Welcome to Cyber Security Today. This is the Week in Review for the week ending Friday, March 29th, 2024. From Toronto, I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.
\
 |
 |
 |
In a few minutes David Shipley of Beauceron Security will be here to discuss recent news. That includes a U.S. Senator’s call for the healthcare sector to meet minimum cybersecurity standards, whether the Canadian military’s Cyber Force needs more resources, what World Backup Day should mean to IT leaders and Beauceron Security’s new State of Security Awareness report.
But before we get to the discussion a quick look at other news from the past seven days:
You might think that financially motivated hacking gangs, or countries like Russia, North Korea and China are responsible for most of the zero-day vulnerabilities exploited in the wild. Nope. According to the latest numbers compiled by Google, commercial surveillance software companies that make spyware for governments were responsible for at least 58 of the 97 exploited zero-day vulnerabilities discovered last year. China was the biggest source of government-backed exploits with 12. Another trend, which may come as no surprise from my reporting: Attackers are increasingly planting zero-day vulnerabilities in open source components and libraries like GitHub, where it is hoped they can be widely spread in finished applications. Among the report’s recommendations: Software and product vendors should prepare for how they will respond when an in-the-wild zero-day is discovered targeting their applications.
At least 17,000 Microsoft Exchange servers in Germany are vulnerable to attack because they don’t have the latest security patches or are running outdated versions. That’s according to the country’s information security agency. Threat actors are already exploiting some of these servers, the agency adds.
A Chinese-language phishing-as-a-service platform called Darcula has been detailed in a report by researchers at Netcraft. The platform has been used for many high-profile email and text phishing attacks over the past year, including package scams pretending to be from the United States Postal Service. The site sells monthly subscriptions to hundreds of templates for phishing messages, abusing the names of airlines, utilities, financial institutions, government departments and telecom companies.
A number of organizations admitted this week to being hit by ransomware:
The INC ransomware gang threatened to publish data allegedly stolen from two districts in Scotland’s health service.
The Qilin ransomware gang says it hit The Big Issue, a street newspaper distributed in the U.K. The publication’s chief executive told the news site The Record that it is dealing with a cyber incident.
In this country the town of Huntsville, Ont., said the March 10th cyber attack it suffered was ransomware. Some data was “compromised,” the town said. But it couldn’t say at this point whether that included personal information.
In the U.S., the Tarrant County Appraisal District in Texas said it was hit by a ransomware attack on March 21st. The authority appraises property for an area that includes the city of Fort Worth. The Medusa ransomware gang is demanding US$700,000.
Gilmer County in Georgia said it took some IT systems offline in response to a ransomware attack.
The city of St. Cloud, Fla., told a local news service that municipal files were locked by ransomware.
And Harvard Pilgrim Health Care has updated the number of Americans it is notifying about a 2023 ransomware attack. That number is now just over 2.8 million people, an increase of several hundred thousand over the original notification.
(The following is an edited transcript of part of the discussion. To hear the full converstation play the podcast)
Howard: Your company, Beauceron Security, just released its second annual State of Security Awareness report. One of the biggest weapons that threat actors rely on is tricking employees into doing something that they shouldn’t — Click on an infected attachment, download corrupt software, allow a password to be changed and so on. These all lead to the installation of malware and data theft. So employee cybersecurity awareness is one of the biggest defences an organization can mount. Are there encouraging numbers in this report?
David Shipley: There are very encouraging numbers that look at organizations that have been running [awareness] programs that have become progressively more mature year after year. One of the most hopeful things that I saw over three years of study we’ve done with more than 150,000 people — most of them here in Canada — was double-digit improvements in attestations by employees. They go through a process where they’re surveyed annually about their attitudes and their knowledge levels — which for the record is the only way to get insight into that: You have to ask people these questions. We see major rises in adoption and use of password managers, in avoiding risky behaviours like reusing passwords or storing organizational information in personal clouds. People will change over time, but I can back it up with quantitative data in that we’ve seen year-over-year continuous improvements in almost every single industry that we work in. There’s a few exceptions, but we can see that consistent [awareness] programs that deliver education and simulations show great results. I’m really encouraged. There’s lots in the report that helps people sort of understand what maturing looks like, what going from a compliance-oriented, ‘check the box awareness program’ to one that actually can provably, demonstrably, reduce risk and drive return on investment looks like.
Howard: What about discouraging numbers in the report? I saw, for example, that only 22 per cent of respondents said that they report a phishing email or text the day is received.
David: Report rates are an underused metric across this industry. The report rate is the number of people who were sent to a [phishing] simulation who looked at it, decided something was wrong and took an active action — clicked a button or forwarded it — to say, ‘This looks like a phish.’ It’s a far more reliable and less manipulable metric for [measuring] security program effectiveness than a click rate, which which can be subject to chance and all kinds of fun things. Report rates are a metric of resilience and educational efficacy. What’s really cool is the higher you drive that number the more confident you are that people are more likely to catch and stop something than fall victim, the more likely you are to catch a bunch of stuff that are getting by email filters.
I just ran an internal test for Beauceron and we were able to look at what our email filter provider said they stopped for phishes and then we found out how many phishes got by thanks to reporting. We realized that we had a 20 per cent leakage rate last month for all the phishes that the email filter said it had stopped. But that still left a lot of phishes landing on us. There are things there to pay attention to.
The other thing in the report we’re highlighting is we are seeing a tightening of security budgets as a result of the continued economic waves from the pandemic. One of the areas that get squeezed is security awareness, and it’s such a shortsighted move.
Howard: Metrics are vital for each organization to understand where its employees are weak in awareness and the training they need. How do you gather these metrics and what are the most important metrics to measure employee security awareness?
David: In our industry oftentimes the metrics that are most cited are activity-based or point-in-time click rates, training completion percentage success rates — What was the average score? These are useful, but they are not outcome-based. What’s extremely valuable is a qualitative survey where people tell you how they feel about things and whether they’re getting the knowledge they need. You might think you can’t trust people. Listen, if your organization is so broken that you cannot trust people at all to tell you the truth your biggest problem isn’t cybersecurity. Surveys have to be balanced, but social sciences have proven a lot of different ways that we can gain value and confidence levels from human responses. So we need to do more listening [to staff].
The other thing is we need to start coming up with really good return-on-investment models for security awareness. We’re one of the few companies saying unlimited training does not yield the business benefits that some are advocating. We’ve seen some of our sector say that you should be spending 60 minutes annually and five minutes per month. That works out to be more than two hours of security awareness training per year, and we think that that is really expensive. The incremental benefit of that versus 30 minutes spread throughout the year is pretty damn small. We’re going to work on proving that because the biggest cost of a security awareness program is not licensing a [training] platform It’s the time you’re taking from employees from their regular jobs that really adds up.
Howard: What’s effective in getting employees to change behaviour so they do things that are more cyber safe?
David: One of the most important things that we’ve learned from the work we’ve done is saying, ‘Thank you.’ Saying, ‘Job well done.’ is the most powerful motivator. The system that we design is built around the concept of a personal cyber risk score. We give people positive incentive points when they do the right thing, and demerit points when they make mistakes. We give them a chance to learn from those mistakes. We’ve seen our [suspicious email] report rates skyrocket — we’ve get an increase in report rates of 90 per cent in the first 90 days because we changed the phishing simulation game. Right now in most phishing simulation exercises there are only two states: An employee either clicked the [test] phish and they lost the exercise, or they didn’t click on it. But when you have a positive recognition when people report the phish, they succeed. Even if they report it after they fall victim to a phish you still give them some kind of a win … Then you can do some cool things like give gift cards tied to random draws for the people that reported all 12 simulations.
…
Howard: One final thing: Expecting your staff to be perfect 100 per cent of the time isn’t realistic. No matter how much awareness training you do the organization also has to have defence in depth, multifactor authentication to protect logins, robust patch management network segmentation and the list goes on.
David: Absolutely. I will be the first to say to any organization out there if you think that just buying a security awareness platform solves all of your problems and all of your dreams are going to come true — No, But we [training platforms] are an absolutely important part of driving that.
The other part is it’s not just about telling employees about password strength or what phishing is. It’s about explaining their role in protecting their organization recognizing them for doing the right thing and giving them new tools to improve their digital literacy — particularly those who are managers. That actually drives the buy-in to achieve defence in depth. So many organizations are missing the opportunity to use their awareness campaign to generate [executive] buy-in to drive their security maturity. You can’t just do that with vendor content. It is not a fire-and-forget approach. But you can do it over time. We’ve worked with lots of organizations who’ve done that. I hope folks who are listening consider downloading the report. There’s lots of great advice in there and it doesn’t matter what platform you’re using. If you take some of these practices that we’re recommending into your program I guarantee 100 per cent it’s going to improve results for you.
