Podcast Summary: Talkin' About [Infosec] News, Powered by Black Hills Information Security
Episode: 2024-12-09 - A Better Mike
Release Date: December 11, 2024
Host/Author: Black Hills Information Security
Introduction
The episode begins with the usual playful banter among the hosts—John, Kelly, Corey, Ryan, Wade, and Alex—discussing minor technical issues with microphones and expressing frustrations with equipment and software updates. The hosts set a casual tone, preparing listeners for an in-depth discussion on pressing information security (infosec) topics.
1. FBI Advises Against Using SMS for Communication
Key Discussion Points:
- The Federal Bureau of Investigation (FBI) has issued a warning advising against the use of SMS for sensitive communications due to vulnerabilities. This has sparked a debate among the hosts regarding the implications for security and daily communications.
Notable Quotes:
- John (04:46): "The FBI says you don't use your cell phones anymore and that'll fix all the problems, obviously."
- Corey (08:58): "We have not figured out if we've even ejected them from the networks yet. So you should be using encryption."
Insights:
- The hosts delve into the complexities surrounding SMS vulnerabilities, discussing how data brokers and compromised telecom systems exacerbate security risks.
- They highlight the discrepancy between government recommendations and the current state of telecommunications security, emphasizing the need for encrypted communication channels.
2. Encryption vs. Compliance: Shifting Frameworks
Key Discussion Points:
- The conversation shifts to the effectiveness of current compliance frameworks versus an accountability-based approach in enhancing cybersecurity.
- The hosts argue that compliance often serves as a minimum standard, whereas accountability could drive organizations to adopt more robust security measures.
Notable Quotes:
- John (10:08): "We're losing all of these really smart people that are working through this. And I just have this fear that we're getting into a situation where we are going to be fighting each other more than actually dealing with the cyber threats."
- Corey (29:21): "There's too much that can take that away at this point in time. We've seen that with different regulations."
Insights:
- The hosts propose moving from a compliance-based framework to an accountability framework, drawing parallels with the General Data Protection Regulation (GDPR) in Europe.
- They debate the practicality and potential consequences of such a shift, considering the likelihood of organizations circumventing accountability measures.
3. Regulatory Landscape: GDPR and CCPA
Key Discussion Points:
- Kelly provides an overview of the GDPR and the California Consumer Privacy Act (CCPA), discussing their impact on privacy awareness and organizational practices in the United States.
- The conversation touches on the challenges of enforcing these regulations and their influence on global privacy standards.
Notable Quotes:
- Kelly (35:31): "GDPR introduced Americans to the concept that information about me is my person and belongs to me."
- John (25:07): "If we can take it back a couple of steps, we are at the point right now where we're going into a situation like this where, like this is bad."
Insights:
- The hosts acknowledge the role of GDPR and CCPA in shaping privacy conversations in the U.S., noting that while these regulations have heightened awareness, their implementation and enforcement remain inconsistent.
- They discuss the potential for these frameworks to influence future privacy laws and the importance of continuous dialogue on data protection.
4. Ransomware Attacks: The Case of Stoli Vodka
Key Discussion Points:
- A significant portion of the episode is dedicated to discussing a ransomware attack on Stoli Vodka, a Russian-affiliated vodka brand. The attack led to the shutdown of their U.S. operations, highlighting the severe impact of such breaches on businesses.
- The hosts examine the broader implications for other industries, particularly healthcare, where ransomware can have life-threatening consequences.
Notable Quotes:
- Wade (43:03): "Stoli has announced that they're shutting down operations in the U.S. due to a data breach and ransomware attack."
- John (44:59): "Ransomware kills about 60% of the small businesses that get hit."
Insights:
- The discussion emphasizes the critical need for robust cybersecurity measures and the devastating effects of ransomware on both large and small businesses.
- The hosts advocate for improved security hygiene and highlight the gap between the prevalence of ransomware attacks and the public's awareness of their frequency and impact.
5. Advanced Persistent Threats (APTs) vs. Ransomware
Key Discussion Points:
- The hosts engage in a debate over the definitions and distinctions between Advanced Persistent Threats (APTs) and ransomware groups.
- They explore whether ransomware groups are evolving into APT-like entities or if the two remain fundamentally different in their objectives and methods.
Notable Quotes:
- Wade (52:49): "Ransomware isn't just about disabling and encrypting systems and files anymore. It's about extortion."
- John (53:44): "The goal of an APT is to dwell as long as possible. And I think that's a fundamentally different thing than a ransomware group."
Insights:
- John argues that APTs aim for long-term, undetected infiltration to siphon data, whereas ransomware groups have an end-state of extortion, which necessitates persistence but differs from the stealth objectives of APTs.
- Wade counters by suggesting that modern ransomware groups may require a level of persistence akin to APTs to successfully extort organizations by targeting critical and sensitive data.
6. Data Brokers and Potential Regulations
Key Discussion Points:
- The conversation shifts to the role of data brokers in the ecosystem and the proposed regulations to block them from selling data.
- The hosts discuss the feasibility and potential effectiveness of regulating data brokers to enhance privacy and security.
Notable Quotes:
- John (25:36): "Every company on the planet has to be HIPAA certified and HIPAA compliant."
- Kelly (23:27): "There are congresspeople who are advocating that telcos are mission critical utilities that should be regulated as such."
Insights:
- The hosts debate whether imposing stricter regulations on data brokers could significantly reduce data breaches and enhance consumer privacy.
- They consider the challenges of enforcing such regulations, especially given the global nature of data brokers and the potential for companies to relocate to less regulated jurisdictions.
7. General State of Information Security
Key Discussion Points:
- The hosts reflect on the overall state of information security, expressing concerns about the lack of continuity in leadership within organizations like CISA and the broader implications for national cybersecurity.
- They discuss the psychological and societal impacts of cybersecurity breaches, including public desensitization to breaches and the need for better communication strategies to encourage secure practices.
Notable Quotes:
- John (12:55): "We've been talking about the secure by design principle for over 23 years. Years. And the only way it actually works is if we open up these things so that people can install. They can get root access on their devices."
- Wade (37:52): "Creating AI programs to automatically deny claims... there's so much tragedy here."
Insights:
- The discussion underscores the frustration with outdated security principles like "secure by design" and advocates for "open by design" to enhance transparency and security.
- There is a strong emphasis on the need for better cybersecurity hygiene across all sectors and the importance of building a security-aware culture both within organizations and among the general public.
Conclusion
The episode wraps up with reflections on recent news, including the shutdown of Stoli Vodka’s U.S. operations due to a ransomware attack and ongoing cyberattacks on the NHS. The hosts express a mix of frustration and cautious optimism, highlighting the ongoing challenges in the cybersecurity landscape. They emphasize the importance of moving beyond compliance, fostering accountability, and enhancing public awareness to mitigate the ever-evolving threats in information security.
Final Takeaways:
- Adopt Encrypted Communication: Heed the FBI's advice to move away from SMS in favor of more secure messaging apps like Signal and WhatsApp.
- Shift to Accountability Frameworks: Consider transitioning from compliance-based to accountability-based cybersecurity frameworks to drive more effective security measures.
- Regulate Data Brokers: Support and advocate for stricter regulations on data brokers to protect consumer privacy and reduce data breaches.
- Enhance Cybersecurity Hygiene: Implement fundamental security practices across all organizations to prevent ransomware and other cyber threats.
- Promote Open by Design: Encourage the development of open systems to allow better security testing and vulnerability management.
Listener Advisory: This summary is intended to provide an overview of the key discussions and insights from the podcast episode. For a comprehensive understanding, listening to the full episode is recommended.