Welcome to Cyber Security Today. This is the Week in Review for the week ending Friday, September 29th, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.
In a few minutes David Shipley of Beauceron Security will be here to discuss recent as well as upcoming news.
That includes Cyber Security Awareness Month, which starts Sunday. David will have thoughts on what makes effective employee awareness training. Security awareness training also has to take place in the home and in schools, so we’ll talk about teenage hackers. We’ll look at the possibility that ransomware can lead to the destruction of a company.
Also in the news in the past seven days, industrial control manufacturer Johnson Controls suffered a ransomware attack last weekend, a source has told Bleeping Computer. In a regulatory filing the company said it “experienced disruptions in portions of its internal information technology infrastructure and applications resulting from a cybersecurity incident.”
A Russian-based company that buys and sells zero-day exploits is offering a US$20 million bounty for new Android and iPhone vulnerabilities. The company is called Operation Zero. Its website says it sells the bugs to Russian private and government organizations. Other companies buy zero-day exploits found by researchers. But these firms then alert the software companies about the holes so they can be closed.
Warning to listeners wanting to download the Bitwarden password manager: Someone has created a lookalike download page that distributes malware instead of legitimate software. The lesson: Be careful downloading anything from the internet. Make sure the download site is the one you want.
Organizations are still not taking all the precautions needed to prevent data from being stolen. According to a report from Censys, network administrators allow too many open directories. They link to files on severs, creating a roadmap for hackers.
In the ongoing cyber war between Russia and Ukraine, there’s a report that Russia is targeting Ukrainian law enforcement agencies. Ukraine said the hackers are looking for evidence it is collecting into war crimes. Russia is also hunting for possible spies and collaborators within its borders.
Cisco Systems released patches for devices using its IOS and IOS XE operating systems. Affected devices have a certain protocol enabled.
And Google and Mozilla issued updates for the Chrome and Firefox browsers. The Chrome update closes a zero-day vulnerability. The Firefox update fixes six high-severity vulnerabilities.
(The following transcript has been edited for clarity and is the first part of the discussion with David Shipley. Play the podcast to hear the full conversation with discussion on teen hackers, ransomware and the beginning of debate at a parliamentary committee on proposed Canadian privacy and AI legislation)
Howard: On Sunday, October Cyber Security Awareness Month starts. This has been an annual observance since 2004 in the U.S. and has spread to other countries. The goal is to make people in their homes and at work more aware that things they do — or don’t do — can lower the odds of being victimized by a cyber attack. But if the yardstick is cutting into the number of data breaches, we don’t seem to be making much progress. Is that the right yardstick?
David Shipley: I think we are making progress, because I think if we weren’t moving in the right direction the data breach story would even be worse than it is now. The volume of attacks that we’re seeing is unprecedented. The tides continue to get higher. So our precautions, defenses, etc. have to continue to improve.
We don’t need more generalized awareness about cybersecurity anymore. What I mean by that is people know cybersecurity is a thing; they have heard about data breaches. They have been lectured to ad nauseum about passwords. But what we’re struggling with as as a global society is transitioning from awareness to careness to accountability. How we marry these things together in such a way that people don’t just sit through the 30-minute training and check a box [that it’s done]? How do we provide training as a measurable performance metric to individuals in organizations? How do we actually measure within an organization how our cyber safety programs are leading to incident reduction? This is hard, manual effort and it requires more investment of human capital into this process than companies have traditionally been willing to do. Ninety-nine cents out of every cyber spent goes to technological solutions to work around the human problem. Only a penny of every dollar spent is actually spent working on the human side. So much more needs to be spent, and so much more research needs to be done, because it is so important to maximize the human side of the cybersecurity equation.
Howard: From what you hear are employees anymore aware of what they should or shouldn’t do?
David: When measured, yes. In our annual report earlier this year we looked at a sample of 7,000 folks [on cyber knowledge] from when they started 12 months prior to where they are now. We saw double-digit improvements in knowledge and attitude, which are two things that you can measure qualitatively related to cybersecurity. We saw improvements related to [not] sharing passwords. We saw improvements related to not storing sensitive organization information in personal cloud. We saw acknowledgments that cybersecurity is more than just an IT issue. So when you properly educate and measure and reinforce, you have a positive security culture. You can see good returns from security awareness. If you are just designing a security awareness program to satisfy a checkbox for a regulator or a specific ISO or SOC 2 compliance exercise and everyone knows this is check-the-box [that it’s one], you’re wasting their time and your time.
Howard: I want to mention two stories that I reported on in an earlier podcast this week that show the importance of employee awareness of things they should and shouldn’t do. A cybersecurity company reported that luxury hotel chains and resorts are specifically being targeted this month with the goal of tricking victims into downloading malware that steals information from computers like passwords. What these crooks are doing is sending emails and instant messages to hotel employees with phony room booking requests. But in the follow-up messages the hacker sends an infected attachment that they hope the employee is going to download. The attachment would be a photo of food or a list of cleaning products that the supposed guest is allergic to. The crooks are hoping that the hotel employee is going to say, ‘Gee I want to make sure that this potential guest is satisfied. So I’ve got to click on this attachment.’
Here’s another one that’s going around: A threat actor is impersonating the U.S. Red Cross, sending out phishing messages with an attachment that relates to a supposed blood drive in September. They’re hoping that the employee is going to click a button to disable macros so the document can be read. IT departments are supposed to make sure that in all employees’ systems, macros are disabled [because macros help malware run]. But the attackers are hoping that the employee is going to click on the button that will disable that protection and the document will be downloaded along with malware. These are examples of things employees have to be aware that they shouldn’t do.
David: One of the things that we need to get better at in educating employees is to stop being so focused on [teaching about] the delivery mechanism of social engineering email, text message phone. Instead we need to make sure they truly understand that core of social engineering: Why the attack on the luxury hotel works so well is it taps into human emotions and desires. So your desire to do your job well, to make sure that customers are happy is being leveraged. It uses fear or safety as the lure: A potential customer allergy. If we don’t take the time to explain how at the the emotional cognitive level social engineering works and then give employees practical examples — these are the things you need to be on the lookout for — we are going to continue to have a very bad time.
Howard: What makes an effective cyber security Awareness program?
David: A couple of things: Number one, you can’t just buy a training platform and all your security awareness problems go away. We can help, but you need to build it into your business culture. You need to deploy training and reinforce it in regular team meetings. Managers need to talk about it in terms of how people are doing their job. Leadership needs to give examples of why people should care about this. [Some think] security awareness month is a fun activity: You put some stickers and things and posters out and got your training and you think you’re done — but you’re not building building a secure culture. You have to create security conversations. One of the things that frustrates me the most right now is we teach people to report phishing emails they get, and only a fraction of IT shops and security operation centers ever give users any feedback. That de-motivates people. When people report stuff, give them feedback so they know they’re doing the right thing.