The CyberWire Daily Podcast 10.27.22
Ep 1692 | 10.27.22

CISA releases voluntary CPGs. Trojans and scanners. Cyber venture investing, and some insights into corporate culture. "Opportunistic" cyberops in a hybrid war.


Dave Bittner: CISA releases cross-sector cybersecurity performance goals. Trojans are spreading through scanners. Cyber seed rounds are an exception to a general downtrend in venture investment; whistleblowing and corporate culture; storing enterprise secrets. Robert M. Lee from Dragos explains the TSA Pipeline Security Directive. Our guests are Jenny Brinkley from Amazon AWS and Lisa Plaggemier from the National Cyber Security Alliance with a collaborative educational project. And cyberattacks are seen as opportunistic and disconnected from strategy.

Dave Bittner: From the CyberWire studios DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, October 27, 2022. 

CISA releases cross-sector cybersecurity performance goals. 

Dave Bittner: CISA has issued voluntary cybersecurity performance goals. CISA explains, the cybersecurity performance goals are a prioritized subset of IT and operational technology cybersecurity practices that critical infrastructure owners and operators can implement to meaningfully reduce the likelihood and impact of known risks and adversary techniques. The goals were informed by existing cybersecurity frameworks and guidance, especially those developed by NIST, as well as the real-world threats and adversary tactics, techniques and procedures observed by CISA and its government and industry partners. By implementing these goals, owners and operators will not only reduce risks to critical infrastructure operations but also to the American people. Described as voluntary and not comprehensive, the goals were formulated to be, first, a baseline set of cybersecurity practices broadly applicable across critical infrastructure with known risk-reduction value, a benchmark for critical infrastructure operators to measure and improve their cybersecurity maturity, a combination of recommended practices for IT and OT owners, including a prioritized set of security practices, and unique from other control frameworks, as they consider not only the practices that address risk to individual entities but also the aggregate risk to the nation. 

Dave Bittner: CISA said that it developed the CPGs with extensive input from industry and that the development and application of standards was a cooperative effort. So what's different about these CPGs? CISA says, they're different in three ways from similar standards, stating, first, the CPGs provide a succinct set of high-priority security outcomes and recommended actions applicable to IT and OT environments. In this way, the CPGs enable organizations to undertake prioritized and targeted investment to address the most significant cybersecurity risks. Second, the CPGs are accompanied by a checklist that allows organizations to prioritize their utilization of each goal based upon cost, complexity and impact, making the CPGs uniquely useful for organizations with limited resources. Finally, the CPGs will be regularly refreshed and updated, allowing them to be used as a continuously effective resource to drive prioritized investments against the most significant threats and critical risks. So they're designed to be easily actionable across the different critical infrastructure sectors. And they're also designed to be adaptable to organizations of varying sizes and resources. 

Trojans being spread through scanners. 

Dave Bittner: You remember flatbed document scanners, right? Sure, they're sort of old school, but these days, they're also connected. And with connectivity comes the potential for trouble. So here is the trouble. Scanners are being used to send Trojans, Avanan says in a report released today. Hackers are using spoofed scanner notification emails to send malicious files. The example email is titled "Commission Receipt," which is something that sounds as if it would have been scanned, and it may well attract people to click as they think this message might affect their paycheck. Check Point Research identified the attachment and verified that there is a Trojan. The file, if clicked, would attempt to take over the end-user's computer. The email may appear benign, but bypassing the sender address to look at the attachment is possible and could result in malware for the victim. The report emphasizes scanning attachments for malware just to be safe. Avanan cautions users to always check the address of the sender when receiving an email. The researchers also implore everyone to be cautious with .HTM files, as they can be used to send malicious content. They also advise asking the original sender if you're unsure about an email. 

Cyber seed rounds are an exception to a general downtrend in venture investment.

Dave Bittner: DataTribe released a report today detailing the state of venture capital investments in cyber startups in the third quarter of 2022. Venture activity is down overall and continues to fall as the years pass. The exception, DataTribe discovered, is cybersecurity seed investment activity, which increased 37.5%, from 24 to 33 deals year over year. Overall, cybersecurity activity is only down 3.3% year over year, compared to a decline of almost 24% across other verticals.

Whistleblowing and corporate culture. 

DataTribe's report also had some observations on how recent cybersecurity events have affected corporate cultures. In the case of Peiter "Mudge" Zatko, for example, a former Twitter employee who filed an SEC report about security practices at Twitter. Zatko has been in the cybersecurity industry for a long time, having testified in front of Congress in the late '90s on cybersecurity issues. Zatko eventually became part of the Twitter team, and discovered they were more lax on cybersecurity than he believed the company should be. Twitter engineer Edwin Chien, quoted in The Washington Post as saying, "many engineers at Twitter had a stance that security measures made their lives difficult and slowed people down." This difference in handling the situation led to Zatko's dismissal and whistleblower report. The report from DataTribe says that it's likely, following the large amount of uncertainty and stress at Twitter between Zatko's report and Elon Musk's bids for the company, that a large number of staff at Twitter will leave, inducing a period of elevated security risk. 

Storing enterprise secrets. 

Dave Bittner: Other cases that have affected the marketplace, DataTribe's report says, include recent breaches and Uber and the Veterans Administration, where some have argued that company secrets were just left out for the taking. The lack of organization and management of company secrets, as well as identification, is an issue for IT at most organizations. The importance of knowing where company information is stored is now generally coming to be understood as central to keeping it secure. 

Cyberattacks seen as opportunistic and disconnected from strategy.

Dave Bittner: And finally, turning for a quick update on the cyber phases of Russia's hybrid war against Ukraine. We see that informed observers and participants continue to look for an explanation of why Moscow's cyber efforts seem to have fallen curiously short. One of the participants on Ukraine's side spoke yesterday at the BlackBerry Security Summit. 

Dave Bittner: Victor Zhora, who leads Ukraine's cybersecurity efforts, said that Russian cyber operations have not succeeded in disrupting Ukrainian infrastructure. That failure is due in part, he thinks, to a lack of integration of cyber ops into Russia's strategy. That failure to coordinate has rendered the attacks opportunistic and ineffective. The attacks continue, but to little effect. 

Dave Bittner: DDoS and commodity ransomware are a nuisance, but they're not war winners. Much of the Russian online activity of late seems to have concentrated on disinformation, on influence operations, some of it directed internationally, but much of it addressed to an increasingly confused and restive domestic audience. 

Dave Bittner: After the break, Robert M. Lee from Dragos explains the TSA Pipeline Security Directive. Our guests are Jenny Brinkley from Amazon AWS and Lisa Plaggemier from the National Cybersecurity Alliance with a collaborative educational project. Stick around. 

Dave Bittner: As Cybersecurity Awareness Month winds down, we want to highlight a collaborative effort from the nonprofit National Cybersecurity Alliance and Amazon, a series of PSAs called Protect and Connect. Jenny Brinkley is director of Amazon Security, and Lisa Plaggemier is executive director of the National Cyber Security Alliance. I started our conversation by asking Jenny Brinkley, what inspired this effort? 

Jenny Brinkley: So my boss, Steve Schmidt, who's our chief security officer at Amazon, had reached out and made mention that he was going to meet at the White House with Andy Jassy, our CEO, and some leaders to really talk about how to inform the everyday American citizen on how to stay safe as they operate online. And we started thinking about the ideas of a public service announcement. So think about, like, Smokey the Bear. You know, how could you create something that galvanized individuals to take action while making it emotional and fun at the same time? And that's what we really started to come up with, is this idea of a public service announcement, and then reached out in partnership with the National Cybersecurity Alliance to think about, how could you create this messaging? How would we want to tell these types of stories? And how could we make it in a way that everybody would pay attention and make it unique, unusual and lighthearted and fun? 

Dave Bittner: And so, Lisa, take us through your participation here. What role did you and your colleagues play? 

Lisa Plaggemier: We do a lot of security education. That's really our reason for being at the National Cybersecurity Alliance. We try to communicate to people in a way that demystifies security, uses a tone of voice that's, you know, welcoming and relatable, like you're talking to a friend. And so, especially when it came to the website and the security quiz and all the other things that went along with those PSAs, we were able to chime in and just make sure that the tone was friendly and welcoming. And, you know, according to some research that we've done, a lot of people feel intimidated and frustrated by cybersecurity, and they worry about being victimized. And I think when you think about those three characteristics - right? - they're frustration, intimidation and worry, sounds like a recipe for an anxiety attack; it doesn't sound like a good motivator for behavior change. And at the end of the day, that's what we want in cybersecurity, is we want individual people to take action. And so making sure that we inspire them rather than intimidate them and maybe put a little bit of edutainment, as I like to call it, in front of them, and instead of pictures of hackers in hoodies and things that are scary - you know, if you want to get people's attention to get your message across, you know, you can't skip that phase of getting their attention first, right? 

Lisa Plaggemier: You can give them all the good advice in the world, but it's all for naught if you fail to get their attention. And so often we think that a security horror story is going to be - you know, we'd go for the shock and awe method of getting people's attention. And I just don't think that's working. I mean, there's documentation on breach apathy and breach fatigue and things like that. So I hope that as a profession, we're leaving the days of shock and awe behind us and realizing that it's really about risk, and in this case human risk, and inspiring people to take action rather than just scaring them. 

Dave Bittner: Yeah, I have to say that looking at the PSAs myself, they really are approachable and - dare I say? - downright funny, which isn't an easy thing to pull off with cybersecurity. So congratulations on hitting those notes and making them accessible. 

Jenny Brinkley: Thank you. You know, we really tried to make it that anyone could walk away feeling a sense of, I know what to do now online but also have some fun with it. Because to Lisa's point, I think that people do become really paralyzed when it comes to a topic of cybersecurity. There is this sense of, it's too big. I don't know where to start. And what we try to do with the public service announcement was really give the sense of, you are your own best internet bodyguard. You have the skills. You have the tools. Here are some fun ways to really think about how you can manage that online. 

Dave Bittner: And so what do you recommend in terms of folks distributing these? If I'm a security person at my organization and I want to make use of these to help spread the word, is it a matter of pointing people to the website? 

Jenny Brinkley: Website is a great place to start. I mean, we worked really closely with the Prime Video team to think about different ways that you can attract individuals to take action quickly. And so that website is really set up in a way to be able to hit different types of situations that can happen to you. And so you don't necessarily have to watch the whole thing, though we'd love it if you did. But if there are certain topics that might be pertinent for your business or for yourself, you're able to dig in and understand more about what multi-factor authentication means, understand how to navigate phishing attempts, being able to manage what it means around this sense of false urgency, which is a big thing that scammers will use today to try to create this sense of, if you don't take action, this bad thing will happen to you. And so we're really there to give you a sense of how to navigate, how to think through it and how to manage it. 

Dave Bittner: And, Lisa, where do you suppose this goes from here? Is this the first step of engagement with people more broadly? 

Lisa Plaggemier: I think so. I think we have some projects in the works at the National Cybersecurity Alliance to do even more campaigns like this. So look for more to come in the future from us. 

Dave Bittner: And, Jenny, why is it important for a big player like Amazon to take part in something like this? 

Jenny Brinkley: You know, I think the biggest thing for us is we just feel this deep responsibility given the consumers that we work with on a day-to-day basis. We really want to be able to give every single person on the planet a way that they can be empowered and protect themselves as they're operating online. So for us, it's really thinking about, how do you make things simple? How do you make them direct? Really give prescriptive guidance on how to enable best practices around security, not only when you're on, but when you are engaging with any type of digital experience, while also thinking about, eventually too, your physical safety; and so there's elements of how we're trying to build a lot of our trainings and education and resources for everyone to be able to stay safe in their day-to-day lives. 

Dave Bittner: That's Jenny Brinkley from Amazon Security and Lisa Plaggemier from the National Cybersecurity Alliance. The website is 

Dave Bittner: And I'm pleased to be joined once again by Robert M. Lee. He is the CEO at Dragos. Rob, we recently saw the TSA put out a directive when it came to pipeline security, and I wanted to get your insights on this. What's your take on what TSA is trying to do here? 

Robert M Lee: Yeah, I think TSA SD02C - sort of their reiteration of what they did in TSA SD02 - is a really good job overall. It's directionally very accurate. And so to catch everybody up on the drama, because I was pretty vocal about this when it happened, the first and second regulations that TSA rolled out were very dramatic. And this is not to vilify the people at the TSA. I don't want to - I've been very careful to draw that distinction that I think the TSA massively screwed up. But I don't also think that they were well-resourced and empowered to be successful. So there's a balance there. But how and why do I think they screwed up, to give context of where I think they did really well. First thing that I think they did poorly was the pipeline industry has been working with TSA for a long time, and TSA has earned a really good reputation by being out with pipeline operators and working closely with them, even influencing various standards that trade associations like API or AGI or INGO are coming up with. API had security standards that were voluntary that they were putting into place, including TSA's input. 

Robert M Lee: So when Congress kind of reacted to the Colonial Pipeline incident and wanted something on the pipeline industry, TSA ended up rolling out a regulation - and I think it was less than a 24-hour heads up. So a community you've been working with, people you know by name that you show up to conferences every year with - we're here to collaborate, we want your public-private partnership - with a knee-jerk reaction, and here is a regulation coming out and you have 24 hours or less to comment, and then by the time that it got sent out, most people actually had six or seven hours max to review and even think about saying something which - legal at those companies is not even going to be able to authorize any sort of statements back in that time window - it was just damaging to the relationship, regardless of the implications of the regulation. 

Robert M Lee: The second iteration ended up being a lot of IT best practices copy-pasted into an ICS, and it had, like, a three-day heads up and still not enough time to influence any regulation. And they didn't use the years' worth of collaboration they had in the industry. Instead, it was just random CISA-type stuff that was copied and pasted in. And where I was concerned was not that they were trying to work on pipeline security - because let's be candid, the state of pipeline security is not good, by and large. There are some pipeline companies that are doing an amazing job. They talk about industry-wide and the dependence we have on it - we all know there are gaps. But the question is let's align on risk and then let's talk about what to do about it. And instead, what TSA SD02 was, was we're not going to align on the risk. We're not even going to tell you what we're trying to accomplish. We're just going to tell you how to run your business. So it was extraordinarily prescriptive. And I came out publicly and talked about the fact that regardless of the best intentions, if you were to follow TSA SD02 to a T, you would bring down pipelines across the country. The things they were asked to do in the regulation were not physically doable in some of these environments. And TSA spouted the line of, well, don't worry. If you have problems, contact us, and we'll respond. That was never happening. They weren't resourced for all the inbound. So I believe TSA meant it, but they weren't resourced for all the inbounds they got. So most people didn't get responses at all. And now they have this super nebulous, super ambiguous regulatory regime that is specific as you must patch within 90 days and as vague as you must implement Zero Trusts and SOAR. And it's like, what? And so it was a hot mess. So people were very upset. And I think the public got a little bit of a look at that. But it was a lot more heated than I think people realized. 

Robert M Lee: All to say, TSA then listened. They could have buried their head. They could have said, oh, those stupid pipeline operators. Screw all of you. Instead, they kind of did the mea culpa tour of going out and visiting pipeline companies and saying, look, we got it. We had to do a knee-jerk reaction. It didn't get us to where we wanted to go. It's predictable in hindsight. That's fine. But how do we go forward? And it really earned a lot of credit with a lot of the pipeline operators of - OK, you're actually coming to the party now to collaborate. Let's do that. And so TSA SD02C, sure, it has areas to improve, but it's directionally very good with - OK y'all. Here's what we're trying to accomplish. Why don't you tell us your risk management strategy around these things? And you've got to at least address these kind of risks, but give us a plan that you're going to implement. 

Dave Bittner: You mentioned a couple of times that TSA had issues with being properly resourced or being able to apply the resources to some of these issues here. Where do they stand now? I mean, did going through this help TSA realign where they're using the resources they have? 

Robert M Lee: Yeah, I don't think so. But let me also be clear that I'm not inside of TSA, so I don't know for sure where they are today. But what I do know is at the start of all this, there was something, like, three people that focused on cybersecurity as a full-time job at TSA. And TSA was responsible for all interstate pipelines across the country - probably not the right level of resourcing. Later on, TSA came out and made a statement about that because they got called out for it. I don't know if they were being purposely ambiguous or not, but my reading of that statement didn't give me a lot of confidence because they said, look, we just hired another 15 people dedicated towards security. I was like, oh, that sounds good. But they're like, yeah, they do physical and cyber. Like, well, hold on. How many of them are doing physical, and how many are doing cyber? Are you asking them to do both? Like, those are very different skill sets. And so my - I don't want to stand outside the building and throw stones, especially at a group of people that are trying. Like, we get the sense now that they are trying to be collaborative and help out here. But I would tell you from what I have seen, I have no higher confidence that they are properly resourced today. 

Dave Bittner: All right. Robert M. Lee, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Maria Varmazis, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Catherine Murphy, Janene Daly, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, Simone Petrella, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.