The CyberWire Daily Podcast 1.10.20
Ep 1001 | 1.10.20

Updates on US-Iranian tensions, and especially on hacktivism and possible power grid battlespace preparation. Researchers complain of preinstalled malware said to be in discount Android phones.

Transcript

Dave Bittner: [00:00:00] Hey, everybody. Dave here. We here at the CyberWire are excited to announce our new subscription program, CyberWire Pro. That'll be coming out in early 2020. For those whose interests and responsibilities lead them to be concerned with cybersecurity, CyberWire Pro is an independent news service you can depend on to stay informed and to save you time. This offer includes such valuable content as exclusive podcasts and newsletters, exclusive webcasts, thousands of expert interviews and much more. And you can rely on us to separate the signal from the noise. Sign up to be one of the first in the know about the CyberWire Pro at thecyberwire.com/pro. That's thecyberwire.com/pro. Check it out. 

Dave Bittner: [00:00:49]  Amid indications that both Iran and the U.S. would prefer to back away from open war, concerns about Iranian power grid battlespace preparation remain high. Recent website defacements, however, increasingly look more like the work of young hacktivists than a campaign run by Tehran. Phones delivered under the FCC's Lifeline assistance program may come with malware pre-installed. And we'll take Cybersecurity for 600, Alex. 

Dave Bittner: [00:01:21]  And now a word from our sponsor, ExtraHop, delivering cloud-native network detection and response for the hybrid enterprise. The cloud helps your organization move fast, but hybrid isn't easy. Most cloud security failures will fall on customers, not service providers. Now that network detection and response is available in the public cloud, it's finally possible to close the visibility gaps inside your network. ExtraHop Reveal(x) Cloud brings cloud-native network detection and response to AWS, helping security teams spot, contain and respond to threats that have already breached the perimeter. Request your 30-day free trial of Reveal(x) today at extrahop.com/trial. That's extrahop.com/trial. And we thank ExtraHop for sponsoring our show. 

Dave Bittner: [00:02:16]  Funding for this CyberWire podcast is made possible in part by McAfee, security fueled by insight. Intelligence lets you respond to your environment; insights empower you to change it. Identify with machine learning, defend and correct with deep learning, anticipate with artificial intelligence. McAfee, the device-to-cloud cybersecurity company. Go to mcafee.com/insights. 

Dave Bittner: [00:02:41]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, January 10, 2020. 

Dave Bittner: [00:02:49]  Both Iran and the U.S. appear to have signaled a desire for de-escalation of the ongoing conflict punctuated earlier this week by a retaliatory Iranian rocket barrage in response to last week's drone strikes against Quds Force Commander General Soleimani, which was itself retaliation for Quds Force attacks against U.S. forces in the theater. As The Washington Post reports, both sides remain mutually wary, but have toned down talk of kinetic violence. 

Dave Bittner: [00:03:18]  One occasion of a rapprochement is the tragic crash of Ukrainian International Airlines Flight 752, a Boeing 737 airliner en route from Tehran to Kyiv. U.S., Canadian and British authorities say the aircraft was shot down by an Iranian surface-to-air missile battery. Canada's interest comes from the large number of Canadian citizens on board. The U.S. and Canada in particular have said that the intelligence they have suggests that the shootdown was accidental, a case of mistaken identity. 

Dave Bittner: [00:03:49]  Iran had initially said it would exclude both the U.S. and Boeing, the airliner's manufacturer, from the accident investigation. It's customary that the manufacturer and the manufacturer's government participate in such inquiries. But yesterday, CNBC reports, Iran formally invited the participation of the U.S. National Transportation Safety Board, and the U.S. promptly agreed to send representatives to the investigation. 

Dave Bittner: [00:04:15]  But a partial softening of public rhetoric and even the reality of some bilateral cooperation don't mean the end of tension in cyberspace. The report Dragos issued yesterday about Magnallium - also known as APT33, Elfin or Refined Kitten - has kept alive concerns about North American power grid security. Dragos, as a matter of company policy, doesn't attribute threat groups to nation-states, but others haven't hesitated to do so. Magnallium is generally regarded as an Iranian unit. WIRED points out that what's worrisome is the prospect that a long-running password-spraying campaign Magnallium has conducted against U.S. electric utilities, which can be regarded effectively as battlespace preparation, has enabled Iranian operators to establish persistence in systems associated with electrical power generation and distribution. That threat is consistent with CISA's warnings that industrial control systems would be particularly attractive targets. 

Dave Bittner: [00:05:14]  So far, however, no significant offensive Iranian moves against U.S. networks have been reported. The Verge reports that pro-Iranian hackers who left their mark on a variety of lightly defended sites over the past week increasingly look more like angry script kiddies sympathetic to Tehran than they do Iranian cyber operators. The websites defaced with bellicose images included not just the Government Printing Office's helpful library site, but also one website belonging to a California dentist, another run by the University of Maryland, and yet another operated by an Oklahoma manufacturer of steel livestock feeding troughs. 

Dave Bittner: [00:05:53]  One of those who claimed responsibility, a Mr. Bezhad, told The Verge he was 18, and added, "I do not work for the government, I work for my home country of Iran," and then highlighted the name Iran with a heart emoji.

Dave Bittner: [00:06:07]  CrowdStrike's VP of intelligence, Adam Meyers, told The Verge that hackers who contacted the journalists were people with a security awareness who operate in Iran, typically teenagers and young men in their twenties who are engaged in security and the hacker scene. They largely engage in defacement and tend to be more focused on web-based technology like PHP and WordPress. So in all probability, they are from neither the IRGC nor the Mabna Institute. 

Dave Bittner: [00:06:36]  Las Vegas declared victory over the attempted cyberattack it sustained early Tuesday, ZDNet reports. There was immediate speculation about an Iranian operation, but now the incident is being compared to earlier criminal attacks on Atlanta and Baltimore. 

Dave Bittner: [00:06:51]  Security firm Malwarebytes warns that the UMX U686CL Android phones the U.S. Federal Communications Commission Lifeline Assistance program provides to low-income users come with pre-installed Chinese malware. Specifically, the suspect program is a wireless updater, but that updater is a product of the notorious Adups, a Chinese software outfit whose tools have been flagged as malware before. The phone is solid and serviceable, Malwarebytes says, and at a price of only $35, it's a bargain, too, but they add, what it comes installed with is appalling. The Adups updater can install programs without user consent.

Dave Bittner: [00:07:33]  Forbes received comment on the issue from Sprint, the parent company of provider Assurance Wireless. Sprint said, quote, "We are aware of this issue and are in touch with the device manufacturer, Unimax, to understand the root cause. However, after our initial testing, we do not believe the applications described in the media are malware," end quote.

Dave Bittner: [00:07:53]  The FCC says, quote, "The Lifeline program has provided a discount on phone service for qualifying low-income consumers to ensure that all Americans have the opportunities and security that phone service brings, including being able to connect to jobs, family and emergency services. Lifeline is part of the Universal Service Fund. The Lifeline program is available to eligible low-income consumers in every state, territory, commonwealth and on Tribal lands," end quote. Various members of Congress have already rounded on the FCC to demand that it do something about this.

Dave Bittner: [00:08:27]  And finally, cybersecurity got its own category on Jeopardy's Greatest of All Time tournament of champions last night. But all three of the champions were stumped by the $600 answer. 

[00:08:44] (SOUNDBITE OF TIMER)

Dave Bittner: [00:08:44]  Companies consider cybersecurity when instituting a policy on BYOD.

Dave Bittner: [00:08:49]  Not one so much as buzzed in. 

[00:08:51] (SOUNDBITE OF BUZZER)

Dave Bittner: [00:08:53]  Here's what they should have buzzed in with. The question is, Alex, what is bring your own device? 

Dave Bittner: [00:08:59]  Here are the other answers in the Cybersecurity category. For $200, this type of hacker, referred to by a colorful bit of headwear, helpfully tests computer systems for vulnerability. 

Dave Bittner: [00:09:11]  What is a white hat? 

Dave Bittner: [00:09:13]  For $400, a website with a site certificate is one that uses encryption. This letter after HTTP is one sign of it. 

Dave Bittner: [00:09:22]  What is the letter S? 

Dave Bittner: [00:09:24]  For $800, a ransomware attack that encrypted 3,800 city of Atlanta computers demanded six of these digital items to unfreeze them. 

Dave Bittner: [00:09:34]  What is Bitcoin? 

Dave Bittner: [00:09:35]  And for $1,000, beware of these types of programs that track every stroke you make while typing in an effort to glean your password. 

Dave Bittner: [00:09:44]  What is a keylogger? 

[00:09:46] (APPLAUSE)

Dave Bittner: [00:09:46]  We do think that, had the three champions - Rutter, Jennings, and Holzhauer - been regular CyberWire readers or listeners, they'd have knocked these five cognitive gopher balls out onto Eutaw Street, as we say here in Baltimore. Of course, all of you got the questions right. We knew it. 

[00:10:04] (APPLAUSE)

Dave Bittner: [00:10:10]  And now a word from our sponsor, BlackCloak. Do you worry about your executives' personal computers being hacked? How about their home network, with all those IoT goodies they got over the holiday - or credential-stuffing attacks because of their password reuse? Executives and their families are targets, but unlike the corporate network, they have no cybersecurity team to back them up. Instead of hacking the company with millions of dollars' worth of cyber controls, hackers have turned their attention to the executive's home network and devices, which have little to no protection. BlackCloak closes this gap in your company's protection. With their unique solution, the cybersecurity professionals of BlackCloak are able to deploy their specialized controls that protect your executives and their families from hacking, financial loss and privacy exposure. Mitigate these risks that could lead to a corporate data breach or reputational loss. Protect your company by protecting your executives. To learn more and partner with BlackCloak, visit blackcloak.io. That's blackcloak.io. And we thank BlackCloak for sponsoring our show.

Dave Bittner: [00:11:29]  And I'm pleased to be joined once again by Tom Etheridge. He is the VP of services at CrowdStrike. Tom, it's always great to have you back. I wanted to touch today on a recent publication that you all put out at CrowdStrike. This is your board of directors' playbook. There's a lot of good information in here. Can you take us through, what are some of the key elements here? 

Tom Etheridge: [00:11:50]  Excellent, Dave. Thanks for having me back. Regarding the board of directors' playbook, this is a publication that we released a while back, the premise of which was to provide a toolset for executives and for board members to understand and appreciate more fully the value of cybersecurity preparedness and understanding the risk and regulatory requirements that may impact their organization should they experience a breach. One of the things that we tried our best to highlight in the board of directors' playbook is the changing regulatory environment that we exist in - new state, federal and other regulations requiring organizations to provide better controls and incident handling procedures to be able to report incidents in a timely manner to key stakeholders and regulatory concerns. Those things are really critical for the C-suite and for board of directors members to understand.

Tom Etheridge: [00:12:57]  And the playbook really is designed to provide capabilities for boards to have questions that they should be asking their C-suite while they're understanding the regulatory and cyber risks associated with the business that they're supporting, to be able to have a playbook of questions that they can ask the organization that they're supporting in the event that a breach is actually happening, to better understand when reporting should happen and what the requirements are, and then also to have considerations for the executives and the board members themselves to understand that they may be high-value targets for threat actors to target in order to gain information. The exec staff and board members typically have access to very privileged information, and that is certainly something that threat actors would want to target if they're trying to understand more about the value of a company, of an organization or target the critical assets that they have. 

Dave Bittner: [00:14:00]  Yeah. I mean, it strikes me that, you know, these days, cybersecurity touches so many areas that certainly the board would be interested in or even be responsible for. I'm curious, in your estimation, who is responsible for being that translator, for making sure that both sides understand what's going on - the technical team at the organization and the board of directors - that nothing's getting lost in that translation? 

Tom Etheridge: [00:14:30]  Great question. So one of the things we try to outline in the board of directors' playbook and in our presentations to many boards is that it's really important for them to get access to and have the security staff, typically the CISO, provide regular updates to the board about the status of the organization's preparedness, their ability to respond to a breach, what types of tools they're leveraging, where are the gaps, where are investments required in order for them to improve their overall preparedness and their overall ability to respond in the event that an incident happened.

Tom Etheridge: [00:15:07]  In an earlier session that we did, Dave, I mentioned the 1-10-60 rule. The ability to be able to respond - to be able to detect a breach, to be able to triage that breach and to be able to respond to that breach within an hour - that type of metric data is really important for executives and board members, quite frankly, to understand where organizations may be able to do that and where they may be falling short. So using that as a governor, if you will, to understand where investments are required to improve that operating metric allows the board and the C-suite to be able to make better investment decisions to improve that capability for their organization.

Dave Bittner: [00:15:49]  All right. Well, Tom Etheridge, thanks for joining us. 

Tom Etheridge: [00:15:52]  Thanks for having me. 

Dave Bittner: [00:15:57]  And now a word from our sponsor, Dragos. Don't miss next week's free webinar introducing the MITRE ATT&CK for ICS on Tuesday, January 14. You can register at dragos.com/webinars. The just-released framework organizes and codifies the malicious threat behaviors affecting industrial control systems and defines 11 behavioral techniques. The webinar is hosted by Dragos principal adversary hunter, Joe Slowik, and MITRE cybersecurity engineer Otis Alexander, who collaborated on the ICS framework. Register today at dragos.com/webinars and get a head start on implementing ATT&CK for ICS in your organization. That's dragos.com/webinars. And we thank Dragos for sponsoring our show.

Dave Bittner: [00:16:51]  My guest today is Curtis Simpson. He's chief information security officer at Armis, a company that focuses on the security of unmanaged and IoT devices. Prior to joining Armis, Curtis was the global CISO at Sysco Foods, a Fortune 54 organization. Our conversation centers on the notion of CISO burnout and the changing expectations of people in that position in a world where they are increasingly finding themselves in the business and risk-management spotlight.

Curtis Simpson: [00:17:21]  Some folks check out after a given period of time of trying to fit in, struggling with the politics, not necessarily making the progress that needs to be made. The reality is, is that there's not always a lot of visibility into what actually needs to be done within security. There's not a great understanding of what this space looks like from an executive team perspective or from a leadership perspective. 

Curtis Simpson: [00:17:44]  So what I find a lot of leaders that have faced this for some time and struggle with this, what a lot of them will do is they'll check out, as I said, from the perspective of they're not not doing anything. But what they're not doing is taking risks and putting their neck on the line to take the business in another direction that requires support from a number of different channels, a number of different functions, a number of different leaders. 

Curtis Simpson: [00:18:06]  A number of these folks have failed at those exercises over the years, have been potentially penalized as a result of failing in those situations, and in turn have just kind of hunkered down and focused on operations and have become more so order-takers waiting for the business to tell them that there's a risk they want to manage as opposed to telling the business that there's risks that need to be managed. 

Dave Bittner: [00:18:31]  And so what's the solution here? How do we make sure that these folks don't fall into that mode? 

Curtis Simpson: [00:18:38]  For most CISOs that I've talked to in this situation or that have started to kind of gravitate towards this model where, you know what? I'm not taking risks anymore. I'm not bringing things that are going to put my neck on the line. I'm just running operations, and I'll move on from there. The reality is, it is painful. You're going to have more failures than you do success because gone are the days where you can talk to one individual and have that individual actually do the things that you need them to do because when you're looking at these massive organizations, the reality is, is that functional leaders within a massive organization are not being rewarded for making things secure. They're not being rewarded for either doing or not doing the things that will help reduce risk within their space. They're being rewarded for business outcomes, right? 

Curtis Simpson: [00:19:25]  So the reality is this - is that I like to think that a lot of my success as a CISO comes from this continued understanding of this will be hard, but it still needs to be done, and also recognizing the fulfillment that you get from the job. And the fulfillment is accomplishing those difficult tasks. It's not having everyone say yes, I'll do what you need me to do. It's actually managing that risk and really overcoming those hurdles along the way and knowing that you achieved at the end of that. I personally find the greatest fulfillment in that regardless of those hurdles and those pains experienced along the way. So I personally try to coach people through this and help people understand that that is the bigger picture. 

Curtis Simpson: [00:20:07]  And honestly, some folks within the organization or if they look at the organization they're working with right now, if this just continuously doesn't work, sometimes it is time to move on. The reality is, is we're not a perfect fit for every job. We're not a perfect fit within every organization. And sometimes, we need to acknowledge when the reality is that maybe we're not at the right company because we're doing all the right things, we're thinking all the right way, it's just not really playing out as I would expect it to. Sometimes it is important to stand up and realize that maybe a change is required. 

Dave Bittner: [00:20:38]  It's interesting how you mention this - sort of switching into this order-taking mode. A colleague of mine refers to something similar to that. He calls it malicious obedience, which is... 

Curtis Simpson: [00:20:50]  I like that. 

Dave Bittner: [00:20:50]  ...You know - yeah, I will do what you asked me to do even though I know it might not be the right - you know, the best thing to do. I'm curious from a leadership point of view in the organization itself, how much of this falls on them to be checking in with the people in these roles, to make sure that they're going to get the training that they need so that they can communicate in these diplomatic ways, that they're - as these roles expand, that they're given the opportunities to learn and to get the enrichment that they need to keep functioning in a rapidly evolving environment? 

Curtis Simpson: [00:21:27]  Yeah, it's a really great question. The short answer to that is no. What you're seeing happen over time is these jobs, these roles have drastically evolved. Organizations and leaders just expect those leaders to evolve along with the role and to figure it out. So when you start getting into these senior positions, what often happens is there's little to no coaching that is happening. There's little to no guidance or really conversations around how this is a challenge and maybe what additional education is required. 

Curtis Simpson: [00:22:03]  And I would also argue that because there's a limited understanding of the space on the level of effort required, the level of support required, et cetera, a lot of folks are also fearful to admit that maybe they need the help because they're thinking that this is going to be a sign of weakness in a space that people barely understand to begin with, which will maybe cause them to start thinking maybe I need someone else in this role. 

Dave Bittner: [00:22:26]  Isn't it interesting how - I mean, to me, this is a human-factor situation here. We're talking about technical things, and I think most people in the business would think about what are the things that the CISO is responsible for, they're technical things. But this vulnerability, this person in this very important role perhaps checking out, as you say, I mean, that's all about a real-life human being with feelings and thoughts and insecurities and fears and, you know, how little do we check in with people on those important things that, in this case, could lead to a security shortcoming. 

Curtis Simpson: [00:23:04]  That's exactly right. And the other piece to this conversation is we talked about some of the things that CISOs can do. The reality, though, at the end of the day is from a CIO and executive leadership position, we have to make sure that we are supporting security. Part of - there's a number of different ways of tackling that. I've even seen things like ensuring that company goals are aligned to actually managing the risks that are important to the company to manage and that there's different business and technology functions stacking up to that. 

Curtis Simpson: [00:23:35]  So at the end of the year when people are paid bonuses and such like that for accomplishing goals, those goals include managing risk because if this continues to be there's a lone-ranger scenario where they're not being supported by their leadership team actively, not just from a verbal perspective, they're having to do all of this on their own, they're receiving less and less support, there's more and more challenges being faced, the eventual outcome isn't good. 

Curtis Simpson: [00:24:03]  The eventual outcome looks like things like this: the CISO just leaves and gets another job, or this company is breached and experiences a significant event that was very much avoidable but now affects their brand and everything else. This is our time and opportunity to truly look at this risk and make sure that we're supporting the function that manages this risk for us on a daily basis.

Dave Bittner: [00:24:25]  That's Curtis Simpson from Armis. 

Dave Bittner: [00:24:36]  And that's the CyberWire, or what do we always say at the end of a show, Alex? For links to all of today's stories, check out our daily news brief at thecyberwire.com.

Dave Bittner: [00:24:41]  Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, a Proofpoint company and the leading insider threat management solution. Learn more at observeit.com. 

Dave Bittner: [00:24:53]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe. And I'm Dave Bittner. Thanks for listening.