Welcome to Cyber Security Today. This is the Week in Review edition for Friday October 29th. I’m Howard Solomon, contributing writer on cybersecurity for ITWorldCanada.com.
In a few minutes guest commentator Dinah Davis, Canadian-based vice-president of research and development at Arctic Wolf, will join me to discuss some of the news. But first a look at highlights from the past seven days:
At least 14 cloud service providers and resellers of technology products have been compromised since May by the Nobelium threat group. Microsoft said these victim firms are part of more than 140 companies that have been targeted by this group. According to U.S. intelligence, Nobelium is part of Russia’s foreign intelligence service. Dinah and I will talk about this latest version of supply chain hacking.
Despite the pandemic, the number of cybersecurity pros in Canada and the U.S. jumped by double digits this year, according to a report. But that’s not enough to cover the demand for information security staff. Dinah and I will look at what the numbers mean.
The Conti ransomware gang has added a new tactic for raising money. It’s offering crooks the ability to buy the IT network access of organizations it has already hacked into. The crooks can then do the stealing of data and threaten the organization instead of the Conti gang. Security experts aren’t sure what to make of this strategy.
Approximately 400,000 users of Scoolio, a student community app widely used in Germany, could have had sensitive information exposed due to an application programming interface flaw in the platform. A researcher discovered the problem rather than a hacker. But this comes as Akamai released a report this week saying sloppy work by developers is increasingly making APIs a way threat actors can hack into companies. APIs connect different platforms. I have a longer story on this on ITWorldCanada.com.
Remember the embarrassing hack last year of Twitter employees that led to the take-over of accounts of celebrities? Twitter wants to make sure it won’t happen again. This week Twitter said every employee now has to plug in a USB security key to log into their work computers and access the platform. If a crook gets an employee’s username and password, they can’t log into that account without the physical key. For some organizations a USB security key is the best form of multi-factor authentication, particularly for staff with access to sensitive systems, such as IT workers. By the way, Twitter subscribers also have the choice of using a security key.
Fake Android apps with spyware have been discovered that apparently target people in Israel. That’s because some are spread by social media messages in Arabic. One is a radio player. Another purports to be a guide to Jerusalem. One masquerades as the legitimate end-to-end encrypted instant messaging application called Threema. None of the fakes were available in the Google Play store, where the legitimate versions of these apps were available. People got the fakes by clicking on links in other app stores or from social media posts.
In addition, Lookout Threat Labs said it found seven Android apps with malware that could dig into the root of the operating system. One was in the Google Play store, the others were in the Amazon Appstore and the Samsung Galaxy Store. Once a hacker has root access to a device they can do almost anything. The bad apps pretended to be utilities like password managers and system tools like app launchers or data savers.
(The following is an edited transcript. To hear the full discussion play the podcast)
Howard: I want to bring in Dinah Davis now. I thought we’d wind up Cybersecurity Awareness Month by discussing common ways organizations fail in educating employees. First of all, why is awareness training so important?
Dinah: Awareness training is so important because the biggest hole in corporate security right now is the people: One wrong click of a link and you’ve now installed malware. So if you’re not doing awareness training you’re not teaching your people how to react properly and how to protect their company properly.
There are five main reasons employees often fail: The first is infrequent training. People forget about 80 per cent of the new things they learn within four weeks unless they are frequently re-engaged with it. So you want to make sure you’re doing awareness training in little chunks every couple of weeks, so it stays in the forefront of their mind. I said little chunks because too much data all at once and people can’t digest it.
Another thing: Trainers shouldn’t shame the learners. ‘You clicked the link that was bad,’ or ‘You’re not learning fast enough.’ You really have to promote a culture of understanding and learning. You want people to come to you when they make a mistake and say, ‘I’m sorry, I made a mistake. I’m learning. I’m trying.’ If they’re going to be shamed they’re going to keep their mouth shut. And you’re not going to know about a lot of bad things that have happened. Right.
Similarly, you don’t want to build a culture of distrust. That happens if your programming’s not consistent. This month’s training is 30 minutes long, and then you don’t have anything for six months. It makes it look like [the organization] doesn’t really care. Another thing is sometimes IT staff want to make phishing tests so hard no one in the organization actually can tell it’s a fake. You want to make them difficult, but not too hard because you want people to spot them. And when they don’t click the link and they report it, you get to say, ‘You correctly identified phishing,’ and then people feel good about it. It’s a positive feeling.
The last one is to make sure you’re not just checking a box. Make sure you’re not just doing training for compliance reasons and finding like the most boring, easiest, one-hour training session that you can send out once a year. You’re going to pay for that later in breaches and other problems.
Howard: In all the years that you’ve been receiving training can you recall what had the most effect on you?
Dinah: It was the first time I had been trained on phishing emails. I just remember them pointing out five big things that you need to look for, and I still look for them today: Hovering over the URL. Is it right? Looking for spelling mistakes, checking the link that they’re sending you. Does it have weird characters in it? Checking the [sender’s] email address at the top. Is that actually real? It just had such a big effect on me. It just gave me tangible things to look at. I think that’s one of the most important things when you’re building awareness training: What are tangible, real things people can do. Show them and they can grasp that.
Howard: Let’s turn to the Microsoft report on the Nobelium hacking group. It says that this allegedly Russian government-backed gang is attacking tech companies that sell products and services to governments and companies. Why is this so dangerous?
Dinah: It’s the supply chain attack again. If you can get into the companies that governments trust and can get your malicious code into their software, the government will download it because they trust the companies that it’s coming from. It’s exploiting the trust that governments and companies have with their suppliers.
Howard: Supply chain attacks aren’t new. Listeners may remember the huge theft of credit card data in 2013 from the Target department store chain. That started when crooks hacked into the heating and air conditioning supplier to Target. Because that supplier had direct access to Target’s IT systems they could leap from the air conditioning system into the point of sale system and siphon off credit card numbers. What’s new in this Nobelium attack?
Dinah: They’re not actually exploiting a lot of security vulnerabilities. They’re using a diverse set of tools to get in. You’ve got to remember, these guys are also the ones that are responsible for the SolarWinds supply chain attacks. So they’re very resourceful.
Howard: And as I understand it, part of the Nobelium attack once again involves password spraying, which is guessing passwords using lists of stolen passwords and assuming that some people are reusing the same password over and over again. And this circles back to awareness training, because people need to be trained not to do that. What should organizations in the supply chain do to protect themselves?
Dinah: They need to review and audit the access privileges [of employees]. Always go with the principle of least trust. Give staff only as much access as they need to be able to do their work. You also need to review and audit the logs and configurations for all applications and devices for [unapproved] changes in access. A lot of the time, we see attackers go after accounts that were created a long time ago and the employee is no longer there. But their account wasn’t de-activated. That’s how the attacker gets in.
Howard: I’m going to move on to the cybersecurity jobs report. Cybersecurity jobs have never been more in demand than they are today and a report this week by the International Information Security Certification Consortium, which among IT pros is known as (ISC)², estimates the number of people in the cybersecurity workforce in Canada this year is up 21 per cent over 2020, and up 30 per cent in the U.S. But IT departments still want to hire more. So there’s this talent gap. Is this report good news or bad news?
Dinah: I think it’s a bit of both. We took the global job openings from 3.12 million down to 2.7 million. So that’s good news. Bad news: We need to grow by 65 per cent to fill that gap for next year. That might be a little difficult. But I generally think it’s good news because it means that the field is opening up, that people are more aware of it and more people are choosing roles in this area. As an employer to really try and get more people in, I think you need to look at your hiring practices differently. How are you hiring? Who are you hiring? And one big thing I think you can do, which is just good for other reasons as well, is to diversify your job ads.
There are a few key ways that you can do that. You can make sure you’re using inclusive language – not using jargon or pop culture references or violent expressions. A big one that I really like is listing qualifications, not credentials. Avoid listing specific degrees or years of experience or other requirements that may cause qualified candidates to self-select out, when you can just list very clearly the responsibilities in the job. And if somebody can do that, then they’ll self-select in. You want to make sure you’re describing the position and not the profession. For example, how this job will work for your company, not just how does this job work in general.
Howard: But the report still talks about a gender and diversity gap, which has long existed in IT in general, in information security in particular. Can you talk about the importance of having a diverse IT staff?
Dinah: The importance of a diverse staff in anything is that multiple different ideas and viewpoints build stronger solutions. It’s been proved over and over again in company output. The more diverse a senior leadership is the better the profits are. You don’t want a whole bunch of people who think the same way who have the same culture, because they’re only going to look at the attack surface one way, and figure out how to defend it one way. But when you bring in people with different backgrounds, different schooling, different ways that they’ve made their way into cybersecurity, you’re going to get a more holistic approach to things. And in the end, be far more secure for it.
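Two of the defensive measures raised in the Nobelium discussion above, password-spray detection in authentication logs and an audit for accounts whose owner has left, can be turned into a concrete check. The script below is an added example written for this page; it is not code from the podcast, from ITWorldCanada or from Arctic Wolf. The log format, the account records, the IP addresses, the dates and the thresholds (10-minute window, five distinct users, at most two attempts per user, 90 idle days) are all constructed assumptions for the illustration; a real deployment would read its identity provider's sign-in log and directory export instead.

```python
"""Added example: audit constructed auth logs and account records for
(1) password-spray patterns and (2) stale or orphaned accounts."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one attempt per line: "timestamp user source result".
SAMPLE_AUTH_LOG = """\
2021-10-25T08:00:01 alice 203.0.113.7 FAIL
2021-10-25T08:00:02 bob 203.0.113.7 FAIL
2021-10-25T08:00:03 carol 203.0.113.7 FAIL
2021-10-25T08:00:04 dave 203.0.113.7 FAIL
2021-10-25T08:00:05 erin 203.0.113.7 FAIL
2021-10-25T08:00:06 frank 203.0.113.7 SUCCESS
2021-10-25T08:05:00 alice 198.51.100.4 FAIL
2021-10-25T08:05:10 alice 198.51.100.4 FAIL
2021-10-25T08:05:20 alice 198.51.100.4 SUCCESS
2021-10-25T09:00:00 bob 192.0.2.9 SUCCESS
"""

# Constructed directory snapshot (hypothetical fields): whether the account is
# enabled, whether its owner is still employed, and the last successful login.
SAMPLE_ACCOUNTS = {
    "alice": {"enabled": True,  "employed": True,  "last_login": "2021-10-25"},
    "bob":   {"enabled": True,  "employed": True,  "last_login": "2021-10-25"},
    "frank": {"enabled": True,  "employed": False, "last_login": "2021-10-25"},
    "gary":  {"enabled": True,  "employed": True,  "last_login": "2021-03-01"},
    "heidi": {"enabled": False, "employed": False, "last_login": "2020-12-01"},
}


def parse_auth_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "src": src, "ok": result == "SUCCESS"})
    return events


def detect_password_spray(events, window=timedelta(minutes=10),
                          min_users=5, max_per_user=2):
    """Flag sources whose failed logins inside `window` touch many distinct
    users with only a few attempts each (the spray shape, as opposed to
    brute force, which hammers one user). For each flagged source, also list
    users who later logged in successfully from it, since that is the case
    that needs immediate follow-up."""
    fails_by_src = defaultdict(list)
    for e in events:
        if not e["ok"]:
            fails_by_src[e["src"]].append(e)
    findings = {}
    for src, fails in fails_by_src.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(fails)):  # sliding window over the failures
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            per_user = defaultdict(int)
            for e in fails[start:end + 1]:
                per_user[e["user"]] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                since = fails[start]["ts"]
                later_ok = sorted({e["user"] for e in events
                                   if e["src"] == src and e["ok"] and e["ts"] >= since})
                findings[src] = {"users": sorted(per_user), "later_success": later_ok}
                break
    return findings


def find_stale_accounts(accounts, as_of, max_idle_days=90):
    """Return enabled accounts that should be reviewed: the owner has left,
    or nobody has logged in for more than `max_idle_days`."""
    as_of_dt = datetime.fromisoformat(as_of)
    stale = {}
    for name, rec in accounts.items():
        if not rec["enabled"]:
            continue  # already deactivated, nothing to do
        reasons = []
        if not rec["employed"]:
            reasons.append("owner no longer employed")
        idle = (as_of_dt - datetime.fromisoformat(rec["last_login"])).days
        if idle > max_idle_days:
            reasons.append(f"no login for {idle} days")
        if reasons:
            stale[name] = reasons
    return stale


if __name__ == "__main__":
    print("spray:", detect_password_spray(parse_auth_log(SAMPLE_AUTH_LOG)))
    print("stale:", find_stale_accounts(SAMPLE_ACCOUNTS, "2021-10-29"))
```

On the sample data the first source is flagged as a spray (five users, one failure each inside a minute) and `frank`'s later success from the same address is surfaced for follow-up, while the second source is a single user mistyping a password and is left alone. The account audit reports `frank` (still enabled after leaving) and `gary` (no login in over 90 days) and ignores the already disabled `heidi`.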