Gianna Whitver
You're listening to the CyberWire Network, powered by N2K. Gianna Whitver here, co-host of the Breaking Through in Cybersecurity Marketing podcast on the N2K CyberWire Network, here to interrupt your Thanksgiving break with just one little ad. We are hosting Cyber Marketing Con, a conference for marketers and go-to-market in the business side of cybersecurity, this December 8th through 11th in the beautiful city of Philadelphia, Pennsylvania, and also virtually. Get your ticket at cybermarketingconference.com or through our main website, cybersecuritymarketingsociety.com.
Dave Bittner
Hey everybody, Dave here. I want to talk about our sponsor, LegalZoom. You know, I started my first business back in the early 90s, and oh, what I would have done to have been able to have the services of an organization like LegalZoom back then. Just getting all of those business ducks in a row, all of that technical stuff, the legal stuff, the registrations of the business, the taxes, all of those things that you need to go through when you're starting a business, the hard stuff, the stuff that sucks up your time when you just want to get that business launched and out there. Well, LegalZoom has everything you need to launch, run and protect your business all in one place, and they save you from wasting hours making sense of all that legal stuff. Launch, run and protect your business. To make it official today at legalzoom.com, you can use promo code CYBER10 to get 10% off any LegalZoom business information product, excluding subscriptions and renewals; that expires at the end of this year. Get everything you need from setup to success at legalzoom.com and use promo code CYBER10. That's legalzoom.com and promo code CYBER10. LegalZoom provides access to independent attorneys and self-service tools. LegalZoom is not a law firm and does not provide legal advice, except where authorized through its subsidiary law firm, LZ Legal Services LLC.
Maria Varmazis
APT28 uses a novel technique to breach organizations via nearby Wi-Fi networks. Your Apple ID is not suspended. The UK highlights Russian threats at the NATO Cyber Defense Conference. US senators request an audit of TSA's facial recognition technology. A supply chain software company sustains a ransomware attack. A critical QNAP vulnerability could allow remote code execution. An outdated Avast anti-rootkit driver is exploited. No more Internet rabbit holes for China. Our guest is Lesley Carhart from Dragos on the shifting landscape of OT incident response. And Stop & Shop turns a cyber oops into coffee and cookies.

Today is November 25, 2024. I'm Maria Varmazis, host of the T-Minus Space Daily podcast, in for Dave Bittner, and this is your CyberWire intel briefing.

In early 2022, cybersecurity firm Volexity uncovered a sophisticated cyber espionage operation by the Russian group APT28, also known as Fancy Bear. This operation, termed the Nearest Neighbor Attack, involved the group compromising multiple organizations in close physical proximity to their primary target, referred to as Organization A. After obtaining valid credentials through password spraying attacks, the attackers faced multifactor authentication barriers on Organization A's public-facing services. So to circumvent this, they infiltrated a neighboring entity, Organization B, and exploited a dual-homed system connected via Ethernet and Wi-Fi. By leveraging the system's Wi-Fi adapter, they accessed Organization A's enterprise Wi-Fi network, effectively bridging the gap without physical presence. Further investigation revealed that the attackers had also compromised a third nearby organization, Organization C, using similar tactics, and this method allowed APT28 to infiltrate their target's network remotely, highlighting the need for robust Wi-Fi security measures and vigilance against such innovative attack vectors.

As Black Friday approaches, scammers are out there looking for every angle to get into your wallet.
A recent phishing scam is targeting Apple users with emails falsely claiming that their Apple ID has been suspended. This attack is highly believable, and in a time when consumers are out there feeling that time is short to get their best deal, they may be tricked into action. These deceptive messages aim to deceive recipients into providing personal information or clicking malicious links. Apple warns that users need to protect themselves and be cautious of unsolicited emails, especially those requesting sensitive data or urging immediate action. Always verify the authenticity of such communications by contacting Apple directly through official channels.

On November 25, 2024, UK Cabinet Office Minister Pat McFadden addressed the NATO Cyber Defense Conference in London, highlighting the escalating cyber threats posed by Russia. He emphasized that Russian cyber criminals are increasingly targeting nations supporting Ukraine, utilizing advanced technologies like artificial intelligence to enhance their attacks. To counter these threats, McFadden announced the establishment of the Laboratory for AI Security Research, backed by an initial 8.22 million pound investment. This initiative aims to develop sophisticated cyber defense tools and to promote intelligence sharing amongst NATO allies. McFadden underscored the necessity for NATO and its members to remain vigilant and proactive in the evolving AI arms race, ensuring robust defenses against potential cyberattacks on critical infrastructure.

A bipartisan group of US senators last week sent a letter to the Department of Homeland Security's Inspector General requesting an audit of the Transportation Security Administration's, or TSA's, use of facial recognition technology. According to The Record:
The letter stated that this technology will soon be in use in hundreds of major and mid-sized airports without an independent evaluation of the technology's precision or an audit of whether there are sufficient safeguards in place to protect passenger privacy. TSA has not provided Congress with evidence that facial recognition technology is necessary to catch fraudulent documents, decrease wait times at security checkpoints or stop terrorists from boarding airplanes. The senators added that this program could become one of the largest federal surveillance databases overnight without authorization from Congress. The letter asks DHS Inspector General Joseph Cuffari to thoroughly evaluate TSA's facial recognition program and report his findings to Congress before it becomes the default form of passenger verification at security checkpoints.

US-based supply chain management software company Blue Yonder sustained a ransomware attack last week, disrupting its services to several grocery store chains in the United States and United Kingdom. Morrisons and Sainsbury's supermarkets in the UK have both confirmed outages related to the incident, and this incident led to challenges in the flow of goods to stores. Blue Yonder's Azure public cloud services remained unaffected. The company is collaborating with external cybersecurity experts to investigate and recover from the attack, implementing defensive and forensic protocols to safeguard its systems. As of November 24, Blue Yonder reported continued progress in restoration efforts, but has not provided a definitive timeline for full recovery.

A critical vulnerability has been identified in QNAP's network attached storage, or NAS, devices, potentially allowing attackers to execute remote code. This flaw, designated as CVE-2024-27130, stems from a stack buffer overflow in the No_Support_ACL function within the share.cgi script.
Exploitation requires the attacker to obtain a valid ssid parameter, typically generated when a NAS user shares a file. QNAP has addressed this issue in QTS 5.1.7.2770 build 20240520 and later and QuTS hero h5.1.7.2770 build 20240520 and later. Users are strongly advised to update their systems promptly to mitigate potential risks.

Recent cybersecurity investigations have uncovered a malicious campaign exploiting a legitimate but outdated Avast anti-rootkit driver to disable security defenses on targeted systems. This technique, known as bring your own vulnerable driver, or BYOVD, involves attackers deploying the illegitimate aswArPot.sys driver, which contains known vulnerabilities, to gain kernel-level access. Once installed, the driver allows the malware to terminate processes and disable security products, effectively evading detection. This method has been observed in various malware campaigns, including those involving the AvosLocker ransomware, highlighting the persistent threat posed by the exploitation of vulnerable drivers.

China's Cyberspace Administration, or CAC, has initiated a campaign to regulate Internet algorithms, aiming to curb practices that create, and I quote, "information cocoons," or echo chambers that limit diverse content exposure. The CAC mandates that tech companies prevent the dissemination of homogenous content and enhance transparency in content ranking algorithms. Additionally, the use of algorithms for discriminatory pricing in e-commerce is prohibited, requiring platforms to avoid price differentiation based on user demographics. Companies have until the end of the year to comply, with assessments beginning in January.

Coming up on the guest segment, Dragos Technical Director Lesley Carhart spoke with Dave Bittner about the shifting landscape of OT incident response. We'll be right back.
Dave Bittner
And now a word from our sponsor, KnowBe4. It's all connected, and we're not talking conspiracy theories. When it comes to infosec tools, effective integrations can make or break your security stack. The same should be true for security awareness training. KnowBe4, provider of the world's largest library of security awareness training, provides a way to integrate your existing security stack tools to help you strengthen your organization's security culture. KnowBe4's SecurityCoach uses standard APIs to quickly and easily integrate with your existing security products from vendors like Microsoft, CrowdStrike and Cisco. 35 vendor integrations and counting. SecurityCoach analyzes your security stack alerts to identify events related to any risky security behavior from your users. Use this information to set up real-time coaching campaigns targeting risky users based on those events from your network, endpoint, identity or web security vendors. Then coach your users at the moment the risky behavior occurs with contextual security tips delivered via Microsoft Teams, Slack or email. Learn more at knowbe4.com/securitycoach. That's knowbe4.com/securitycoach, and we thank KnowBe4 for sponsoring our show.

Imagine this: your primary identity provider goes down. Whether it's a cloud outage, network issue or even a cyber attack, suddenly your business grinds to a halt. But what if it didn't have to? Meet Identity Continuity from Strata, the game-changing solution that keeps your business running smoothly no matter what. Whether your cloud IDP crashes or your on-prem system faces a hiccup, Identity Continuity seamlessly shifts authentication to a secondary or even tertiary IDP automatically and without disruption. Powered by the Maverics Identity Orchestration platform, Identity Continuity uses smart health checks to monitor your IDPs' availability and instantly activates failover strategies tailored to your needs. When the coast is clear, it's a seamless switchback.
No more downtime, no lost revenue, no frustrated customers, just continuous, secure access to your critical applications every single time. Protect your business from the high costs of IDP outages. With Identity Continuity from Strata, downtime is a thing of the past. Visit strata.io/cyberwire to learn how Strata's Identity Continuity can provide seamless enhanced capabilities to your existing identity fabric, and receive a free set of AirPods Pro.
Maria Varmazis
Dragos Technical Director Lesley Carhart spoke with Dave Bittner about the shifting landscape of OT incident response.
Lesley Carhart
I have found it very, very interesting to see what types of cases we get at Dragos. We are kind of pathfinders in the space of doing exclusively industrial or OT incident response to cybersecurity incidents. And since nobody's ever really done that as a dedicated corporate practice. There's some other organizations that do it to some extent, they have a couple people who do it, but that's all we do as an incident response business. So nobody really knew what to expect in terms of the types of calls, the depth of those calls that we would get. And I've been at Dragos for about seven years now, and it's been really fascinating to see that landscape evolve and see what our metrics actually look like in terms of the types of cases that we get. And it's definitely different than enterprise incident response firms. It's certainly different types of cases, and they tend to give you a little bit of an indication of where the maturity of the industry is and what people are interested in.
Dave Bittner
Well, let's dig into that. I mean, what are some of the unique challenges that you and your colleagues face there when it comes to responding to incidents in OT environments compared to a typical IT environment?
Lesley Carhart
So there's a couple different things to consider. First of all, everything is kinetic, consequence-based in cybersecurity and OT. What I mean by that is the result of somebody doing something malicious to equipment, or you making a mistake as a cybersecurity professional, isn't just ones and zeros. It's potentially somebody getting hurt, somebody dying, the environment being contaminated, critical services being unavailable to the public. So very clear real-life consequences. Everything that we have to do in terms of cybersecurity defense and incident response even has to come down to what avoids those consequences. What is the risk decision that we make during the response process to get things up and running in a safe way where we won't see those consequences? And how do we do our practice, how do we do forensics, how do we do restoration of systems or even containment of systems in a way that doesn't cause worse consequences than an adversary? So that's one thing, is that focus on process consequences over anything else. And then there's logistical hurdles as well. So we're dealing with a lot of legacy stuff. I see Windows NT, Windows 95, Windows XP on a regular basis in my job, and I have to deal with those systems. And if you go to forensic school today, you're not really typically learning how to work with 30-year-old systems. So it's hard to train people, it's hard to get tools and equipment and anti-malware that work on those systems. And they oftentimes just can't be replaced in the near term because, again, process consequences: those systems are warrantied to work in a safe way as a single unified unit. And if you start replacing parts, upgrading operating systems, you can again cause that catastrophic consequence. So oftentimes we have to work around those legacy systems and figure out ways to do fair forensics safely on them. And finally, there's just different people and logistics involved in getting to these facilities.
We're talking about sometimes very remote industrial facilities, things that aren't easy to access, places where there are safety considerations. You need specialized safety training and equipment to get onto them or to visit those facilities and work in them. And that makes it a very, very different challenge. But back to the tooling. Another thing to expect if you're getting into this space is that we don't have a suite of modern security tools in a lot of cases. If you're doing enterprise incident response, you have all these logistical things you have to think about in a normal business, but nowhere near the level of the safety considerations and process considerations you've got in the operational environments. But also, on top of that, you've got a technology suite of modern security tools. In most enterprise environments you're talking about Windows 10, Windows 11, modern server versions, modern versions of Linux, and you have things like EDR, XDR, next-generation firewalls, which are great, I love them, but we see very few of them in those legacy sensitive environments. So again, we have to do cybersecurity with much more jury-rigged and creative tools to deal with not having modern security tooling, but yet dealing with modern adversaries.
Dave Bittner
Well, how do you monitor those boundaries between the IT and OT systems? I'm thinking, especially as things continue to...
Lesley Carhart
...get more complex, and they're getting more connected, so we're seeing convergence of technologies. So there's a lot more Cisco and Windows and Linux in those environments than there used to be, because it's cheap and it's easy to replace, it's easy to support. And so you've got that to deal with. And then the connectivity of these environments has changed over time. So we've seen more connections for remote access, more connections for telemetry, and just integration of devices for efficiency. So a lot of things that used to be connected to a few things via, say, serial connections are now connected to vast process network SCADA systems using Ethernet. So you've got these very sensitive, very critical industrial protocols, and they're traversing modern networking equipment. And sometimes they're connected to the Internet, sometimes they're connected to remote access services. Now sometimes they're connected through a DMZ into the enterprise network. They're very, very rarely air-gapped. That's something I see maybe a couple times a year in real practical effect. So, controlling. I often use the analogy of an M&M for these, for these networks. I'd like to see them be a crispy candy outside around that gooey candy center. The devices inside most of these industrial networks are insecure and vulnerable by design. I see a lot of talk about PLCs being vulnerable. Yeah, they're simple computers. They're going to be relatively vulnerable. There's practically no encryption in industrial protocols for a reason. It has to be efficient and reliable. So inside that industrial equipment network, yeah, things are pretty vulnerable. What you try to do is you try to monitor it well and you try to isolate and architect security measures around those segments of the network so that you can control ingress and egress. That's really, really important.
As we see more vendors and third parties and even organizations themselves putting in Internet connections, cloud connections, remote access, sometimes multiple forms of remote access, it becomes very hard to restrict that boundary. And that's where we see a lot of intrusions coming from.
Dave Bittner
How do you evaluate the current maturity level of folks within the industrial sectors? Are there specific verticals that are either leading or lagging when it comes to OT cybersecurity?
Lesley Carhart
Yes, absolutely. It depends a lot, directly, on funding and legislation, regulation and resources available to those verticals. It's quite clear in most cases. Overall, industries like oil and gas have a lot of money and they can spend a lot of money. They're motivated to by financial reasons. They can spend a lot of money on large cybersecurity programs and a lot of new technology and updating their systems. But if you look at industries like manufacturing, where there's a very small margin to make profit, you cannot spend that kind of money on your cybersecurity program, and you don't necessarily have the regulatory or legislative motivation to do so as well. And then you look at things like small municipal utilities. When you talk about your local water or sewage utility, usually there's maybe like one or two IT people, much less any cybersecurity staff. And those people are responsible for securing that entire utility on whatever budget their local municipality chooses to give them. So there's vast discrepancies between, in various countries that varies, of course, by what's public and private. But for the most part, there's vast discrepancies between different organization sizes and different organization verticals.
Dave Bittner
When we're talking about business continuity and risk management, do you have any words of wisdom in terms of, like, what are some of the most effective steps that OT focused companies can take to prepare themselves for cyber incidents?
Lesley Carhart
Yeah. So to prevent and deal with, to deal with the cybersecurity threats overall. There is a white paper that was released through SANS called the Critical Controls for Industrial Cybersecurity, the Five Critical Controls for Industrial Cybersecurity. And I recommend that anybody who's working in that space go download that paper. It's not marketing, it's not sales. It's very, very practical advice. And it breaks things down into things like building strong architecture, like I talked about, that crispy candy outside with the gooey candy center. And they also talk about monitoring your environment. I will never get calls until something is catastrophically broken unless there's some monitoring in place, unless somebody's actually doing some type of threat detection. Things have gone pretty far if I get a call and organizations didn't have a way to detect any threats. They also talk about remote access. And remote access is a pivotal piece to these modern networks. In a lot of networks, I find eight, nine different remote access methods into them when they think they have one, and that's a really big deal. That's a really hard problem to get a handle on. They talk about vulnerability management, and, well, I mentioned that a lot of industrial devices are vulnerable by design. It's important to know where those vulnerabilities exist so you can build controls and monitoring around them. But more relevantly, you really need to be on top of that crispy candy outside. You need to understand the security, or lack of security, of your perimeter devices. If those are vulnerable and somebody gets in, because there is a new exploit out there and you haven't patched in time, there's not going to be many defensive measures inside the industrial network. You really have to protect that outside of your network. So the final thing that they talk about, though, is incident response planning and preparation.
You should have some kind of incident response plan for your industrial networks, your industrial segments of your business, for cybersecurity incidents. And I know a lot of people are like, we're a tiny water utility and we don't have the resources to plan for things. The plan can be: we know who we're going to call for help, and we know that there's an SLA there and they will actually help us, and this is how we'll preserve some evidence for them. It could be like a page like that, and they would be better off than a lot of the organizations I deal with, where people are in tears. It's catastrophic. Things have already gone very wrong, and they had no way to even get help because they had no plan at all. If you can have a detailed, sophisticated plan and be able to do forensics and monitoring and logistics, that's wonderful. That's fantastic. But you have to have some kind of plan, even a fundamental plan of what you're going to do. Because I'll tell you, I do this for a living. This is what I do every single week, day in and day out. I respond to incidents in industrial networks. And there is no organization that's too big or too small or too uninteresting or in a vertical nobody cares about. It just happens across the board. It happens to anyone and everyone. And you need to have a plan. It's nothing against you. You need to commit at least a few hours to thinking about, if you, say, had ransomware in your industrial environment, who would you call, and would they pick up the phone?
Maria Varmazis
You can find a link to the blog that Lesley discussed in our show notes.
Dave Bittner
The IT world used to be simpler. You only had to secure and manage environments that you controlled. Then came new technologies and new ways to work. Now employees, apps and networks are everywhere. This means poor visibility, security gaps, and added risk. That's why Cloudflare created the first ever connectivity cloud. Visit cloudflare.com to protect your business everywhere you do business.
Maria Varmazis
And finally, after a recent cybersecurity hiccup left Stop & Shop shelves emptier than a diet soda can, the grocery chain has bounced back and offered free coffee and sweet treats to customers in Connecticut, Massachusetts and Rhode Island. This gesture was their way of saying thanks for sticking with us through the tech turbulence. So if you were in the area over the weekend and happened to swing by between 10am and 3pm over the Thanksgiving shopping holiday weekend, I hope you got a chance to grab a complimentary pick-me-up.

And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Also, please fill out the survey in the show notes or send an email to cyberwire@n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your teams smarter. Learn how at n2k.com.

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president, Peter Kilpe is our publisher, and I'm Maria Varmazis in for Dave Bittner. Thanks for listening. We'll see you tomorrow.
Dave Bittner
And now a word from our sponsor, NordPass. NordPass is an advanced password manager from the team behind NordVPN, designed to help keep your business safe from data leaks and cyber threats. It gives your IT professionals control over who has access to your company's data and makes it easy for everyone else on your team to use strong passwords. Right now you can go to nordpass.com/cyberwire for 35% off the NordPass Business yearly plan. Don't miss out on that.
Title: Novel Attacks and Creative Phishing Angles
Host/Author: N2K Networks
Release Date: November 25, 2024
In this episode of CyberWire Daily, hosted by N2K Networks, the focus is on the latest developments in cybersecurity, highlighting novel attack methods and innovative phishing strategies. The episode delves into sophisticated cyber espionage tactics, emerging phishing scams targeting consumers, significant discussions from international cyber defense conferences, critical vulnerabilities in widely-used software, and a comprehensive interview with Lesley Carhart from Dragos on the evolving landscape of Operational Technology (OT) incident response.
A significant segment of the episode covers a complex cyber espionage operation uncovered by Volexity in early 2022, executed by the Russian cyber group APT28, also known as Fancy Bear. The attackers obtained credentials by password spraying, were blocked by MFA on the target's public-facing services, and instead compromised a dual-homed (Ethernet plus Wi-Fi) host in a neighboring organization to join the target's enterprise Wi-Fi network from across the street.
Notable Quote:
“They infiltrated their target's network remotely, highlighting the need for robust WiFi security measures and vigilance against such innovative attack vectors.”
— Maria Varmazis, 05:15
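The Nearest Neighbor story above turns on two things a defender can inventory: a host that has a wired link and an associated Wi-Fi radio at the same time, and a Wi-Fi interface joined to something other than the organization's 802.1X enterprise network. The following script is an added example, not code from the episode or from Volexity's report. It parses the text that `netsh wlan show interfaces` prints on a Windows host (the captures below are constructed), combines it with a per-host count of wired adapters that have link (assumed to come from the same collection job), and flags both conditions. The SSID `Corp-8021X`, the hostnames and the neighbor network name are all assumptions for the example.

```python
"""Spot hosts that bridge a wired LAN and a Wi-Fi network.

Added example; not from the episode or from Volexity's report. Parses the
output of `netsh wlan show interfaces` collected from each Windows host
(samples below are constructed) and flags dual-homed hosts and Wi-Fi
interfaces that are not on the approved enterprise network.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumptions for the example: the enterprise SSID and acceptable auth modes.
APPROVED_SSIDS = {"Corp-8021X"}
ENTERPRISE_AUTH = {"WPA2-Enterprise", "WPA3-Enterprise"}

# netsh prints one "Key : Value" pair per line; keys contain letters, spaces, ().
KEY_VALUE = re.compile(r"^([A-Za-z][A-Za-z ()]*?)\s*:\s*(.*)$")


@dataclass
class WlanInterface:
    name: str = ""
    state: str = ""
    ssid: str = ""
    authentication: str = ""


def parse_netsh_interfaces(text: str) -> list[WlanInterface]:
    """Parse the blocks of `netsh wlan show interfaces`.

    A new block starts at each 'Name' line; lines without a colon (such as
    the wrapped 'Software On' radio status) are ignored.
    """
    interfaces: list[WlanInterface] = []
    current = None
    for raw in text.splitlines():
        match = KEY_VALUE.match(raw.strip())
        if not match:
            continue
        key, value = match.group(1).strip().lower(), match.group(2).strip()
        if key == "name":
            current = WlanInterface(name=value)
            interfaces.append(current)
        elif current is not None and key in ("state", "ssid", "authentication"):
            setattr(current, key, value)
    return interfaces


def assess_host(host: str, netsh_output: str, wired_links_up: int) -> list[tuple[str, str]]:
    """Return (kind, detail) findings for one host."""
    findings: list[tuple[str, str]] = []
    for iface in parse_netsh_interfaces(netsh_output):
        if iface.state.lower() != "connected":
            continue  # a disconnected radio cannot bridge anything
        if wired_links_up > 0:
            findings.append(("dual-homed",
                             f"{host}: {iface.name} on '{iface.ssid}' with {wired_links_up} wired link(s) up"))
        if iface.ssid not in APPROVED_SSIDS:
            findings.append(("unapproved-ssid", f"{host}: {iface.name} joined '{iface.ssid}'"))
        if iface.authentication not in ENTERPRISE_AUTH:
            findings.append(("non-enterprise-auth",
                             f"{host}: '{iface.ssid}' uses {iface.authentication or 'unknown'}"))
    return findings


# Constructed `netsh wlan show interfaces` captures for three hosts.
SAMPLE_NETSH = {
    "WS-FINANCE-07": """\
There is 1 interface on the system:

    Name                   : Wi-Fi
    Description            : Intel(R) Wi-Fi 6 AX201 160MHz
    Physical address       : 00:11:22:33:44:55
    State                  : connected
    SSID                   : Corp-8021X
    Authentication         : WPA2-Enterprise
    Cipher                 : CCMP
    Profile                : Corp-8021X

    Hosted network status  : Not available
""",
    "LAPTOP-12": """\
    Name                   : Wi-Fi
    State                  : connected
    SSID                   : NeighborCo-Guest
    Authentication         : WPA2-Personal
    Profile                : NeighborCo-Guest
""",
    "WS-OPS-03": """\
    Name                   : Wi-Fi
    State                  : disconnected
    Radio status           : Hardware On
                             Software On
""",
}
# Constructed count of wired adapters with link per host (e.g. from Get-NetAdapter).
SAMPLE_WIRED_LINKS = {"WS-FINANCE-07": 1, "LAPTOP-12": 0, "WS-OPS-03": 1}


def run_sample() -> dict[str, list[str]]:
    """Assess the constructed fleet; returns host -> finding kinds."""
    return {host: [kind for kind, _ in assess_host(host, text, SAMPLE_WIRED_LINKS[host])]
            for host, text in SAMPLE_NETSH.items()}


if __name__ == "__main__":
    for host, text in SAMPLE_NETSH.items():
        for kind, detail in assess_host(host, text, SAMPLE_WIRED_LINKS[host]):
            print(f"[{kind}] {detail}")
```

The dual-homed finding is the one that matters for this attack: a host bridging a cable and a radio is a way into the wired network for anyone who can reach the radio, whichever SSID it happens to be on. The fix that falls out of it is the same one Volexity's write-up points to, namely disabling Wi-Fi on wired desktops and putting the enterprise SSID behind the same MFA and conditional access as the public-facing services.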
As Black Friday approaches, cybercriminals are ramping up phishing attacks to exploit consumer frenzy.
Notable Quote:
“Always verify the authenticity of such communications by contacting Apple directly through official channels.”
— Maria Varmazis, 07:45
UK Cabinet Office Minister Pat McFadden addressed the NATO Cyber Defense Conference in London, emphasizing the escalating cyber threats from Russia.
Notable Quote:
“Ensuring robust defenses against potential cyberattacks on critical infrastructure is paramount in the evolving AI arms race.”
— Pat McFadden, 10:20
A bipartisan group of US Senators has requested an audit of the Transportation Security Administration’s (TSA) use of facial recognition technology.
Notable Quote:
“This program could become one of the largest federal surveillance databases overnight without authorization from Congress.”
— US Senators, 12:05
US-based supply chain management software company Blue Yonder suffered a ransomware attack, disrupting services to major grocery chains in the US and UK.
The episode highlights two significant vulnerabilities affecting widely-used software platforms.
QNAP Vulnerability (CVE-2024-27130): a stack buffer overflow in the No_Support_ACL function within the share.cgi script could allow remote code execution; exploitation requires a valid ssid parameter, the kind generated when a NAS user shares a file. Fixed in QTS 5.1.7.2770 build 20240520 and QuTS hero h5.1.7.2770 build 20240520 and later.
Avast Anti-Rootkit Driver Exploit: attackers deploy the legitimate but outdated aswArPot.sys driver from Avast's anti-rootkit software to gain kernel-level access (bring your own vulnerable driver, BYOVD), then use it to terminate security processes.
Notable Quote:
“Attackers deploying the illegitimate aswArPot.sys driver allows malware to terminate processes and disable security products, effectively evading detection.”
— Maria Varmazis, 15:40
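The BYOVD item above is worth a concrete detection, because the driver involved is genuinely signed by its vendor, so a signature check alone will wave it through. The script below is an added example, not code from the episode or from the research it reports. It walks Sysmon Event ID 6 (DriverLoad) records as a SIEM would hand them over, already split into fields, and raises when a driver's file name or SHA256 is on a vulnerable-driver list, or when any driver is loaded from outside the Windows driver directories. The records, the hash values and the blocklist contents are constructed placeholders; a real deployment would seed the lists from a curated source such as the LOLDrivers project or Microsoft's vulnerable driver blocklist.

```python
"""Flag bring-your-own-vulnerable-driver (BYOVD) loads in Sysmon data.

Added example; not from the episode or the research it reports. Evaluates
Sysmon Event ID 6 (DriverLoad) records. Events, hashes and list contents
below are constructed placeholders.
"""
from __future__ import annotations

from dataclasses import dataclass

# Assumption: seeded from a curated vulnerable-driver list. The hash is a
# placeholder, not the real hash of any aswArPot.sys build.
VULNERABLE_DRIVER_NAMES = {"aswarpot.sys"}
VULNERABLE_DRIVER_SHA256 = {"0" * 63 + "1"}
# Legitimate drivers live here; BYOVD tooling usually drops its copy elsewhere.
TRUSTED_DRIVER_DIRS = ("c:/windows/system32/drivers/", "c:/windows/system32/driverstore/")


@dataclass(frozen=True)
class Alert:
    image: str
    reason: str


def parse_hashes(field: str) -> dict[str, str]:
    """Sysmon writes hashes as 'ALG=HEX,ALG=HEX'; return {ALG: hex}."""
    out: dict[str, str] = {}
    for part in field.split(","):
        if "=" in part:
            alg, hexval = part.split("=", 1)
            out[alg.strip().upper()] = hexval.strip().lower()
    return out


def normalize_path(path: str) -> str:
    """Case-fold and use forward slashes so prefix checks are stable."""
    return path.replace("\\", "/").lower()


def assess_driver_load(event: dict[str, str]) -> list[Alert]:
    """Evaluate one Event ID 6 record.

    A valid signature is deliberately not treated as exculpatory: the whole
    point of BYOVD is that the driver really is signed by its vendor. The
    hash check catches a renamed copy that the name check would miss.
    """
    image = normalize_path(event.get("ImageLoaded", ""))
    name = image.rsplit("/", 1)[-1]
    hashes = parse_hashes(event.get("Hashes", ""))
    alerts: list[Alert] = []
    if name in VULNERABLE_DRIVER_NAMES:
        alerts.append(Alert(image, "known vulnerable driver name"))
    if hashes.get("SHA256") in VULNERABLE_DRIVER_SHA256:
        alerts.append(Alert(image, "known vulnerable driver hash"))
    if not image.startswith(TRUSTED_DRIVER_DIRS):
        alerts.append(Alert(image, "loaded from outside the driver directories"))
    if event.get("Signed", "").lower() != "true" or event.get("SignatureStatus") != "Valid":
        alerts.append(Alert(image, "unsigned or invalid signature"))
    return alerts


# Constructed Sysmon Event ID 6 records (field names as Sysmon emits them).
SAMPLE_EVENTS = [
    {"UtcTime": "2024-11-20 09:12:44.101",
     "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Hashes": "SHA256=" + "a" * 64,
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"UtcTime": "2024-11-20 09:13:02.550",
     "ImageLoaded": r"C:\ProgramData\Updater\aswArPot.sys",
     "Hashes": "SHA256=" + "0" * 63 + "1",
     "Signed": "true", "Signature": "Avast Software", "SignatureStatus": "Valid"},
    {"UtcTime": "2024-11-20 09:13:02.812",
     "ImageLoaded": r"C:\Users\Public\ntfs_helper.sys",   # renamed copy
     "Hashes": "SHA256=" + "0" * 63 + "1",
     "Signed": "true", "Signature": "Avast Software", "SignatureStatus": "Valid"},
]


def run_sample() -> dict[str, list[str]]:
    """Assess the constructed events; returns normalized image path -> reasons."""
    return {normalize_path(e["ImageLoaded"]): [a.reason for a in assess_driver_load(e)]
            for e in SAMPLE_EVENTS}


if __name__ == "__main__":
    for image, reasons in run_sample().items():
        print(image, "->", reasons or "clean")
```

The third record is the one that justifies hashing: the same vulnerable driver dropped under a harmless name still matches on SHA256. Detection is the fallback, though; the preventive control is Microsoft's vulnerable driver blocklist enforced through HVCI or a WDAC policy, which refuses to load listed drivers regardless of where they sit or how they are named.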
China’s Cyberspace Administration (CAC) has launched a campaign to regulate internet algorithms to prevent the creation of information cocoons.
Notable Quote:
“The CAC mandates that tech companies prevent the dissemination of homogenous content and enhance transparency in content ranking algorithms.”
— Maria Varmazis, 17:10
In an in-depth interview, Lesley Carhart, Technical Director at Dragos, discusses the unique challenges and evolving strategies in Operational Technology (OT) incident response: consequence-driven response where a mistake can hurt people or contaminate the environment, decades-old Windows systems that cannot be patched or replaced, facilities that require safety training to enter, and the near-total absence of modern tooling such as EDR inside process networks. She recommends the SANS Five Critical Controls for ICS cybersecurity (architecture, monitoring, remote access, vulnerability management and incident response planning) and notes that maturity tracks funding and regulation, with oil and gas ahead of manufacturing and small municipal utilities.
Notable Quotes:
“Everything we have to do in terms of cybersecurity defense and incident response has to come down to what avoids those consequences.”
— Lesley Carhart, 15:00
“You have to commit at least a few hours to thinking about, if you had ransomware in your industrial environment, who would you call and would they pick up the phone?”
— Lesley Carhart, 25:30
Following a recent cybersecurity incident that led to empty shelves at Stop & Shop stores, the grocery chain took proactive measures to regain customer trust.
The episode underscores the dynamic and evolving nature of cyber threats, emphasizing the need for robust security measures, proactive incident response planning, and continuous vigilance across both IT and OT environments. Insights from industry experts like Lesley Carhart highlight the critical importance of tailored cybersecurity strategies to protect against sophisticated and potentially devastating cyberattacks.
For more detailed stories and updates, visit The CyberWire Daily Briefing.