Patch Tuesday notes. Cyber mercenaries described. Voice security and fraud. CISA’s update to its Zero Trust Maturity Model. Updates on Russia’s hybrid war against Ukraine.

Dave Bittner: We've got a Patch Tuesday update. Another commercial surveillance company is outed. Voice security and the challenge of fraud. CISA updates its Zero Trust Maturity Model. Effects of the U.S. intelligence leaks. Our guest, Eric Goldenstein, Executive Assistant Director for Cybersecurity at CISA, outlines the agency's role in the cybersecurity community. Andre Keartland of Netsurit makes the case for DevSecOps. And Russian cyber auxiliaries are believed responsible for disrupting the Canadian Prime Minister's website.

Dave Bittner: From the CyberWire's studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, April 12th, 2023.

Patch Tuesday update.

Dave Bittner: We begin with a quick note about Patch Tuesday which, this month, was yesterday. Companies addressed a large number of vulnerabilities, some of which are undergoing active exploitation. Fortinet released twenty-one vulnerability advisories. Siemens and Schneider Electric patched thirty-eight vulnerabilities. Adobe patched fifty-six vulnerabilities. Apple and Microsoft rolled out their latest security updates, and CISA has issued another round of advisories. Do take a look at the updates. You'll find a summary on our website.

Another commercial surveillance company is outed.

Dave Bittner: Yesterday, Microsoft and the University of Toronto's Citizen Lab announced the discovery that a hitherto little-remarked Israeli firm, Quadream, has been selling its surveillance platform to governments in Europe, North America, the Middle East, and Southeast Asia. And we note that "little-remarked" doesn't mean "unnoticed." Facebook's parent, Meta, this past December, took note of the company in its Threat Report on the Surveillance-for-Hire Industry.

Dave Bittner: Microsoft characterizes Quadream as a private-sector offensive actor and the company has had partners as well as customers. One of these partners is a contentious one. Its activity now attributed to the company had been tracked as DEV-0196. The product it sells is known as "Reign" -- that's R-E-I-G-N, and Microsoft calls the malware the platform deploys against iOS targets as "KingsPawn." The company amounts to a cyber mercenary operation in Microsoft's view and it sells both services and tools to its government customers. Microsoft explains they sell hacking tools or services through a variety of business models, including access as a service. In access as a service, the actor sells full end-to-end hacking tools that can be used by the purchaser in cyber operations. The PSOA itself is not involved in any targeting or running of the operations.

Dave Bittner: Citizen Lab, which cooperated with Microsoft in the investigation, says that Quadream's targets have included journalists, political opposition figures, and at least one NGO worker. The business keeps as low a profile as possible. Citizen Lab says Quadream operates with a minimal public presence, lacking a website, extensive media coverage, or social media presence. Quadream employees have reportedly been instructed to refrain from mentioning their employer on social media.

Dave Bittner: Many are accustomed to thinking of NSO Group and its Pegasus product when the topic of commercial spyware vendors comes up, but it's bigger than just one company as this note indicates. The researchers conclude with the observation that the commercial surveillance market is shifting and evolving and is larger than any single company.

Voice security and the challenge of fraud.

Dave Bittner: Voice technology company, Pindrop, has released their yearly Voice Intelligence and Security Report which analyzed five billion calls and three million fraud catches within financial institutions, insurers, and the like. The report found that states imposing restrictions on biometrics had double the chance of experiencing fraud. Financial institutions were also observed to have a 53% year-over-year increase in fraud in the fourth quarter of 2022, given that there was financial uncertainty. Retail has also been found to have high rates of fraud, with one in every three hundred forty-seven calls identified as fraudulent. Interactive voice response, or IVR, has also been observed to be a target with data from the dark web leveraged and tested in the IVR to identify high-value accounts and attack them.

CISA updates its Zero Trust Maturity Model.

Dave Bittner: CISA yesterday updated its Zero Trust Maturity Model, including recommendations from public commentary and increasing the government's zero trust capabilities. The agency wrote yesterday that the zero trust approach is designed by the agency as an approach where access to data, networks, and infrastructure is kept to what is minimally required and the legitimacy of that access must be continuously verified. The agency has recognized that the architectures implemented by different organizations have different maturity levels and come from different starting points. This maturity model has added a new stage called "Initial" which can be used to identify maturity for each pillar.

Dave Bittner: This updated model is said to provide a gradient of implementation across the pillars which allow for the advancement of zero trust architecture within agencies. The five pillars are: identify; devices; network; data; and applications and workloads. Chris Butera, technical director for cybersecurity at CISA, said, "As one of many roadmaps, the updated model will lead agencies through a methodical process and transition toward greater zero trust maturity. While applicable to federal civilian agencies, all organizations will find this model beneficial to review and use to implement their own architecture.

Effects of the US intelligence leaks.

Dave Bittner: The source and effect of recent U.S. intelligence leaks remains under investigation, but it's increasingly become clear that compromised files, whatever manipulations may have altered them for purposes of disinformation and however opportunistic their collection appears to have been, represent a major problem for the U.S. Ukraine isn't deterred by the leaks which contain relatively little information about operational plans and so Kiev remains confident of the ultimate success of its spring offensive.

Dave Bittner: The Department of Defense and other U.S. government agencies are also working to contain any damage the leaks may have done to relations with friendly countries. The Washington Post has a summary of the nations mentioned in the compromised documents. Many observers are struck by the degree of access to the Russian government U.S. Intelligence Services appear to have achieved. U.S. senators have called for a full briefing on the incident, the Hill reports, and they're likely to receive that briefing.

Russian cyber auxiliaries believed responsible for disrupting the Canadian PM's website.

Dave Bittner: And, finally, Canada is receiving the attention of Russian cyber auxiliaries. A DDoS attack interrupted the availability of Canadian Prime Minister Trudeau's official website for a few hours yesterday. According to IT World Canada, the attack appears to have been timed to coincide with the government's meeting today with Ukrainian Prime Minister Denys Shmyhal. Service was restored by 2 p.m. Eastern time yesterday. The Prime Minister addressed the outage at a press conference saying, "As you know, it's not uncommon for Russian hackers to target countries as they're showing steadfast support for Ukraine, as they are welcoming Ukrainian delegations or leadership to visit, so the timing isn't surprising. But, in case anyone was wondering, Russia being able to bring down an official Government of Canada webpage for a few hours is in no way going to dissuade us from our unshakeable support of Ukraine."

Dave Bittner: Coming up after the break, Eric Goldstein, Executive Assistant Director for Cybersecurity at CISA, outlines his agency's role in the cybersecurity community. Andre Keartland of Netsurit makes the case for DevSecOps. Stay with us.

Dave Bittner: Many organizations embraced DevOps, short for Development and Operations, as an effective method of increasing the speed and quality of their software development and delivery. That's all well and good, but it's led many security folks to say, not so fast. DevSecOps is where you need to be, including security as a primary element of your development process from the get-go. Andre Keartland is a solutions architect at Netsurit and I spoke with him about the benefits of a DevSecOps approach.

Andre Keartland: So what we're starting to see a lot is that people are starting to adopt DevOps, so -- which is obviously a combination of Dev and Ops. So they've got integrated processes to not just get their apps written, but to get them deployed into production. What we're still seeing a lot, though, is that people aren't taking security seriously. They're paying lip service to it, trying to do the minimum. Common approach that I see is people leaving security right to the end so that they write their whole app and then they say, okay, what do we need to do to make it secure? And there's also a very common attitude that security is somebody else's job. So it might depend on some infosec department or an external consultant to come in and wave a magic wand and make their app secure. And you're not getting that the dev teams necessarily do that work from the start. And that's the old story of measurement drives behavior, so if your dev team is being measured on how fast can they get the code out the door, how good is the functionality they can build into the app, how good is the app's performance or reliability, but they're not being measured on how security is the app, then they're not really going to pay a lot of attention to the security aspects.

Dave Bittner: And what are the issues there? I mean, if you do save security for the last thing, what are some of the issues that can come into play there?

Andre Keartland: The problem is that you can get vulnerabilities that get right into the app during the dev process. So, for instance, people might make use of a library that contained vulnerabilities in itself that got inherited from somewhere else, and they don't even know that there's insecure codes that they've now put into their application. Or they make the application work, but they don't pay attention to things like the identity, the authentication, the authorization. And now you've got that they have insecure methods for how people actually log on and use the application. Very common that we see apps that make use of things like service accounts that are absolute poison in an environment because if that service account gets compromised then that service account could be used to attack your own environment. We even see cases, still, where inside of the source code in the configuration files you've got things like usernames and passwords and certificates and other credentials, and anybody that manages to get access to the source code can go and [inaudible] read that information and, again, use it to attack your environment. So there's a lot of things that you should be looking out for, and if you don't then you end up with an insecure application. And, unfortunately, if you only discover that you're insecure when you get ransomware or somebody steals your data, then you could be in deep trouble.

Dave Bittner: Well, if we're looking at DevSecOps, how do we incentivize organizations to give the security equal weight over the Dev and the Ops?

Andre Keartland: As I said, it comes down to measurement drives behavior to a certain extent, so you're going to need that right at the top of the organization. So CxO levels -- CIOs, CEOs, CSOs -- that they need to decide that security is important. They need to understand what is the impact to their organization if the application isn't adequately secured. What could happen if data gets stolen, if there's a breach? And, of course, there's plenty of case studies of how businesses have gone under, been destroyed, because they had inadequate security and an application got breached. So your first step is you've got to have awareness and acceptance at executive level, and they need to then become executive sponsors for a program to introduce security. Training and knowledge is part of it. But you have to basically change development culture to a certain extent. Your developers are always going to care more about functionality, making the application cool, than about making it secure. So you can also supplement them by embedding security into your project, having dedicated security people involved in the whole process from beginning to end, and have people testing your application with a security mindset or a security goal from the beginning. So you need to try and get right from the beginning of your process of developing your application when you're still architecting and you're making your decisions about how your app is ultimately going to be constructed. At that point, you need to already be thinking about, ultimately, how is this application going to be made secure? And it's at that point that you could and should be doing things like threat modeling and you should be getting opinions about what are possible things that can go wrong. And the people that -- who's -- you shouldn't just ask your developers what are the potential security risks. At this point, you go and consult external professionals. You maybe do some pentesting. If you're upgrading an existing application, get vulnerability assessment done against it. Get external code review. And then use that to go and base your plans for how you improve.

Dave Bittner: How do you convince your developers that this is something worth spending time on, or even collaborating with the security folks? How do you -- how do you get them to adopt that mindset?

Andre Keartland: It's really difficult and it does take time. Education is a big part of it and, unfortunately, the same way that you're training your end users not to click on emails with phishing links in them, you're going to have to take your devs through a process like that. What I've seen helps is that when they actually practically see examples of how code gets breached. Hackathons is one method that we've used where you get a dev team -- you get them to write some code, you give them some parameters that are possibly going to lead to something insecure, and then you get somebody to go pentest it and find vulnerabilities and come back and say, okay, look at this, but not from a point of view of "you're stupid, we want to make you look bad," but take this as a learning moment. Take this as an opportunity to see how vulnerabilities in your code can lead to insecure applications. And it's at that point where you need to ensure that the people that the developers report to -- their bosses -- have also bought in so that when they're evaluating the effectiveness of the development work, that they're already also acknowledging the importance of security and they're measuring the people on security aspects when they're evaluating how good they're doing at their dev job.

Dave Bittner: That's Andre Keartland from Netsurit.

Dave Bittner: And I am pleased to welcome to the show Eric Goldstein. He is Executive Assistant Director for Cybersecurity at the Cybersecurity and Infrastructure Security Agency. Eric, welcome to the show.

Eric Goldstein: Thanks so much, Dave. It is great to be here next to you and your team for all you do to keep us informed every day.

Dave Bittner: Well, it is certainly our pleasure. I would love to start out by, just for folks who may not be completely familiar with the mission there at CISA, can you give us a little description of what exactly it is that you and your colleagues there are charged with?

Eric Goldstein: Of course. You know, we at CISA have a really remarkable mission which is, you know, we are a voluntary trust based agency with the mission to advance our nation's cybersecurity, and we do that in a few ways. As we look across our federal civilian government, we exercise some pretty remarkable authorities and resources to gain persistent visibility into threats targeting our government, and drive really timely action to reduce risk. But we also know that adversaries are targeting businesses, critical infrastructure, and local partners every day, and so we work in concert with the cybersecurity industry, with industry, with researchers, with the operators of critical infrastructure, to make sure that we're advancing adoption of the right practices that secure both the enterprises that are being attacked and the products that we're all using every day.

Dave Bittner: Why was CISA spun up in the first place? What -- what -- what prompted the creation of the agency?

Eric Goldstein: You know, it's a really great question, Dave. If we think a little bit about CISA's history, we are, of course, the operational component of the Department of Homeland Security, or DHS. And when DHS was first created, from the very early days, there was a focus on critical infrastructure, on the -- on the services, the functions, the assets that are critical to -- to every American's way of life. And, over time, we realized in the Department that the initial focus of securing critical infrastructure was on -- on terrorism, on physical threats. And while that remains important, we have seen over time adversaries, whether nation-states or criminal groups, begin to also focus on cyber means as a way to undermine, degrade, and render inoperable our critical infrastructure or steal information for financial or geopolitical gain. And so, over time, we saw DHS invest more and more in the cybersecurity arm of the department until, four years ago, we saw Congress really say, you know, this requires a fully-formed, mature operational component like other components in DHS like FEMA or TSA to really stand up and engage in this mission in a -- in a strategic and ongoing way, recognizing that not only do cyber threats remain resonant, but they are only getting more significant as, increasingly, every aspect of our lives depends on the internet and on the technologies and our adversaries, recognizing that dependency, take advantage of it at a return.

Dave Bittner: And what are the tools that you and your colleagues there have at your disposal to -- to make this mission a reality?

Eric Goldstein: You know, the -- the number one tool that we have is partnerships. I will -- I'll get into that a bit more in a moment, but it does bear noting that we have different tools with different stakeholders with whom we work. And so, looking at the federal/civilian agencies, we actually have the ability to deploy our own technology, our own sensors, using leading commercial technology across their own networks and we've made some remarkable advances over the past few years on getting visibility across federal agencies at the host level, the network layer, and in the cloud so we can, in -- in real time, understand the prevalence of different asset types, vulnerabilities, misconfigurations, and adversary activities. And then we can actually direct federal agencies to take actions to reduce risk that we identified. Now those -- we'll call them compulsory authorities are really only resonant with our work with federal/civilian agencies. And so across the broader nation, you know, we really work in a trust-based partnership with the cybersecurity community, with product providers, and with owners and operators of critical infrastructure. We have a large regional field force -- every day is knocking on doors, advancing guidance, advancing best practices. We have grant programs for state and local entities to improve their cybersecurity. And, really, our goal is to be a trusted voice for the cybersecurity community so that we're adopting adoption of the right practices at the right time to reduce the most risk per dollar and, again, doing that in a way that is based on an understanding of what the adversaries are doing, how they are exploiting technology across American's network and in a way that every enterprise can rely on to make the best use of their scarce security dollars.

Dave Bittner: You know, as the agency has taken its place in the cybersecurity community, it struck me that a big part of what you all are doing -- the way that you have wielded your influence has been very much using a carrot approach rather than a stick. Do you think that's an accurate description?

Eric Goldstein: It absolutely is, and it really is foundational to our model here at CISA. You know, what we have found is it's almost never the case that an organization doesn't implement the right security control, doesn't invest in security, or has a breach because they didn't want to do the right thing. It's often the case because they lack the resources, they made a business decision that led to a negative security outcome, or maybe even they lacked the right information. And so our goal at CISA is really be the ally of the security community to inject our voice, our expertise, our perspectives into those business conversations that enable the right investment for pro-security outcomes and help the voice of those CISOs with practitioners be amplified so that, in every organization, they're making those decisions that lead to improved security, and also to help us ask the right questions and help us focus less on, perhaps, the initial access vector and talk a bit more about -- well, was the product that the adversary exploited secure by design and secure by default? Could the victim have reasonably been able to secure their enterprise? Asking the right questions to help and drive strategic investment by the right entities to drive the most change. But we believe we can do a lot of that work in a voluntary, trust-based manner, even as, of course, other partners across government may leverage their unique authorities to drive change through regulation or other means.

Dave Bittner: What's your message to our listeners who -- who may be considering some kind of collaboration with CISA?

Eric Goldstein: The most important message is that there is no organization that can secure their own enterprise alone, whether it is the Fortune 100, the largest federal agencies, our military, or civilian governments. And we all have unique capabilities to bring to bear, unique authorities, unique visibility. And one rule that CISA has, in part through a piece of our organization that we call the Joint Cyber Defence Collaborative, is to bring together partners to say what piece of the puzzle do we each have about what adversaries are doing? What controls actually work to defeat them? And let's drive the right investment in the right way so that we can look back five, ten years from now and see a security environment where we have less intrusions, the intrusions that do exist are less impactful, and we have a lot more trust in the technology that we are using for all of our functions of everyday life.

Dave Bittner: Eric Goldstein is Executive Assistant Director for Cybersecurity at CISA. Mr. Goldstein, thank you so much for joining us.

Eric Goldstein: Thank you, Dave. It's my pleasure.

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the start-up studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Irvin and Senior Producer Jennifer Eiben. Our mixer is Trey Hester, with original music by Elliott Peltzman. The show was written by John Petrik. Our Executive Editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.