edited for clarity)
Howard: Joining now from Fredericton, New Brunswick is David Shipley. Twitter is on our minds today, and only partly because it has a new owner. I recently spotted some nuggets of wisdom from Twitter users I follow that are thought-provoking. Here’s one: “There is no talent shortage in cybersecurity. There’s a talent development shortage.”
David Shipley: I completely agree. I think there is a ton of amazing, talented people out there that have a place in cyber. Our biggest challenge is we get in the way of ourselves. I’ve seen ridiculous job requirements for entry-level positions, some requiring expertise with a decade in the industry — and the reality is a really good internship program could get the job done and get you that talent. I’m a great example of what happens when you create a talent development pipeline. I’m a journalist, I’ve been a soldier, I was a marketer. My university saw in me the latent potential, the curiosity, the baseline of technical skills they could invest in to make me a cybersecurity professional. The CIO who I worked with recruited me from marketing into his team, helped get me into professional development programs through ISACA, and got me out to conferences. Meta Network provided specific technical tool training on things like QRadar — and I became a cybersecurity professional. Now, it took years to develop that talent but it paid dividends for the university, and it certainly paid dividends for me.
The reality is we have so many different roles in cybersecurity. We have deep technical roles all the way to ones that require more communications and marketing skills, like awareness or auditing skills. There’s a ton of talent out there, and really smart organizations are doing things like finding out who in their organization is curious about this stuff. That curiosity is the first, critical step to identifying talent. Then you can invest in them. There’s an old cartoon that asks, ‘What if we invest in our people and they leave?’ [and someone asks] ‘What if we don’t invest in them and they stay?’ There’s this weird paradox where we’re afraid to create value in people.
Howard: This is cyber security. Why shouldn’t an employer say, ‘I’m looking for experience?’
David: The challenge is if we’re chasing the same limited pool of people who have experience we create a talent shortage. The threat environment has accelerated, expanding the threat surface, whether it’s from digital transformation etc. It has outpaced the available talent pools, so all you’re doing is chasing the same people and escalating salaries. Thank you, but you have a job vacancy requirement. You’re going to have to fill that. It’s time for a trades approach to cyber. Get this out of people’s heads that you need to have a four-year computer science degree to be in cybersecurity. There are some great folks that come out of community college. There are great, professional schools. Toronto Metropolitan University has phenomenal women in cyber and newcomer to Canada in cyber programs [through the Rogers Cybersecure Catalyst]. They partner with the federal government, they provide SANS Institute courses, really solid, edgy professional education. And they are graduating people right into Canada’s biggest frontline jobs. They’ve figured out the talent pipeline, but we need to scale that across the country because we need to benefit more than just Canada’s five or 10 largest enterprises.
Howard: So what do those who are looking for a security talent want? What do they need? Experience, certifications, a university degree?
David: They basically want an entire security team in a single person, which is crazy. No one cyber security professional can cover all the different things you might need in a team. If you’re a small or mid-sized business you need a cybersecurity lead. Okay, get somebody that actually understands the fundamentals, understands governance and management. A certified information security manager is a great role. And you might be like me, an MBA graduate that has a CISM. They can make your plan, your strategy, help build your budget, find out what other skills make sense to hire internally, or develop the talent pipeline, or outsource. But so many times they want to hire a junior analyst at a junior analyst’s salary but they expect them to be the CISO, which is crazy.
Howard: This week Technation Canada, which represents big IT companies, told me that they’ve asked Ottawa to create a public-private task force to work on the cyber security talent shortage. It would be governments — provincial, territorial, federal — the private sector tech companies and academics. Is that needed? Do the federal and provincial governments really need to get involved? Why can’t the industry talk directly to universities and colleges?
David: I think we need federal government money to make it affordable for students to take a period of time, whether they’re in school now or they want to change careers. That’s what we need Ottawa’s money for. We don’t need another task force to reinvent a model. Toronto Metropolitan University’s Rogers Cybersecure Catalyst has figured it out. It’s there. Pop one of these in every major city in this country, backed by a top-tier university and start ramping it up. Free tuition — with some kind of acceptance criteria, but not necessarily a computer science degree. I love the Toronto Metropolitan University program and how it’s taught people cyber fundamentals, right up to the skills to be a junior SOC analyst or a risk auditor, and put them right into jobs. There’s your talent strategy. I just saved millions of dollars. Go and get it done.
Howard: You didn’t save millions of dollars: You said the f-word in there — free tuition. That costs money.
David: Sure, but look at the payback to the Canadian economy. We talked two weeks ago that Canadian businesses lost $600 million to cybercrime. That comes directly out of the economy. If you have a program to start filling the talent pipeline across this country with a 10 times ROI, isn’t that a good spend?
Howard: Here’s another clip from a Twitter user that’s job-related: He wrote, ‘I’ve been promoted to staff security engineer. That’s two promotions in the year and a half that I’ve been at my company versus the zero promotions that I have in the two and a half years at’ and here he named a huge tech company that begins with the letter ‘O’, ‘and the zero promotions that I had in the four years at,’ and here he named another huge tech company that begins with the letter ‘I’. I can’t verify how this person was treated at those companies, but the interpretation of this tweet is some companies treat their staff better than others, which may be common sense — but isn’t that also a key to keeping your existing talent?
David: Exactly, and it goes back to the point I was making at the start: Sometimes companies are terrified of investing in their own people because they’re going to lose them. But the reality is if you don’t invest in them they are going to jump to other employers, just like this. This anecdote from Twitter shows you got to believe in your people, you got to believe in building up a talent pipeline. The job of every leader and every manager is to make sure there’s someone below them that’s ready to take over when they move up the chain or move to another organization. Within our company, as part of the ISO 27001 standard that we have for security, we train every employee to make sure that they know how to be successful in their role. This isn’t what you would traditionally think is attached to a security certification, but it robustly makes our business more secure and resilient. If you’re not investing in your people, you’re missing out because it’s the people in any given organization that make it competitive, that make it amazing. The technology that you use, the things that you produce, those are the outputs. The things that accelerate that, whether it’s cyber or anything else, are people. You have to invest in that. I think the Great Resignation, the great transition that we’ve gone through over the last 12 months as part of the pandemic, really highlighted exactly that point: People are finding it easier to get recognition in other organizations, and that’s pretty damning.
Howard: Can you show appreciation in ways other than with money or a title?
David: Absolutely. Within our organization we regularly canvass our employees and ask what new courses, what new skills do you want to develop? When I was at the university they paid 50 per cent of my MBA, and I was given time during work hours to go to classes. They didn’t increase my salary. And frankly, the 50 per cent coverage of the tuition didn’t really cost them that much. But it was immensely valuable to me. The other thing you can do inside of your organization is to challenge people: Give them new problems, new opportunities. And that’s why cyber is such an exciting talent development theme for today’s podcast. We survey a lot of people, we’ve got some cool data coming soon. The amount of people that want to do the right thing is well above 90 per cent in every organization, and within that pool of your employees are people who would thrive in cyber.
Here’s a challenge to those listening: In your annual security awareness and training and compliance, are you using that as an opportunity to identify people that really get excited about cyber? They are the first ones to complete the training, or always report phishes or are always showing up to [cybersecurity] town halls. Are you reaching back to them through your HR teams and saying, ‘We notice you’re pretty keen on this stuff. Did you know we have vacancies in cyber security and privacy and information handling? Would you be interested in that? Let’s have a conversation.’ But that’s hard, long work. That’s the kind of talent farming that we need to do — but we’re much more comfortable headhunting. Talent farming yields greater results over time, but you got to put the work in.
Howard: Here’s a third pearl of wisdom that I saw on Twitter. This person wrote, ‘If you have a burdensome process, if your machines are overloaded with agents, if you have alert fatigue, you’ve got a culture problem. Not a tech problem.’
David: I really, really enjoyed that point. When we set out to do cybersecurity, when we’re trying to do objectives and governance for organizations, the first thing to look at is: What are we trying to protect? Why are we trying to protect it? And what are the systems and processes to do that that make the most sense for our organization? That starts with leadership. For example, for our ISO process we specifically said the protection of customer data is the most important. From there, what are all the system processes etc. to achieve that particular standard? What kind of culture do we want to create around that so we don’t have a billion and one tools? How do we have a culture where everyone understands what we’re doing? If everyone in your organization is doing things that are setting off fire alarms — whether they’re going to websites with malware, they’re clicking on every phishing link, they’re insecurely sending data out to other individuals — you have a culture problem. You’re not going to out-tech your way out of that problem.
Howard: And while we’re on Twitter, we can’t get away from Elon Musk. You’ve seen an uptick in Twitter phishes and scams, including attacks on verified accounts since the Musk takeover. What do you think is going on here?
David: Social engineering thrives in elements of controversy and confusion, and that’s Elon’s brand. Right now we’ve got mass confusion over people with verified status, which are highly valuable accounts. They don’t know if they’re going to be getting a $20 a month bill for this [as of the time this podcast was recorded] or if they’re going to keep their status or how things are changing. This is the perfect time for scammers to kick in. We’re also hearing that Twitter’s trust and security teams are taking an awful potential beat down in terms of job cuts, layoffs etc. So it’s never been a better time to be a scammer targeting Twitter. They’ve dived on this like ravenous animals on a wildebeest. And this can have consequences. There was a trial run of an attack in the Southern United States about a decade and a half ago where a social media disinformation account said there was a natural gas leak. They wanted to see if they could create panic. Imagine a bunch of verified news organizations falling victim to social engineering by a nation-state to push something. … And we’re watching it just be thrown into utter chaos. Criminals are having a field day.
Howard: Do you think he knows what he wants to do?
David: I think Elon Musk is like Heath Ledger’s Joker [in Batman: The Dark Knight]. I think he is just an absolute agent of chaos. Sometimes I think his intelligence outpaces his actions. I think at his core he is still a red meat-eating capitalist who wants to make money — he sure paid a lot of money for Twitter — so he’s got to figure out how to do that. Which directly conflicts with a vision of what exactly free speech moderation means in a platform that depends on advertisers for 90 per cent of its revenue. I think he’s a lot like the dog that caught the car and now he doesn’t know what to do with it …
Howard: I think that Elon is only partly a free-speech libertarian. The other part, I’m just guessing, is he’s a bottom-line capitalist. I wonder if he’s looking at the 1,500 people around the world at Twitter who are content moderators — that is, they delete objectionable images and words — and he probably thinks they really don’t contribute to the bottom line. There’s no end to the demand that all platforms, be they Linkedin or all sorts of other social media platforms, do more to delete or block hateful speech, disinformation and misinformation.
And if the owners of these platforms give in to these demands, well, they’re going to have to hire thousands of people as moderators. Not many businessmen think that is a really good business model.
David: It’s an interesting problem. I deeply remember the messages of Ray Bradbury’s book Fahrenheit 451 and the cautious warnings about the rise of censorship at the time it was published. Letting people say absolutely hateful, harmful things about identifiable groups … We’ve seen this show before, when we give platforms to hate-mongers. It results in real tragedies and real crimes. So what do we do? It’s interesting that companies want to yield tremendous profits from online advertising. They have displaced traditional media like newspapers, radio and television, which were held to a higher standard. Newspapers could be sued for printing libelous or defamatory things. Radio stations and broadcast stations had publicly-granted spectrum licenses and were held to account by a regulator or their own industry, so there were checks and balances. I’m old enough to remember when we called social media ‘New media.’ … Well guess what? You created the world’s largest letter-to-the-editor platform ever, and the awfulness that comes with this is your accountability now. Maybe the counterpoint to this is some of the ideas that Musk has about people having to prove their identity and thus making it easier for them to be held to account by each country’s laws with respect to libel, hate speech, defamation etc. Maybe that’s the answer. A lot of smarter people say that’s a giant pitfall for free speech.
Howard: The last item I want to talk about is whether CEOs should be held accountable for data breaches, and if so how far. I raise this because the U.S. Federal Trade Commission recently sanctioned an online alcohol marketplace called Drizly and its CEO over allegations that poor customer data protection resulted in the theft of 2.5 million customer records. Drizly and the CEO were allegedly alerted to security problems two years ago before the breach but they failed to improve the security.
The FTC’s proposed order not only restricts what the company can retain and collect going forward, but it also orders the CEO personally to implement security programs not only at Drizly but at any company he runs in the future if it collects data from 25,000 people or more. An appeal court may not find that part of the order lawful. But what do you think about this? If the CEO is paid big bucks why shouldn’t they pay the price?
David: I think there is a really compelling case to be made here. The parallels are in securities trading. We’ve also seen examples where consequences can follow executives when they do bad things. We’ve seen this in the Elizabeth Holmes case and the fraud around her medical technology biotech company [Holmes was convicted in January and is awaiting sentencing, although this is not a cybersecurity case]. Applying that to cyber makes some sense. In the FTC case I think the important facts here are the lack of a due diligence defense. This was a risk and they allegedly chose to prioritize other business areas or other risks over this. They allegedly made the choice and with that choice came consequences. I think the punishment for CEOs and breaches should be commensurate with the actual risk of significant harm to individuals.
I remember the LifeLabs breach here in Canada, where people’s private medical records, disease screening tests and other things were captured by a criminal gang. If [in a similar case] the CEO had known for years and chosen to disregard security the penalty should be more severe than, say, the loss of information that’s not nearly as sensitive — like usernames and passwords for an online ordering site. It makes sense, I think, to send the right signal to CEOs that there are professional consequences. This is not the first time we’ve seen C-suite executives held to account for their decisions. One example is the post-Enron series of legislation around accountability and signing off on financial statements. They make a lot of sense.
I don’t think it should just stop at the CEO. There are other key roles inside an organization. This is a nice bookend to the Uber case, where the chief security officer was just convicted last month for the cover-up of a breach. It’s nice to see CEOs being held to account — although the disparity between the chief security officer getting criminal consequences, including possible jail time, and a fine for a CEO and some covenants if they go to create future businesses is worth noting as well.