The CyberWire Daily Podcast 6.12.20
Ep 1108 | 6.12.20

Chinese, Russian, and Turkish domestic influence campaigns. Zoom's China troubles. Honda, Enel recover from EKANS. Ransomware attacks against a city and an M&A consultancy.

Transcript

Dave Bittner: Twitter's transparency efforts see through accounts being run by Chinese, Russian and Turkish actors. Zoom is working to both comply with Chinese law and contain the reputational damage involved in doing so. Industrial firms recover from EKANS infestations. Caleb Barlow from CynergisTek on how hospital CISOs are dealing with the COVID-19 situation. Our guest is Ronald Eddings from Palo Alto Networks and the "Hacker Valley Studio" podcast on strategies for finding and managing security architects. And it's not Posh Spice who got the attention of Maze; it's just her M&A advisers.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, June 12, 2020. 

Dave Bittner: Social media continue to work toward transparency, and this seems to be an easier and arguably more productive approach to controlling disinformation than direct content moderation so far appears to be. Twitter this morning has called out three state-run influence campaigns, all with a domestic focus. 

Dave Bittner: Twitter has identified a large number of state-run accounts pushing disinformation. The largest network was Chinese-controlled, 23,750 core accounts that were highly active in distributing Beijing's line on various issues, with special attention given to matters affecting Hong Kong. A large number of amplifier accounts, about 150,000, repeated the core accounts' traffic. The content was, for the most part, in Chinese and evidently addressed to a largely domestic audience. Twitter says that despite the accounts' high level of activity, they enjoyed relatively few followers and had achieved little traction. 

Dave Bittner: Twitter also identified 1,152 Russian accounts associated with the Current Policy state-run news site. These were engaged in distributing messages favoring the Russia United Party in an influence campaign directed toward domestic audiences. Also interested in domestic influence were 7,340 accounts in Turkey whose line favored President Erdogan and the AK Party. 

Dave Bittner: The Telegraph and others report that Zoom, having locked out account holders after they held online discussions commemorating the 31st anniversary of the Tiananmen Square massacre, is drawing criticism for aligning its services with Chinese policy. The Wall Street Journal notes that the activist group affected, San Francisco-based Humanitarian China, had its account quietly restored after the suspension was reported by Axios. 

Dave Bittner: The company has said it pulled the accounts in compliance with local laws - that is, with Chinese law. Zoom has also expressed its regrets and said it, quote, "will not allow requests from the Chinese government to impact anyone outside of mainland China," end quote. The company intends to do this by upgrading its systems to permit it to identify the locations of meeting participants and selectively block them on the basis of where they are. So if you were looking to join from Kalamazoo or Pocatello or, for that matter, from Scunthorpe, you'd be good to go. From Shenzhen - sorry, no remote conferencing for you. 

Dave Bittner: Foreseeably, many critics remain unmollified, asking with Security Boulevard, is Zoom the next Huawei? That's strong, but as Security Boulevard's Blogwatch summarizes, Zoom may be headquartered in San Jose and listed on the Nasdaq, but the firm does have significant operations in China, including a large engineering staff and a practice of routing users' traffic through servers in that country. Zoom's security issues drew attention along with the company's swift rise during the COVID-19-driven increase in telework. 

Dave Bittner: The Snake, or EKANS, ransomware strain, which Dragos characterized in its study as having a primitive but distinct capability to hold industrial processes at risk in addition to its more conventional capability against business systems, has been implicated in recent attacks on Honda. Bloomberg Law reports that Honda has begun resuming production in its Ohio plants and elsewhere after Sunday's computer incident. 

Dave Bittner: But according to BleepingComputer, another firm, European power company Enel Group, has disclosed that it's also been hit by Snake, the same ransomware that disrupted Honda. The company's disclosure is belated. Enel says it detected a ransomware infestation on June 7 but that by Monday, it had successfully contained the attack and brought its systems back online. The firm's statement read in part that, quote, "no critical issues have occurred concerning the remote control systems of its distribution assets and power plants and that customer data have not been exposed to third parties. Temporary disruptions to customer care activities could have occurred for a limited time, caused by the temporary blockage of the internal IT network," end quote. 

Dave Bittner: In both cases, the identification of Snake/EKANS as the ransomware involved came from outside researchers, not the affected companies themselves. 

Dave Bittner: By the way, a quick note. It's been brought to my attention by a kind listener that the correct pronunciation is EKANS and not E-cans (ph), as I was saying earlier. Evidently, it's a Pokemon thing, and I appreciate the correction. 

Dave Bittner: And finally, one other ransomware attack has been reported. In this case, the culprit is known, or at least a culprit has claimed responsibility. Infosecurity Magazine says that Threadstone Advisors, a New York firm that specializes in consulting on mergers and acquisitions, has been hit with ransomware. As is the fashion with up-to-date ransomware, the extortionists claim to have stolen data before they encrypted information in Threadstone's possession. 

Dave Bittner: A note of clarification - a lot of the coverage of the Threadstone incident has mentioned one of their famous clients, Victoria Beckham, but the attack was against Threadstone itself, not Ms. Beckham, so you can rest easy. What IT infrastructure Posh Spice maintains herself, as far as we know, is still up and humming. 

Dave Bittner: My guest today is Ronald Eddings. He's a security architect leader at Palo Alto Networks and the co-host of the "Hacker Valley Studio" podcast. He shares his strategies for finding and managing security architects. 

Ronald Eddings: There's a lot of thoughts about what a security architect is and what is security architecture. And it's really the security controls, the policies and guidelines that assist an organization with protecting their data and protecting their users and, really, their entire organization. 

Dave Bittner: Well, I mean, let's come at that together and unpack it. How does that come to fruition in the real world? 

Ronald Eddings: Yeah. So I always like to kind of give an example. And I say imagine that you're a CEO of a company that designs and builds buildings. And your newest client, they hire you to build a bank. Your team, they would need to understand how to build a building that creates a positive experience for the bank staff and the customers. But most importantly, your team will need to understand how to build and design a building with security in mind to protect the crown jewels, which is money. And security architects, we have similar goals and face similar challenges that an architect designing a bank would face but from a technology perspective. 

Dave Bittner: Is that process a bit of a journey in itself? Do you often find that folks may not have a good grasp on exactly what all aspects of the organization really need? 

Ronald Eddings: Yeah, and that's one of the most challenging parts of being a security architect is constantly working with stakeholders, working with directors and leadership to understand what does the organization need? And that also has to relate back to the analysts and engineers that are going to be implementing or maintaining that body of work. It all has to work out for everyone within the organization. 

Dave Bittner: What makes a good security architect? What are the personality aspects, the skills and so forth that makes someone a good fit for this particular job? 

Ronald Eddings: Security architects can be a little synonymous with a few other positions. And the other positions that it's somewhat synonymous with is solutions architect, senior security engineer and sometimes even head of security. And typically, the hero's journey behind these types of individuals is they've served their time working as an analyst, working as an engineer, and they've accrued a lot of information to start to begin to understand the high-level needs of security for an organization. So a lot of the architects that I work with today, they have a background and a history of security engineering, working in SOCs and sometimes even leading and managing teams that deal with security. 

Dave Bittner: How much of the work that you do involves diplomacy, of serving as that translation layer between the various parts of an organization that all have their specific needs and desires? 

Ronald Eddings: It's a lot like playing a game of tower defense. I'm using requirements, users and technology to create a secure environment. So there's a lot of translation I have to do for stakeholders that are the ones really supporting a project. And there's a lot of translation I have to do for the engineers to understand the requirements that need to be implemented and the real importance behind them. So I'm all - I'm constantly playing a game of tower defense and moving pieces around and asking more questions, going back to the game. And you know, moving - really, in my situation as technology, it's security controls. It's applications and hardware. 

Ronald Eddings: So I'm constantly moving these components around to fit needs. Sometimes, when I move an application or a control from one place to another or I create one from scratch, it could cause a negative impact on the business. And that's a problem. So that's another thing that security architects have to keep in mind is, how can I implement this secure process that's going to help the organization while not impeding business operations? 

Dave Bittner: You know, as someone in a leadership position, when you're out there providing mentorship for folks who are coming up in the organization, what sort of tips do you have for folks who are pursuing a career and perhaps want to be a security architect? 

Ronald Eddings: That's a great question. And the nuggets and wisdom that I would give anyone that's interested in being a security architect is explore and be curious. There's a lot of aspects of security. And to be a security architect, you really have to have a holistic view on the threat and security landscape. 

Ronald Eddings: You have to understand a bit about networking, a bit about cloud solutions and also a bit about endpoint security. There's just so many topics to cover. And I think the best way and the best strategy to get closer to becoming a security architect is just by becoming more curious about all the technologies that exist and all the technologies that need to be secured. 

Dave Bittner: Our thanks to Ronald Eddings for joining us. If you want to hear an extended version of this interview, head on over to the CyberWire.com. You can find it there in the CyberWire Pro section. If you've not checked out the "Hacker Valley Studio" podcast, I recommend it. It's worth your time. 

Dave Bittner: And joining me once again is Caleb Barlow. He is the CEO at CynergisTek. Caleb, always great to have you back. I was hoping you could share some insights with us. You have a unique view inside many health care organizations right now. And I was hoping you could share with us what's going on behind the scenes. 

Caleb Barlow: Well, Dave, as you can imagine, look; these are unprecedented times. And if we look at what's happening, particularly with CISOs, which is largely the audience here, it varies greatly amongst institutions. Most CISOs in hospitals are not clinicians. There are a few that are. And of course, you can imagine, if they're clinicians, they've really been called to the front lines in this. But not only have the CISOs likely left the hospital and are working from home, but also, dozens, if not hundreds, of non-clinical workers are working from home, you know, are enabled with, in a lot of cases, BYOD. 

Caleb Barlow: One of the real challenges they're dealing with is routing phone calls, you know, because you can imagine every hospital has a very robust phone system. And it was never designed to have people working remotely in most cases. So communication is becoming a bit of a difficulty. But also, when we get into individual systems, depending on whether or not they have COVID patients, we're seeing really different types of activities, as well as kind of new vulnerabilities that are emerging. 

Dave Bittner: I'm curious, you know, even just the bringing of newer additional devices online within, say, a hospital itself as they're shifting the pattern of treatment and preparing for what could be a rush of patients, how does that play out on the ground there? 

Caleb Barlow: Well, the most important thing for a hospital is - I mean, their crown jewel is the EHR - the electronic health care records. And in most cases, especially if you see temporary facilities getting stood up or people suddenly working from home, this is getting extended through various tools like laptops and iPads - in some cases, BYOD devices. And they're leveraging the remote access features usually of the EHR. 

Caleb Barlow: And you know, so this certainly gets easier if their EHR is cloud-based. But the challenge is that, in many - and I would probably venture to say most - health care institutions, they're missing what I call the big three - network segmentation, endpoint detection. And they probably have some multi-factor, but it's not necessarily widely deployed. So any security professional listening to this podcast realizes that, you know, not only has the threat landscape grown, but the threat - the attack surface has grown just, you know, in a very significant way and in just a matter of weeks. 

Dave Bittner: Is it reasonable to say that the security folks may be appropriately put to the side at the moment while doctors are trying to save lives? 

Caleb Barlow: Well, I think that is a reasonably accurate depiction. Now, that being said, that doesn't mean the concern level isn't rising, you know, as we've seen this - you know, in some cases, they're literally standing up, you know, additional hospitals in tents, extending EHR into the parking lot. And you know, that brings with it a significant concern, along with, you know, increases in phishing attacks and the fact that it's going to be a whole lot easier to get your way into any institution today with everybody working from home. 

Caleb Barlow: Now, we haven't seen a real rise in ransomware yet. In fact, if anything, we've seen a decline. If you go back to 2019, it was pretty much every week either a state or local government or a, you know, decent-sized hospital was getting locked up with ransomware. There's been very little of that activity. Now, that being said, we do see tons of the precursor of that activity. If anything, that's probably on the rise. So the concern here of a lot of CISOs is they don't want this to happen on their watch. You know, when a hospital is impacted by ransomware, they have really no choice but to divert patients, and the last thing we need to see is that happening in the middle of this crisis. 

Caleb Barlow: So I would say, yes, they're operating a little bit on the sidelines today. In many cases, they're part of the incident response and kind of command center teams. But the worry level is growing. And you know, I think there is time to shore up some defenses, but it means people need to move a lot faster than normal. And that then brings us to the challenge of budget. 

Dave Bittner: Well, let's talk about where do we stand when it comes to being able to pay for these things? 

Caleb Barlow: Well, there's actually a bigger problem, and that is that you have to realize that not all hospitals - I mean, funding levels across hospitals vary greatly. Like, children's hospitals are typically very well-funded through donations and things like that. Academic medical centers often have, you know, large-size endowments. But, you know, you get into more regional hospitals, and well, in many cases, they're nonprofits. You even have - nowadays, you even have for-profit publicly traded hospitals. 

Caleb Barlow: Well, you know, the medical industry as a whole doesn't run with very large margins. And we're now in a situation where pretty much every institution has been told to implement their emergency plan, which means stopping elective procedures, moving as many patients as possible out of the hospital for anything that was elective and being prepared to handle the influx of COVID-19 patients. Well, the challenge is, you know, you're not billing for all those lucrative services that you normally were. In fact, you're not even conducting that work. In addition to that, you've got this onslaught of additional costs as you kind of prepare and ramp up for COVID-19. We've even seen, even in the last week or two, several hospitals starting to lay off or furlough workers. 

Caleb Barlow: And you know, this becomes a kind of a perfect storm where you've got increases in costs, increase in the threat level at the same time, you know, you're eating through your cash reserves. Now, there is the hope of stimulus funding coming in to really help in this. But, of course, when and how is that allocated, what can you spend it on really puts these CISOs in a very tough position. 

Dave Bittner: Yeah. I mean, I guess a sort of a ghoulish play on words, but it really is kind of an unmasking of our system of sort of revealing where the cracks are as we go through this stress test. 

Caleb Barlow: It is. But I do think that forward-leading CISOs, there's a lot they can do. You know, I think, generally speaking, the health care community has not - has been as close to their vendors as, let's say, the financial services community, and that's just kind of a cultural thing. But you know, the reality here is that many if not all vendors are willing to step forward, there's lots of offers for free services or capabilities. And I do think there are ways that smart CISOs can navigate through this storm. But what they're going to need to do is not only shore up their defenses but you know, frankly, also kind of make sure there are - their incident response plans are in place. 

Caleb Barlow: And I'll tell you one of the biggest things we've been looking at. And now let's fast-forward, Dave, six months or so. Right? Let's say we're on the other side of this. Now, my company, we go do assessments for hospitals. We - it's required. You know, they have to assess their security posture. And here's the thing - the way I would assess one of these institutions three weeks from now versus three weeks prior is totally different because both the threat landscape and the attack surface is completely changed. And that's really going to change how people have to approach things. 

Dave Bittner: Yeah. All right. Well, Caleb Barlow, thanks for joining us. 

Caleb Barlow: Thank you, sir. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. Don't forget to tune in this Saturday for a Research Saturday. I'm speaking with Brad Stone and Nate Beach-Westmoreland from Booz Allen on the logic behind Russian military cyberoperations. That's Research Saturday. Check it out. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.