CyberWire Daily Podcast: Alastair Parr on GDPR and Third-Party Risk
Alastair Parr shares insights on GDPR and third-party risk
Description
GDPR has been in effect for just over five years. In the 2023 Third-Party Risk Management Study, Prevalent looked at the impact of GDPR on the practice of third-party management, with its treatment of privacy as a core requirement. In this episode of CyberWire Daily, Dave Bittner interviews Alastair Parr, Prevalent SVP of global products and services, about the impact of GDPR on third-party risk management.
Speakers

Dave Bittner
Host

Alastair Parr
Prevalent SVP of global products and services
Transcript
Sponsor (CrashPlan): You’re listening to the CyberWire network, powered by N2K. And now a word from our sponsor, CrashPlan. The tried and true method for making sure you’re covered is to always have a backup plan. CrashPlan takes data preservation seriously. They provide data resiliency by automatically backing up endpoint files to the cloud every 15 minutes, with 256-bit AES encryption in transit and at rest. CrashPlan helps you tackle data challenges like ransomware, breaches, migrations, and legal holds. The undeniable solution for the inevitable. Back up better with CrashPlan. Try it for free at crashplan.com.
Dave Bittner: The U.S. federal government issues voluntary security guidelines. Possible privilege escalation with Google Cloud, and APT compromises JumpCloud. FIN8 reworks its Sardonic backdoor and continues its shift to ransomware. Ben Yellin looks at privacy legislation coming out of Massachusetts. Our guest is Alastair Parr of Prevalent, discussing GDPR and third-party risk. And some noteworthy Russian cybercrime: they don’t seem to be serving any political masters, they just want to get paid. Ha. I’m Dave Bittner with your CyberWire intel briefing for Tuesday, July 18, 2023.
The U.S. federal government has issued some standards and guidelines that affect cybersecurity practices. The NSA and CISA have issued guidance for 5G network slicing, that is, the preparation of a set of logical networks that ride atop a common infrastructure. The guidance, in their words, is intended to help foster communication amongst mobile network operators, hardware manufacturers, software developers, non-mobile network operators, systems integrators, and network slice customers, in the hopes that it may facilitate increased resiliency and security hardening within network slicing. CISA has also published a fact sheet outlining free tools for cloud environments, to help businesses transitioning into a cloud environment identify proper tools and techniques necessary for the protection of critical assets and data security. And just this morning, the White House has announced a cybersecurity labeling program for smart devices. It’s been anticipated for some time. Under the proposed new program, consumers would see a newly created U.S. Cyber Trust Mark, in the form of a distinct shield logo, applied to products meeting established cybersecurity criteria. The goal of the program is to provide tools for consumers to make informed decisions about the relative security of products they choose to bring into their homes. Manufacturers and retailers who have committed to the voluntary program include Amazon, Best Buy, Google, LG Electronics, Logitech, and Samsung.
Orca Security reports a privilege escalation vulnerability, Bad.Build, in Google Cloud that could open the door to supply chain attacks by allowing an attacker to infect users and customers. Orca wrote this morning, as we have seen with the SolarWinds and recent 3CX and MOVEit supply chain attacks, this can have far-reaching consequences. Orca’s report explains: by abusing this flaw, that enables the impersonation of the default Cloud Build service account, an attacker can manipulate images in Google’s Artifact Registry and inject malicious code. Any applications built from the manipulated images are then affected, with potential outcomes including denial of service attacks, data theft, and the spread of malware. Orca Security has alerted Google, and Google has closed the vulnerability. But Orca suggests that affected organizations pay close attention to the details of their instances. Orca writes, the revoked permission wasn’t related to Artifact Registry, which turns the supply chain risk into a persistent one. In view of this, it’s important that organizations pay close attention to the behavior of the default Google Cloud Build service account to detect any possible malicious behavior. Applying the principle of least privilege and implementing cloud detection and response capabilities to identify anomalies are some of the recommendations for reducing risk.
JumpCloud announced that its systems were breached in a sophisticated attack conducted by a state-sponsored threat actor on June 27th. They found unauthorized access to a specific area of their infrastructure and determined that some of that access had begun as early as June 22nd. They saw initially no evidence of an effect on customers, but they took various precautions that included rotating credentials and rebuilding infrastructure in an effort to shore up their network and perimeter. The company is convinced the attack was sponsored by a nation-state, but JumpCloud is unsure which state was behind the attack. In further forensic investigation, JumpCloud discovered further unauthorized activity, in the form of unusual activity in the commands framework for a small set of customers. In response, JumpCloud performed a forced rotation of all of the admin API keys on July 5th, the same day the unusual activity was discovered. As Ars Technica explains, JumpCloud hosts a user base of over two hundred thousand organizations, with five thousand paying customers, including cars.com, GoFundMe, and Foursquare. JumpCloud also engaged its prepared incident response plan, including the participation of their incident response partner, and notified law enforcement authorities.
The Symantec Threat Hunter team has released a report detailing a new variant of the Sardonic backdoor associated with the cybercriminal gang Syssphinx, also known as FIN8. This new variant of Sardonic is intended to deliver the Noberus ransomware. The Syssphinx tool was discovered in 2022, when it was discovered delivering White Rabbit ransomware. Symantec explained that FIN8’s shift toward ransomware was observed in 2021, after the gang infected several compromised systems in the financial sector with the Ragnar ransomware. Symantec writes, the Syssphinx group’s move to ransomware suggests that the threat actors may be diversifying their focus in an effort to maximize profits from compromised organizations. Symantec explains that the cybercrime gang has revised its tools, noting mainly that the newly reworked backdoor has been rewritten in C, as opposed to its previous version, which was written in C++. Additionally, a new backdoor variant seems to be embedded indirectly into a PowerShell script, which differs from its previous version, in which it featured an intermediate downloader shellcode that downloads and executes the backdoor. Symantec concludes its report with a snapshot of the gang, stating: Syssphinx continues to develop and improve its capabilities and malware delivery infrastructure, periodically refining its tools and tactics to avoid detection. The group’s decision to expand from point-of-sale attacks to the deployment of ransomware demonstrates the threat actor’s dedication to maximizing profits from victim organizations. The tools and tactics detailed in this report serve to underscore how this highly skilled financial threat actor remains a serious threat to organizations.
And finally, integritas. That’s what we’ve heard the Roman legionnaires would say to their centurion to report that their armor and the rest of their gear was intact and in order, and that they themselves were standing tall and looking good. Integritas: one, whole, solid, consistent with one’s duty, or more generally with one’s values. That’s integrity. And it’s worth remembering that there can be a kind of integrity even among criminals. A bit of honor among thieves. We’ve grown accustomed to seeing criminal gangs and hacktivists function during the hybrid war Russia has unleashed against Ukraine as either privateers or auxiliaries operating in the interest of one of the belligerents; usually that belligerent has been Russia. And the extent to which the Russian security and intelligence agents have made use of their country’s criminal classes is one of the striking features of the war in cyberspace. It seems, however, that at least one Russian, or at least russophone, cyber gang, RedCurl, has continued to act in a purely criminal fashion, not obviously working in the interest of any government. Researchers at F.A.C.C.T., which The Record describes as an offshoot of Group-IB, describe RedCurl’s action against both Russian and Australian targets. The gang’s initial approach is through phishing. Their goal isn’t either the installation of ransomware or the threat of extortion through doxing; rather, RedCurl engages in commercial espionage, seeking to steal valuable business information for subsequent resale in the C2C market. About half of RedCurl’s attacks have hit Russian targets. The other half have been distributed across Ukraine, Canada, and various European countries. We grudgingly admit that there’s something refreshing about a gang that’s in it just to get paid, not caring about national interest or glory. There’s a kind of criminal integrity here. It’s a base and deplorable integrity, but there’s a consistency in their values.
Still, we hope they receive some approximation of justice, and that some authority somewhere brings them to book. Whether it’s the FBI or the FSB, the police or the militia, it doesn’t much matter. Good hunting, John or Jane Law, wherever you may be. By the way, we hope that stuff about legionnaires and centurions and integritas is true. Our historical desk is the source, and they usually get it right, but sometimes we wonder if they get their Roman history from Tacitus or from watching reruns of Gladiator on Netflix. In any case, integritas. Coming up after the break.
Dave Bittner: Ben Yellin looks at privacy legislation coming out of Massachusetts. Our guest is Alastair Parr of Prevalent, discussing GDPR and third-party risk. Stay with us.
Sponsor (Strata): Struggling to secure on-prem apps with modern identity? Don’t worry, you’re not alone. Join industry leaders from Fortune 500 organizations to secure your apps on any cloud with any IdP, regardless of your environment’s complexity. Meet Strata’s identity orchestration platform, Maverics. Say goodbye to the headaches of app refactoring and legacy tech debt. With identity orchestration, you can modernize legacy apps to use MFA or passwordless authentication in a few weeks, migrate from one IdP to another, and so much more, without changing the app. No matter your IAM use case, Strata extends the value of your current identity investments. And the best part? You can try it for free today. Visit strata.io/cyberwire to share your biggest identity challenge, and they’ll hook you up with a complimentary pair of AirPods Pro. Don’t miss out. Visit strata.io/cyberwire. That’s strata.io/cyberwire.
Sponsor (Cinteot): And now a word from our sponsor, Cinteot. As an 8(a), HUBZone, minority- and women-owned small business company, Cinteot specializes not only in software engineering but in artificial intelligence and cybersecurity as well. Cinteot’s customers, and they retain those customers, include the U.S. Department of Defense, the intelligence community, and the Departments of State and Justice. Their mission is to protect the systems that protect the people who protect us. If you’re looking for a partner in accomplishing your mission, check out cinteot.com. That’s c-i-n-t-e-o-t.com. Your partners in everything data and cybersecurity.
Dave Bittner: Thank you. GDPR has been in effect for just over five years now. And in their 2023 Third-Party Risk Management Study, the team at security firm Prevalent looked at the impact of GDPR on the practice of third-party management, with its treatment of privacy as a core requirement. Alastair Parr is senior vice president of global products and delivery at Prevalent.
Alastair Parr: What we are experiencing is an uptake in things such as the quantity of identified data breaches or impacts from a third party. And we actually allocate and equate some of that to the fact that people have improved visibility. And that’s a general trend when you start looking at the general insights across the space: we see increased volume of issues and incidents. And that’s down to the fact that there is a plethora of tools and technologies out there to aggregate the data at scale that people didn’t necessarily have several years ago. So visibility has certainly improved, but people still have, ultimately, automation issues and remediation issues across the space.
Dave Bittner: It seems to me, on the surface anyway, to be such a daunting task, you know, because when you think about all of your third-party suppliers, and you think about their suppliers. What do you recommend in terms of an approach to this, to break this down into manageable pieces?
Alastair Parr: Completely agree. So absolutely, the challenge is that typically we’re talking thousands, tens of thousands of third parties, and it’s a very daunting and overwhelming challenge. So typically we see people reaching out trying to understand: how can I actually right-size that into something that’s manageable, regardless of whatever automation tools I have, regardless of how engaged the third parties are or how accurate the vendor inventory is? People ultimately need to understand how they can right-size that so they can invest what limited time and effort they have into the right areas.
Dave Bittner: And the people who are successful there, are there any common elements?
Alastair Parr: Yes. Very much so. So the most successful third-party risk and lifecycle programs that we see tend to be fixated on the internal focus as much as they are the external. Of course, vendor interactions are important: being able to aggregate the data and work with the third parties to remediate core deficiencies and dependencies. But the internal aspect is equally important: being able to build up that vendor inventory with the business, getting the business and the stakeholders involved and ultimately invested in the program, is foundational. So one of the key findings that we found is that, wow, I think it’s circa 71% of programs are actually owned by the information security team. We are seeing circa 63% or 53% of the third-party relationships being owned by procurement or business owners, respectively. So there’s a sort of a seesaw approach, where you need to have the buy-in and the vested capabilities and support of the business in order to be able to drive the program effectively.
Dave Bittner: And to what degree is this a technology issue, of having the right tools to come at this with, versus a personnel issue, in training your employees, things like that?
Alastair Parr: I would say more often than not it’s a process-first issue. So the technologies are out there to supplement, support, automate, and scale the processes. But foundationally, if the processes aren’t right, in the case of who and how do we reach out to the third parties, how do we react and interact with the data outputs that we get, it’s very process-orientated. You need the business involved; you need compliance, audit, procurement, the business owners, execs of course, and infosec and risk management all really working together and being a sort of a cohesive unit.
Dave Bittner: What are your recommendations for that security person who has to make the case for this to their board, to the powers that be, to justify a program like this?
Alastair Parr: So one of the biggest challenges I think they face is the fact that it’s not necessarily a revenue-generating function. It’s a case of it’s an insurance mechanism: they’re addressing and managing risk to a proportionate level so that things don’t happen. And what certainly helps is when you start seeing incidents and events occur where third parties have had data breaches or events, and you’ve been able to detect it and react to it accordingly. So using legacy insurance mechanisms, where you’ve been able to avoid adverse reputational damage from historical events, is certainly useful. But then also identifying how you can use the program to actually save through the procurement cycle. So for example, we’ve identified issues and incidents with operational resilience of third parties, or their contracts outstanding, and people using that leverage in the renegotiation cycle to actually deliver better services, reduce cost, etc. So there is potentially a dollar element to it as well.
Dave Bittner: What do you suppose the future holds for third-party risk management? Where do you see us headed here?
Alastair Parr: Good question. So one of the long-standing headaches, I think, in third-party risk management is that interaction between vendors and, of course, the business itself. There’s a heavy reliance on things like assessments. There’s a lack of standardization on assessment structures, which isn’t going away, purely because each organization typically has their own variants. In fact, over 70% of our customers alone, or the hundreds of programs that we manage, actually use custom content and assessments in their programs. That’s not going away. So what we start, and what we expect to see, is components such as AI ultimately helping in translating and adapting various content sources into the answers that we need. So programs don’t care about assessments; they care about results, they care about risks. So however we aggregate the data, whether it’s SOC 2 reports, whether it’s proprietary policy documentation, as long as we can analyze it at scale and be able to translate that into tangible risks and context, that’s very much where the entire third-party estate and environment is really going to head.
Dave Bittner: Yeah, it’s a really interesting insight. I mean, I think in particular that translation layer, to be able to make your case to the board and to your colleagues, is so important. And yet, I think it’s my experience that lots of folks still struggle with that.
Alastair Parr: Yes, absolutely. So the ability to translate the technical language of risks, bar colors, you know, red is bad, can be lost on some programs. So you’re absolutely right. So when we tend to build KPI and KRI material for the boards and the execs, it tends to be very much persona-focused. We are looking at making sure that we’ve got the right data points that they’re curious about and they’re interested in, which help them understand: are they at risk?
Dave Bittner: That’s Alastair Parr from Prevalent. And joining me once again is Ben Yellin. He’s from the University of Maryland Center for Health and Homeland Security, and also my co-host over on the Caveat podcast. Ben, it’s always great to have you back.
Ben Yellin: Good to be with you, Dave.
Dave Bittner: So, interesting proposed legislation coming out of Massachusetts here when it comes to the buying and selling of location data. What’s going on here, Ben?
Ben Yellin: So this law would be the first of its kind in a state legislature across the country. Massachusetts lawmakers in both the State House and Senate are weighing a near-total ban on the buying and selling of location data drawn from mobile devices in the state. Other states, controlled by both Democratic and Republican legislatures, have passed broad data privacy legislation. But this would be the first that would institute a near-total ban on buying and selling of this location data. So one element of the law would institute a warrant requirement for law enforcement access to this data. That’s important. It really codifies the Supreme Court’s holding in the Carpenter decision from 2018, preventing warrantless searches of historical cell site location information.
</gre_replace>
<gr_replace lines="41" cat="clarify" orig="Dave Bittner: Would">
Dave Bittner: Would this also prevent law enforcement from purchasing that data without a warrant?
Dave Bittner: Would this also prevent law enforcement from purchasing that data without a warrant?
Ben Yellin: It would. Any law enforcement access without a warrant would be prohibited.
Dave Bittner: Okay.
Ben Yellin: The broader prohibition that’s outlined in this law, which I think is more significant, is that data brokers would be banned from buying and selling location information about state residents without court authorization. So there are limited exceptions and circumstances where it would be useful to the consumer, things like sharing location for ride-sharing purposes, for weather applications, etc. But the law would be certainly the broadest in this country, and it would have a major impact. There’s a coalition of civil liberties and privacy groups that are supporting this legislation, thinking that it could be a test case for broader nationwide legislation that would institute bans on buying and selling location data. We’ve seen similar laws proposed at the federal level, though not come anywhere close to being enacted to this point. But there’s pretty broad opposition as well. There is a trade association that spoke in opposition at a recent joint hearing on this bill. A lawyer named Andrew Kingman, who was representing this trade association, the State Privacy and Security Coalition, said that while they support heightened protections for certain types of personal data, this law is just overbroad. They should look at some other states, including neighboring Connecticut, which passed a data privacy law but didn’t go as far as having an outright ban on data brokers buying and selling this data. Rather, it gives consumers the ability to opt out of sale. So it’s still providing consumers with a choice: if the consumers find the data that these companies are collecting useful for their own purposes, then the consumer can consent to that type of collection.
But I think that certainly does not go far enough for some of these privacy and civil liberties advocates, who see that not only are companies purchasing this data, but local police departments and federal agencies have also purchased location information and are using it for law enforcement purposes, and that’s kind of an end run around the Fourth Amendment that groups like the ACLU see as very dangerous.
Dave Bittner: Right, and there’s a huge difference between an opt-in and an opt-out by default.
Ben Yellin: Oh, absolutely. I mean, the opt-out means that you have to be technologically savvy enough to take some action to opt out of it. You could bet they’ll hide it somewhere.
Dave Bittner: They’ll hide it somewhere deep in the settings, yeah.
Ben Yellin: Right, exactly. Your thumbs are gonna get tired trying to find that page where you can opt out. Whereas an opt-in, you know, that’s really the reverse. It kind of goes back to a concept, ironically from a Massachusetts academic himself, Cass Sunstein, on the idea of a nudge: that it makes a huge difference what the default is, because people are so unable or reluctant to take action to either opt in or opt out that whether the default is opt-in or opt-out ends up making a huge difference.
Dave Bittner: Yeah, interesting that this has also caught the attention of abortion rights advocates. What’s their interest here?
Ben Yellin: Yeah, so abortion rights advocates have argued persuasively that phone location data, particularly when it’s available for sale, could lead state governments in states where abortions have been either curtailed or prohibited entirely after the Dobbs decision last year to track people traveling out of state seeking the procedure, for the purpose of instituting or initiating prosecution. And that’s certainly a valid concern for abortion rights advocates. I think the fact that this data is widely available, that it can be accessed without a warrant, that all it takes is a chunk of change to purchase the data, I think is particularly dangerous for individuals seeking to travel out of state to obtain abortions. And it’s not just abortions that have raised particular privacy concerns; they also mention in this article digital stalking, national security threats. All of those things can present themselves as problems when data is available for sale. So we have these kind of particular circumstances that have raised concerns for these groups. I think that’s part of the impetus behind the push for this legislation.
Dave Bittner: Is it likely, given the makeup of the Massachusetts legislature, that this will move forward? What do you think?
Ben Yellin: Yes. I would have to say the prognosis is quite positive. The Massachusetts legislature is dominated by Democrats. There’s like five Republicans in the entire Massachusetts state legislature. The current majority leader of the Massachusetts State Senate is the sponsor of this piece of legislation. She testified for it at the hearing. So you have a pretty powerful person aligned with this legislation. The governor is a Democrat as well, though that doesn’t really matter, since the legislature has veto-proof majorities.
Dave Bittner: Right.
Ben Yellin: But yeah, the prognosis, I think, for this legislation is quite positive.
Dave Bittner: All right, well, we’ll keep an eye on that one. An interesting development, for sure. Ben Yellin, thanks for joining us.
Ben Yellin: Thank you.
Sponsor (Drata): Isn’t fun, but neither is a data breach or losing a customer. That’s why Drata automated it. With automated evidence collection, over 80 integrations, and 24-hour monitoring, Drata automates the compliance process and keeps you audit-ready year round. Drata supports over 14 frameworks, including SOC 2, GDPR, HIPAA, and ISO 27001. With over 455 star reviews, Drata is the highest-rated cloud compliance platform on G2. Listeners of the CyberWire Daily can get 10 percent off Drata and waived implementation fees at drata.com/partner/cyberwire.
Dave Bittner: Thank you. And that’s the CyberWire. For links to all of today’s stories, check out our daily briefing at thecyberwire.com. We’d love to know what you think of this podcast. You can email us at cyberwire@n2k.com. Your feedback helps us ensure we’re delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We’re privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world’s preeminent intelligence and law enforcement agencies. N2K strategic workforce intelligence optimizes the value of your biggest investment: your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tré Hester, with original music by Elliott Peltzman. The show was written by our editorial staff. Our executive editor is Peter Kilpie. And I’m Dave Bittner. Thanks for listening. We’ll see you back here tomorrow.
Sponsor (mWISE): Of cybersecurity mega conferences, mWISE is different. With a focused agenda and targeted problem solving, mWISE is where security’s best go to get better. From September 18th through the 20th in Washington, DC, you’ll join a special community of security’s sharpest minds, gain perspectives you might not get anywhere else, and reach a new level of mastery that’ll prepare you for what’s next. Register early and save at mwise.mandiant.com/conf23. That’s mwise.mandiant.com forward slash c-o-n-f-2-3.

©2025 Mitratech, Inc. All rights reserved.