The Retail & Hospitality ISAC Podcast 3.27.24
Ep 47 | 3.27.24

Future-Proofing Authentication, RH-ISAC’s 10th Anniversary, plus the Monthly Intelligence Briefing

Transcript

Luke Vander Linden: This is Luke Vander Linden, Vice President of Membership at the Retail and Hospitality Information Sharing and Analysis Center. And you've made a great decision to listen to the "RH-ISAC" podcast. [ Music ] Whether you're avoiding starting a big project at work or trying to hide from your family in your home office, listening to the RH-ISAC podcast is a great decision. We have some good guests today. I know I say that every time, but it's true. I'm going to sit down with Josh Cigna, Solutions Architect at Yubico, one of our associate members. They do a lot of great things with authentication, certainly very topical with so many of the recent breaches having to do with MFA failing. I will also be welcoming back the RH-ISAC's own Lee Clark with our semi-monthly threat briefing. We'll see if he has any breaking news for us. And our illustrious President, Suzie Squier, is back with one of our founding members, Ken Athanasiou, currently the CISO and a VP at VF Corporation. He was with American Eagle Outfitters and then AutoNation back when he was on our board and when the RH-ISAC was getting started. Suzie's discussion with Ken is, of course, part of her series of Plus-One conversations with our founders in celebration of our 10th anniversary. If you were with us back when we were getting started 10 years ago, or if you have something cybersecurity related you'd like to contribute to the podcast, shoot us an email at podcast@rhisac.org. Or, if you're a member, hit me up on Slack or Member Exchange. And if your company is not yet a member of the RH-ISAC, this is the only time I'll tell you it's okay to hit the pause button. Go to rhisac.org/join to learn more and to start the process. And then you can hit play again. [ Music ] All right, I'm now excited to be joined on the podcast by Josh Cigna, a solutions architect at Yubico. Welcome to the podcast, Josh.

Josh Cigna: Thank you so much, Luke.

Luke Vander Linden: Thanks. So Yubico is a great supporter of the RH-ISAC, one of our associate members. So thank you for that. For those of our listeners who don't know what you guys do, can you give us a little background? Tell us what's going on.

Josh Cigna: Sure. We make the YubiKey. It is a hardware multi-factor authentication device. It supports lots of different protocols. The main point of it is to make authentication safe and secure and simple and really meet the customer where they are with their -- and make sure that they have the best multi-factor authentication options available to them.

Luke Vander Linden: That is a -- that's a huge thing right now. I think a lot of the events, we'll say, in the news recently have been brought about by, or at least MFA and authentication has played a role in them. So having strong things in place to protect against misuse of authentication is important. So tell us more from your perspective. These attacks that are going on, there really is an urgent need to protect. So what's your viewpoint on that? And specifically, I guess, around PCI DSS 4.0, what does all that have to say about MFA?

Josh Cigna: Yeah, I mean, if you look at the numbers coming out of some of the larger reports, like the Verizon report, they estimate somewhere between like 74 or 75% of cyberattacks originate with a human being, with the attack on the human. Because our employees, we train them to be empathetic. And we train them to solve problems for people calling in on the phone. Or we train them to listen to people from the helpdesk. And attackers really take advantage of that because legacy multi-factor authentication mechanisms aren't secure against those types of attacks. Instead, when you use those mechanisms, you need to make your end users more secure. What PCI DSS has mandated in its new 4.0 requirements mirror what we're seeing from lots of other organizations, from CISA, from NIST, from the EU, from Australia, where instead of just -- instead of just MFA, they want phishing-resistant MFA. We have the capability. We have the compute to make these things happen. And those organizations want to see it adopted to protect customers, to protect employees, to protect organizations, and to protect the citizens of the world. Yeah.

Luke Vander Linden: Right. Not all methods of MFA are created equal. So what other -- what types to make them phishing resistant should people and companies be considering?

Josh Cigna: So, if you look at the guidelines coming out of NIST, there are two classifications of MFA that are considered phishing resistant. They both rely on public key cryptography. The first is smart card, venerable smart card, been around since the '80s, really secure. It has a long-proven track record to work, to be able to be resilient against those types of attacks. However, it requires a lot of infrastructure. The other mechanism that kind of meets that bar is FIDO, FIDO2. FIDO2 came along with some work between Yubico and Google with the original mission of create smart card for the web, create a way to use that public-private key cryptography without requiring the large infrastructure. And it's been iterated, and it's grown, went from U2F to FIDO2 to passkey, which is what we have now. And it really has matured into a place where it can be deployed to end users. It can be deployed to consumers. It can be deployed to all of these different types of people without a lot of pain on both the deployer and the target. And also it maintains that public-private key cryptography and that bidirectionality of communication that we know is important and needed to become phishing resistant.

Luke Vander Linden: So you mentioned passkeys. Tell us more about what that means, what they are, and how that fits.

Josh Cigna: Passkeys are just the latest iteration of the FIDO2 or WebAuthn standard. In the drive to make FIDO2 more achievable and more available, we wanted, the FIDO Alliance wanted, to get away from this hardware key model. They wanted to create other ways to use the types of compute that people are used to to achieve this. So they came up with passkey. And what passkey is, is it is just a FIDO2 certificate that can live on a mobile phone or can live in a TPM on a laptop. So you don't necessarily need dedicated hardware to gain the advantages of that strong public-private key cryptography in your authentication workflows. And it's really targeted at consumers. If you look at large retail firms, if you look at large online sellers, they're starting to adopt this as a mechanism to authenticate. Most people use passkey, don't even realize it because it's how Apple and it's how Google authenticate their users back into their own systems.

Luke Vander Linden: So a key thing there when you -- when you talk about not needing hardware, you're talking about that fob that a lot of people used to have and trying to remember where that was and how to use that.

Josh Cigna: Yeah. And there are -- there are definite use cases for that key fob. You get some advantages with the key fob versus the synchronized passkey, that passkey that can live on a phone. But then there are other advantages for that synchronized use case. And it's about evaluating what your consumer base looks like, what customers are trying to serve, evaluate what your risk tolerance is, and then really deciding on which path to go. Do you want to go synchronized, which would be device passkeys that live on a phone? Do you want to go hardware bound, which would be passkeys that live on a fob? Or do you want to just support everything and say, we welcome all takers?

Luke Vander Linden: Yeah, you know, every company really has to think a lot about their employees. But unique to our space in retail and hospitality, we're also thinking about our customers, our guests. So figuring out which or considering which type of authentication to use really impacts retail and hospitality in a different way.

Josh Cigna: Yeah. And one of the really nice things about passkey, especially in the consumer space, most of the providers have built the system into the gestures that users are normally used to. So, if you're used to doing a face ID on a phone or a fingerprint ID on the phone, that's the mechanism that you use to enroll. Or that's the mechanism you use to unlock the passkeys that reside on your device. So, from that consumer space, it's transparent. You're not really asking them to do anything new or different. But they get the advantage of that secure bidirectional authentication that FIDO provides.

Luke Vander Linden: Right. So it decreases the friction that our members would be most concerned about. So once, you know, in consideration of these different types of authentication, what kind of takeaways or actions -- action items do you think our listeners could take away and do right now?

Josh Cigna: First and foremost, I'm a storyteller, so I always tell people to first figure out what their use cases are. What are they trying to solve? Next, understand the supporting needs for those use cases. Again, are you looking at your CIAM space, your customer space? What are you trying to accomplish? Do you want to reduce friction? Do you want to increase security? Do you want to do all of the above? On the employee side, you need to also consider traceability and accountability. So you need to be able to ensure that when you build that authentication system, you include identity proofing in it, you include the ability to tie individual users to individual sessions. So these are -- these are the types of things to think about as you're crafting those stories. After that, you know, once you have those use cases defined, go and see what's available on the marketplace. The FIDO Alliance is the larger group that controls that FIDO2 standard. We've put out lots of good white papers recently, both for the public and private sectors. There's a series of five white papers that we put out last year specifically targeting enterprise scenarios, whether you're starting fresh, whether you're moving from like an SMS to a passkey, whether you are going from smart card to passkey, all of these different scenarios are outlined in different white papers. You can go and get those and read those freely and really get some good -- lay some good tracks to a successful program. And, you know, go into this with your eyes open. A lot of the time, we like to say, you know, focus on what works. So, even if you have legacy processes in place, don't overly rely on those legacy processes because we know they can be superseded. We know they can be overcome by attackers. Instead of investing funds and trying to shore up those processes, look at ways to meet the needs of today.

Luke Vander Linden: That's, I mean, that's the point is that threat actors are always adapting, always trying to stay a step ahead of our security teams. And we're trying to stay one step ahead of them. So, I mean, looking forward, what do you see in the future for authentication? What you're building and advocating for now might not be the best practice next year, 10 years from now?

Josh Cigna: My favorite anecdote, the favorite article that I read recently, is about a campaign launched by threat actors that was instructing users -- it was -- they were impersonating helpdesk. And the first email was giving them instructions on how to de-enroll their FIDO authenticators from their account so that helpdesk could help them. So, obviously, FIDO is on the right path there. Looking into the future, what do we think is going to come down the path? We -- It's hard. We really need to see more buy-in for FIDO because the public-private key cryptography that it's built on has a very long track record of success. Like I said, this was built with smart card as the model. And smart card really has stood the test of time. And there are some really useful and really forward-looking parts built into the FIDO standard. There's a process called origin-bound credential checking. This is a bidirectional check. So your authenticator is actually checking to make sure that the request came from the right place. So it's not -- it's not just the system that you're logging in to, verifying that you are the right person. It goes the other direction. And using tools and processes like that, we are really hoping to future-proof a lot of these behaviors. So far, again, based on the anecdotal evidence we have and based on the real research we have, it's successful. What does the next attack look like? We never know until we see it. Are we confident that we can weather that storm? We're fairly confident.

Luke Vander Linden: That's great. You know, when we pick our associate member partners, it's really for your expertise. And great looking out for what's happening now, but also in the future and looking at the authentication methods that are on the horizon as the technology evolves, as the threat actors evolve. So we appreciate that. Thanks very much, Josh Cigna, from Yubico. Thanks very much for joining us on the podcast and sharing some of your expertise with us. And we look forward to working with Yubico in the future.

Josh Cigna: My pleasure. I look forward to speaking to all of your members real soon. [ Music ]

Suzie Squier: Hello, everybody. My guest today is Ken Athanasiou, who is with VF Corporation. And we go way back to the early days of the then R-CISC. And Ken is joining me today to come back to those early years as we get ready to celebrate our 10-year anniversary, Ken.

Ken Athanasiou: Yeah. It's amazing that it's been 10 years already, right? It's pretty wild.

Suzie Squier: On one hand, it feels like so long. On the other hand, it feels like it was -- it was, you know, not 10 years ago.

Ken Athanasiou: Time flies when you're having fun, I guess.

Suzie Squier: That's what they say. Well, thanks for joining me today. So we'll get a little bit into your new role in a little bit. Before we do that, let's go back to 2014 in the early days when you were -- I don't -- I don't know specifically what your title was, but I know you were at American Eagle Outfitters. Because I'm not sure if the title CISO was as prolific as it is today. Was that your title back then?

Ken Athanasiou: No, my actual title was Global Director of Information Security. Yeah, the CISO title, it wasn't quite as common back then as it is now.

Suzie Squier: It's one of the things that I've been talking to some of our old colleagues. That we've said that that title suddenly got elevated and used more often than it is today because of -- because of everything that is going on. But let's go back to that time period. Do you remember what it was like at American Eagle in early January, February of 2014 when the news hit the papers? And what kind of internal conversations were you having? Did all of a sudden you get a knock on your door from the CEO who maybe you met with often, maybe not? So what was it like in your neck of the woods during that time frame?

Ken Athanasiou: Yeah, it was pretty exciting. That was -- that was obviously big news. And there was a lot of questions from the C-suite as well as the board about, you know, where were we at? How were we positioned? You know, what was going to -- what was our risk associated with, you know, that type of an attack? And it was -- it was certainly a time of fear, uncertainty, and doubt for the -- for the organization. And I don't think we were uncommon with that. There was a lot of questions that were, you know, kind of bubbling up all over the place.

Suzie Squier: And what do you think was the difference between that? I mean, it certainly wasn't the first time that a retailer had been breached and we had -- we'd have, you know, notifications in the past. What do you think made this one? Was it just the size of it? Was it, you know, was it the brand that -- was it the type of attack that really elevated the conversations?

Ken Athanasiou: Yeah, I think it was all of the above. You know, certainly, it was not an insignificant attack under any circumstances. And the fact that it was Target really got people's attention and the type of attack, right, the fact that it was so significant to the organization. I think there was just a combination of things that kind of got people's attention.

Suzie Squier: And then at that time, as you know, probably still gathering information, did you have more frequent meetings with, say, the C-suite following kind of those discussions or, you know, throughout the year as things unfolded?

Ken Athanasiou: So we actually had had a -- we had a pretty good strategic plan already in place. So the initial conversations when it first broke were pretty excited. But once they recognized that we actually had a reasonably good plan in place, we knew exactly where our vulnerabilities are or were and what we needed to do, we did get an acceleration of some of the things that we had asked for previously and basically been told, yeah, it's going to have to wait, it's going to have to wait. But the fact that we had a decent plan laid out already allowed us to, you know, once we got that influx of money from the, you know, the leadership allowed us to move pretty quickly and really close some gaps that we had previously identified.

Suzie Squier: So when we started gathering the heads of information security back in around March, and we actually had the meeting in your backyard at the time in Pittsburgh, do you remember what those earlier meetings were like when we, you know, finally kind of brought this group together?

Ken Athanasiou: I do. I do. I definitely remember those. And we had some great conversations. And initially we had a -- we had a couple of folks who were very nervous about talking about their, you know, their programs and where they were and what they were doing. And, you know, we quickly established that, hey, you know, the bad guys are talking to each other about techniques and tactics. And we're not talking to each other. So we're at a huge -- we were at a huge disadvantage because we weren't sharing what we were seeing. We weren't sharing what we were doing. And, you know, we quickly got past the, you know, hey, this could be intellectual property. This could be a competitive advantage. This could be this, all the -- all the things that, you know, people were kind of bringing up that were making them reticent to really share. And we talked through those things. And we came to essentially a gentleman's agreement in the group that we would -- we would treat this as an information sharing opportunity. And we would use Chatham House rules essentially to say, look, this is stuff we're sharing that normally we wouldn't talk to any outsiders about. But we established a sense of trust with each other. And that allowed us to really talk about, you know, exactly what we were seeing, what was happening in our environments, and where we had gaps and what other folks were seeing. It really opened things up significantly.

Suzie Squier: Yeah. It took a couple of meetings, you know, in-person to develop. You know, I think we all realized at the time and it's still to this day, you can't beat meeting in person to establish, you know, that rapport and that bond. But now I think folks are a little bit more used to it. But back then, we really had to, like you said, have a lot of conversation and discussion. And I think people were very open to it once, you know, folks like you and Jim and I know Bill Dennings, who was at Nike at the time, had some good, you know, helped people really understand the benefits. And like you said, how we kind of need to keep up with the bad guys because they were already doing this.

Ken Athanasiou: That's exactly right. That's, I mean, and the bad -- the bad guys were sharing stuff freely. And, in some cases, they were -- they were charging each other for some of that -- some of that knowledge. But I mean, they were very, very open with each other about how they were actually, you know, succeeding and penetrating environments. Whereas on our side, we were very much about, oh, I can't talk about that, can't talk about that, can't talk about this. And that shift in perspective to be more open and really talk through those things was, yes, it took a little bit of time, but it was hugely beneficial, I think, to all of us.

Suzie Squier: And then around -- toward the latter part of the year, when we kind of learned, we studied the ISAC model, FS-ISAC was a great supporter in that effort, and we put the board together. And you were part of the initial board. And that was a lot of fun building an organization. Do you remember like a lot of meetings, a lot of calls? Do you remember what it was like going with that group as we continued to build the organization?

Ken Athanasiou: I do. It was a very exciting time. There was a whole lot of potential. Everybody saw the potential. There was also -- there was also confusion about what's the best way to go forward. How should we move -- how should we move the ball down the field, so to speak? And you're exactly right. The, you know, looking at the FS-ISAC was, as a model, I think, really helped us significantly. We weren't reinventing the wheel. But at the time, the FS-ISAC was way more mature than what we were trying to do. So we kind of had to pare it back a little bit and figure out how we were actually going to be able to be successful at a more simplistic level than what the FS-ISAC was doing. We had to start somewhere. And the model of the FS-ISAC was hugely beneficial in giving us a perspective on what we could be. But we didn't -- we started to figure out how we would get from point A to point B.

Suzie Squier: And even once we built it, and I think this is even after I, you know, step back, you know, back to my role at RILA, there was still a lot of work to be done on sharing information. You know, there was one thing to be -- to agree but then to share threat information. And there was still a lot of work to be done in the early phases, even after we had put the R-CISC together.

Ken Athanasiou: Yeah, there was, and nobody knew exactly how to share or what they should share. So there was a lot of -- a lot of crosstalk, a lot of communications that were happening. And I would say maybe if we were lucky, 5, 10% of that was hugely valuable at the beginning because there was a lot of talk, but we didn't know what to say to each other. We didn't know how to say it to each other. And we still had folks who were -- who were, you know, very nervous about sharing openly about things that they saw in their environment. The days of all the anonymous shares that people were saying, hey, I saw something, but I don't want to talk about it, that it was in relation to my company, but I am willing to do an anonymous post, that sort of thing. So it really took some time to evolve and, you know, figure out what's the right platform and how do we actually communicate to each other? And again, what is the useful stuff to communicate?

Suzie Squier: So, you know, from your perspective and your role and then having moved on from American Eagle, how has the RH-ISAC community, the R-CISC, and now the Retail and Hospitality ISAC impacted you over the years?

Ken Athanasiou: Oh, it's been -- it's been massively helpful. The amount of information you can -- you can get from the RH-ISAC now through multiple different channels has just been, it's hugely helpful. I mean, you can say, hey, I've got this problem. Toss it out on the forum, and very, very quickly, you'll get somebody to respond with, I saw that, too. Here's what I -- here's what I did. Here's how it worked out. Here's what didn't work. Here's what did work, that sort of thing. You know, I have my guys fairly regularly troll the forum, like looking for those types of bits of information, especially when we've got something new that we're looking at. Yeah, I mean, obviously, the hot -- the hot topic of the day is, you know, AI and how are you controlling AI and those sorts of things. And are you allowing access to chatbots and et cetera? And there's a bunch of stuff that came out very quickly, right, with people's opinions and thoughts. And we've watched that evolve over time as well. So it's been hugely beneficial not just to myself personally but to my teams over the years.

Suzie Squier: You know, in addition to, obviously, the sharing of the threat intelligence, which is key to the -- to the ISAC, it's to your point, I think the kind of what I call the ultimate phone-a-friend is really just such a huge benefit that you've got, hey, they want me to put this in place. I've got no idea. Has anybody done it? And you just, you know, it ramps you up so much quickly when you have some peers throughout the industry to reach out to.

Ken Athanasiou: Absolutely, absolutely. And the benefits for the smaller organizations are even more than the benefits for the larger organizations. Obviously, if you have a, you know, a multibillion-dollar company and a large team, you're doing a lot of different things, some of which is easily reproducible in a smaller company, some of which is not. But they at least have an idea of, hey, here's what X is doing. And that may be a little more complex than we can actually do in this smaller environment. But we can -- we can model ourselves after that and come up with the same type of requirements and look at the different tools that they're using. It's just a matter of how does that fit in the smaller environment.

Suzie Squier: Yeah, I agree. I agree. And I think that the culture of our larger, more mature companies realizing that and jumping in, I think is just huge. And it's something that I know I'm very proud of. And I think, you know, you, as a leader of the organization, are probably proud of too.

Ken Athanasiou: Yeah, absolutely. And, you know, there's this whole idea of a rising tide floats all ships, right? I mean, that is -- that is 100% correct. And we've recognized that our consumers having confidence in our various brands is extremely important. And the fact that they're willing to, you know, give us their personal information, their credit card information, et cetera, and they can feel confident that all of our fellow retailers are protecting that information at a certain level, that helps everybody. You know, obviously, we want -- we prefer they shop with us. But we just -- we want them to shop, period, and have confidence that the retail companies that they're interacting with have the right controls in place to keep them safe.

Suzie Squier: So anything in particular that, besides that, which I think is huge, is just that whole rising tide theory. Anything else that stands out to you that you're kind of most proud of as being a leader back, you know, as building this organization?

Ken Athanasiou: You know, the community that's been created is really spectacular. You know, as you said, you've got -- it's not just the phone-a-friend. It's the -- it's the interactions that we see on a regular basis between companies that previously weren't talking to each other at all. And the level of interaction that we're seeing is just phenomenal, right? So we're doing now and have been for a while what the bad guys were doing well before us, right? We're communicating. We're talking. We're explaining to folks, here's what I saw. Here's how they compromised this system. And that information has, I think, dramatically improved our entire ecosystem. So I'm immensely proud of what the RH-ISAC has become. I'm not on the board anymore. I think six years was plenty. And I think that --

Suzie Squier: [Laughs] Yeah, I think so.

Ken Athanasiou: Yeah, that was --

Suzie Squier: That was a lot of time.

Ken Athanasiou: -- that was plenty. Yeah. And, you know, I still see fantastic stuff coming out of the RH-ISAC. And I see it continue to evolve. And I'm just -- I'm immensely proud of what the organization has become. And I see even more potential for us to do -- to do great things.

Suzie Squier: Yeah. Work is not over yet, right? Yeah. Always want it to be done. So tell us a little bit about your role at VF. And I know there was a -- there was a lot when you separated, you know, VF. And then Kontoor Brands, that's totally complete now. So how's the team? How's, you know, what's kind of maybe, if not keeping you up at night, what's kind of on your project plans?

Ken Athanasiou: Sure. So, you know, I've been here over four years now. And it's been a -- it's been a fantastic company to work for. You know, the fact that I get great discounts on Vans and North Face and Timberland and Dickies and all that other. Yeah, that's kind of icing on the cake. When I first joined the organization, we were going through a significant transformation. A lot of the technology functions within VF had been outsourced. And we were -- we were bringing things back in-house. And the reason that things were being brought back in-house was because it was pretty chaotic. There was just not a -- not a singular way of doing things, of making changes in the environment. And it was very expensive. So, as part of that, I essentially had to build the security program here from scratch, which is -- which is exactly what charges me up about new opportunities, right, you know, getting the opportunity to really build out a new program and implement it and mature it, et cetera. So I spent the last four years really doing that and just having a great time and not done by any stretch of the imagination. When I left American Eagle Outfitters and went down to AutoNation down in Florida as their CISO, that was another greenfield build, and had a -- had just a great time doing that there. But that was a more simplistic environment than what VF is, right? AutoNation is a very large, the largest, car dealership organization in North America. But it was North America. And VF Corporation is a global entity. We have headquarters over in Stabio, Switzerland. We have headquarters in Shanghai. We have data centers all over the globe, and we operate our brands globally. So much more complex, much more exciting, but having an absolute blast. Probably the thing that -- the thing that's got me most excited right now is we're doing a very significant transition from legacy on-premise data centers into cloud-native and hybrid cloud environments. And that's something that's happening very, very quickly. It's going to be happening over the next year and a half. And that's allowing us to do a very significant architecture shift in how we deliver services. And obviously, as part of that architecture shift, we're getting the opportunity to really take our security to the next level and lower the risks that we're presented with.

Suzie Squier: Oh, awesome. That sounds great. We'll look into checking in on that with you down the road, see how that's going. Last question, I know that, I think, and correct me if I'm wrong because I know you have been, you're one who follows, you know, maybe regulations, what's going on, I think, more in the, not necessarily political, but the kind of government level, especially in your role. Any thoughts on the SEC and the regulations? How would you guys -- are you guys talking about that internally?

Ken Athanasiou: We are. We absolutely are. You know, obviously, the notification change that's coming December 18th, I believe, is when that takes effect, that's got people a little bit concerned. We've gone through and looked at that. And we already have a very robust notification process in place. So we had to make a couple of minor tweaks to that. We don't see that as hugely significant. I can see other organizations that don't necessarily have, you know, a mature communications process look at that and get pretty freaked out. But for us, it's really not going to be a huge -- a huge deal. Some of the SEC actions that we've seen are a little disconcerting. You know, there's a particular organization that, you know, SolarWinds, that had a bit of an issue. And now they're essentially having, I mean, it seems like a pogrom has been started against them. And I think the outcome of that is going to have some interesting ramifications for all of us. I mean, we've seen other -- we've seen other instances in the past where CISOs have been targeted by, you know, regulation, regulatory actions, and those sorts of things. So that seems to be increasing. So that's something that I think we just need to be aware of and ensure that we're operating as above the board as possible. And we're also communicating with our -- with our organizations about these types of events to make sure that they understand that these things can happen. The likelihood isn't incredibly high still. It seems to be very targeted and selected actions that they're taking. But these are -- these are significant shots across the bow, so to speak. And we need to pay attention to them.

Suzie Squier: And it may be after this recording airs, but we're having -- that's going to be part of our next CISO community conversation is a little bit about that because, it's like you said, it may be one-offs, but one-offs can start adding up. So --

Ken Athanasiou: That's right. That's right. And you don't want to be one of those one-offs.

Suzie Squier: No, no. So good conversations to have and make folks aware of it. And yeah, just again, just like we were talking before, what are folks -- what are folks thinking and doing about it? So, yeah. Well, good. Well, thanks for your time today. It was great seeing you and catching up.

Ken Athanasiou: Hey, good to see you as well. It's been a while since we had a chance to chat.

Suzie Squier: I know.

Ken Athanasiou: And always enjoy it.

Suzie Squier: Yeah, me too. And hopefully -- we're hoping, for the 10th year, we'll get everyone together and have a great celebration. So, hopefully, we can get you out there for that.

Ken Athanasiou: That would be wonderful.

Suzie Squier: All right. Thank you. Have a good --

Ken Athanasiou: Looking forward to it.

Suzie Squier: -- rest of the day.

Ken Athanasiou: Thanks. You too.

Suzie Squier: See you. [ Music ]

Luke Vander Linden: All right. And welcome back to the podcast. Lee Clark, Cyber Threat Intelligence Production Manager right here at the RH-ISAC.

Lee Clark: Thanks for having me, Luke.

Luke Vander Linden: Now, in case our members don't know, you're really in charge of all the threat intel publications that come out of our organization, right?

Lee Clark: Yeah, as the production manager, I'm kind of the editor-in-chief for the intel team. So I'm basically the quality manager for the stuff that our team ends up researching and writing. One of the things I'd like to highlight that we've been working pretty hard on, Brian, our VP of Intelligence and I have been working pretty hard on a new intelligence offering that we're producing for the ISAC community, right? This is going to be the RH-ISAC Monthly Leadership Briefing. We produced the first one at the beginning of this month, first week of the month. And that's the planned publishing cadence from now on, the first or second week of every month, right? And these monthly leadership-level briefs will cover major events that we've reported on for the community for the previous month, along with best practice recommendations, how to mitigate major security risks, and then a sort of quantitative breakdown of what trends we've been seeing as well. And this was helped along a lot by JJ Josing, our principal threat researcher who runs our MISP instance, and Syerra Stinnett, our data guru on staff, right?

Luke Vander Linden: It's a team effort.

Lee Clark: Yeah, yeah, yeah. Nothing that our team produces can be produced in a vacuum or without the competence and skills of our colleagues supporting us, right? So, as with all of our reporting and all of our products that we release for the community and to the public, we're encouraging feedback on the format and content of the product series to make sure its value to the community is maximized. So any of our executive or leadership level members who may be listening to this, please feel free at any time to give us feedback on what in the production process can be more helpful, what can be more effective and more time saving for your organizations, right?

Luke Vander Linden: Excellent. Sounds great. Love that. So let's get to it then. What breaking news do you have for us today, or what are we seeing out there trend wise?

Lee Clark: Sure. For the last month, the number one thing we've been seeing up front is a lot of discussion about the Microsoft notification about Nobelium, right? I don't have specific notes on this because we didn't release public blogs on the subject. Everything we ended up releasing was at the TLP:AMBER+STRICT level for members only, right, because it was -- it was focused on impact to member industries. So the main news feature, I think that a lot of people will be looking at, is that, essentially, a Russian State-backed group compromised the email accounts of a number of high-level Microsoft leaders. They stole some source code. They stole a lot of threat intel information about their own group. It was like a reconnaissance. They wanted to see what Microsoft knew about them. And this follows a number of bigger Microsoft-related stories that our members have been seeing recently, none of which are really, like, Microsoft's fault, right? I wouldn't want this to sound like I'm bashing Microsoft. A lot of Microsoft-themed phishing going on right now, especially Teams- and OneNote-themed phishing going on. And then a couple of pretty critical zero-days that got patched recently. So that's been really heavy in the community. We also had a report that I wanted to highlight specifically for our -- for our group. The first one is the FBI released their annual cyber threat landscape. And we went through and did a breakdown of what they're seeing for the past year with what some of our trends are. Now, if I can give a little bit of foreshadowing and a little bit of promo, every June and July, Verizon releases their DBIR, Data Breach Incident Response Report, right? And that is a big statistically driven look at the global threat landscape that breaks down by industries. And whenever that comes out, we always produce a comparison report showing how it looks against our data, all right?
So we're doing that in like a forecasting sort of preliminary way here with what we've got from the FBI. So the key takeaways from this for our community really are business email compromise remains one of the most prevalent threats our industries face. A lot of critical sectors continue to experience a high volume of ransomware targeting, especially from ALPHV/BlackCat, LockBit, Akira, Royal, and Black Basta, right? A lot of major sectors that have been targeted by ransomware groups actually heavily overlap with RH-ISAC industry verticals. Now, because we're the Retail and Hospitality ISAC, that doesn't immediately conjure the idea of critical infrastructure. But a lot of the major sectors that have been targeted heavily by ransomware groups over the last year overlap pretty heavily with industries that we cover here at the RH-ISAC. Now, RH in the ISAC stands for Retail and Hospitality, which doesn't immediately conjure the idea of critical national infrastructure, as you might define it according to the Department of Homeland Security standards, right? But we actually are. We cover manufacturing organizations. We cover commercial facilities. We cover some food and agriculture. We cover several airlines, right, major facets of transportation, all of which qualify as critical national infrastructure sectors, right? So we see that targeting as much as the other industries do, right? The final point that we come to in the FBI report is that phishing, personal data theft, nonpayment fraud, and extortion lead the major crimes that organizations see. You've heard me say several times on the podcast that this is the year of fraud, right? The RH-ISAC intelligence team is focusing heavily on fraud mitigation and how to help our members handle that, right? So all of these things that the FBI is sort of coming in and saying that they're seeing really heavily in the community are also things that we're working on with our own members, right?
If we talk about ransomware a little bit, if we talk about BlackCat specifically, another large story that's going to be really heavy in the news is the Change Optum breach, right? So, for people who don't know, Change Healthcare or Optum run a large service that processes payments for apparently most retail pharmacies in America, right? They got hit by BlackCat pretty, pretty severely. And that disabled the ability of a lot of pharmacies nationwide to actually process payments. This started getting resolved a little bit last week as they were able to mitigate and move through some of this. But it caused a significant disruption for an extended period of time, right? BlackCat officially claimed responsibility, publicly shamed Change Optum for the -- for the attack. And there are reports that they took a twenty-two-million-dollar ransom and then took down their infrastructure, right? And this comes after an entire month or two of law enforcement organizations playing whack-a-mole with BlackCat infrastructure. They would take down a site. BlackCat would stand up another site or turn on an old site that was inactive. They would take that one down and they went back and forth like this for some time, each of them releasing public statements talking about the other one. So one thing I want to highlight with this particular piece is, for instance, I had never heard of Optum before this -- before this attack. I hadn't actually heard of them. But I've never worked for a retail pharmacy in their business operations or security. And this highlights something that we're working on really hard at the ISAC lately, the third-party risk environment, the supply chain environment that our members face.
Because we cover so many different industries and organizations whose businesses are so different, an airline versus a retail pharmacy chain versus a gas station chain versus a quick service restaurant chain, each of these organizations will have tools that they use in their own business operations that the others don't because they fulfill specific functions. Those tools all present a potential third-party risk in the supply chain there. And it's one of the things that we're working really hard on helping our members secure as we move forward at the RH-ISAC and continue to implement new projects to help benefit members.

Luke Vander Linden: Yeah, you're absolutely right. I mean, retail and hospitality, really the sectors that we serve, cross over so many different things that you might think of as health care or travel or financial services. And some of these companies that serve, as you say, the third party are incredibly diverse. And they themselves cross over lots of sectors. So it's very complex. But protecting consumers is what we do, and we're happy to do it. Lee, you know, I've said on the podcast before that we're entirely remote. You and I do not live or work near each other, so we don't get to see our co-workers very often. But I will get to see you in just about two weeks at the RH-ISAC Summit. I'm very excited about that. And damn it. I almost made it through an entire episode without mentioning the Summit. But it'll be good to see you and about 450 of our member representatives.

Lee Clark: Yeah, exact same here. It's one of the virtues of our organization is that we are fully remote. But that also means that we don't get to see our colleagues that we love very often. And the Summit is, it's pretty much, everyone who works here, it's our favorite part of the job because we get to see each other. We get to hang out. We get to see all of our members who we love and hang out with them. And it helps build camaraderie and everything. It's a really communal and exciting and fun atmosphere. And you learn a lot, right? We have one of the most hard tech skill-driven conferences I've ever been to in terms of content and speakers, right? And on top of that, they're all fun people to hang out with. So, yeah, we're all really looking forward to Denver and flying into a foot and a half of snow in April.

Luke Vander Linden: Yes. Not looking forward to that, but, you know, it'll be fun. It'll be great. It's worth it at the end of the day. Lee Clark, thank you very much for joining us once again on the podcast. [ Music ] Thank you to my guests, Josh Cigna of Yubico, our own Lee Clark and Suzie Squier, and, of course, Ken Athanasiou. And as always, thank you to the production team who try, try, try to make us sound good. From the RH-ISAC, that's the incomparable Annie Chambliss. And from N2K Networks, Jennifer Eiben, Tré Hester, and Elliott Peltzman. And thank you for tuning in. Stay safe out there. [ Music ]