The CyberWire Daily Podcast 9.26.17
Ep 442 | 9.26.17

Equifax C-suite retirements continue. Deloitte still has little to say about its breach. Mac OS zero-day goes unpatched. Russian influence operations.


Dave Bittner: [00:00:01:01] It's no secret that people who support the CyberWire on Patreon are smart and attractive. Find out how you can join them at Patreon dot com slash the CyberWire. Thanks.

Dave Bittner: [00:00:14:11] Equifax CEO Smith retires. Deloitte remains tight-lipped. Suggestions about how to identify and investigate breaches. Mac OS High Sierra suffers from a password exfiltration zero-day. Two days after Germany's elections and the Russian dog hasn't barked (or the bears growled), but there are plenty of 2016 paw prints over US opinion.

Dave Bittner: [00:00:41:18] Time to take a moment to tell you about our sponsor Recorded Future. What do you do in the first week in October? If you're a threat intelligence enthusiast, consider joining Recorded Future for RFun 2017 in Washington DC on October fourth and fifth, and say hello to us. The CyberWire will be there and podcasting from the floor on the fifth. This year's annual conference promises to be at least as good as the last five. After all it's organized by Recorded Future, the people who know a thing or two about collection and analysis of the information out there on the web. Recorded Future customers, partners and threat intelligence enthusiasts are all invited to RFUN 2017. Meet others like you, people who understand that cybersecurity depends upon actionable intelligence. Network with your information security peers to learn how others apply threat intelligence powered by machine learning. RFUN is the place to be. Register now at Recorded Future dot com slash RFUN. And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:50:21] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, September 26th, 2017.

Dave Bittner: [00:02:02:00] Equifax CEO and chairman Richard Smith retired this morning in an apparent gesture of atonement for the company's massive data breach. Paulino do Rego Barros Jr. has been appointed interim CEO; Mark Feidler will become non-executive chairman. Smith joins the CIO and CSO in breach-linked retirement. The company said that Smith and the board “expressly agreed to defer any formal characterization of his departure and the determination of any payments or benefits” Smith may be owed until after the review of the data breach. The new chairman said: “Equifax is a substantially stronger company than it was 12 years ago. At this time, however, the board and Rick agree that a change of leadership is in order.” Smith is still scheduled to be grilled by Congress in coming weeks. Various Senators and Representatives have jumped up to declare their continuing dudgeon and reassure their constituents that they won't be mollified by a handful of high-profile retirements. Equifax continues to receive very harsh reviews for incident response, as experts warn all to brace for a breach-enabled cybercrime wave. The McClatchy news service offers a dismally probable list: theft of your tax refund or social security check; someone getting a second mortgage on your house; renting a car while pretending to be you (and then wrecking that car); or buying a gun in your name. The incident should prompt some serious examination of identity management. The old, familiar forms of establishing that you are who you say you are are obviously no longer remotely adequate.

Dave Bittner: [00:03:41:08] Deloitte continues to be tight-lipped about its own breach. Reuters reports that the company says only six customers were affected, the information lost was relatively minor, and the affected customers were informed in a timely fashion. Deloitte's websites and Twitter feeds haven't addressed the breach yet, as far as we can tell. "Engage in proactive messaging to the broader base of stakeholders and the public regarding what is known and not known, and what the organization is doing." Those words figure into Deloitte's own advice on how to handle the strategic and reputational risk of a breach. If the breach really is restricted in scope, perhaps the number of stakeholders is sufficiently limited that quiet and private communication is the appropriate approach; there may indeed be good reason for holding information close. Some observers think it possible the breach may be more widespread and consequential in its effects, but it's still too early to tell.

Dave Bittner: [00:04:37:22] With three major breaches disclosed in less than a month (Equifax and Deloitte, and, lest we think this is all confined to the private sector, let's not overlook the Securities and Exchange Commission), there are many calls to do something. One example of something that may be worth considering came from Ron Gula, security expert and founder of Gula Tech Ventures. He suggests that governments might play a role in post-breach investigation that's analogous to the role the US National Transportation Safety Board plays in accident investigation. Some threshold would need to be established; suggestions are surely welcome.

Dave Bittner: [00:05:14:16] Most observers agree that Equifax's response to their breach has been handled poorly, to say the least. So what's the proper response to a breach? We spoke with Steven Moore, VP and Chief Security Strategist at Exabeam. Before joining Exabeam, he was with Anthem playing a leading role in the response and remediation of their breach. So his advice comes from experience.

Steven Moore: [00:05:37:02] Usually what happens in most organizations, if they don't self discover, is a lot of chaos and a lot of quick political changes within the company. Heroes will emerge, a very quick change will occur inside of the company, sort of when the aliens arrive, if you will. So everyone stops sort of fighting internally and begins to focus very clearly on a new and distinct problem.

Dave Bittner: [00:06:00:01] Do they find that the planning that they did ahead of time is generally sufficient to recover or are things coming at them fast and furious?

Steven Moore: [00:06:08:02] From my experience, the planning that happens before is insufficient, largely because they've focused on the wrong problems. They may have protocols for certain things, but they've never actually had to go and attack the problem at the speed and at the breadth that they're faced with in a breach, especially if someone knocks on the door, like a customer or maybe even an adversary or someone like the FBI and says, hey, you've had a problem.

Dave Bittner: [00:06:36:05] What are the typical actions that people take and what parts are good and which parts are mistakes?

Steven Moore: [00:06:41:02] Part of the actions that are forced on someone or an organization, they typically buy into three things. They're buying visibility; they're buying some sort of analytics, or someone to sort of decipher what has happened; and then response. Other things that pop up, a great emphasis on managing the message, pulling people from one job into another. There's a lot of other sort of operational, sort of hero work that occurs as well.

Dave Bittner: [00:07:08:05] And so, in the meantime, the day to day business has to be done. How do organizations generally handle that?

Steven Moore: [00:07:16:11] That's a fantastic question. In many cases it doesn't. There are cases where, depending on what happens inside the company, there may be a shutdown of critical systems. There may not be enough resources or maybe enough planning to spin those up into another location. So I have experience with a company that I did business with in my past, that provided a service. It was such a bad situation that they had to shut down completely for months, and as a service provider to my former employer, that was a very sticky situation, because now you're sort of in a vendor management disaster recovery situation.

Dave Bittner: [00:07:59:03] Do people find themselves dealing with sort of an unexpected emotional hit?

Steven Moore: [00:08:03:24] Absolutely. I can tell you first hand that when something like this happens, people are afraid. There's a hit to an ego. Often in information security, we get to play the hero. We get to solve problems and do very cool things. So when a negative event happens, it can really hurt our self image, speaking very plainly and very directly. And then the choice becomes, and I've had to share this first hand with some of my staff, and people I care about that I worked with, and say the problem is here. It's your choice on how you behave. You know, you have to sort of ride the bomb all the way down and your actions, through this crisis, will dictate your career from here on out, and so there's a huge opportunity as well.

Dave Bittner: [00:08:50:00] So take us through what kind of advice you have for organizations? What are some of the best practices they can engage in, if they get word that there's been a breach?

Steven Moore: [00:08:59:11] The first thing they want to do is think very quickly and be self aware, if not already, about what gaps might they have? Do they have relationships with the local authorities? Might they need outside investigative help? Or even PR help? So a quick triage of those things, that's out of the gate. I mentioned earlier about sort of acquiring or buying or thinking about visibility, analytics and response. You're going to have to have that, and it may be a combination of things you buy; services you acquire. That's a necessity. So scoping what you're doing and using economies of scale to pull together vast amounts of information to sort of stitch together timelines for response. So be aware, and then begin thinking about how you plan to run the investigation, obtain visibility, obtain analytics and response. That's where I'd start.

Dave Bittner: [00:09:54:02] You know, there's that old saying about how an ounce of prevention is worth a pound of cure. What can people do on the preventative side to make things easier if they do face something like this?

Steven Moore: [00:10:04:23] One of the things, and this may be a weird one, when you're in a situation, like a breach, you're going to have to go deep. You're going to have to go very deep. You will end up pulling in people who might have been an analyst, and they may need to come up and operate like a director. Let me explain. In the Anthem breach, at the time I was a junior level director, but because of circumstance, I had to get pulled into very quickly executive level discussions. One story: I had to get on with a 1,000 of our largest clients, with seven minutes notice and virtually no sleep for many days. Had my mentors not prepared me for really public speaking and being able to share complex thoughts with a wide audience, I would have failed miserably. So that's one thing I think you can do. Grab the up and comers and start inviting them in to even give pitches, presentations before a crisis. So identify those people, knowing you're going to have to go deep.

Dave Bittner: [00:11:02:01] That's Steven Moore from Exabeam.

Dave Bittner: [00:11:05:18] Apple is updating MacOS High Sierra. Unfortunately, it comes with a security hole. Synack's chief security researcher Patrick Wardle has demonstrated a password exfiltration zero-day. He says he disclosed it to Apple earlier this month, but that no patch was made available for it. Wardle told ZDNet he likes Macs a lot, but thinks Apple has badly oversold their product's reputation for security.

Dave Bittner: [00:11:31:21] Germany's Sunday elections returned Chancellor Merkel to office with a different coalition and without much evidence of Russian influence. More information on the influence operations in the 2016 US elections is out, however. Exactly how they sought to interfere is slowly coming to light; purchased Facebook placements are the latest tactic. Why they were doing it is no mystery at all: division and discord based on race, religion, and class seem to have been Moscow's goal.

Dave Bittner: [00:12:05:13] A quick note about our sponsors at E8 Security. They understand the difference between a buzzword and a real solution, and they can help you disentangle them too, especially when it comes to machine learning and artificial intelligence. You can get a free white paper that explains these new, but proven technologies at E8 Security dot com slash CyberWire. We all know that human talent is as necessary to good security as it is scarce and expensive, but machine learning and artificial intelligence can help your human analysts scale to meet the challenges of today's and tomorrow's threats. They'll help you understand your choices too. Did you know that while we might assume supervised machine learning, where a human teaches the machine, might seem the best approach, in fact unsupervised machine learning can show the human something unexpected. Cut through the glare of information overload and move from data to understanding. Check out E8 Security dot com slash CyberWire and find out more. And we thank E8 for sponsoring our show.

Dave Bittner: [00:13:09:18] Joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute. Joe, welcome back.

Joe Carrigan: [00:13:15:11] Hi Dave. How are you?

Dave Bittner: [00:13:16:10] Pretty good. You know, you have made the point several times here on the CyberWire that you're a big fan of password managers.

Joe Carrigan: [00:13:23:20] I am.

Dave Bittner: [00:13:24:06] I am a recent convert to password managers, and I must admit I was skeptical at first. I thought how could this, isn't this just another level of complexity for me to throw into things, you know, having to manage my passwords?

Joe Carrigan: [00:13:40:23] It adds complexity to your passwords, but it makes it easy for you to do that and when you add complexity to passwords, your passwords are better.

Dave Bittner: [00:13:51:14] And what's impressed me is how, you know, we're using one of the big name ones. I'm not going to name it here and give them a free plug, but it's one of the ones you've heard of and they really do make it easy. Not only do they store your passwords, they store the sites where those passwords are, so you can go in and, you know, because there are some things like I rarely use, you know, I rarely log into the account where my dental insurance is stored, and so it's easy for me to forget what that password is, but with the password manager, it's all right there. It's automatic.

Joe Carrigan: [00:14:25:11] That's exactly right. I use, I will tell you the one I use, because the one I use is open source. It was designed by Bruce Schneier. It's called Password Safe. It's not cloud based, so I have to keep it somewhere where I can access it anywhere I need to access it, but I keep it on a thumb drive and have it available, usually anywhere I need it to be. It does all the same things. It stores the websites, stores my username, stores my passwords and allows me to have really, really complex passwords. You know, my default policy for a website is 20 characters, random generation. It doesn't have to be pronounceable words or anything, with all kinds of special symbols. There's no way I'd ever be able to remember that. If somebody asked me right now what my Facebook password is, I would not be able to tell them.

Dave Bittner: [00:15:14:06] Well, and another point was, you know, people sort of push back and say, well then don't you just have one password that rules them all and, you know, because you have to have a password to get into your password manager, and so that's sort of the keys to the kingdom.

Joe Carrigan: [00:15:26:19] It is the key to the kingdom. You are creating essentially a single point of failure, but now what has to happen is somebody has to target you specifically to get that. You know, that can happen, certainly. It's a lot less likely than one of these 200 websites that are in my password manager being hacked. That's actually far more likely. That's the bigger risk, I think.

Dave Bittner: [00:15:45:23] And the other thing is that with these password managers, you can have multi factor authentication turned on. So even if someone did get that, you know, the main password, the keys to the kingdom, I would still get a notification that I still have to do the multi factor to log in. So there's a backup there. It doesn't seem as dire as it was.

Joe Carrigan: [00:16:07:06] No, the multi factor authentication is great.

Dave Bittner: [00:16:09:16] You won me over.

Joe Carrigan: [00:16:12:15] I'm glad.

Dave Bittner: [00:16:13:20] I have to say, like I say, I was skeptical at first, but let me just put the word out there that from Joe and Dave, if you're not using a password manager, it's easier than you think it's going to be, and boy, does it really make your security, it ups the level of security, right off the bat.

Joe Carrigan: [00:16:30:09] It does.

Dave Bittner: [00:16:30:18] So money well spent.

Joe Carrigan: [00:16:31:20] Yes, especially if it's free.

Dave Bittner: [00:16:33:24] Especially if it's free.

Joe Carrigan: [00:16:34:16] And I know I've said it, you know, I've said that in the past, I've said, you know, if it's free, they're monetizing it somewhere, but generally an open source software, particularly with this product, the Password Safe, they're not monetizing it. It's just something that somebody did for the good of humanity.

Dave Bittner: [00:16:50:01] Right. Next week on the CyberWire, how Joe's passwords all got compromised by the free software he was using online, and how Dave laughs at him for not using a paid product. So make sure you don't miss that. All right, Joe, thanks for joining us.

Joe Carrigan: [00:17:03:16] My pleasure, Dave.

Dave Bittner: [00:17:06:22] And that's the CyberWire. Thanks to all of our sponsors, who make the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit Cylance dot com. If you enjoy our show, we hope you'll consider leaving us a review on iTunes. It is one of the best ways you can help people find us. We do appreciate it. The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik, social media editor is Jennifer Eiben, technical editor is Chris Russell, executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening.