CISA reports progress on Log4j. The FTC warns US businesses about taking Log4j risk mitigation seriously. Gangland updates, and some notes on hybrid war.
Elliott Peltzman: CISA says U.S. federal agencies are now largely in compliance with Log4j risk mitigation guidance. The FTC issues advice and a warning on Log4j to U.S. businesses. A skimmer is installed through cloud-delivered video. The Vice Society's ransomware is meddling with supermarket operations in the U.K. The Atlantic Council offers advice on strategy for the grey zone. Hacktivists are expected to punish greenwashing in 2022. Caleb Barlow on a recent FBI PIN about how ransomware operators are looking for material nonpublic information to improve their chances of being paid. Our guest is Helen Patton from Cisco on her book, "Navigating the Cybersecurity Career Path." And James Pond is the CEO of hybrid war.
Elliott Peltzman: From the CyberWire studios at DataTribe, I'm Elliott Peltzman, filling in for Dave Bittner, with your CyberWire summary for Wednesday, January 5, 2022.
Elliott Peltzman: Hey, everybody. Have you seen the latest video from Xinhua, in which the Chinese organs poke some fun at Anglo-American animadversions about the security risk Huawei gear imposes on its customers? If not, hop over there and give it a listen. It's called "No Time to Die Laughing," and it's a swell James Bond parody.
(SOUNDBITE OF VIDEO, "0.07: NO TIME TO DIE LAUGHING")
Unidentified Actor #1: (As Agent 0.06) What a beautiful castle for a secret rendezvous, Agent 0.07.
Unidentified Actor #2: (As Agent 0.07) Why the American accent, Agent 0.06?
Unidentified Actor #1: (As Agent 0.06) I'm practicing for my new mission in America. By the way, why do you own nothing, Pond? I mean, no house, no property, no stocks, shares or bonds.
Unidentified Actor #2: (As Agent 0.07) Because a super-spy always prefers to stay low-key.
Unidentified Actor #1: (As Agent 0.06) Ah. Is it because M has asked us to become more open to stay secret?
Unidentified Actor #2: (As Agent 0.07) Exsqueeze (ph) me?
Elliott Peltzman: So, OK, the respective American and British accents are pretty indistinguishable. But, hey, we'd be utterly hopeless if we took a shot at Mandarin and Cantonese, so we're certainly not going to throw the first linguistic stone. That would be, what would you say, Agent 0.07?
(SOUNDBITE OF VIDEO, "0.07: NO TIME TO DIE LAUGHING")
Unidentified Actor #2: (As Agent 0.07) You're pedantic.
Unidentified Actor #1: (As Agent 0.06) And you're pathetic.
Elliott Peltzman: Pedantic and pathetic. Anyway, this stuff totally kills. If it were on TikTok, it would be the CEO of comedy gold.
Elliott Peltzman: All right, back to the news you can use.
Elliott Peltzman: CISA says that large U.S. federal agencies met the risk mitigation deadlines of ED 22-02. The U.S. FTC gives businesses a warning that they're at risk of regulatory and legal action if they're not comparably diligent in approaching the problem.
Elliott Peltzman: CISA has reported good progress toward federal agency risk mitigation. The U.S. Cybersecurity and Infrastructure Security Agency - that's CISA - has told MeriTalk that the federal agencies it oversees have substantially complied with Emergency Directive 22-02, which required that they take specified actions to mitigate risk by December 23 and that they report their status by December 28.
Elliott Peltzman: A CISA spokesperson said, quote, "agencies have reacted with significant urgency to successfully remediate assets running vulnerable Log4j libraries, even over the holiday season, or to mitigate the majority of affected applications identified that support solution stacks that accept data input from the internet. CISA has received status reports from all large agencies which have either patched or deployed alternate mitigations to address the risk from thousands of internet-connected assets, the focus of the recent Emergency Directive," end quote.
Elliott Peltzman: Full mitigation of the risk remains, of course, a work in progress, and no one expects an overnight resolution of this complex, widespread and deeply rooted issue.
Elliott Peltzman: The FTC isn't about to let businesses forget their responsibility to address the Log4j vulnerabilities, either. In what might be regarded as doing for the U.S. private sector what CISA did for the country's public sector, the U.S. Federal Trade Commission yesterday gave the businesses it regulates - and that's most of them - some direct advice on how seriously they ought to take the recently discovered Log4j vulnerabilities.
Elliott Peltzman: Quote, "the duty to take reasonable steps to mitigate known software vulnerabilities implicates laws including, among others, the Federal Trade Commission Act and the Gramm-Leach-Bliley Act. It is critical that companies and their vendors relying on Log4j act now in order to reduce the likelihood of harm to consumers and to avoid FTC legal action," end quote.
Elliott Peltzman: The commission's advisory includes a pointed reminder of what happened to Equifax when the credit bureau's failure to patch Apache Struts was implicated in a data breach that compromised information on some 147 million individuals. You'll recall that Equifax eventually agreed to pay $700 million to settle claims by the FTC, its sister agency the Consumer Financial Protection Bureau, and regulatory bodies in each of the 50 states.
Elliott Peltzman: With that regulatory hammer poised, the FTC suggests that companies scan their systems for vulnerable instances of Log4j. Once that's done, they recommend updating Log4j software to the most current version and then following CISA's guidance on mitigation. Having done that, businesses should, quote, "ensure remedial steps are taken to ensure that your company's practices do not violate the law. Failure to identify and patch instances of this software may violate the FTC Act," end quote.
Elliott Peltzman: And, finally, businesses should distribute this information to what the FTC characterizes as, quote, "any relevant third-party subsidiaries that sell products or services to consumers who may be vulnerable," end quote.
Elliott Peltzman: You can follow the CyberWire's full coverage of the Log4j story on our website.
Elliott Peltzman: Researchers at Palo Alto Networks' Unit 42 have found criminals exploiting a cloud video platform to infect a real estate company's websites with formjacking skimmer malware. The skimmer was so placed in a video that it was injected into sites that downloaded the content. Researchers assess the skimmer itself as highly polymorphic, elusive and continuously evolving. The data the skimmer collected included names, email addresses, phone numbers and credit card information. Palo Alto identified neither the platform nor the company, but Recorded Future did, reporting that the video platform was Brightcove and the affected business was Sotheby's real estate unit.
Elliott Peltzman: The relatively new ransomware gang Vice Society, first observed in 2021, has claimed responsibility for an attack against about 600 SPAR supermarkets in the U.K. Tech Monitor says that observers believe the gang uses the PrintNightmare vulnerability as its preferred mode of access to its victims.
Elliott Peltzman: Young though they may be, the Vice Society has already acquired a reputation for ruthlessness and lack of discrimination in its target selection, hitting schools and hospitals as often as it hits commercial enterprises. We're not saying, of course, that ransomware attacks against supermarkets are somehow OK, but it's been part of conventional gangland hypocrisy to claim, often falsely, that, oh, no, we'd never meddle with health care. The Vice Society isn't even paying that much tribute to virtue.
Elliott Peltzman: Where are the hoods located? It's unclear, but they may have some connection to the longer-established HelloKitty group, and that outfit is believed to operate from Ukraine.
Elliott Peltzman: As Presidents Putin and Biden prepare to meet next week in Switzerland, Reuters reports that NATO's foreign ministers also intend to meet to develop the Atlantic Alliance's response to the threat Russia currently poses to Ukraine. An Atlantic Council policy paper recommends that the U.S. recognize that, like it or not, this is effectively a period of hybrid war, both cyber and kinetic, and the U.S. ought to act accordingly. Quote, "the U.S. Department of Defense needs to compete now and engage in offensive hybrid warfare actions. The United States must respond where competition with China and Russia is taking place today, primarily by playing an enhanced role in gray-zone competition," end quote.
Elliott Peltzman: There is and has been, it must be noted, a lot of loose talk about war and cyberwar, where the concept of conflict is difficult to apply literally and unhelpful as a metaphor. But the Atlantic Council is thinking here in terms of the old spectrum of conflict in which hybrid war occupies a kind of gray zone, falling between espionage and clear, undeniable kinetic military operations.
Elliott Peltzman: Hybrid war includes some deniable kinetic action. But more importantly, it includes offensive cyber operations that go beyond simple surveillance and collection to more directly disruptive action. The Atlantic Council explains, quote, "accordingly, the Pentagon must embrace the paradigm of competition as a continuum from cooperation through competition to armed conflict. But embracing the continuum is not enough. The DOD, working with interagency partners where appropriate, must defend more aggressively and take offensive actions in the gray zone, consistent with American values," end quote.
Elliott Peltzman: From the Russian and Chinese points of view, of course, the U.S. is probably up to no good here already, right alongside the mother country of the U.K. and the other three of the Five Eyes as well. You can get that message from Agents 0.07 and 0.06, courtesy of Xinhua.
(SOUNDBITE OF VIDEO, "0.07: NO TIME TO DIE LAUGHING")
Unidentified Actor #1: (As Agent 0.06) M has even named our single greatest priority at MI6.
Unidentified Actor #2: (As Agent 0.07) Russia?
Unidentified Actor #1: (As Agent 0.06) Nyet.
Unidentified Actor #2: (As Agent 0.07) Assange escaped? Snowden's arrested?
Unidentified Actor #1: (As Agent 0.06) Nope and nope. For now, China is our top priority.
Unidentified Actor #2: (As Agent 0.07) And what have the Chinese done?
Unidentified Actor #1: (As Agent 0.06) Well, according to this dossier, their National Security Agency was authorized to monitor all phone and internet use in 193 countries.
Unidentified Actor #2: (As Agent 0.07) That's bloody outrageous. Is there anything China doesn't watch over?
Unidentified Actor #1: (As Agent 0.06) Indeed, it's preposterous. And it says here that China's propaganda machine was already very mature since World War I. And today, it broadcasts in 47 languages and releases over 700 English-language films every year.
Unidentified Actor #2: (As Agent 0.07) I didn't know China produced English-language films.
Unidentified Actor #1: (As Agent 0.06) Oh, wait, wait. Good grief. That's not China we're talking about. That's America.
Unidentified Actor #2: (As Agent 0.07) Exsqueeze me, again.
Elliott Peltzman: And finally, a University of Delaware study suggests that hacktivists may, in 2022, increasingly hit companies they feel are guilty of greenwashing - that is, falsely and publicly claiming corporate social responsibility as a core value but then failing to live up to their pious brand placement. So if you're going to talk the talk, think about walking the walk. What do you say to that, Agent 0.07?
(SOUNDBITE OF VIDEO, "0.07: NO TIME TO DIE LAUGHING")
Unidentified Actor #2: (As Agent 0.07) Yabba dabba doo.
Dave Bittner: Helen Patton is an advisory CISO at Cisco and author of the new book "Navigating the Cybersecurity Career Path." The book provides guidance and advice for cybersecurity pros at all levels, from those just starting out to those looking to move up the ladder. Helen Patton joins us with these insights.
Helen Patton: I started writing it about two years ago while I was the CISO at the Ohio State University. And one of the things about being a CISO in higher ed is, more than other verticals, I think, people reach out to you and say, how do I get into cybersecurity? How do I deal with this?
Helen Patton: And I found myself doing lots of mentoring sessions, having coffee with people, not only about getting into cyber, but also, how do I deal with this thing now that I'm in cyber? Or I'm just taking on a new team for the first time - how do I do that? How do I run a security program? - that kind of thing. And I was drinking too much caffeine. I was jittery all the time. Like, it - (laughter) there weren't enough coffee shops to be able to deal with the volume.
Helen Patton: So I thought it would be a good thing for me to do to write down the questions I'm always getting asked - and I'm sure every cyber mentor out there gets asked the same questions - and to put my thoughts down on paper about the answers to those questions. And so that was the genesis of the book - was really mentoring at scale. And I had a lot of help from a lot of other security people along the way. So I'm really excited the book's coming out now. It's a good thing.
Dave Bittner: Why do you suppose there is, I guess you could say, a certain amount of ambiguity when it comes to people navigating their career path in cybersecurity? It strikes me that it's different than, say, the pathway to becoming an accountant or a doctor or...
Helen Patton: Sure is.
Dave Bittner: You know, there are more - there's more clarity in those. Is it - why do you suppose people aren't quite so sure of how to set up down that pathway?
Helen Patton: I think there's a few things that are going on. And you're right. First of all, we don't have a professional structure like other business professional things - doctors, accountants, lawyers and so forth. So there's no clear learning path or certification path for cybersecurity people to follow. That's the first thing.
Helen Patton: I think the second thing is, of course, it's a comparatively younger - it's a comparatively younger profession, and it's growing. So, you know, for example, when I talk to college students, they're often saying things like, I want to work in security. And my first question is - when you say the word security, what comes to mind? When you say you want to work in security, what does it mean? And more often than not, they have to take a step back and go, oh.
Helen Patton: And depending on what kind of technology background they have, that's the - that's their entry point. So if they're in software development, they think of software security. If they're doing engineering building, they might think IoT security, for example. Very few people come to me and say, I want to work in security, and they're thinking about it in terms of compliance or public policy or GRC. And when you say those things are out there, they're like, oh, I didn't even realize that was part of the profession.
Helen Patton: So I think there's this big misunderstanding outside of the security profession of what's in cybersecurity. And just like a blind man and the elephant, depending how you first come into contact with cybersecurity, that's what you think cybersecurity is. And it's much bigger than that.
Helen Patton: So I think that the questions that I and other mentors get is really just people trying to better understand what the profession is and what the pathways to the profession might be because there is no commonly understood way of dealing with getting into or moving within cybersecurity as a career.
Dave Bittner: Did you find that you had any revelations of your own going through the process of writing the book, you know, clarifying, organizing your own thoughts? Were there any surprises for you?
Helen Patton: Yeah, there were, actually. And it did come about because even though it took me a couple of years to write it, I'd been blogging for a number of years before that. And so some of the genesis of the book was me trying to formalize what I'd already blogged about for a while.
Helen Patton: One of the things that I had to learn as a security person and as a CISO was how to tell stories that were meaningful to the people listening, not the stories that were meaningful to me. But how do I tell a story that the audience wants to hear? And I started using that as an influencing tool and a leadership tool.
Helen Patton: But as I was writing the book, it really became reinforced to me that this is a core skill for working in security, whether you're just starting out and you've got to tell your story about why you want to work in security, or whether you're in the middle of dealing with being a single contributor, but you've got to influence people who don't report to you about the kinds of things you need them to be doing as a security pro, or as a leader leading a team or trying to develop a security program in an organization.
Helen Patton: So I had known before I started writing that storytelling was important, but it helped clarify for me how important it is and also how to do the storytelling. It's easy to say, go tell a story, but not everybody is inherently a storyteller. So there are skills to learn about how do you structure what you talk about. And that was really important and a big learning thing for me, too. And it actually helped me land this job that I have now, now that I've moved away from being an operational CISO as well.
Dave Bittner: That's Cisco's Helen Patton. She's author of the new book "Navigating the Cybersecurity Career Path."
Dave Bittner: And I'm pleased to be joined once again by Caleb Barlow. Caleb, it's always great to have you back on the show. You know, we've gotten some recent notices from the FBI about ransomware operators and how they're looking for information from public companies. I wanted to check in with you - this is a world you're familiar with - about, if I'm a board member on a company, should I be concerned about this?
Caleb Barlow: Well, so this was a recent private industry notification from the FBI. It was marked TLP white, so that means we can talk about it. In this case, the incident discusses where ransomware operators are focusing on public companies. But before locking up the workstations, during the reconnaissance phase, they're doing intensive searches for keywords, including things like Newswire, Marketwire and 10-K, to look for specifically financial documents and announcements of things that haven't yet been publicly released.
Caleb Barlow: Now, some of these draft documents would probably become public over time, but the timing of which is critical, as material nonpublic information can have a pretty dramatic impact on a company's stock price and trading activity. And the point here is that these ransomware operators are starting to recognize that releasing material nonpublic information about a company can put, well, additional pressure on the C-suite and the board to likely pay a ransom.
Dave Bittner: Is this the kind of thing - and forgive me, this is not a world that I'm terribly familiar with. Could an organization get in trouble, say, with the SEC if information is released prematurely?
Caleb Barlow: Well, absolutely. And I can tell you, as a public company CEO, these documents are drafted all the time, and many of them never see the light of day - acquisitions that don't go through, strategies that change, deals that don't close. The point here is nothing's done until it's done. And when it's done, the whole idea is everybody at a public company finds out about the news at the same time so people can trade the company equally and fairly.
Caleb Barlow: So when information leaks out, even if it's a rumor, it might stop an acquisition from occurring. It might change something that a company is going to do because the last thing that company wants to do is have a leak of material information about what they're going to do next that only gets to a certain subset of their investors. Somebody, you know, initiates trading activity on it, and now we've got a problem.
Dave Bittner: So how should organizations prepare for this possibility?
Caleb Barlow: Well, first of all, I think what we've got to recognize is this represents a real escalation in the level of sophistication of bad actors. You know, I mean, you joke on the CyberWire all the time about bad actors that can, you know, speak in broken English. These are folks that can read a 10-K, understand the legal and privacy and investment risks and understand how boards are going to react to it. So that's the first thing we've got to recognize.
Caleb Barlow: I think some things people need to do - so first off, boards need to use your corporate systems, not the systems, the emails or storage from their other companies or efforts. And this is a big deal because boards are usually made up of people from other places. So consider issuing them specific iPads or other equipment only used for their work on the board so that your board information is not sitting in some other company. And, of course, encrypt everything, multifactor, EDR and XDR and everything.
Caleb Barlow: And, you know, probably the biggest thing - and boards are usually in tune to this - think about what you put in an email. You know, boards are usually in tune to this because everything can get - you know, become discoverable that a board does.
Dave Bittner: Right.
Caleb Barlow: But old documents are nuclear assets, right? So you've got to have record retention in place. Get rid of things when it's legal to get rid of them, and be careful about what you keep and what you put in an email.
Dave Bittner: All right. So worst-case scenario, this does happen to my organization. What do you do next?
Caleb Barlow: Well, this is where crisis communication comes into play. And I'm not talking about normal communication, Dave. I'm talking about crisis communication. If something like this happens, you want to control the message. You want to be able to get your message out to overcome that of the adversary or whatever information they're peddling. Whether it's true or not, you need to have the ability to get in front of this in a hurry and communicate what's going on.
Dave Bittner: So plan ahead of time, right? This is not a game-time call you want to be making.
Caleb Barlow: No, it's another thing you want to have in your runbook is a - you know, a plan for what happens if someone tries to manipulate our material nonpublic information or release it.
Dave Bittner: All right. Well, Caleb Barlow, thanks for joining us.
Elliott Peltzman: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too.
Elliott Peltzman: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, Dave Bittner. And I'm Elliott Peltzman. Thanks for listening.