Security Insights - Cybersecurity for Real-World Workplaces

Big Cybersecurity News!

October 05, 2021 Ivanti Season 1 Episode 17

Host Adrian Vernon and VP of Product Management Chris Goettl break down some of the biggest headlines in the world of cybersecurity right now! The conversation includes:

  • The recent critical security flaw of Apple devices
  • How threat actors use remote code execution to mine cryptocurrency
  • Lessons learned from the SolarWinds breach
  • Actions to take as cybersecurity threats increase
  • October is Cybersecurity Awareness Month!

  • For all show notes, resources and references, head to Ivanti.com/SecurityInsights
  • Join the conversation online on LinkedIn (linkedin.com/company/Ivanti)

Adrian: Hi everyone, welcome to Ivanti Insights. Adrian Vernon here, along with, as usual, Chris Goettl. Chris, this is episode 16, can you believe it? The beat just goes on.


Chris: Yeah, it's crazy. We've been doing this for a while now, our followers are increasing. We appreciate you guys all joining us here for yet another episode, and I think we've got a good lineup of conversation here today as well.


Adrian: We do. Chris, today I'm going to call this our headline news episode. We're quickly going to hit upon multiple happenings in cybersecurity news, so I say let's get into it. Headline number one: Apple made news recently, obviously with the launch of iOS 15, but did you hear about the critical security flaw that was fixed in iOS 14.8, which came out only a week before that iOS 15 launch? Can you shed some light on what happened there?


Chris: Yeah, so this was a vulnerability that came to light because of some nation-state activity that started to take advantage of it. It actually affects more than just iOS, it's basically all your Apple devices, your macOS and iOS devices, so your iPads, even the Apple Watch is exposed to this. What this is, is a zero-click vulnerability. So it used to be called like a server-side vulnerability, but basically this allows an attacker to get onto a device without much interaction at all. Once on the device, these guys were able to get access to your microphone, to your camera, to all data access, anything on there, even install additional applications on that device.

Now, the group that created this was a corporation that was creating tools to be used by nations to spy on individuals; the software was called Pegasus. And what it allowed them to do was put this on high-profile individuals' devices so that they could try to basically spy on or infiltrate into that person's life and gather information or intel on there. It was found on a few high-level or high-profile persons' phones, and journalists were being targeted with this as well by certain nation states. Now, the chances of Pegasus being on most of our devices is pretty slim. You know, this is some nation-state-level technology used to target very high-profile individuals; most of us don't fall under that category. The part that is concerning about this is now that this has been exposed, what happens next is this opening in the Apple software allows other threat actors to now take advantage of it. So typically when nation states are at play, the tools that they're using slowly start to get exposed more and more out to the market. You know, we had some very notable NSA tools get exposed to the market, which led to WannaCry, NotPetya and other EternalBlue family of vulnerabilities being used in a lot of different attacks. That's another example of when nation states play. At some point, the rest of the cyber-criminal world will get their hands on this technology.

So what happens next? Well, organizations needed to start to make sure that people's devices were being updated. The Mac iOS updates, a lot of companies have patch management technologies, Ivanti can support the Mac platform. Many of you might even be using our patching technology for the Mac platform, but with the iOS devices, it becomes a little bit more nebulous. It's harder to be able to force things to happen on a mobile device because that user has more control over it. There's a shift happening in the manufacturers to try to enable more direct management of those things, but there's this back and forth over privacy and corporate-level access happening in the mobile devices of the world that we're still in the middle of. So if you're in the small number of organizations that have more control over those devices, you might've been able to do a push notification to your users saying update your iOS version by taking these steps. You may have been able to take another step and say if they haven't done it by a certain amount of time, cut off access to corporate email or corporate applications and data. Most organizations don't have that type of capability. This is where the strength of our MobileIron technology, having the MDM capabilities and our secure productivity apps and mobile threat defense all in one combined solution, really does give organizations with that level of capability an advantage, because they can start to take those actions. But most organizations are actually being forced to reduce security on mobile devices.

I'll throw a couple of stats here at you real quick, Adrian. Those of you who follow Verizon, Verizon has a couple of very interesting yearly reports they put out, most notably the Data Breach Investigations Report. I've been following that one for years, and they've also got a Mobile Security Index report. Ivanti actually participated in contributing to that this year. We gave them some great statistics on the emergence of QR codes and how those could be used to attack our users on mobile devices, but a couple of other stats were very interesting coming out of this. 76% of IT pros said that they had been pressured to sacrifice the security of mobile devices for expediency to meet business goals. Now of those, of the people that were surveyed from that particular vendor who contributed, 45% of companies said that they actually had to take action and reduce their security capabilities. So right now we're in this tug of war over control over that mobile device; all of our users are using their mobile to access email, to access corporate data. When a vulnerability like this comes out, that corporate data is now exposed. And again, Pegasus may have been nation-state-level tools that were targeting a very small percentage of people in the world. But now that these tools are becoming more and more visible to the broader market, anybody can start to use those to buy off-the-shelf access to weaponized versions of these same exploits and be able to take advantage of that. So the pressure is on, we need to make sure that our mobile devices are becoming more and more secure.


Adrian: But let me ask you this, Chris. So given the increase that we see in cybersecurity threats, and it's increasing by the day, we know that, the headlines continue to take center stage in a lot of cases. Do you anticipate that that pressure could shift a little bit? That, say, the business side says hey, you know what, we really do need to focus on security, make sure you don't skimp on security when rolling out this next thing.


Chris: Yeah, absolutely. You know, there is a lot of pressure and a lot of concern around that mobile device. The number one type of attack on the mobile device is trying to compromise a user's credentials. Phishing is a top attack vector, but we're seeing vulnerabilities like this recent Apple one which allow access to get more complete access on that phone and be able to use it to spy on whoever those individuals are. So with that, you're seeing more and more companies banning cell phones from important meetings, but there's a tipping point that we haven't quite reached yet. We're getting closer to it though. This back and forth over the user's privacy versus security of that device and access to corporate information. Regulatory requirements, you know, we talked about the Biden administration, the Zero Trust guidance that had just recently come out. In that guidance it is very clearly stated that mobile devices need to be secured as well as client devices. So it absolutely is a rising concern, and there's going to be more and more pressure, especially in the highly regulated spaces, to ensure that we've got security across all of our devices. And security for users, security for access, and most importantly, for the data that those all come into contact with. So it definitely is a mounting challenge; that pressure is increasing.


Adrian: Okay Chris, let's move to headline number two: it's been reported that researchers have discovered threat actors exploiting a disclosed critical security flaw to use compromised systems as crypto-miners. Now we're hearing that it's a remote execution flaw that was used. What is that, and what else do we know about this attack?


Chris: Yeah, so remote code execution basically is one of the more scary forms of vulnerabilities. It allows an attacker to exploit a system without needing to have local access to it. They also don't need to interact with a user to execute that attack. So they don't have to phish a user, they don't have to try to have somebody help them get the malware onto that system. They're able to just go and target that system remotely and deliver the payload that they want to. In this case, crypto-miners are quite insidious when it comes to this. A lot of e-commerce web servers, and other tools in this case, the software targeted in this case, the Confluence platform, is a wiki software that's used by a lot of organizations. WordPress is another prime example of very common web-facing, very public-facing software that all of us are running. So these types of remote code execution flaws, if they can see a public-facing server, inject their crypto-miner onto that system and do that times thousands, tens of thousands, even hundreds of thousands of systems globally, suddenly they just get to kick back and let this thing continue to mine money for them. And it's all coming at the expense of CPU, power consumption, even cloud costs of the organization that didn't update that software.


Adrian: Okay, let's move on to headline number three. We all heard about the SolarWinds breach at the end of last year in December 2020, a major cyber attack suspected to have been committed by a group backed by the Russian government. It penetrated thousands of organizations globally, including multiple parts of the US federal government, leading to a series of data breaches. And this included the Department of Homeland Security, Chris, and the US Treasury Department. You remember, we talked about this, our very first episode of Ivanti Insights released in December 2020, right? As this was major front-page news. That was episode one, numero uno, all the way back in December, you remember? And if anyone is interested in going back, take a more detailed listen to episode one back in December. Now Chris, there's reports coming out that we haven't seen the last of the group that was suspected above in the SolarWinds breach. Give us a quick rundown on the latest SolarWinds-related news as it sits today.


Chris: Yeah. So one thing that often happens is after a major incident gets uncovered, a group that executed that may come under a lot of scrutiny. They may have to even disband or go sub-level for a little while to regroup and let things die down a little bit, and that seems to be what happened here. This group, a new backdoor technology called Samiras is being seen out there. It's got the same capabilities that the SUNSHUTTLE second-stage malware used in the SolarWinds breach, but basically it looks like this technology has now resurfaced in a group that may very well be the same group or elements of the same group that was used before. So not related to the SolarWinds breach, but the skillset of that group, the technology that they were using, looks to still be out there, and what are they doing today. This is the type of thing that as we see major incidents like this happen, this is why we have to investigate, research and understand how they went about these. So we can figure out how to combat the tactics they're using, because they will surface again at some point.

So this one, no specific large-scale event like SolarWinds has happened at this point, but are they out there looking for, and building up to, another large-scale supply chain event? Very possible. The thing to be diligent about here is to focus in on the same things we talked about in that episode one. Making sure that if you're a service provider, if you are developing a technology or a platform for customers to consume, you want to be extra diligent about your CI/CD pipeline. You want to make sure that you're looking at and ensuring that your code is secure, that the components you integrate with are secure and kept up to date, and that you've also got good cybersecurity hygiene practice within those development environments. So more of just a call to action here: this is a group that's resurfacing, that specializes in that type of advanced persistent threat tactic of getting into and infiltrating supply chains like that. Just another call to be diligent in your security practice.


Adrian: And Chris, we've talked about this before, where for many organizations, even when you have security solutions in place, right now, with the way things are going, it's not a matter of if you're going to get hit, it's a matter of when. So we can't stop these threat actors completely, but how do we disrupt these threat actors? How do we throw them off their game?


Chris: Yeah, it's absolutely more of a when kind of situation; they constantly change their tactics. You know, when one model isn't working, they'll shift to another. And if we find a way to disrupt that, we can stop them, we can disrupt them, we can make it more difficult for them to execute that and force them to go on to other things. Can we ever eliminate crime? Well, that's like trying to say can we ever completely eliminate the drug trade or just regular street crime. No, you can never fully eliminate that. What we can do is we can learn from it and we can make ourselves more resilient to the types of things that they're doing. So this is where the Biden administration executive order urging companies to adopt a stronger Zero Trust strategy absolutely plays to this type of a strategy. It's built around access to our data, it's built around the shifts that we've had, the trends globally that we've had, where more and more people are working remotely from any device. And we need to think about how we're securing very differently.

So can we take the amount of increase of ransomware crime, can we reduce that? Yes, absolutely. I think the world as a whole can combat this to a point where we can start to reduce that effect. Is it going to be difficult? Yes, but how do we go about that? It's absolutely a matter of focusing in on frameworks like Zero Trust, frameworks like the CIS Controls or the NIST Cybersecurity Framework. Utilizing the guidance from those types of frameworks, we can start to create security roadmaps within any organization to build up and improve our security measures. So can we eliminate ransomware altogether? No, but can we make it so that we're less likely to be a target? Absolutely. Can we make it so that if we are hit by ransomware, we can reduce the amount of downtime, increase our ability to recover, and eliminate or reduce the number of situations where a payout to that threat actor is necessary to recover? That's what we need to be doing to improve our security overall.


Adrian: And you know, along those lines, because it's not a question of if, it's a question of when this hit may occur: how do we effectively remediate the situation as quickly as we can, or minimize the damage? We did an episode, if you remember, not too long ago, it was just a few weeks ago in early August, the next evolution of patch management, don't try to patch everything. How do you prioritize? And we brought Sri on, who was the former CEO of RiskSense, a company that we recently acquired here at Ivanti, and it'd be worth people perhaps going out and checking that out.


Chris: Yeah absolutely, and on that note, that risk-based approach, we're looking at tapping into that for the broader experience that we're all trying to deal with. Can we get that risk-based approach of what we need to resolve on mobile devices? Can we get it on traditional clients and servers? Can we get it for cloud-based solutions, on-prem-based solutions? We need that type of visibility everywhere. There's no way to tackle all of the security issues that are out there. What we need to focus on first is the ones that threat actors are taking advantage of and have tools to be able to execute on. That information does exist; it's something that RiskSense specializes in. And one of the key reasons we acquired them strategically at Ivanti here is to bring that visibility to our customers. Make sure that they've got a feel for what's putting their organization at risk so they can attend to those urgent needs. If we de-risk our situation, could we avoid being the target? Possibly not. Can we mitigate the overall impact? Absolutely.


Adrian: I was going to ask you, I was going to say hey, we're quickly winding down, do you have a final parting thought? That sounded like that might've been it. Or is there anything else to add to that?

Chris: No I stole your thunder on your closing question there, I think that was my parting thought for this week.


Adrian: All right Chris. Hey, as always, love getting together with you every couple of weeks. You know what, it's October, let's not forget Cybersecurity Awareness Month here in the month of October. So anything to add about that?


Chris: You know what, I'm going to share one of my favorite personal security tips. This one actually, a former colleague of mine shared this tip with me a few years back. But I report that my credit card has been damaged at least once a year to get it changed out, and the reason for that is you go and use your credit card everywhere. And you'd never know when that card was captured in a credit card breach or a card skimmer or something else, somewhere, anywhere. Especially if you're similar to myself, or if you're a road warrior out there traveling a lot, make sure to change your card out more frequently. It's not too difficult to do; when you report a card as damaged, typically they're going to give you a card with an updated CVV and a different expiration date on it. The number will stay the same, but enough information changed where if anything was captured, it's not going to make it very easy for them to try to guess at those other two elements to use that credit card. I actually just got back from vacation not too long ago, we were road tripping and on our way home, the day we're leaving to drive two days' worth of driving back home, my card got declined. And it's because there was a fraudulent charge being made. So I called the credit card company, we figured out what was going on, we ended up actually having to temporarily accept that fraudulent claim, just so I could have a credit card enough to spend money as needed on the way home. Because we had gas and meals and other stuff to pick up, but it was just under my one-year window. I was actually looking forward to getting my card updated sometime shortly after that. But even that one-year window sometimes isn't quite enough.


Adrian: Okay. And when you talk about this one-year window, do you coincide that with Cybersecurity Awareness Month? Does that say oh, every October I better do this?


Chris: Yes, and the reason I brought it up and remembered that is several years back, we did a cybersecurity tips for road warriors kind of blog post. We had like 10 recommendations from some of our most global travelers. Things like you can get little Wi-Fi hotspots when you travel to a hotel, you hook that up to their Wi-Fi and you connect through it and establish a VPN tunnel that completely separates you from the hotel Wi-Fi. Other tips like that, we shared that month. This was one of the tips that was shared in that case, so now I tend to do this around October every year.


Adrian: Well I'll tell you Chris, I like that. And so as we move into mid-October and our next episode, with it being smack in the middle of Cybersecurity Awareness Month, I think that's a great place. Our producer Craig, he's listening in right now and I can see his wheels turning in his brain, thinking maybe that could just be Chris and Daniel's personal security tips month in and around that. So I think we'll dive into that a little bit more.


Chris: That'll be a fun episode.


Adrian: All right Chris, always a pleasure, we'll talk again in a couple of weeks. Folks, thanks for listening, and until next time, stay safe, be secure and keep smiling!