China hacks to track. Turning the enemy's weapons against them? Notes from the Billington CyberSecurity Summit. Antitrust investigations for Facebook and, probably, Google.
Chinese intelligence and security services have been busy in cyberspace. A third-party customer leaks data it received from Monster.com. There's a Joker in the Play Store. Some notes from the Billington CyberSecurity Summit: a military look at cyber ops, what CISA's up to, and some advice from the NCSC. CISOs learn a thing or two from VCs. Antitrust investigations are on the way for Facebook, and it seems likely that Google will be next.

And now a word from our sponsor, ObserveIT. The greatest threat to businesses today isn't the outsider trying to get in. It's the people you trust, the ones who already have the keys: your employees, contractors and privileged users. Sixty percent of online attacks are carried out by insiders. To stop these insider threats, we need to see what users are doing before an incident occurs. ObserveIT enables security teams to detect risky user activity, investigate incidents in minutes, and effectively respond. With ObserveIT, you know the whole story. Get your free trial at observeit.com/cyberwire. That's observe, the letter I, the letter T, dot com, forward slash cyberwire. And we thank ObserveIT for sponsoring our show.

Funding this CyberWire podcast is made possible in part by Bugcrowd, connecting organizations with the top security researchers, pen testers and white hat hackers in the world to identify ten times more vulnerabilities than scanners or traditional pen tests. Learn more about how their award-winning platform provides actionable insights like remediation advice to help fix faster, while methodology-driven assessments ensure compliance needs are met, at bugcrowd.com.

From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, September 6, 2019.

More reports have emerged on China's extensive work to track and monitor its predominantly Muslim Uyghur minority. State security services, Reuters says, have compromised telecommunications networks in several Asian countries with a view to keeping track of the activities of Uyghur travelers. The affected networks have been found in at least Turkey, Kazakhstan, India, Thailand and Malaysia.

Other notes on Chinese activity focus on what appears to be a systematic effort to turn leaked Equation Group tools to Beijing's operational advantage. A Check Point study of China's Buckeye group, also known as APT3 or UPS Team, has followed up earlier work by Symantec and takes a look at Buckeye's Bemstour tool. Check Point concludes, with appropriate reservations about the inevitable uncertainty of such assessments, that Bemstour has adapted the Equation Group's EternalRomance exploit to its own purposes. As the researchers put it in their conclusion, "attack artifacts of a rival, i.e. Equation Group, were used as the basis and inspiration for establishing in-house offensive capabilities."

The job search service Monster.com has been affected by a data breach at an unnamed third party, a recruiting firm that's a Monster customer. TechCrunch notes that Monster did not notify affected individuals of the breach because, in their view, the data, once sold, becomes the responsibility of that third party, and Monster says it did notify the errant customer that they had a problem. TechCrunch also observed that there's no particular unanimity on the topic of whom to notify. Other companies faced with similar third-party data exposure have taken it upon themselves to notify affected individuals. Others, like Monster, see a line to be drawn here and argue that at some point the data you buy becomes your responsibility.

A researcher with CSIS Security Group describes Joker Android spyware. Computing reports that Joker has been found in twenty-four Play Store apps.

The tenth annual Billington CyberSecurity Summit concluded yesterday in Washington, D.C.
We've got some notes on three of Thursday's keynotes. Major General Dennis Crall, U.S. Marine Corps, presently serving as Deputy Principal Cyber Adviser and Senior Military Adviser for Cyber Policy in the Department of Defense, framed military cyber policy thusly: this is all about outcomes. He offered three salient considerations for U.S. military cyber policy.

First, lethality. This has three aspects. Getting the right authorities, and these need to be not only the right ones to authorize sound operations, but they also need to be deep enough to enable forethought and anticipation. Processes, which need to be repeatable and to enable operators to use the authorities they've been given. In the context of process, General Crall quoted fellow Marine and former Secretary of Defense General Mattis, who said, "When good people meet bad process, bad process wins." And finally, of course, capabilities: a trained force with the tools necessary to accomplish a mission. We should note that General Crall didn't discuss actual lethality. His usage seemed more metaphorical than literal. It would, our reporters thought, be a mistake to have heard him advocating a general shift of cyber activity toward killing. Effectiveness might be a useful gloss on what he called lethality.

Second, partnerships. Such partnerships, General Crall said, are both domestic, where partners often have authorities the military lacks, and international, where allies cooperate to share information within a framework that affords a common level of protection.

Finally, reform. At bottom, General Crall saw this as a commitment to keeping faith and trust by applying scarce resources in the most effective and affordable ways possible.

The conference also heard from Christopher Krebs, Director of the Cybersecurity and Infrastructure Security Agency in the U.S. Department of Homeland Security. He discussed the vision of his agency, which is familiarly known by its acronym, CISA. Krebs said CISA is best thought of as the nation's risk adviser. He explained the agency has five principles of execution. First, operate with the statutory authority to lead critical infrastructure protection in a collaborative fashion. Second and third, CISA is committed to remaining results-driven and risk-focused. Fourth, the agency is determined to work consistently within the framework of constitutional rights and national values. And finally, CISA intends to execute and engage as one agency, in one fight, as one team. What this means in the short term is that the youngest agency in DHS will face its defining challenge next year, during the 2020 election season. Krebs concluded, "In 2020 we're going to lead. We're not going to let the Russians or the Chinese ease in."

And the final keynote speaker was Ciaran Martin, CEO of the UK's National Cyber Security Centre. He began with a description of the realities of the environment in which we find ourselves. Martin argued defending open digital society's prosperity is a social concern, and critical infrastructure presents a serious national risk. Cybersecurity is at its core about defending a way of life. We face a formidable set of adversaries. Russia is a determined, aggressive, disruptive opponent. Our commercial environment today is one in which our businesses are under routine, continuous Chinese assault. North Korea and Iran are active and hostile. Transnational cybercrime has become, cumulatively, a grave threat to the digital economy, and state actions have come to have serious collateral effects quite apart from the effects they're designed to have on their intended targets. Both WannaCry and NotPetya illustrate this. And it's worth noting that none of the four state bad actors or the many criminal gangs have any particular stake in an open, reliably useful internet. Operating in this world has led Martin to three conclusions.
First, government matters. The internet is a public good, but well-intentioned calls for public-private partnership have proven, he argued, a recipe for inaction. Instead, governments should take responsibility for detection, resilience, and making technology safer. That third responsibility he emphasized. It's too easy, Martin said, to succumb to what he called producer capture, the sort of Hobson's choice of security design big companies, in his view, too often offer their customers. Second, we must "think carefully about our own footprints." Cyberspace may be an operational domain, but fundamentally it's a peaceful domain, and we must act in cyberspace with this in mind. Finally, governments need to look to the future, and that means looking for effective deterrence.

And finally, it seems that antitrust investigators are circling closer to big tech. The Wall Street Journal reported this morning that state attorneys general are opening antitrust investigations of Facebook. New York's attorney general is leading the effort, to be joined by Colorado, Florida, Iowa, Nebraska, North Carolina, Ohio, Tennessee and the District of Columbia. On Monday, it's expected, the Journal says, that Texas will announce that it and some three dozen other states are opening an investigation of Google. The inquiries seem to be about as bipartisan as such things can be nowadays. As an indication of public sentiment, they suggest that big tech is about where big steel and big oil were about one hundred years ago.

And now a word from our sponsor, KnowBe4. Today's phishing attacks have evolved way beyond spray-and-pray emails that mass-target victims. Instead, the bad guys have carefully researched your organization in order to set the perfect trap, and pretexting is the key. Whether it's a phone call from an attacker impersonating your IT department or what seems like an innocuous email that ends up harvesting important credentials, the perfect pretext can lead to the bad guys owning your network before you know it. Join KnowBe4 for an exclusive webinar where Kevin Mitnick, the world's most famous hacker and KnowBe4 Chief Hacking Officer, will show you how the bad guys craft such cunning attacks. He'll dig into tactics for reconnaissance, target selection, creating a pretext and launching an attack, and more importantly, he'll tell you what you need to know to protect your organization. Kevin will also share new demonstrations that will blow your mind. Go to knowbe4.com/pretext to register for this exclusive webinar. That's K-N-O-W-B-E, the number 4, dot com, slash P-R-E-T-E-X-T. And we thank KnowBe4 for sponsoring our show.

And I'm pleased to be joined once again by Malek Ben Salem. She's the Senior R&D Manager for Security at Accenture Labs. It's always great to have you back.
You and I have been talking about the trip you recently made to RightsCon, and one of the topics of discussion there was how to deal with disinformation campaigns online. Can you share that with us?

Yeah, so one of the interesting conversations at that conference was about freedom of expression on the internet versus censorship, the voices that are asking now for more control and more moderation of what gets published on the internet, in particular after all the disinformation campaigns that we've seen throughout election cycles, for instance that video of Nancy Pelosi a few months ago. So the question is, how can we fight disinformation, whether there are any viable approaches, techniques, and can we do it without censorship, right, without turning into, while keeping the internet the way we know it as a platform for free expression?

What were some of the ideas tossed around?

It seems that there is consensus that we definitely need to develop standards of internet transparency and integrity. We also need to limit space for impersonators. On existing platforms, anybody can create an unlimited number of accounts in an anonymous manner. The question is, do we need to have more checks to check that the people creating accounts are really, you know, physical people, as opposed to bots, right, that can start building or propagating information without them representing people in the real world, so they don't reflect the public opinion in the real world, right?

But then I suppose there are legitimate needs for anonymity online as well.

Absolutely, yeah, and that's really one of the advantages of the internet that gets also reflected by the development of platforms like blockchain and Ethereum, where you see platforms being created that are decentralized, distributed, and people can join anonymously. That reflects the need for anonymity. It's still a trade-off. I don't think anybody would say that we need to completely remove the ability for people to interact in an anonymous manner, but limiting the space for impersonators is what's needed. Limiting that space, meaning checking for bots that really have more harmful impact.

Yeah, I mean, what a challenge to try to have, you know, community standards when you have truly a global community.

Especially as we see also that impersonation techniques are changing and are evolving. Right now you see these bots infiltrating authentic social groups, right? So it's not like, you know, one bot that's broadcasting wrong information on their own, but they're really infiltrating the more closed groups and domestic social media dialogue. How do you detect that? It's not straightforward, but I think we need to do more research and come up with some ways of, again, not completely limiting this, but perhaps limiting the space for these personalities.

It strikes me that one of the things, the ability to automate these things, enables an asymmetry that I don't know that we had to deal with before, at the scale and velocity at which folks who are out there to spread misinformation and so forth can do so. It's a different ball game than it used to be.

Absolutely. The automation of the fast propagation of this misinformation is at an unprecedented scale, but also the automation of generating misinformation, automatically generating deepfakes, right. We've never seen that before, automatically generating videos that mimic a real person, that look really like a real person, and that are hard to detect in real time. That's an absolutely new challenge, and it will continue to grow as we make use of, you know, GANs, generative adversarial networks, to perform or to build these deepfakes. So it's a challenge that will continue to grow, and we need to work with the social media companies to come up with some common standards where we can identify these deepfakes.

Interesting stuff, for sure. Well, Malek Ben Salem, thanks for joining us.

And now a few words from our sponsor, Dragos, the leaders in industrial cybersecurity technology. Threats to industrial organizations are proliferating. As Dragos recently identified, the most dangerous threat to ICS, XENOTIME, the activity group behind TRISIS, has expanded its targeting beyond oil and gas, illustrating a trend that will likely continue for other ICS-targeting adversaries. Learn more about the eight public threat activity groups Dragos tracks at dragos.com/adversaries, and how taking an intelligence-driven approach to ICS security is the most comprehensive defensive strategy to combat industrial adversaries. To register for a free thirty-day trial of Dragos ICS threat intelligence, visit dragos.com/worldview. And we thank Dragos for sponsoring our show.

My guest today is Doug Grindstaff. He's the Senior Vice President of Cybersecurity Solutions for the CMMI Institute, an organization that was originally established by the Department of Defense to assess organizational capability around software development. My conversation with Doug Grindstaff centers on his notion that CISOs would do well to adopt some of the techniques commonly associated with VCs. He thinks they've got a lot in common.
It is very similar to what VCs face, in that it is a very fast-paced and dynamic environment. It is an environment in which there are multiple threats and the risks are very high, and so being able to understand those risks, develop the methodology to de-risk those threats, and to focus the organization on very specific outcomes, I think is really critical to the success of a VC, and in this case also CISOs.

And so what are some of the unique things that VCs face that you think could be brought over to the world of CISOs?

From a VC perspective, I think understanding what are the steps that are necessary to start to de-risk investment. In the case of the CISO, how do I understand the risks facing my business? That's a function of my business model. It's a function of my threat environment, my competitors. How do I understand those threats and then develop a very precise way of prioritizing those risks, and then start to mitigate those risks? I think from a VC perspective, one of the issues that is critical is to understand what are the steps to de-risk my investment. As I start to de-risk my investment, I start to increase the value of that investment and increase the further likelihood of future investment. From a CISO perspective, being able to understand what are the most significant inherent risks to my business, which of those things could have a terminal impact on my business, and then start defining what are the necessary steps to mitigate those risks. It could be building new capabilities. It could be focusing on developing people, acquiring new technologies. But that sense of prioritization, both from a VC perspective and from the CISO perspective, is I think really job one and mission critical.

The second after that starts to become alignment, and if you're a successful VC you have clear organizational alignment from the stakeholders, maybe the other stakeholders that are in the investment with you, all the way through the organization. What is the next crucial step, the next crucial milestone we need to achieve in order to continue to build this business and generate the returns we expect? From a CISO perspective it's very much an analog. They also need to understand, how do I create organizational alignment so my board understands and defines our risk tolerances, and the team that's supporting the security program understands exactly what are the most important security controls, what are the most important processes and technologies that are going to be part of mitigating those critical, those terminal, risks.

And then I think finally, and this one is one I often talk about as a Copernican shift for the CISO. From a VC perspective, I think it's very easy to think about focusing on outcomes, right. There are very basic metrics that determine whether or not you're generating the kind of return. Have I elevated my revenues to levels that are sufficient? Am I able to demonstrate growth in EBITDA that allows me to demonstrate increases in value? From a CISO perspective it's a little bit different, and the reason I refer to it as the Copernican shift is that I think it's important to focus not so much on process, not so much on do I have sufficient control systems or am I using the right standards, but am I focused on the outcomes? How do I know, how am I measuring, whether or not the level of activity, the level of capability I have, is sufficient to mitigate those acute risks? We often think of sufficient capability as maturity. Do you have sufficient maturity in those critical capabilities that will start to mitigate the risks that your organization is facing? And obviously those risks are informed by all those things we mentioned earlier: the threat landscape, the competitive landscape, that broad array of risks facing your business. And understanding that, putting it in the context, and operationalizing it such that now I know what are those key steps and key investments I need to make to start to address those terminal risks, I think is just as important. And I think it's a valuable analog, because a VC works in a very dynamic, constantly shifting environment where the likelihood of success is not high and the downside risk is actually quite significant. It can result in loss of investment, loss of business.

Yeah, it's really interesting to me. As you point out, the CISOs, in my mind, they sort of sit between two groups. So they quite often have the board above them, and then they have their team and the rest of the organization below them. So they sort of sit in the middle of, I guess tension is the right word, between those two groups. I wonder, is the VC sitting in a similar position? Is there someone above them? What are the different sides they're aiming to please?

Yes, they're trying to please their shareholders. They have stakeholders. They have individuals who have pooled money to potentially create a fund where they're expecting certain returns, and so the threshold returns are quite high and the timeframe quite narrow for the VC. That generates a significant amount of tension as they start to try and support organizations to achieve, you know, the de-risking process, generate increases in value, and hopefully future investment. And what you describe for the CISO, I think, is spot on. I think it is an enormous challenge. VCs are used to working with financial stakeholders, are used to building funds and generating specific targeted returns. But now you're looking at a lot of the folks that move into these roles of CISO and CSO, and there is not a lot of training. Rather, it's how to put cybersecurity into a business context and think of it as a kind of key strategic plank for the business, whether it's defining the risk not as an IT risk but as an enterprise risk. You know, those kinds of strategic skills, or that kind of board interaction, are not commonplace in terms of their career path development. So gaining those skills and building that capability I think is one of the really significant challenges facing CISOs.

I can't help noticing the emphasis that you're putting on this whole notion of framing everything in terms of risk, and I really, I think we've tracked that trend over the past year or more, that that's really a direction folks are headed.

I would say that's true intellectually. We engage a lot of organizations across sectors. I think there is a desire to understand risk, although unfortunately a lot of organizations think of risk as the threat landscape, and when we think of risk we think of it as enterprise inherent risks. So we look across all elements of a security program, from the physical security to risks of natural disaster, to, of course, network and data integrity issues. So when we think of risk we think of it holistically, and using that to understand the holistic risk, put into the context that the company uses to define their risk tolerances, is important. And so once they can get a sense of what are the inherent risks, make sure that in the same context that organization thinks about other risks on the business, and then create an operational plan that seeks to mitigate those risks. I think that is still evolving. It's not an easy process to work with, let's say, the ERM, and try to operationalize any enterprise risk management tool that organization uses. Operationalizing that is quite challenging, and in fact for the Institute we actually developed a methodology that creates a relational database that connects risks to capability, to understand which capabilities matter most given your organization's unique risk tolerances and risk profile.

That's Doug Grindstaff from the CMMI Institute.

And that's the CyberWire. Thanks to all our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at observeit.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Tamika Smith, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.