Archive.fm

CyberWire Daily

FBI and DOJ thwart North Korean cyber scheme.

A North Korean hacker is indicted for major cyberattacks. CrowdStrike’s in recovery mode. Phishing thrives in the wake of BSOD chaos. Wiz spells out no to Alphabet's $23bn offer. France goes full clean-up. Israel's secret shield in spyware saga. KOSA and COPPA 2.0 promise safer surfing for kids. N2K’s CSO Rick Howard speaks with Steve Schmidt, CSO of Amazon, about the culture of security and what it means to the CSO role. And last but not least, hacking can happen to anyone.

CyberWire Guest

On today’s guest slot, N2K’s CSO Rick Howard speaks with Steve Schmidt, CSO of Amazon, about the culture of security and what it means to the CSO role. They touch upon the SEC reporting requirements and how testing is never done. Rick and Steve caught up at AWS re:Inforce 2024.

Selected Reading

US indicts alleged North Korean state hacker for ransomware attacks on hospitals (The Record)

North Korean Military Hacker Indicted for String of US Attacks (Metacurity)

CrowdStrike says over 97% of Windows sensors back online (Reuters)

Threat Actors leveraging the recent CrowdStrike update outage (FortiGuard Labs)

Cyber-security firm rejects $23bn Google takeover (BBC)

ECB's cyber security test shows 'room for improvement' for banks (Reuters)

France launches large-scale operation to fight cyber spying ahead of Olympics (The Record)

Israel Maneuvered to Prevent Disclosure of State Secrets amid WhatsApp vs NSO Lawsuit (Forbidden Stories)

KOSA, COPPA 2.0 Likely to Pass U.S. Senate (Inside Privacy)

A North Korean Hacker Tricked a US Security Vendor Into Hiring Him—and Immediately Tried to Hack Them (WIRED)

North Korean Fake IT Worker FAQ (KnowBe4)

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Duration:
31m
Broadcast on:
26 Jul 2024
Audio Format:
mp3


You're listening to the CyberWire Network, powered by N2K.

We get it. This interruption isn't what you actually want to be listening to right now. But at Credit Karma, we've learned that a little disruption can be a good thing, especially when it comes to the slow, outdated, and totally complicated financial system. We started shaking things up by offering free access to your credit scores, then we expanded into more areas of personal finance. And now we've added new tools and personalized features to make it easier to optimize your money and grow it faster. Download Intuit Credit Karma today and get everything you need to outsmart the system.

When it comes to ensuring your company has top-notch security practices, things can get complicated fast. Vanta automates compliance for SOC 2, ISO 27001, HIPAA, and more, saving you time and money. With Vanta, you can streamline security reviews by automating questionnaires and demonstrating your security posture with a customer-facing trust center. Over 7,000 global companies like Atlassian, Flow Health, and Quora use Vanta to manage risk and prove security in real time. Our listeners can claim a special offer of $1,000 off Vanta at vanta.com/cyber.

A North Korean hacker is indicted for major cyber attacks. CrowdStrike's in recovery mode. Phishing thrives in the wake of BSOD chaos. Wiz spells out NO to Alphabet's $23 billion offer. France goes full cleanup. Israel's secret shield in spyware saga. KOSA and COPPA 2.0 promise safer surfing for kids. N2K's CSO Rick Howard speaks with Steve Schmidt, CSO of Amazon, about the culture of security and what it means to the CSO role. And last but not least, hacking can happen to anyone.

Today is July 26, 2024. I'm Maria Varmazis, sitting in for the celebrating or napping Dave Bittner. This is your CyberWire Intel Briefing.

The U.S. has indicted Rim Jong Hyok, a North Korean military intelligence operative, for a series of cyber attacks targeting American healthcare providers, NASA, military bases and other entities. The indictment alleges Rim and the Andariel unit within North Korea's intelligence agency accessed sensitive information and installed ransomware, causing significant disruption and financial loss. They allegedly laundered the ransom money through a Chinese bank to fund further cyber operations. Rim is charged with conspiracy to commit computer hacking and money laundering. The FBI and Justice Department managed to recover over $600,000 in cryptocurrency from the attacks.

We've got some updates for you on several stories that we've been tracking lately. CrowdStrike reported that over 97 percent of its Windows sensors have been restored following a global IT outage caused by a software update on July 19. This outage affected critical sectors, including airlines and financial services. CEO George Kurtz praised the collaborative recovery efforts and committed to preventing future incidents.

In their Threat Signal report, FortiGuard Labs shares analysis and insights into the latest cybersecurity threats and vulnerabilities. The latest report details campaigns used by threat actors to spread malware, using phishing and scams to take advantage of the recent widespread global IT outage affecting Microsoft Windows hosts. This outage is due to an issue with a recent CrowdStrike update that can cause a bug check or a blue screen of death on the affected Windows machines, which may get stuck in a restarting state.

The BBC reports that Israeli cybersecurity firm Wiz has rejected a $23 billion takeover offer from Google parent company Alphabet in what would have been its largest ever acquisition. Reportedly in an internal memo seen by the BBC, Wiz founder and chief executive Assaf Rappaport said he was "flattered" by the offer.
A source close to the deal told the BBC that the offer was very tempting, but Wiz believed it was big enough to go it alone.

In other international news, the European Central Bank has announced a cyber resilience stress test for 109 banks under its direct supervision in 2024. The exercise assessed how these banks would respond to and recover from a cyber attack rather than just their ability to prevent it. The test scenarios simulated successful cyber attacks, say that three times fast, disrupting daily operations, forcing banks to activate emergency procedures and restore normal functions. The ECB's first-ever cyber risk stress test was launched in response to a surge in attacks, with possible geopolitical motives. The ECB will use the insights gained to improve the banks' cyber resilience frameworks and overall risk management practices.

French authorities have launched a major operation to remove malware from the country's computer systems ahead of the Olympics. This disinfection operation focuses on combating the PlugX malware, which has infected thousands of devices, primarily for espionage. The campaign, coordinated with other affected countries, aims to enhance cybersecurity in light of increased threats.

Israel has intervened in the ongoing lawsuit between WhatsApp and NSO Group to prevent the disclosure of state secrets. WhatsApp alleges that NSO Group's Pegasus spyware targeted 1,400 users, including activists and journalists. NSO claims it acted on behalf of foreign governments seeking immunity, but this defense has been rejected by U.S. courts. The U.S. Supreme Court recently allowed WhatsApp's lawsuit to proceed, marking a significant step towards accountability. Despite this, Israel's involvement aims to protect sensitive national security information from being exposed during the legal proceedings.

The Kids Online Safety Act, or KOSA, and COPPA 2.0 are likely to pass the U.S. Senate, aiming to bolster children's online privacy and safety.
KOSA requires platforms to implement features preventing harms, like bullying, and mandates the most protective settings by default for minors. COPPA 2.0 expands protections to those under 17, bans targeted advertising to children, and establishes a digital marketing bill of rights. The original COPPA rule became effective in 2000.

Coming up for today's guest conversation, N2K's CSO Rick Howard speaks with Steve Schmidt, CSO of Amazon, about the culture of security and what it means to the CSO role. We'll be right back.

And now, a word from our sponsor, KnowBe4. Where would infosec professionals be without users making security mistakes? Working less than 60 hours per week, maybe, actually having a weekend every so often. While user behavior can be a challenge, they can also be an infosec professional's greatest asset once properly equipped. Users want to do the right thing, but often lack the knowledge to do so. That's one of the reasons KnowBe4 developed Security Coach, a real-time security coaching tool that takes alerts from your existing security stack and sends immediate coaching to users who've taken risky actions. Existing security tools will likely block a user from visiting a high-risk website, for example, but the user might not understand why. Security Coach analyzes these alerts and provides users with relevant security tips via email or Slack, coaching them on why the action they just took was risky. If users learn from their mistakes and strengthen your organization's security culture with Security Coach, learn more at knowbe4.com/securitycoach, that's knowbe4.com/securitycoach. And we thank KnowBe4 for sponsoring our show.

The IT world used to be simpler. You only had to secure and manage environments that you controlled. Then came new technologies and new ways to work. Now employees, apps, and networks are everywhere. This means poor visibility, security gaps, and added risk. That's why Cloudflare created the first-ever connectivity cloud.
Visit cloudflare.com to protect your business everywhere you do business.

AWS is a media partner here at N2K CyberWire. In June of 2024, Brandon Karpf, our VP of Programming, Jen Eiben, our Executive Producer, and I traveled to the great city of Philadelphia to attend the 2024 AWS re:Inforce security conference. I got to sit down with Steve Schmidt, the Amazon Chief Security Officer. I started out by asking him about the security culture within the company.

Well, it's an interesting thing to talk about primarily because a lot of people think of computer security as a technical problem. I don't believe that to be the case, actually. I think it's fundamentally a people problem. There are certainly lots of tools that we have to work with, lots of things that we have to build to help secure customers and encryption and access control, those sorts of things. But fundamentally, this is about human beings who are our adversaries. They're people who want to get access to information that we hold. That's true for whether it's Amazon or anybody else out there on the internet. We have to focus on what are their motivations, what do they want, and it's the usual kind of stuff you've probably heard about before, usually in the espionage space, where it's money or ideology or ego. If you think about the computer security space, a lot of it's ego-driven. If you look at the people who want to be the best hacker out there, kind of thing. Money, of course, really factors into it when you look at the people who are ransomware actors.

How do you incorporate a culture of security into your internal organization, especially a huge organization like Amazon?

Yeah. A culture of security is really the only way to ensure that we're doing everything we need to to adequately secure both the enterprise that we represent, but also to help our customers secure themselves.
I think we've had some unfortunate examples recently in the press about when there's an inadequate culture of security in companies. We ended up with some nation-state actors taking advantage of some people as a result. Building that culture is really something that starts from the top. It starts from where is the security organization in the company? If you look at Amazon, we chose, for example, to have the computer security organization report directly to the CEO, and that sets the tone for everything else that goes on in the company. Furthermore, it's not just the responsibility of the security organization to secure our business or our customers. It's every builder in the company's job, and that's something we convey to everybody and reinforce through the way that we do our performance appraisals, the way that we look at the kind of tools that we give them, the techniques that they use to build, and distributing that security expertise across the company means that we've got people who every single day think about security and the customers that they're representing. As opposed to, "I'm a builder, I'm going to go make a bunch of software and then security is going to come in at the end and tell me all the things that I screwed up and I got to go redo." It's an interesting juxtaposition because when you think about security from the beginning, it actually is more efficient from a development perspective because there's less stuff you have to go undo. It works out better. It's a little bit of a bump to get over in the beginning to get people thinking that way, but once they do, it's more efficient for the builders, and it's better security for the company.

Amazon's in an interesting position where you report directly to the CEO. That is not the case most of the places that are out there, but I also don't think it's anything that the CSO can influence you. And lastly, don't take a job unless that's who you work for. Is there, am I wrong about that?
Yeah, a lot of companies have very traditionally had the CSO reporting through the CTO or legal or the CIO sometimes and that kind of thing, and those are often representative of circumstances where the company grew up with a sort of a regulatory mindset for security. The government says we have to have some, and so we do, and we'll put them into, I don't know, wherever it fits in the company. We recognized when we started AWS as a business that without getting security right, we literally could not have a business, because fundamentally, what are customers doing? They're trusting us with their data, they're trusting us with their business information, and as a result, we absolutely had to get security right. So it was Andy Jassy's priority from the beginning of building the company. Andy Jassy was, for people who don't know, Andy Jassy was the CEO of AWS. He was actually an individual who started off in a product management role in the company and was one of the people who said, you know what, we can do this really cool thing with running computers by the hour, and he's now the CEO of Amazon.

All right, so the CEO, in this case, decided that security was essential to the products that Amazon was going to build. Like you said, it's not the case for many organizations out there. Do you think that the new SEC rule that came out last, they announced last summer and became official in December that says that public companies now have to report material cyber events within four or five days, whatever the rule is? Do you think that starts to change how CEOs will look at that going forward?

I think that it's going to be a new situation for a lot of companies to have to go figure out. Those of us in our industry, in particular, anybody who's had federal government contracts forever, we've had to report within a certain number of days if there are security incidents, so it's not a change for us.
But for a lot of places, security was kind of out of sight, out of mind, and now all of a sudden it's something that, oh my gosh, I have to pay attention to because it may become a reportable event, something very public. The other part of that, of course, is I'm not even sure that the industry or the SEC knows yet what this really should mean because the guidance is so vague that it's report a material event. What's materiality in this space? I think it's one of those unsettled legal areas, frankly, where there's going to have to be a lot of people looking at it to say, all right, what is the real threshold because nobody knows. It's brand new.

I mean, Justice Thurgood Marshall back in the '70s gave a definition of what business materiality is, and it is extremely loose. But I will say that the finance people and the SEC people and those kinds of people in business, they've had generally accepted accounting principles, GAAP principles forever. The current versions as of 2009, right? So these are 90 rules that they have all agreed to that they need to follow. In the cybersecurity space, we don't have that. We scratch our head around, what is material and how do we do that? And that's a big gap, for lack of a better word.

No, that's actually a really apropos description because it's the very discussion I've had with several people. In the accounting world, there are relatively binary rules. You can do this. You may not do that. The result is a series of things that can be independently measured by somebody else. That's GAAP. In the cybersecurity space, there really isn't. It's this enormous gray area where we have to make judgments and decisions. And I think until people figure out what those acceptable judgment points are like you're talking about with the 90 rules, we're not going to be in that position. And the other part of materiality is does it actually affect the financials of the company?
And in most of these cases, the answer is no, yet companies are still reporting it. Now, if you look at the biggest one that had to be reported recently, did that affect the stock price of that company at all? No. So was it material from that sense? No. Was it important? Probably. Maybe. Maybe. Okay. Right.

But I think the famous one is the SolarWinds case, right? Where the SEC decided that it was material and that not only that, now we're going to charge individuals in the company with fraud because what they were saying in public about how good their program was was not what was going on behind the scenes, which I find ludicrous by the way, right? But that's kind of the situation we're in. And should CISOs be afraid of that at this point, should we be doing something different because of that? And I don't know what you think about that.

I think there are a lot of folks who are re-looking at their career choices in light of that. Seriously. It's one of these unbounded liability questions when you look at the, all right, so how do I determine individually if somewhere in the company there's something which is not going the way it should be going? It's, I think it's one thing if you know as an individual that what you're saying is wrong. Well, that's pretty straightforward. But it's a lot of folks, especially in big companies, who are saying, I can't see every corner of it. How am I supposed to know?

Well, there's a difference between reporting the details, which we all know there's all kinds of things that could be better, right? And then what you say in public to stockholders, which, you know, and it's not lying. It's just, I'm not giving you the day-to-day stuff. You probably don't need to know anyway, right?

Yeah, there were often discussions, well, you know, how many attempted intrusions, that's not useful. I'm sorry, it's not. What is useful for someone making a decision is overall, what is the state of this company's behavior?
And is this, you know, an isolated incident that they're talking about here, or is this something that's more representative of, like, an ongoing and continual problem?

So I'd be remiss, we talk a lot about what CSOs do for their living, all right? So I want to wrap this back around, okay? You've been doing this for a long time. What's a typical day for a chief security officer for a Fortune, what is it, Amazon, Fortune 10 or something like that? It's Fortune 10. That sounds about right. Yeah. And AWS, it's not even their own. If you created them like an own company, it'd be a Fortune 35 company. So that is a large, very successful company. So what is a typical day for somebody like you?

Interestingly, the typical day for me starts off with reading the overnight handoffs from our on-call engineers. So I personally like to stay really attached to the details of things. And like many organizations, we have a follow-the-sun model for on-call security engineering staff. And there's a tool that we use internally, which hands off state of things. You know, we saw this thing occur. Here's what we're doing about it. Here are the next steps, here's who's on the hook, that kind of thing. I literally start my day reading those. And I guess the analogy would be the old, you know, if you're a law enforcement executive, you read the blotter from the night before. It's the same kind of thing here in the tech space because it gives me an idea about what current events look like and the kind of things that can either be, okay, it's handled, that's not a big deal, or might turn into something interesting that we have to pay more attention to. The rest of my day tends to be focused on a series of mechanisms. Mechanisms are tools or processes which allow us to drive specific behaviors across the company.
It's mechanisms to review things like the state of patching across all of our fleets, or the path to build future techniques that we're going to need or tools that we're going to need, because a lot of my job as a senior person is, what do we need to have built three or four years from now that we don't have right now? And so it's that strategic forward-looking kind of, all right, we need to be in this place, or else we're going to have a problem. Case in point there would be an internal authentication and authorization stack called Midway. Midway is a hardware MFA-based stack that we have to touch, actually he's got one sticking out of his computer right there, a button on the side of the computer in order to authenticate. Well, a lot of people are realizing now that hardware multi-factor authentication is really, really important. If you look at a lot of the problems that have popped up in the last couple of years, it's because people had single-factor authentication on accounts. They could log in with a username and a password. Rolling that kind of system out, the hardware MFA system out to a company our size is something you don't do overnight. We literally had to start building that about 12 years ago, and in order to get into the state that we want now.

So you're looking for things that you've got to build in the future just by looking at what's happening today.

That's right, and doing a little bit of Ouija board prediction about where the bad guy's going to go and where do we need to be.

Do you attend SOC briefings? Is that even a thing in Amazon, or is it too big to have one SOC everywhere?

We actually don't have a physical SOC anywhere. We have virtual facilities, basically it's our on-call engineers, and that handoff tool is the sort of virtual SOC briefing. So the tool literally says, "Here are the things I'm working on, here's the state therein," the kind of thing you would get in a briefing.

What's at the end of the day?
The end of the day tends to be the wrap-up of, "Okay, I'm going to go read what's popped out of the literature or the interesting places that I like to watch today. Make sure I'm up to speed on current events," and then look forward to the, "All right, who do we need to be talking to in customers in the next few weeks as it were typically?" And looking at what are they going to need to talk about? If you look at what's happened in the last couple of weeks, what are the questions we should expect from those customers? What's going to be worrying them? What's top of mind?

We've been talking to a lot of Amazon people at this conference, and I always tell them that there's a law in Virginia that you can't have a security conference unless you talk about artificial intelligence. So especially at your level, "Okay, how does the chief security officer in Amazon think about this new technology that's getting ready to engulf all of us?" Artificial intelligence is a thing.

Yeah, so the fun thing about artificial intelligence is there are a lot of definitions for us. And if you look at the model processes that are used in artificial intelligence, it's something that people have been working on for a long time. The really interesting component of artificial intelligence as a security problem is the difference between the way a generative AI model behaves and normal software code behaves. So if you think about normal software writing processes, I have an idea, I want to instantiate it in code, I want to build it in a way that's secure, so I go ahead and go through these processes with my security team on how do I build the model, and then how do I threat model it, and then how do I build the software, and how do I test it, how do I red team the software, penetration test it, and those sorts of things. And that all is predicated on the fact that the software is a static object. It is written, I can test it, I will always get the same results if I retest it.
Generative AI is not the same. And in fact, my keynote at re:Inforce here this year will talk a little bit about that, about how it changes what the security professional has to think about. This is no longer an "I checked that it's good, I'm done" kind of situation. It's, oh my gosh, models actually change because of the interactions with the end users. The software applications that sit on top of them give different answers over time based on the forward operation of the model, which means my testing is never done. I have to keep retesting and come up with new ways of testing in order to keep current.

So that's one of the things here at the conference is we're not inventing new strategies here. We're doing the same things, but it's going to be different because it's a new tech where there's going to be some slight tweaks to it. That's what I hear you're saying.

Yeah, that's very true. And it's a situation where in many cases, the ultimate game of the adversary is the same. They want your data. It's just the way that they get access to it that's different. So we have to build new ways to detect it. We have to build new ways to test it. We have to build ways that test continually as opposed to point in time. But most importantly, what we have to do is give our developers good guardrails. So they do things safely. You know, understanding that there's a big difference between the knowledge and experience that people have in the traditional code space, which they've achieved over many, many years, and the generative AI space, which is relatively new. So a software developer is learning new things. We have to help them learn safely.

That was Steve Schmidt, the Amazon Chief Security Officer. You can find links to the on-demand content from AWS re:Inforce 2024, including Steve's talk, in our show notes.

Most of our listeners who deal with legacy privileged access management products know they tend to be expensive, difficult to deploy, and hard to use. Keeper Security is the answer.
Keeper's Zero Trust solution delivers password, secrets, and connection management in one easy-to-use platform. It's fast to deploy, agentless, clientless, and has no implementation fees. Plus, Keeper is FedRAMP authorized. That's why we trust Keeper to prevent breaches and gain full control over privileged users. Visit keeper.io/cyberwire to schedule a quick demo. That's keeper.io/cyberwire, and thanks to Keeper Security for supporting our podcast.

Ladies and gentlemen, gather round for a tale that's both cautionary and cunning. KnowBe4, a U.S.-based security vendor known for its robust security awareness training, recently found itself in the crosshairs of a North Korean hacker. So picture this. KnowBe4, on the lookout for a software engineer for its AI team, hires someone who seems to check all of the boxes. Background check? Passed. References? Verified. Photo ID? Flawless. Albeit a little bit AI-enhanced. Despite thorough background checks and interviews, the hacker slipped through using sophisticated identity theft and AI enhancements. This candidate, unfortunately, was not just a tech enthusiast but a North Korean hacker using a stolen U.S. identity. The plot thickens, as KnowBe4's new hire receives their shiny new Mac workstation, and immediately tries to load malware onto the company's network. KnowBe4's vigilant security operations center, or SOC, quickly caught onto this cyber shenanigans, neutralizing the threat before any damage could be done. No data was lost, no systems were compromised, just a near miss in the grand game of cyber cat and mouse. CEO Stu Sjouwerman, ever the sage, shared this incident in a blog post, not as a breach notification because there was no breach, but as a learning moment. His message was clear. If it can happen to us, it can happen to almost anyone, don't let it happen to you. So what is a lesson here? Stay sharp, invest in continuous security training, and ensure your SOC is always one step ahead.
Because, in the world of cyber security, it's not just about if you'll face an attack, but when. Let's keep those digital defenses strong, folks!

And that's the CyberWire. For links to all of today's stories, check out our daily briefing at www.thecyberwire.com. Be sure to tune in to Research Saturday tomorrow, where Dave Bittner sits down with Dick O'Brien from the Symantec Threat Hunter team. They're going to be discussing their work on their new findings, "Ransomware attackers may have used privilege escalation vulnerability as zero-day." Also, they're going to provide some background and history on Black Basta. That's Research Saturday, definitely check it out. And that's it for the CyberWire. Here's wishing Dave Bittner a very happy birthday this weekend from all of us at the team here at N2K.

We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cyber security. If you like the show, please share a rating and short review in your favorite podcast app. Also, please fill out the survey in the show notes or send us an email to cyberwire@n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your team smarter. Learn how at N2K.com.

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president, Peter Kilpe is our publisher. And I'm your host, Maria Varmazis, sitting in for the one and only Dave Bittner. Happy birthday, big guy. And thanks for listening, everyone.
We'll see you on Monday.

[MUSIC PLAYING]

This September 18th and 19th in Denver, a tight community of leading experts is gathering to tackle the toughest cybersecurity challenges we face. It's happening at mWISE, the unique conference built by practitioners for practitioners. Brought to you by Mandiant, now part of Google Cloud, mWISE features one-to-one access with industry experts and fresh insights into the topics that matter most, right now, to frontline practitioners. Enter early and save at mwise.io/cyberwire, that's mwise.io/cyberwire.

[MUSIC PLAYING]