Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:01):
This is our Cybersecurity Today month-end
in review panel.
We have Dana Proctor back with us from Ottawa.
Hooray.
Are you sure?
Pleasure to be back.
We have a new guest, Randy Rose from the Center for Internet Security,
and Randy is from Saratoga Springs.
Doesn't that sound nice at this time?
Saratoga Springs, New York.
Welcome.
(00:21):
Thank you.
And the old familiar we, David Shipley, the old familiar, no.
Yeah.
We got David Shipley, he's always here.
We've got David Shipley from Fredericton.
And David by the way, has started doing the Monday morning Cybersecurity
Today newscast, and it's been a while since I've just been able to wake
up on Monday morning and listen in.
What a treat. I don't. And we have me, Jim Love, from the heart of Haliburton
(00:46):
County, the heart of the ice storm.
We don't have power here yet.
We're hoping any day now.
That's crazy.
That's horrible, Jim.
That's horrible.
Yep.
Yeah, so it's, so this has been our, this is our month in review show.
And if all of the people in the audience know this, we bring some
stories and we talk about them and try and find some insights into them.
And generally, yeah, it's a good opportunity for us to get together
(01:08):
and share information as well.
And as you were saying, Dana, as we're just before we, we went
on air for this was pretty easy
pickings. There's, not easy pickings.
There's a lot of opportunity out there for stories that you go, oh, wow.
So shall we start?
Let's do it.
Let's go.
Okay.
David, you brought the first one and this was Oracle.
(01:28):
I'll let you, you lead with this one.
This was fantastic.
This was, we'll start with a little bit of humor here.
Gather around the fireplace kids for stories of how not
to do incident communications.
Listen, breaches happen.
They happen even to the big kids.
Microsoft's been hit, security companies have been hit.
People get hit.
(01:48):
It's important to be honest when it happens, because the speculation,
the rumor mill, The Register savage headlines and The Reg, they're
just not worth dancing around.
I know we live in the era where we call ransomware an unauthorized penetration
test that our backups failed to respond to or some other bureaucratic speech.
(02:13):
But man, like now we're at the point where Oracle Cloud wasn't hacked.
It was.
Oracle Cloud Classic, like Coca-Cola gets away with the
Coca-Cola and the Coca-Cola Classic.
You come on guys.
Now this is a long intro here, David.
The story is a group said that they'd hacked Oracle.
(02:35):
Oracle denied it.
The group said, hold my beer.
And they sent to Bleeping Computer, I think it was, here's
how you can get on and see a message on the Oracle server.
I'm gonna go put one there for you now.
And they went, whoa.
Now Oracle being the transparent organization, they said,
no, this isn't happening.
(02:55):
And then I think the whole story broke and it is quite obvious
that something happened there.
And let's be clear, at this point I feel like Sesame Street, which
is still on the air, despite cuts that are coming to NPR and other
things in the United States, I feel like the Count, it's not one breach.
It's two breaches 'cause it's Oracle Cloud Classic.
(03:19):
And privately, some of their healthcare clients are getting notifications.
So this thing is just metastasizing.
And what's hilarious is so they say we weren't hacked.
Then the hacker goes, hold my beer.
Then they say it was Oracle Cloud Classic, and it's only stuff from 2017.
And the hacker goes, here's some records from 2024.
So it's guys like, stop bleeding and if we're gonna use memes as visualization,
(03:42):
there's this classic scene from The Simpsons where the kid is crying.
He is, stop hitting him.
He is already dead.
I'm starting to feel bad for you guys.
Now I've gone on this whole emotional journey where I was like, oh my God,
you've been breached to, I can't believe you're not communicating it to,
oh, everyone's just including myself.
We're just part of this train now of what are you doing?
(04:03):
So Dana knows what's happening here, Randy, but David's
also our culture critic.
Sounds like it.
Yeah.
But the issue comes up and it comes up again and I've almost been.
I'm wondering whether I'm too cynical or, sometimes I come across, 'cause
I get these things in stories where I read corporate communication
(04:25):
and I just start calling it the blah blah, blah, blah, blah.
It's, what has, maybe we can get by with that in companies, but in cybersecurity
if you're not candid, I know it hurts, but if you're not candid and open you're
gonna have more pain in the long run than you do by just putting this out.
(04:46):
I still remember, the big hacks that have happened where people have come
straight out and said, we got hacked.
It happens.
Here's, we're looking at it, we're dealing with it.
We'll give you as much information as we know and that happens
and those companies come back.
Yeah.
I think you're hitting on such a great point there.
And I think any of us that do any type of simulation, we'll be talking
(05:07):
about a good holding statement.
A good holding statement doesn't involve smoke and mirrors.
A good holding statement doesn't involve inaccurate information.
If you don't know, don't say.
But yeah, incident management 101.
To your point, David, don't say things that aren't true and work with your
comms team on a better holding statement.
(05:29):
Okay.
And if you don't know, don't say anything until you do.
I'd lean this out into 23andMe.
A lot of their bankruptcy is certainly being attributed to the breach that
they had and the privacy concerns.
I know we can talk more on that because this was a softball of a month
to pick which ones to review, Jim.
But very much, breaches do have a way of bringing our businesses, if not
(05:54):
our future trajectory down significantly.
Yeah.
And Randy, what about when you're advising clients and when your
organization is talking to people?
And you could, just to introduce Randy, he works for the Center
for Internet Security and it deals with a lot of not-for-profits, I
guess agencies and public sector organizations in the US and there,
obviously, when we met the first time we were talking about the school hack.
(06:16):
Oh, you're talking about PowerSchool?
Yeah, the PowerSchool breach.
Yeah.
A lot of schools had to come up and get information out to say, by the way,
your kids' information is out there.
That can't be pleasant.
No, it's, and I think Dana hit on a really good point, which is
the communications piece of it.
Really at the end of the day, it.
There's two issues here with Oracle, right?
There's the data breach, right?
So there's obviously some controls concerns, right?
(06:39):
They didn't have proper controls in place, and that led to a breach.
And that's one issue because you're dealing with a breach of
data and the whole other issue is how you communicate about it.
And it's not, the irony's not lost on me that, as an IT organization,
your role is communications, right?
That's what you do.
You provide communications, it's digital communications,
but it's communications no less.
(07:00):
And then you fail miserably at communicating what's actually
going on in the organization.
I think these are two wildly different skill sets, but they're, you can't,
they're inextricably linked together.
When there's a breach, you have to be able to communicate about it.
And I love that the US Navy aviation community has a wonderful three
step crisis action plan, which is aviate, navigate, communicate.
(07:21):
And you think about the kind of crises they deal with.
They are in planes, right?
They're these, they're flying aircraft.
When they have a crisis, you're talking about a threat to life and safety.
So their number one concern is keeping the plane in the air, aviate, right?
Their second concern is, where am I and where am I going?
And can I get there?
So that's the navigate piece.
And it's only after they know I can keep the plane in the air and
(07:43):
I have an idea where I am, like, am I in enemy territory or not?
Can I get back to the aircraft carrier or not?
Or can I land this thing safely?
Only after they figure those things out, do they communicate what's going on?
And I think that's something that we fail in cyber to, to
simplify our processes, right?
When there's a breach, understand what it is, what's going on, who's
(08:03):
impacted, how do we resolve that issue?
And then when we have those key pieces, we don't have to know everything,
but we just need to know the key pieces to communicate effectively.
And I think it's something that some organizations do really well.
And a lot of organizations just fail miserably.
And I think, when it comes to the, it's always dangerous in this business
to live in our digital houses and throw our rocks and realize that
(08:26):
our house is made of glass as well.
And my criticism is not that a large global provider got breached.
Yeah, man, this is hard.
It happens.
I think my criticism is that I'm becoming deeply concerned about their ability to do
exactly what you just said, Randy.
It's I don't think they can fly the plane.
I don't think they know what's going on.
(08:46):
And that to me, I think could be more damaging than just
Yep, something's happening.
We're investigating it.
More details to follow, and communicating clearly to what Dana was saying, but the
almost circus show, and I've had just about enough I can handle of clown and
circus shows right now for a lifetime.
I don't need to see this in the IT world.
Politics has got the market cornered.
(09:09):
Yeah.
It is disheartening, isn't it, that how they've responded to it
and how they've repeatedly doubled down has been more disturbing.
And it does then speak to your point Randy, of did they have the controls?
Were they aware?
Are they flying the proverbial plane?
And that's a concerning aspect, and I think a lot of our trust in
(09:29):
the Oracle brand has been corroded because of their behaviors.
When you lose trust, you lose everything in a company.
And yet some companies, like you said, come back and they build that trust.
And the irony of a breach is, and even like things that were not cyber
attacks, but were IT incidents.
So CrowdStrike, if you show that you've learned from it, I actually had a number
(09:52):
of people who were like, yeah we renewed our contract with CrowdStrike, or we
became a CrowdStrike customer because they've clearly learned their lesson.
And so you can actually rebuild trust, in through an incident.
It's not ideal.
It's not the great way to do it.
But you can, but there's a way to do it and there's a way not to do it.
Yeah.
Yep.
(10:13):
Speaking of denial, making people dig deeper, I did a story on the
Signal group chat this month.
And the basis of that was a number of people in the US government
were communicating, using what they thought was an encrypted app.
And I didn't make this a political story.
It was a practical story for what we think.
(10:35):
And that is, oh, we're on Signal.
That's fine.
We've got an encrypted communication there.
Yeah, only you gotta make sure you don't invite the wrong people to that or that
people can't get control of your phone because it's great to have an encrypted
app, but how do you hear the words and see the words in English for you?
(10:56):
Your phone can decrypt this information, so anybody in that
chat can hear everything now.
So we went to that first piece of it and then absolute denial.
This was not confident.
Talk about another communication error.
This was not, this was not highly secure information.
Why?
Because I'm the Secretary of Defense and I can say
(11:16):
what's classified and what's not?
This is not classified.
And everybody goes, that's semantics.
We all know.
So people dig deeper to the story.
And of course they dug deeper and there have been at least 20 Signal
group chats that they've held around the world on various things.
And by the way, while they're traveling.
And how do I know that?
(11:37):
Because one of the people from that call, the famous call, was in Moscow at the time.
And if you tell me you're carrying a phone in Moscow and it's not
been intercepted or been hacked, then I'm gonna tell you, you
don't know what you're thinking.
There's no way that a device wanders around the city of Moscow
with all of those cybersecurity experts that, that Moscow has,
(12:00):
and they don't break that device.
Just I find that impossible.
And by the way, the, we all know they're miking your hotel room
and all of that sort of thing too.
But anyway, that's the political story, but the, not the politics of it.
It's this idea of we fall in love with an app or some process that we've got.
And then we stop thinking about all of the things that go around it.
(12:23):
Did anybody else find that sort of insight to that story?
A couple of things that I wanna highlight to NIST, identity and
access management's hard, man, sorry, this I can't help myself, but like
literally this is Maslow's hierarchy of cybersecurity needs, right?
Who you add into what?
Secondly, shadow IT is such a huge thing.
And one of the stories that got lost in the politics of this was how many people
(12:46):
have raised red flags about Signal, in particular on government devices, and
were overruled by political appointees.
And the lesson for leaders listening to this is when your people are
raising genuine concerns about insecure methods of communication
that you should probably not do convenience versus security or legality.
(13:09):
I think lastly, as a former journalist, I totally get why these actors decided to
use non-government record keeping systems.
They were a pain, man.
You don't want necessarily every conversation to be recorded and then
used in a court of law when someone's potentially looking at war crimes.
I get where they're at.
But yeah.
(13:30):
Does that add up?
Dunno.
It's those things that are interesting and by the way, this
isn't just government, right?
How many banks have been fined by global regulators for people using WhatsApp to
conduct business and transactions that are supposed to be in systems of records,
like hundreds of millions of dollars.
So it's like we're all teeing at government and all that fun stuff.
(13:53):
And it's political, but it ain't the only group of cats using
unsanctioned quote unquote secure communication systems to do business.
And you're kidding yourself if you don't think that this is happening all
over the place to get around access to information, regulations and other things.
Yeah, there's a challenge too, I think in this particular case.
(14:15):
And I know this is the case in a number of Western countries that
deal with classified information.
There's essentially two sets of rules, right?
There's the classification level of the data.
So that's determined by, here in the US,
we use something called an OCA, an Original Classification Authority.
And there are guides that the OCA follows to say like this, this level
of information combined with this other piece of information make it
(14:38):
this level of classification with these information controls in place, right?
These dissemination controls, all of those kinds of things.
And that's determined by an OCA.
And then there's a second piece of the information.
So you have the data classification piece, and the second piece is need to know.
So you need to have a clearance of the right level to gain access
to the, to that data by default.
(14:59):
And then you need to have a need to know, so when you talk about a chat
that ends up in a situation where a person who does not necessarily
have a need to know, let alone doesn't have the proper clearance, and you're
taking information that you would
require a certain level of system, a certain secure system in order to transmit
that data, you're taking that data off and putting it into that other environment.
(15:20):
I understand like some of the officials are saying this wasn't
classified or, had, we determined that it was, the, it was unclassified
data, it was able to be transmitted.
You're still, at this point, transmitting it to somebody who
doesn't have a need to know.
So even if the classification piece was resolved, you now have this other
issue that hasn't really been addressed.
Which I think is to David's point, goes to risks with not just shadow
(15:44):
IT, but that whole identification and authorization piece of it.
When you move something out of official IT channels, now you've
lost control over who can get that.
Right now you're dealing with an information dissemination issue and
potentially putting in the wrong kind of information into the hands of people
who really don't have a need to know.
And I would say, in this particular case, a journalist definitely didn't have a need
(16:04):
to know the kind of content that was being shared which ultimately ended up, a lot
of it being shared to the American public.
That's very interesting.
Yeah, other side to this, I don't think is really getting a lot of folks, and I
think that's where my mind went to it and certainly in full agreement with you.
But if I go to maybe more a human element, which I know in talking to
you before, I often go there is, when my values are violated, I get really
(16:29):
pissed off and this pissed me off.
That information should not have been shared with a journalist.
It should not have been shared with the public.
And to say, to give that weak excuse and expect that we should have one, believed
the excuse and two, accepted the excuse.
Just made me more pissed off.
(16:50):
So in the whole situation, it was, and I think it ties in well
with the Oracle as well, is, our society is wonderfully connected.
It doesn't mean that we shouldn't still be following the golden rule
of being honest and being truthful.
And if you don't have something nice to say, keep your mouth shut.
The telling me that it was okay that this journalist was in that chat and
(17:10):
the information being shared was public anyways, really was just an offense on
my intelligence or my acceptable aspects.
And the interesting thing is in a community conversation wandering through
the grocery aisle, that was one of the comments they said, oh, just be
careful what friends you keep in your contacts for WhatsApp, because if
they get added, that's the problem.
(17:31):
And I said hold on.
That's actually, that's how it ended up being transacted.
But the problem was that they were actually having
that conversation on Signal.
It, you can get to this thing of we can blame the devices, we
can blame the failure, we can blame all these sorts of things.
But you have to look back with common sense and say, should
(17:52):
I be talking about this here?
If anybody ever stands in elevators behind people or in restaurants,
and you have to ask yourself should you be having that conversation here,
it happens all over the place.
The denial just makes it.
Just makes it worse.
It's funny, like you mentioned that, but we were talking about Signal, but
(18:12):
there are four coffee shops in downtown Toronto where if I want to be in the
loop about major financial transactions, one of them will generally have
something pretty interesting to say.
So if you stay in the Starbucks and you pretend you have your headphones
in, but you're just being nosy as all get out, you learn a ton.
It's fantastic.
The Signal chat is the example in this case, but to your point about
(18:35):
where and when it's appropriate to have what conversations?
I guess the good news of this is the big winner of this
whole mess was Hillary Clinton.
'cause I mean her social media posts were on
fire, right?
I mean that LinkedIn post where it was like, are you
kidding me with the eye emoji?
Look, there was some good emoji use in that chat, but that was
that was something else, right?
(18:56):
So I guess winners and losers on that one.
But in all seriousness, if you think that this isn't happening
in some fashion within your organization, you're kidding yourself.
And then the question is, how do you create the norms and the
culture where people don't do it?
Because there's no technological, if the US government with the full
might of the NSA cannot prevent senior leaders from doing this,
(19:21):
there's no technological way to do it.
You gotta have the buy-in to do it.
To Dana's point, people gotta believe in doing the right thing.
Yeah.
Dave, I might challenge you on the winner though.
I think Signal itself probably comes out as the winner.
Fair point.
I think as we progress as a society, we, I think we're gonna start to see more
and more use of encrypted messaging apps.
And I don't think Signal could have paid to have the promotion that
(19:45):
they got through this entire thing.
Every media outlet on the planet was writing about this.
Signal is created by Moxie Marlinspike, who's a well-known
entity in the hacking community.
And I think that guy is laughing all the way to the bank.
'cause I think more and more people are signing up for Signal
today than a few weeks ago.
And they did have
the best micro release note I've ever seen and some spicy posts from Moxie.
(20:09):
So I will concede the point.
Randy I do agree.
Hillary's gonna have to come in second place yet again.
Burn.
But again, without being political, there's a leadership piece to this that
I think we have to learn from.
And I remember, when iPads were first coming into the office, when
we had no idea how to secure them and the CEO would bring one in, wandering
(20:30):
in and, but nobody else could do that.
We just, leadership matters and that and the tone for, we say that old tired
phrase, the tone from the top, if you want to have a secure organization, you had
best not overrule your security people all the time and say, but yeah, but it's okay
for me, but not for the great unwashed.
(20:53):
'cause the great unwashed learns from you.
They know what's happening.
They know what's important.
Yeah.
And that's, every CISO out there has gotta be saying, when you set that type
of example, this is what happens to you.
Yeah.
Touche.
Now on the positive side, speaking of examples.
There's a positive side.
There is a positive side.
Okay.
Not to this story.
There's, besides Signal being the number one app download, but I saw the UK
(21:17):
government take a really nice leadership role globally in new legislation
being proposed to actually extend critical infrastructure cybersecurity.
So this is the extension of the European NIS2.
And what was really awesome was they were specifically targeting data centers,
MSPs, like the actual value chain of which their modern digital economy
(21:40):
depends on, which is so nice to see because, as we talk about the
month that was, of course, C-26 went down in flames because of a typo.
And of course the political survival of the Liberal party here in Canada
required us to prorogue parliament.
There had been the faintest and most hopey of hopes that somehow they would
(22:00):
come back, do a speech from the throne before pulling the trigger on an election.
And we might have got it passed, but no, just not to be.
And so Canada is now three plus years out easily from any kind of modern
cybersecurity laws, and I'm sure Dana is as frustrated as I am because we
both spent valuable time testifying to parliament to actually have basic
(22:23):
laws that cover some of our economy.
C-26, RIP.
For those vacationing off planet, C-26 was the Canadian Critical Cybersecurity
Act, which included amendments to the Telecommunications Act, which actually
ironically gave the government the authority to force our telcos to get rid
of Huawei, which they currently don't, say they don't have, but that could be gray.
(22:48):
Along with mandatory requirements for cybersecurity, for energy
transmission, telecommunications, transportation, and the finance sector.
And Dana, you were just as passionate about this in working
actively on trying to get this across the finish line as well.
Yeah.
Yeah.
And the challenge that was seen for so long was we were waiting
(23:09):
for perfection to move forward.
It came to the Senate
at the 11th hour before Senate went for the summer break.
They did it very quickly, come through with it.
But the challenge that I've got right now is, to your point,
David, we have no regulation.
We have nothing guiding.
(23:30):
So when I look at, if we look at the month in review, one of the items that
I was looking at getting ready for today is, I had to smile, the launch of that.
And I have to read it because there's so many words in it.
The cybersecurity certification program released as the, a
new cybersecurity standard and self-assessment tool for level one
of four levels, specifically made for our, stand by, the standards councils
(23:53):
of CAN, Standards Council of Canada.
We'll start accepting applications for organizations who wanna
become certification bodies
to support the evaluation and certification.
So we've created all of this government bureaucracy for four
levels of certification for defense and supply chain, but we still can't
get regulations or bills through to say what our telecommunications or
(24:18):
our nuclear power plants or our other critical infrastructure should be
required to do on behalf of Canadians.
Yeah.
And the problem, again, leadership, it shows how much you care.
If this was really something urgent, they could have fixed it.
(24:38):
Oh yeah.
They had two and a half years.
But just another, what, what's privacy and security?
Who cares?
And again they, that sends a message not just to citizens,
that sends a message to staff.
That sends a message to everybody that this stuff isn't really that important
in terms of how you're doing your job.
That's scary.
That's it.
That's it.
(24:59):
I do wanna, I wanna go back to a point Dave made about the UK bill that I think
is probably lost on a lot of people.
So the focus on the data centers and the MSPs, the managed service providers, is
really critical for smaller organizations.
So when you look at, when we think of data centers, right?
We think of the large behemoth organizations, but who are they actually
(25:21):
servicing? Their customers on the whole are very small organizations.
There's a lot of them.
And they don't have the ability to run their own internal data center.
That's why they use these large data centers.
Same thing with the managed service providers in the US and I suspect this is
the case for a lot of countries.
The smaller the organization, whether it's a small business, a nonprofit, or a local
(25:43):
government, they don't have the resources in house to run a lot of the IT and
cybersecurity infrastructure themselves.
So they have to outsource it.
And in most cases, at least here in New York, one of the things that we see,
and actually really all of New England, so you know the whole northeastern
part of the US, we see managed service providers are often relatively
(26:04):
small organizations themselves.
So they're regionally aligned.
There might be an organization based out of here, like the New York Capital Region,
and it provides services to, a num, maybe 60 organizations in the local area.
And then, just outside of their local area, there's a different
managed service provider.
So having regulations that support those organizations is
one of the best ways to get to,
(26:25):
I'll call it the extremities, right?
Get out to those organizations that are traditionally really
hard to get to because even if you have a federal regulation that says we're
gonna mandate all organizations do this thing, there's just a massive amount of
organizations that have no resources to do that thing, whatever that thing is, right?
So they're relying on those outside providers.
So the more we can do to support those managed service providers and
(26:47):
data centers and other third party organizations that actually have the
resources, the better off everybody is.
So that's what I really like about this UK bill.
Yeah.
And, but it also establishes a standard for MSPs and, the, there used to be this
old, in the days when there were Christmas ads and things like that, there used
to be this ad that said, open me first.
(27:08):
And I think that's what people think of.
MSPs open me first.
'cause I, you've got all kinds of clients and I can reach you.
And I don't think, in many cases, I don't think MSPs are
always taking that as seriously.
I'm not saying they all do.
But I'm saying there's so many hacks of MSPs that come up week after week, and
at least setting a standard that says there's a regulation, you are going
(27:29):
to pay a fine if you don't do this.
I ran a small tech company for a while.
We got out of hosting.
One of the reasons we got out of hosting, one, we weren't gonna be good enough at
security so I could sleep at night.
That was, it was just that, turn it over to somebody who's
gonna actually do this better.
And that was, that's a huge piece.
But I think a lot of MSPs don't know what they don't know.
I read a couple forums 'cause I'm still interested in that area and you
(27:52):
read what's, who some of the people are that are supplying a lot of
small organizations and you go, you really don't know what you're doing.
And so that's a little bit of a loss leader in business.
And I think that's the challenge there as well, is to do it economically.
The value point just can't be that robust.
I'm.
I'm a little jaded around the standards that they've brought about though.
(28:13):
I lived through, what was it?
It was years ago, it was called Cyber Essentials.
Oh, wasn't it?
And I'm sorry, I'm giving you all goosebumps right
now going I remember this.
The lilies.
Yeah.
Wasn't it a similar program where it was, to be part of a supply chain
in the UK you needed to, your company need to align to a certain level of
(28:33):
controls and you were certified up to an essentials or whatever the next
level was, and it died a horrible death.
And we tried to do it in Canada.
Yeah, it was more successful in the UK by orders of magnitude because
in Canada we spent millions, tens of millions of dollars on Canada's
version of Cyber Essentials.
But we didn't remember what the UK did that actually made people want
(28:55):
to do it, which was you couldn't get a government RFP if you didn't
have the basic bare minimum.
No.
And Canada was like, we think this is a nice thing to do, and 12
organizations across the country.
Like 12.
Value for dollar not there.
Do I think that we need a basic set of fire code for some standards?
Yes.
(29:15):
Yeah.
What's different about this defense one that you're mentioning is that, and this
is interesting, is we were rushing to match the US and Randy, you might have
to help me here, but there's a US DoD,
I wanna say CMMC standard that came out.
God help me.
I can't remember the, what it actually stands for.
But we, of course, being Canadians, we're like, we have to make our own version.
(29:37):
That has to be then given equivalency so that our suppliers can supply
the US defense industrial complex.
But in one of those life's greatest ironies, it turns out we may not be
able to supply the defense industrial complex in the United States.
So this entire certification has become kind of Don Quixote charging at the
windmill because we can't even sell aluminum and steel to the United States.
(30:01):
I dunno if I'm right about that, Randy, about CMMC
or if I'm on the right side.
Yeah.
No, you're, yeah, so CMMC was the Cyber Maturity Model Certification.
And it's, that one is focused specifically on what we call the
DIB, the defense industrial base.
So it's all the contract organizations that, like the
outside contractors that provide services to the federal government.
But you're right.
It's a framework for kind of effectively what you just said.
(30:24):
And I didn't, I actually wasn't, I had to google that cybersecurity
or Cyber Essentials in the UK 'cause I wasn't tracking that.
But it looks like that was a National Cybersecurity Center initiative that
did have a forcing function, which, essentially CMMC is the same: if you're
gonna work with the federal government, you have to meet a certain requirement to
handle controlled unclassified information or federal contract information.
(30:46):
That was like a big part of what CMMC is.
And I think, if I'm not mistaken,I think it's actually, it either
already did undergo a major update orit is undergoing an update CMMC two.
Yeah.
Yeah.
It's a, you can comply withCmmc two or you can use Signal.
It's great.
Yeah.
Those are your options.
Sorry, Dana, you were gonna say something?
(31:07):
No, it, we end up with bureaucracy and acronyms instead of actual security.
Security right now, people aren't choosing to not implement multifactor authentication, segmentation, identity controls because they just don't want to, they're usually doing it because they don't have the money to, or the people to.
(31:27):
Expense, this type of certification?
The, it's expense.
Yeah.
The technology in some ways is sometimes the cheapest part.
So that's where I'm struggling with some of these programs.
Love the, and I had forgotten the Cyber Essentials success was because it had some teeth to it.
I wasn't aware there was only 12 in Canada.
That's horrific.
So you're, I'm optimistic.
If we're creating this new standard that's assisting that it would bring
(31:50):
some semblance of improving the waterline for our defense contracts.
Engaging with corporations that only meet that, the challenge is that is going to be a taxed tariff on those companies.
They're going to have to meet that certification and maintain it.
And that's hard to do in an industry where we're already seen as a
(32:11):
tax instead of as an amplifier.
And we're still in, in a place, I don't know what it's like in the US, but in Canada, we're still in a place where most small businesses are just not even vaguely protected.
Not even going through the motions of anything resembling security, let alone when it gets complex.
And without that, you're, not only are those businesses in jeopardy, but any
(32:37):
customers they work with are in jeopardy.
And I keep looking at this every time I look at a new story that comes out of some, and there's, I'll just lead into this.
There's a whole story about EDR bypasses this month.
And I found three stories.
We did them one after another.
Microsoft's Defender, I. There's a, there's an open out
(32:59):
and Microsoft acknowledges it.
It's out there bypassing that there are three or four or five tools floating around right now that use software that is basically software that won't trigger anything in an EDR because it's built like a regular piece of software or it is legitimate software, but it's been hacked or bypassed.
(33:20):
And those are just some of the things that are happening.
And my favorite of all of these things: using old certificates.
This is how clever these guys are, using old certificates that have expired, but spinning back the clock on the machine you attack.
Yeah.
So it looks like the certificate is real.
What?
(33:40):
I can go through these and we did stories of 'em.
You can read them all and I'll put some links in the show notes that people wanna follow some of these, but the fact is that's the level of sophistication that's going out there attacking the one thing that small business might actually have.
And that's endpoint detection.
And so that's, this is a problem, I think a universal problem.
(34:04):
And it, one that's just not, doesn't seem to ever go away.
Yeah.
I might challenge you a little bit on the one defense mechanism that small businesses will have is EDR.
I think at least the organizations I've seen, they might have host-based detection in the form of antivirus, but antivirus and EDR, two totally different things and, one
(34:25):
being signature based and one being more behavioral based, but a lot, one of the articles that you sent my way was the Forbes article where it talks about an FBI alert, happy to say a little bit of self-promotion here.
My team, the security advisory that went out with that was joint between DHS, CISA, FBI and my team at the MS-ISAC, Multi-State Information Sharing and Analysis Center.
(34:45):
We focused on the Medusa ransomware, and that's, the, we did a lot of the technical analysis behind that report.
And you're absolutely right.
These are things, EDR bypass isn't really brand new, but some of the techniques that we're seeing are actually pretty novel and interesting.
Turning back the clock is, was, a relatively new one.
And the other thing you mentioned too is the living off the land binaries
(35:05):
or LOLBins, those are, we're seeing more and more actors doing that.
Medusa is one of them.
We've seen, we've had, I think the number is seven.
In ransomware, that's INC Ransomware cases just this year.
Same kind of thing.
A lot of living off the land using things like PsExec and other PowerShell capabilities to use administrative tools that are inherent on a system
(35:29):
to, so that they don't have to install their own malware, right?
It helps evade detection.
And so one of the challenges is even if you have EDR but that EDR isn't properly tuned to your environment, you might miss some of those living off the land techniques, because how EDR should work is identifying things that are outside of the normal behavior on that system.
(35:49):
So if a user has never used PowerShell before and all of a sudden PowerShell's being invoked, EDR should catch that, or PowerShell's being invoked to run specific commands, EDR should catch that.
And sometimes that's not the case 'cause EDR is installed, but it's not actually been through the proper process to tune itself to the network and to the host in that network.
So that's one of the challenges sometimes we have with even if there
(36:10):
is EDR, even if there is a security tool in place, it's not properly tuned to the environment.
And that alone, I think that gets back to Dana's point earlier, it's not always necessarily the tool.
You might have the tool in place, but the more expensive thing is configuring it for the environment, making sure that it's adequately tested, running in a secure configuration, all of those things.
It was another thing I saw in one of the articles and just was, yeah,
(36:33):
they hadn't set up the EDR right?
They had it, but it was set up.
Or it was bypassed by something, but, or that it disabled it, but basically it would give an alarm but not do any protecting.
Oops.
And isn't that the fun, right?
I, the old adage of set and forget, right?
We've got EDR, check.
(36:53):
We're good.
I. And to your point, a lot of the small, medium businesses, even enterprise businesses, we get focused on other activities.
We're forgetting some of those golden rules of we need to be testing, we need to be actually running some semblance of penetration testing at some point, or even purple teaming with your monitoring organization to ensure that you're actually testing valid use cases.
(37:16):
You're looking at your rights and your administrations, right?
Doing some certification campaigns within an organization is pretty foundational for most of us.
How I, I dare, I don't know an actual percentage, I'm sure ChatGPT or another GPT could tell me a number, but I suspect if I was to put a bet on it, it's less than 10% of our organizations actually do that and do it on the regular.
(37:38):
So these types of stories, I hope act as reminders of, oh yeah, I should go check that and make sure that my EDR is actually picking up PowerShell run, for example, as you mentioned, Randy.
I think Dana you're a hundred percent correct and Randy, the same thing.
You gotta tune these things.
What I'm desperately afraid of, so many vendors are sprinkling AI magic pixie dust and saying it does it all for you, which dear listeners and viewers,
(38:02):
like a natural human tendency, is we're, we don't want to do extra work.
We're busy, we're tired, we're cranky, we got enough on the plate, whatever it is.
And so when we hear vendors say that sweet siren song of it's automated.
Smart, intelligent.
You don't have to, you can set it and away you go.
(38:22):
It is the disaster of the sirens, right?
For those that used naval references or mythological naval references, right?
So the sirens would lure you in and your ship would crash to the rocks and you'd be devoured by monsters.
Here endeth the lesson on EDR and the vendors that say, you don't have to do anything, you just gotta install it.
And the other part is of course we buy into the idea of the silver bullet.
(38:42):
Still, it's silver bullet thinking is all throughout information technology, whether it's customer relationship management or other systems or security systems.
We keep falling for the same trap.
It's like the Wile E. Coyote and technology is our Acme Corp. And we have a very unhealthy relationship with it.
And hopefully that movie will be coming out soon, now that it's
(39:04):
been released from Warner Brothers.
Hell.
Fingers crossed, that's a news article we didn't talk about yet.
Part two.
Does anybody else have another story?
Do you want, do you wanna cover it?
Dana, do you want anything?
I, yeah.
Getting ready to, like I said, it was a bit of a softball month because there were just so many really great articles and so a few that caught my eye, I'll say, and in some ways made me shake my head because to your point that
(39:28):
you'll often say, David, of catching the Dilbert, there were a few of them.
One is the Kuala Lumpur International Airport, $10 million.
Ransomware in itself is not necessarily horrific, right?
You're like okay, another, to your point, airport got hacked, is, but the convergence of the OT with the IT, this, from what I've been able to read,
(39:49):
was certainly very targeted.
And the irony was not lost on me that their flight information dashboards was what predominantly was what was seen by travelers.
So they had whiteboards, if I believe the articles that were reading, and were able to get whiteboards in the Kuala Lumpur International Airport, not a small airport, for quite a bit of time.
(40:11):
So public disclosure of the sensitive or sorry, public impact, no flight challenge, but it begs the how far can they go?
Airports are now being seen as I can get some attention with these, and airports are wonderful little cities.
There's a lot of financial gain.
What I love as well is that they said, no, we're not paying the ransomware.
So a neat story, not close to home, but I dare say could be on the other
(40:34):
side of it, was the NHS Scotland.
And you could interchange NHS Scotland with any local hospital.
Major ransomware attack knocked out most clinical systems.
Staff was left for arguably, I think it was a day and a bit, pen and paper, operations were canceled.
Patient care wasn't able to go on.
(40:55):
Entire systems were offline.
If I'm believing what we're reading, no segmentation for offsite backups.
They had legacy infrastructure that they blamed as the leading culprit.
And no, they didn't seem to have any incident response plan outside of maybe some tabletops that they had done.
They had not simulated this.
So they were at an absolute inability on how do we actually respond.
(41:17):
The Beetlejuice to this is, it could have been one of our hospitals in a heartbeat.
So those were the two that caught my attention.
So this was an OT, you said this was an OT IT thing.
I didn't catch the story.
So a bit of convergence there that by getting into the flight information dashboards you're going through what is more traditionally the OT side of
(41:38):
the airports of understanding when the airlines were planning to be departing and arriving and which gate they're at.
That's often being either informed by OT or run by IT and then converged into the IT side of an airport.
So it's absolutely targeting a, I would say an Achilles heel of the airports.
(42:00):
Wow.
And the NHS story did, you said they came back in a day and a half, they were back up.
Did they actually get back that fast?
Back up not using pen and paper, according to the article, back up.
I don't know that you catch up that quickly.
I. I don't believe you're caught it that quick.
I find that even if they were perfect a day and a half I think they might,
(42:22):
we might class them in our other story of being less than truthful, honest about what's happening.
We had four hospitals here in, or five hospitals here in Ontario that were attacked.
They didn't come back for months.
In fairness, come back, yeah, like there's a famous political quote.
It depends on the definition of is, right.
And depends what you mean by open, so yeah, I mean there's
(42:45):
a lot of leeway on that side.
What's interesting with the NHS hacks, like a lot of these health trusts in the UK, it's been their managed service providers that get hit and then it takes them down.
Which goes back to Randy's point about what's nice about the, and probably honestly, what's driving the UK focus and it's, oh yeah, MSPs are critical infrastructure.
The OT IT thing just, it's only gonna continue to accelerate because
(43:10):
we've turned networks into software.
And may have made a lot of good progress in efficiencies and scale and money to be made in doing that.
But when you turn what used to be physically separate fiber networks into the same network that sends, split by software, you're typos away from bad things happening.
(43:31):
And OT devices continue to be a dumpster fire.
Yeah.
The one, one last shout out I want to give is of course, kudos to police when they bust a criminal.
But we have a Canadian that has now been charged for a hack of the Texas GOP; apparently, according to reporting from the Globe and Mail, he was actually quite prominently featured in a documentary that's on Netflix about the founding of Anonymous.
(43:52):
Police won, OPSEC zero.
So lessons to be learned.
I think earlier this week he kicked off the week and I said, couple of things.
If you're gonna hack, don't target Texas, don't mess with Texas, one of the best environmental campaigns ever.
But also do not taunt the FBI with foul language and tell them what
(44:13):
they can and can't do because, you know what motivates a cop?
Yeah.
Challenge me.
Try it.
Yeah.
Is he, so he hacked around and found out.
Did that, did you hear anything about that?
Was that news in the States, Randy, at all?
At all?
I don't, you know what, to be honest with you, I don't know about the specific story of coddle getting arrested.
(44:33):
I don't remember seeing that until you passed him my way.
But certainly the breach of the Texas Republican Party, that was years ago though.
That was back, that was near the height of Covid, if I remember correctly.
It was kinda like 2021 maybe.
So I do, yeah.
I mean that made news for sure.
But I don't think the arrest has really hit off here in the US.
That's not really, that kind of stuff doesn't always pick up.
(44:56):
Like we're interested in the sensational part.
So the hack itself makes it into US news and we escalate that, but when they catch the guy, it's kinda eh.
Alright.
Yeah.
The good news for this cat is he is apparently being charged in a Canadian law, which means possibly Canadian jail time and he is not gonna end up in El Salvador.
So that's a win.
Yep.
I guess so.
But the idea, but, and this is one of the things that I talk about and I'm actually
(45:18):
trying to get together to do a police show because, but it's incredibly hard to get through the communications people to get police who will actually talk to you.
Because I honestly believe we don't know how hard the work is.
This hack happens years ago and God bless them in the US, the FBI have been the most dogged people
(45:41):
for going after.
And that's why the, I love David's story saying, don't mess with the FBI.
If you have that reputation, it may take us years, but we'll get you, that.
That's the type of prevention you get.
And I think in many cases, some other police forces, maybe some in Canada could learn from that.
And that is that you just don't let go.
(46:02):
And so that if you're gonna do, what's that, Baretta, you don't do the crime if you can't do the time.
And I'm not your pound on the table law and order guy, but there is a special place in hell for people who hack hospitals.
And do things like that.
Or who cheat old people out of their pensions and God bless the FBI on that one.
(46:24):
Here, one of the, if we try to leave a little bit of positivity on this, well, is one of the things that I'm loving is seeing the anti-money laundering activities being brought more in with the IT, the, not, well, a little bit in the OT because of the, there's certainly some brick and mortar aspect to it as well.
But the security program, right?
Years ago, we called it fusion.
(46:44):
I think it's having its resurgence, not the least of which of other stories that were in the news not so long ago, but one of the, well, TD Bank for the anti-money laundering, but certainly anti-money laundering, anti-fraud, cybersecurity.
They're all close cousins.
All very close cousins.
So I'm loving that some of the programs are leaning more into how to be detecting
(47:05):
and then of course how to be thwarting or at least being aware to detect sooner than later and putting some stop to that because to your point, special place in hell for people that take advantage of seniors, people on fixed income, people on disability, people with special needs.
You shouldn't take advantage of anybody, but especially not the weak.
That's great.
Yeah.
The wonder of this is how fast the hour goes.
(47:26):
Yeah.
This has been, and I'm hoping I can get you guys back again for another month.
'cause I think we covered a lot on this one, but this, the time just zipped by on this one.
So thank you very much.
My guests have been Dana Proctor with us from Ottawa, Randy Rose from Syracuse.
No, Saratoga Springs.
Sorry.
I got Syracuse on the brain.
I can't help, Saratoga Springs, and David Shipley from beautiful Fredericton.
(47:48):
And I'm your host, Jim Love.
Thank you very much and thanks for listening.
If you have comments on the show, please send them to me at editorial@technewsday.ca.
You can reach me there, you can find me on LinkedIn.
Most of that's, a lot of people roast me there and I'm just happy to have a nonpolitical discussion on LinkedIn.
So come to me and talk to me about cybersecurity, and if
(48:09):
you're watching this on YouTube, right underneath the video, just leave a comment.
We'll get back to you.
Thanks a lot, gang, and we'll do this again next month.