
In this episode of the cybersecurity month-end review, host Jim Love is joined by Daina Proctor from IBM in Ottawa, Randy Rose from The Center for Internet Security from Saratoga Springs, and David Shipley, CEO of Beauceron Security from Fredericton....
Jim Love
This is our Cybersecurity Today Month End in review panel. We have Dana Proctor with us from Ottawa.
David Shipley
Right, pleasure.
Jim Love
We have a new guest, Randy Rose from the Center for Internet Security. And Randy is from Saratoga Springs. Doesn't that sound nice? Saratoga Springs, New York. Welcome.
Randy Rose
Thank you.
Jim Love
And the old familiar. And we got David Shipley. They're all familiar. Yeah, we got David Shipley. He's always here. We've got David Shipley from Fredericton. And David, by the way, has started doing the Monday morning Cybersecurity Today newscast. And it's been a while since I've just been able to wake up on Monday morning and listen in. What a treat. And we have me, Jim Love, from the heart of Haliburton County, the heart of the ice storm. We don't have power here yet. We're hoping any day now.
David Shipley
That's crazy, Jim.
Randy Rose
That's horrible.
Jim Love
Yeah. So it's. So this has been our. This is our month in review show. And as all of the people in the audience know, we bring some stories and we talk about them and try and find some insights into them. And generally it's a good opportunity for us to get together and share information as well. And as you were saying, Dana, just before we went on air, this was pretty easy pickings. There's. There's not easy pickings. There's a lot of opportunity out there for stories that people go, oh, wow. So shall we start?
Dana Proctor
Let's go.
Jim Love
Okay, David, you brought the first one. And this was Oracle. I'll let you, you lead with this one. This was fantastic. This was. We'll start with a little bit of humor here.
David Shipley
Gather around the fireplace, kids, for stories of how not to do incident communications. Listen, breaches happen. They happen even to the big kids. Microsoft's been hit, security companies have been hit. People get hit. It's important to be honest when it happens because the speculation, the rumor mill, The Register, savage headlines on the Reg, they're just not worth dancing around. I know we live in the era where we call ransomware an unauthorized penetration test that our backups failed to respond to or some other bureaucratic speech. But man, like now we're at the point where Oracle Cloud wasn't hacked. It was Oracle Cloud Classic. Like Coca-Cola gets away with the Coca-Cola and the Coca-Cola Classic.
Jim Love
Come on now, this is a long intro here, Dave. Story is, a group said that they'd hacked Oracle. Oracle denied it. The group said, hold my beer. And they said to BleepingComputer, I think it was, here's, here's how you can get on and see a message on the Oracle server. I'm going to go put one there for you now. And they went, whoa. Now, Oracle, being the transparent organization they said they were, said, no, this isn't happening. And then I think the whole story broke and it is quite obvious that something happened there.
David Shipley
And let's be clear, at this point, I feel like Sesame Street, which is still on the air despite cuts that are coming to NPR and, and other things in the United States, I feel like the Count. It's not one breach, it's two breaches. Because it's Oracle Cloud Classic. And privately, some of their healthcare clients are getting notifications. This thing is just metastasizing. And what's hilarious is, so they say we weren't hacked. Then the hacker goes, hold my beer. Then they say it was Oracle Cloud Classic and it's only stuff from 2017. The hacker goes, here's some records from 2024. So, guys, like, stop bleeding. And if we're going to use memes as visualization, there's this classic scene from The Simpsons where the kid is crying. He's. Stop hitting him. He's already dead. I'm starting to feel bad for you guys now. I've gone on this whole emotional journey where I was like, oh, my God, you've been breached.
Randy Rose
To.
David Shipley
I can't believe you're not communicating it to. Oh, everyone's just including myself. We're just part of this train now. Of. What are you doing?
Jim Love
So Dana knows what's happening here, Randy. But David's also our culture critic.
Randy Rose
Sounds like it.
Jim Love
But the issue comes up and it comes up again. And I've almost been wondering whether I'm too cynical or sometimes I come across that way. Because I get these things in stories where I read corporate communication and I just start calling it the blah, blah, blah, blah, blah. Maybe we can get by with that in companies, but in cybersecurity, if you're not candid, I know it hurts, but if you're not candid and open, you're gonna have more pain in the long run than you do by just putting this out. I still remember the big hacks that have happened where people have come straight out and said, we got hacked. It happens. Here's. We're looking at it, we're dealing with it. We'll give you as much information as we know and that happens. And those companies come back.
Dana Proctor
Yeah, I think you're hitting on such a great point there. And I think any of us that do any type of simulation will be talking about a good holding statement. A good holding statement doesn't involve smoke and mirrors. A good holding statement doesn't involve inaccurate information. If you don't know, don't say. But yeah, Incident Management 101, to your point, David, don't say things that aren't true and work with your comms team on a better holding statement. And if you don't know, don't say anything until you do. I'd lean this out into 23andMe. A lot of their bankruptcy is certainly being attributed to the breach that they had and the privacy concerns. I know we can talk more on that because this was a softball of a month to pick which ones to review, Jim. But very much they. Breaches do have a way of bringing our businesses, if not our future trajectory, down significantly.
Jim Love
Yeah. And Randy, what about when you're advising clients and when your organization is talking to people? And just to introduce you, Randy, you work for the Center for Internet Security and it deals with a lot of not-for-profits, but I guess agencies and public sector organizations in the US, and obviously when we met the first time we were talking about the school hack.
Randy Rose
Oh, you're talking about PowerSchool. Yeah, the PowerSchool.
Jim Love
A lot of schools had to come up and get information out to say by the way, your kids information is out there. That can't be pleasant.
Randy Rose
No, I think Dana hit on a really good point, which is the communications piece of it. Really, at the end of the day, there's two issues here with Oracle, right? There's the data breach, right. So there's obviously some controls concerns, right. They didn't have proper controls in place and that led to a breach. And that's one issue because you're dealing with a breach of data. And the whole other issue is how you communicate about it. And it's not. The irony's not lost on me that as an IT organization your role is communications, right? That's what you do, you provide communications. It's digital communications, but it's communications no less. And then you fail miserably at communicating what's actually going on in the organization. I think these are two wildly different skill sets, but they're, you can't, they're inextricably linked together. When there's a breach, you have to be able to communicate about it. And I love that. The US Navy aviation community has a wonderful three step crisis action plan, which is aviate, navigate, communicate, and you think about the kind of crises they deal with. They are in planes, right? They're these, they're flying aircraft. When they have a crisis, you're talking about a threat to life and safety. So their number one concern is keeping the plane in the air. Aviate. Right. Their second concern is where am I and where am I going and can I get there? So that's the navigate piece. And it's only after they know I can keep the plane in the air and I have an idea where I am. Like, am I in enemy territory or not? Can I get back to the aircraft carrier or not? Or can I land this thing safely? Only after they figure those things out do they communicate what's going on. And I think that's something that we fail in cyber to simplify our processes, right. When there's a breach, understand what it is, what's going on, who's impacted, how do we resolve that issue? 
And then when we have those key pieces, we don't have to know everything, but we just need to know the key pieces to communicate effectively. I think it's something that some organizations do really well and a lot of organizations just fail miserably.
David Shipley
And I think when it comes to that, it's always dangerous in this business to live in our digital houses and throw our rocks and realize that our house is made of glass as well. And my criticism is not that a large global provider got breached. Man, this is hard. It happens. I think my criticism is that I'm becoming deeply concerned. Their ability to do exactly what you just said, Randy, is I don't think they can fly the plane. I don't think they know what's going on. And that, to me, I think could be more damaging than just, yep, something's happening. We're investigating it. More details to follow and communicating clearly to what Dana was saying. But the almost circus show, and I've had just about enough I can handle of clown and circus shows right now for a lifetime. I don't need to see this in the IT world. Politics has got the market cornered.
Dana Proctor
Yeah, it is disheartening, isn't it, that how they've responded to it and how they've repeatedly doubled down has been more disturbing. And it does then speak to your point, Randy, of did they have the controls? Were they aware? Are they flying the proverbial plane? And that's a concerning aspect. And I think a lot of our trust in the Oracle brand has been corroded because of their behaviors.
Jim Love
When you lose trust, you lose everything in a company. And yet some companies like I said, come back. And they build that trust.
David Shipley
The irony of a breach, is it even, like, things that were not cyber attacks, but were IT incidents? So, CrowdStrike, if you show that you've learned from it. I actually had a number of people who are like, yeah, we renewed our contract with CrowdStrike, or we became a CrowdStrike customer, because they've clearly learned their lesson. And so you can actually rebuild trust through an incident. It's not ideal. It's not the great way to do it, but you can. But there's a way to do it, and there's a way not to do it. Yeah.
Jim Love
Speaking of denial, making people dig deeper, I did a story on the Signal group chat this month, and the basis of that was a number of people in the US government were communicating using what they thought was an encrypted app. And I didn't. This. I didn't make this a political story. It was a practical story for what we think. And that is, oh, we're on Signal. That's fine. We've got an encrypted communication there. Yeah. Only you got to make sure you don't invite the wrong people to that or that people can't get control of your phone, because it's great to have an encrypted app, but how do you hear the words and see the words in English? Your phone can decrypt this information, so anybody in that chat can hear everything now. So we went to that first piece of it and then absolute denial. This was not confident. Talk about another communication error. This was not. This was not highly secure information. Why? Because. Because I'm the Secretary of Defense and I. Can I say what's classified and what's not? This is not classified. And everybody goes, that's semantics. We all know. So people dig deeper into the story, and of course they dug deeper. And there have been at least 20 Signal group chats that they've held around the world on various things. And by the way, while they're traveling. And how do I know that? Because one of the people from that call, the famous call, was in Moscow at the time. And if you tell me you're carrying a phone in Moscow and it's not been intercepted or been hacked, then I'm going to tell you, you don't know what you're thinking. There's no way that a device wanders around the city of Moscow with all of those cybersecurity experts that Moscow has, and they don't break that device. Just. I find that impossible. And by the way, we all know they're micing your hotel room and all that sort of thing too. But anyway, that's the political story, but not the politics of it. 
It's this idea of we fall in love with an app or some process that we've got and then we stop thinking about all of the things that go around it. Did anybody else find that sort of insight to that story?
David Shipley
A couple of things that I want to highlight to NIST. Identity and Access Management's hired. I can't help myself. But like, literally this is Maslow's hierarchy of cybersecurity needs. Right. Who you adding to what? Secondly, shadow IT is such a huge thing, and one of the stories that got lost in the politics of this was how many people had raised red flags about Signal in particular on government devices and were overruled by political appointees. And the lesson for leaders listening to this is when your people are raising genuine concerns about insecure methods of communication, you should probably not do it. Convenience versus security or legality. I think lastly, as a former journalist, I totally get why these actors decided to use non-government record keeping systems. They were a pain and you don't want necessarily every conversation to be recorded and then used in a court of law. When someone's potentially looking at war crimes, I get where they're at, but yeah, does that add up? Don't know. It's those things that are interesting. And by the way, this isn't just government, right? How many banks have been fined by global regulators for people using WhatsApp to conduct business in transactions that are supposed to be in systems of record, like hundreds of millions of dollars. So like we're all tee-heeing at government and all that fun stuff and it's political, but it ain't the only group of cats using unsanctioned, quote, unquote, secure communication systems to do business. And you're kidding yourself if you don't think that this is happening all over the place to get around access to information regulations and other things.
Randy Rose
Yeah, there's a challenge too. I think in this particular case, and I know this is the case in a number of Western countries that deal with classified information, there's essentially two sets of rules, right? There's the classification level of the data. So that's determined by. Here in the US we use something called an OCA, an original classification authority, and there are guides that, that the OCA follows to say like this, this level of information combined with this other piece of information make it this level of classification with these information controls in place, right? These dissemination controls, all of those kinds of things. And that's determined by an OCA. And then there's a second piece of the information. So you have the data classification piece and the second piece is need to know. So you need to have a clearance of the right level to gain access to the. To that data by default. And then you need to have a need to know. So when you talk about a chat that ends up in a situation where a person who does not necessarily have a need to know, let alone doesn't have the proper clearance, and you're taking information that you would require a certain level of system, a certain secure system in order to transmit that data, you're taking that data off and putting it into that other environment. I understand, like some of the officials are saying, this wasn't classified or had we determined that it was the. It was unclassified data was able to be transmitted. You're still at this point transmitting it to somebody who doesn't have a need to know. So even if the classification piece was resolved, you now have this, this other issue that hasn't really been addressed, which I think is, to David's point, goes to risks with not just shadow IT, but that whole identification and authorization piece of it. When you move something out of official IT channels, now you've lost control over who can get that. 
Right now you're dealing with an information dissemination issue and potentially putting the wrong kind of information into the hands of people who really don't have a need to know. And I would say in this particular case, a journalist definitely didn't have a need to know the kind of content that was being shared, which ultimately ended up a lot of it being shared to the American public. That's very interesting. Other side to this, I don't think is really getting a lot of.
Dana Proctor
And I think that's where my mind went to it and certainly in full agreement with you. But if I go to maybe more a human element, which I know in talking to you before I often go there, is when my values are violated, I get really pissed off. And this pissed me off, that information should not have been shared with a journalist, it should not have been shared with the public. And to say, to give that weak excuse and expect that we should have, one, believed the excuse and two, accepted the excuse just made me more pissed off. So in, in the whole situation it was to. And I think it ties in well with the Oracle as well, is our society is wonderfully connected. It doesn't mean that we shouldn't still be following the golden rule of being honest and being truthful. And if you don't have something nice to say, keep your mouth shut. The telling me that it was okay that this journalist was in that chat and the information being shared was public anyways really was just an offense on my intelligence or my acceptable aspects. And the interesting things in a community conversation. Wandering through the grocery aisle, that was one of the comments. They said, oh, just be careful what friends you keep in your contacts for WhatsApp, because if they get added, that's the problem. And I said, hold on, that's actually, that's how it ended up being transacted. But the problem was that they were actually having that conversation on Signal.
Jim Love
You can get to this thing of we can blame the devices, we can blame the failure, we can blame all these sorts of things, but you have to look back with common sense and say, should I be talking about this here? And if anybody ever stands in elevators behind people or in restaurants and you have to ask yourself, should you be having that conversation here? It happens all over the place. The denial just makes it just makes it worse.
David Shipley
It's funny you mentioned that, but we're talking about Signal, and there are four coffee shops in downtown Toronto where if I want to be in the loop about major financial transactions, one of them will generally have something pretty interesting to say. So if you sit at the Starbucks and you pretend you have your headphones in, but you're just being nosy as all get out, you learn a ton. It's fantastic. The Signal chat is the example in this case, but to your point about where and when it's appropriate to have what conversations. I guess the good news of this is the big winner of this whole mess was Hillary Clinton, because, I mean, her social media posts were on fire, right? I mean, that LinkedIn post where it was like, are you kidding me with the eyes emoji? Look, there was some good emoji used in that chat, but that was, that was something else, right? So I guess they had winners and losers on that one. But in all seriousness, if you think that this isn't happening in some fashion within your organization, you're kidding yourself. And then the question is, how do you create the norms in the culture where people don't do it? Because there's no technological fix. If the US government, with the full might of the NSA, cannot prevent senior leaders from doing this, there's no technological way to do it. You've got to have the buy-in to do it, to Dana's point. People got to believe in doing the right thing.
Randy Rose
Yeah. Dave, I might challenge you on the winner though. I think Signal itself probably comes out as the winner. Fair point. I think as we, as we progress as a society, we, I think we're going to start to see more and more use of encrypted messaging apps. And I don't think Signal could have paid to have the promotion that they got through this entire time. Every media outlet on the planet was writing about this. Signal was created by Moxie Marlinspike, who's a well known entity in the hacking community. And I think that guy is just laughing all the way to the bank because I think more and more people are signing up for Signal today than a few weeks ago and they did have.
David Shipley
The best micro release note I've ever seen and some spicy posts from Moxie. So I will concede the point. Randy, I do agree Hillary's going to have to come in second place yet again.
Randy Rose
Burn.
Jim Love
But again, without being political. There's a leadership piece to this that I, that I think we have to learn from. And I remember when we were, when iPads were first coming into the office, when we had no idea how to secure them and the CEO would bring one in, wander it in and. But nobody else could do that. We just. Leadership matters. And, and that, and the tone for. We say that old tired phrase, the tone from the top. If you want to have a secure organization, you had best not overrule your security people all the time and say, but yeah, but it's okay for me. But not for the great unwashed. Because the great unwashed learns from you. They know what's happening, they know what's important. And every CISO out there has gotta be saying, when you set that type of example, this is what happens to you.
Dana Proctor
Yeah, touche.
David Shipley
Now, on the positive side, speaking of.
Jim Love
Examples, there's a positive side.
David Shipley
There is a positive side. Not to this story.
Jim Love
There's.
David Shipley
Besides Signal being the number one ad, but I saw the UK government take a really nice leadership role globally in new legislation being proposed to actually extend critical infrastructure cybersecurity. So this is the extension of the European NIS2. And what was really awesome was they were specifically targeting data centers, MSPs, like the actual value chain on which their modern digital economy depends. Which is so nice to see because as we talk about the month that was, of course C-26 went down in flames because of a typo and of course the political survival of the Liberal Party here in Canada required us to prorogue Parliament. There had been the faintest and most hopeful of hopes that somehow they would come back, do a speech from the throne before pulling the trigger on an election, and we might have got it passed, but nope, just not to be. And so Canada is now three plus years out easily from any kind of modern cybersecurity laws. And I'm sure Dana is as frustrated as I am because we both spent valuable time testifying to Parliament to actually have basic laws that cover some of our economy.
Jim Love
C-26, RIP, for those vacationing off planet.
David Shipley
C-26 was the Canadian Critical Cybersecurity Act, which included amendments to the Telecommunications Act, which actually ironically gave the government the authority to force our telcos to get rid of Huawei, which they currently don't say they don't have. But that could be gray, along with mandatory requirements for cybersecurity for energy transmission, telecommunications, transportation and the finance sector.
Jim Love
And Dana, you were, you were just as passionate about this and working actually actively on trying to get this across the finish line as well.
Dana Proctor
Yeah, yeah. And the challenge that was seen for so long was we were waiting for perfection to move forward. It came to the Senate at the 11th hour before the Senate went for the summer break. They did very quickly come through with it. But the challenge that I've got right now is, to your point, David, we have no regulation, we have nothing guiding. So when I look at, if we look at the month in review, one of the items that I was looking at getting ready for today is, I had to smile at the launch of that. I have to read it because there's so many words in it. The cybersecurity certification program released as a new cybersecurity standard and self-assessment tool for level one of four levels, specifically made for our ST by the Standards Council of Canada. We'll start accepting applications for organizations who want to become certification bodies to support the evaluation and certification. So we've created all of this government bureaucracy for four levels of certification for defense and supply chain. But we still can't get regulations or bills through to say what our telecommunications or our nuclear power plants or our other critical infrastructure should be required to do on behalf of Canadians.
Jim Love
Yeah. And the problem again, leadership. It shows how much you care. If this was really something urgent, they could have fixed it.
David Shipley
Oh yeah, they had two and a half years.
Jim Love
Just another what's privacy and security? Who cares? And again, that sends a message not just to citizens, that sends a message to staff, that sends a message to everybody that this stuff isn't really that important in terms of how you're doing your job. That's scary.
Dana Proctor
That's it. That's it.
Randy Rose
I do want, I want to go back to a point Dave made about the UK bill that I think is probably lost on a lot of people. So the focus on the data centers and the MSPs, managed service providers, is really critical for smaller organizations. So when you look at, when we think of data centers, right, we think of the large behemoth organizations, but who are they actually servicing? Their customers on the whole are very small organizations. There's a lot of them and they don't have the ability to run their own internal data center. That's why they use these large data centers. Same thing with the managed service providers in the US. And I suspect this is the case for a lot of, a lot of countries. The smaller the organization, whether it's a small business, nonprofit or a local government, they don't have the resources in house to run a lot of the IT and cybersecurity infrastructure themselves. So they have to outsource it. And in most cases, at least here in New York, one of the things that we see, and actually really all of New England, so you know, the whole northeastern, eastern part of the US, we see managed service providers are often relatively small organizations themselves. So they're regionally aligned. There might be an organization based out of here, like the New York Capital Region, and it provides services to maybe 60 organizations in the local area. And then just outside of their local area there's a different managed service provider. So having regulations that support those organizations is one of the best ways to get to, I'll call it the extremities. Right. Get out to those organizations that are traditionally really hard to get to. Because even if you have a federal regulation that says we're going to mandate all organizations do this thing, there's just a massive amount of organizations that have no resources to do that thing, whatever that thing is. Right. So they're relying on those outside providers. 
So the more we can do to support those managed service providers, data centers and other third party organizations that actually have the resources, the better off everybody is. So that's what I really like about this UK bill.
Jim Love
Yeah. And. But it also establishes a standard for MSPs. And there used to be this old, in the days when there were Christmas ads and things like that, there used to be this ad that said open me first. And I think that's what people think of MSPs, open me first. Because I. You've got all kinds of clients and I can reach you. And I don't think, in many cases, I don't think MSPs are always taking that as seriously. I'm not saying they all do, but I'm saying there's so many hacks of MSPs that come up week after week, and at least setting a standard that says there's a regulation, you're going to pay a fine if you don't do this. I ran a small tech company for a while, we got out of hosting. One of the reasons we got out of hosting, we weren't going to be good enough at security so I could sleep at night. That was, it was just that, turn it over to somebody who's going to actually do this better. And that was. That's a huge piece. But I think a lot of MSPs don't know what they don't know. I read a couple of forums because I'm still interested in that area. And you read who some of the people are that are supplying a lot of small organizations and, and you go, you really don't know what you're doing.
Dana Proctor
And so it's a little bit of a loss leader in business. And I think that's the challenge there as well, is to do it economically. The value point just can't be that robust. I'm. I'm a little jaded around the standards that they've brought about, though. I lived through. What was it? It was years ago. It was called Cyber Essentials, wasn't it? And I'm sorry, I'm giving you all goosebumps right now going, I remember the willies. Wasn't it a similar program where it was to be part of a supply chain in the UK, you needed to. Your company needed to align to a certain level of controls and you were certified up to an essentials or whatever the next level was. And it died a horrid death. And we tried to do it in Canada.
David Shipley
Yeah. It was more successful in the UK by orders of magnitude because in Canada we spent millions, tens of millions of dollars on Canada's version of Cyber Essentials. But we didn't remember what the UK did that actually made people want to do it, which was you couldn't get a government RFP if you didn't have the basic bare minimum.
Randy Rose
No.
David Shipley
In Canada it was like, we think this is a nice thing to do. And 12 organizations across the country, like 12. Value for dollar not there. Do I think that we need a basic set of fire code for some standards? Yes. What's different about this defense one that you're mentioning is that, and this is interesting, is we were rushing to match the US. And Randy, you might have to help me here, but there's a US DoD, I'm gonna say CMMC standard that came out, God help me, I can't remember what it actually stands for. But we, of course, being Canadians, like we have to make our own version. That has to be then given equivalency so that our suppliers can supply the US defense industrial complex. But, but in, in one of those life's greatest ironies, it turns out we may not be able to supply to the defense industrial complex in the United States. So this entire certification has become kind of Don Quixote charging at the windmill because we can't even sell aluminum and steel to the United States. I don't know if I'm right about that, Randy, about CMMC or if I'm on the right.
Randy Rose
Yeah, no, you're.
Dana Proctor
Yeah.
Randy Rose
So CMMC was the, the Cyber Maturity Model Certification. And it's. That one is focused specifically on what we call the DIB, the defense industrial base. So it's all the contract organizations, like outside contractors that provide services to the federal government. But you're right, it's a framework for kind of effectively what you just said. And I didn't. I actually wasn't. I had to Google that. Cybersecurity or Cyber Essentials in the UK, because I wasn't tracking that. But it looks like that was a National Cyber Security Centre initiative that did have a forcing function, which essentially CMMC is the same. If you're going to work with the federal government, you have to meet a certain requirement to handle controlled unclassified information or federal contract information. That was like a big part of what CMMC is. And I think, if I'm not mistaken, I think it's actually. It either already did undergo a major update or it is undergoing an update. CMMC 2.
David Shipley
Yeah. You can comply with CMMC 2 or you can use Signal.
Randy Rose
Yes. And so those are your options.
David Shipley
Dana, you were going to say something?
Dana Proctor
No, we end up with bureaucracy and acronyms instead of actual security.
David Shipley
Security.
Dana Proctor
Right now people aren't choosing to not implement multi-factor authentication, segmentation, identity controls because they just don't want to. They're usually doing it because they don't have the money to. Or the people to do this. But it's expensive. Yeah. Technology in some ways is sometimes the cheapest part. So that's where I'm struggling with some of these programs. Love the. And I had forgotten the Cyber Essentials success was because it had some teeth to it. I wasn't aware there was only 12 in Canada. That's horrific. So you're. I'm optimistic if we're creating this new standard that's assisting that it would bring some semblance of improving the waterline for our defence contracts. Engaging with corporations that only meet that. The challenge is that is going to be a tax, a tariff on those companies. They're going to have to meet that certification and maintain it. And that's hard to do in an industry where we're already seen as a tax instead of as an amplifier.
Jim Love
And we're still in a place. I don't know what it's like in the US, but in Canada we're still in a place where most small businesses are just not even vaguely protected. Not even going through the motions of anything resembling security, let alone when it gets complex. And. And without that you're. Not only are those businesses in jeopardy, but any customers they work with are in jeopardy. And I keep looking at this every time I look at a new story that comes out of some. And where there's. I'll just lead into this. There's a whole story about EDR bypasses this month. And I found three stories. We did them one after another. Microsoft Defender. There's a. There's an open. Microsoft acknowledges it. It's out there bypassing that. There are three or four or five tools floating around right now that use software that is basically software that won't trigger anything in an EDR because it's built like a regular piece of software, or it is legitimate software, but it's been hacked or bypassed. And those are just some of the things that are happening. And, and my favorite of all of these things: using old certificates. This is how clever these guys are. Using old certificates that have expired. But spinning back the clock on the machine you attack.
Dana Proctor
Yeah.
Jim Love
So it looks like the certificate is real. I can go through these, and we did stories of them. You can read them all and I'll put some links in the show notes if people want to follow some of these. But. But the fact is that's the level of sophistication that's going out there attacking the one thing that small business might actually have, and that's endpoint detection. And so that's. This is a problem, I think a universal problem. And it. One that's just not. Doesn't seem to ever go away.
Randy Rose
Yeah. I might challenge you a little bit on that one: one defense mechanism that small businesses will have is EDR. I think at least the organizations I've seen, they might have host-based detection in the form of antivirus. But antivirus and EDR, two totally different things, one being signature-based and one being more behavioral-based. But a lot. One of the articles that you sent my way was the Forbes article where it talks about an FBI alert. I'm happy to say a little bit of self-promotion here. My team, the security advisory that went out with that was joint between DHS, the FBI and my team at the MS-ISAC, the Multi-State Information Sharing and Analysis Center. We focused on the Medusa ransomware, and that's. We did a lot of the technical analysis behind that report. And you're absolutely right, these are things. EDR bypass isn't really brand new, but some of the techniques that we're seeing are actually pretty novel and interesting. Turning back the clock was a relatively new one. And the other thing you mentioned too is the living off the land binaries, or LOLBins. Those are. We're seeing more and more actors doing that. Medusa is one of them. We've seen. We've had. I think the number is seven INC Ransomware cases just this year. Same kind of thing. A lot of living off the land, using things like PsExec and other PowerShell capabilities to use administrative tools that are inherent on a system, so that they don't have to install their own malware. Right. It helps evade detection. So one of the challenges is, even if you have EDR, but that EDR isn't properly tuned to your environment, you might miss some of those living off the land techniques. Because how EDR should work is identifying things that are outside of the normal behavior on that system. So if a user has never used PowerShell before and all of a sudden PowerShell's being invoked, EDR should catch that. Or PowerShell's being invoked to run specific commands, EDR should catch that.
And sometimes that's not the case, because EDR is installed, but it's not actually been through the proper process to tune itself to the network and to the host in that network. So that's one of the challenges sometimes we have: even if there is EDR, even if there is a security tool in place, it's not properly tuned to the environment. And that, that alone. I think that gets back to Dana's point earlier. It's not always necessarily the tool. You might have the tool in place, but the more expensive thing is configuring it for the environment, making sure that it's adequately tested.
Jim Love
Right.
Randy Rose
Running in a secure configuration, all of those things.
Jim Love
There was another thing I saw in one of the articles, and just was, yeah, they hadn't set up the EDR right? They had it, but it was set up or it was bypassed by something, but. Or that it disabled it, but basically it would give an alarm but not do any protecting. Oops.
Dana Proctor
And isn't that the fun, right, the old adage of set and forget, right? We've got EDR, check, we're good. And to your point, a lot of the small, medium businesses, even enterprise businesses, we get focused on other activities. We're forgetting some of those golden rules of we need to be testing, we need to be actually running some semblance of penetration testing at some point. We're even purple teaming with your monitoring organization to ensure that you're actually testing valid use cases. You're looking at your rights and your administrations. Right? Doing some certification campaigns within an organization is pretty foundational for most of us. I dare. I don't know an actual percentage. I'm sure ChatGPT, another GPT could tell me a number, but I suspect if I was to put a bet on it, it's less than 10% of our organizations actually do that and do it on the regular. So these types of stories, I hope, act as reminders of, oh yeah, I should go check that and make sure that my EDR is actually picking up PowerShell runs, for example, as you mentioned.
David Shipley
Randy, I think, Dana, you're 100% correct. And Randy, the same thing. You got to tune these things. What I'm desperately afraid of: so many vendors are sprinkling AI magic pixie dust and saying it does it all for you. Which, dear listeners and viewers, like a natural human tendency, is where we don't want to do extra work. We're busy, we're tired, we're cranky, we got enough on the plate, whatever it is. And so when we hear vendors say that sweet siren song of it's automated, smart, intelligent, you don't have to, you can set it and away you go. It is the disaster of the sirens, right? For those that use naval references or mythological naval references, right? So sirens would lure you in and your ship would crash on the rocks and you'd be devoured by monsters. Here ended the lesson on EDR and the vendors that say you don't have to do anything, you just got to install it. And the other part is, of course, we buy into the idea of the silver bullet still, and silver bullet thinking is all throughout information technology, whether it's customer relationship management or other systems or security systems, we. We keep falling for the same trap. It's like Wile E. Coyote. And technology is our Acme Corp. And we have a very unhealthy relationship with it. And hopefully that movie will be coming out soon now that it's been released from Warner Brothers hell. Fingers crossed.
Randy Rose
That's a news article we didn't talk about yet.
Dana Proctor
Part 2.
Jim Love
Does anybody else have another story? Do you want to. You want to cover it? Dana? Do anything?
Dana Proctor
I. Yeah, getting ready to. Like I said, it was a bit of a softball month because there were just so many really great articles, and so a few that caught my eye, I'll say, and in some ways made me shake my head, because to your point that you'll often say, David, of catching the Dilbert, there were a few of them. One is the Kuala Lumpur International Airport. $10 million ransomware in itself is not necessarily horrific.
Randy Rose
Right.
Dana Proctor
You're like okay, another two point airport got hacked, is. But the convergence of the OT with the IT, this from what I've been able to read was certainly very targeted, and the irony was not lost on me that their flight information dashboards was what predominantly was what was seen by travelers. So they had whiteboards, if I believe the articles that we're reading, and we'll get whiteboards in the Kuala Lumpur International Airport, not a small airport, for quite a bit of time. So public disclosure of the sensitive, or sorry, public impact, no flight challenge. But it begs the how far can they go? Airports are now being seen as I can get some attention with these, and airports are wonderful little cities. There's a lot of financial gain. What I love as well is that they said no, we're not paying the ransomware. So a neat story. Not close to home, but I dare say could be on the other side of it, was the NHS Scotland, and you could interchange NHS Scotland with any local hospital. Major ransomware attack knocked out most clinical systems. Staff was left for arguably, I think it was a day and a bit, pen and paper. Operations were canceled. Patient care wasn't able to go on. Entire systems were offline, if I'm believing what we're reading. No segmentation for offsite backups. They had legacy infrastructure that they blamed as the leading culprit, and no, they didn't seem to have any incident response plan outside of maybe some tabletops that they had done. They had not simulated this, so they were at an absolute inability on how do we actually respond. The Beetlejuice to this is it could have been one of our hospitals in a heartbeat. So those were the two that caught.
Jim Love
You said this was an OTIT thing. I didn't catch the story.
Dana Proctor
So a bit of convergence there, that by getting into the flight information dashboards, you're going through what is more traditionally the OT side of the airports, of understanding when the airlines were planning to be departing and arriving and which gate they're at. That's often being either informed by OT or run by IT and then converged into the IT side of an airport. So it's absolutely targeting a. I would say an Achilles heel of the airports.
Jim Love
Wow. And the NHS story, did you say they came back in a day and a half? They were. They actually got back that fast?
Dana Proctor
Back up. Not using pen and paper, according to the article. Back up. I don't know that you catch up that quickly. I don't believe you're that quick.
Jim Love
Even if they were perfect, a day and a half, I think they might. We might class them in our other story of being less than honest about what's happening. We had four hospitals here, or five hospitals here in Ontario that were attacked. They didn't come back for months.
David Shipley
In fairness.
Dana Proctor
Come back.
David Shipley
Like there's a famous political quote. It depends on the definition of "is," right. And depends what you mean by open. So, yeah, I mean there's a lot of leeway on that side. What's interesting with the NHS hacks, like a lot of these health trusts in the UK, it's been their managed service providers that get hit and then it takes them down. Which goes back to Randy's point about what's nice about the. And probably honestly what's driving the UK focus. And it's. Oh, yeah, MSPs are critical infrastructure. The. The OT IT thing just. It's only going to continue to accelerate because we've turned networks into software, and people have made a lot of good progress in efficiencies and scale and money to be made in doing that. But when you turn what used to be physically separate fiber networks into the same network that's then split by software, you're typos away from bad things happening, and OT devices continue to be a dumpster fire. Yeah. The one. One last shout out I want to give is, of course, kudos to police when they bust a criminal. But we have a Canadian that has now been charged for a hack of the Texas GOP. Apparently, according to reporting from the Globe and Mail, he was actually quite prominently featured in a documentary that's on Netflix about the founding of Anonymous. Police 1, OPSEC 0, with lessons to be learned. I think earlier this week, you kicked off the week and I said a couple of things. If you're going to hack, don't target Texas. Don't mess with Texas. One of the best environmental campaigns ever. But also, do not taunt the FBI with foul language and tell them what they can and can't do, because you know what motivates a cop. Yeah. Challenge me. Right?
Randy Rose
Yeah.
Jim Love
Is he.
Randy Rose
So he.
David Shipley
He hacked around and found out.
Jim Love
Did that. Did you hear anything about that? Was that news in the States? Any at all?
Randy Rose
I don't. You know what, to be honest with you, I don't know about the specific story of Cottle getting arrested. I don't remember seeing that until you passed it my way. But certainly the breach of the Texas Republican Party, that was years ago, though. That was back. That was near the height of COVID, if I remember correctly. It was kind of like 2020, 2021 maybe. So I do. Yeah. I mean, that made news for sure. But I don't think the arrest has really hit off here in the US. That's not really. That kind of stuff doesn't always pick up. Like we're interested in the sensational part. So the hack itself makes it into U.S. news and we escalate that. But when they catch the guy, it's kind of like, all right, yeah.
David Shipley
The good news for this cat is he's apparently being charged under Canadian law, which means possibly Canadian jail time, and he's not going to end up in El Salvador. So that's a win.
Jim Love
Yeah, I guess so. But the iq, but. And this is one of the things that I talk about. I'm actually trying to get together to do a police show because. But it's incredibly hard to get through the communications people from. To get police who will actually talk to you, because I honestly believe we don't know how hard the work is. This hack happens years ago, and God bless them in the U.S., the FBI have been the most dogged people for going after. And that's why I loved David's story saying, don't mess with the FBI if you have that reputation. It may take us years, but we'll get you. That's the type of prevention you get. And I think in many cases, some other police forces, maybe some in Canada, could learn from that. And that is that you just don't let go. And so that if you're going to do. What's that, Baretta? You don't do the crime if you can't do the time. And I'm not your pound-on-the-table law and order guy, but there is a special place in hell for people who hack hospitals and do things like that, or who cheat old people out of their pensions. And God bless the FBI.
Dana Proctor
On that one, here, one of the. If we try to leave a little bit of positivity on this as well, is one of the things that I'm loving is seeing the anti-money laundering activities being brought more in with the IT, the O. Not a little bit in the OT, because there's certainly some brick and mortar aspect to it as well. But the security program, right, years ago we'd call it fusion. I think it's having its resurgence, not the least of which of other stories that were in the news not so long ago, but one of the. Well, TD Bank for the anti-money laundering, but certainly anti-money laundering, anti-fraud, cybersecurity, they're all close cousins, all very close cousins. So I'm loving that some of the programs are leaning more into how to be detecting and then of course how to be thwarting, or at least being aware to detect sooner than later and putting some stop to that, because to your point, special place in hell for people that take advantage of seniors, people on fixed income, people in disability, people with special needs. You shouldn't take advantage of anybody, but especially not the weak.
Jim Love
That's great. The wonder of this is how fast the hour goes. This has been. I'm hoping I get you guys back again for another month, because I think we covered a lot on this one, but the time just zipped by on this one. So thank you very much. My guests have been Dana Proctor with us from Ottawa, Randy Rose from Syracuse. No, Saratoga Springs. Sorry, I got Syracuse on the brain. I can't help it. Saratoga Springs. And David Shipley from beautiful Fredericton, and I'm your host, Jim Love. Thank you very much and thanks for listening. If you have comments on the show, please send them to me at editorial@technewsday.ca. You can reach me there. You can find me on LinkedIn. Most, that's a lot of people roast me there, and I'm just happy to have a non-political discussion on LinkedIn. So come to me and talk to me about cyber security, and if you're watching this on YouTube, right underneath the video, just leave a comment. We'll get back to you. Thanks a lot, gang, and we'll do this again next month.
Cybersecurity Today: Month-End Review Summary
Release Date: April 5, 2025
Host: Jim Love
Guests: Dana Proctor (Ottawa), Randy Rose (Center for Internet Security, Saratoga Springs), David Shipley (Fredericton)
In the April 5, 2025 episode of Cybersecurity Today, host Jim Love convenes a panel comprising Dana Proctor from Ottawa, Randy Rose from the Center for Internet Security in Saratoga Springs, and the ever-present David Shipley from Fredericton. The discussion focuses on major cybersecurity events of the month, evaluating breaches, communication mishaps, and evolving global regulations.
David Shipley initiates the conversation with a critique of Oracle’s handling of a recent security breach:
[01:33] David Shipley: "Breaches happen even to the big kids. It's important to be honest when it happens because the speculation, the rumor mill, the register, savage headlines on the reg, they're just not worth dancing around."
Incident Overview: A hacking group claimed to have breached Oracle Cloud Classic, not the primary Oracle Cloud service. Initially, Oracle denied the breach, but contradictions arose when the hackers demonstrated their access by placing messages on Oracle servers.
Discussion Highlights:
Transparency Failure: Randy Rose emphasizes the critical role of communication during breaches.
[04:11] Jim Love: "But in cybersecurity, if you're not candid, you're gonna have more pain in the long run than you do by just putting this out."
Broader Implications: Dana Proctor underscores the long-term damage to Oracle's trustworthiness due to mishandled communications.
[09:09] Dana Proctor: "Breaches do have a way of bringing our businesses, if not our future trajectory down significantly."
Rebuilding Trust: David Shipley notes that while breaches can be detrimental, organizations like CrowdStrike have successfully rebuilt trust post-incident by transparently addressing issues.
[09:41] David Shipley: "You can actually rebuild trust through an incident. It's not ideal, but you can."
Jim Love transitions to discussing a notable security lapse involving Signal, an encrypted messaging app widely trusted for secure communications.
Incident Overview: Several U.S. Government officials used Signal for sensitive communications, believing it to be fully secure. However, vulnerabilities were exploited, allowing unauthorized parties to access conversations.
Key Points Discussed:
Misplaced Trust in Technology: David Shipley criticizes the assumption that using encrypted apps like Signal inherently ensures security.
[10:13] Jim Love: "You have encrypted communication there. Only you got to make sure you don't invite the wrong people to that..."
Government Policy Failures: Randy Rose explains the complexities of data classification and the importance of adhering to need-to-know principles even when using secure channels.
[16:14] Randy Rose: "When you move something out of official IT channels, you've lost control over who can get that."
Cultural Norms and Leadership: The panel emphasizes that technological solutions alone are insufficient; organizational culture and leadership commitment are paramount.
[19:27] Randy Rose: "When there's a breach, understand what it is, what's going on, who's impacted, how do we resolve that issue."
Consequences and Accountability: Dana Proctor expresses frustration over the lack of accountability and the excuses provided by officials regarding the breach.
[17:41] Dana Proctor: "The telling me that it was okay that this journalist was in that chat was just an offense on my intelligence."
The conversation shifts to global cybersecurity regulatory environments, particularly contrasting the United Kingdom’s proactive measures with Canada’s lagging efforts.
UK’s Legislative Advances: David Shipley highlights the UK's introduction of new legislation targeting data centers and Managed Service Providers (MSPs), recognizing these entities as critical to the digital economy.
[20:03] David Shipley: "The UK government take a really nice leadership role globally in new legislation being proposed to actually extend critical infrastructure cybersecurity."
Challenges in Canada: Dana Proctor laments Canada's delayed and insufficient regulatory framework, despite significant investments in certification programs.
[23:04] Dana Proctor: "But we still can't get regulations or bills through to say what our telecommunications or our nuclear power plants should be required to do."
Role of MSPs: Randy Rose elaborates on the importance of regulating MSPs, which often serve small organizations lacking robust internal cybersecurity measures.
[24:58] Randy Rose: "Having regulations that support those organizations is one of the best ways to get to those organizations that are traditionally really hard to get to."
Historical Context: The panel reflects on previous initiatives like Canada's version of Cyber Essentials, noting its failure due to lack of enforcement compared to the UK's success where government RFPs mandated compliance.
[28:42] David Shipley: "Cyber Essentials was more successful in the UK because you couldn't get a government RFP if you didn't have the basic bare minimum."
Kuala Lumpur International Airport Ransomware Attack: Dana Proctor discusses a $10 million ransomware attack on the airport, focusing on the convergence of Operational Technology (OT) with Information Technology (IT), which exposed critical flight information systems.
[39:25] Dana Proctor: "They had whiteboards in the Kuala Lumpur International Airport... targeting what used to be physically separate fiber networks into the same network."
NHS Scotland Ransomware Attack: The panel examines a severe ransomware incident that crippled most clinical systems, forcing staff to revert to pen and paper operations for over a day without effective incident response plans.
[40:06] Dana Proctor: "Patient care wasn't able to go on... no segmentation for offsite backups... they had no incident response plan."
Implications: These incidents illustrate the devastating impact of ransomware on critical infrastructure and the urgent need for robust cybersecurity measures and preparedness.
Jim Love introduces a discussion on the sophistication of recent Endpoint Detection and Response (EDR) bypass techniques, highlighting their threat to small businesses.
Technical Insights: Randy Rose explains that while EDR systems are essential, their effectiveness is contingent on proper tuning and configuration to detect novel attack vectors like “living off the land” binaries.
[36:26] Randy Rose: "EDR isn't brand new, but some of the techniques that we're seeing are pretty novel and interesting."
Panel Concerns: Dana Proctor and David Shipley emphasize that many organizations treat EDR as a “set and forget” solution, neglecting continuous monitoring and testing, which diminishes their efficacy.
[37:47] Dana Proctor: "We need to be testing, we need to be actually running some semblance of penetration testing..."
[37:59] David Shipley: "When we hear vendors say that sweet siren song of it's automated, smart, intelligent, you don't have to do anything, it is the disaster of the sirens."
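The tuning point Randy Rose makes (an EDR should know what is normal for each user, so a first-ever PowerShell launch by a desk user is a signal while an administrator's nightly script is not) can be shown as a small behavioural baseline check. The following is an added example, not code from the episode, MS-ISAC, or any EDR product; the process-creation records, the LOLBin watch-list and the record format (`ts|user|host|image|parent|cmdline`) are all constructed for illustration. It also shows the untuned case: the same rules with no learned baseline fire on the administrator's routine backup job as well, which is the noise that makes a "set and forget" deployment get ignored.

```python
"""Behavioural baseline check for living-off-the-land binary (LOLBin) use.

Added example with constructed telemetry, not real EDR data. The same
PowerShell invocation is noise for an administrator who runs it every night
and a strong signal for a user who has never launched it before.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Native Windows tools often abused so that no malware needs to be installed.
# Assumed watch-list; a real deployment tunes this per environment.
LOLBINS = {"powershell.exe", "psexec.exe", "wmic.exe", "certutil.exe", "mshta.exe"}
# Document-handling parents that have no business spawning a shell.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}


@dataclass(frozen=True)
class ProcEvent:
    ts: str
    user: str
    host: str
    image: str
    parent: str
    cmdline: str


@dataclass
class Alert:
    ts: str
    user: str
    host: str
    image: str
    reasons: list = field(default_factory=list)


def parse_event(line: str) -> ProcEvent:
    """Parse one pipe-delimited record: ts|user|host|image|parent|cmdline."""
    ts, user, host, image, parent, cmdline = line.strip().split("|", 5)
    return ProcEvent(ts, user, host, image.lower(), parent.lower(), cmdline)


def build_baseline(lines):
    """Learning phase: record which binaries each user normally runs."""
    seen = defaultdict(set)
    for ev in map(parse_event, lines):
        seen[ev.user].add(ev.image)
    return dict(seen)


def detect(baseline, lines):
    """Detection phase: flag LOLBin use that deviates from the learned baseline."""
    alerts = []
    for ev in map(parse_event, lines):
        if ev.image not in LOLBINS:
            continue
        reasons = []
        if ev.image not in baseline.get(ev.user, set()):
            reasons.append(f"first observed use of {ev.image} by {ev.user}")
        if ev.parent in OFFICE_PARENTS:
            reasons.append(f"spawned by {ev.parent}")
        # Any switch beginning with -enc (e.g. -EncodedCommand) hides the script body.
        if any(tok.lower().startswith("-enc") for tok in ev.cmdline.split()):
            reasons.append("encoded command line")
        if reasons:
            alerts.append(Alert(ev.ts, ev.user, ev.host, ev.image, reasons))
    return alerts


# Constructed learning-window telemetry: bob is an admin who runs scripts nightly.
BASELINE_LOG = [
    "2025-03-03T09:12:03|alice|WS-01|excel.exe|explorer.exe|excel.exe Q1.xlsx",
    "2025-03-03T09:40:11|alice|WS-01|outlook.exe|explorer.exe|outlook.exe",
    "2025-03-03T22:00:00|bob|SRV-01|powershell.exe|cmd.exe|powershell.exe -File C:\\ops\\backup.ps1",
    "2025-03-04T22:00:00|bob|SRV-01|powershell.exe|cmd.exe|powershell.exe -File C:\\ops\\backup.ps1",
]

# Constructed events from the detection window.
NEW_LOG = [
    "2025-04-01T10:02:45|alice|WS-01|powershell.exe|winword.exe|powershell.exe -enc <constructed-placeholder>",
    "2025-04-01T22:00:00|bob|SRV-01|powershell.exe|cmd.exe|powershell.exe -File C:\\ops\\backup.ps1",
    "2025-04-01T23:17:09|carol|WS-02|psexec.exe|cmd.exe|psexec.exe -s cmd.exe",
    "2025-04-02T08:15:00|alice|WS-01|excel.exe|explorer.exe|excel.exe Q2.xlsx",
]


def run_tuned():
    """Rules applied against a learned baseline: two alerts, bob's backup is quiet."""
    return detect(build_baseline(BASELINE_LOG), NEW_LOG)


def run_untuned():
    """Same rules with no baseline: bob's routine job is flagged too (three alerts)."""
    return detect({}, NEW_LOG)


if __name__ == "__main__":
    for a in run_tuned():
        print(a.ts, a.user, a.host, a.image, "; ".join(a.reasons))
```

The baseline here is a per-user set of binaries learned from a quiet window; a production tool would also key on host, parent process and time of day, and would be re-learned as roles change. The point the panel makes survives the simplification: the rules are identical in both runs, and only the learned context decides whether the administrator's nightly PowerShell job is an alert or background noise.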
The panel touches on the recent arrest of a Canadian individual implicated in hacking the Texas GOP, highlighting the challenges and successes in international cyber law enforcement.
[44:19] Dana Proctor: "One of the best environmental campaigns ever. But also, do not taunt the FBI with foul language and tell them what they can and can't do."
Discussion Points:
[45:13] Jim Love: "I keep looking at this... it's incredibly hard to get through the communications people from police who will actually talk to you."
Dana Proctor highlights the integration of Anti-Money Laundering (AML) initiatives with cybersecurity frameworks, fostering more robust detection and prevention mechanisms against financial cybercrimes.
[46:23] Dana Proctor: "Anti money laundering, anti fraud, cybersecurity, they're all very close cousins."
Benefits: Such integration enhances the ability to detect and thwart illicit financial activities, particularly those targeting vulnerable populations like seniors and individuals with disabilities.
Jim Love wraps up the episode by reflecting on the rapid passage of time during the discussion and expressing gratitude to the panelists for their insightful contributions. He encourages listeners to engage via email or LinkedIn for further discussions on cybersecurity topics.
[47:23] Jim Love: "Thank you very much and thanks for listening... we'll do this again next month."
Key Takeaways:
Transparency and Honesty: Effective communication during breaches can mitigate long-term damage to an organization’s reputation.
Regulatory Enforcement: Strong, enforced regulations, as exemplified by the UK, are crucial in enhancing cybersecurity across all sectors.
Continuous Vigilance: EDR systems require regular tuning and testing to remain effective against evolving cyber threats.
Law Enforcement Collaboration: International cooperation is essential in combating cybercrime, with recent arrests highlighting progress.
Integrated Approaches: Combining AML with cybersecurity efforts strengthens overall defense mechanisms against financial cyber threats.
For more detailed discussions and updates, subscribe to Cybersecurity Today and follow Jim Love on LinkedIn.