Robin’s Newsletter #254

30 April 2023. Volume 6, Issue 18
RSA Conference 2023 takeaways. Data-driven decision making. IoT and Digital Services legislation.

This week

RSA Conference 2023 takeaways

The world’s largest cyber security conference took place this week. Around 45,000 people descended on San Francisco for RSA Conference 2023 to hear from 650 speakers across 25 tracks. The exhibition halls host a cacophony of 500 vendors, large and small, from around the world. Increasingly there are side events organised around the event in San Francisco vying for your attention too. I was there for training, to catch up with some Cydea partners and get a feel for what’s happening across the industry. 

Here are some of my takeaways:

🤖 The AI hype was less than expected. There were a few notable new announcements and features from Microsoft, Google and Recorded Future. However, the ChatGPT hype wasn’t everywhere. It was quite balanced, considering some of the product marketing (see below). Where AI is present, it’s being used as a shorthand for automation.

🗂️ There’s been category consolidation around xDR, exposure management and cloud security. The former two complement each other nicely and make a logical extension for vendors from either category looking to upsell or seeking greater insight or capability. A few new companies were looking at quantum cryptography and some exciting uses of machine learning to process policies and security documentation for third-party risk management.

⚠️ Risk crops up repeatedly in many products now, but almost universally, they don’t have the business context. Instead, things are scored using proprietary and ordinal scales or given arbitrary red/amber/green labels. One established vendor I spoke to has a menu called ‘risk’ that shows a list of vulnerabilities. Risk is being seen — rightly, I believe — as a way to elevate findings but without much appreciation or opportunity for businesses to feed in or configure these to give bespoke outcomes. (Side note, vendors: 📊 board members aren’t being given logins to your product or fawning over your executive dashboard: your product ends at the CISO.)

🔥 Attack surface is the new hotness. It’s cropping up almost as frequently as risk. There are also some very bold claims around product marketing: _detecting the undetectable_; _ending cyber risk_, and so on. It all feels quite blunt and perhaps damages the integrity of your brand with more mature buyers. In the same vein, CrowdStrike was giving out action figures of _Turbine Panda_ and _Wizard Spider_ amongst others. We should be celebrating people that defend, not fetishising adversaries.

☁️ Cloud security vendors still come in many shapes and sizes. Some wrap better protection or detection around existing stacks. Some focus on improving the code quality of cloud apps. Identity is essential here, and I think we’ll start to see more intent-based detection solutions in the coming years as more businesses have smaller network and endpoint footprints. However, it’s important to remember that many organisations still have sizeable on-premise stacks and networks. It’s easy to believe that everyone is doing everything in the cloud all the time. A transformation is underway, but there is still a long way to go. New models require new skills and capabilities; not even hyper-scale providers like Google and Microsoft claim to have all the answers.

Watch Tim Orchard and me share our top 5 RSAC takeaways from 4 days in 3 minutes on LinkedIn.

Interesting stats

2,200x amplification of denial-of-service (DoS) traffic is possible by exploiting the Service Location Protocol (SLP) in some services from VMware, Konica Minolta, IBM and more.

50:1, the ratio by which “Chinese hackers… outnumber FBI Cyber personnel,” according to FBI Director Christopher Wray.

Other newsy bits

  • Last week I was left with a nagging feeling about NCSC’s data-driven cyber model (vol. 6, iss. 17) and I’ve realised what it is. Good decisions are determined by the quality of their framing: what do you want to know? It’s one of the reasons we believe in mapping between risk scenarios and detection use cases at Cydea. Improving ‘scope’ maturity within DDC results in collecting all the things, regardless of their utility. To make better evidence-based decisions about cyber security, I think you need the following:
  1. Alignment to goals and objectives
  2. Clearly identified alternatives
  3. Support from the best information
  • IoT Security: A good read from David Rogers on the secondary legislation that, subject to parliamentary approval, will set the security requirements for ‘connectable products’ (read: internet of things and mobile devices). It’s based on the Code of Practice for Consumer IoT Security (ETSI EN 303 645) and, in particular, requires that products ship with no default passwords, that manufacturers have and act on a vulnerability disclosure policy, and that they publish a minimum period for which consumers can expect to receive security updates. The Product Security and Telecommunications Infrastructure Bill was introduced in 2021 (vol. 4, iss. 48) and will see penalties of up to 4% of global turnover.

  • Digital regulation: The European Commission has announced 19 online platforms that will be regulated under the Digital Services Act. YouTube, Google’s Search, Maps, Play Store and Shopping, plus Facebook and Instagram, as well as Amazon’s store, Apple’s AppStore, Bing, TikTok, Twitter, LinkedIn, and Wikipedia, along with other platforms reporting over 45 million active users are in scope. Targeted advertising based on ethnicity, political opinions, or sexual orientation is prohibited, as is any profiling of children. Risk assessment and mitigation of how illegal content and disinformation can spread on their services will also be required.

In brief

  • Symantec says that the 3CX incident, attributed to North Korea (vol. 6, iss. 16), affected at least two more organisations in the energy sector in the US and Europe.

  • Capita: The UK Pensions Regulator has written to 300 pension schemes administered by Capita, who announced a breach at the beginning of the month (vol. 6, iss. 15), urging them to determine if “there is a risk to their scheme’s data”.

  • Hookup websites ‘CityJerks’ and ‘TruckerSuckers’ have been compromised, and profile information and direct messages for 77,000 and 8,000 users respectively have been stolen.

  • Americold, a cold storage and logistics company, has suffered an ‘intrusion’ this week that required the company to shut down its network. It has requested that customers “cancel any inbounds” and warned that outbound deliveries will “be very limited”. Ransomware is the suspected cause of the disruption.

  • Fake Minecraft apps on Google Play Store with a collective 35 million downloads were bundled with adware to defraud advertisers, says McAfee.

  • Many Salesforce Community websites are leaking information because of permissive and confusing guest permission settings, according to Brian Krebs. If you run a Salesforce instance, you can run a guest user access report to check what content is publicly accessible.

  • Print management software PaperCut is under active exploitation. An unauthenticated, remote code execution vulnerability (CVE-2023-27350; 9.8/10) allows attackers to run code, without having to log in, on any instance exposed to the internet. Some compromises appear to result in the Truebot malware being installed, which may be a precursor to Cl0p ransomware attacks.

  • MacOS info-stealer Atomic steals keychain passwords, local files, cookies and credit cards stored in browsers. The new malware costs $1,000/month and is not yet widely detected by antivirus solutions.

  • The FIN7 cybercrime group is targeting Veeam backup servers: WithSecure says it’s observed attacks, likely using CVE-2023-27532, before the attackers download PowerShell scripts and install the DiceLoader backdoor.

  • Russia is conducting “a significant amount of intelligence gathering into the Western countries, to include the U.S., in that logistics supply chain,” NSA cybersecurity director Rob Joyce told the RSA Conference. The hypothesis is that Russia is trying to understand and potentially find a way to disrupt the support the US and Europe have provided Ukraine. Meanwhile, Illia Vitiuk, the head of the Department of Cyber Information Security in the Security Service of Ukraine, says “state groups conduct more than 90%” of cyber attacks against Ukraine, with ‘hacktivist’ groups being used as cover to release information.

  • M&A and funding: Lookout’s consumer mobile business, which includes antivirus for smartphones, has been sold to F-Secure in a deal valued at $223 million as the company focuses on enterprise solutions. Bastion, a French startup, has raised $2.8 million bundling together phishing simulation, attack surface scanning, endpoint detection and response, and email protection for small businesses, priced at €10/user/month.

And finally

  • Colorado has signed a right-to-repair law that will allow farmers to fix their machinery themselves or at independent mechanics, rather than requiring costly trips to main dealerships. The law has been strongly opposed by John Deere, which updated its terms of service in 2016 (vol. 4, iss. 28) to prevent such behaviour, a move that instead led to tractor hacking and sites offering cracked firmware downloads.
