Investigation, introspection, watchdogs, and leakers. The risk of collecting and storing data.
Dave Bittner: [00:00:01:03] So it's the end of your fiscal year and you find you have a whole bunch of money just left sitting around in your budget. What are you going to do with it? Head on over to patreon.com/thecyberwire and become a supporter of our Podcast. Thanks.
Dave Bittner: [00:00:16:11] Nation-state influence operations against elections prompt investigation, introspection and policy studies. We hear about the implications of a major voter database exposure in the US, and about what might be done to mitigate such risks. Leaks from intelligence services seem to be inflicting collateral damage on Internet users as they find their way into criminal hands.
Dave Bittner: [00:00:42:18] A few words about our sponsors at E8 Security. If you've been to any security conference over the past year, you've surely heard a lot about artificial intelligence and machine learning. We know we have. But E8 would like you to know that these are not just buzzwords, they're real technologies and they can help you derive meaning from what an overwhelmed human analyst would see as an impossible flood of data.
Dave Bittner: [00:01:03:15] So go to e8security.com/cyberwire and let their white paper guide you through the possibilities of these indispensable, emerging technological tools. Remember the buzz about artificial intelligence is not about replacing humans, it's really about machine learning, a technology that's here today. So see what E8 has to say about it and they promise you will not get a sales call from a robot. Learn more at e8security.com/cyberwire. And we thank E8 for sponsoring our show.
Dave Bittner: [00:01:41:09] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, June 21st, 2017.
Dave Bittner: [00:01:51:11] Today's news involves consideration of nation-state cyber conflict. US Senators push the Department of Homeland Security to release a full report on its investigation into US election influence operations. Former Homeland Security Secretary Johnson calls for more Federal assistance with election security. New York State is not waiting, their Governor has announced a major state-wide study of election security.
Dave Bittner: [00:02:16:02] One election-related incident is the exposure of a voter database by Deep Root Analytics, disclosed last week. We heard from Cybernance, whose CEO, Mike Shultz, shared his perspective on the incident.
Dave Bittner: [00:02:28:06] The exposure occurred when the data were hung out on an Amazon S3 account. This reminded us of another recent exposure, that of National Geospatial Agency sensitive-but-unclassified information, similarly left out for inspection in S3 by an NGA contractor. We asked Shultz, and he said the two incidents were coincidental, but not surprising. "More than 80% of data breaches are a result of the breakdown of internal practices, policies, process and people." He thinks this most recent case probably shows a lack of executive commitment to proper cybersecurity protocols. If either contractor had applied the NIST Cyber Security Framework to this aspect of their practice, Shultz thinks, the exposures might not have occurred.
Dave Bittner: [00:03:12:00] He said, "The federal government is finally beginning to lead the way through the latest cybersecurity executive order, requiring all federal agencies to assess cyber maturity and report the gaps and remediation plans to ONB, alongside a new statement confirming agency heads will now be held accountable in the case of a breach or attack.” We assume that voter information of the kind left exposed is largely a matter of public record. If that's so, why are we so concerned about this exposure? Shultz told us, “The expectation of privacy, a rational belief or not, is part of the American foundation of voting and political freedom. The greatest risk for organizations is not the data itself, but how the data is strung together. In one place, there might be an individual’s name and address, along with others who share the address, gun ownership, opinions about abortion, religion and other highly personal matters. However, the manipulation of that data to granularly segment society, segmentation of us versus them issues, groups and categories of people, can be very unsettling and even illegal. You cannot publish the name and address of a person with a license to carry a concealed handgun. If an organization knows this information, they can target them to their benefit or detriment, which is not permitted in the U.S. No matter the purpose the data collector has at the time of collection, there must exist a minimum moral obligation to apply effective controls in the protection of individuals and their data.”
Dave Bittner: [00:04:37:06] But this exposure, while it shows the risks that come with big data, shouldn't necessarily scare enterprises away from cloud services. As Shultz puts it, "Most hosting companies have invested heavily in processes and policies to provide the best data security available. Typically, hosting companies have outstanding security, often times better than individual corporations. This data circumstance was an internal failure to adequately apply policy, process and personal training to secure the data internally in this context for Deep Root Analytics. It's akin to parking your car in the street and leaving the keys in the ignition.”
Dave Bittner: [00:05:12:14] At this stage of the investigation, it seems to Shultz that the problem lies with Deep Root Analytics' use of the S3 cloud, and not with the Amazon service itself. According to UpGuard’s report of the discovery, it appears the security controls for this data repository were not activated. He drew two lessons from the incident. First, data should be collected with ethical oversight and clear consideration of security. Second, hosting of and access to data should be done under national standards for cybersecurity.
Dave Bittner: [00:05:43:01] We often speak of companies having teams of IT and security professionals defending their networks round the clock, 24/7. But what about small businesses? The mom and pop shops or one off companies who lack the resources for a dedicated security team. Arlen Frew is General Manager of Security Solutions and Applications at Nominum, a core DNS services company. And he gave us an overview of the cyber security challenges small businesses can face.
Arlen Frew: [00:06:08:24] The first and foremost is that they generally by definition in their small size lack dedicated IT resources. So as more and more of the world is technically based in our communication and business is more done on the Internet these days, it's really just tough for a small business owner to keep up on literally what the latest exploits and trends for the various bad actors on the Internet are.
Dave Bittner: [00:06:39:05] And when they do get hit, do they get hit particularly hard relative to their size?
Arlen Frew: [00:06:45:04] It can be, it can be devastating for a small business. One of the biggest threats to small business these days is ransomware. What they have found is that small business owners, because when that happens they probably don't have really good backup systems or even the technical skill to quickly and effectively recover the laptop problem, even a good backup. And so it's often more cost effective to simply pay the ransom. And some of the biggest security consultants in the world simply recommend, even the probably the FBI and NSA, you know, you should just pay the ransom. If it's $300 or $400, you really need to value what your time is and the impact to your business of just having that machine out of rotation.
Arlen Frew: [00:07:34:22] And it can affect more than just the person who downloaded the ransomware because it can spread to network devices and network drives where I know of small law firms, for instance, where you have three or four attorneys that all of their machines are locked out for a period of time. One of them can be half a day, a full day and it's just simply more cost effective to pay the ransom and move forward, and take more protective actions in going forward than try to roll it back as a very concrete example of why it's impactful for small businesses.
Dave Bittner: [00:08:10:07] And so, what are your recommendations for small businesses to protect themselves?
Arlen Frew: [00:08:14:10] Multiple, I think that first and foremost is get some visibility, and by that I mean some kind of capability of generating a report of what is happening on your network. What devices are connected, what they're connecting to, and that's especially true, you know, as more and more of our business is done on the Internet. What applications is your phone pinging out to and your laptop and all the other various devices that are on our networks today. One, where are they going? Just that pure visibility of understanding that traffic goes a long way towards helping people build very simple but very effective control mechanisms on where traffic should or should not be going. They say sunlight is often the best disinfectant and I think that's a good place to start, is get some good reporting.
Arlen Frew: [00:09:06:01] Two is kind of up level your game in terms of just understanding that a lot of links are bad. The statistics I've seen lately upwards of 30% of links in emails are somehow related to malware. Be aware, that if you don't know the source of that email sender, explicitly, you know, not clicking on something would probably be the best course of action, just in general. And then third, I think you really try to get an understanding of what's available in terms of security products and software that could protect your end points and everything that's connected to your network. So there are tools and products that are available today that can work at a level that is very easy to maintain, very easy to deploy and it really doesn't take a lot of technical knowledge or technical skill to run them pretty effectively.
Arlen Frew: [00:10:02:01] The Internet is more and more a part of our lives. We do a majority of our communication via the Internet, small businesses are doing most of their business on the Internet. And whether that's their accounting or their purchasing, everything is really in the digital domain these days. Fortunately or unfortunately, all the power and convenience and goodness that comes from being so connected also means that there's a level of risk in those connections as well that bad actors are learning to take advantage of. So I think the importance was just, one, awareness that every time you're on the Internet, you need to be aware of what you're doing and why you're doing it. I think as more and more people in our lives continue to move in that direction, it's just going to require a great amount of diligence on a business owner's personal level.
Dave Bittner: [00:10:57:24] That's Arlen Frew from Nominum.
Dave Bittner: [00:11:02:13] The US Congress also wants some answers about what appear to be, and are generally regarded as, leaks from within the US Intelligence Community. The House Armed Services Committee is looking into establishing closer oversight of the Intelligence Community, particularly with respect to cyber operations. NSA itself seems likely to receive an enhanced inspector general's office as the agency responds to a Defense Department investigation into past leaks, including progress made since the Edward Snowden affair.
Dave Bittner: [00:11:32:06] Leaks from US agencies are also regarded as having produced significant collateral damage as tools and information found their way into criminal hands. Dr. Web, for one, is tracking the progress of such tools as they're used to infect machines with Bitcoin mining software.
Dave Bittner: [00:11:48:03] Trustwave has received its 2017 Global Security Report, which looks back at the past year's security trends. There's some good news, enterprises are detecting intrusions faster, for example, but more trends are negative than positive.
Dave Bittner: [00:12:06:15] Now I'd like to share something about orchestration from our sponsor ThreatConnect. You know them as experts in intelligence but they also know a thing or two about orchestration. ThreatConnect arms organizations with a powerful defense against cyber threats and gives them the confidence to make strategic business decisions on the basis of that accurate, realistic appreciation of the threat that's essential to sound risk analysis. Built on the industry's only intelligence driven, extensible security platform, ThreatConnect provides a suite of products designed to meet the threat intelligence aggregation analysis and automation needs of security teams at any maturity level. So learn how to get started orchestrating your defenses, go to threatconnect.com/webinar and sign up for their June 22nd online session. It's free and there's no obligation. The webinar begins at 1pm eastern, time, 11am Pacific. That's threatconnect.com/webinar. And we thank ThreatConnect for sponsoring our show.
Dave Bittner: [00:13:09:03] And I'm pleased to be joined once again by Professor Awais Rashid, he heads the academic center of excellence in Cyber Security research at Lancaster University. Professor, welcome back. I think when a security expert comes to a board of directors with advice, generally that board is going to take that advice, that of all is what the security person was hired for. But you all have been doing some research that shows that perhaps maybe they shouldn't think so fast?
Professor Awais Rashid: [00:13:33:19] Yes, I mean I'm not suggesting of course that boards of directors should not listen to security experts. But the research that we have been doing looks at how different stakeholder groups within an organization approach security decisions. And what other perhaps tacit biases that underpin those decisions, because that helps us understand the how and they why behind security decision processes. So what we actually did was we designed a tabletop game, it's effectively a Lego board where people are charged with protecting a cyber physical environment, basically a small utility company. And we have been playing this game with homogenous groups of players, so are some are groups of security experts, some are managers and some are regular IT people. And studying their decision processes and how they come up with the various decisions, and do they always make good decisions.
Professor Awais Rashid: [00:14:25:12] What we've found very interestingly is that the security experts are not ipso facto better at making security decisions. In some cases they make very questionable decisions because they are often attracted by the big shiny box, the best technology, when sometimes simpler approaches such as providing appropriate security training and awareness to your staff can be a much better alternative. What we learned from this is that different stakeholders within an organization tend to have their own biases. And sometimes, you know, listening to others in an organization can actually tell you more about the security problem, the potential vulnerabilities that you may have to tackle as a security expert, than just simply relying on your own judgment and background experience.
Dave Bittner: [00:15:10:21] Professor Awais Rashid, thanks again for joining us.
Dave Bittner: [00:15:15:15] And that's the CyberWire. For links to all of our stories, along with interviews, our glossary and more, visit thecyberwire.com. Thanks to all of our sponsors, who make the CyberWire possible, especially to our sustaining sponsors Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com.
Dave Bittner: [00:15:32:22] Thanks to all of our supporters on Patreon, you can find out more at patreon.com/thecyberwire.
Dave Bittner: [00:15:39:08] The CyberWire podcast is produced by Pratt Street Media. Our Editor is John Petrik, social media editor is Jennifer Eiben. Technical editor is Chris Russell, executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening.