Dave Bittner
You're listening to the CyberWire network, powered by N2K. And now a message from our sponsor, Zscaler, the leader in cloud security. Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise, with an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security. Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making apps and IPs invisible, eliminating lateral movement, connecting users only to specific apps, not the entire network, continuously verifying every request based on identity and context, simplifying security management with AI-powered automation, and detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI. Learn more at zscaler.com/security.
Dave Bittner
President Biden issues a comprehensive cybersecurity executive order. Updates on Silk Typhoon's US Treasury breach. A Chinese telecom hardware firm is under FBI investigation. A critical vulnerability has been found in the UEFI Secure Boot mechanism. California-based cannabis brand STIIIZY suffers a data breach. North Korea's Lazarus Group lures freelance developers. The FTC highlights major security failures at web hosting giant GoDaddy. Veeam patches a critical vulnerability in their Backup for Microsoft Azure product. Hackers leak sensitive data from over 15,000 Fortinet firewalls. Our guest today is Oren Koren, Veriti's co-founder and CPO, sharing insights about the state of healthcare cybersecurity. And, shiver me timbers, Meta's AI trains on a treasure chest of pirated books.
It's Thursday, January 16th, 2025. I'm Dave Bittner, and this is your CyberWire Intel Briefing. Thanks for joining us here today. Great to have you with us.
As expected, President Joe Biden, just days before leaving office, issued a comprehensive cybersecurity executive order to bolster the US government's digital defenses. The directive mandates stronger network monitoring, secure software development, and stricter protections for cloud and IoT systems. It emphasizes using AI for cybersecurity, with programs to safeguard critical infrastructure and analyze threats. Agencies must adopt digital identity tools, secure open source software, and prepare for post-quantum cryptography. Key measures include requiring software vendors to prove secure practices, empowering the Cybersecurity and Infrastructure Security Agency to conduct threat hunting, and reducing reliance on dominant IT providers. The order also introduces consumer IoT labeling and prioritizes research on AI security. The directive seeks to address vulnerabilities exposed by incidents like the SolarWinds hack. However, its future depends on the incoming administration, which has yet to define its cybersecurity approach or appoint key officials. The order aims to set a strong foundation for continued improvements.
Bloomberg has an update on the Chinese state-sponsored hackers identified as Silk Typhoon who breached the US Treasury Department, compromising 419 computers and accessing sensitive, unclassified data. The attackers targeted staff involved in sanctions, international affairs, and intelligence, stealing usernames, passwords, and over 3,000 files, including policy documents, sanctions material, and law-enforcement-sensitive data. They also accessed information on investigations by the Committee on Foreign Investment in the U.S. The breach occurred between September and November and exploited contractor BeyondTrust's systems. Investigators found no evidence of malware or long-term infiltration into classified systems. Treasury reported the attack to CISA and sought FBI assistance. Congress was informed of the breach, with officials conducting a damage assessment and considering alternatives to BeyondTrust. China denied involvement, calling the allegations groundless. Treasury employees will brief the Senate Banking Committee while BeyondTrust's systems remain offline.
The US Commerce Department and FBI are investigating Baicells Technologies, a telecom hardware firm founded in China by former Huawei executives, over potential national security risks, Reuters reports. Baicells, established in 2014, supplies equipment for mobile networks across all US states. The probes focus on the company's Chinese origins, vulnerabilities in its base stations, and potential risks of remote access or espionage. The Pentagon recently listed Baicells as linked to the Chinese military, while CISA flagged security flaws in its products. FBI concerns date back to 2019, including warnings to customers near sensitive US sites. Despite claims of independence from its Chinese parent, critics allege Baicells is managed from China, with most equipment sourced from Chinese suppliers. Baicells denies security risks and says it cooperates with investigators, but the scrutiny reflects ongoing fears about Chinese telecom firms compromising US infrastructure. Federal agencies and customers remain wary.
A critical vulnerability has been found in the UEFI Secure Boot mechanism, impacting most UEFI-based systems, discovered by ESET. The flaw allows attackers to bypass Secure Boot protections and deploy malicious bootkits like Bootkitty and BlackLotus, even on systems with Secure Boot enabled. The issue lies in a UEFI application signed by Microsoft, which improperly uses a custom loader instead of secure UEFI functions. Affected software includes recovery tools from vendors like Howyar, Greenware, and Radix. Exploitation grants attackers persistent, undetected access during boot by replacing legitimate bootloaders. Microsoft revoked vulnerable binaries in its January 2025 Patch Tuesday update. Users are advised to update systems, ensure Secure Boot databases are current, and audit UEFI configurations. Though no real-world attacks have been observed, this vulnerability highlights concerns over third-party UEFI security practices and Microsoft's code signing process.
California-based cannabis brand STIIIZY is notifying 380,000 individuals of a data breach stemming from a vendor's cyberattack. Between October 10 and November 10 of last year, attackers accessed systems at the vendor, stealing personal information tied to four STIIIZY locations in San Francisco, Alameda, and Modesto. Compromised data includes government ID details, medical cannabis cards, transaction histories, and more. STIIIZY suspects ransomware, as the Everest ransomware group claimed responsibility, leaking some stolen records. STIIIZY is offering affected individuals 12 months of free credit monitoring.
North Korean hackers, specifically the Lazarus Group, are targeting the software supply chain in a campaign dubbed Operation 99, according to SecurityScorecard. The campaign lures Web3 and cryptocurrency developers via fake LinkedIn profiles offering freelance projects. Victims are directed to clone malicious GitLab repositories, which connect to attackers' command and control servers, deploying custom malware tailored to each victim's platform, be it Windows, macOS, or Linux. The malware steals files, credentials, clipboard data, and keylogs, maintaining persistence through advanced encoding and modular frameworks. Lazarus' goal is to compromise developer workflows, steal intellectual property, and access cryptocurrency wallets. The campaign is part of North Korea's broader strategy to fund its regime, reportedly stealing $1.34 billion in cryptocurrency in 2023 and $660 million in 2024. The operation exemplifies the growing sophistication of North Korean cyber tactics to exploit trust and disrupt critical supply chains.
The Federal Trade Commission has identified major security failures at web hosting giant GoDaddy, attributing multiple data breaches from 2019 through 2022 to inadequate cybersecurity practices. A proposed FTC settlement requires GoDaddy to overhaul its security measures, including implementing robust information security programs, real-time event analysis, and mandatory multi-factor authentication for employees and third parties. The breaches exposed sensitive data, including customer credentials, credit card numbers, and websites, affecting millions of small businesses and their customers. The FTC alleges that GoDaddy failed to manage assets, update software, monitor security events, and segment shared hosting environments, leaving customers vulnerable to malware, data theft, and website compromises. The proposed order prohibits misleading security claims and mandates annual security testing. Although no financial penalty is included, non-compliance could result in significant fines.
A critical vulnerability has been identified in Veeam Backup for Microsoft Azure, affecting versions up to 7.1.0.22. This high-severity flaw enables unauthenticated attackers to exploit a server-side request forgery weakness, allowing unauthorized network enumeration and potential follow-up attacks. Veeam discovered the issue during internal testing and released a patch to address it. Users are urged to update their systems immediately to mitigate risks.
Hackers known as the Belsen Group have leaked sensitive user data from over 15,000 Fortinet firewalls on the dark web. The data, reviewed by security researcher Kevin Beaumont, appears authentic, including usernames, passwords (some in plain text), SSH keys, digital certificates, and firewall rules. The leak stems from a 2022 zero-day vulnerability affecting FortiOS, FortiProxy, and FortiSwitchManager. Organizations are urged to check patch histories, update credentials, and assess exposure. Many impacted devices remain in use, often maintained remotely. The leaked data, dating back to October 2022, highlights ongoing risks from unpatched systems. Fortinet has also recently warned of another zero-day vulnerability potentially under attack.
Coming up after the break, my conversation with Oren Koren, Veriti's co-founder, speaking about healthcare cybersecurity. And, shiver me timbers, Meta's AI trains on a treasure chest of pirated books. Stay with us.
Dave Bittner
And now a word from our sponsor, KnowBe4. It's all connected, and we're not talking conspiracy theories. When it comes to infosec tools, effective integrations can make or break your security stack. The same should be true for security awareness training. KnowBe4, provider of the world's largest library of security awareness training, provides a way to integrate your existing security stack tools to help you strengthen your organization's security culture. KnowBe4's SecurityCoach uses standard APIs to quickly and easily integrate with your existing security products from vendors like Microsoft, CrowdStrike, and Cisco. 35 vendor integrations and counting. SecurityCoach analyzes your security stack alerts to identify events related to any risky security behavior from your users. Use this information to set up real-time coaching campaigns targeting risky users based on those events from your network, endpoint, identity, or web security vendors. Then coach your users at the moment the risky behavior occurs with contextual security tips delivered via Microsoft Teams, Slack, or email. Learn more at knowbe4.com/SecurityCoach. That's knowbe4.com/SecurityCoach, and we thank KnowBe4 for sponsoring our show.
Cyber threats are evolving every second, and staying ahead is more than just a challenge, it's a necessity. That's why we're thrilled to partner with ThreatLocker, the cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit threatlocker.com today to see how a default-deny approach can keep your company safe and compliant.
Oren Koren is Veriti's co-founder and Chief Product Officer. I recently caught up with him for insights on the state of healthcare cybersecurity.
Oren Koren
I think what we've seen in 2024 and 2023 will be the same, but with another layer of complexity. First of all, the same: they will still be a main target, because in some cases it's easier to hack a hospital, and if you want, I can explain that. But the second piece is we are seeing so many hospitals and healthcare institutes starting to use AI outside of their own boundaries. That means saving, sending, sharing our own personal data with external AI solutions or advanced processes. And those, I believe, will become the targets, because if the data was stored inside the hospital, and again, we can talk about how easy or not it is to get in, but now maybe we don't need to get in as an attacker. From an attacker perspective, you just need to go to the center of the data that is outside of the organization. I believe that will be... we will see a massive increase in 2025 for that.
Dave Bittner
Well, let's go at those one at a time. I mean, starting with the notion of the hospital itself, the healthcare organization, being an attractive target. You know, we talk about how they have that combination of perhaps not being as fully funded as other organizations and also obviously having a critical mission. I mean, that is par for the course these days. That has not changed over the past few years, right?
Oren Koren
And it will not. The example for that is me and my other co-founder, Adi, we went to a healthcare institute for a discussion, just a security discussion, not something related to the product. And I've asked the CISO and the CIO, can you please grant me access to your security controls just for a second? I just want to see what you actually do with them. Are you using them? The answer was definitely yes. And when we've logged in to the different layers of security, everything was turned off. It's like 100% turned off. I looked at them and I said, that's on you. You understand that, right? In two, three months, someone will get in. They said, yes, they might get in, but no one will die, because the security controls that we have will not take down the MRI. What we see in hospitals or healthcare is that they cannot patch, mainly because of compliance, because the MRI that is on Windows Vista or something will not be patched for the next eight years, until the next episode of compliance processes. That means they have the vulnerability, they have the risk of the exposure, and they cannot update or upgrade with all of the known processes. They need to use the compensating controls, but they do not want to use them, or they are reducing the protection, because those are very intrusive and are impacting their business, and their business is saving lives. So we are seeing that all the time. Almost every time you will see research on someone who got hacked, it's because they had everything, they had the ability to protect. It's mandatory compliance to have all of those tools and controls, but they have not used them, because they will say, yeah, I will not use those, it will take me down, and I'm not going to jeopardize someone's life because of a signature that I need to enable for my vulnerability. It's very common, unfortunately, today.
Dave Bittner
Yeah, I've certainly heard that story before. Well, talking about AI and the data going off-site, explain that to me. Are we talking about the casual use of readily available AIs, the ChatGPTs of the world, or are we talking about custom solutions for the medical industry that are also, let's say, cloud-based?
Oren Koren
No, the custom solutions, definitely. In ChatGPT and those tools there is a risk, but I don't think that will be the main one. Yet another example: I went to another institute, and they have a project for the human genome. They actually map everything. They collect all the data from everyone that comes to the hospital and send it to advanced analysis. Everything is analyzed in the cloud. So actually there is one repository with all of the genome structure and also all of the, it's not photos, all of the results of the tests of everyone that came to the hospital. It's one location. Now I will ask the engineer or the IT manager in the hospital, do you know how to secure your cloud? Let's say it's an application you've deployed in your AWS. Do you know how to secure it, or how to validate the security there? So if the answer is yes, let's hope. If the answer is no, okay, use the CSPM first, because you've moved to the cloud. And if it's an external service, an external application that you use, that means the hospital might not be the target. They will just target someone else, an external resource, or even a startup that is doing that, that might have security, might not. And in one place they will be able to collect all the data or to encrypt all of it. And in some cases it's human life, because the MRI analysis today is using AI inside the systems that are inside the hospital, but also outside. So would you pay a million bucks for someone's life if you need to pay the ransom, or not? That's, I think, the crucial question that we will see even more. But not by attacking the hospitals themselves, but the external locations where the data is stored.
Dave Bittner
Well, I mean, given these realities, the things that we've laid out here, what are your recommendations, then? I mean, what is there for these organizations to do?
Oren Koren
Let's start with AI. When you're moving to the cloud, you cannot assume you know what you do. You've deployed firewalls and routers and the EDR and the WAFs of the globe, and you've done that for the last 20 years, and you're amazing at that. As a CISO, you've done that in your career, and then you got the CISO position, and now you actually know how to manage it, how to define the security and how to enforce it, how to validate the team is doing their job. But when you are moving to the cloud, it's almost the same, but it's different. Someone needs to know what to do there. And the engineer that worked for the last 20 years at the hospital still needs to work there. They still have the infrastructure, but you need someone else that has the expertise. And what I've seen from the US government standpoint, in the flight I've done with someone from Microsoft, they finished a project with the US government where the US government is giving an MSSP service to the hospitals without any payment, to help them use those service providers. You don't have enough budget to hire all the DevOps you need. So my recommendation will be, if you have those projects, and it's very easy to map today if data is being sent outside or saved or stored outside, hire the relevant ones and, first of all, use the CSPM, run a CSPM to understand if there is a misconfiguration there. But second, move to services, because probably you will not be able to hold the manpower. They will not go to work at a hospital; they will go to a big firm or a big tech company if you want strong DevOps. So that's for the AI.
For the organizations themselves, the exposure management and remediation today, which was defined by Gartner as CTEM, continuous threat exposure management, is something that everyone needs. But in healthcare, the idea of CTEM, and I think it's a very important thing to focus on, is let's scope ourselves on what is important to protect. What are my assets, or important assets? Let's understand if I have the way to protect them, and then let me protect them with what I have. It's actually a circle of five steps. I'm seeing CTEM, again, continuous threat exposure management, as something that is very common today in lots of discussions with C-levels. But what they need to realize or understand is it's not about budget or buying more controls. They don't need more; they actually need to use what they have there. It is one way, and we are doing the remediation piece, validation piece, find the gap and then resolve it. But just to be aware that you have the controls to protect, and it's your responsibility. That's the first step.
Dave Bittner
That's Oren Koren, Veriti's co-founder and Chief Product Officer. We have a link to their State of Healthcare Cybersecurity 2025 report in our show notes.
Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this: more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com/cyber. That's vanta.com/cyber for $1,000 off.
Unknown
This episode is brought to you by Indeed. We're driven by the search for better. But when it comes to hiring, the best way to search for a candidate isn't to search at all. Don't search, match with Indeed. Use Indeed for scheduling, screening, and messaging so you can connect with candidates faster. Listeners of this show will get a $75 sponsored job credit to get your jobs more visibility at Indeed.com. Terms and conditions apply.
Dave Bittner
And finally, Meta's legal troubles have deepened as new evidence exposes the company's reliance on pirated content to train its AI models, marking a major escalation in its copyright infringement case. Unredacted court documents reveal Meta's AI team used LibGen, a notorious repository of pirated books, to train its models. The lawsuit, filed by authors including Richard Kadrey and Sarah Silverman, claims Meta knowingly leveraged stolen works. The court slammed Meta's excessive secrecy, accusing it of seeking to avoid bad PR rather than protecting business interests. Internal exchanges reveal employees' concerns over torrenting pirated data on corporate devices, and even escalations to CEO Mark Zuckerberg, who allegedly approved its use. Meta also seeded pirated files, effectively becoming a distributor of stolen material. Meta's arguments hinge on fair use, but the revelations could significantly bolster the plaintiffs' case, including potential Digital Millennium Copyright Act violations. The scandal underscores Meta's cavalier approach to intellectual property and its shaky defense against claims of exploiting shadow libraries. Move fast and pirate things.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. This episode was produced by Liz Stokes. Our mixer is Trey Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president, Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
Dave Bittner
Dave here. Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers, so I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you, with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe now at a special discount for our listeners. Today, get 20% off your DeleteMe plan when you go to joindeleteme.com/N2K and use promo code N2K at checkout. The only way to get 20% off is to go to joindeleteme.com/N2K and enter code N2K at checkout. That's joindeleteme.com/N2K, code N2K.
Host: Dave Bittner
Guest: Oren Koren, Co-founder and Chief Product Officer at Veriti
Release Date: January 16, 2025
In the January 16, 2025 episode of CyberWire Daily, host Dave Bittner delves into pressing cybersecurity issues affecting various sectors, with a special focus on healthcare cybersecurity. The episode titled "Bolstering the Digital Shield" features insightful discussions, expert analyses, and the latest updates on significant cyber incidents.
Dave Bittner opens the episode by discussing the landmark cybersecurity executive order issued by President Joe Biden just days before leaving office.
Mandates and Provisions:
Emphasis on AI Integration:
Compliance and Enforcement:
Notable Quote:
“The directive seeks to address vulnerabilities exposed by incidents like the SolarWinds hack,” said Dave Bittner at [04:15].
Bloomberg reports a significant breach by the Chinese state-sponsored group Silk Typhoon, compromising the US Treasury Department.
Details of the Breach:
Methodology:
Notable Quote:
“Investigators found no evidence of malware or long-term infiltration into classified systems,” stated Dave Bittner at [06:40].
Reuters highlights the FBI's scrutiny of Baicells Technologies, a Chinese telecom hardware firm founded by former Huawei executives.
Notable Quote:
“Critics allege Baicells is managed from China, with most equipment sourced from Chinese suppliers,” explained Dave Bittner at [08:20].
A severe flaw identified in the UEFI secure boot mechanism allows attackers to bypass protections and deploy malicious bootkits.
Notable Quote:
“This vulnerability highlights concerns over third-party UEFI security practices and Microsoft's code signing process,” noted Dave Bittner at [09:50].
STIIIZY, a cannabis brand operating in California, experienced a data breach affecting 380,000 individuals.
Breach Details:
Attack Attribution:
Notable Quote:
“STIIIZY is offering affected individuals 12 months of free credit monitoring,” reported Dave Bittner at [11:30].
The Lazarus Group, affiliated with North Korea, is intensifying its cyber campaigns targeting the software supply chain.
Operation 99:
Financial Motivation:
Notable Quote:
“Lazarus’ goal is to compromise developer workflows, steal intellectual property, and access cryptocurrency wallets,” explained Dave Bittner at [12:10].
The Federal Trade Commission (FTC) has identified significant security lapses at GoDaddy, resulting in multiple data breaches.
Notable Quote:
“The FTC alleges that GoDaddy failed to manage assets, update software, monitor security events, and segment shared hosting environments,” stated Dave Bittner at [13:40].
Veeam has patched a high-severity vulnerability in their Backup for Microsoft Azure product.
Notable Quote:
“Veeam discovered the issue during internal testing and released a patch to address it,” mentioned Dave Bittner at [14:20].
The Belsen Group has leaked sensitive data from more than 15,000 Fortinet firewalls on the Dark Web.
Notable Quote:
“The leaked data highlights ongoing risks from unpatched systems,” observed Dave Bittner at [15:05].
Oren Koren, Co-founder and Chief Product Officer at Veriti, provides an in-depth analysis of the current state of healthcare cybersecurity and the emerging challenges posed by AI integration.
Ease of Exploitation:
“They will still be a main target because in some cases it's easier to hack a hospital,” Oren Koren stated at [16:08].
Security Control Vulnerabilities:
Notable Quote:
“When we've logged into the different layers of security, everything was turned off. It's like 100% turned off,” shared Koren at [17:00].
Data Outside Organizational Boundaries:
“We are seeing so many hospitals and healthcare institutes are starting to use AI outside of their own boundaries,” explained Koren at [16:45].
Centralized Data Repositories:
Notable Quote:
“If data was stored inside the hospital... from an attacker perspective, you just need to go to the center of the data that is outside of the organization,” Koren emphasized at [17:40].
Continuous Threat Exposure Management (CTEM):
“CTEM is something everyone needs. But in healthcare, it's about scoping ourselves on what is important to protect,” Koren advised at [22:15].
Utilizing Existing Security Controls:
Adopting Cloud Security Posture Management (CSPM):
“Use the CSPM first because you've moved to the cloud and if it's an external service, external application that you use...,” Koren suggested at [23:05].
Hiring Specialized Expertise:
Notable Quote:
“They don't need more, they actually need to use what they have there,” Koren stated at [23:50].
The episode concludes with a shocking revelation about Meta's legal challenges concerning the use of pirated content to train its AI models.
Notable Quote:
“Internal exchanges reveal employee concerns over torrenting pirated data on corporate devices,” reported Dave Bittner at [26:10].
Legal Implications:
Corporate Response and Defense:
Impact on Intellectual Property Practices:
“The scandal underscores Meta's cavalier approach to intellectual property,” Bittner summarized at [27:20].
The "Bolstering the Digital Shield" episode of CyberWire Daily offers a comprehensive overview of the evolving cybersecurity landscape, highlighting critical vulnerabilities, high-profile breaches, and the intricate challenges faced by the healthcare sector. With expert insights from Oren Koren, the discussion underscores the necessity for continuous threat management, effective utilization of existing security tools, and the prudent integration of AI in sensitive environments. Additionally, the revelations about Meta's legal issues serve as a stark reminder of the ethical and legal responsibilities tech giants bear in safeguarding intellectual property.
For a more in-depth analysis, listeners are encouraged to access the full State of Healthcare Cybersecurity 2025 report available in the show notes.
Dave Bittner:
Oren Koren:
As cyber threats continue to evolve, "Bolstering the Digital Shield" emphasizes the critical need for organizations, especially within the healthcare sector, to adopt proactive and intelligent cybersecurity measures. By leveraging expert insights and staying informed about the latest vulnerabilities and breaches, stakeholders can better protect their digital assets and maintain robust security postures in an increasingly hostile digital landscape.
For more details and access to supporting reports, visit CyberWire Daily and check out the show notes accompanying this episode.