The CyberWire Daily Podcast 5.19.17
Ep 353 | 5.19.17

WannaCry wraps up its first week. No patches for Marshmallow. Women in Cybersecurity survey results.

Transcript

Dave Bittner: [00:00:00:09] The CyberWire podcast is made possible in part by listeners like you who contribute to our Patreon page. You can learn more at patreon.com/thecyberwire.

Dave Bittner: [00:00:12:21] IoT risks at home, the crooks are interested. Twitter outages aren't just you. Android Marshmallow won't be getting a patch, just a replacement. WannaCry observers focus on North Korea as a possible source. Results from the 2017 Global Survey on Women In Cybersecurity and no one, yet, knows who the ShadowBrokers are with any certainty, or it they do, they're not talking.

Dave Bittner: [00:00:41:12] Time to take a moment to tell you about our sponsor Recorded Future. You've heard of Recorded Future. They're the real time threat intelligence company. Their patented technology continuously analyzes the entire web, to give info sec analysts unmatched insights into emerging threats. We subscribe to and read their Cyber Daily. They do some of the heavy lifting in collection and analysis that frees you to make the best informed decisions possible for your organization. Sign up for the Cyber Daily email and every day you'll receive the top results for trending technical indicators that are crossing the web. Cyber news, targeted industries, threat actors, exploited vulnerabilities, malware and suspicious IP addresses. Subscribe today and stay ahead of the cyber attacks. Go to recordedfuture.com/intel to subscribe for free threat intelligence updates from Recorded Future. It's timely, it's solid and the price is right. That's recordedfuture.com/intel. And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:45:20] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Friday, May 19th, 2017.

Dave Bittner: [00:01:55:00] WannaCry is closing out its first week in the wild. We'll get to WannaCry shortly, but first some of the other developments we're seeing in cybersecurity.

Dave Bittner: [00:02:04:00] Prague-based security company Avast warned this week of new risks in the Internet-of-things as it's realized in homes. Routers, obviously, and also such devices as Internet-enabled televisions are being increasingly prospected by criminals. They advise taking precautions. There's little safety in being small fry. You, if you're a small fry, may not be interested in cybercriminals, but small-fry crooks are interested in you.

Dave Bittner: [00:02:31:08] Twitter has sustained widespread outages due to unknown causes over the past twenty-four hours. Japan, the United Kingdom, outages centered in London, and the United States, mostly the Middle Atlantic region, from Washington through New York, are being reported as principally affected. So if Twitter's not working for you, be aware that you're not alone and that it is, as they say, "a known issue."

Dave Bittner: [00:02:54:18] Another known issue is exploitation of known-but-unpatched vulnerabilities. WannaCry hit machines for which patches existed but to which patches weren't applied. Security company Check Point Software last week warned of a different unpatched vulnerability, this one affecting Android systems. The flaw appeared with the Marshmallow version of Android, and has exposed many devices to malware. According to Check Point about three-quarters of ransomware and some 14 percent of banking malware afflicting Android exploit this bug. Google says it will address the issue in this Fall's coming release of a new Android version, but that they won't patch older versions. Many in the security industry have criticized Google for this decision, contrasting it with Microsoft's response to the EternalBlue exploits. Android has become what some call a "tangled" ecosystem, but on the other hand, Google has been notably aggressive in pushing other vendors to patch the vulnerabilities Google researchers find in those vendors' products. This hasn't gone unnoticed, and many are suggesting the Google gander take a dip in the sauce it's been ladling onto the geese.

Dave Bittner: [00:04:00:18] Shortly after the ShadowBrokers dumped EternalBlue last month, a number of security companies warned that unpatched and old Windows systems were seriously vulnerable to exploitation, yet a disappointingly small number of enterprises took steps to protect themselves. Some security industry introspection at week's end mulls the possibility that too much crying "wolf" has numbed users against such warnings.

Dave Bittner: [00:04:26:17] Turning to WannaCry proper, the consensus at the end of the ransomware's first week in the wild, is that it's been a considerable nuisance, but not a catastrophe. Most observers continue to think it was a poorly executed North Korean effort to get badly needed cash, but this preliminary attribution awaits confirmation. China and Russia were hardest hit, and the infestation that struck the UK's National Health Service was worrisome in that it interfered with patient care. Machines running legitimate and up-to-date versions of Windows were essentially immune to WannaCry. Going forward, consider following some of the advice on sound digital hygiene the security industry is offering to protect your systems from ransomware. Patch and install all updates, back your data up to an offline hard drive, and use reputable security software.

Dave Bittner: [00:05:15:11] The EternalBlue exploits used by the unknown actors behind WannaCry do remain a potentially serious risk. Rumors circulate of a related DNS campaign apparently aimed at establishing persistence in its targets. Its command-and-control is said to have gone dark when WannaCry went public. Sedco reports early, evasive EternalBlue exploitation that spawns malicious threads inside legitimate applications. Whatever, if anything, may be up with what Sedco is observing, it appears to be laying the groundwork for some future campaign.

Dave Bittner: [00:05:50:00] The ShadowBrokers, of course, are the ones who leaked the EternalBlue exploits last month. By consensus, those were NSA discovered exploits, and the agency has attracted considerable criticism since their release. It appears NSA tipped Microsoft off to the vulnerabilities earlier this year, which prompted Microsoft not only to move out of its regular patch cycle in February, but to issue patches for vulnerable software that's beyond its end-of-life and no longer supported. No one knows who the ShadowBrokers are, although there's plenty of speculation that they're either highly skilled hacktivists or Russian intelligence service operators. No one is saying either, how the ShadowBrokers got their hands on the Equation Group tools they've been leaking. That's one investigation whose results the security community awaits with close interest.

Dave Bittner: [00:06:42:23] As our sponsors at E8 Security will tell you, Bliss is not only knowing what's going on in your networks, but being able to distinguish the goodness from the badness. That's their promise for their behavioral analytics and they're willing to show you too. So, go to e8security.com/joyride for a small scale checkout where you can see for yourself. Their behavioral analytics platform gives you insight into every stage of the attack life cycle across your network, users and end points, even those often overlooked little things in the Internet of things. The bad actors can spoof an identity, they can steal a credential, but their crimes will betray them. That's what behavioral analytics can do for you. You can check it out for yourself at e8security.com/joyride. Don't let the data trees get in the way of seeing the risk forests and enjoy the ride. And we thank E8 for sponsoring our show.

Dave Bittner: [00:07:41:23] And I'm pleased to be joined once again by Rick Howard. He's the Chief Security Officer at Palo Alto Networks and he also heads up their Unit 42 Threat Intel Team. Rick, welcome back. You all had some recent research into the Shamoon attack that you wanted to share with us?

Rick Howard: [00:07:56:05] Yes. You know, back in 2012, cyber adversaries used a nasty piece of malware called Shamoon to infect one of the world's largest oil companies, Saudi Aramco, and destroyed 30,000 in points. Again, since then, somebody has been upgrading the code with new functionality and attacking new victims. Unit 42, the Palo Alto Network's Threat Intelligence Team tracked the first update back in November of 2016. Since then, there have been two more updates. The latest though is a case study on one way that cyber adversaries attempt to move laterally within a network once they've established a beachhead. Now, a couple of things here. Unit 42 is still a little bit unclear on the entire adversaries play book here, but they now know a few more plays. Somehow, the adversaries use legitimate credentials, most likely admin credentials, to log into existing in points within the victim's network. We don't know how they obtain the credentials, so that's one of our blank spots. But once they're legitimately logged into the first in point, they use that as their beach head.

Rick Howard: [00:08:58:15] They then connect it to a set of host names used within the victim's network that they already had. And, again, we don't know how they got that list either. But the host names belong to machines not on the local subnet. So this is how they spread their tentacles. Once on a different local subnet, they would scan for all the machines on that subnet and legitimately log into all of them to install the destructive payload. So, that is simple but ingenious. You and I have talked before about how most cyber adversaries do not compromise machines with zero day exploits a lot. You know, they try to steal credentials and use them to legitimately log into in points. This third wave of Shamoon attacks demonstrates the technique.

Rick Howard: [00:09:43:12] So, to protect yourselves from these kinds of attack, here's my recommendation at a high level. Seek vendors who will help you install two factor authentication into your systems and who will help prevent your employees from being socially engineered into giving up their credentials to some fake website. But fascinating attack sequences that Unit 42 is discovering.

Dave Bittner: [00:10:02:23] And once again, I mean, we come back to this critical nature of credentials and the importance of training your employees, you know, where people might be trying to trick them out of giving them up.

Rick Howard: [00:10:12:20] I know. And this is one of my pet peeves too. You know, I really balk that we have to train the grandmas of the world to be careful about their passwords because, you know, I have trouble with this. I can't believe my mother-in-law is not going to have trouble with it. So there is technology out there. We've talked in a previous interview about some of the things you can do that kind of reduce the attack surface, and there is technology that your security vendors have that can force you to use two factor authentication using the firewalls and enforcement mechanisms, so that's great. That makes it a lot easier to deploy that stuff in your applications you have internal to your employees and the ones that are external. There's even technology out there that looks for employees being tricked into giving their legitimate credentials to fake websites. So seek those vendors out and get that installed in your network.

Dave Bittner: [00:11:00:22] Alright. Rick Howard, thanks for joining us.

Dave Bittner: [00:11:07:06] And now a moment to tell you about our sponsor ObserveIT. We hear about all sorts of threats and the spectacular tales of hacking that grab people's attention. But what about the threat that every organization faces that goes unnoticed. The insider threat. Insider theft of sensitive data is already the occasion of some of the biggest business litigation of the 21st Century. Whether the insider is malicious or just mistaken, they can take your business down before you know what's hit you. If proprietary data walking out the door or vendors accidentally taking down critical systems keep you up at night, take at a look at ObserveIT's free guide "Quick Wins For Reducing Insider Threat" at observeit.com/cyberwire. Their mission is to help you identify and eliminate the insider threat by knowing what your people are doing in real time. Check out observeit.com/cyberwire to learn more about managing insider risk today. And we thank ObserveIT for sponsoring our show.

Dave Bittner: [00:12:10:21] My guest today is Joyce Brocaglia. She's the CEO of Alta Associates and founder of the Executive Women's Forum. She returns to the CyberWire to review the results of the Biennial Women In Cybersecurity Report, which was generated using data from the 2017 Global Information Security Workforce Study, which is a project of the Center For Cyber Safety And Education and ISC Squared.

Joyce Brocaglia: [00:12:34:17] The main thing that I took away from this is that it's not really just one thing. The survey was conducted by almost 20,000 cybersecurity professionals, of which over 2,000 were women and they answered various questions and I think some of the results are pretty eye popping. Unfortunately, the numbers haven't changed much in terms of the representation of women in cybersecurity. This is a biennial study. It was done in 2013 and 2015 and consistently in 2017, women still represent globally about 11% of the total population. So, as you know, since women make up about 50% of the total population, 11% in cybersecurity is not a great representation. And the fact that it hasn't changed is very troubling.

Joyce Brocaglia: [00:13:25:05] What I also found troubling is that 51% of women reported various forms of discrimination in the workplace and that 51% escalated all the way to 67% as women rose through the ranks and that is compared to 15% discrimination decided by men. And I'll be curious when the diversity study comes out, how many of those 15% are actually diverse men. So I think the gap is probably larger than that. The other thing that is important to be noted is that although women across the board have higher levels of degrees, they have much less representation in senior executive and management positions. Men are four times more likely to hold C level positions or executive positions than women, and nine times more likely to hold managerial positions than women. Kind of the find straw, if you will, is that women at every single level from the staff through the C level are still reporting that they're earning less than men are. So, when you say kind of what's the one big thing? I think the one big thing is that it's not just one thing. It's really the confluence of all of these events that make this a problem that really, really needs to be actively addressed.

Dave Bittner: [00:14:49:20] What does the survey point out in terms of what's driving the gap? It sounds like it's not education.

Joyce Brocaglia: [00:14:54:07] Well, I think one of the things that's driving the gap is that when you look at the combined statistics and also the statistics that 28% of women indicated that their opinions are not valued. When you look at the fact that their opinions aren't valued, they're being discriminated against at high numbers, they're paid less, it's kind of a bad trifecta. It's the combination of those things that if it's not addressed we're never going to shorten or close that gap. I think that there are some highlights to the report. Women who feel valued in their organizations report that they have a higher level of access to sponsorship and mentorship type programs. The people that feel valued, the women that feel most valued and also very supported and successful in their roles, feel that they also have benefited from leadership development programs.

Joyce Brocaglia: [00:15:46:07] So I think that there's a clear correlation that you might be able to draw from engaging women earlier on in their careers and providing them access to stretch assignments, providing them access to, you know, both internal and external leadership development programs, period mentoring programs. Then all of that makes a difference in their ability to be selected and noted as high potential women. Of course, that helps with the retention of the women in the field.

Dave Bittner: [00:16:19:19] The reports refers to actionable solutions. Can you take us through some of those?

Joyce Brocaglia: [00:16:25:05] Well, first of all, we talk about really creating and being aware of the need to create an inclusive workplace that really supports women. So, some of that has got to do with evaluating the unconscious and the conscious bias in your recruiting practices and looking at performance evaluations on an ongoing basis. Gaining data and making that data available to both women and men in the organization, of what the female pipeline is and ensuring that you include women in those succession plans to executive and C level roles. Sometimes I've seen companies that I do recruiting for being successful because they actually tie gender equality goals to their business objectives, as well as to their executive compensation. That seems to get people's attention. You know, I think being transparent in terms of salary ranges and areas of opportunities for promotion, gives opportunities for women to know that hey, this is where I stand in that median range, if I'm above it or below it, and maybe I do need to step forward and negotiate on my own behalf.

Joyce Brocaglia: [00:17:38:23] We see many companies having employee resource groups, but that's kind of a shotgun approach. I don't know that that's having the effect that is going to be strong enough to really close this gap. You know, unfortunately, I think that companies really have to kind of put their money where their mouth is and step up to the plate and spend time and energy and dollars to invest in sponsorship programs, mentorship programs, training, giving women access to conferences and events and areas where they can be mentored by women, either internally and externally, and certainly being mentored by men. I know at the Executive Women's Forum we have a tremendous amount of men that are corporate ambassadors who do an awesome job of not just building diversified workforces, but really supporting and mentoring the women on their team. You know, this is a problem that needs to be solved from the top down. The executives of a corporation really set the goals and the standards and that it's up to cybersecurity executives, which are predominantly male, to really take conscious actions and talk to their hiring managers and their teams about the importance of really bringing, you know, the 50% of the population that is women into their organizations, because every study shows that when women are added to teams, their effectiveness increases.

Dave Bittner: [00:19:09:24] That's Joyce Brocaglia from Alta Associates and the Executive Women's Forum. The biennial Women In Cybersecurity Report can be found the Center For Cyber Safety Education website.

Dave Bittner: [00:19:24:11] And that's the CyberWire. Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can protect you through their use of artificial intelligence, check out cylance.com.

Dave Bittner: [00:19:38:11] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik, social media editor is Jennifer Eiben, technical editor is Chris Russell, executive editor is Peter Kilpe and I'm Dave Bittner. Have a great weekend everybody. See you back here on Monday. Thanks for listening.