Welcome to this week’s edition of the teiss magazine.
News from the front line
It’s rather depressing to learn that data leakage attacks grew by 93 percent in 2020. We have seen the supply chain targeted recently. Another example of this is seen with hackers lacing NoxPlayer updates with malware to target online gamers. In a separate incident, ShinyHunters has leaked the personal data of 2.3m MeetMindful users onto the dark web. Law enforcement is fighting back though so it isn’t all bad news. Emotet infrastructure has been taken down in a global law enforcement operation. Similarly, NetWalker infrastructure has been taken down by authorities in the U.S. and Bulgaria.
Plenty of security advice from our contributors this week. We have thoughts on how automation can help defenders beat the cyber threat odds. Why should the hackers be the only ones to use AI? We have advice on how to avoid damage caused by the communication gap between companies and their security vendors. And a warning: CIOs are massively underestimating SSH risks. It was Data Protection Day 2021 last week. We think that effective data protection must move up the business agenda, and rapidly. And it will help if organisations adopt a company culture of security and compliance. 5G is ramping up with security implications for everyone. We have some advice on managing the new security landscape of 5G, and beyond. And a question: can you accurately work out where your critical controls failed?
Leaks and hacks
Our weekly round up of some of the worst security lapses. An unsecured VIPGames elasticsearch server has leaked 23m records and 66k user profiles. And in a similar incident, the Pakistani delivery firm Bykea has exposed 400m records via an unsecured server. Separately, a ransomware attack has disrupted the services and web assets of the UK government organisation UK Research and Innovation (UKRI).
Good week for: The Metropolitan Police: The owner of SMS Bandits has been arrested by London’s police force for carrying out large-scale phishing scams.
Bad week for: Grindr: Dating site Grindr has been fined £8.45m by the Norwegian data watchdog for illegally selling user data.
Adam Brady at Illumio explores the new risks introduced by 5G and how the security and legal landscapes will change to manage them.
The telecoms industry has always been a fast-moving field, driven by rapidly evolving technology. Network operators must continually adapt their infrastructure and strategies to incorporate new technological developments – and the security and compliance challenges that come with them.
New technology can often represent a seismic shift in the way telecoms services are provided, enabling operators to provide faster connections over wider areas. This is particularly the case with 5G, the latest technical revolution in the sector.
While the average consumer will generally think of 5G as providing faster mobile download and streaming speeds, and the new technology can be as much as 20 times faster than a 4G connection, faster download speeds are only one facet of what the transition to 5G is providing.
The new technology is capable of delivering latency rates of just 1 millisecond, compared to the average 200 milliseconds seen in most 4G services. This has huge potential for fields such as internet of things (IoT) and operational technology (OT) where devices are operated remotely.
The low latency also means that many more devices can be connected to the same network in the same area, requiring far less energy. This means devices can operate for longer while also costing less to produce. Taken together, these advantages can transform the way many industries operate.
However, as with most technological advances, 5G is not without its drawbacks. Amidst all the bizarre conspiracy theories about COVID and mind control are some very real concerns about security. The telecoms companies constructing 5G infrastructure must contend with both potential new attack surfaces being exploited by threat actors, and internal threats with geopolitical motivations.
Perhaps more than any technical development before it, 5G is also forcing operators to keep up with a rapidly evolving regulatory landscape that is moving much faster than that which we normally see for technical laws.
What are the threats to 5G?
The most high-profile security concern around 5G has been the supply chain, particularly the potential for interference by foreign companies supplying equipment and infrastructure. The UK Telecoms Supply Chain Review Report published in July 2019 by the DCMS said that “the most significant cyber threat to the UK telecoms sector comes from states.”
While there have been concerns about several different vendors with ties to nation states, the most prominent example was the involvement of Chinese telecom giant Huawei, which had a large role in the initial development of the UK’s 5G infrastructure. There were widespread concerns that the company could establish secret backdoors that would allow the Chinese government to covertly access the network, conduct surveillance, and exploit it in hostile cyber activities.
Huawei was initially banned from involvement in the most sensitive core elements of the UK’s national 5G network, and the situation eventually escalated to the UK government banning the purchase of Huawei 5G equipment from 2021 onwards and committing to removing all existing technology from 5G networks by 2027. This will be a major priority for telco companies, and we are aware of several that are already underway with replacing their Huawei equipment.
Like all other forms of technical infrastructure, 5G networks will also be in the sights of cyber criminals. The most likely target will be the operators’ management layer, which confers a great deal of control over the network.
While the packet core is unlikely to be a direct target, lateral movement into the management layer and supporting services is a more realistic concern. The network as a whole is too big to attack head on, but attackers can compromise a machine at a network operator and move laterally to access the management layer. From there, an attacker will have a vast attack surface available to them.
One notable trait of the telecoms industry is that most operators tend to use very similar kinds of architecture and builds, whereas other entities such as banks tend to have very distinct infrastructure from each other. This can be quite advantageous when it comes to establishing interoperability between systems and an established security architecture.
It can also be a security weakness. The risk is that if threat actors discover a vulnerability in one operator’s infrastructure, they will potentially be able to exploit the same weakness in other organisations as well.
How does 5G security differ from 4G?
5G is not simply a faster version of 4G – it is a whole different technology. As well as performance, there are some fundamental shifts in security. This includes several improvements such as in-built end-to-end encryption with IMSI (International Mobile Subscriber). But there are also some new risks.
One of the biggest changes is that 5G enables devices to connect more directly to backbone applications and networks, whereas previous technology featured more intermediary layers . This is key to 5G’s transformative low latency. However this direct connectivity also means removing layers of obfuscation and security functions.
This new threat landscape is still largely theoretical. The true potential threats will probably not be understood until businesses have been using it for longer – and unfortunately potentially not until a landmark security breach has occurred.
5G has particularly strong applications for IoT and OT – two areas with their own distinct security challenges. IoT devices are often known to fall short on delivering adequate security, while OT systems often struggle with reconciling 30-year-old air-gapped industrial technology with digital cyber threats. 5G may exacerbate these risks and create new opportunities for threat actors.
The rapidly evolving legal landscape
Suitably enough for a technology that offers a revolution in speed, the legal and regulatory landscape around 5G is also moving at an unprecedented pace.
In November 2020, the DCMS published the Telecommunications (Security) Bill to establish a legislative framework suitable for keeping 5G infrastructure secure. Considering there was little by way of official guidance even three or four years ago, this is a remarkably fast turnaround for technical legislation.
The bill has a major focus on combating the risk of internal threats and backdoors. Telecoms operators must stop using equipment from high-risk vendors or face fines of up to ten percent of their turnover, or even as much as £100,000 a day for continuous contravention.
Other elements mandated by the bill include implementing secure design and maintenance for the sensitive equipment in the core of the network that handles how infrastructure is managed, as well as the implantation of effective access controls and regular security auditing.
Specific guidance has also been published in the Telecoms Security Requirement (TSR). The guidance draws on extensive research from the NCSC and lists comprehensive analysis of different threats and prescriptive advice on securing infrastructure. The process was also very interactive, and we are aware of telecoms clients that were provided with the chance to review drafts and feedback on language and processes.
What next for 5G?
We are now at the crucial phase where most operators’ 5G infrastructure is transitioning from build-and-design to real use. Most telecom companies are in a similar phase of productionising their networks.
Time will now tell how the interplay between security and risk introduced by 5G will work in the real world. Similarly, we will now wait and see if the new regulations and guidance have hit the mark and will withstand attention from threat actors.
We can expect lawmakers to act quickly to amend and adapt legal and regulatory powers as the situation develops. Telecoms operators will likewise need to be able to move rapidly to adapt their infrastructure as new laws – and threats – emerge.
Adam Brady is Director of Systems Engineering, EMEA at Illumio
Main image courtesy of iStockPhoto.com
Originally Aired: 4 February 2021 at 10 am
This episode is now available to view on-demand
Managing shadow IT is hard at the best of times. But when they move to the cloud, how can you manage the risks?
Shadow IT is IT that hasn’t been sanctioned by an organisation or services that are a subsidiary part of a sanctioned platform but were not evaluated and – and people assume they have been approved. Plug-ins and marketplace add-ons may be security or privacy risks.
People don’t use technology because they want to be insecure. They use it because they need to do something, and often they need to do it quickly because of the speed of innovation that is required in today’s world. And there is an age-old tension between rapid innovation and the need for organisations to remain secure.
One problem can be that developers use their own shadow technology to build things, perhaps a pricing system, with non-standard technology and without proper governance, meaning for instance that products can’t be updated if the developer leaves.
Security is often considered to be an insurance policy, a way of ensuring that businesses function effectively: businesses are there to make products that people want to buy. If security gets in the way of that, then its credibility, its importance, is diminished.
BYOD used to be considered as part of shadow IT. But today there are so many applications that can manage BYOD that it is really less of an issue although of course there can still be issues if it is not managed well.
Should IT be leading the push back of non-sanctioned tools?
These days, there is increasingly a need to do things quickly – “Just do it”! So if security is a function that says “No”, then people will find ways of working round it. So the role of security is to find ways that people can be secure when they are using new tools and systems or going into the cloud. Security needs to have visibility so they can manage threats, rather than stopping people from doing things.
Nowadays we have less control: it’s harder to put your arms round things when there are time pressures and when it is so easy to set a new digital system up and use it. So we need to look at new ways of collaborating. We need to communicate better. We need to focus on detection and resilience rather than prevention – because things will go wrong. And we need to protect the data, not just the system – defence in depth.
Risk acceptance and risk appetite need to be better understood. Decision-makers don’t often have much time to devote to understanding security: their focus will be o the business. We need to be able to support them in that.
How can businesses continue to innovate while maintaining security?
Security needs to be “shifted left” in the development process. It shouldn’t be the case that security reviews are done at the end of a project. Security needs to be integrated into every stage of the development process. For instance, when people are using open-source software, there should be a process where the software is scanned and identified as genuine before it is used. This should be done in a way that the developers don’t need to think about it, it’s just done for them.
One solution is to elevate the status of security professionals so that they have more credibility, more influence with senior decision-makers so that the security agenda is also elevated. However, we do need to guard against elevating it beyond the real day-to-day problems. It’s not just a strategic problem: it is a hands-on development problem. We need to make sure that the junior developers who are creating code and reusing software understand what the issues are.
Shifting security left involves explaining the big security picture to people – why security is important and what will go wrong for people if security fails, but at the same time explaining the practical results of ignoring a particular security protocol is ignored.
How can we future supply chains?
With development, it is inevitable that certain things will be bought in from a third party. As well as assessing whether the third party suppliers are secure, it is also important to understand what would happen if that particular item failed, and how resilient the development process would be.
It is relatively easy to understand whether something is secure at the moment. But risks may arise after we have half-assed something. In some ways, there is a danger that when we use third parties we are building a house of cards. This may be the case even when you are using very well established suppliers like Microsoft and Amazon. However, increasingly the problems that stem from cloud use is the customer’s fault. Businesses need to understand what data they are storing in the cloud for instance. And they need processes such as “least privilege” for access which enable access to change as people’s responsibilities change. In other words, as the development process progresses, the security implications also change and developers need to understand that. You can’t outsource the responsibility for security. Good governance is essential.
Session: The Changing Needs of the CISO: Moving From Hard Technical Skills to a Soft Skills Focus
Air Date: 2 February at 16.00
This episode is now available to view on-demand
How cyber professionals are moving from hard technical skills to a soft skills focus
With the migration to remote working and increased use of platforms like teams, the most successful companies have been those that were either already using cloud services or those that were at least planning for them. There are disadvantages to the cloud of course. People are not always good at whiteboarding where they have to draw with a mouse. And they miss face to face contact.
It’s important to take a new look at risks, however. If you feel that using, say, Zoom is a security threat then you need to consider whether the threat from hackers listening in to your conversations is greater than the risk to your organisation of having no conversation at all. In any case most communications platforms have improved security greatly.
In fact the pandemic has helped people to realise that the security profession is there to help make things work rather than preventing people from doing things.
Is the cybersecurity professions still battling to be seen as important by senior executives?
There is less of an emphasis on status and trust is now more important. The likable element, the soft skills - these are the things that organisations are looking for. Storytelling is also a key skill so that technical issues can be simply explained to senior non-professionals.
Previously, IT security was more autocratic. But technology has helped the profession to change and now there is a greater emphasis on bringing people with you. A sense of proportion is important: trying to frighten people is no longer a useful tactic. Instead aligning cybersecurity with the business case will be more effective.
Is imposter syndrome a big problem for the cybersecurity profession?
When things are quiet no one notices security – it’s just business as normal. But that’s true of most parts of business. Professional self-doubt is always there. Is that why security people blog frequently?
One issue is that people often talk about the good things but rarely talk about the security failures, especially their own failures. People need to realise that no one is perfect, that things don’t work all the time, and to accept that. The infosec industry is still a very young one but it is growing up. People are realising that luck, as well as hard work, play a part in career progression, as it does everywhere. Self-promotion isn’t always the best way forward.
And imposter syndrome isn’t always bad. It forces you to learn so you feel less of an imposter.
What sort of people are needed in cybersecurity?
Security teams need to be diverse with lots of different types of experience, not just technical. In the past CISOs were perfectionists and “badge gathers” who collected accreditations. But being a visionary and adding value to a business requires people to have a breadth of skills.
For example, negotiation, conflict management, writing skills – these are all useful skills to a degree for a security professional. A lot of technical people have found it difficult to accept this, although that’s changing now. For instance, we are always negotiating with the Board with colleagues or managing conflicting priorities. And when we are building teams or building careers we need good communication skills. Where do you get these skills? Not just from courses. You can get them anywhere even computer games!
Cyber professionals need to be able to bridge the gap between business and technology. You don’t need to know everything – but you need to know who to ask and who is credible. And this comes back to another skill – humility: leaders don’t need to know everything but they need to know who they can trust.
And while cyber professionals are in some ways becoming less technical, more focussed on people, boards are becoming more technical, especially as technology becomes part of what most organisations are selling.
Clients are also becoming more knowledgeable about technology and more curious and demanding about cybersecurity. They are making proactive demands which are also driving change and pulling security professionals further into the business.
Is the route into being a CISO going to change?
The main training partners will emphasise soft skills and influencing skills more in the future. If you want to be successful you need to persuade people to give you a budget or make changes. Security strategy will become more prominent in business and transformative strategies. This doesn’t mean CISOs have to be different but there will probably be different ways of developing the skills, different routes into the professions. However, we will always need to have several hats – strategist, technologist, guardian…
There are few qualifications that are 100% necessary as a job requirement. Being rigid in that way means that you will miss out on talent. Life experience and what you can bring to the role are more important. A lot of people do look for technical qualifications and they do open doors, but for many organisations they are less important than experience and personality, especially for leadership roles.
Every business is different and the CISO has to get the right balance for their organisation. For some technical skills will be more important. For others, it will be people skills. But for any organisation, passion and commitment are critical.
One of my squaddies shared an article with me this weekend that I feel compelled to share here because its subject – the malicious “insider threat” – tends to make leaders queasy. The article was written by David Roza for the website Task & Purpose on 26th January and titled (seriously!): ‘Delete all phones’ — How one man killed communications at an Air Force base for weeks. Kudos to the editor because that headline has made me laugh every time I’ve read it.
I’m only going to summarize the story since I want you to both read and share the original. In a nutshell, some years back, the military IT boffins at Whiteman AFB, Missouri hired a corporate contractor to run part of their voice systems network for them. In October 2017, one of the civilian company’s civilian contractors decided – for some reason – to destroy all of the base’s virtual phone records in their VOIP switch. This fellow took it upon himself to wilfully and maliciously scrag thousands of virtual phones, plunging the base into administrative chaos. Then … and this is, to me, the best part of the story … the saboteur just … stayed at his desk, He carried on working for an unknown number of days or weeks until the MPs nicked him.
You’d think that sort of criminal breach of trust would lead to the perpetrator getting fricasseed by a drone-delivered AGM-114R9X “flying ginsu” missile. Apparently, the base’s reaction wasn’t so creatively vindictive (although I daresay I can guess how the local comm squadron commander felt about it). Per the last paragraph in Mr. Roza’s article:
“The [accused’s plea]agreement does not specify why [the accused] triggered the command, but it did explain that his crimes have a maximum punishment of 10 years of imprisonment and a $250,000 fine. Instead, with the guilty plea, [the accused] agreed to a sentence of five years’ probation, no fine, $26,927.08 in restitution to the Air Force and a $200 special assessment. The court has the option of rejecting the plea agreement.”
That seems like an awfully good deal, considering
This fellow is guilty of violating privileged user ethics rules and sabotaging a comms system on a bomber base. Yeah, I can see the military “rejecting the plea agreement.” If nothing else, the next potential “rebel sysadmin” needs to consider what awful fate befell this bloke and reconsider their dastardly plan before pulling a similar stunt on their government employer’s crucial C4I systems.
All that being said, I’m absolutely fascinated by the fact that the saboteur didn’t immediately flee after committing his crime. I want to read the court psychiatrist’s records on this case. Saboteur dude did a sabotage, then stuck around like nothing hand happened! He kept processing work orders (or whatever his job was) for … hours? Days? Weeks? I suspect that a more rational criminal would have legged it just as soon as their caper was complete. What was this guy thinking?! He had to realize that getting caught would bring a world of hurt down on him. Abusing your privileged position and betraying your nation’s trust to disrupt critical comms for a freaking military base? That’s not the sort of “whoopsie!” moment that the military is known for laughing off.
This one, peculiar twist in the narrative stands out to me like one of those third act side comments from an episode of Vera that retroactively re-frames the entire narrative and shifts focus from the assumed suspect onto one of the minor background characters. There’s something about this odd, unexpected, atypical behaviour that I find captivating. If the saboteur’s objective was to inflict a coms outage, then why stick around after the deed was done. If the objective was to make a statement, then why not make one as soon as the attention-grabbing exploit was executed? If, instead, the objective was to keep getting paid as cushy government contractor gig, then why sabotage the bloody phone system in the first place?
Insider threat cases fascinate me. The psychopathology required to gamble away a fantastic opportunity and ruin your life for such small potential gain …
It’s maddening. It really is. We’re probably never going to know the fellow’s real motivations or thought process, so let’s make the best of what we do have: the internal sabotage of Whiteman AFB’s VOIP service can serve as a killer case study or tabletop exercise premise for Cyber Ops teams. It’ll make for great discussion fodder. Consider:
So many good questions. I imagine the After-Action Review from Whiteman has already addressed these questions and has meticulously reconstructed the event from square one. I’d adore getting to read it (just please don’t send me classified info, as I don’t have a U.S. security clearance anymore) (thanks).
For the record, I am not the least bit interested in trying to continue this column series from prison. I’m all for a healthy challenge, but … no thanks. I’ll pass.
Nonetheless, with a little adaptation, I encourage security departments everywhere to use variations of these same questions in a local exercise. Pick a system that a malicious insider could take offline with their elevated credentials and play through not just the immediate security incident, but the post-incident investigation as well. Challenge yourselves: can you accurately work out what really happened and where your critical controls failed?
Odds are, a rousing tabletop exercise might highlight a few of your team’s existing suboptimal security controls. Give you a change to apply some process improvement now, before they’re really needed. That might save your organisation a ton of downtime and drama if one of your own – God forbid – tries to pull off a “Whiteman Wipe.”
Author: Keil Hubert
Keil Hubert is the Head of Security Training and Awareness for OCC, the world’s largest equity derivatives clearing organization, headquartered in Chicago, Illinois. Prior to joining OCC, Keil has been a U.S. Army medical IT officer, a U.S.A.F. Cyberspace Operations officer, a small businessman, an author, and several different variations of commercial sector IT consultant.
Air Date: Tuesday 16th February 2021, 16:00 (GMT)
Denis Onuoha, Chief Information Security Officer, Arqiva
Daniela Somerscales, Chief Information Security Officer, ClearBank®
Tee Patel, vCISO, Iron Oak Security
Air Date: Thursday 18th February 2021, 10:00 (GMT)
Ben Aung, Executive Vice President & Global Chief Information Security Officer, Sage
John Rouffas, Chief Information Security Officer, Pharos Security
Craig McEwen, Chief Information Security Officer, Anglo American
Be sure to add these dates to your diary!