Dave Bittner: [00:00:03] Ticketmaster's U.K. hacking incident will provide an interesting GDPR test case. Data aggregator Exactis left nearly two terabytes of personal and business information exposed. NSA destroys telephone call data collected in ways it can't square with applicable law. California hastily passes a data protection law. Farewell Harlan Ellison. And our condolences to the victims of the shooting at the Capital Gazette in Annapolis.
Dave Bittner: [00:00:37] And now some notes from our sponsor Cylance. You remember the old song (singing) "Thanks For The Memories" - well, sure, but no thanks for the memory-based attacks. This increasingly common class of cyberattack, the experts at Cylance will tell you, goes after memory as opposed to more traditional targets, like file directories or registry keys. They usually start when a scripter file gets into an endpoint without exhibiting traditional file features. Once they're loaded, they execute and use the system's own tools and resources against the system itself. If you go to threatvector.cylance.com, you can check out their report on memory attacks. That's threatvector.cylance.com. We're pleased to say they're not just sponsors of the CyberWire. They're the people who protect our endpoints. Visit cylance.com to learn more. And we thank Cylance for sponsoring our show. Major funding for the CyberWire podcast is provided by Cylance.
Dave Bittner: [00:01:43] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, June 29, 2018.
Dave Bittner: [00:02:25] Ticketmaster said it discovered the malware on June 23, but U.K. digital bank Monzo says it began noticing a pattern of pay-card fraud developing as early as April 6. By April 12, Monzo believed it had traced the problem to Ticketmaster and so informed them. This is the point at which the case will be interesting from the perspective of the EU's General Data Protection Regulation.
Dave Bittner: [00:02:50] Under the rules that came into full effect on May 25, the company has 72 hours to report a breach. The incident appears to have straddled the implementation date of GDPR. But if the commissioners accept Monzo's April 12 warning as the time the clock should have started and not the June 23 discovery date Ticketmaster U.K. announced, the case may prove a sticky and unpleasant one from the standpoint of regulatory risk.
Dave Bittner: [00:03:18] Marketing and data aggregation firm Exactis inadvertently exposed its dossiers on 230 million Americans - essentially every U.S. citizen. The data include, according to Wired, phone numbers, addresses, dates of birth, estimated income, number of children, age and gender of children, education level, credit rating, interests and so on. Other data include religion and smoking habits - apparently no pay card or Social Security numbers. So you got that going for you, America.
Dave Bittner: [00:03:49] In addition to the 230 million individuals, Exactis also had data on 110 million business contacts. The researcher who found the Exactis information, Vinnie Troia, founder of Night Lion Security, noticed the nearly two terabytes of data in the course of a Shodan search that was sampling publicly accessible Elasticsearch databases. He was surprised by the extent of the information kept by Exactis. Troia informed both Exactis and the FBI of his discovery last week. And Exactis has since secured the data.
Dave Bittner: [00:04:25] It's not clear that the exposed data were accessed and used for fraud or other criminal purposes - so far at least, that seems not to have been the case. But the sheer scope of information collected, aggregated and analyzed on people, most of whom had never even heard of Exactis, is striking. Heck, we hadn't heard of them. The company's slogan is people data for a digital world. And they describe themselves as a leading compiler and aggregator of premium business and consumer data. With over 3.5 billion records, updated monthly, our universal data warehouse is one of the largest and most respected in the digital and direct marketing industry.
Dave Bittner: [00:05:05] They say their services work like this - quote, "our unique triple validation data process triangulates every consumer record - individual contacts, not just household - against three active transactional files, assuring you the highest levels of accuracy across postal, email, phone and mobile data. Layer on hundreds of selects, including demographic, geographic, lifestyle interests and behavioral data to target highly specific audiences with laser-like precision," end quote. Their company blog has no entries more recent than February 12 of this year. So there's no obvious comment on the data exposure.
Dave Bittner: [00:05:45] This is, however, the kind of thing privacy advocates are always warning about - a company you know nothing about collects data on you and uses it to develop a detailed profile that can be used for marketing or who knows what other purposes. If this were an NSA database, the streets would fill with torches and pitchforks.
Dave Bittner: [00:06:04] NSA, by the way, just announced that on May 23 the agency, quote, "began deleting all call detail records, CDRs, acquired since 2015 under Title 5 of the Foreign Intelligence Surveillance Act," end quote. NSA analysts noted technical irregularities in some data received from telecommunications service providers. Since they weren't able to distinguish properly from improperly acquired data, they elected to delete all of it.
Dave Bittner: [00:06:34] But to return to Exactis for a moment, it seems likely that incidents like this will prompt a wave of privacy regulation. California is surfing a bit ahead of that wave this week as the legislature in Sacramento hastily passed a bill that will phase in extensive privacy regulations by 2020. The motivation for the quick and unanimous vote, and the governor's equally quick action in signing it, appears to have been a wish to forestall even more stringent privacy protections that would have appeared as a ballot initiative up for vote by the state's citizens.
Dave Bittner: [00:07:07] ISPs, and especially tech companies of the Silicon Valley tribe, were opposed to such regulation. They seem likely to be less than happy with what actually passed. But it appears better than what they would have been faced with had the initiative gone through. Motherboard rather sourly grumps that lobbyists' fingerprints are all over the bill that passed. So big tech may not have quite dodged a bullet, but at least it only winged them.
Dave Bittner: [00:07:35] Finally, two sad notes - one somber, the other tragic. The somber news is the passing of Harlan Ellison at the age of 84. The science fiction writer was famous for his short stories, screenplays and novellas, of which "I Have No Mouth And Must Scream" was an early classic that came to be called the cyberpunk genre.
Dave Bittner: [00:07:57] The tragic news is of our neighbors in Annapolis, the staff of the Capital Gazette newspaper. Five were killed and several others injured yesterday by a gunman who felt he'd been defamed by the paper's accurate reporting several years ago concerning his criminal conviction. On a personal note, earlier in my career, I spent time working side by side with John McNamara, one of the five killed. He was a talented writer, for sure, but he was also a lot of fun to be around. And he was a genuinely caring and curious man. He deserved better than this. His story should not have ended this way. We extend our condolences to the victims. May the families and friends of those killed receive consolation in their mourning. May those injured receive healing.
Dave Bittner: [00:08:57] Now a few words about our sponsor Invictus - we've all heard that cyberspace is the new battle space. Invictus International Consulting was founded by people who know a battle space when they see it. This premier cybersecurity company, headquartered in Northern Virginia, boasts an expert staff with decades of cybersecurity, technology solutioning and intelligence analysis experience. Its customers in the intelligence, defense and homeland security communities value Invictus and its work. As a service-disabled veteran-owned small business, over 60 percent of Invictus' workforce is comprised of veterans. And it's not just in the government space. It delivers for commercial clients too. An award-winning company - recently named to 2018's Cybersecurity 500 List as one of the world's hottest and most innovative cybersecurity companies - Invictus has also won the most valuable industry partner award at the (ISC)2 15th annual Information Security Leadership Awards. So check them out at invictusic.com. That's invictusic.com. And we thank Invictus for sponsoring our show.
Dave Bittner: [00:10:13] And I'm pleased to be joined once again by Dr. Charles Clancy. He's the director of the Hume Center for National Security and Technology at Virginia Tech. Dr. Clancy, welcome back. You recently had the opportunity to give testimony before Congress. Bring us up to date here. What were you there for?
Charles Clancy: [00:10:30] It was a hearing held by the Energy and Commerce Committee entitled Telecommunications, National Security and Global Competitiveness. So it was really looking at how can we as a country protect the supply chain for our telecommunications infrastructure, particularly buying foreign-manufactured switches and routers and cellphones - what impact that has on national security - at the same time, how to help make the U.S. telecommunications market, both the vendors and the operators, competitive in a global landscape, particularly as we're moving towards 5G.
Dave Bittner: [00:11:03] And is this related to the stories we've seen about Huawei and ZTE?
Charles Clancy: [00:11:07] Yes, indeed it is. And so there's obviously been a lot of pressure on Huawei and ZTE as two specific companies that have raised concerns. So right now, we have a rule-making pending in the FCC that would prevent public money from being used to subsidize Huawei and ZTE equipment purchased by smaller telecommunications companies. There's pending language in the National Defense Authorization Act that would prevent the U.S. government from buying service from any telecommunication operator that had any Huawei or ZTE equipment in their networks, which would affect all the carriers - all the major telecommunications carriers, that is, here in the United States. And there's also the belief that the White House will be coming out soon with an executive order that will provide some specific prohibitions around Huawei and ZTE specifically.
Dave Bittner: [00:12:00] Now, what was your impression from the folks that you were testifying in front of? What was the amount of understanding and receptiveness they had to the messages you were delivering?
Charles Clancy: [00:12:08] Well, I think everyone understands the risks from a national security perspective. But I think it was a very useful conversation with the committee and with other witnesses. I think we really helped with formulating this concept that a blacklist of two specific companies, Huawei and ZTE, may provide some near term wins, both in terms of national security and in terms of politics, but that a much more nuanced approach to supply chain security is necessary if we're going to tackle this problem at scale. If not Huawei and ZTE, then different companies could pop up tomorrow, next week or next year that would have similar concerns.
Charles Clancy: [00:12:46] And at the same time, if you look at the supply chain of the modern iPhone, there are over 700 suppliers of parts into that device from 30 different countries. And so whether it's the assembly of the iPhone or it's the fact that two-thirds of our chip manufacturing is happening in Taiwan and China, there are a lot of concerns associated with supply chain. And while Huawei and ZTE are two specific examples of that, we really need a risk-based approach to assess and to end supply chain. Certainly, those two companies have done things that demonstrate that they are potentially bad actors. But it's a much more complicated problem than that.
Dave Bittner: [00:13:21] All right. Dr. Charles Clancy, thanks for joining us.
Charles Clancy: [00:13:24] My pleasure.
Dave Bittner: [00:13:33] And now a word from our sponsor. Who's that sponsor, you say? Well, it's none other than the mysterious team behind the spectacularly successful fake security booth at RSA 2018. You remember. It was the one with no vendor name, no badge scanning and the charismatic snake oil salesman pitching his imaginary cybersecurity cures for all that's ailing businesses around the world. So who was behind that booth? Why did they do it? Who's really sponsoring our show today? Get the answers you've been dying to hear and hear the story behind the booth at fakesecurity.com/cyberwire. That's fakesecurity.com/cyberwire. And we thank whomever it is for sponsoring our show.
Dave Bittner: [00:14:32] My guest today is Dr. Mansur Hasib. He's program chair for Graduate Cybersecurity Technology at University of Maryland University College. He's a popular public speaker and opinion writer and author of the book "Cybersecurity Leadership."
Mansur Hasib: [00:14:48] As I was visiting conference after conference, I was finding that there was, first of all, confusion about what the word cybersecurity means. If you asked 10 different people, they would come up with 10 different definitions. There was no authoritative definition available anywhere. And the other thing was people were too focused on the technology pieces, and they were forgetting about the people and the leadership aspects of it. And so I felt like that is what I had done for 30-plus years.
Mansur Hasib: [00:15:24] I always developed my entire strategy around the people because the ultimate cybersecurity of any organization depends on the behavior of the people. And if you cannot engage the people, it doesn't matter how much you spend on technology. At that time that I wrote the book and I was starting to speak about it, hardly anybody was doing it. Now it seems like leadership and governance is becoming big, and a lot of people have recognized that this is a very important field. And maybe this is the most important field.
Dave Bittner: [00:15:54] Now, how do you suppose the various paths that people take to positions of leadership, how does that inform how they approach leadership? Coming up different pathways, do you think that - what's the influence there?
Mansur Hasib: [00:16:08] Yeah. That's a very good observation. Actually, different pathways will probably influence. If you're coming from a computer science background, you think cybersecurity is all computer science. If you come from the social sciences background, which is what I did, you then see that cybersecurity is mostly about business because the whole technology environment exists to fulfill an organization's mission. Without fulfilling the mission, technology is completely useless. So I have always focused on, what is the mission of the organization? And do we have an ROI for it? And how do we justify the expenditures? And how do we strategically see multiple years ahead of us?
Mansur Hasib: [00:16:56] So yes, I think the way people enter the field may influence it heavily. Even right now, the way it's taught at various schools - so for example, if cybersecurity is part of a computer engineering program or a computer science program, you might find that all they're focusing on is the technology aspects and maybe even a very small slice of the technology aspects of the field. Whereas if cybersecurity is housed in a business school or a school by itself, you will probably find that people approach it from a more holistic, interdisciplinary point of view. Cybersecurity is very interdisciplinary. So it's - in my opinion, it should never be run out of a computer science program because cybersecurity is not computer science.
Dave Bittner: [00:17:42] Let's dig into that. Tell me more. What's your perception of that?
Mansur Hasib: [00:17:46] So you probably saw in the very first chapter of the book, it's all about cybersecurity. And I talk about cybersecurity has three primary goals - confidentiality, integrity and availability. Those goals are fulfilled through the strategic use of three types of tools. One are people, then you have policy and then finally, technology.
Mansur Hasib: [00:18:09] The other most important aspect - if you saw the model over there where I talk about that - you have to look at the mission of the organization. So the cybersecurity strategy for, let's say, a healthcare organization is going to be radically different from the cybersecurity strategy of, say, a journalistic organization or an education organization or a mom and pop pizza shop. Definitely, they're going to be very different, so the mission makes a huge difference.
Mansur Hasib: [00:18:37] The data, the information that each of these organizations are dealing with is also going to be different. So you're going to need to have the risk calculation. Now, the risk calculation's going to be different. And the risks are of two types. They're positive as well as negative. And then finally, you have to have governance. Governance means you have to shape the behavior of the people through some culture, some training, whatever that may be.
Mansur Hasib: [00:19:04] But if the people - so to give you a very simple example - you probably saw that example in my book also. Let’s say you have a security system in your home, all right? So that's technology. But that security system is completely useless unless the people in your home actually arm the security system and then know how to use it. And when you do the security system, you cannot just fortify a single window or a single door. Your security has to be thought out carefully.
Mansur Hasib: [00:19:33] And part of it also is when you have guests in your home or visitors, well, are they being trained in your security system? So that - the people aspect, the governance aspect, they're very important. And then the final point is that cybersecurity is a process and a culture. So you have to perpetually improve over time because if you don't improve, what happens is that the people that are trying to get into your system, well, they're going to figure out a way because every system has vulnerabilities. And if you never change, it's like a sitting duck.
Mansur Hasib: [00:20:08] So this is the crux of cybersecurity. And if people don't approach it from this holistic point of view and then take care of people, policy and technology in that order, they will never succeed. You can spend as much as you want on technology, and it will never work. So that is why people coming out of computer science programs only focusing on the technology and maybe just a small slice of it usually will not develop a holistic strategy.
Dave Bittner: [00:20:38] One of the things that struck me as I was reading the book is time and time again, you come back and emphasize the importance of having fun for an organization, for yourself, personally, and the importance of that as a leader. Can you describe for us - so why the emphasis there? Why does it matter so much to you?
Mansur Hasib: [00:20:57] Excellent point. So one of the things that I did was that - as I described cybersecurity, notice one of the things that I stressed on was that perpetual learning and innovation. And that perpetual learning and innovation comes from people. If I'm a happy person, then what happens? I - basically, at the end of the day, I am a glob of chemicals. So when I'm happy, there's a whole bunch of happy kinds of chemicals that are flowing through my entire body. A happy person is actually much, much more innovative. They will learn more. They will do more. They will be working without even feeling like they're working because all these happy chemicals are flowing through their body.
Mansur Hasib: [00:21:44] There's a whole body of neuroscience that talks about how the attitude of a person makes a bigger difference in their success than their knowledge and skills because if you're a happy person and your attitude towards your job is you're having fun and you're enjoying it, guess what? You will learn whatever it is that you need to do very quickly. And because this field involves perpetual learning, you will learn. Why do I learn every day? Because I'm having fun. I enjoy this. The people that I'm interacting with are fun. So they teach me things, and I teach them things. So it's almost like a game.
Mansur Hasib: [00:22:25] And that's what I found over the 30 years that I ran organizations. I was trying very hard not to lose people because if I - it's much easier to have your cybersecurity strategy for your organization if you can retain the people that you hire, mainly because I view people as investments. I invest more and more knowledge into them. As they stay longer, they understand the company more. They know where we're headed. They - we can work as a team better because think about multiple players in a team. If the players never practice together, they're not going to win - doesn't matter if you have superstars or not. So a bunch of reasonably mediocre players playing well together can actually win against a bunch of superstars that don't know how to play together.
Mansur Hasib: [00:23:17] So that was why I felt like building the team, making sure they were having fun helped me in retention because if people were having fun, they usually wouldn't be looking around, even, to see if there were other opportunities because the problem is that if your people are constantly looking around for other opportunities, their focus is not on your organization or your job or their job. Their focus is on something else. And that's when it's a recipe for disaster.
Dave Bittner: [00:23:46] That's Dr. Mansur Hasib. The book is "Cybersecurity Leadership." And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com. And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire. And thanks to our supporting sponsor VMware, creators of Workspace ONE intelligence. Learn more at vmware.com.
Dave Bittner: [00:24:23] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.