The CyberWire Daily Podcast 5.1.19
Ep 834 | 5.1.19

US Energy Department alludes to March cyber incident. BND 19-02 is out. Facebook likes privacy. Assange gets a short nickel.

Transcript

Dave Bittner: [00:00:03] A U.S. Energy Department report alludes to a March cyber incident. Citycomp refuses to yield to blackmail, so now its client data is being leaked. The U.S. Department of Homeland Security has issued Binding Operational Directive 19-02. A U.K. judge sentenced Julian Assange to 50 weeks in jail for bail jumping. Facebook reveals the privacy-focused initiatives it plans to implement. And notes on the Global Cyber Innovation Summit.

Dave Bittner: [00:00:36] Time for a message from our sponsor, Bandura Cyber. Are you using threat intelligence, or is threat intelligence using you? Threat intelligence gateways, or TIGs, are an exciting emerging network security technology that take the heavy lifting out of making threat intelligence actionable, operational and useful. TIGs aggregate IP and domain indicators of compromise from an unlimited number of sources, such as DHS, information-sharing groups like FS-, MS- or ONG-ISAC, commercial sources like Webroot or Anomali, or even your own internal IoCs from your SIEM or TIP. With the need for multiple sources and views of threat intelligence now more important than ever, and with existing solutions' limited ability to ingest and block third-party IoCs at scale, TIGs make taking action with massive volumes of threat intelligence easy. Get the definitive guide to this next-generation technology, "Operationalizing Threat Intelligence: An In-Depth Guide to Threat Intelligence Gateways," at banduracyber.com/cyberwire. A bonus - it's written by our friends at Bandura Cyber. They're the company that started the TIG category. And it's free. Again, that's banduracyber.com/cyberwire. And we thank Bandura Cyber for sponsoring our show.

Dave Bittner: [00:01:59] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, May 1, 2019.

Dave Bittner: [00:02:08] E&E News reports that the U.S. Department of Energy has said that four counties in California, Utah and Wyoming experienced a cyber event that interrupted electrical system operations briefly on March 5. The incident was disclosed in an electric disturbance and emergency report released yesterday. The Western Electricity Coordinating Council confirmed that the event affected a single entity, but few other details have been made public. The counties affected were Kern County and Los Angeles County in California, Salt Lake County in Utah and Converse County in Wyoming.

Dave Bittner: [00:02:44] Motherboard notes that there's no reason to panic based on this information, as the department's definition of a cyber event is expansive. While it's possible that remote hacking or malware was involved, it's far more likely to be due to human error or a hardware or software bug. E&E News points to a similar filing after a blackout in Michigan last year, which turned out to be an accident caused by an employee in training.

Dave Bittner: [00:03:11] German IT infrastructure provider Citycomp says a hacker stole a large amount of information from its customer database and threatened to leak the data unless the company paid a ransom. Citycomp refused to pay, so the hacker has started publishing the data on a dedicated website. Citycomp's customers include Oracle, Airbus, British Telecom, Hugo Boss, Porsche, Volkswagen and many others. The Register says that most of the data that's been leaked so far is the type of information that would be useful to someone who wanted to hack one of Citycomp's clients, such as detailed lists of installed IT equipment and hardware specifications. ZDNet notes that the dump also includes financial records, meeting schedules and some contact information.

Dave Bittner: [00:03:57] The U.S. Department of Homeland Security has issued Binding Operational Directive 19-02, which establishes vulnerability remediation requirements for internet-accessible systems. The directive builds on and supersedes Binding Operational Directive 15-01. Agencies will have to fix faster. The new directive requires that critical vulnerabilities be remediated within 15 calendar days of initial detection. Agencies will have 30 calendar days to remediate high vulnerabilities. Binding Operational Directives apply to U.S. federal agencies, with exceptions for the Defense Department and the intelligence community.

Dave Bittner: [00:04:38] It almost goes without saying these days that encrypting your data can be an effective way to protect it from prying eyes, whether that data is in transit or at rest. The challenge is maintaining control over that encryption so it doesn't get in the way of the data being useful. A number of companies are developing datacentric encryption solutions, what they refer to as always-on file security. Vera Security is one of those companies, and Bert Grantges is their vice president of solution engineering.

Bert Grantges: [00:05:06] In today's economy of collaboration with multiple different organizations and entities outside of your business, there's really no way to protect data once it leaves your perimeter, once it leaves that "physical control," quote, unquote. And where they're changing the model is how encryption and datacentric security can really be leveraged to allow the control that they've been clamoring after for the past 15 to 20 years, right? How can I exchange data freely with a third party but ensure that I still have control over that data no matter where it travels? So it's a much more proactive measure of how they want to protect data in order to respond to just general business concerns, but also consumer and internal privacy regulations that are popping up all over the world, like GDPR, the California Privacy Act, NYDFS Cybersecurity Act. And things of that nature really require that level of control.

Bert Grantges: [00:06:11] And, you know, you see these breaches with large enterprises, from Marriott to HBO to Sony way back in the day, and it's apparent that the technology to really give that power of control of their data hasn't been there in the past. And that's something that - Vera and other companies like us are trying to change that.

Dave Bittner: [00:06:33] And so what's the change there? How are companies like yours using encryption to better protect data?

Bert Grantges: [00:06:40] That's a good question because encryption's been around a long time, right? It's not like encryption's new. But what we're looking at in terms of how encryption can enable the business is really around redesigning how people work with encrypted data.

Bert Grantges: [00:06:56] One, we talk about, you know, digital rights management control. So how can I work with encrypted content, do so securely, but not change the way that I work? As an example, if I get an encrypted Word document, I shouldn't have to think about having to go get a proprietary viewer or, you know, how is this going to change my relationship with the data? I should be able to work with - inside Word, or even AutoCAD - work within the native tools that I'm used to, while doing so securely.

Bert Grantges: [00:07:26] So new technologies are coming up that allow us to have that low-friction experience. And dynamic relationships to the data can change in real time. So if I'm a third-party manufacturer working on a CAD drawing that you provided me as an example, if you decide to move to another manufacturer, you literally have a kill switch button that prevents me from ever opening that content again so that you can enforce that level of control.

Dave Bittner: [00:07:57] What about for that organization who's looking to get started with something like this? What is the transition period like?

Bert Grantges: [00:08:03] It's actually pretty straightforward to get started with datacentric encryption, what we like to call always-on file security. What's great about the nature of secure files is they tend to travel, right? You know, when you have information that you need to share with somebody in your organization, you'll send them an email. You'll drop it in a network file share. Somebody is going to pick that up. If they don't have appropriate access rights, they can't access the data. But if they do, they can just start to use it. And people see how they can be productive and secure. And it creates a great relationship between the business and IT.

Bert Grantges: [00:08:42] One of the most interesting things I've found about our work with customers is that they develop a dialogue around the data because they actually get to see how data's used because it's not just about the protection. It's also about being able to see what happens to data in a way that you can audit that defensively against breaches, against regulatory compliance issues that may be coming into business, or even for legal reasons with additional third parties you may have. So giving a full 360-degree view of what people can do with the data, as well as being able to visualize that, is extremely powerful and can be implemented, you know, in a very short amount of time to where you start to see value in the business.

Dave Bittner: [00:09:28] That's Bert Grantges from Vera Security.

Dave Bittner: [00:09:33] Julian Assange will serve 50 weeks in jail at Her Majesty's pleasure for jumping bail in 2012. The judge said his bail violation was particularly egregious, saying that he, quote, "exploited his privileged position to flout the law and advertised internationally his disdain for the law of this country," end quote. He entered the Ecuadorian Embassy in London to avoid being extradited to Sweden, and he remained there for seven years. The judge also noted that Assange's extended residence at the Ecuadorian Embassy and his subsequent arrest had cost taxpayers 16 million pounds. Assange apologized in a letter to the court, saying he did what he thought was best at the time. He still faces federal conspiracy charges in the U.S.

Dave Bittner: [00:10:19] Facebook, at its F8 shindig, announced that the future is private. CNET quotes CEO Zuckerberg as acknowledging the skepticism that will meet the new direction - quote, "I get that a lot of people think we're not serious about this. I know we don't have the strongest reputation on privacy, to put it lightly," end quote. A look at the Telegraph's review of the company's initiatives suggests that end-to-end encryption of messages represents the biggest move toward privacy. Other changes, like the new prominence of groups and initiatives to suggest unknown people likely to become friends, seem likelier to lead the social network into data temptation.

Dave Bittner: [00:10:58] And finally, we have a correspondent at the Global Cyber Innovation Summit, which opened this morning in the Fells Point neighborhood at Baltimore's Inner Harbor. One of the principal organizers, AllegisCyber's Bob Ackerman, explained the choice of venue. The group that put the summit together wanted to create a Davos-like atmosphere that would cater to the needs and interests of CISOs. They chose to hold the summit in Baltimore because the cybersecurity community needed this kind of engagement on the American East Coast. And Baltimore, being at the center of what Ackerman called an unparalleled pool of cyber engineering talent that's grown in Maryland universities with the support of massive U.S. federal investment, was a natural choice. That massive federal investment, of course, has long been centered on the National Security Agency, whose Fort Meade home is in the Baltimore suburbs.

Dave Bittner: [00:11:48] Ackerman's introduction was followed by remarks delivered by Maryland's Governor Larry Hogan, who was particularly concerned to point out the state's engagement with international cybersecurity development, particularly in the United Kingdom and Israel. He also alluded to the emergence of an apprenticeship model around the University of Maryland, Baltimore County.

Dave Bittner: [00:12:08] This morning's final keynote was by Dave DeWalt, now of Momentum Cyber, formerly CEO of both FireEye and McAfee. He delivered his account of what he called a perfect cyber storm created by the speed of innovation and the swift evolution of vulnerabilities and threats such innovation brings with it.

Dave Bittner: [00:12:27] We'll have more updates from the summit over the course of the week. The proceedings will continue through tomorrow.

Dave Bittner: [00:12:38] Now it's time for a few words from our sponsor, BlackBerry Cylance. They're the people who protect our own endpoints here at the CyberWire. And you might consider seeing what BlackBerry Cylance can do for you. You probably know all about legacy antivirus protection. It's very good, as far as it goes. But you know what? The bad guys know all about it, too. It will stop the skids, but to keep the savvier hoods' hands off your endpoints, BlackBerry Cylance thinks you need something better. Check out the latest version of CylanceOPTICS. It turns every endpoint into its own security operations center. CylanceOPTICS deploys algorithms formed by machine learning to offer not only immediate protection but security that's quick enough to keep up with the threat by watching, learning and acting on systems behavior and resources. Whether you're worried about advanced malware, commodity hacking or malicious insiders, CylanceOPTICS can help. Visit cylance.com to learn more. And we thank BlackBerry Cylance for sponsoring our show.

Dave Bittner: [00:13:48] And I'm pleased to be joined once again by Robert M. Lee. He's the CEO at Dragos. I want to touch today on conferences, and particularly how organizations like yours can get the most out of their attendance of conferences, like RSA, for example. What are your thoughts there?

Robert M. Lee: [00:14:04] I think it's just expectation management. If you're going to RSA to find the latest research in, like, 0-day dropping stuff, like, you're not going to have a good time. But I've been really pleasantly surprised with RSA. I went not expecting for, quote, unquote, "my community" to be there in industrial security. I was like, maybe it'll be like CSOs and like others, but I don't know that, like, a lot of, like, practitioners are going to come.

Robert M. Lee: [00:14:27] And what we did last year and what we did this year is we're a big sponsor of the ICS Village. It's the ICS Village. It comes around to a lot of different locations, but it's got a big presence at RSA. And Bryson and Tom VanNorman run it with a lot of support from the community. It's not a booth. It's just a village. And it's got a bunch of industrial control systems in it to show people, like, what type of equipment's running their modern world of power and manufacturing and others. And so a lot of the talks we did were actually at the village. And I was really surprised with not only how many of the ICS security community were there, but also just how many people were so excited about industrial security.

Robert M. Lee: [00:15:05] I think my biggest takeaway from RSA this year and last year has been - there's, like, a movement forming around ICS security. And a lot of folks that have never thought about it before are now getting excited about it, which means really good things for our folks. I think, obviously, we did go and have some talks as well. And I got up on the - one of the main stages or whatever they call it and did that as well. My big message to folks was a lot of industrial security over the years has been copy-and-pasted enterprise security. We take frameworks and regulations from IT. And whatever doesn't break the ICS, we just move it into ICS. Like, oh, you show a patch program. That makes sense. Hey, we should have a patch program. Let's have a patch program. But, like, why we have a patch program or what the ICS implications are or if it's even valuable at all never gets questioned.

Robert M. Lee: [00:15:51] And so this year, all I did is I looked at the various attacks that we've seen, as well as some of the threats that we track at Dragos, and said, OK, let's break them down step by step. These aren't novel events. There is no such thing as a novel attack. There's a series of steps. And maybe some of those steps are novel, but many of them are not. And let's look at each one of those steps across the ICS kill chain and evaluate it and say what could've been done and what can we learn from these steps? And so I took kind of this intelligence-driven approach to say, OK, well, over these last six major events, here are the controls that kind of bubbled up to the top of things that actually are important for environments - things around visibility and threat detection and being able to respond, multifactor authentication - like, certain things that we might've thought anyway, but we have proof and we have evidence to show that this is impactful. And here's how you can go do this kind of analysis yourself to actually make sure that you're adapting your requirements to your threat landscape instead of, quote, unquote, "best practices."

Robert M. Lee: [00:16:51] And I thought that was a lot of fun. And it seemed to resonate with a bunch of people. And I really hope the industrial community takes more of an intelligence-driven approach because historically, again, it's taken more of a copy-and-paste or regulation-based approach. And I don't - I don't think that's getting us where we need to get to.

Dave Bittner: [00:17:06] And to what do you attribute the increased interest there? Is it awareness? Is it that more of these systems are becoming integrated? What do you see things - that coming from?

Robert M. Lee: [00:17:16] I think there's a lot of factors. For one, I think, you know, attacks do get attention. And we hear about, like, oh, wow, a power grid went - like, portions of a power grid in Ukraine went down. Like, what is that? Like, there's a story aspect that sucks people in. And we saw this, you know, post-Stuxnet in 2009, 2010 - like, a lot more interest in the community. And so attacks do have that ability.

Robert M. Lee: [00:17:38] But I think more of it's been the people that have been in this community are becoming evangelists, kind of been pushing the way forward. I think - obviously, I have a very biased view, but, like, the SANS community over the years, with what Mike Assante and Alan Paller started and Tim Conway and those guys were over - doing, and me authoring one of the courses over there, I think we're training people in capacities that have never been done before, so it's more accessible than it's ever been before. You look at the ICS Village as being accessible to show people.

Robert M. Lee: [00:18:09] Like, a lot of people don't even know where to get started. They may have heard about ICS or SCADA or - God forbid - SCADA. And they're moving in. And they're going, man, I like this. But it's really - it's daunting to see how you can even get started without spending a lot of money. I don't want to, like, pat ourselves too far on the back, but I think my folks at Dragos have done a really good job of, kind of educational and content-driven to the community. And, hey, here's free reports and insights. I mean, we're a tech company, and half the time, people think we're a services company because we're out showing people more about the ICS world than we are pitching our product.

Robert M. Lee: [00:18:41] I think this combination of these folks at the asset owners doing the mission, SANS, ICS Village, companies like Dragos - I think this combination, with the attacks, is drawing mass amounts of interest but also returning us back to the norm of, hey, don't freak out. This is doable. We can absolutely invest in our people, in our infrastructure, and do good things.

Robert M. Lee: [00:19:04] And I think there's a compelling story that just sucks people in - is you may not care about your local bank. Many do. But there's something special about industrial. When you talk about your bank, it's your bank. When you talk about infrastructure, it's our infrastructure. That's our power company. That's our manufacturing industry. There's this - there's something special about industrial. And I think that just resonates with people.

Dave Bittner: [00:19:26] Robert M. Lee, thanks for joining us.

Dave Bittner: [00:19:32] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com.

Dave Bittner: [00:19:45] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell. Our staff writer is Tim Nodar, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.