Equifax agonistes. Kaspersky denies his company's a security risk. Political database for sale found exposed. Trolling the DCI.

Dave Bittner: [00:00:01:07] The CyberWire Podcast is made possible in part by listeners like you, who contribute to our Patreon page. You can learn more at patreon.com/thecyberwire.

Dave Bittner: [00:00:13:24] Equifax continues to struggle in the quicksand of wayward patching and clumsy incident response. Congress, the FTC, the CFPB and DoNotPay are all taking an interest. Another database, this one for sale to political campaigns, is found and Alaska voters are affected. Kaspersky says his company is a bystander that's been hit on the Russo-American political crossfire. The US Navy continues to investigate the USS McCain collision and Harvard decides Manning won't be a Kennedy School Fellow after all.

Dave Bittner: [00:00:50:19] Time to take a moment to tell you about our sponsor, Recorded Future, the real-time threat intelligence company. Recorded Future's patented technology continuously analyzes the entire web to give cybersecurity analysts unmatched insight into emerging threats. We read their dailies at the CyberWire and you can too. Sign up for Recorded Future's cyber daily email to get the top trending technical indicators crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and much more. Subscribe today and stay ahead of the cyber attacks. They watch the web so you can have time to think and make the best decisions possible for your enterprises security. Go to recordedfuture.com/intel to subscribe for free threat intelligence updates from Recorded Future. It's timely, it's solid and it's on the money. And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:50:12] Major funding for the CyberWire Podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Friday, September 15th, 2017.

Dave Bittner: [00:02:00:14] The Equifax breach grows progressively uglier as the company confirms that a known but unpatched Apache Struts vulnerability lies at the root of the data theft it disclosed last week. The patch isn't an easy one to apply, doing so would require rebuilding buggy Struts versions and testing them to ensure that the fix doesn't harm any necessary functionality, but observers tend to think that a well-resourced organization dependent upon the security of the data it holds, should have been able to manage.

Dave Bittner: [00:02:30:15] General outrage continues to mount, as Equifax's incident response and consequent consumer service have not impressed the millions of people affected by the hack. People complain of having been unable to get help freezing their credit when they've phoned the company. Those who've reached the credit freeze pages of Equifax's website report a variety of glitches and security problems. Some people had difficulty uploading the documents necessary to prove their identity and, post-breach, were queasy about giving the credit bureau any more data. One complaint said the screen that was supposed to display the PIN that would enable you to unfreeze your credit simply went blank, thus leaving one with, apparently, a permanently frozen account. Another got the PIN, but noticed that instead of being randomly generated, it was simply a numerical representation of the date. That's of course an easy PIN to guess. People also have their noses out of joint about the company's having charged them for imposing a freeze. Equifax decided late Wednesday to waive those fees and has indicated that people who paid them can have a refund. No word yet on how many disgruntled customers are turning to the robolawyers of DoNotPay for representation in small claims court, but people aren't happy.

Dave Bittner: [00:03:43:12] Many are calling for regulations to prevent another breach of this magnitude. Security expert, Bruce Schneier, for one thinks this isn't the sort of problem for which there's a market solution. The market is good at solving problems between buyers and sellers, but that's not what's going on in this case. We've spoken of consumer data and consumer service as opposed to customer data and service, because the people affected by the breach aren't Equifax customers. They are, as Schneier puts it, Equifax's product, or, more precisely, information about them is Equifax's product. Equifax's customers are businesses engaged in assessing the kind of credit risk individuals they might do business with pose.

Dave Bittner: [00:04:25:06] The Federal Trade Commission has, as expected, opened an investigation into the incident, and that's not good news for Equifax, as the FTC is notoriously one of the more aggressive and punitive regulatory bodies in the US Federal landscape. It's unusual for the FTC to announce that it's begun an investigation. The Consumer Financial Protection Bureau has also begun its own investigation.

Dave Bittner: [00:04:49:10] There's another problem with a misconfigured cloud database. This one, a CouchDB database, was found openly accessible on the web, not even a password needed, where it stayed until it was secured and taken offline Monday. Discovered by security researchers at Kromtech, which has been finding a lot of these, lately, the database was compiled by TargetSmart, a political campaign data broker. The compromised information includes name, address, date of birth, ethnicity, marital status, voting preferences, political issues and causes an individual might be lobbied on, the ages of a person's children, if any, household income, and whether or not the voter is a homeowner. TargetSmart says it's not to blame, a third-party that licensed some of the data from TargetSmart, Equals3, is the outfit that exposed the information.

Dave Bittner: [00:05:38:18] Returning to Congress, another executive who will be testifying there under challenging, but possibly less hostile conditions, is Eugene Kaspersky. The Russian-based security software company that bears his name was, this week, the subject of a Binding Operational Directive from the Department of Homeland Security giving the Executive Branch as a whole, and remember, that's the really big branch of the Federal Government, ninety days to find any Kaspersky software they may have and get it off their networks. This follows months of quiet FBI warnings, removal of Kaspersky from some Federal contracting vehicles, and the decision by Best Buy to no longer carry Kaspersky's consumer and small business security tools.

Dave Bittner: [00:06:20:20] The DHS Directive is based on its assessment that the Russian company poses a risk, the text of the directive is brief and terse, but it emphasizes that Russian law requires Russian companies to cooperate as directed with Russian intelligence and security services. Kaspersky himself says the hostile scrutiny he's received is unwarranted, and that he's simply caught in the crossfire of a Russo-American geopolitical shootout.

Dave Bittner: [00:06:46:18] The US Navy has dispatched a cyber investigation team to look into the USS McCain's collision with a merchant ship near Singapore. No evidence of hacking is so far known, but absence of evidence isn't, yet, being taken as evidence of absence.

Dave Bittner: [00:07:02:17] WikiLeaks is doing some trolling of US DCI Pompeo over Pompeo's complaint to Harvard that the university's offer of a Kennedy School fellowship to, Chelsea Manning, disgracefully honored someone who betrayed the US and the warrior ethos. WikiLeaks’ Assange thinks the outrage is selective. Harvard has since rescinded the offer, the withdrawal accompanied by a statement from the Dean that it didn't realize a fellowship would be perceived as an honor. Assange's trolling gets some enthusiastic meta-trolling from RT, the news organization formerly known as Russia Today.

Dave Bittner: [00:07:42:13] Time to share some news from our sponsor, Cylance. Cylance has integrated it's artificially intelligent, Cylance Protect Engine, into VirusTotal. You'll know VirusTotal is the free online service that analyzes files and URLs to identify viruses, worms, trojans and the other kinds of badness, antivirus engines and website scanners pick up. Well, Cylance has pledged to help VirusTotal in it's mission of making the security industry more perceptive and the internet a safer place. It's like public help for cyberspace, free tools and services help keep everyone's risk down. Cylance sees their predictive approach to security as a contribution to the fight against cyber attacks and they're now fully integrated as one of the analysis engines available in VirusTotal. Visit Cylance.com and look at their blog for more on their contribution to our online immune system. And we thank Cylance for sponsoring our show.

Dave Bittner: [00:08:42:09] And, joining me once again is, Justin Harvey, he's the global incident response leader at Accenture. Justin, welcome back, we want to take a little different approach to things today. We want to take a look behind the scenes, share a day in the life of an incident response team. What can you tell us about that?

Justin Harvey: [00:08:59:18] Well, a there are some similarities between working as an incident responder for a major corporation under the government and working as an incident responder for Accenture, for a consulting organization. The similarities are that both of the roles, both consulting and a corporate-based role, are focused on responding to the latest threats that organizations face. An incident response job is stressful, it is moving from one cyber incident to another. How should I put this? They're a skilled trade, meaning it's much like detectives for a police department, whereas you don't see very many rookie detectives, you see detectives who have spent, five, ten, 15, 20 years as beat cops and they move to be a detective, and it's the same thing with incident response. It's very difficult to go out and get the necessary training without having a lot of experience under your belt.

Justin Harvey: [00:10:08:00] One of the true differences between doing incident response for a company versus a consulting company is that you're exposed to many more environments, and you really don't know what you're getting into from a consulting angle. Both of these types of roles, regardless of who you work for, you always have to be prepared to respond to basically any type of incident. I'm not sure if you know this, but, all incidents happen on Fridays, after five o'clock, before a three day weekend, so. Incident responders have to be very agile or they have to be flexible from their time perspective; many weekends are spent working on problems. Then the last thing I would say would be, not all of us, or not all incident responders, are always working on an incident. So, you have to fill your time with activities that are either increasing your knowledge of the threats that are out there or doing threat hunting, essentially looking for the next incident to respond to.

Dave Bittner: [00:11:15:14] Yes, I was going to ask you about that, is it purely reactive? Or, is there a proactive side to it as well?

Justin Harvey: [00:11:21:05] Yes, the, the proactive side to incident response is threat hunting, and it is a great means of operating what we call in a continuous response manner. Meaning, if we are to embrace the adage, breaches are inevitable, then organizations need to get better and faster at finding the next incident or the next breach. Therefore, the incident response team has the necessary skills, they've got the access and they also have the methodology in order to find those threats. A threat hunt program could be searching for anomalies or suspicious activity within a SIM, it could be taking the latest anomalies or suspicious indicators, a compromise, from open source intelligence or closed source intelligence and scanning your organization's end points. Or it could just simply be working through the existing caseload and looking for the stuff that doesn't add up.

Dave Bittner: [00:12:22:14] Alright, it's interesting stuff, it takes a special certain kind of personality I guess to succeed, to thrive as a member of an incident response team, but glad you guys are out there. Justin Harvey, thanks for joining us.

Dave Bittner: [00:12:38:12] Now, a word about our sponsor, the upcoming cybersecurity conference for executives. The Johns Hopkins University Information Security Institute and COMPASS Cyber Security will host the event on Tuesday, September 19th in Baltimore, Maryland, on the Johns Hopkins Homewood Campus. The theme this year is emerging global cyber threats and the conference will feature discussions with thought leaders across a variety of sectors. You can find out more and register at thecyberwire.com/jhucompass. Learn more about the current and emerging cybersecurity threats to organizations and how executives can better protect their enterprises data. Speakers include cyber lawyer, Howard Feldman; IoT engineering expert, Dr. Kevin Kornegay, and healthcare data security thought leader, Robert Wood. You can find out more at thecyberwire.com/jhucompass. And we thank the Cyber Security Conference for Executives for sponsoring our show.

Dave Bittner: [00:13:43:20] My guest today is Luke Beeson, he's the vice president for security in the UK and continental Europe at BT in London. Leading a team who delivers their cybersecurity services to customers, while protecting BT's own systems as well. We began our conversation discussing the challenges a large organization like BT faces when it comes to protecting themselves and their clients.

Luke Beeson: [00:14:05:10] When you're a company with over 100,000 employees, you're operating across 180 countries, remaining nimble, keeping agile, can be difficult. One, one of the things we've done, which has helped greatly, is we've tried to embrace new technology and we've done that through something called our cyber assessment lab. We have a team of people in our research and development center here in the UK in Ipswich, and they are constantly testing and evaluating new security technology, which we're bringing that to play in BT when we deem it appropriate and when we think the technology has reached the maturity level that we can deploy it. From a technology perspective, that's what we're doing. But we're too quick to talk about technology in security, so we should also talk about people. From a people perspective we're investing heavily in bringing in new recruits, specifically, new apprentices. That's school leavers, who have an aptitude and a way of thinking that we think fits well in cybersecurity and also graduates, fresh graduates.

Luke Beeson: [00:15:11:14] So, we're, we're starting to very much build our own human intelligence and human capability. I think it's really important that we focus on the people side of security as much as we do on the technology side, because, ultimately, this is a people problem and we need people to help solve it. A focus on new intake and improving the skill set is really important as well.

Luke Beeson: [00:15:33:09] If we made cars in the same way that we made cars 100 years ago, for sure, we'd have a skills shortage of car makers but what we've done, of course, is we've evolved how we make cars and actually, we've introduced a lot of automation and robotics and we don't need so many people to make cars. The skills shortage that we all talk about in the security domain no doubt is a problem, particularly at the very high end of the skill set, but I do believe that a combination of upskilling of existing resource and better orchestration and automation as we described earlier, probably, ultimately, holds the answer. I don't think, necessarily the answer is getting hundreds and hundreds and thousands and thousands of more people doing computer science degrees, as much as I'd love that to happen, I think it's probably a combination of that and needing more orchestration and automation.

Dave Bittner: [00:16:20:10] How do you, personally, prioritize your responses to the various indicators that come in? When your team comes to you and says, "these are the things that are happening in our network to our customers", what's your process for choosing what demands your immediate attention?

Luke Beeson: [00:16:37:12] Yes, for us and for our customers, we would go through a process of understanding the critical assets and, invariably, the information security that's applications. We would use that as a taxonomy to then prioritize indicators. For example, if we saw a significant threat against our BT Sport platform and there was about to be a live soccer match on, we would jump on that right away. It's a combination of operational imperatives and understanding what your critical assets are and using that to prioritize the indicators. And we do exactly the same with our customers, so, we'd sit down with our customers for a day or longer if it was required, to really understand what it is that's crucial to keep their business running and then if we start to see threats or indicators against those particular assets.

Dave Bittner: [00:17:31:05] From the vantage point that you have with BT what, sort of, advice would you give for those who are out there fighting the good fight every day, trying to protect themselves and their customers?

Luke Beeson: [00:17:46:23] I think, and this might sound counterintuitive, but I would urge people to try to achieve simplicity. I think, in the security domain, we are very good at over complicating situations and granted, sometimes it can be very complicated, but in my experience, keeping things very simple, focusing in on your most critical assets, being very clear about the impact from any particular incidents, so that it gets a proportionate response and really bringing things down to their core components to keep them simple and keep it in the language of the organization that you're working within, so it makes sense. We always talk about security, or cybersecurity, being a border level agenda item, well, it might well be, but if we're speaking a different language to the board then we're going to quite quickly get out of alignment. I think it's about simplicity, it's about speaking the language of the organization that you're working in and it's about focusing in on outcomes to make the organization more secure.

Dave Bittner: [00:18:48:11] Our thanks to Luke Beeson for joining us and thanks to Joel Hare from BT for coordinating the call from the other side of the pond. You can hear more of my conversation with Luke Beeson on an upcoming episode of the Recorded Future Podcast, that'll post this coming Monday. Among the topics we discuss is the affect the upcoming GDPR regulations may have on BT and other organizations around the world. So do check that out.

Dave Bittner: [00:19:16:20] And that's the CyberWire. Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you through the use of artificial intelligence, check out cylance.com

Dave Bittner: [00:19:29:16] The CyberWire podcast is produced by Pratt Street Media, our editor is John Petrik. Social media editor is Jennifer Eiben, technical editor is Chris Russell, executive editor is Peter Kilpe and I'm Dave Bittner. Have a great weekend. Thanks for listening.