From Security Weekly Wiki

Recorded March 3, 2020 at G-Unit Studios in Rhode Island!

  • Doug White
    Cybersecurity professor, President of Secure Technology, and Security Weekly network host.
  • Jason Wood
    Threat hunter at CrowdStrike, penetration tester, sysadmin, and Founder of Paladin Security.
  • Security News

    Security Weekly News -- Week of 1 March 2020

    1. Tesla, SpaceX Parts Manufacturer Suffers a Data Breach due to DoppelPaymer.
    2. Maryland Court rules Digital Assets Damaged During Ransomware Attack are Covered.
    3. National Ink and Stitch, LLC v. State Auto Insurance Companies.
    4. U. S. Government Sanctions Two Chinese Nationals in Connection with Lazarus Group Money Laundering.
    5. The two were also named in a 250 Million hack of an unnamed Exchange.
    6. Swiss Government files Criminal Complaint over CIA/BND Crypto AG operation.
    7. Cruise Line Hack Exposes Personal and Financial Data.
    8. How Princess Cruise Ship will be Cleaned of Coronavirus.
    9. Shark Tank Judge almost loses 400k in a spearphishing email scam.
    10. Spotify Hacking: How has someone taken over my music?
    11. COVID-19, CDC Site
    12. Plague, Inc. removed from China's AppStore.

    Expert Commentary:

    Cyberattacks a Top Concern for Gov Workers

    Doug opened up this episode of Security Weekly News by talking about ransomware. It seems like we talk about ransomware every week. There’s a good reason for that. It’s because we do. And let’s face it, it’s in the news every week. Someone got hit with it and they are locked out of their data. They may pay the ransom, they may not, or they may go out of business. It’s in everyone’s awareness. IBM had a poll conducted on the cybersecurity concerns and awareness of state and local government employees. The poll was conducted from January 16 to February 3, 2020, which plays into one of the findings a bit.

    One of the interesting findings is that overall these employees have a higher level of concern about cyberattacks than they do about natural disasters, environmental disasters, terrorist attacks, disease outbreaks, and economic decline. At this point, I suspect the poll was taken prior to the current level of concern about the coronavirus. I’d be interested in seeing how much these numbers have changed. One thing that I noticed on this high-level finding is that the level of concern in these categories varies depending on the role an employee has in the organization. IT staff were far and away more concerned about security incidents than anything else. Conversely, while emergency personnel were concerned about these types of events, their highest concerns were natural disasters and terrorist attacks.

    IBM cites ransomware being in the news and local governments being targeted with ransomware as reasons for this higher level of concern. As I was reading up on topics for this week, I ran into articles on state governments being locked up with more ransomware. No surprise there, but I imagine these employees are feeling a bit targeted.

    I also thought it was interesting that with this concern level, 44% of employees said they have not received basic security training and 70% have not received what they feel is adequate training to respond to security attacks. Contrast that with the 66% of the people polled who said their employer is prepared for security incidents and the 74% who were confident in their ability to not fall prey to an attack. I’m assuming that would mean some kind of social engineering or phishing attack. My experience makes me feel that some folks are a bit overconfident in their judgement. These attacks are too widespread and successful to buy into that self-assessment. And I’ve conducted attacks that worked very well in organizations of all types.

    One of the thoughts I had as I read this last bit on training was that a good phish is going to create a sense of urgency, fear, or worry. That level of stress weakens our judgment and makes us more likely to make mistakes. In times of stress, people fall back on their previous experiences and training. Good training would make it more likely that someone would recognize the attack because they have the ability to fall back on that knowledge and experience on how to respond.

    I suspect most of our organizations would have similar findings if this poll was taken against them. Sure, this was a poll that will be used by IBM for marketing, but there’s still some useful information here. The catch is that we will need to be able to craft training that is actually realistic and useful. For example, I’ve seen phish training that is set up to not look too realistic or be too good. The organizations fear it could impede the legitimate flow of information in them. It’s good to be aware of this issue, but instead of weakening the training in a massive way, it would probably be better to figure out how to adjust the training to take that into account. Provide a way to give good feedback to the employee on where the signs were that a phish was a fake, and don’t make them fear for their employment for failing to recognize them immediately.

    If you would like to take a look at the poll results, I have them linked in the show notes for you. In the meantime, think about the security training your organization does and whether it could be improved, and where those improvements should be made.