Published on October 30th, 2021
Cyber Security Today, Week in Review for Oct. 29, 2021
Welcome to Cyber Security Today. This is the Week in Review edition for Friday October 29th. I'm Howard Solomon, contributing writer on cybersecurity for ITWorldCanada.com.
In a few minutes guest commentator Dinah Davis, Canadian-based vice-president of research and development at Arctic Wolf, will join me to discuss some of the news. But first a look at highlights from the past seven days:
At least 14 cloud service providers and resellers of technology products have been compromised since May by the Nobelium threat group. Microsoft said these victim firms are part of more than 140 companies that have been targeted by this group. According to U.S. intelligence, Nobelium is part of Russia's foreign intelligence service. Dinah and I will talk about this latest version of supply chain hacking.
Despite the pandemic, the number of cybersecurity pros in Canada and the U.S. jumped by double digits this year, according to a report. But that's not enough to cover the demand for information security staff. Dinah and I will look at what the numbers mean.
The Conti ransomware gang has added a new tactic for raising money. It's offering crooks the ability to buy the IT network access of organizations it has already hacked into. The crooks can then do the stealing of data and threaten the organization instead of the Conti gang. Security experts aren't sure what to make of this strategy.
Approximately 400,000 users of Scoolio, a student community app widely used in Germany, could have had sensitive information exposed due to an application programming interface flaw in the platform. A researcher discovered the problem rather than a hacker. But this comes as Akamai released a report this week saying sloppy work by developers is increasingly making APIs a way threat actors can hack into companies. APIs connect different platforms. I have a longer story on this on ITWorldCanada.com.
Remember the embarrassing hack last year of Twitter employees that led to the take-over of accounts of celebrities? Twitter wants to make sure it won't happen again. This week Twitter said every employee now has to plug in a USB security key to log into their work computers and access the platform. If a crook gets an employee's username and password, they can't log into that account without the physical key. For some organizations a USB security key is the best form of multi-factor authentication, particularly for those with access to sensitive systems like IT workers. By the way, Twitter subscribers also have the choice of using a security key.
Fake Android apps with spyware have been discovered that apparently target people in Israel. That's because some are spread by social media messages in Arabic. One is a radio player. Another purports to be a guide to Jerusalem. One masquerades as the legitimate end-to-end encrypted instant messaging application called Threema. None of the fakes were available in the Google Play store, where the legitimate versions of these apps were available. People got the fakes by clicking on links in other app stores or from social media posts.
In addition, Lookout Threat Labs said it found seven Android apps with malware that could dig into the root of the operating system. One was in the Google Play store, the others were in the Amazon Appstore and the Samsung Galaxy Store. Once a hacker has root access to a device they can do almost anything. The bad apps pretended to be utilities like password managers and system tools like app launchers or data savers.
(The following is an edited transcript. To hear the full discussion play the podcast)
Howard: I want to bring in Dinah Davis now. I thought we'd wind up Cybersecurity Awareness Month by discussing common ways organizations fail in educating employees. First of all, why is awareness training so important?
Dinah: Awareness training is so important because the biggest hole in corporate security right now is the people: One wrong click of a link and you've now installed malware. So if you're not doing awareness training you're not teaching your people how to react properly and how to protect their company properly.
There are five main reasons employees often fail: The first is infrequent training. People forget about 80 per cent of the new things they learn within four weeks unless they aren't frequently re-engaged with it. So you want to make sure you're doing awareness training in little chunks every couple of weeks, so it stays in the forefront of their mind. I said little chunks because too much data all at once and people can't digest it.
Another thing: Trainers shouldn't shame the learners. "You clicked the link that was bad," or "You're not learning fast enough." You really have to promote a culture of understanding and learning. You want people to come to you when they make a mistake and say, "I'm sorry, I made a mistake. I'm learning. I'm trying." If they're going to be shamed they're going to keep their mouth shut. And you're not going to know about a lot of bad things that have happened. Right.
Similarly, you don't want to build a culture of distrust. That happens if your programming's not consistent. This month's training is 30 minutes long, and then you don't have anything for six months. It makes it look like [the organization] doesn't really care. Another thing is sometimes IT staff want to make phishing tests so hard no one in the organization actually can tell it's a fake. You want to make them difficult, but not too hard because you want people to spot them. And when they don't click the link and they report it, you get to say, "You correctly identified phishing," and then people feel good about it. It's a positive feeling.
The last one is to make sure you're not just checking a box. Make sure you're not just doing training for compliance reasons and finding like the most boring, easiest, one-hour training session that you can send out once a year. You're going to pay for that later in breaches and other problems.
Howard: In all the years that you've been receiving training can you recall what most made the effect on you?
Dinah: It was the first time I had been trained on phishing emails. I just remember them pointing out five big things that you need to look for, and I still look for them today: Hovering over the URL. Is it right? Looking for spelling mistakes, checking the link that they're sending you. Does it have weird characters in it? Checking the [sender's] email address at the top. Is that actually real? It just had such a big effect on me. It just gave me tangible things to look at. I think that's one of the most important things when you're building awareness training: What are tangible, real things people can do. Show them and they can grasp that.
…
Howard: Let's turn to the Microsoft report on the Nobelium hacking group. It says that this allegedly Russian government-backed gang is attacking tech companies that sell products and services to governments and companies. Why is this so dangerous?
Dinah: It's the supply chain attack again. If you can get into the companies that governments trust and can get your malicious code into their software, the government will download it because they trust the companies that it's coming from. It's exploiting the trust that governments and companies have with their suppliers.
Howard: Supply chain attacks aren't new. Listeners may remember the huge theft of credit card data in 2013 from the Target department store chain. That started when crooks hacked into the heating and air conditioning supplier to Target. Because that supplier had direct access to Target's IT systems they could leap from the air conditioning system into the point of sale system and siphon off credit card numbers. What's new in this Nobelium attack?
Dinah: They're not actually exploiting a lot of security vulnerabilities. They're using a diverse set of tools to get in. You've got to remember, these guys are also the ones that are responsible for the SolarWinds supply chain attacks. So they're very resourceful.
Howard: And as I understand part of the Nobelium attack involves once again, password spraying, which is guessing passwords using lists of stolen passwords and assuming that some people are reusing the same password over and over again. And this circles back to awareness training, because people need to be trained not to do that. What should organizations in the supply chain do to protect themselves?
Dinah: They need to review and audit the access privileges [of employees]. Always go with the principle of least trust. Give staff only as much access as they need to be able to do their work. You also need to review and audit the logs and configurations for all applications and devices for [unapproved] changes in access. A lot of the time, we see attackers go after accounts that were created a long time ago and the employee is no longer there. But their account wasn't de-activated. That's how the attacker gets in.
Howard: I'm going to move on to the cybersecurity jobs report. Cybersecurity jobs have never been more in demand than they are today and a report this week by the International Information Security Certification Consortium, which among IT pros is known as (ISC)², estimates the number of people in the cybersecurity workforce in Canada this year is up 21 per cent over 2020, and up 30 per cent in the U.S. But IT departments still want to hire more. So there's this talent gap. Is this report good news or bad news?
Dinah: I think it's a bit of both. We took the global job openings from 3.12 million down to 2.7 million. So that's good news. Bad news: We need to grow by 65 per cent to fill that gap for next year. That might be a little difficult. But I generally think it's good news because it means that the field is opening up, that people are more aware of it and more people are choosing roles in this area. As an employer to really try and get more people in, I think you need to look at your hiring practices differently. How are you hiring? Who are you hiring? And one big thing I think you can do, which is just good for other reasons as well, is to diversify your job ads.
There are a few key ways that you can do that. You can make sure you're using inclusive language: not using jargon or pop culture references or violent expressions. A big one that I really like is listing qualifications, not credentials. Avoid listing specific degrees or years of experience or other requirements that may cause qualified candidates to self-select out, when you can just list very clearly the responsibilities in the job. And if somebody can do that, then they'll self-select in. You want to make sure you're describing the position and not the profession. For example, how this job will work for your company, not just how does this job work in general.
Howard: But the report still talks about a gender and diversity gap, which has long existed in IT in general, in information security in particular. Can you talk about the importance of having a diverse IT staff?
Dinah: The importance of a diverse staff in anything is multiple different ideas, viewpoints, build stronger solutions. It's been proved over and over again in company output. The more diverse a senior leadership is the better the profits are. You don't want a whole bunch of people who think the same way who have the same culture, because they're only going to look at the attack surface one way, and figure out how to defend it one way. But when you bring in people with different backgrounds, different schooling, different ways that they've made their way into cybersecurity, you're going to get a more holistic approach to things. And in the end, be far more secure for it.