At a glance.
- President Trump issues Executive Orders banning transactions with WeChat, TikTok, over risks to user data.
- Canon internal communications said to confirm ransomware attack.
- Security industry comments on Capital One fine, consent decree.
Executive Orders cite TikTok and WeChat as threats to users' privacy.
US President Trump yesterday issued two Executive Orders that impose new limitations on the Chinese-owned social media apps TikTok and WeChat. The Wall Street Journal summarized the effect of the orders as prohibiting anyone in the United States or subject to US jurisdiction from conducting “transactions” with the owners of the two services. The ban will become effective on September 20th. Both Executive Orders stated, as an official finding, that “additional steps must be taken to deal with the national emergency with respect to the information and communications technology and services supply chain declared in Executive Order 13873 of May 15, 2019 (Securing the Information and Communications Technology and Services Supply Chain).” According to the orders, both apps represent a threat because they automatically capture “vast” amounts of information from their users, and the data they collect are in principle accessible to the Chinese Communist Party and Chinese government intelligence services.
TikTok, which has moved data formerly held on US servers to servers in Ireland, objected to the Executive Order in a strongly worded statement issued this morning. The company's chief objection is what it views as a lack of due process. It also explicitly denied turning personal data over to the Chinese government: “We have made clear that TikTok has never shared user data with the Chinese government, nor censored content at its request.”
Report: internal communications confirm Canon ransomware incident.
BleepingComputer reports that Canon confirmed in a communication to employees that the company had sustained a ransomware attack. Canon is still investigating. While some corporate systems have been rendered unavailable, it's unclear what, if any, data may have been compromised.
Comment on the Capital One fine and consent order.
The news we discussed yesterday concerning the fine the US Comptroller of the Currency imposed on Capital One for its 2019 data breach (described here by CNN) has drawn some industry comment. Jayant Shukla, Co-Founder and CTO of K2 Cyber Security, sees the principal lesson to be drawn as one concerning risk management, and proper attention to mitigating the vulnerabilities that arise when different IT systems are integrated:
"Capital One’s fine of $80 million is a good reminder to take a look back at what caused the attack to begin with. The breach was caused by an SSRF (Server-Side Request Forgery) that took advantage of a vulnerability that came about because of the interaction of two different components of their application infrastructure.
"This is also why the requirement imposed on Capital One to improve its risk management and governance program is so important. It’s too easy to get caught up in verifying the security of individual components of an application, and too easy to overlook the interaction between components, especially third party access and integration, like the one where the Capital One flaw began. Any effective governance program will need to look at the big picture and overall security, including the interaction of all the components of their application and security infrastructure."
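Shukla's point about SSRF is the kind of flaw that sits between components: a service that fetches a URL on a user's behalf is itself safe until it is combined with internal endpoints that trust requests from inside the network. The following guard, an added example and not code from Capital One or the commenters, shows one defensive check for outbound fetches: it resolves the target host and refuses anything that lands in loopback, private, link-local or other non-public address space. The hostnames and the `resolver` hook are constructed so the check runs offline.

```python
"""Outbound-request guard against SSRF (added example, not from the page).

Resolves the destination host and rejects any target in non-public address
space, so an attacker-supplied URL cannot be turned into a request against
internal services. Link-local space (which includes the cloud metadata
address 169.254.169.254) is covered by the non-public test.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def default_resolver(host):
    """Return every IP the OS resolves for host (A and AAAA records)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_public_address(ip_text):
    """True only for a globally routable unicast address."""
    ip = ipaddress.ip_address(ip_text)
    # IPv4-mapped IPv6 (::ffff:10.0.0.5) must be judged by the embedded IPv4.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast


def check_fetch_target(url, resolver=default_resolver):
    """Return (ok, reason); ok is False for anything an SSRF could abuse.

    `resolver` is a hypothetical hook so tests can supply fixed answers.
    To avoid a check-then-fetch race (DNS rebinding), the caller should
    connect to one of the addresses validated here rather than re-resolving.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %r" % parts.scheme
    if not parts.hostname:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL are not allowed"
    try:
        addrs = resolver(parts.hostname)
    except (socket.gaierror, UnicodeError):
        return False, "host does not resolve"
    if not addrs:
        return False, "host does not resolve"
    # Every resolved address must be public: one internal record is enough
    # to reject, which defeats DNS answers mixing public and private IPs.
    bad = [a for a in addrs if not is_public_address(a)]
    if bad:
        return False, "non-public address: %s" % ", ".join(sorted(bad))
    return True, "ok"
```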
Phil Hagen, digital forensic and incident response (DFIR) strategist at Red Canary, finds it worth noting that the breach, fine, and consent decree all hit a company that works in a heavily regulated sector, one that's accustomed to compliance and auditing:
“What is being asked by the federal government should not be hard for an organization that is already built on a structure of regulatory compliance and related auditing. That said, if COF [the Comptroller of the Currency] already has identified the risks and some of their means of mitigating them, documenting the approach and validation thereof should be pretty straightforward. It’s also possible that COF has already implemented some of these measures and complying with the order would be a process of unifying and documenting those measures.
"The question should not be 'is this enough' but 'is this a sufficient measure to mitigate an appropriate level of threats?' It is far more important to establish sufficient preventive measures for more common attacks, along with a detection capability poised to quickly identify suspicious activity that warrants further investigation and an Incident Response program to track those suspicious actions down quickly. This combination generally represents the best strategy to address both common and rare threats with an appropriate level of investment.
"Other organizations should take note here and understand that before moving aggressively to incorporate any new technology or trend, such as cloud infrastructure, they must take the time to fully understand the associated risks - not just the perceived cost savings or performance improvements. New technology opportunities come with new risks that are not often fully understood by those implementing them. These technical moves incur real business risk, so the decisions should ultimately be made by those with responsibility for the business itself - not just its technology. Organizations in which strategic technical decisions are made at the C-level or equivalent are often better able to grasp the full scope of potential impact should something bad happen as a result of those decisions.”
Casey Kraus, president of cloud security management start-up Senserva, sees some work ahead for the bank's board:
“In terms of the plan that is required by the Fed for Capital One's board of directors, this likely will be a tough task for the board to [be] completed and be effective. Companies do not operate with the intention of getting breached, so Capital One may not understand all the possible exposures they had. It would be difficult for them to write a plan for improvement without knowing all the areas in which they can improve.
"Will it be enough for Capital One, the Fed, or the end consumer? If Capital One produces the requested document, it will satisfy the internal security processes they will document and/or establish here. It would likely be enough for the Fed. However, there is always risk to the end consumer because there will always be bad agents out there that are trying to exploit any possible exposure that is available, or will become available as technology continues to evolve. Other companies can learn from this that when it comes to security, you should always be trying to improve with each and every day. All it takes is one bad guy with one mistake to cause massive problems for an organization.”