Research Saturday 6.6.20
Ep 138 | 6.6.20
Due diligence cannot be done as a one-off.
Transcript

Dave Bittner: [00:00:03] Hello everyone, and welcome to the CyberWire Research Saturday, presented by Juniper Networks. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Dave Bittner: [00:00:25] And now a quick word about our sponsor, Juniper Networks. NSS Labs gave Juniper its highest rating of "Recommended" in its recent Data Center Security Gateway Test. To get your copy of the NSS Labs report, visit juniper.net/securedc, or connect with Juniper on Twitter or Facebook. That's juniper.net/securedc. And we thank Juniper for making it possible to bring you Research Saturday.

Dave Bittner: [00:00:56] Thanks to our sponsor, Enveil, whose revolutionary ZeroReveal solution protects data while it's being used or processed – the 'holy grail' of data encryption. Enveil delivers privacy-preserving capabilities to enable critical business functions. Organizations can securely derive insights, cross-match, and search third-party data assets without ever revealing the contents of the interaction or compromising the ownership of the underlying data. What was once only theoretical is now possible with Enveil. Learn more at enveil.com.

Peter Hansen: [00:01:34] We can't say too much about the exact process we used to find this, as Virgin Media was part of a much larger collection of breaches that we're currently processing...

Dave Bittner: [00:01:45] Our guests are George Punter and Peter Hansen from TurgenSec on their research that led to the discovery of the Virgin Media breach.

Peter Hansen: [00:01:56] ...One of which was the recent legal breach – hundred and ninety-three law firms – I'm not sure whether you guys heard of that one, but that's been in the news a bit recently.

Dave Bittner: [00:02:07] That's Peter Hansen.

Peter Hansen: [00:02:09] More or less just scanning open servers in a particular way, I would say.

Dave Bittner: [00:02:16] And when you get a hit, when you discover something that you think may require a little more of your attention, what's that process like? What happens next?

Peter Hansen: [00:02:27] Yeah, so we have a set of policies and processes. So the first step, in accordance with the flowchart that we have, is that we document IP:port:date in a table. And then from this table, once it's been populated a certain amount, we'll have someone go through it and assess the priority, because obviously not all breaches are equal, and we want to get to the ones that are the most serious first. The first step on that is examining the immediately visible data, deciding whether it's government data or not – because obviously if it's government data, it's not something that we can touch, and we'd need to report that to the NCSC at that point. And then from there, basically, we've got this whole huge process, pretty much, of a logic flow for understanding how to deal with it. Because obviously, it's a different process depending on the specific circumstances with each one. Because obviously you have government data, but you also have corporate data versus individual data, so these different types need to be processed in different ways.

Dave Bittner: [00:03:31] Yeah, and I'll just – for our listeners, I'm looking at quite an elaborate flow chart here of responsible disclosure. I mean, what are the overall principles here that you're following when it comes to responsible disclosure?

Peter Hansen: [00:03:47] So, we have another document for just that. (Laughs)

Dave Bittner: [00:03:49] (Laughs) Of course you do.

Peter Hansen: [00:03:53] Yeah, we've been very careful to do this in a way that we don't get, uh, sued. So, the overall points on the policy – you have a list of primary objectives here. So, first one – lawful, timely discovery of data sets containing personal information being one of the first points. Then the protection of rights of individuals being the second. Timely and consistent communications with the organizations found to be suffering from the data breach. Then the application of fair and ethical standards and the balance of the rights of individuals and organizations – so, whether we prioritize protecting individuals where individual data was breached or prioritize protecting organizations. Because obviously, it's a bit of an interesting question here, whether when you're causing damage to organizations, you're actually causing more damage to individuals.

Peter Hansen: [00:04:43] So say, for example, with the Virgin Media breach, Liberty Global shares took a pretty huge hit after the disclosure, as well as the – I would imagine what will come through eventually in the ICO fine as well. So, it's a question of how much – how do you balance the likelihood of damage to the individuals against the damage that will be done to the companies? Because obviously we don't want the companies to suffer in a way that forces them to lay people off.

Peter Hansen: [00:05:10] And then the next one would be encouraging organizations to be transparent, and the adherence to the letter and spirit of the legislation protecting personal data and the rights of individuals, are the main points that we operate on.

George Punter: [00:05:26] Yeah. So there was one you missed there, Peter, which is adherence to the letter and spirit of legislation...

Dave Bittner: [00:05:33] That's George Punter.

George Punter: [00:05:35] ...And when we say that, we mean GDPR legislation, which has quite a strong spirit. With the GDPR legislation, which a lot of people may not know, is that it is quite – it's not laid in stone and it's built upon acting within the spirit and the principles of GDPR. And so we seek to address that as well.

Dave Bittner: [00:05:58] Now, when you come upon something like you did with Virgin Media, where I suppose fairly quickly you knew that you had something significant, what is the process that you go through there, in terms of reaching out to Virgin Media themselves? And if you could give us a little bit of play-by-play as to how it worked in this case.

Peter Hansen: [00:06:18] Okay, so we contacted their DPO...

Dave Bittner: [00:06:21] Peter Hansen.

Peter Hansen: [00:06:23] ...And it wasn't actually me or George that was the person handling this exact set of communications. I believe their chief cybersecurity officer got back to us. Overall, Virgin Media were pretty responsive in the first instance. They did a pretty good job overall.

George Punter: [00:06:42] Yeah, I believe their response and the database being closed was within ten minutes, which was very impressive.

Dave Bittner: [00:06:48] Wow.

Peter Hansen: [00:06:49] Yeah, yeah. It was very, very good. It got referred up to Liberty Global after that. And I think everything was – they did everything right, more or less, up to the point of perhaps the statement, I think. The biggest thing that really skewed things, I think, was the FT approaching a senior member of Virgin Media and asking him, so, like, basically jumping on him and saying, have you had a data breach, and then publishing based off that, because they were forced to act quite quickly.

George Punter: [00:07:19] Yeah, if I could just say something...

Dave Bittner: [00:07:22] George Punter.

George Punter: [00:07:23] ...Which is that it's typical with these companies that they would seek to underplay the extent of breaches, and this happened a little bit with the rushed Virgin Media response, but they quickly corrected that. And overall, we're quite happy with the way Virgin Media played out. They cooperated with us, aside from the little hiccup at the beginning, which is kind of – I wouldn't say it's typical with all of our experience. We've been threatened before. We've been told that we're spammers. And most recently with the legal breach, you, of course, have Advanced Software, who are, it seems, refusing to come clean. And in the end, it only makes it look worse for them, we think, to be honest. If you're not transparent and upfront from the beginning, it just begins to look worse and worse as the story develops.

Dave Bittner: [00:08:20] Hmm. Now, there was a point where you all took issue with some of the ways that Virgin Media was describing the breach itself, in terms of the types of information that was released and the severity of that. You all had a post on your own website where you all thought the severity was perhaps more significant than what Virgin Media was making it out to be.

Peter Hansen: [00:08:46] Yeah, so the overall point there, I guess, was that they didn't have as much time to go through it necessarily as potentially even we did when we were triaging. So, when the FT jumped on the executive figure at Virgin Media and said, basically, has this happened? – they had to roll out a statement super, super fast in response to what the FT were writing. And they did get a forensics organization involved to help them. But I don't think that was even fast enough, still, because obviously, the timescale they were working with was super, super tight at that point. The overall vibe with any of these disclosures is that companies don't want to overstate, so they play it on the safe side. The key point, I guess, from us, was the customers being linked to porn, I guess.

Dave Bittner: [00:09:40] Hmm. And this has to do with customers being able to make requests for certain types of content that they either want blocked or unblocked.

Peter Hansen: [00:09:50] Yes.

Dave Bittner: [00:09:51] Gotcha. Now, can you take us through – describe for us actually what the issue was here. In terms of this data being exposed to the Internet, what had Virgin Media failed to do here?

George Punter: [00:10:03] Yeah, I think what I would say is usually with these things, it's never a technical thing that's gone wrong. It's usually a process error. So, whilst it's very easy for someone to make a configuration error or something like that, the issue is process, mainly, and especially supply-chain security as well.

Dave Bittner: [00:10:30] Now, in your responsible disclosure program here, do you give the organizations a certain amount of time before you go public with them?

George Punter: [00:10:39] Yeah, absolutely.

Peter Hansen: [00:10:40] Yeah, so we have a whole timeline document for that.

George Punter: [00:10:42] Yeah. And we strongly encourage organizations to work together with us on a statement. So, this is what happened with Virgin Media. We were actually in the process of working on a statement with them together, but then it was leaked to the Financial Times before we could finish that process and we were a little bit ambushed. But aside from that, we were cooperating with them on making a statement together, and that's what we aim to do with all of these breaches. With Advanced, they explicitly stated that they did not want to work with us, and we have not seen that turn out very well.

Dave Bittner: [00:11:20] Yeah, and so I would say, I mean, in general, from a broader point of view, what are your recommendations for organizations to better protect themselves against this sort of thing?

Peter Hansen: [00:11:32] I would say have a systemized process for assessing the cybersecurity capabilities of their suppliers. Also to understand that due diligence is not something that can be done as a one-off. So, organizations change, and let's say you're taking on a new supplier – you can do due diligence on them before they are holding your data. But you also need to do it afterwards as well, especially given that in many cases they'll actually be expanding their systems to account for adding you in, if you get what I mean.

Dave Bittner: [00:11:59] Have you seen any shift since GDPR came into effect? Have organizations gotten better with this? Are they giving it better attention?

Peter Hansen: [00:12:11] I think probably overall. I haven't got any stats to back this up. I would suggest that the more the ICO can do its job, the more the National Cyber Security Centre can do their job, the more painful it will be for corporations to mistreat data, and the more they will handle it properly. I mean, ultimately, the only thing that any of these big businesses care about is money. So obviously, if it's in their financial interest to look after data, then they will do it.

George Punter: [00:12:38] Also, along with that, we're hoping that through our responsible disclosures, through breaches.uk, that by raising publicity over these breaches and the extent of these breaches, and notifying the people who are involved in these breaches, and letting the people who've been involved in the breaches know if and how much compensation they might be due – because there is actually precedent for receiving compensation if you're involved in a data breach, which most people aren't aware of – we hope by doing those things we can provide some level of accountability to the organizations, and also financial incentive to handle people's data more carefully. Because if it comes out in the press, people find out about it, or if they get class actions against them, they're going to start paying attention.

Dave Bittner: [00:13:33] What sort of advice do you have for the organizations who find themselves in the middle of something like this? If they find themselves in the midst of some sort of data breach like this, what's the best way for them to handle it, to have the least amount of reputational damage as they go?

Peter Hansen: [00:13:50] I would say the best thing you can possibly do is to work closely with the people who are disclosing to you, because they're ultimately not out to do you harm. If they were, they wouldn't be talking to you. I would say the best thing...

George Punter: [00:14:01] Yeah, your data would have already been out.

Peter Hansen: [00:14:04] ...Is to talk to the people making the disclosure, understand what it is that their process is, and just work with them to the end of the earth, I guess, because ultimately that's the – almost like the independent assurance on anything that they produce.

George Punter: [00:14:19] Another thing I would say is from the outset, react quickly, take it seriously, be open and transparent about the full extent of the breach, and also be open and transparent about all of the internal investigations and practices that you're putting in place after the breach has happened. I think, in some cases, good crisis management can often, after a breach, improve consumer confidence because a lot of people realize that data breaches are inevitable, and it's really the response of the company to a data breach which can – what separates the wheat from the chaff, in a way. If you respond quickly, let all the right people know, be completely open about what you're doing, how you're going to prevent it from happening again, then I think you can really win, or at least not lose the trust of your customers after a data breach.

Peter Hansen: [00:15:19] Yeah, one thing I would say as an example, like, we rang up – I personally rang up somebody recently, just the other day, actually, to disclose one of these huge breaches – something that's actually, in terms of the number of people impacted, significantly larger than Virgin Media. And I asked this guy who was responsible whether he'd be prepared to give me an email address so we could, like, format all this stuff and send it through to him to help him understand what happened. And he told me that he didn't have an email address, which was just great, really.

Dave Bittner: [00:15:54] (Laughs) How could that be?

Peter Hansen: [00:15:55] Yeah, well, I don't know.

George Punter: [00:15:57] Yeah, you should send him an email, Peter.

Peter Hansen: [00:16:01] (Laughter) We found his email addresses anyway, don't worry.

Dave Bittner: [00:16:03] Yeah. I mean, I suppose I can understand the impulse to sort of hunker down and try to protect yourself when you're trying to figure out what's going on, but at the same time, you don't want to be adversarial with the folks who are coming to you presumably with helpful information.

George Punter: [00:16:21] Yeah, I mean, in the case of a data breach, if someone's coming to you to tell you it's happened, then they're definitely on your side, because there's a lot of places they could go which doesn't involve incurring risks to themselves. It's like shooting the messenger, in a way.

Dave Bittner: [00:16:40] Our thanks to George Punter and Peter Hansen from TurgenSec for joining us. We'll have a link to their research in the show notes.

Dave Bittner: [00:16:47] Thanks to Juniper Networks for sponsoring our show. You can learn more at juniper.net/security, or connect with them on Twitter or Facebook.

Dave Bittner: [00:16:56] And thanks to Enveil for their sponsorship. You can find out how they're closing the last gap in data security at enveil.com.

Dave Bittner: [00:17:04] The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team working from home is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.