Dave Bittner: [00:00:00:03] The CyberWire podcast is made possible in part by listeners like you who contribute to our Patreon page. You can learn more at patreon.com/thecyberwire.
Dave Bittner: [00:00:12:05] NSA says it warned its French counterparts about Russian cyber ops targeting France's elections. Next up for Fancy Bear? Probably German elections, but in the meantime there's also some phishing with zero-days. The NSA Director also advocates calling out Russia for bad behavior in cyberspace, and says that US Cyber Command is ready and able to hold targets at risk, so deterrence and retaliation are available options. Microsoft, Adobe, and Cisco issued significant patches yesterday. We learn about managing application security. And President Trump has told the FBI Director, "You're fired." Oh we went there.
Dave Bittner: [00:00:53:04] It's time to take a moment to tell you about our sponsor, Recorded Future. Recorded Future is the real-time threat intelligence company whose patented technology continuously analyzes the entire web to develop information security intelligence that gives analysts unmatched insight into emerging threats. And when analytical talent is as scarce and pricey as it is today, every enterprise can benefit from technology that makes your security teams more productive than ever. We at the CyberWire have long been subscribers to Recorded Future's Cyber Daily and if it helps us, we're confident it can help you too. Subscribe today and stay a step or two ahead of the threat. Go to Recorded.Future.com/Intel to subscribe for free threat intelligence updates from Recorded Future. That's recordedfuture.com/Intel and we thank Recorded Future for sponsoring our show.
Dave Bittner: [00:01:50:06] Major funding for The CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, May 10th, 2017.
Dave Bittner: [00:02:00:02] We open with some news about l'affaire Macron and the just-concluded French presidential election. US NSA and CYBERCOM head Admiral Michael Rogers told Congress yesterday that Russian actors penetrated French election "infrastructure," and that NSA tipped off its French counterparts that the Russians were actively targeting their political system. Rogers also noted that NSA tipped off the FBI in the summer of 2015 that the Russian intelligence services were seeking to meddle in US elections.
Dave Bittner: [00:02:31:07] "Infrastructure" was left vague, but most read it as referring to the now well-known compromise and release of En Marche emails. And, again, it's worth noting that nothing particularly scandalous has emerged from the emails dumped so far.
Dave Bittner: [00:02:45:02] Observers believe the Russian services are turning their principal attention to September's German Federal elections. Why not the upcoming British general elections, called for June? Because the long-term Russian goal is thought to be disruption of the European Union, and Brexit has made that moot with respect to the UK. Still, British authorities aren't complacent, and are preparing for hacking and influence operations over the next month.
Dave Bittner: [00:03:10:12] Admiral Rogers also urged public confrontation of Russia over its cyber activities. He said “In the case of the Russians we need to publicly out this behavior. We need to have a public discourse on this.” In response to questions from Senator McCain, Rogers outlined a worst-case cyber attack describing it as "outright destructive attacks focused on some aspects of critical infrastructure" and data manipulation "on a massive scale". He supported splitting NSA from US Cyber Command, with an independent Command receiving appropriate budget and acquisition authorities. As it stands now, Admiral Rogers assured Congress that Cyber Command's Cyber Mission Forces are ready to "hold targets at risk," and that their ability to do so is increasing steadily, which sounds like an announcement of a retaliatory and thus a deterrent capability.
Dave Bittner: [00:04:03:21] What else have the Bears been up to? Well, Slovakia-based security firm ESET has been tracking Sednit (aka Fancy Bear, aka. Russia's GRU) for some time. During the time Fancy Bear was believed to have been rummaging through En Marche email servers, Fancy was also distributing two zero-days in phishing emails. The phishbait had a "Trump's Attack on Syria" theme. Microsoft fixed both vulnerabilities in yesterday's Patch Tuesday.
Dave Bittner: [00:04:32:19] In addition to the Microsoft patches, Adobe yesterday addressed seven issues in Flash Player, and Cisco closed the Vault7 zero-day affecting a number of its switch models.
Dave Bittner: [00:04:44:04] Many companies place a high priority on application security, especially financial institutions. Rohit Sethi is COO at Security Compass, where they recently published results from a research project looking at managing application security.
Rohit Sethi: [00:04:59:04] The general thesis of the report, or promise of the report is that we wanted to see what are organizations doing to scale their application security programs effectively? See, we have been working in the application security and secure software development Lifecycle space for a number of years. And, what we found is that there are a number of best practice frameworks that were quite exhaustive, in the number of controls that they would ask people to do, or specify. And you know what we saw on the ground though, is that it was a real struggle for most large organizations to do most of these activities, and there were really only a handful that were scaling effectively. And we wanted to bring light to that, but also get a better understanding of how this differs between industries.
Dave Bittner: [00:05:45:08] So take us through some of the key findings.
Rohit Sethi: [00:05:47:14] You know, we ask questions in a couple of different areas, and we had strategy sort of related questions and we had technical questions. And in the strategy related questions, you know, I would say that sort of the top finding was around metrics. And there's a saying that What's measured matters. The numbers are sort of what drive behavior and it makes it clear what the goals should be for the various units who are working together. And so we ask people, "Tell us how you measure your application security programs?" And when you look at the financial institutions, 77 percent specified a number of vulnerabilities found, right. So, that's the primary tool that they use. They look at the results of static analysis testing, the results of dynamic analysis testing and the results of penetration testing. And they aggregate these things together. And they say, this is the metric that we're going to use to measure application security baseline. Now, there were other metrics people cited. 62 percent talked about compliance to internal standards, so for example, thou shalt do penetration testing, as a standard.
Rohit Sethi: [00:06:54:00] Surprisingly only 62 percent of organizations measured the compliance to those standards. So, you can imagine there's a large swath of companies who will, you know, create information security policy and come up with standards. And people may not be following those standards and they really don't have a way to track it. After that, we couldn't anything that more than half of our FI respondents were doing. So for example, measuring the length of remediation or the number of development teams who are using tools, or training. Both of these things were done by 46 or 38 percent respectively of the respondents. So really, you know, the key metric people are using is number of vulnerabilities found.
Dave Bittner: [00:07:35:24] That's Rohit Sethi from Security Compass. The report is called Managing Application Security, and you can download it from their website.
Dave Bittner: [00:07:44:08] In ordinary cybercrime news, researchers at Wandera report a dramatic rise of SLocker Android ransomware variants (and infections) over the last six months.
Dave Bittner: [00:07:55:06] A flaw in Android 6.0.0 (Marshmallow) permissions could allow malicious apps to download directly from Google Play, according to a report by security firm Check Point.
Dave Bittner: [00:08:06:05] And finally, US President Trump dismissed FBI Director Comey late yesterday over Comey's handling of campaign-season email security investigations. Sources indicate that the FBI's need to correct the Director's inaccurate testimony before the Senate last week, was the proximate cause of the firing, but that termination was likely in any case, as the President is said to have lost confidence in and fallen out with the now former-Director. The Justice Department continues its investigations of Russian operations in the US, particularly alleged connections to former National Security Advisor Flynn.
Dave Bittner: [00:08:45:07] Time for a message from our sponsors at E8 Security. They'd like to invite you to take a joyride. But it's not the kind of bad behavior that you'll find in the joyrides of say, the French Connection or Gone in 60 Seconds. It's a joyride into behavioral analytics, the indispensable tool for being able to tell good behavior from bad behavior. You'll know the bad actors by what they do, how they behave and not by who they say they are. The experts at E8 are offering you a first hand look on a small scale with no obligation, at what behavioral analytics can do for you. Go to E8Security.com/JoyRide and hop on in. Seeing is believing. So check out E8Security.com/JoyRide and let E8 show you what they can do. And we thank E8 for sponsoring our show.
Dave Bittner: [00:09:35:07] And I'm pleased to welcome back to the show Malek Ben Salem, she's the Senior Manager of Security and R&D at Accenture Labs. Malek, welcome back. It's been too long, we are excited to have you back on the CyberWire.
Malek Ben Salem: [00:09:46:16] Thank you, and I'm excited to be back too.
Dave Bittner: [00:09:48:18] So, you have some survey data you wanted to share with us. Accenture did a security survey and you wanted to share some of the results.
Malek Ben Salem: [00:09:56:17] Sure, yes. So Accenture has completed a study recently aiming at redefining security performance and how to achieve effective security. Now defining high performance security is not a simple task. Companies can measure successful security outcomes, but what we wanted to focus on is specific cybersecurity capabilities that can help business leaders understand the interlog of security and business outcomes. So we focused on certain capabilities like, is security aligned to the business? Cyber response readiness. Strategic threat contacts. Investment deficiency. Things like the cybersecurity capabilities of the extended ecosystem. And so we surveyed about 2,000 security executives, senior security executives, across 12 industries globally. And these were from companies that had revenues in excess of $1 Billion.
Malek Ben Salem: [00:11:07:11] And the findings were interesting. What we found out is that, in some categories, there was a lot of room for improvement. Of particular concern was the identification of high value assets in business processes within the company. This was basically the capability that most companies scored very low on. Only about 27 percent of those companies had scored high basically, in that capability.
Dave Bittner: [00:11:39:07] And describe to me what does that capability entail?
Malek Ben Salem: [00:11:43:05] So that entails that, an enterprise or an organization would know what are its key assets, the assets that need to be protected. Whether these assets are data or business processes or infrastructure. Which is alarming, right, you'd think that that's something that they would start with.
Dave Bittner: [00:12:02:20] Sure.
Dave Bittner: [00:12:05:21] [LAUGHS] If there's one thing you're going to know--
Malek Ben Salem: [00:12:08:09] Exactly, that they build their security strategy on. But it seems that that is not the case.
Dave Bittner: [00:12:15:12] Hmm.
Malek Ben Salem: [00:12:16:02] We've also noticed a significant difference across industries. So we've seen that the communication industry, the high tech industry and the financial services industry scored pretty high in most of the cybersecurity capabilities, versus industries like life sciences, for example, scored really, really low, when it came to cybersecurity capabilities.
Dave Bittner: [00:12:44:23] Interesting. So if people want to check out more of the data, where can they find the results of the survey?
Malek Ben Salem: [00:12:51:07] They can go to the Accenture website, accenture.com and search for the Accenture Security Index.
Dave Bittner: [00:13:00:03] Alright, terrific. Malek Ben Salem, thanks for joining us.
Dave Bittner: [00:13:05:06] And that's the CyberWire. For links to all of today's stories, along with the interviews, our glossary, and more, visit TheCyberWire.com. Thanks to all of our sponsors who make The CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance protects you using artificial intelligence, visit cylance.com.
Dave Bittner: [00:13:23:04] If you enjoy The CyberWire every day we hope you'll consider leaving a review of us on iTunes. It is one of the best ways that you can help other people find our show. And of course you can show your support for The CyberWire by supporting us on Patreon. Visit patreon.com/TheCyberWire to find out about how to become a contributor, and all of the benefits we've put together for those who give.
Dave Bittner: [00:13:44:06] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik, social media editor is Jennifer Eiben, technical editor is Chris Russell, executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening.