Dave Bittner
You're listening to the CyberWire Network, powered by N2K.

This episode is brought to you by Dutch Bros. Big smiles, rocking tunes and epic drinks. Dutch Bros is all about you. Choose from a variety of customizable handcrafted beverages like our Rebel Energy drinks, coffees, teas and more. Download the Dutch Bros app for a free medium drink, plus find your nearest shop, order ahead and start earning rewards. Offer valid for new app users only. Free medium drink reward upon registration. 14-day expiration. Terms apply. See dutchbros.com.

Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this: more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com/cyber. That's vanta.com/cyber for $1,000 off.

CISA urges senior government officials to enhance mobile device security. Russian state-sponsored hacker group Sandworm is targeting Ukrainian soldiers. A website bug at GPS tracking firm Hapn is exposing customer information. Multiple critical vulnerabilities have been identified in Sharp-branded routers. Ireland's Data Protection Commission fines Meta $263 million for alleged GDPR violations. Google releases an urgent Chrome security update to address four high-rated vulnerabilities. Cyber attacks on India-based organizations surged 92% year over year. Cybercriminals target Google Calendar to launch phishing attacks.
Fortinet patches a critical vulnerability in FortiWLM. Juniper Networks warns of a botnet infection targeting routers with default credentials. Our guest is Jeff Kroll, principal and practice leader of Baker Tilly's cybersecurity practice, with advice on using employee access controls to limit internal cyber threats. And when is undesirable a badge of honor?
Dave Bittner
December 19, 2024. I'm Dave Bittner and this is your CyberWire Intel Briefing. Thanks again for joining us here. It is great to have you with us.

CISA has urged senior government officials to enhance mobile device security following the Salt Typhoon breach, in which Chinese hackers accessed the phone data, messages and calls of 150 top US officials. The agency recommends using end-to-end encrypted apps and warns that all communications, government or personal, are at risk of interception or manipulation. High-profile targets included President-elect Donald Trump, Vice President Kamala Harris's staff and Senator Chuck Schumer. CISA's latest advisory emphasizes a whole-of-government effort to secure mobile ecosystems, with insights gathered from over 5 million devices across 94 agencies. The breach underscores the vulnerability of US telecom networks, with Chinese hackers reportedly maintaining access to compromised systems. The breach has escalated US-China cyber tensions, prompting discussions about banning TP-Link routers, widely used in federal operations. China in turn accuses US intelligence of cyber attacks against its tech firms, alleging the theft of sensitive data and exploitation of software vulnerabilities. The cyber standoff continues to intensify.

Russian state-sponsored hacker group Sandworm is targeting Ukrainian soldiers in a new espionage campaign. According to MilCERT-UA, the hackers create fake websites mimicking the Ukrainian military app Army+ to trick users into downloading malicious software. Army+, launched earlier this year, streamlines bureaucratic tasks for soldiers, making it a critical tool. The fake sites, hosted on Cloudflare Workers, deliver an installer crafted with NSIS. When executed, the file grants hackers hidden access to compromised systems, allowing data exfiltration via the Tor network. CERT-UA links this campaign to Sandworm.
Sandworm is known for major attacks like the 2015 power grid disruption and the 2017 NotPetya incident, and this operation underscores ongoing Russian cyber aggression targeting Ukraine's military infrastructure. Recent attacks include malware planted in messaging apps and campaigns aimed at conscripts, highlighting a persistent focus on disrupting Ukrainian forces.

A website bug at GPS tracking firm Hapn is exposing customer names, affiliations and data on over 8,600 GPS trackers, TechCrunch reports. While location data isn't included, IMEI numbers and details about the business affiliations of users are accessible through developer tools. Hapn, formerly Spytec, provides GPS tracking for vehicles and possessions and claims over 460,000 tracked devices, including Fortune 500 customers. The company has not responded to multiple outreach attempts, leaving the data exposed.

Multiple critical vulnerabilities have been identified in Sharp routers and models from NTT Docomo, SoftBank and KDDI, requiring immediate firmware updates. The most severe flaw allows remote exploitation without authentication, enabling attackers to execute commands with root privileges. Other issues include OS command injection, improper authentication and buffer overflow risks. Users should check advisories and update firmware promptly to mitigate them.

Ireland's Data Protection Commission fined Meta $263 million for alleged GDPR violations tied to a 2018 Facebook data breach affecting 29 million accounts globally. The breach, linked to a flaw in Meta's video upload system, exposed sensitive user data including locations, religions, genders, children's personal data, phone numbers and email addresses. The DPC cited Meta's failure to integrate adequate data protection measures into its systems, poor breach documentation and inadequate compliance practices.
This fine follows several others against Meta, including 1.2 billion euros in May 2023 for improper EU-US data transfers and 405 million euros in 2021 for mishandling minors' data. Meta responded by highlighting its corrective actions and commitment to user safety.

Google has released an urgent Chrome security update to address four high-rated vulnerabilities affecting over 3 billion users. The issues include type confusion, out-of-bounds memory access and use-after-free flaws in Chrome's V8 JavaScript engine and browser compositing function. Security researchers earned $75,000 in bounties for identifying these risks. Users are urged to update Chrome and restart the browser to activate protection.

Dark Reading reports that cyber attacks on India-based organizations surged 92% year over year in the third quarter of 2024, with nearly 1.2 billion attacks recorded, up from 600 million the previous year, according to Indusface. The attacks, including 377 million denial-of-service events and 215 million bot-driven API requests, are increasingly exploiting vulnerabilities in APIs and websites, fueled by AI tools like large language models. These tools lower the barrier for hackers, enabling rapid exploitation of issues like SQL injection. The banking, financial services and utilities sectors were heavily targeted, with geopolitical motives driving disruptions. Despite rising threats, only 19% of Indian companies use automated API security scanners, while over 30% of critical vulnerabilities remain unpatched after six months. With 44% of Indian businesses reporting data breaches costing over $500,000 in three years, cybersecurity is now a top priority for 61% of executives, according to PwC.

Cybercriminals are targeting Google Calendar, used by over 500 million people, to launch phishing attacks, according to Check Point Research.
Attackers exploit Google Calendar features like Google Drawings and Google Forms to send emails with malicious links that bypass traditional security filters. These links often redirect victims to fake login pages or fraudulent websites, stealing sensitive data like passwords or financial details. Over 4,000 phishing emails affecting 300 brands were detected in a recent four-week period.

Fortinet has released patches for a critical vulnerability in FortiWLM, a wireless management tool, which could allow unauthenticated remote attackers to execute arbitrary code or access sensitive files via a path traversal flaw. The issue affects multiple versions of FortiWLM, with updated versions resolving the issue. Security researcher Zach Hanley of Horizon3.ai reported the flaw, noting it could allow attackers to hijack admin sessions. Fortinet also patched a related OS command injection bug in FortiManager.

Juniper Networks warns of a botnet infection campaign targeting routers with default credentials, exploiting Mirai malware. Customers reported unusual activity on Session Smart routers, which were compromised and used in DDoS attacks. The malware scans for devices using default passwords, gains access and executes malicious commands. Juniper advises changing default credentials, using strong passwords, monitoring for unusual behavior, blocking unauthorized access with firewalls and keeping devices updated. Reimaging infected devices is the only surefire way to eliminate the threat.

Coming up after the break, Jeff Kroll from Baker Tilly's cybersecurity practice has advice on using employee access controls to limit internal cyber threats. And when is undesirable a badge of honor? Stay with us.

And now a word from our sponsor, KnowBe4. It's all connected, and we're not talking conspiracy theories. When it comes to infosec tools, effective integrations can make or break your security stack. The same should be true for security awareness training.
KnowBe4, provider of the world's largest library of security awareness training, provides a way to integrate your existing security stack tools to help you strengthen your organization's security culture. KnowBe4's SecurityCoach uses standard APIs to quickly and easily integrate with your existing security products from vendors like Microsoft, CrowdStrike and Cisco. 35 vendor integrations and counting. SecurityCoach analyzes your security stack alerts to identify events related to any risky security behavior from your users. Use this information to set up real-time coaching campaigns targeting risky users based on those events from your network, endpoint, identity or web security vendors. Then coach your users at the moment the risky behavior occurs with contextual security tips delivered via Microsoft Teams, Slack or email. Learn more at knowbe4.com/securitycoach. That's knowbe4.com/securitycoach, and we thank KnowBe4 for sponsoring our show.

The IT world used to be simpler. You only had to secure and manage environments that you controlled. Then came new technologies and new ways to work. Now employees, apps and networks are everywhere. This means poor visibility, security gaps and added risk. That's why Cloudflare created the first-ever connectivity cloud. Visit cloudflare.com to protect your business everywhere you do business.

Jeff Kroll is principal and practice leader of Baker Tilly's cybersecurity practice. I recently caught up with him for advice on using employee access controls to limit internal cyber threats.
Jeff Kroll
It's interesting. It's really a wide spectrum, but it's really an area that I think a lot of organizations don't necessarily put as much scrutiny to as they should. So really, when you think about employees, right, they're the ones who have access to almost everything in an organization, right? They're running the organization. They need access to whatever applications you have, whatever systems you have, whatever sharepoints you have. So it's usually, you know, depending on the size of organization, a lot of people and a lot of organizations, I would say, you know, put in processes to add a new user, delete a user, modify access for a user. The scrutiny that's not always there, though, is within all of those processes for changing a user's access is how much access should they have? So it's an interesting area where, you know, in my mind, employee access really goes from the day an employee shows up, or even when you're interviewing them, in some cases, all the way through to when, you know, ultimately they leave the organization. All of the bells and whistles and controls along the way of how somebody gets access, gets granted access, gets moved access, and ultimately loses access is all in that population, as well as, obviously, authentication mechanisms and, you know, how people are authenticated for what they have.
Dave Bittner
Well, let's dig into some of the details here. I mean, what would you consider to be best practices?
Jeff Kroll
Well, so, you know, real best practice is interesting because, you know, a lot of people these days are talking about zero trust environments, and people, you know, for years before that have talked about least privilege as a concept. Right. And so really, the real best practice, in my mind, is, and it's easier said than done, making sure employees only have access to the things they need to have access to, contemporaneous with when they need to have that access. Right? So I'll use health care as usually a relatively straightforward example of that. Right. Let's say you have a hospital and you have, you know, a whole bunch of nurses. Should all of the nurses have access to all the floors at any given time? Well, probably not, right? Ultimately, you figure those nurses should only have access to, you know, the floor they're working on that day. Right. Or that shift. And maybe even you narrow it down further to say, well, you have a scheduling system. Could you somehow, real time, only grant access to the floor, to the patients that nurse is working with on that floor at that given time? Sounds great in theory, right? It sounds like, well, yeah, of course, why should the nurse have access to everything? Because if somebody breaks into her account, they have access to everything. If the nurse wants to do something bad, she has access to everything. So if you can limit her access to just those patients, just that floor, just that time, all of a sudden, you've really mitigated the risk of access related to that employee. Right. The challenge with that is obviously, when you think through that, without some real heavy duty thought and automation around those things, it's really, really difficult to do. So that's why I really think, even though that, I would say, is the best practice, is to really limit people to only what they need access to to really get their job done.
You have these competing priorities, both with regards to operationalizing that and how do you make that actually work in a real life environment, and can your technology support you to be able to do that. You also have challenges sometimes just with management of an organization saying, well, that's great that you only want this nurse to work on this floor at this time, but he or she maybe gets called up to another floor, and how am I going to handle that? And it's an emergency situation. And so what happens is sometimes operationally people go to the other end of the spectrum and say, give them access to everything because we don't know what will go on. So there's kind of this interesting balance there that gets really difficult to manage.
Dave Bittner
It's really easy for me to imagine the system starting to erode as people get annoyed with it. Right. Somebody needs access to something, they can't get it, they complain, they complain loudly. And the people who are in charge kind of throw up their hands and say, okay, give this person access to this and then it never goes away. Am I speaking about a realistic peril here?
Jeff Kroll
You are spot on. That is exactly what happens. And even though people talk about reviewing access, I always say, do periodic access reviews really get to that deep level? Right. Probably not. Right. So a lot of times what we find is once access is granted, it usually persists. And you know, a lot of times the people making the decisions, I'll call it from an IT department or cybersecurity department, right, the people who are, you know, a lot of times looking to say, hey, let's limit access, let's keep it tight, they may not be as involved in the business process to always be ready to push back on some of those decisions. Right. When somebody in the business is saying, no, our people all need this access. And hey, look, yesterday we had this big problem, and that big problem was because they didn't have access. So go grant some more access. It's sometimes difficult for them, not being necessarily the experts in whatever that business process is, to be able to be like, well, wait a second, I get that happened yesterday, but that's like a once in a year event. And we could probably design some type of, you know, exception process we could work when that once in a year event happens. But because they're not necessarily in the know, to your point, somebody's screaming, somebody's mad, and all of a sudden access gets expanded beyond what is probably the ideal access.
Dave Bittner
I mean, it really strikes me that communication is a real key part of implementing this sort of thing effectively.
Jeff Kroll
Yeah, it's absolutely communication. And I think there's an element of buy in a lot of times from the, what I'll call it, the non IT professionals, the business professionals don't always have the mindset that they need to keep access really limited. And so I think that's one of the hurdles a lot of organizations need to overcome is not that they're doing something wrong by asking for the additional access, but rather helping them to understand what the potential risks are of that additional access. Right. Because we all know it's a matter of when, not if, every organization, or almost every organization as some type of cyber event, some type of breach. Right. Well, those breaches get a lot easier if the access that they get into is somebody who has their access really limited. Those breaches get a lot harder when that access is really broad.
Dave Bittner
Well, in your experience, do you have any words of wisdom here for how to strike that balance between limiting access but also limiting friction?
Jeff Kroll
You know, it's a difficult thing. I think it's really a tone at the top issue, meaning I think, you know, a cyber IT department can work with whatever procurement department. Right. They try and come to a meeting of the minds and that that can obviously happen. But what I find the best controlled organizations from a cyber perspective tend to be the ones where the boardroom cares and, you know, your C suite cares, and they set the message that they really want to be a secure organization and that then starts permeating down. That's really where it needs to come from. And really viewing it not as an IT thing, but as a business risk. Right. Cyber and access is not an IT risk, it's a business risk. And the organizations that view it as a business risk and drive it down through the organization that way, at least in my experience, tend to have a better security posture. Maybe not perfect, but a better security posture than the ones who view it. You know, that the age old saying, you know, that's an IT problem. Those are the ones that tend not to be as well secured.
Dave Bittner
What about the folks who tend to have the most access? You know, I, I would hate to be the IT person who has to report to the CEO and say you're not going to be able to access everything whenever you want to. How's that going to fly?
Jeff Kroll
Right, so that's a great question. Right. So, and we run into that a lot where some of the higher up executives start asking for more and more access. Generally speaking, not exclusively, but generally speaking, we actually view it as more of a risk when the higher ups have excessive access. Right. Because if you think about a CEO of a company, of a large organization, everybody knows the name of that CEO, and there's lots of people doing all sorts of, you know, investigation into what that person does, whether they like it or not. Right. There's lots of bad actors out there trying to glean information and figure out, you know, nuances of that CEO, ways they could potentially spoof them when they go on vacation, stuff like that. So usually the higher up you are in an organization, the less access you actually want that person to have. You actually want to take that access out of their hands and give it to somebody maybe a little lower down, obviously recognizing sometimes there's sensitive data, things like that, that you couldn't do that with. But what I call the rank and file, you know, super user type access, we usually recommend, unless there's a really good reason, don't get that in the hands of your C suite. In fact, take information access out of their hands because they're by nature a target of bad actors.
Dave Bittner
You know, every organization setting down this path has their own particular starting point here. Do you have any advice for those folks as they're heading down this path to make it as easy for everybody involved as possible?
Jeff Kroll
Yeah, the biggest advice I always have is don't try to boil the ocean. Right. There's going to be lots of applications. You're never done with reviewing access. You're never done with trying to get access to where you want it to be. A lot of organizations I do see sometimes get caught up in analysis paralysis. We have 100 applications and we need to find data owners and we need to do this, we need to do that. And while you want to have good processes across the board that are sustainable, usually it's actually better to just say, okay, if we have 100 applications, let's pick one or two, let's knock them out. Let's figure out what works for us as an organization. Get your quick wins, right? Get your quick, hey, here's where we were able to limit access, and then start working through the other hundred, right? You don't have to get everything done tomorrow. Obviously, the sooner you get it done, the better. But a lot of organizations almost bite off more than they can chew a lot of times in these access control projects. And as a result, because they bite off so much, they actually don't get anything done over a period of time, versus trying to, you know, break it into bite sized pieces and say, we're going to go deal with this department for the next three months.
Dave Bittner
That's Jeff Kroll, principal and practice leader of Baker Tilly's cybersecurity practice.

And finally, Russia has labeled cybersecurity firm Recorded Future as undesirable, a badge CEO Christopher Ahlberg cheekily dubbed a rare compliment. The Russian prosecutor general accused the firm of aiding Ukraine in offensive information operations and supporting the West's propaganda campaign. Ahlberg and team, undeterred, probably framed the notice. Recorded Future has actively supported Ukraine since Russia's full-scale invasion, providing $10 million in intelligence and cloud access, $20 million in aid in 2023 alone, and collaborating with 16 Ukrainian agencies to protect critical infrastructure and investigate war crimes. Their Insikt Group's research, often spotlighting Russian cyber antics, likely didn't win them any fans in Moscow. Interestingly, they're the first cybersecurity company to make Russia's undesirable list, typically reserved for NGOs and media. Imagine being so effective that an entire country bans you.

And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president.
Peter Kilpe is our publisher. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
CyberWire Daily: "Breached but Not Broken" – December 19, 2024
Host: Dave Bittner
Guest: Jeff Kroll, Principal and Practice Leader of Baker Tilly's Cybersecurity Practice
In this episode of CyberWire Daily, hosted by Dave Bittner, listeners are presented with a comprehensive overview of the latest developments in the cybersecurity landscape. The episode, titled "Breached but Not Broken," delves into significant security breaches, vulnerabilities, regulatory actions, and expert insights on mitigating internal cyber threats through effective employee access controls.
At the forefront of today's discussions is the Salt Typhoon breach, in which Chinese state-sponsored hackers accessed the phone data, messages, and calls of 150 top U.S. officials, including President-elect Donald Trump, Vice President Kamala Harris's staff, and Senator Chuck Schumer.
Dave Bittner reports:
"CISA's latest advisory emphasizes a whole-of-government effort to secure mobile ecosystems, with insights gathered from over 5 million devices across 94 agencies." (02:30)
The Cybersecurity and Infrastructure Security Agency (CISA) recommends the adoption of end-to-end encrypted applications and warns of the pervasive risk of communication interception and manipulation. This incident has exacerbated U.S.-China cyber tensions, leading to considerations of banning widely used TP-Link routers in federal operations. China retaliates by accusing U.S. intelligence agencies of cyberattacks targeting its tech firms.
The Russian state-sponsored hacker group Sandworm has launched a new espionage campaign targeting Ukrainian soldiers. According to MilCERT-UA, Sandworm is creating fake websites that mimic the Ukrainian military app Army+, designed to trick users into downloading malicious software.
"The fake sites, hosted on Cloudflare Workers, deliver an installer crafted with NSIS. When executed, the file grants hackers hidden access to compromised systems, allowing data exfiltration via the Tor network." (06:45)
Sandworm, infamous for the 2015 power grid disruption and the 2017 NotPetya attack, continues its relentless focus on undermining Ukraine's military capabilities through persistent cyber aggression.
A website bug at the GPS tracking firm Hapn is exposing customer names, affiliations, and data on over 8,600 GPS trackers. Although location data is not included, IMEI numbers and details about users' business affiliations are accessible through developer tools.
"Hapn, formerly Spytec, claims over 460,000 tracked devices, including those of Fortune 500 customers, but has not responded to multiple outreach attempts, leaving the data exposed." (10:15)
Security analysts have uncovered several critical vulnerabilities in Sharp routers and models from NTT Docomo, SoftBank, and KDDI. The most severe flaw allows remote exploitation without authentication, enabling attackers to execute commands with root privileges. Additional issues include OS command injection, improper authentication, and buffer overflow vulnerabilities.
"Users should check advisories and update firmware promptly to mitigate risks." (12:05)
Ireland's Data Protection Commission (DPC) has levied a hefty fine of $263 million against Meta for alleged GDPR violations linked to a 2018 Facebook data breach affecting 29 million accounts globally. The breach exposed sensitive user information, including locations, religions, genders, and contact details, due to a flaw in Meta's video upload system.
"The DPC cited Meta's failure to integrate adequate data protection measures and poor breach documentation as key factors for the fine." (14:20)
This penalty follows previous fines against Meta, including 1.2 billion euros in May 2023 for improper EU-US data transfers and 405 million euros in 2021 for mishandling minors' data.
Google has issued an urgent security update for Chrome to address four high-rated vulnerabilities affecting over 3 billion users. The issues include type confusion, out-of-bounds memory access, and use-after-free flaws in the Chrome V8 JavaScript engine and browser compositing function. Security researchers who identified these vulnerabilities were awarded a total of $75,000 in bounties.
"Users are urged to update Chrome and restart the browser to activate protection." (16:50)
Cyber attacks targeting organizations in India surged by 92% year-over-year in the third quarter of 2024, with nearly 1.2 billion attacks recorded, up from 600 million the previous year, according to Indusface. Many of these attacks exploit vulnerabilities in APIs and websites, often facilitated by AI tools such as large language models that lower the barrier for hackers.
"Only 19% of Indian companies use automated API security scanners, while over 30% of critical vulnerabilities remain unpatched after six months." (18:30)
The banking, financial services, and utilities sectors are the most heavily targeted, driven by geopolitical motives. The surge underscores the pressing need for enhanced cybersecurity measures and proactive vulnerability management.
Hackers are leveraging Google Calendar, used by over 500 million people, to launch phishing attacks, according to Check Point Research. By exploiting features like Google Drawings and Google Forms, attackers send emails containing malicious links that bypass traditional security filters, redirecting victims to fake login pages or fraudulent websites that steal sensitive information such as passwords and financial details.
"Over 4,000 phishing emails affecting 300 brands were detected in a recent four-week period." (20:10)
Fortinet has patched a critical vulnerability in FortiWLM, a wireless management tool. The flaw could allow unauthenticated remote attackers to execute arbitrary code or access sensitive files via a path traversal vulnerability; it affects multiple versions of FortiWLM, and updated versions resolve it. Fortinet also patched a related OS command injection bug in FortiManager.
"Security researcher Zach Hanley noted that the flaw could allow attackers to hijack admin sessions." (21:05)
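The bug class behind this advisory, path traversal, shown as an added example written for this page (it is not FortiWLM's code and makes no claim about how the FortiWLM flaw itself works): the unsafe join that lets a request path climb out of the served directory, beside the hardened form that resolves the path first and refuses anything outside the root. The directory layout, file names and file contents are constructed fixtures.

```python
import os
import tempfile
from pathlib import Path
from urllib.parse import unquote

# Constructed fixture (not real FortiWLM paths): a served directory holding one
# legitimate log file, and a sensitive file one level above it.
ROOT = Path(tempfile.mkdtemp())
SERVED = ROOT / "www"
(SERVED / "logs").mkdir(parents=True)
(SERVED / "logs" / "app.log").write_text("ok\n")
(ROOT / "secret.conf").write_text("admin-session-token\n")


def unsafe_path(user_path: str) -> Path:
    """The bug: os.path.join trusts the request path verbatim. A '../' segment
    climbs out of SERVED, and an absolute path makes join discard SERVED."""
    return Path(os.path.join(SERVED, user_path))


def read_unsafe(user_path: str) -> str:
    return unsafe_path(user_path).read_text()


def safe_path(user_path: str) -> Path:
    """Hardened form: resolve '..' and symlinks first, then require the result
    to still sit under the served root. Refuses instead of serving."""
    root = SERVED.resolve()
    candidate = (SERVED / user_path).resolve()
    try:
        candidate.relative_to(root)       # ValueError if candidate is outside root
    except ValueError:
        raise PermissionError(f"path escapes served root: {user_path!r}") from None
    return candidate


def decode_once(raw_request_path: str) -> str:
    """Percent-decode exactly once, before the check. Decoding a second time
    afterwards would turn '%252e%252e' into '..' only after validation."""
    return unquote(raw_request_path)


def escapes_root(raw_request_path: str) -> bool:
    """True if the hardened check would refuse this request path."""
    try:
        safe_path(decode_once(raw_request_path))
    except PermissionError:
        return True
    return False


def read_safe(raw_request_path: str) -> str:
    return safe_path(decode_once(raw_request_path)).read_text()


if __name__ == "__main__":
    print(read_unsafe("../secret.conf"))      # the traversal succeeds against the join
    print(escapes_root("../secret.conf"))     # True: the hardened check refuses it
    print(escapes_root("..%2Fsecret.conf"))   # True: encoded form, decoded once
    print(read_safe("logs/app.log"))          # ok
```

Two details matter in practice. The check runs on the resolved path, not on the string: a prefix test such as `startswith("/srv/www")` would accept `/srv/www-private`, which is why `relative_to` on resolved paths is used. And the request path is decoded exactly once before validation; a second decode after the check is the classic way a filter is bypassed.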
Juniper Networks warns of a botnet infection campaign targeting routers with default credentials, exploiting Mirai malware. The affected Session Smart routers are being used in DDoS attacks, prompting Juniper to advise immediate action to change default passwords and monitor for unusual behavior.
"Reimaging infected devices is the only surefire way to eliminate the threat." (22:00)
Guest: Jeff Kroll, Principal and Practice Leader of Baker Tilly's Cybersecurity Practice
Topic: Utilizing Employee Access Controls to Mitigate Internal Cyber Threats
Jeff Kroll emphasizes the critical role of employee access controls in safeguarding organizational assets:
"Real best practice is making sure employees only have access to the things they need to have access to, contemporaneous with when they need to have that access." (15:14)
He advocates for the principle of least privilege, ensuring that employees obtain access strictly necessary for their roles and only for the duration required.
Implementing stringent access controls is often fraught with operational challenges:
"Without some real heavy-duty thought and automation around those things, it's really, really difficult to do." (16:32)
Kroll highlights the tension between security and operational efficiency, where the need for quick access adjustments can lead to broader access privileges, undermining security protocols.
Effective communication and organizational buy-in are paramount:
"Yeah, it's absolutely communication... helping them to understand what the potential risks are of that additional access." (20:34)
Kroll suggests that executive leadership must view cybersecurity as a business risk rather than an IT issue, fostering a culture that prioritizes security across all departments.
High-ranking executives often require tailored access control strategies:
"The higher up you are in an organization, the less access you actually want that person to have." (22:53)
Kroll advises limiting the access of top executives, who are by nature targets of bad actors, recommending that super-user access be placed with someone lower in the organization, while recognizing that some sensitive data cannot be handled that way.
Kroll offers pragmatic advice for organizations embarking on access control enhancements:
"Don't try to boil the ocean... If we have 100 applications, let's pick one or two, let's knock them out... and then start working through the other hundred." (24:22)
He stresses the importance of incremental progress, focusing on achievable goals to build a sustainable and effective access control framework.
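Kroll's nurse example reduced to a policy evaluator, as an added example written for this page rather than anything from Baker Tilly: access to a patient record is allowed only while the scheduling system puts the user on that patient's floor, every exception is a time-boxed and audited break-glass grant instead of a standing one, and a review function surfaces the standing grants that have quietly persisted. The shifts, patient identifiers, user names and ticket reference are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

SAMPLE_DAY = datetime(2024, 12, 19)   # constructed: the day of the sample shift


def at(hour: int, minute: int = 0) -> datetime:
    """Clock time on the sample day, for readable requests."""
    return SAMPLE_DAY.replace(hour=hour, minute=minute)


@dataclass(frozen=True)
class Shift:
    """Scheduling-system record: who is working which floor, and when."""
    user: str
    floor: str
    start: datetime
    end: datetime


@dataclass(frozen=True)
class Grant:
    """An explicit, expiring access grant outside the schedule."""
    user: str
    resource: str          # "floor:<id>" or "patient:<id>"
    granted: datetime
    expires: datetime
    reason: str
    break_glass: bool = False


class AccessPolicy:
    """Deny by default; allow only while a shift or an unexpired grant covers
    the request. Every break-glass grant is time-boxed and audited."""

    def __init__(self, shifts, patient_floor, grants=()):
        self.shifts = list(shifts)
        self.patient_floor = dict(patient_floor)    # patient id -> floor
        self.grants = list(grants)
        self.audit = []                              # (when, user, patient, reason)

    def on_shift(self, user, floor, now):
        return any(s.user == user and s.floor == floor and s.start <= now < s.end
                   for s in self.shifts)

    def allowed(self, user, patient, now):
        floor = self.patient_floor.get(patient)
        if floor is None:                  # unknown patient: deny, never guess
            return False
        if self.on_shift(user, floor, now):
            return True
        covering = {f"floor:{floor}", f"patient:{patient}"}
        return any(g.user == user and g.resource in covering
                   and g.granted <= now < g.expires for g in self.grants)

    def break_glass(self, user, patient, now, reason, ttl=timedelta(minutes=30)):
        """The exception process for the rare emergency: one patient, a short
        window, and a reason recorded for after-the-fact review."""
        grant = Grant(user, f"patient:{patient}", now, now + ttl, reason, break_glass=True)
        self.grants.append(grant)
        self.audit.append((now, user, patient, reason))
        return grant

    def stale_grants(self, now, max_age=timedelta(days=90)):
        """Standing grants still live after max_age: the 'once granted, it
        persists' population a periodic access review should start from."""
        return [g for g in self.grants
                if not g.break_glass and now < g.expires and now - g.granted > max_age]


def build_sample_policy():
    """Constructed sample data, not taken from any real hospital system."""
    shifts = [Shift("alice", "3", at(7), at(19))]
    patient_floor = {"P-101": "3", "P-202": "4"}
    # A standing grant from January that nobody ever revoked.
    grants = [Grant("bob", "floor:4", datetime(2024, 1, 8), datetime(2099, 1, 1),
                    reason="ticket 4411: temporary cover")]
    return AccessPolicy(shifts, patient_floor, grants)


if __name__ == "__main__":
    policy = build_sample_policy()
    print(policy.allowed("alice", "P-101", at(10)))        # True: on shift, her floor
    print(policy.allowed("alice", "P-202", at(10)))        # False: patient on another floor
    policy.break_glass("alice", "P-202", at(10), "code blue on floor 4")
    print(policy.allowed("alice", "P-202", at(10, 5)))     # True: inside the 30-minute window
    print(policy.allowed("alice", "P-202", at(10, 45)))    # False: the window has closed
    print([g.user for g in policy.stale_grants(at(10))])   # ['bob']
```

The shape is the point: the schedule is the source of truth, so nobody has to remember to revoke a nurse's floor access when the shift ends; the emergency path grants the narrowest resource for the shortest time and leaves an audit row, so the once-a-year event never becomes a permanent expansion; and the review starts from the grants that are still live, which is the list a periodic access review usually fails to reach.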
In a notable development, Russia has designated cybersecurity firm Recorded Future as "undesirable," a label typically reserved for NGOs and media organizations; Recorded Future is the first cybersecurity company to receive it. CEO Christopher Ahlberg called the move a "rare compliment." The Russian prosecutor general accused the firm of aiding Ukraine in offensive information operations and supporting Western propaganda. Recorded Future has actively supported Ukraine since Russia's full-scale invasion, providing intelligence, cloud access and aid, and collaborating with 16 Ukrainian agencies to protect critical infrastructure and investigate war crimes.
"Imagine being so effective that an entire country bans you." (28:31)
This designation underscores the geopolitical ramifications of cybersecurity operations and the pivotal role of intelligence firms in modern conflicts.
"Breached but Not Broken" provides a thorough examination of the current cybersecurity threats and strategic measures necessary to combat them. From high-profile breaches and regulatory actions to expert insights on internal threat mitigation, this episode equips listeners with valuable knowledge to navigate the evolving digital threat landscape.
For more information and comprehensive coverage of today's stories, visit CyberWire Daily or subscribe to our daily briefing.