Robin’s Newsletter #281

5 November 2023. Volume 6, Issue 45
SEC charges SolarWinds CISO. Countries vow not to pay ransomware demands. Major updates to CVSS.

This week

SEC charges SolarWinds CISO with fraud

  • There have been a lot of posts and chatter about the US Securities and Exchange Commission bringing charges against SolarWinds and its CISO, Timothy Brown. There is also a lot of speculation and inaccuracy floating around on social media.
  • The SEC alleges that, at least from the point of SolarWinds’ initial public offering in October 2018, through the Sunburst incident in December 2020 (vol. 3, iss. 51), investors were misled because the company did not disclose known risks and inaccurately represented its cyber security measures. It’s the first time the SEC has attempted to hold a chief information security officer personally liable.
  • “SolarWinds and Brown ignored repeated red flags about SolarWinds’ cyber risks,” Gurbir Grewal, director of the SEC’s enforcement division, said in a statement. The SEC complaint highlights that, in October 2018, when the company filed its initial public offering, an internal presentation authored by Brown said that “current state of security leaves us in a very vulnerable state for our critical assets”, while the IPO filing only mentioned “generic and hypothetical cyber security risk disclosures”. 
  • Brown is also alleged to have been involved in drafting the 8-K filing submitted after the December 2020 incident, which “[failed] to disclose that the vulnerability at issue had been actively exploited against SolarWinds’ customers multiple times”.
  • Other examples in the charges, drawn from internal emails, messages and presentations, will be all-too-familiar to security teams: comments like “[we’re] so far from being a security minded company”, calls to make backend infrastructure more resilient, and “[t]he volume of security issues… outstripp[ing] the capacity of engineering teams”.
  • Lawyers for Brown said he had acted with “diligence, integrity, and distinction” and that they “look forward to defending his reputation and correcting the inaccuracies in the SEC’s complaint”.
  • There’s a lot of “CISO is a scapegoat” rhetoric, and I think it’s important to realise that in the two notable examples of this — Uber/Joe Sullivan (vol. 5, iss. 41) and this SolarWinds/Timothy Brown case — the CISO was at the ‘top table’ and was involved in the decision making. If you are in a similar position, an incident occurs, and you have acted unethically or illegally, then yes, you should be worried. If you need advice to understand what you’re being asked to sign off on, ask for it! But if you don’t have a seat at the top table, and you’re not making the decisions, then it will be a massive stretch for a court to find you guilty of actions demonstrably taken by others. Either way, it will get the attention of leadership in your organisation, and I think you can expect some questions from the board to come (through line management) in the coming weeks and months. Use this opportunity to communicate posture and discuss how you can improve/maintain communication on this important topic in the future.
  • In the meantime, regardless of the seniority of your position, it almost certainly is your duty to accurately communicate cyber risks and the security posture of your organisation and to raise concerns if it’s being misrepresented. 

Forty-nine countries vow not to pay ransomware demands

  • Forty-nine countries in the International Counter Ransomware Initiative (CRI), plus the European Union and Interpol, have signed a pledge never to pay cybercriminals’ ransom demands. Members agreed that “relevant institutions under our national government authority should not pay ransomware extortion demands.” CRI members also committed to helping any other member with incident response should its government or critical sectors fall victim to a ransomware attack.
  • Two information-sharing platforms, hosted by Lithuania and Israel/UAE, will also be used to share threat intelligence. The US Department of the Treasury will also share details of illicit crypto-currency wallets ransomware actors use.
  • TechCrunch looks at sanctions against ransomware groups and concludes they are undoubtedly a step in the right direction.

Major update to spec for Common Vulnerability Scoring System

  • FIRST (the Forum for Incident Response and Security Teams) has announced CVSS v4.0. It’s a major update to the common vulnerability scoring system used to communicate information about security issues in software and wrap them all up into a single severity score.
  • A significant change is the introduction of ‘nomenclatures’ used to communicate nuances stemming from threat or environment variables. A ‘base’ nomenclature (CVSS-B) will contain the base metrics about a vulnerability, while ‘threat’ (T) and ‘environmental’ (E) metrics can be added by consuming organisations to tailor the assessment to their specific needs.
  • That’s a good thing because it will allow vulnerability management solutions to better rank issues depending on, for example, user-specific confidentiality, integrity or availability requirements. It also means that, while CVSS-B scores are comparable, any CVSS-BT or -BE scores will be specific to that organisation. The FIRST user guide is also keen to emphasise that CVSS measures severity, not risk.
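As an added example (not from the newsletter or from FIRST’s own tooling), the following Python parser validates a CVSS v4.0 vector string and reports which nomenclature it falls under, so a vulnerability management pipeline can tell a comparable CVSS-B score from an organisation-specific BT/BE/BTE one. The sample vectors are constructed, and treating a Threat or Environmental metric set to X (Not Defined) as unset is my own assumption.

```python
# CVSS v4.0 metric groups and permitted values, per the FIRST specification.
BASE = {"AV": "NALP", "AC": "LH", "AT": "NP", "PR": "NLH", "UI": "NPA",
        "VC": "HLN", "VI": "HLN", "VA": "HLN", "SC": "HLN", "SI": "HLN", "SA": "HLN"}
THREAT = {"E": "XAPU"}
ENVIRONMENTAL = {"CR": "XHML", "IR": "XHML", "AR": "XHML",
                 "MAV": "XNALP", "MAC": "XLH", "MAT": "XNP", "MPR": "XNLH", "MUI": "XNPA",
                 "MVC": "XHLN", "MVI": "XHLN", "MVA": "XHLN",
                 "MSC": "XHLN", "MSI": "XSHLN", "MSA": "XSHLN"}
SUPPLEMENTAL = {"S": "XNP", "AU": "XNY", "R": "XAUI", "V": "XDC", "RE": "XLMH",
                "U": ("X", "Clear", "Green", "Amber", "Red")}
# frozenset() of a string yields its single-letter values; of the tuple, its words.
ALL = {k: frozenset(v) for k, v in {**BASE, **THREAT, **ENVIRONMENTAL, **SUPPLEMENTAL}.items()}

# Constructed sample vectors for illustration (not taken from any real advisory).
VENDOR_VECTOR = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
TAILORED_VECTOR = VENDOR_VECTOR + "/E:A/CR:H/MAV:A"  # consumer adds threat + environmental


def parse_cvss4(vector: str) -> dict:
    """Parse a CVSS:4.0 vector string into {metric: value}, rejecting malformed input."""
    prefix, _, body = vector.partition("/")
    if prefix != "CVSS:4.0" or not body:
        raise ValueError("missing or unsupported CVSS version prefix")
    metrics = {}
    for part in body.split("/"):
        name, sep, value = part.partition(":")
        if not sep or name not in ALL or value not in ALL[name]:
            raise ValueError(f"invalid metric component {part!r}")
        if name in metrics:
            raise ValueError(f"duplicate metric {name}")
        metrics[name] = value
    missing = [m for m in BASE if m not in metrics]
    if missing:
        raise ValueError(f"all base metrics are mandatory; missing {missing}")
    return metrics


def nomenclature(metrics: dict) -> str:
    """Return CVSS-B, CVSS-BT, CVSS-BE or CVSS-BTE for a parsed vector.
    Assumption: a Threat/Environmental metric left at X (Not Defined) counts as unset."""
    has_t = any(metrics.get(m, "X") != "X" for m in THREAT)
    has_e = any(metrics.get(m, "X") != "X" for m in ENVIRONMENTAL)
    return "CVSS-B" + ("T" if has_t else "") + ("E" if has_e else "")


def comparable_across_orgs(metrics: dict) -> bool:
    """Only CVSS-B scores are comparable between organisations; BT/BE/BTE are tailored."""
    return nomenclature(metrics) == "CVSS-B"
```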

Interesting stats

47% of cyber pros have had to deal with layoffs, budget cuts and hiring or promotion freezes, with 22% explicitly experiencing layoffs and 31% expecting additional cutbacks in the next year, says ISC2. ISC2 estimates that the global cyber workforce has grown 8.7% to 5.5 million people; however, demand appears to be outstripping supply, with a 12.6% increase in the ‘workforce gap’, which now stands just shy of 4 million. Source: ISC2 Cybersecurity Workforce Study 2023 (PDF)

Interesting data on authorised push payment (APP) fraud from the UK’s Payment Systems Regulator, which show a huge disparity in how banks look after their customers:

94% of reported APP fraud cases were fully reimbursed by TSB, 91% for Nationwide, and 79% for Barclays, who take the top three spots by volume, with just 6% of cases raised with Monzo being fully reimbursed, putting them at the bottom with Danske Bank (7%) and AIB (12%). (Original article at The Guardian).

Other newsy bits / in brief

And finally

  • Windows CE has reached end of life. From PDAs (remember the Compaq iPaqs, anyone?) to small laptops, ATMs, and a host of other embedded devices, Windows CE (or Pocket PC or Windows Mobile in some of its guises) powered them all.
