The UK designates data centers as Critical National Infrastructure. Cisco releases patches for multiple vulnerabilities in its IOS XR network operating system. BYOD is a growing security risk. A Pennsylvania healthcare network has agreed to a $65 million settlement stemming from a 2023 data breach. Google Cloud introduces air-gapped backup vaults. TrickMo is a newly discovered Android banking malware. GitLab has released a critical security update. A $20 domain purchase highlights concerns over WHOIS trust and security. Our guest is Jon France, CISO at ISC2, with insights on Communicating Cyber Risk of New Technology to the Board. And, could Pikachu be a double-agent for Western intelligence agencies?
CyberWire Guest
Our guest is Jon France, CISO at ISC2, sharing his take on "All on Board for AI – Communicating Cyber Risk of New Technology to the Board." This is a session Jon presented at Black Hat USA 2024. You can check out his session's abstract. Also, N2K CyberWire is a partner of ISC2's Security Congress 2024. Learn more about the in-person and virtual event here.
Selected Reading
UK Recognizes Data Centers as Critical National Infrastructure (Infosecurity Magazine)
Cisco Patches High-Severity Vulnerabilities in Network Operating System (SecurityWeek)
BYOD Policies Fueling Security Risks (Security Boulevard)
Healthcare Provider to Pay $65M Settlement Following Ransomware Attack (SecurityWeek)
Google Unveils Air-gapped Backup Vaults to Protect Data from Ransomware Attacks (Cyber Security News)
New Android Banking Malware TrickMo Attacking Users To Steal Login Credentials (Cyber Security News)
GitLab Releases Critical Security Update, Urges Users to Patch Immediately (Cyber Security News)
Rogue WHOIS server gives researcher superpowers no one should ever have (Ars Technica)
Pokémon GO was an intelligence tool, claims Belarus military official (The Register)
The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
You're listening to the CyberWire network, powered by N2K.
Defense contractors face immense pressure to comply with CMMC 2.0 security standards, needing a secure, user-friendly file-sharing solution. Kiteworks, a FedRAMP Moderate-authorized solution, supports nearly 90% of CMMC 2.0 Level 3 requirements, reducing compliance effort and cost. Kiteworks leverages a zero-trust framework for swift compliance and offers a secure platform for defense data protection needs with advanced security features and ease of use. Its intuitive UI, mobile apps, and centralized policy management simplify administration. Accelerate your CMMC 2.0 compliance and address federal zero-trust requirements with Kiteworks' universal secure file-sharing platform made for defense contractors. Visit kiteworks.com to get started.
The UK designates data centers as critical national infrastructure. Cisco releases patches for multiple vulnerabilities in its IOS XR network operating system. BYOD is a growing security risk. A Pennsylvania healthcare network has agreed to a $65 million settlement stemming from a 2023 data breach. Google Cloud introduces air-gapped backup vaults. TrickMo is a newly discovered Android banking malware. GitLab has released a critical security update. A $20 domain purchase highlights concerns over WHOIS trust and security. Our guest is Jon France, CISO at ISC2, with insights on communicating cyber risk of new technology to the board. And could Pikachu be a double agent for Western intelligence agencies?
Today is Thursday, September 12, 2024. I am Trey Hester, filling in for Dave Bittner. And this is your CyberWire Intel Briefing.
Greetings all, and thank you for joining us today. The UK has designated data centers as critical national infrastructure, placing them alongside energy and water systems. Announced by Technology Secretary Peter Kyle on September 12, the move aims to bolster cybersecurity and prevent IT disruptions.
A dedicated government team will provide support, monitor threats, and coordinate with security agencies like the National Cyber Security Centre to protect data centers from attacks. This comes alongside a proposed $3.75 billion investment in a new data center and an $8 billion investment in Amazon Web Services. Industry leaders welcome the move, noting that many centers already meet CNI security standards.
Cisco has released patches for eight vulnerabilities in its IOS XR network operating system, including six high-severity flaws. The most critical, with a CVSS score of 8.8, could allow attackers with low privileges to elevate their access to root by executing crafted commands. Another major issue affects the Mtrace2 feature and could be exploited remotely to trigger a denial-of-service attack. Cisco also disclosed two high-severity command injection vulnerabilities in the routed passive optical network controller software. These and two other flaws, including two medium-severity issues, have been patched. Cisco is unaware of any active exploitation of these vulnerabilities.
Verizon's 2024 Mobile Security Index highlights the growing security risk posed by employee mobile device use at work, known as bring your own device, or BYOD. The report reveals that 37% of employees use public Wi-Fi despite organizational bans, increasing vulnerability. Mobile device threats surged in 2023, with 85% of organizations seeing more risks, while 77% fear AI-driven attacks like deepfakes and SMS phishing. Critical infrastructure sectors, including energy and health care, are particularly at risk, with 86% reporting heightened mobile and IoT security issues. Verizon's Mike Corellis stresses the importance of comprehensive security strategies, including mobile device management, network access control, and employee training on phishing and AI-driven threats. He warns that unmonitored devices and unsecured connections can lead to severe security breaches.
Most organizations are boosting mobile security spending, but a united effort between public and private sectors is essential to counter evolving threats.
Lehigh Valley Health Network in Pennsylvania has agreed to a $65 million settlement in response to a class action lawsuit stemming from a 2023 data breach. The breach, attributed to the BlackCat ransomware gang, began in January of 2023 and impacted over 130,000 patients and employees. Stolen data included personal and medical information, Social Security numbers, and, in some cases, clinical images and nude photos. LVHN disclosed the attack in February and confirmed the involvement of the ransomware group in July. Affected individuals were offered two years of identity protection. The class action suit, filed in March of 2023, accused LVHN of failing to safeguard patient data. Settlement payments will range from $50 to $70,000, with the highest amounts awarded to those whose photos were leaked. A final approval hearing is scheduled for November 15.
Google Cloud has introduced air-gapped backup vaults as part of its enhanced Backup and Disaster Recovery service, now available in preview. These vaults provide robust protection against ransomware and unauthorized data manipulation by creating immutable and indelible backups, preventing modification or deletion until a set retention period elapses. Isolated from the customer's Google Cloud project, these air-gapped vaults reduce the risk of direct attacks on backups.
TrickMo is a newly discovered Android banking malware, identified by Cleafy's threat intelligence team, that targets financial institutions and customers. Derived from the TrickBot malware, TrickMo uses advanced evasion techniques like broken ZIP files and broken apps to avoid detection. Disguised as Google Chrome, it exploits Android accessibility services to gain admin controls. Once installed, TrickMo can capture one-time passwords, record screens, log keystrokes, and remotely access infected devices.
It also conducts HTML overlay attacks to steal credentials. The malware communicates with its command and control server, which stores exfiltrated data, including logs, credentials, and images, but lacks authentication, leaving victims vulnerable to multiple attackers. Initially discovered in 2019 by CERT-Bund, TrickMo primarily targets European banking apps with a focus on German-language users. A recent leak exposed 12 gigabytes of stolen data, raising concerns about future exploitation.
GitLab has released a critical security update addressing multiple vulnerabilities. The most severe flaw has a CVSS score of 9.6 and could allow attackers to trigger pipelines as other users. GitLab urges all users to upgrade to the latest patched versions immediately to prevent security risks, including unauthorized access, privilege escalation, and data compromise. GitLab.com has been patched, and no action is required for GitLab Dedicated customers.
Security researcher Benjamin Harris, CEO of watchTowr, exploited a $20 domain purchase to gain control of a previously authoritative WHOIS server for the .mobi domain, leading to significant security concerns. After discovering that the original domain, dotmobiregistry.net, had expired, Harris registered it and set up a rogue WHOIS server. Within days, his server received millions of queries from high-profile organizations, including governments, security tools, and certificate authorities. This allowed Harris to potentially issue counterfeit HTTPS certificates, track email activity, and execute malicious code on querying devices. The vulnerability exposed flaws in trust systems and outdated infrastructure, which could be exploited by attackers. Harris' findings highlight the fragility of internet trust and security processes, and the incident led to discussions with security organizations to prevent further misuse of the domain. The issue underscores broader concerns about the recycling of infrastructure and expired domains.
Coming up after the break, Dave Bittner's conversation with Jon France, CISO at ISC2. Jon shares his Black Hat USA 2024 session, "All on Board for AI: Communicating Cyber Risk of New Technology to the Board." Stay with us.
Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say, DeleteMe is a game-changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind, knowing my data privacy is protected. DeleteMe's team does all the work for you, with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe. Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com/n2k and use promo code "n2k" at checkout. The only way to get 20% off is to go to joindeleteme.com/n2k and enter code "n2k" at checkout. That's joindeleteme.com/n2k, code "n2k."
When it comes to ensuring your company has top-notch security practices, things can get complicated fast. Vanta automates compliance for SOC 2, ISO 27001, HIPAA, and more, saving you time and money. With Vanta, you can streamline security reviews by automating questionnaires and demonstrating your security posture with a customer-facing trust center. Over 7,000 global companies like Atlassian, Flo Health, and Quora use Vanta to manage risk and prove security in real time. Our listeners can claim a special offer of $1,000 off Vanta at vanta.com/cyber. That's v-a-n-t-a.com/cyber for $1,000 off Vanta.
Jon France, CISO at ISC2, sits down with Dave Bittner to discuss his insights on communicating cyber risk of new technology to the board.
It's actually a conjunction of two very topical things.
They sit quite nicely together. Some people call it an emerging, or an emerged, technology in AI that's really hitting the mainstream now. That has lots of promise and, potentially, lots of peril with it. Those kinds of risk balances, the risks, all need to be communicated to the right stakeholders and leadership. That happens to also intersect with the board needing to be made aware. Board-level communication, from a cybersecurity practitioner's point of view or from a CISO's point of view, is being able to articulate somewhat highly technical things in a language that resonates with leadership, so they can understand it and make the correct decisions around it. That's why the two topics together: so topical, tackling two interesting facets that are of the moment.
Let's go through some of the highlights from the presentation together. I'm curious, where do we find a typical board member coming to this conversation? What is their perception of AI?
It's a great question. If you listen to the drums of what's going on, AI is either going to solve the world's problems or going to eat the world. Business leaders are looking to leverage the "solve the world's problems" side. They're really focused on trying to get value out of new technologies to keep competitive advantage or to gain efficiency in operation. They're viewing, in essence, what's hitting them in the face daily these days: AI is going to make you more efficient, it's going to enable you to do things you haven't done before, a good business opportunity, and so they're looking to exploit that. Some of them are aware of some of the risks as well, so that's the counterpart to that.
Is it the security professional's job to say, not so fast here? There could be potential peril ahead.
I think a really good security pro or a CISO is, and this is why I love it, what I call the balance engine, so we never want to be the department of no, nor should we be.
We're the department of "let's take a look at it," and it's yes, maybe, but here are some guidelines. A really good CISO, especially in light of AI (which, by the way, through some of our surveys, is showing that there's not a huge amount of depth of knowledge in AI out there in terms of some of the risks and rewards that it happens to present), a really good CISO is that balance to say, look, we need to be a little more risk cautious around here. Here are some of the pitfalls. Now we can talk about AI, and that might be hallucination and data usage rights of model training and biasing and those kinds of things. Here's how you've got to watch out for those kinds of things if we're going to make it part of our decision matrix. But also, the other balance is, here's where you can probably take a little more risk than you think you might be able to take. It's not all downside and beware. It can be upside, and actually, I'll come and bust some myths. Let's have a look at it in a balanced way, and we may be able to take a little more risk here if it's not life-critical, mission-critical or critical infrastructure. We could take a little more risk. If it is, then we might need to be a little safer on that side of how we incorporate it. It's that kind of balance, and communicating that to the board. What you really want to be is a business leader and a partner to the board, offering sage advice in your expert area, in a language that the board actually can digest.
How do you handle that translation layer there? You say communication is key, and that can be a challenge of bridging that gap.
Yeah. I hope I'm not an outlier in this case. Well, my CEO tends to say, "You're a bit weird for a techie," because you actually understand business. I think, flippantly, she makes an important point, which is a lot of CISOs come through a very technical background and use jargon. That doesn't really resonate well with people that come from the business angle.
We're a little bit of a translation layer there. We've got to be able to translate technical concepts into business language. The language of business, as we know, is risk, reward, sometimes regulation and responsibility, a sort of fiduciary responsibility, as well as business opportunity, and that can be money, competitive advantage. So understanding those broadly, and that's how that world works, and then converting from the technical world, I think, is key. We can use data and evidence where applicable, but we make it digestible. Prioritization is also something that we can bring to the table, i.e. options. There are three ways of doing this, and we think option A is probably the best for a number of reasons, but you've got other options there.
As you were preparing this Black Hat presentation, you were doing the research for it. Were there any particular things that were eye-opening to you? Any surprises that you unearthed along the way?
Yeah, I mean, ISC2 runs a workforce study year on year, and we involve, and I can't remember the exact number, but it's tens of thousands of security practitioners, to get their opinion, and the data is actually telling us something quite interesting, which is AI as a technology really wasn't on the radar a couple of years ago in terms of topics to take note of. I think it's number two or number three now, so it's really rocketed up the ranks, and as we know, it's only really been in the public consciousness for 18 months, two years-ish, so that's not surprising, but we confirm through data that it is a big topic of discussion amongst practitioners as well as leadership. The other thing we found was there's a little bit of uncertainty of how to sometimes control new technologies, and AI specifically, so 29% of the respondents said they didn't have hard controls in place for the use of AI, and 10% didn't know how their organizations are going to handle access to AI-based systems.
That was kind of interesting: whilst it's a topic of discussion and opportunity, policy, controls and general level stuff hasn't really caught up with it. How I tackled that in our organization is, we tried to use some simple language: if you wouldn't put it into a Google search engine, don't put it into a generally available AI. People can go, "Oh, yeah, I wouldn't put my Social Security number into Google. Don't put it into an AI then." There are some simple, easily understood things that you can start building some guardrails around, especially on the usage angle. That's a couple of stats that came out of the survey that were, like I said, not shocking but confirmatory, that it is a really good issue of the day, and it's getting the creative juices of how do we tackle it flowing, I think.
Are security folks finding themselves having to deal with a hype cycle here? Everything these days is AI, AI, AI, to the point where I think it's lost some of its meaning. What do you mean by that? If I'm just imagining a board member coming and saying, "Listen, we're all in on AI," okay, what do you mean by that?
Good question. What I'm seeing as a practitioner myself, and through conversation, is there are a couple of modes that AI is really starting to express itself in, in the business world. One is probably the data-driven larger companies, where they can actually invest in direct usage of AI themselves, whether that be instigating a model on their own infrastructure, or, even if they're really big, training their own model, because it takes lots of data, lots of money to do that. They're the kind of companies that are starting to have to tackle how do I securitize the AI models themselves and how do I look around the infrastructure. A lot of good cyber hygiene practice comes into play here.
If you look at some of the stuff that we do around education and certification, our lifecycle certificate covers a lot of good practice around that, whether it's AI or whether it's general code. Those are the ones that are implementing models. That's one thing pushing into business. Then there's just the general consumption, probably where you've seen it come to the fore, of the tooling that you use. One day, you'll be using an Adobe product, for instance, and quite happily using it. The next day, oh, there's this weird AI button that's just appeared in my tool belt. What's that? We're seeing AI come to the fore as, I'm going to call it, general feature creep, where lots of vendors are starting to add it into the existing tool sets. There's a little bit of, as a practitioner, "I might need to have a look at where that data goes and how it's used and what the contract says and the T's and C's." But that's probably about 80% of where we start to see it express itself. Sometimes we purchase tooling specifically because it is AI-enabled or machine learning-enabled. For instance, if we're doing voiceovers on video production in multi-language, you might want to buy in some AI tooling to do either translation or voice acting, those kinds of things. Point use cases, feature creep in that, and then the larger companies are integrating it into their core product and workflow and business flow.
Are we finding that along with the enthusiasm for this technology there's appropriate budgeting happening as well?
I can only speak from personal experience, and we do have, generally, an R&D budget that we utilize, and some of it is going towards looking at AI. For me and my team personally, that's for efficiency gain in security tooling and security stance. On behalf of the organization, we are looking at some AI-based things and whether they would be a good fit. For us, yes, we've got a budget to do that.
One of the good suggestions I've heard, and I will jump on the same bandwagon, is you've got to start experimenting with these things, even if it's in the sandbox, to understand them, to understand how to deploy them and get the best out of them. I think it's a good practice that you should have some experimentation and change budgets around emerging technology, not just AI.
What are your recommendations then? For folks who have the responsibility of presenting to the board and managing that relationship, what are your words of wisdom here?
I said them at the head, but I'll reiterate them: speaking a language that they understand. That's the language of business, that's risk, reward, efficiency, those kinds of things rather than core technology. Be the good translator, I think, is number one. Number two, don't be the department of no, be the department of yes, maybe. That's a balancing act, so that would be that balancing act. Really, I think the third one is listen to what questions are going to come back and take them back. If you need a bit of decoding, take the time to do that as well, so that you can go back with the correct answer. Cybersecurity and business leadership is kind of a team game, and it requires all the players to understand each other and move forward. The headline is there are opportunities in technology, and we've just got to make sure it's a safe and secure way of exploiting those opportunities; we're not there to stop them.
Well, before I let you go, Jon, anything coming up on the calendar that our listeners can benefit from knowing about?
Yeah, sure. Hopefully, a lot of our listeners are members, and those who are not, do consider joining, but you can always join us at Security Congress, that's being held this year in Las Vegas in October. If you head on over to ISC2, there's an event scheduled there, and some of these topics will be discussed at that forum as well. Look forward to seeing you there.
That's our own Dave Bittner, speaking with Jon France.
And finally, in a move that might leave Pikachu shocked, a Belarusian defense official, Alexander Ilanov, claimed Pokémon GO was a sneaky tool of Western intelligence agencies. Appearing on local TV, Ilanov said the game's digital creatures conveniently popped up near military runways at the height of its popularity. While Pokémon GO had its share of privacy concerns and scammers, the idea of it being an intelligence tool has been widely debunked. Russia once called it a CIA scheme, and countries like Indonesia, Egypt, and China weren't fans either. Niantic, the game's developer, insists it follows local laws and does not spy on players, so no need to worry about Pikachu peeking into military bases. Still, military officials worldwide urge caution when sharing location data, whether you're catching Charmander or taking a jog near classified sites.
And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com.
Hey, CyberWire listeners, as we near the end of the year, it's the perfect time to reflect on your company's achievements and set new goals to boost your brand across the industry next year. And we'd love to help you achieve those goals. We have some unique end-of-year opportunities, complete with special incentives to launch 2024. So tell your marketing team to reach out. Send us a message to sales@thecyberwire.com or visit our website so we can connect about building a program to meet your goals.
We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
This episode was produced by Liz Stokes. Our mixer is me, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben.
Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher. And I'm Trey Hester, filling in for Dave Bittner. Thanks for listening. And rest assured that Mr. Bittner will be back on the mic tomorrow.
This September 18th and 19th in Denver, a tight community of leading experts is gathering to tackle the toughest cybersecurity challenges we face. It's happening at mWISE, the unique conference built by practitioners for practitioners. Brought to you by Mandiant, now part of Google Cloud, mWISE features one-to-one access with industry experts and fresh insights into the topics that matter most right now to frontline practitioners. Register early and save at mwise.io/cyberwire. That's mwise.io/cyberwire.