Welcome to Cyber Security Today. This is the Week in Review for the week ending Friday, October 7th, 2022. From Toronto, I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
In a few minutes I’ll be joined by David Shipley, head of New Brunswick’s Beauceron Security, to discuss cybersecurity issues. But first a look back at some of what happened in the past seven days:
A Montreal-area defence supplier is one of the latest Canadian firms to be hit by ransomware. Simex Defence acknowledged it was hit by the AlphV/BlackCat gang after the threat actor listed the company on its data leak site.
A Canadian man was sentenced this week to 20 years in prison and ordered to forfeit $21.5 million today for his role in NetWalker ransomware attacks. Sebastian Vachon-Desjardins, who pleaded guilty to ransomware-related charges in this country earlier this year, received that sentence after being extradited to the U.S. and pleading guilty to charges there.
Speaking of ransomware, buggy application drivers are the latest targets. According to researchers at Sophos, the BlackByte gang compiled a list of over 1,000 drivers it can exploit on the way to installing its ransomware strain. Sophos says one example is the drivers used in Micro-Star’s ASI Afterburner graphics card. IT administrators are urged to keep track of all the drivers installed on systems they oversee.
Want to know the Top 20 commonly-exploited vulnerabilities targeted by Chinese hackers in the past two years? American cyber intelligence agencies have compiled a list. At the top is the Apache log4j vulnerability, which can be found in a wide range of applications. The second is a VPN from Pulse Secure. Four of holes are in Microsoft Exchange Server. Three involve load-balancers — two from F5 Networks, one from Citrix. These 20 applications should be on the priority list of any organization. And the fact is that patches for most of them were issued a while ago and therefore should be installed by now.
Finally, insurer Lloyd’s of London was forced to disconnect and reset some IT systems this week. It told SecurityWeek that it did so after detecting unusual activity on the network.
(The following transcript has been edited for clarity)
Howard: October means one thing to infosec pros: It’s Cybersecurity Awareness Month. Well, maybe that’s what it only means to those in the industry. But it’s been around since 2004. In fact, the President of the United States and Congress officially declared October to be a month of consciousness-raising. Largely, I think, it’s aimed at reminding employees and consumers that they have to take responsibility for cybersecurity as well as IT and corporate leaders. David, you lead a cybersecurity awareness company. After 18 years what does it mean to you?
David Shipley: It’s a complicated month for me. On the one hand, this is the start of our busiest season of the year, so many of our customers have poured their hearts and soul into launching really engaging programs, projects, events, and initiatives.
But ultimately there’s something I hate about Cybersecurity Awareness Month: It still paints us as ‘people don’t know that cybersecurity is a thing.’ But after 18 years, after countless headlines, after escalating breaches people generally know cybersecurity is a thing. Our challenge in 2022 is no longer telling people, ‘Cybersecurity is a thing.’ It’s helping people know more and care more about their role, their choices, the decisions they make and how they can actually play an important part in protecting an organization. Helping them understand that this isn’t just the IT team’s job, it’s not just relying on antivirus or firewalls or email filters. They have a role to play.
I do talks around the world and I often start by asking if people know what the word ‘cyber’ means. Maybe six times out of hundreds of talks someone actually knows. It comes from a Greek word called Kybernettes which means the helmsman of the steersman. The reason it was chosen to be the root word of the field of cybernetics is because it illustrated the concept of people in control of technology. This idea is that the person at the back of the boat with the rudder in their hand was people in technology and control. So ‘cyber’ is about people in control of technology and doing that securely — and we won’t do that just by telling people, ‘Phishing tests is a thing we do.’ We help to better contextualize what’s going on.
Howard: It’s hard to make training engaging. Is that too high a standard? Let me put it to you another way: When math is taught in high school, should it be engaging and if the answer is no, how can cyber security training be engaging?
David: The most important part for me when I was doing math was getting examples that I could contextualize and understand the relevancy and the reason for it. Then it all kind of made sense — and that’s when I did best at my math. One of the things that frustrate me is a lot of folks do cybersecurity as a compliance-oriented activity, and they check the box: ‘Yeah, we bought vendor X, Y or Z. Yes, we threw training at our employees. They completed the training — whether within a certain time frame or we nagged them into doing it — eventually, and we’re done.’ But here’s the thing: The most effective companies I’ve ever seen put some work into the education they deliver. Their senior leaders actually record a short video or do an in-person presentation or virtual town and talk about why cybersecurity matters to the organization. And they make it engaging when they provide real examples, either from within their own organization or from their industry, of how an incident impacted an organization. One of the best leaders I ever saw do this was the president of a small Canadian brewery. At a town hall for employees the president said, ‘I fell victim to to a phishing simulation. I thought I was too smart to fall victim to one of these. But here’s what I learned from that experience.’ That’s how they made it engaging.
But one of my deep fears now is a trend toward the entertainment of security awareness training. Some providers make Netflix-like drama series to get employees to watch. But is it effective? Do staff believe it is relevant to their organization? It’s challenging because people don’t have the time or resources into creating their own content.
Training has to be contextual, relevant, and I think it has to have real-world examples that matter. People also need to see that cybersecurity actually benefits them in their job. I worked with academic researchers at the University of New Brunswick when they were doing research with the RCMP. They wanted to make sure that they were protecting the sensitive information they had. That was important to them both as a value, but also a source of research revenue etc. We were able to make their training relevant: ‘Here’s why a criminal or others might want to try and steal and hold the research you’re doing to ransom.’ We made it relevant and contextual, and it mattered. Recently one of our team members did an online presentation for the executive assistants of a major Canadian company. They talked about the role of the EA and how that puts them at greater risk for social engineering because of the pressures around timely response [to an email or social media request], about them being the gatekeeper to many other people with privileged access. They talked about how people could still do their job well, but securely.
Howard: A survey of students released at the end of last month showed that almost 80 per cent feel their university or college should be responsible for protecting students from cyber attacks. Nearly half of those responding said it would influence their decision to attend a university or College if the school was known to have experienced the data breach or had a reputation for weak cyber security. You headed the IT department at the University of New Brunswick. What does the survey say to you?
David: It’s interesting because cyber security doesn’t have an impact with senior leadership across universities across Canada that it needs to have. Some of the big ransomware attacks on universities have been a wake-up call. They’re doing better at protecting administrative systems, but they’re still not doing great at protecting research or information that individual faculty members may be collecting. When I think about the importance of educating students about cybersecurity, very few Canadian colleges or universities make cybersecurity training in the first year a compulsory requirement. But all kinds of different phishing attacks and employment scams get fire-hosed at students now. We’ve worked with many universities and colleges on voluntary training, but uptake by students is extremely low. But students should see that cybersecurity is key to their careers.
Some are attempting to compensate for that low voluntary uptake by just doing phishing simulations. The challenge with that is if you don’t give someone a chance to train and learn how to play the game and you just throw them on the field with phishing, it can result in a very negative feeling towards the university’s attempt to educate them. Schools that want to reduce their risk could prioritize on student segments that matter more than others, like graduate students, teaching or research assistants.
But in general, make participation in cybersecurity awareness a key part of getting IT access for the school. Then compliment that with positive opportunities for meaningful prizes [for winning awareness or phishing tests]. It helps students see the value of cybersecurity, and the university is doing a service for them when they go to work for an employer because they’ll have foundational skills. I’d love to see this expanded into high schools. There’s a huge opportunity for universities, colleges and high schools to play a more positive role in awareness education.
Howard: Employees, including chief executives, falling for phishing is a big problem. There are all kinds of phishing lures — about possible bonuses, overdue invoices, tempting job offers. But not all phishing lures look the same. How should cybersecurity awareness trainers deal with that?
David: Phishing remains the top of the list in every report that I read for getting into an organization. Even if you look at last week’s American Airlines story, that’s how they got in. But here’s what a lot of organizations are getting wrong about phishing education: We keep focusing on teaching people to look for what I call the technical cues or language mistakes and weird links in an email. But the brain tends to fill in the blanks and sees what we want to see in messages. It’s called system one, or automated thinking. So it doesn’t matter if sometimes there’s a typo in ‘Microsoft’ in a phishing email about your IT access allegedly expiring. The brain is used to quickly reading emails it will read it like it was correctly spelled. What we have to do is spend more time educating people about the difference between an emotional reaction to a message and technical processing. Slow down and ask, ‘What is this email trying to get me to do? Is it trying to put me in a place where I’m overly afraid stressed, angry or excited? Use that as a ‘tell.’ [Editor: A ‘tell’ is a sign a someone reads in their opponent’s face, voice, or mannerism that tips off a person’s real thoughts or intent ]. There’s some wonderful research that using a mindfulness approach, which has traditionally been applied for mental health, can dramatically reduce the likelihood someone will fall victim to a second, third or fourth phishing simulation in a given year.
The other thing I think we’re getting wrong about phishing simulations is we keep focusing on the click rate. [The rate at which people in tests click on links they shouldn’t]. Click rates are highly variable depending on the difficulty of the actual phish. But organizations that are the most resilient focus on the report rate: What percentage of employees caught and reported the phishing simulation [to IT or to a superior]. That can be such a more positive way to look at these exercises.
Howard: I think that this month should not just focus on employees. It’s also a month that business. IT and security leaders should also reflect on their policies and strategies.
David: Absolutely. When it comes to executive thinking on cybersecurity they look at compliance. Making sure employees get their mandatory training is seen as the floor. It’s not the ceiling — like getting executives to get more involved in security and thinking about this, truly understanding the implications of the technology and business choices that they make. There’s a recent story of an IT manager who abused his financial institution by hijacking their DNS and misdirecting the company’s email traffic. This was an attempt to try and convince the firm he deserved a greater salary, But I would ask if the employers even understood what DNS is, how it works, and the different ways they could have mitigated their risk for that kind of an insider threat. We can go back to the Uber breach that we talked about a few weeks ago — did executives understand what the business process was for storing scripts that access some of the company’s key information systems? Did they understand what people’s roles and responsibilities were? Did they think through these issues? A really good example is the Colonial pipeline ransomware attack in the United States. It wasn’t a crippling of critical pipeline infrastructure. It was the business systems inside the pipeline that ran the billing. The pipeline was closed because executives didn’t really understand the criticality of that business asset. [Without billing the pipeline couldn’t stay open]. They didn’t appropriately protect it. They met their compliance obligations as they existed at that time but they didn’t think about the importance of the business that runs in their IT systems. That’s the obligation of executives: To really truly understand how their business works and where IT is so critical.
Howard: You mentioned an incident involving a man who was caught playing around with his company. He pleaded guilty in Hawaii to charges that he deliberately misdirected a financial company’s email traffic and prevented customers from reaching its website. He was a former employee, and apparently this was a failed attempt to convince the firm to rehire him ah with an increased salary. Isn’t this an example of a company not revoking an employee’s password after he left? It’s an example of how Cybersecurity Awareness Month has to look at both employees and a company’s cybersecurity policies.
David: I completely agree. They probably didn’t even understand who their DNS provider was. What would one would hope for financial services company is they have central password management and identity authentication tools. But I guarantee you almost every other company on the planet has highly privileged users that have passwords on third-party systems domain registries, you name it, that are absolutely vital to their business that are not protected appropriately. We do a really cool exercise with executives where we use the NIST cybersecurity framework to quickly walk through a closed-end questionnaire with a heat map of their problems are, and most organizations do really well in detecting and protecting information — they’ve got antivirus and firewalls and the basic stuff. But they die on the cybersecurity hierarchy of Maslow’s needs for identity and access management, their business policies for instant response and reaction and communication, and understanding what their cyber insurance actually requires them to do.
Those are the gaps that we consistently see when it comes to executive decision-making and that’s the awareness we need to raise within that group. But we also need them to care more about this. They can’t just see cybersecurity as the IT department’s problem alone. It is a business decision to choose how to run your business, and on which technologies. IT is there to help support you and give advice, but the choices are yours to make. This goes back to the very meaning of cyber: You as a business leader are in control. The reality is every organization has a security culture. It’s either one that executives are involved in shaping, evolving and growing. Or it’s one that exists without any executive input. It may reflect the neglect that you as an executive have towards this area.