
CyberWire Daily

The Supreme Court is bringing a judicial shakeup.

The Supreme Court overturning Chevron deference brings uncertainty to cyber regulations. Stolen credentials unmask online sex abusers. CISA updates online maritime resilience tools. Patelco Credit Union suffers a ransomware attack. Spanish and Portuguese police arrested 54 individuals involved in a vishing fraud scheme. Splunk patches critical vulnerabilities in their enterprise offerings. HHS fines a Pennsylvania-based Health System $950,000 for potential HIPAA violations related to NotPetya. CISOs look to mitigate personal risks. On the Learning Layer we reveal the long-awaited results of Joe Carrigan’s CISSP certification journey. Avoiding an Independence Day grill-security flare-up.

Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

Learning Layer

On today's Learning Layer segment, we share the results of Joe Carrigan's CISSP exam attempt! Hint: the test ended at 100 questions... Tune in to hear host Sam Meisenberg and Joe reflect on his test day experience and what advice he has for others who are in the homestretch of their studies.

Note, Joe's ISC2 CISSP certification journey used N2K’s comprehensive CISSP training course.

Selected Reading

US Supreme Court ruling will likely cause cyber regulation chaos (CSO Online)

Stolen credentials could unmask thousands of darknet child abuse website users (The Record)

CISA updates MTS Guide with enhanced tools for resilience assessment in maritime infrastructure (Industrial Cyber)

American Patelco Credit Union suffered a ransomware attack (Security Affairs)

Dozens of Arrests Disrupt €2.5m Vishing Gang (Infosecurity Magazine)

Splunk Patches High-Severity Vulnerabilities in Enterprise Product (SecurityWeek)

Feds Hit Health Entity With $950K Fine in Ransomware Attack (GovInfo Security)

How CISOs can protect their personal liability (CSO Online)

Traeger Grill D2 Wi-Fi Controller, Version 2.02.04 (Bishop Fox)

Share your feedback.

We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show?

You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Duration: 28m
Broadcast on: 03 Jul 2024
Audio Format: mp3


You're listening to the CyberWire Network, powered by N2K.

When it comes to ensuring your company has top-notch security practices, things can get complicated fast. Vanta automates compliance for SOC 2, ISO 27001, HIPAA, and more, saving you time and money. In Vanta, you can streamline security reviews by automating questionnaires and demonstrating your security posture with a customer-facing trust center. Over 7,000 global companies like Atlassian, Flow Health, and Quora use Vanta to manage risk and prove security in real time. Our listeners can claim a special offer of $1,000 off Vanta at vanta.com/cyber.

The Supreme Court overturning Chevron deference brings uncertainty to cyber regulations. Stolen credentials unmask online sex abusers. CISA updates online maritime resilience tools. Patelco Credit Union suffers a ransomware attack. Spanish and Portuguese police arrest 54 individuals involved in a vishing fraud scheme. Splunk patches critical vulnerabilities in their enterprise offerings. HHS fines a Pennsylvania-based health system 950 grand for potential HIPAA violations related to NotPetya. CISOs look to mitigate personal risks. In the Learning Layer, we reveal the long-awaited results of Joe Carrigan's CISSP certification journey, and avoiding an Independence Day grill security flare-up.

It's Wednesday, July 3, 2024. I'm Dave Bittner and this is your CyberWire Intel Briefing. Thanks for joining us here today. It is great to have you with us.

The U.S. Supreme Court has dramatically shifted the regulatory landscape with its decision in Loper Bright Enterprises versus Raimondo, undermining nearly 40 years of established law by overturning the Chevron deference. This precedent had allowed courts to defer to regulatory agencies' interpretations of ambiguous congressional statutes. Now, the courts are the final arbiters, potentially destabilizing federal regulations across various sectors, including cybersecurity. Chief Justice John Roberts stated that courts must independently determine if agencies have exceeded their statutory authority. This decision does not overturn past cases but encourages new challenges to existing regulations. For cybersecurity, this means recent regulations might face significant legal hurdles. Potentially impacted regulations include SEC Cyber Incident Reporting, FCC Data Breach Reporting Rules, CISA Cyber Incident Reporting, TSA Cybersecurity Directives, and many others. Existing regulatory actions such as Coast Guard Maritime Cybersecurity Rules and FCC requirements related to the Border Gateway Protocol could also be affected. Furthermore, long-standing rules like those from NERC and the Nuclear Regulatory Commission may face fresh judicial reviews. This decision introduces uncertainty for CISOs who must navigate conflicting judicial decisions across different circuits. Reporting regulations remain in effect, but the likelihood of deregulation and inconsistent application of laws will complicate compliance efforts. CISOs should prepare for a turbulent regulatory environment and potential shifts in cybersecurity requirements due to increased litigation and judicial scrutiny. So hold on to the bar, we may be in for a bumpy ride.

Researchers at Recorded Future have discovered that thousands of users on dark-net websites sharing child sexual abuse material can be identified using stolen credentials. Infostealer malware, typically used to steal banking logins, also captured credentials for CSAM sites on the Tor network. These logs link anonymous CSAM site users to clear web accounts like Facebook, revealing real names and personal data. Recorded Future analyzed this data and identified around 3,300 users with CSAM site accounts and shared their findings with U.S. law enforcement. Case studies include a previously convicted child exploiter and a volunteer at children's hospitals with multiple CSAM site accounts. The research highlights how infostealer data, which also includes various other criminal activities, can aid law enforcement in uncovering offenders and protecting children. The report aims to demonstrate the potential of such data in criminal investigations.

The U.S. Cybersecurity and Infrastructure Security Agency has enhanced its Marine Transportation System Resilience Assessment Guide, that's the MTS guide, with a new web-based tool for maritime stakeholders. The updated guide, incorporating expertise from partner agencies, offers resources and methodologies to evaluate and strengthen the resilience of port networks and inland marine transportation systems. It uses sophisticated techniques like Bayesian network analysis and provides a systematic framework for resilience assessments. The MTS guide is customizable and scalable, similar to other planning frameworks, and helps identify issues, focus assessments and implement findings. The guide emphasizes a holistic view of infrastructure, people and organizations to develop strategies for reducing losses during disruptions. It also features a Resilience Assessment Resource Matrix, a web-based library with over 100 tools and resources to support maritime resilience assessments.

Patelco Credit Union, serving Northern California, shut down several banking systems following a ransomware attack on June 29. Patelco, with over $9 billion in assets, is working with cybersecurity experts and has reported the incident to regulators and law enforcement. Affected services include online banking, the mobile app and outgoing wire transfers, while ATMs and cash deposits remain functional. The ransomware type is undisclosed and it's unclear if any data was stolen. No ransomware group has yet claimed responsibility.

Spanish and Portuguese police arrested 54 individuals involved in a $2.7 million vishing fraud scheme targeting senior citizens. The coordinated operation on June 4, led by Europol, involved the Spanish National Police and the Portuguese Judicial Police. 19 properties were searched, resulting in the seizure of computers, mobile phones, SIM cards and drugs. The gang used vishing and social engineering tactics, posing as bank employees to extract information before visiting victims' homes to steal cards, bank details and PINs. Some victims were forcibly robbed. Stolen funds were laundered through a network of money mules. The urgency of the operation was due to intercepted communications indicating planned severe violence. Vishing is increasingly used by cyber criminals as text-based scams become less effective.

Splunk has released security updates to fix critical vulnerabilities in Splunk Enterprise versions 9.0, 9.1 and 9.2, which could allow remote code execution, command injection and crashes. Users are urged to update immediately.

Federal regulators fined Pennsylvania-based Heritage Valley Health System $950,000 for potential HIPAA violations after a 2017 ransomware attack involving NotPetya. This is the third HIPAA enforcement action by the US Department of Health and Human Services linked to ransomware. The number of ransomware-related breaches reported to HHS has nearly tripled since 2018. HHS found that Heritage Valley failed to conduct a HIPAA security risk analysis, implement a contingency plan and restrict access to electronic protected health information. The settlement requires Heritage Valley to undertake a corrective action plan, including a thorough risk analysis and workforce training on HIPAA policies. Heritage Valley stated there was no unauthorized data access and that they have implemented safeguards to prevent future incidents.

Court cases against CISOs like Joe Sullivan of Uber and Timothy Brown of SolarWinds have highlighted the severe personal risks for security leaders, including potential jail time and hefty fines. A thoughtful report from CSO Online looks at the steps CISOs are taking to mitigate these risks. First, they're ensuring clear definitions of roles and responsibilities within their organizations. Transparent corporate standards help prevent misunderstandings about accountability in risk management. Since documentation has become essential, CISOs, like David Cross of Oracle SaaS Cloud, are keeping detailed records of all decisions and actions to reduce personal liability and provide evidence of compliance with corporate policies. Maintaining a risk register is another critical strategy. By recording cyber risks and stakeholder acceptance, CISOs ensure high-level acknowledgement of these risks, protecting themselves from repercussions if breaches occur. CISOs are also seeking legal protection through indemnification agreements and engaging independent legal counsel. Monitoring public statements about their company's security practices is crucial to avoid legal consequences from discrepancies. By adopting these strategies, CISOs can balance securing their organizations while safeguarding themselves from personal liability.

Coming up on our Learning Layer segment, host Sam Meisenberg and Joe Carrigan reflect on his test day experience and what advice he has for others who are in the home stretch of their studies. Stay tuned to see how Joe did.

And now, a word from our sponsor, KnowBe4. Where would infosec professionals be without users making security mistakes? Working less than 60 hours per week, maybe, actually having a weekend every so often. While user behavior can be a challenge, they can also be an infosec professional's greatest asset once properly equipped. Users want to do the right thing, but often lack the knowledge to do so. That's one of the reasons KnowBe4 developed SecurityCoach, a real-time security coaching tool that takes alerts from your existing security stack and sends immediate coaching to users who've taken risky actions.
Existing security tools will likely block a user from visiting a high-risk website, for example, but the user might not understand why. SecurityCoach analyzes these alerts and provides users with relevant security tips via email or Slack, coaching them on why the action they just took was risky. Help users learn from their mistakes and strengthen your organization's security culture with SecurityCoach. Learn more at knowbe4.com/securitycoach, that's knowbe4.com/securitycoach. And we thank KnowBe4 for sponsoring our show.

The IT world used to be simpler. You only had to secure and manage environments that you controlled. Then came new technologies and new ways to work. Now employees, apps and networks are everywhere. This means poor visibility, security gaps and added risk. That's why Cloudflare created the first-ever connectivity cloud. Visit cloudflare.com to protect your business everywhere you do business.

On today's Learning Layer segment, our host Sam Meisenberg teams up with Joe Carrigan, my co-host over on Hacking Humans, to see how Joe did on his CISSP certification exam.

So I start every Learning Layer CISSP journey with Joe the same way and I say we are bringing Joe on to talk about his experience as he gets ready for the CISSP. But this is a different one because Joe, you are done. I'm done. You've taken the test. I took the test. Congratulations on even taking it. But we're not here to just win by showing up. Right. How did it go? It was not what I expected. Joe, hang on. People are dying to know the binary yes or no. Okay. Well, spoiler alert. Yes, I passed. Hey, congratulations. Thank you. It was incredible. But it was, I was in there, I started taking the test and started looking at the questions. Very quickly I get a lot of questions that are like, I haven't ever seen this before. Sure. Sure.

So I started taking the questions of like, all right, let's get this done, and the first question comes up and I'm like, huh, I don't, you know, I haven't seen this in the study materials. Yeah. Let me, let me think about it. Yeah. And I take my time and I think about it and I get the impression that there's, there's a lot of questions I'm just getting wrong as I'm taking this test. And then after about question 50, there are a bunch of questions that were just right up straight out of the knowledge set that were very easy for me to get. Awesome. Now, I got this one. I got this one. Okay. I don't have, but I would sit down and think about it, think about the perspective, think about what my manager would think about. And I get to the hundredth question and I click next and I'm like, and it goes, your test has ended. Oh, I was not expecting the test to end here. So Joe, you passed and ended at question a hundred. Yes. You know what that means? Well, I know what I thought it meant, I thought it meant, get out of here. But no, apparently it means you have demonstrated enough knowledge by a hundred questions that you passed the test. You crushed it. That's what you literally saw the minimum number of questions, the test was like, I don't want this anymore. Right. I have two interns that work for me. They taught me this new slang word called cooked, but the test was cooked, cooked, how you spell cooked. Is that CEO? Okay. I think so, but I'm going to use that with my kids. And you crushed it is what is what the test is like, I don't want like Joe to be around anymore. I give up early. Right. So that's, that's incredible. Yes. I, I, I answered it into submission. Well done. Bendy VDV. How long they taking how many hours? It took me, let me think here, I was keeping track of that because I got the first 50 questions in about an hour. Okay.

So I was, you know, cause I knew I had three hours to take the test and I was pacing myself to be, I was a little bit ahead of an hour at the end of 50 questions. Okay. And at the end of a hundred questions, I was probably about 10 minutes ahead of two hours. Great. So about an hour and 50 minutes. Sure. That's, that's, you know, probably a little faster than you needed to, but it sounds like what you, what you did do as you described around question 50, when you got just straight up content questions, you can go predict the right answer. Right. You can go faster on those. Yeah. Again, you would have used all that time for one on one to one 50 if it had happened. Right. So yeah, and that's a good point. And I knew that when I, when I was able to do the answer prediction stuff and it was right there and I knew the answer was part of it. Uh, yeah, I, I, those questions I probably took maybe 15 to 30 seconds apiece on those. Nice. Um, I'm curious, given now that you're on the other side, both on the test itself and the studying, what is like one piece of advice you would give to somebody who's gearing up for their CISSP? Uh, it's, it's more about the way you think about things than it is about, uh, you know, the knowledge. The knowledge is good. The knowledge is very important. Yeah. But it's, it's more like, like you've been saying the entire time, it is about the managerial way of thinking. Uh, and I really tried to apply that in the test taking part is you have to think like a manager and I've heard not just you, but a bunch of other people say that. Yeah. Um, so it is, is that is not a lie, that is not people telling you something, that is exactly what you need to do. Uh, and I, I like to think that I thought like a manager and I was done with the test at a hundred questions. I got some other questions for you. Yeah. I, I, uh, had somebody on my team pull some stats on your studying. Okay. So let's do Joe Carrigan, CISSP pass by the numbers.

How many total questions you think you did in the LMS? I make total questions. I should know this cause it hasn't listed there. Um, I, I'm going to guess I did close to 400. Six hundred and ninety. Six hundred and ninety. Okay. Okay. How many, we also calculated the amount of hours you spent just on the questions. So again, this is not reviewing. This is not studying, literally just sitting down and doing questions. Okay. Um, I'm going to guess, uh, six hours, no, it can't be six hours. It's got to be longer than that, like probably 10 hours. You're in between six and 10, eight, eight hours. Okay. It's pretty good. Um, you actually spent just one hour just doing identity access management questions. Yes. You were, you were deep in those. I was worried about that, that, uh, which domain do you think you did the most questions in with a hundred and 70? That was probably domain one. Nice. Security risk management. Right. That's to share with you, first of all, your first quiz bank quiz was in March and your last one, you know, went through June. Yeah. So that's a lot of months of studying. Yep. Your worst Q bank quiz was 50%, 50% and that was your domain seven. Okay. And what was your best? Do you know? Uh, I'm going to say it was 85. Well done. 86.6%. 86. So I have a commentary on that stat, which is supposed to show you the volatility. It's normal to maybe score a little bit lower in some stuff and then score really high. You're never as good as you look, you're never as bad as you look. So volatility happens in the, in the questions. Um, in your final exam, I, I, I love this because let me ask you what domains were your best in the final? Do you remember, uh, uh, I think domain one was my best. There was one that I know, uh, yeah, I think it was, there was one that gave me the green circle and all the rest of them gave me a yellow circle. Correct. So you're above proficiency in actually two of them. Okay.

It was identity access management, too, five, and then domain eight, domain eight, software development. And why does that make me smile? Uh, because I'm a software engineer. Well, and yes, and because on your diagnostic, I did not do well in software development. That's what I'm talking about. Right. And that is so beautiful. It makes me so happy. You know, when you're in a circle, your weakness in the diagnostic, all of a sudden became the strength in the final. Right. And that's something to be proud of. Yeah. Yeah, it was good. So I asked you what a takeaway was, from your perspective, I have a takeaway I want to share with the listeners. Okay. All of the stats that I just shared, 690 questions, it takes a lot to pass this test. Yeah. Like all the hard work you put in, that's what it takes. There are no shortcuts when you're studying for certification exams, especially the CISSP. I would agree with that 100% with this. So congratulations again, Joe, and also on a personal level, I have to thank you. Because if you imagine you hadn't passed, I would look really bad. You made me look good. You made me both really. So congratulations. It was great working with you. I knew from the beginning, you were going to be fine, but to actually watch it happen. And you put in all the hours and effort was fun to watch. Yeah. I want to tell you this, Sam. I didn't have that level of confidence in how I was going to pass this test all the way up to the point where right before I picked up the piece of paper and it said you passed. Yeah. I was not 100% confident until I saw that, but that's just my nature. Yeah. But yeah. I don't know. Maybe it's imposter syndrome. Who knows? Congratulations, you can't fudge your way around being fully certified CISSP. So congratulations again, and whenever you're ready for the next start, let me know. Okay. Well, I will let you know.
It's worth mentioning that Joe's ISC2 CISSP certification journey made extensive use of N2K's comprehensive CISSP training course. You can find out more about that on our website.

And now a message from BlackCloak. What's the easiest way for threat actors to bypass your company's cyber defenses? Targeting your executives at home. That's because 87% of executives use personal devices to conduct business, often with zero security measures in place. Once execs leave your organization's secure network, they become easy targets for hijacking, credential theft, and reputational harm. Close the at-home security gap with BlackCloak Concierge Cybersecurity and Privacy, award-winning 24/7, 365 protection for executives and their families. Learn more at blackcloak.io.

And finally, as we head into the July 4th holiday, many will be firing up their grills for some festive fun. However, beware of the Traeger Grill D2 Wi-Fi controller's latest vulnerabilities, revealed by Bishop Fox. These critical flaws, if exploited, allow hackers to control your grill remotely, potentially turning your perfectly cooked steak into a charred disaster. Bishop Fox discovered that the grill's API lacked sufficient authorization controls, allowing attackers to hijack other users' grills by obtaining their 48-bit identifiers. Imagine your neighbor cranking up the heat on your grill mid-cook. To exploit this, attackers can capture network traffic or scan the grill's QR code. Fortunately, Traeger has released updates to fix these issues. To stay safe, ensure your grill's firmware is up to date and consider turning it off when not in use. Enjoy your holiday grilling, but do keep an eye on your Wi-Fi-connected devices. I'll take my steak medium-rare. No password required.

And that's the CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's pre-eminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at N2K.com.

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president, Peter Kilpe is our publisher, and I'm Dave Bittner. We are taking a few days off to enjoy the July 4th holiday weekend. We will see you back here this coming Monday. Have a great weekend.

This September 18th and 19th in Denver, a tight community of leading experts is gathering to tackle the toughest cybersecurity challenges we face. It's happening at mWISE, the unique conference built by practitioners for practitioners. Brought to you by Mandiant, now part of Google Cloud, mWISE features one-to-one access with industry experts and fresh insights into the topics that matter most, right now, to frontline practitioners. Register early and save at mwise.io/cyberwire, that's mwise.io/cyberwire.
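The Traeger item in the transcript describes a device-control API that accepted commands for any grill whose identifier the caller happened to know. As an added illustration (not code from the episode, from Traeger or from Bishop Fox), the constructed model below puts that authorization gap beside an ownership-checked handler and adds a log sweep that flags cross-account commands; the grill ids, accounts, temperature range and log lines are all made up.

```python
"""Device-control API with and without object-level authorization.
Constructed model of the bug class in the Traeger segment: an API that trusts
a device identifier alone. Ids, accounts and log lines are made up; this is
not Traeger's or Bishop Fox's code."""
import re
from dataclasses import dataclass

# A 48-bit id is 12 hex digits. Shape is validated, but knowing an id is
# never treated as proof of ownership.
GRILL_ID_RE = re.compile(r"[0-9a-f]{12}")

@dataclass
class Grill:
    grill_id: str
    owner: str
    target_temp_f: int = 0

class AuthorizationError(Exception):
    """Caller does not own the device it is addressing."""

def make_registry():
    """Constructed sample data: two accounts, one grill each."""
    return {
        "a1b2c3d4e5f6": Grill("a1b2c3d4e5f6", "alice"),
        "0f1e2d3c4b5a": Grill("0f1e2d3c4b5a", "bob"),
    }

def set_temp_vulnerable(registry, caller, grill_id, temp_f):
    """Gap: the id is looked up but `caller` is never consulted, so anyone
    who learns the id can command someone else's device."""
    grill = registry[grill_id]
    grill.target_temp_f = temp_f
    return grill

def set_temp_hardened(registry, caller, grill_id, temp_f):
    """Same endpoint with an ownership check and input validation."""
    if not GRILL_ID_RE.fullmatch(grill_id):
        raise ValueError("malformed grill id")
    grill = registry.get(grill_id)
    # One error for 'unknown id' and 'not yours', so the endpoint is not an
    # oracle that confirms which ids exist.
    if grill is None or grill.owner != caller:
        raise AuthorizationError("no such grill for this account")
    if not 165 <= temp_f <= 500:  # constructed range for the model
        raise ValueError("temperature out of range")
    grill.target_temp_f = temp_f
    return grill

def hardened_accepts(registry, caller, grill_id, temp_f):
    """True if the hardened handler applied the command, False if it refused."""
    try:
        set_temp_hardened(registry, caller, grill_id, temp_f)
        return True
    except (AuthorizationError, ValueError):
        return False

# Constructed API access-log lines: timestamp, account, device, command.
SAMPLE_LOG = [
    "2024-07-03T17:02:11Z account=alice grill=a1b2c3d4e5f6 cmd=set_temp value=225",
    "2024-07-03T17:05:40Z account=mallory grill=a1b2c3d4e5f6 cmd=set_temp value=500",
    "2024-07-03T17:06:02Z account=bob grill=0f1e2d3c4b5a cmd=power_off",
    "2024-07-03T17:07:15Z account=bob grill=ffffffffffff cmd=set_temp value=300",
]
LOG_RE = re.compile(r"account=(\S+) grill=(\S+) cmd=(\S+)")

def find_cross_account_commands(registry, log_lines):
    """Detection sweep for a service that already shipped the gap: return
    (account, grill_id, cmd) for every command aimed at a device the account
    does not own, including ids that are not registered at all."""
    flagged = []
    for line in log_lines:
        match = LOG_RE.search(line)
        if not match:
            continue
        account, grill_id, cmd = match.groups()
        grill = registry.get(grill_id)
        if grill is None or grill.owner != account:
            flagged.append((account, grill_id, cmd))
    return flagged

if __name__ == "__main__":
    reg = make_registry()
    set_temp_vulnerable(reg, "mallory", "a1b2c3d4e5f6", 500)
    print("vulnerable: mallory set alice's grill to", reg["a1b2c3d4e5f6"].target_temp_f)
    print("hardened accepts mallory:", hardened_accepts(make_registry(), "mallory", "a1b2c3d4e5f6", 500))
    print("flagged:", find_cross_account_commands(make_registry(), SAMPLE_LOG))
```

The sweep is the check a defender would run over historical API logs after patching: any accepted command whose account does not match the device owner is evidence the gap was used.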