Welcome to Cyber Security Today. This is the Week in Review for the week ending Friday, December 15th, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.
In a few minutes Terry Cutler of Montreal’s Cyology Labs will be here to discuss several stories from the past seven days. These include a U.K. Parliamentary report saying the country isn’t prepared for a targeted ransomware attack, North Korea’s Lazarus group is still exploiting the two-year old Log4j vulnerability and the latest on insider attacks in a jail sentencing and a U.S. Air Force report into data leaking by an Airman.
But before we get to the discussion on those stories, here’s other recent news that happened this week:
The United States and the U.K. issued sanctions against the Russian-based Callisto Group, which is accused not only of widespread cyber attacks but also of trying to undermine democratic processes in Britain.
The Edulog Parent Portal used by some school boards so parents could keep track of school buses had access control problems that impaired security. Researchers at Tenable said the vulnerability could have allowed anyone access to sensitive data. Edulog says it has fixed the issue in the portal’s API.
The outage at the AlphV/BlackCat ransomware gang’s data leak site is still unexplained. No law enforcement agency has acknowledged having a hand in the outage. However, on Thursday the gang managed to get a message out that it hit a Toronto business management firm. It claims 8TB of data was copied. The firm hasn’t replied to my email request for comment.
Microsoft has seized the U.S.-based websites and IT infrastructure of a gang it calls Storm-1152. It’s the number one creator and seller to crooks of fake Microsoft accounts. These accounts can be used to bypass identity verification software. However, the gang may have online distribution sites in other countries.
A number of data management products from Dell Technologies need to be patched. The company says its PowerProtect Data Domain, APEX Protection Storage and Data Manager Appliance servers need to be updated to fix serious vulnerabilities.
Police in France arrested a Russian man suspected of laundering funds for the Hive ransomware gang. More than a half a million euros worth of cryptocurrency was seized. The Hive network was dismantled in January.
The British Ministry of Defence has been fined the equivalent of almost $600,000 for making a common email mistake: Sending a mass email to many people and putting all their email addresses in the “To” section. The email addresses should have been sent as a blind copy. Instead, the names and details of 265 Afghans seeking admission to the United Kingdom were revealed. Had the list of names fallen into the hands of the Taliban their lives could have been threatened.
And Southern Illinois Healthcare is notifying over 147,000 patients of a data breach. The incident at its Harrisburg clinic happened 12 months ago. Data copied may have included names, dates of birth, Social Security numbers and clinical information.
(This edited transcript covers one of the four issues discussed. To hear the full conversation play the podcast)
Howard: How much should a government lead in the fight against ransomware?
A British Parliamentary National Security Strategy report on ransomware this week said because large parts of the U.K. critical infrastructure is vulnerable, a co-ordinated and targeted attack has the potential to cause severe damage to the British economy. The report says the government should consider establishing a national cyber resilience regulator for critical infrastructure, which would cover utilities, banks, telecommunications, transportation, agriculture and governments. The report complained firms hit by ransomware get next to no support from law enforcement or government agencies. At the very least the government National Cyber Security Centre should be funded to support all public sector victims — like municipalities and hospitals — to the point of full recovery. More critically the report complains that while the Home Office — which has responsibility for police departments among other things — is supposed to be the lead department on ransomware the former cabinet minister in charge, the Home Secretary, had no interest in it. The report says responsibility for ransomware should be in the hands of the Deputy Prime Minister.
This is pretty incendiary stuff. My first question is, is any country ready for what the report calls “a co-ordinated and targeted attack?”
Terry Cutler: There’s a lot to digest here, and not just because of the amount of sheer complexity that’s involved. There’s not just one group that handles everything [in a nation] so we have to have an advanced cyber security infrastructure that’s kept constantly up to date. And there would have to be collaboration between national and corporate levels. Just try to imagine the people involved in handling all this. You’ve got CISOs that are aging three years just in one company and they would probably lose 50 years of their life handling all this. So the biggest piece is going to be collaboration between government and the private sector. There’s got to be regular application updating, audits and penetration testing all the time, which we’re not seeing now with companies. And if they’re also to adhere to a stronger regulatory framework there’s got to be stronger laws in place — something like GDPR in Europe, where there has to be breach notifications to victims and government.
Howard: This year we’ve seen record reported ransomware attacks, which raises the question of can a country be ready for a co-ordinated and targeted ransomware attack that’s a worst-case scenario?
Terry: It’s going to come down to rapid response and detection. But we’re short staffed in cyber security. We’re 3 million personnel short worldwide. Not many of us want to work for the government, for example, because the pay is a lot less [than the private sector]. You have less flexibility with your schedule. All those factors come into place. I do agree there needs to be a specialized cyber security force that’s going to have the proper measures in place to help protect the country. There also needs to be collaboration with law enforcement because we can stop these attacks in certain ways, but we need to go to the source and shut these bad guys down.
Howard: I’ve asked this question many times before: This is 2023, ransomware is only a couple of years old and surely every company knows by now to be prepared for any cyber attack. So why aren’t critical infrastructure sectors ready now?
Terry: You still have a lot of legacy IT systems lying around, especially in healthcare. We’re still seeing Windows XP [in organizations], and they’re not designed to work with more modern technologies that are out there. But you can’t just mass update these things or replace them because it can be extremely expensive. Not only that, some operating systems are embedded into the technology. For example, in healthcare a radiology machine that can cost $200,000 may have Windows XP built right into the box. You can’t just update the firmware; you have to replace the entire equipment. And there are budget constraints. There’s not an infinite budget for cyber security, especially in the private sector. I think the biggest challenge, too, is that these threats are evolving so quickly that we need AI and other technologies to stop attacks.
…Human error is one of the biggest threats. Even if we do a lot of security awareness training one employee could have an off day. They click on something they’re not supposed to and it allows the hacker to get into their environment. We’re also dealing with supply chain issues like we saw with Solarwinds … There’s just too much complexity [in IT environments] and it’s very, very hard to protect them.
Howard: The report raises the question I think of how much of this falls on the shoulders of government. In Canada and the U.S. there are government agencies like the U.S. Cyber Security and Infrastructure Security Agency (CISA), the Canadian Center for Cyber Security. They’ve got resources that companies can draw on. And of course companies can rely on their major providers — Microsoft, IBM, Cisco Systems and so on. But it seems companies aren’t getting the message. One thing we know from investigations is that a lot of companies are still failing on basic cyber security. Why is that happening? Should governments be pushing on cyber security or should industry lead?
Terry: I think it should be industry-led because we’re on the front lines of seeing these attacks. We’re doing a lot of incident response, we’re collecting a lot of evidence of how these attacks are coming in … Government’s role is to be in charge of setting standards and regulations. You want to make sure that organizations comply and ensure some type of baseline-level security. Now of course smaller companies think no one’s going to want to hack them. But cybercriminals know they don’t have the time, money or resources to deal with cybersecurity, so it makes them the number one target. So they need help, even if it’s government grants or tax breaks, to help them get up-to-date [technology].
Government should also provide resources and guidance, like the CISA. They’re going to do some R and D. Of course governments need international co-operation. There’s also public awareness campaigns to promote safer online behavior.
If we look at the private sector’s responsibility, they’re going to be tasked with implementing these measures, having technologies in place to help protect the company. This will also involve continuous training and education … The private sector also can invest in cyber talent. I think the biggest takeaway here is collaboration. We need to be able to share the type of information that we’re seeing on the ground with the government and help them create proper frameworks.
Howard: The report raises the idea of the U.K. creating a new national cyber resilience regulator for critical infrastructure that would have the power to punish organizations that don’t meet a cyber security regulatory standard. What do you think about that idea in Canada or the U.S.?
Terry: It’s a really good idea. But a lot of companies will say they don’t have the time or budget. But if you have incentive programs like tax breaks that would probably help. There’s some pros and cons: Some of the benefits are they’re going to have a standardization of cyber security practices. A dedicated regulator could help enforce and standardize cybersecurity measures across all of these industries. At least there’s a baseline. There’ll be some accountability finally because we’re not seeing much of that right now. But you have regulatory complexity now … Cyber security is a global issue, so ensuring that regulators can align international norms and practices will be very, very difficult to do.
Howard: The Canadian government has proposed a cyber security law for overseeing critical infrastructure. It’s now before Parliament. One piece would give the Industry Minister the power to order telecommunications companies to take specific actions to secure the communications sector. The law would also create a cyber security compliance regime for all critical industries by using existing regulators like the Superintendent of Banks, who oversees the financial sector, and the Canadian Energy Regulator, which oversees inter-provincial utilities. So there wouldn’t be a need to create a new regulator. But these bodies would have the ability to issue fines for not meeting cyber security standards. Although the bill was introduced over a year ago it isn’t even at the committee discussion stage yet.
Terry: I remember presenting to the Conference Board of Canada back in 2013 about how much the telcos can see on the internet. One of the biggest problems is how do you defend against things that you don’t know or have never seen? This is where the telecommunication carriers come in, because they have the biggest visibility over the internet. And if you pair them with law enforcement, cyber criminals are going to have a fight on their hands. Bill C-26 has some benefits here. It’ll help improve cyber security defences, especially in critical infrastructure. It’ll give authority to the Industry Minister, and it’ll help protect against cyber threats for sure because right now telecommunications companies are not providing much cyber security on the back end.