
A
From the CISO series, it's cybersecurity headlines. All right. Government shutdown furloughs most of CISA. That ain't good. DOD announces replacement for risk management framework and executive extortion attempt uses data allegedly stolen from Oracle's tool. It's going to be a crazy week, but these are some of the stories that we are basically covering here on cybersecurity headlines. And this is what the team has selected. I am your host for this week, Nick Espinoza. Basically, I run the Deep Dive nationally syndicated radio show for cybersecurity. So hopefully on an NPR and public radio affiliate near you. And let's get going because we are looking forward to some insight and some expertise. And you know him, Steve Zalewski, co-host of Defense in Depth. And Steve, thank you very much for joining me here this week.
B
Awesome. I'm looking forward to it, Nick. Going to be a great show.
A
Great, great. And our sponsor is Nudge Security. Secure the workforce edge. And interestingly enough, both Steve and I actually did a Security You Should Know edition with them a couple of months ago. So if you're listening to this show as a podcast, remember that next week you too can join us and our loyal band of vocal experts on YouTube live. Go to cisoseries.com, hit the events dropdown and look for the cybersecurity headlines week in review image. Just click and you can come hang out. So for those of you that are here with us right now, make sure you are contributing to the comments in the chat. We're gonna do our best to address those during the show. As always, it's always a fun time when we get feedback from the audience. And you can also send us feedback by email. We would love to know what you think of the show, providing you think it's good. If it's not, eh, send it anyway. David will read it. Drop us a line at feedback@cisoseries.com and as a disclaimer, David Spark is not going to pay our legal bills. So our opinions are our own. And with that, we've got about 20 minutes to dive right into this. So let's get cracking. So Steve, with that, before we basically drop into stuff, what do you think is the biggest story in cyber security this past week?
B
I would say the Asahi beer story.
A
Really? Really? That one. That one's kind of personal because, you know, cyber security brought to you by alcohol, the CISO's friend. So, so yeah, I'm with you there. That's a big one. We're going to dive into that one too. But we are going to start with Government Week here in the United States because our first story is simply that the government has been shut down. Right? And therefore they're furloughing most of CISA's staff. Roughly 35% of the agency's staff remains active. And the agency spokesperson, Marcy McCarthy, stated that, quote, while a government shutdown can disrupt federal operations, CISA will sustain essential functions and provide timely guidance to minimize disruptions, end quote. So CISA also said that they can recall more staff in the event of an emergency. But that really does beg the question, Steve. CISA says that they can recall this in an emergency. Right. But cyber incidents don't wait for political resolutions. You know, and I'm going to say this right now, cybersecurity is agnostic from politics, you know, but we're not immune from it here. Right? So how realistic is it to rely on emergency recalls in the face of fast moving threats like ransomware, state-sponsored attacks, et cetera, et cetera? I mean, my fear here, honestly, is that with private cybersecurity companies needing as many experienced people as they can get, CISA employees are never going to go back due to higher paying jobs that they can get. Right. The government doesn't pay nearly as well as Silicon Valley. And so, Steve, what do you think?
B
Okay, so you're touching on three things here. Fear, uncertainty and doubt. Right? Short term reality and long term potential consequence. So let me just kind of take it in order here for a minute. Right, which was, yes, CISA, like everybody else, got furloughed, but they still have about 900 people on the job. Okay. Out of the 2,500 that are there. So before we say, oh my goodness, we're not covered, 900 people is a fair number of people. And let's think about what they're doing at this point, which was, you and I as CISOs, we understand incident response, so stop working on the proactive stuff. We're going to keep those 900 people, we're going to put a moat around the government and the government services and we're going to hyper focus on protecting them and responding to consequence. Yes. So maybe on the commercial side, we're not going to be as quick to be able to talk to you about a potential incident because we don't have all the resources. But the crown jewels are protect the government. And they're going to do that with 900 people. Pretty sure we're going to be okay in the short term.
A
Okay.
B
Now the other part of that is that long term consequence. For a couple of days here, even if the bad guys decide to take advantage of us, those 900 people are going to be able to hold the fort. But what you talked about was a lot of people work for the government because they want to. Right. The CISA people believe it's important to protect the government. Right. They're firefighters, they know it's important. And we're taking those firefighters and saying we don't want you anymore. Over time, right, they may go somewhere else and it's very hard to find new people to come in. So I'd say for a week or so, in my opinion, we're going to be okay. If it starts to drag on, now those people that want to do the right thing are going to be forced to go somewhere else. So there is substantial potential long term consequence. But in the short term, I think we're going to be okay.
A
You know, I think my biggest fear on this one, if we're really talking about this, is to that point is going to be the burnout side of it. You know, we know that when cyber teams are understaffed and studies have shown just even in the private sector, CISOs complain. Well, I don't get the budget, I don't have the manpower, I can't do everything. So now you start retracting and prioritizing. But part of, you know, the secret sauce of CISA is that they have been proactive, they've been very good, you know, at committing to ISAC data and intelligence, all this kind of stuff. And if that starts to dry up, the critical industries and critical sectors of the United States, I think really start to kind of degrade in the sense of the quality of the intelligence that the government can give them. And so, you know, it's kind of one of those like a rising tide raises all boats situation, you know. But we're going to see, I mean, for all we know, there's going to be some kind of bill or continuing resolution and you know, by tonight, where, you know, everybody's back to work, you know, come get your overtime paychecks or whatever, or, or maybe, hey, we'll be talking about this three months from now and we might be drunk on this show by then.
B
Three months from now we're having this conversation. Yeah, I gotta tell you, it'll be a very different conversation. But in the short term, you know, the fear, uncertainty and doubt I want to take off the table. Yes, there's a lot of possibilities, Probabilities right now is give it for a few days, like you said, I think we're going to be okay. And so let's go ahead and let CISA focus on what they do the best is protecting critical infrastructure. Have faith in that. Let the ISACs and others do their job of sharing information and let's go ahead and let the system continue to operate because we do have that ability, like you said, for a few days to be able to hyper focus and then we're going to start to see burnout.
A
Right, right. And I'll just add that the last thing I ever want to see is cybersecurity getting defunded. And not because we're in this industry, but because it's beyond critical to the engine of the economy. Right. The engine of the economy is technology. I don't care if you're in construction or health care. Basically it builds the infrastructure to make sure the cars are running down the road. We are the early warning system on the car, we are the airbags, the seatbelt, you know, the locks on the doors, and if we're not there, somebody's getting hurt. So I think that's, that's, that's a rough one. But I think this also dovetails into our next story because apparently it's government week here on week in review because the DoD just announced a replacement for its risk management framework. And for the record, a big shout out here to Sean Kelly for bringing us this one. Because Sean, this is an awesome one, so thank you for that. The Department of Defense has unveiled a new five, five phase framework, excuse me, for assessing cyber risks on its networks. Named the Cyber Risk Management Construct. No more RMF. It has basically been designed to replace the older RMF or risk management framework, which is described as being, quote, overly reliant on static checklists and manual processes that fail to account for operational needs and cyber survivability requirements, end quote. So basically its key innovation seems to be shifting from a snapshot in time type assessment to more dynamic, automated, continuous risk management, all that kind of stuff. So it's enabling cyber defense at the speed of relevance, if you will, required for things like modern warfare. So Steve, again, I'm going to throw this to you. Obviously they're criticizing the old RMF, and I do love me some NIST 800 RMF, as being a checklist, right? Driven, you know, it's checklist driven, it's static and all of that. 
So in your view, how does this shift us to continuous automated risk management change? Basically, how does it change the culture of cybersecurity and defense. And do you think it's going to succeed where the RMF didn't?
B
So to me, this fundamental shift is an acknowledgment that for 30 years, our ability to expect that we can stop the attack by preventing it and by introducing enough process and friction and security controls that we shut down the gates to attack is not working so well. Okay, we're introducing efficiency, but the effectiveness at stopping the attack, we haven't reached what we thought we could do. This acknowledgement now is don't look at risk as a static exercise and put the controls in place. Right. And be able to prevent it. It's an appreciation that resiliency now has to be part of the conversation that we have to prevent, but that can't be our sole one egg, one basket. Resiliency is withstanding now. So managing our risk framework and our ability to take insurance policies against certain risks to the business, but not all, but then having defense in depth to understand what resiliency looks like to withstand attacks, not to try to prevent them and then have to recover when one happens. And I think this is huge for me because the framework now is acknowledging that we're moving to first line of defense, last line of defense, and evidence of defense as kind of our new mantra around how we establish a risk framework.
A
Right. And I think those are all good points. When I'm thinking about this, I'm thinking about all the tools and technology that we can be leveraging that a lot of organizations simply aren't. So, so think about how many organizations you've walked into or you've heard about that don't have like a SOAR running, right? Or even a SIEM, something along those lines that would dovetail with something that is a more proactive, you know, risk management. I mean, I've seen multiple risk registers that, oh, we have to update this thing, you know, and so, so I think to that point, yes, this becomes proactive. But I also think that, you know, we have multiple threats here, like, you know, AI driven attacks, supply chain compromises, you know, all these different kinds of things. Zero days as well. So are you thinking that this framework is going to be a better and more proactive way to start addressing these kinds of things, but essentially leveraging AI to figure out how the AI is going to hurt us. Right. What do you think?
B
Awesome. So we know how AI has been weaponized for offense, see it all the time, social engineering. The question is that I often ask the vendors, right, Is how are we weaponizing AI for defense? What does that look like. And what you called out here was static checklists and manual processes lend themselves to generative AI and agentic AI to be able to take those processes off of my plate as a human. Right. And be more efficient at the speed with which I can determine how to be effective at stopping the attack. Okay. Which means proactive now gets into near real time reactive and that is a form of offensive defense. And I think this risk posture and risk framework is acknowledging, right that we don't understand how AI is completely integrating into what it is. But it's an appreciation that if we don't weaponize for defense and we don't appreciate that resiliency as a component, we're going to be even further behind.
A
Right, right. And I think any framework that gives the flexibility for adaptation of new technology is definitely a leg up, right. That what we are seeing, I mean just it was in the last month or two PromptLock came out, fully AI driven ransomware campaign where I'm one of the criminal jerks of the world. I could just let this thing go to town and I make money sitting on a beach. I mean these are very serious issues and threats that we are seeing today. Not to mention all of the deep fakes that we're seeing in audio, video, everything else. So I think having a proactive new management system like the CSRMC is what they're calling it, not RMF anymore, I think is a good thing. And there's so much to talk about because quite frankly, not every organization really has, I think, a good risk management framework in general, whatever you want to call it. Which brings us to Oracle. So our next story is Oracle, basically executive extortion attempt uses data allegedly stolen through an Oracle tool. So incident responders at Mandiant and Google Threat Intelligence Group, and I think Mandiant is still owned by Google. Anywho, they have released a warning about hackers potentially connected to Clop, that's the ransomware gang, who are attempting to extort corporate executives by threatening to leak sensitive information they claim was stolen through the Oracle E-Business Suite. Basically, this is a platform that contains several applications to manage companies' finance, human resources and supply chain functions. The threat actors have already sent extortion emails to executives at quote unquote, numerous organizations. But Mandiant would not say how many of these companies may have been impacted or what information might have been stolen. And to me this kind of smacks of the whole Salesforce thing, you know, that we've been talking about for quite some time here. 
So Steve, the attackers here obviously they're claiming to have stolen this through the E-Business Suite by Oracle. So how realistic is this claim? And I think what responsibility do major vendors like Oracle, and Larry Ellison owns a Hawaiian island, so it's not like they don't have the cash, right? So what responsibility do they have when their widely used platforms are named in these kinds of attacks?
B
So there's two components of this, right? There is protect the brand and legal and regulatory consequence fines, okay, that Oracle's handling. The problem is every week some other major company is getting breached and so therefore the brand damage just isn't that sustained anymore. And so therefore customers just get used to it. Oracle this week it's Salesforce next week it's Levi Strauss the week after that, right? So that we as business to business consumers are simply saying, okay, so what now what? But what's interesting for me here is think of it as, all right, a hospital got breached, okay? And medical records got out and now I have the medical records of Steve and Nick, okay? So I can go try to go to the hospital and extract money from them, okay? But what I'm now doing is I'm really smart now. I'm going to all the people that I have their medical records and I'm going to extort them. This is just genius, right? I mean, they're just realizing how do I leverage that information, right, by simply saying, I have it and can I get you to pay up? So I think it's just a natural evolution of understanding the value of the data that they've compromised and how they can maximize the extortion potential by not going back to the source of the breach, but by going after all the people that have been breached. Genius, right?
A
I mean, and from my perspective, I'm looking at this as supply chain due diligence, right? If you're looking at Oracle, they've got a compliance page where they check every box up to FedRAMP High. So the issue that I've got is like, okay, great, I've done my due diligence, I've collected all the certs that they've got, so I know my business is safe. And here we go, right? I mean, look at LastPass and many of the other data breaches we've had, Salesforce included now. So I think this is a big issue. And to that point we all just have fatigue. Like how many times have I stayed at a Marriott and how many times have they gotten me breached, you know? So I think it's a big issue here. Yeah. And with that we've got way more to cover. But I want to go basically and have a word from our sponsor here, Nudge Security, because Nudge Security is pretty interesting. And here's the thing, your employees are signing up for new apps, sharing data and connecting tools together, often without anybody knowing. And obviously AI adoption is accelerating this trend. So what if you could continuously discover when people start using new apps or sharing data, then prompt them with security guidance right when and where they are working. So at Nudge Security, we call that securing the workforce edge. Instead of trying to control everything, which is pretty much impossible, we give IT and security teams the visibility they need and automation to guide employees towards secure behaviors. The result, your workforce stays productive, your data stays secure, and you can finally get some sleep at night. So please feel free to learn more at nudgesecurity.com, workforce edge. So with that, we just went from business to business with Oracle. We got to go to business to consumer. And this one, quite frankly, is personal because the Asahi Beer company just had a cyber attack and Japan is running out of booze. This ain't good. 
So the ransomware attack has brought on Japan's largest brewer, as I mentioned, Asahi, and it's basically brought them to their knees and left the company, country, excuse me, dry for days. Running out of its most popular beverage, Japan is reportedly facing an unprecedented shortage of the nation's most popular beer, Asahi Super Dry, following an announcement earlier this week that malicious hackers had forced Asahi Group Holdings to suspend production across nearly all of its domestic facilities. The ransomware attack disabled the company's ordering and delivery systems, bringing production to a standstill at most of its 30 factories and forcing Asahi to announce the postponement of 12 new product launches. This is torches and pitchforks at the hacker's door for me, for the record. So by virtue of that, I just mentioned it, they had to halt production at 30 factories, postpone product launches and all of that. So Steve, does this represent a shift where ransomware groups deliberately aim for maximum public disruption? What do you think that looks like in terms of an evolving playbook as we are seeing more sophisticated ransomware like every other week?
B
Good question. What I took away from this, and why I said at the start of the show I thought this was top of mind, is this is an example of what a nation state attack could look like as to appreciating what they're trying to do is impact the social fabric of a country. Okay, and here you go. So however many millions of people in Japan can't get their beer, okay, business to business impacts tens of thousands of people, having no beer on the shelves impacts millions and millions of consumers that they now see an actual consequence to an attack. If you think about operational technology, this is an example of why having to protect operational technology is so critical. Because here's a real case of what happens when we don't.
A
Yeah, yeah. And I'm going to add to that just for a second here, because that's...
B
What's happened in the UK with Co-op and all the retail stores got hit just a few weeks back. All of a sudden there's nothing on the shelves and people see just how serious this can be.
A
Yeah, yeah. Well, the Brits are known for stiff upper lip, right? So I think they'll be all right. So that said, this to me kind of smacks of basically just before the war in Ukraine. I mean, look at what Russian intelligence and cutouts were doing to try to destabilize the Ukrainian economy, the Ukrainian media, the Ukrainian government. If you can make people deaf and blind and angry and confused and afraid, then, yeah, I mean, and obviously we're talking about beer, but people like beer. And so do the Japanese, right? So. So I think this is a huge, huge issue with longitudinal consequences for all. And so with that, let's move on to the UK, stiff upper lip and all, because their Prime Minister is to unveil digital ID cards. Now, if you didn't know this, UK Prime Minister Keir Starmer is set to announce plans requiring all working adults to hold digital ID cards, dubbed Brit cards, as part of an effort to curb illegal migration. The proposal, which would need new legislation, has already drawn criticism from civil liberty groups and privacy groups as well. Downing Street argues the measure is essential to ensure those with legal rights can work, suggesting public opinion has shifted since Tony Blair's abandoned ID card initiative from the 2000s. So, to once again be clear, and I said it earlier in this show, cybersecurity is agnostic to politics, but we're not immune from it. And here we go. So, Steve, let's dive in. So Downing Street is basically framing this as a tool to ensure that only legal workers are employed. But digital systems can be hacked, right? They can be mismanaged. We've all seen that. So what are the biggest cybersecurity and implementation challenges the UK would face in rolling out these Brit cards to millions of their people on the island?
B
So the technology is understood. We have driver's licenses, we have federal IDs. The key, I think, is that fundamentally, people have no problem with the concept of it, they're afraid of how it can be abused by the government to be able to implement additional policies, one of which is immigration control. Right? There's just a whole bunch of people that fundamentally don't agree with that. And so they're blocking anything that can enable or support that capability. And so to me, when I look at this, I go, having an authoritative source of knowing who I am from a cybersecurity perspective is the foundation of security. Who has access to what. And having that authoritative source that I really know, Nick, that it's you, is a problem that's getting worse, not better, with all the digital identities and we talk about AI, okay, so the establishment of a federal ID is a great idea. Doing it to be able to enforce an immigration policy may not be the right best use case, but that's for the government to decide.
A
Right? Well, and, and to that point, civil liberties and privacy groups have been basically saying this is a tool for surveillance or for possible government overreach. I mean, given all the deep fake technology, for all you know, like I'm a 37 year old Kazakhstani woman right here talking to you, but I look like me, right? So, so what do you think the safeguards would be around something like this to basically ensure that, you know, this is not being tracked in a way that people don't like? If you have to install an app on your phone, you know you can turn on GPS, right? And so, so how would you assuage, essentially, as you think it's a good idea, you know, the rest of the population to say, hey, you know, I'm all on board for this, you should be drinking my Kool-Aid too, okay?
B
Now the logical answer is transparency, okay? The problem I see is with government. It's all of the folks that are simply looking for conspiracy theory, okay? They don't trust the government for a lot of good reasons. So if you don't fundamentally trust the government, how can you trust them to put a trusted identity in place that they're not going to abuse the privilege? And transparency is what we always say. But the naysayers and those that are conspiracy theorists are simply saying it's not what we see, it's what you're not seeing. Well, how do I address that concern given what we've done? To me, that's why when you said security is agnostic, security is a function to protect, okay? And enable. Using security and this ID gives us the ability to protect and enable. That's why it's good, like I said, for immigration. I don't have a good answer for all of the conspiracy theorists. Right. Because there's always this opportunity to say, it's not what I know. It's an implication that there's more unknown unknowns.
A
Fair enough, fair enough. And as somebody whose tinfoil hat game is pretty good, given my day job, you know, we do have to run that balance, balance between, you know, going absolute in the left field versus, you know, kind of being center. But also understanding conspiracies require actual evidence. Right. So. So I think that's, I think that's an important one. And with that, we are almost out of time. So, Steve, any thumbs up, face down, any face palms, not face down? What cyber security story or event would you say deserved either a thumbs up or a face palm this week? Which is what I meant to say, either in the, the stories we've talked about or something else that you, you heard in the world generally?
B
Sure. Face palm is the, the government shutdown with CISA. That's just a face palm. Right. You know what I mean? Like, guys, do you understand? It's a war. It's a war. Okay? It's not optional. Right. That's the face palm. Yeah. The thumbs up is the heads up, like I said, on the whole idea behind the beer, which is this is an example of what they're trying to accomplish in a way that it impacts the population to be able to appreciate why cybersecurity as a form of hygiene, brushing your teeth so that when you go to the dentist, you know what I mean, you don't have cavities. Well, this is us brushing the teeth so that you have your beer and don't impact your, you know, kind of social life. And so I go, that's the thumbs up for me because it's a great way for people to see why if it's not good enough security, then these are the types of consequences that you can see.
A
Right, right. And, and yeah, CISA was a huge one for me as well. I will dovetail with my own face palm on that. I also heard that they, the government, will no longer keep funding the Multi-State ISAC. And so that to me is another, like, what the hell are we doing here? You know, like that's, that's like, why would you do that? It's so critical to basically defense of local government. So it's a huge issue. But Steve Zalewski, thank you so much for your insights today. You're always amazing to hang out with and we should do it more. But where can people find you online?
B
Oh, I just tell everybody on LinkedIn. Okay, that is my address book. I respond to that. I just tell everybody, you're welcome to just look at me on LinkedIn and my obligation here. Pay it forward, pay it back. We're a village and we are trying to protect our businesses against the common enemy. Let's stay focused on that and do the best we can.
A
Right on. Absolutely, 100%. And you should go connect with Steve. Thank you very much to our sponsor today, Nudge Security, secure the workforce edge. Also, thank you to the audience today. We can't get to every comment and quite frankly, as the guest host, sorry, Rich, sorry about that one. And sorry, guys listening or watching this, but we deeply appreciate everybody here. It's always great to see familiar faces. On the Fridays I tune in as well. And so don't forget, you can always send us feedback. Please make it good for both me and Steve. But you can, you can hit us up at feedback@cisoseries.com and there you go. And so with that, I am Nick Espinoza. I am the basically host of the Deep Dive Security Show. It's nationally syndicated, hopefully on an NPR or public radio station near you. And remember, in the meantime, you can still get your daily news fix every single day via cybersecurity headlines. It's just six minutes of your time. Super, super important. And with that, thank you all for watching. Thank you all for listening. We'll see you next week. Take care. Cybersecurity headlines are available every weekday.
B
Head to cisoseries.com for the full stories behind the headlines.
Date: October 3, 2025
Host: Nick Espinoza (Deep Dive Security Show)
Guest: Steve Zalewski (Co-host, Defense in Depth)
Sponsor: Nudge Security
This episode dives into the turbulent week in cybersecurity, spotlighting the US government shutdown’s impact on CISA, the DoD’s pivot to a new risk management approach, extortion leveraging alleged Oracle data leaks, and a ransomware attack paralyzing Japan’s Asahi Beer. The hosts discuss both technical and policy ramifications, emphasizing the interplay of cybersecurity, government operations, and public resilience.
Summary:
A week marked by government dysfunction, a pivotal shift in defense risk management, vendor-driven extortion, and ransomware’s march into national culture (and beer), all anchored by recurring anxieties of resilience, burnout, and trust. The hosts inject candor, humor, and practical perspective, reminding us: cybersecurity is the invisible seatbelt of today’s society.