Lessons for Cybersecurity Leaders From Russia-Ukraine WarAlso: Okta Breach Postmortem; Progress on Going Passwordless
The latest edition of the ISMG Security Report analyzes what lessons cybersecurity leaders can learn from the Russia-Ukraine war. It also examines the Okta data breach and Lapsus$ attack and describes how tech companies are supporting new developments in the FIDO protocol.
In this report, you'll hear (click on player beneath image to listen):
- ISMG's Mathew Schwartz analyze the lessons cybersecurity leaders can learn from the Russia-Ukraine war, as discussed during this week's CyberUK 2022, the U.K. Government's flagship cybersecurity conference;
- ISMG's Jeremy Kirk revisit Okta's data breach debacle after the company was attacked by the Lapsus$ group;
- Jeremy Grant, co-founder of the Better Identity Coalition, discuss the significance of Apple, Google and Microsoft joining forces to support the newest developments in the FIDO protocol (see: Apple, Google, Microsoft Unite to Make Passwordless Easier).
The ISMG Security Report appears weekly on this and other ISMG websites. Don't miss the April 28 and May 5 editions, which respectively discuss whether rewards are effective in combating nation-state cybercrime and whether the tide is finally turning against ransomware.
Anna Delaney: What cybersecurity lessons should security leaders be learning from the Russia-Ukraine conflict and the post-mortem of Okta's data breach debacle, these stories and more on this week's ISMG Security Report.
Hi, I'm Anna Delaney. More than 75 days after Russia invaded Ukraine, what cybersecurity lessons should security leaders be learning from the conflict? That's been a topic under discussion at this week's CYBERUK conference in Wales, held annually by Britain's National Cybersecurity Center. Matthew Schwartz is executive editor of DataBreachToday and for Europe. And he joins me now to discuss the conference. Matt, what have you been hearing?
Matthew Schwartz: Well, as you noted, Anna, we're well into Russia's invasion of Ukraine, and CYBERUK is a great event, in part because it gathers government cybersecurity czars and intelligence officials. And it's always fascinating to hear their takeaways from the top events of the day. And of course, the Russia-Ukraine war is probably amongst the top of those events, and has been a frequent point of discussion, not just in terms of the takeaways for cybersecurity leaders, but also some of the surprises that these officials are seeing. And surprise number one, I think everyone can probably agree would be the fact that on the cybersecurity front, we haven't seen anything yet that looks like cyber war. So a national security agency official in attendance, Rob Joyce says that he's counted at least eight different strains of Wiper malware. And there's also been a number of different attacks targeting Ukraine and beyond. Here's Jeremy Fleming, the director of Britain's GCHQ Intelligence and Cyber Security Agency, in his opening keynote speech Tuesday at CYBERUK:
Jeremy Fleming: Perhaps, the concept of a 'cyber war' was overhyped, but there's plenty of cyber about including a range of activity, we and partners have already attributed to Russia. We've seen what looks like spillover activity that has affected other countries. And we've seen indications that Russia's cyber operatives continue to look for targets in countries that are opposing their actions.
Delaney: And what else is taking conference speakers by surprise?
Schwartz: So on Tuesday, there was a great panel discussion involving the aforementioned government cybersecurity czars, not just from Britain, but also the US, Australia and the EU. And all of them agreed. One of the most big surprises of the conflict has been the role played by the hactivists. Hactivism, you may remember, used to be big back around 2010-2011. And then it fizzled out. But with the conflict, we've seen it come storming back. Here's Abigail Bradshaw. She's head of Australian Cyber Security Center, which is part of the country's Signals Directorate.
Abigail Bradshaw: One aspect that took us by surprise, though, was the emergence of these cyber, civil vigilantes we call them, and the scale of them and then there's some reports about 300,000. On any one day, you might have 59 issues group on the side of Ukraine and 20 odd on the side of Russia, the numbers change on a day by day basis. But the public engagement in that course by the actors and the capacity for that to actually introduce extreme unpredictability that the opportunities to spill over and actually for wrongful attribution and retribution and escalation, which in our world is highly problematic. I think the emergence of those it's worth analyzing and calling them out, the new sorts of behaviors that break those global norms which we hold so dear.
Delaney: What lessons should chief security officers be learning from Ukraine?
Schwartz: Great question. We've seen hacktivism resurge. Is that really going to be a corporate threat, for example? That remains to be seen. Also, we haven't seen a huge number of attacks emanating from Russia, although as GCHQ's Jeremy Fleming noted, Russia is targeting critics of Putin. So there's things to be aware of there. But taking those two takeaways into account, as well as the other items that have been under discussion, the big lesson to be learned here is the importance of resilience. All of the cybersecurity officials that I've seen speak have praised Ukraine, for the fact that it's been targeted by a very major cyber adversary namely Russia, and Ukraine has not been knocked down, far from it. Here's Rob Joyce. I mentioned it before. He's director of the NSA's Cybersecurity Directorate. And he said, in a panel discussion at the conference, "Ukraine's ability to resist repeated Russian efforts to destroy its systems and to hamper its critical infrastructure is not happenstance."
Rob Joyce: It's very clear! A number of Wipers, I can think of at least eight unique variants of Wipers that have been deployed against Ukraine and they've responded, kept their systems up, and rebuilt their systems. But I think one of the things they've done is they have emergency plans, having been under pressure for years, it hasn't been just this crisis, but they have been able to practice and they understand what good incident response is, and they're able to then recover. And I think having a practice plan, as well as the recovery plan is a really vital lesson we should all take.
Schwartz: Other officials also hammered this point home. Here's Lindy Cameron, CEO of Britain's National Cyber Security Center:
Lindy Cameron: Certainly, that's one of the lessons I'd love the public to learn from this is that you don't need to be passive in response to this actually, there's stuff that you can do, please get on with it as fast as possible. But you know, you can be active in your own cyber defense. I think it's a really important lesson to people that even in the face of a significant state adversary, you don't need to freeze in the headlines. So I think it's a great lesson to take away and it's been very impressive. We also have been very proud to be assisting Ukrainians with that, and I know other colleagues have as well.
Schwartz: So there you have it. Incident response remains essential. Resilience and planning to be able to survive and recover from attacks, in part by not just planning but rehearsing those plans also remains essential. And in Cameron's words, we know these things now, please just get on with it as fast as possible.
Delaney: Wise words indeed. Thanks, Matt.
Schwartz: Thank you, Anna.
(Transition Ad: You are listening to the ISMG Security Report on ISMG Radio. ISMG - Your number one source for information security news.)
Delaney: How does a minor security event become a customer relationship headache while perhaps identity management vendor Okta has a few thoughts. Jeremy Kirk, our managing editor of security and technology, revisits one of the most talked about breaches of the year so far.
Jeremy Kirk: Recently, a group calling itself Lapsus$ went on a hacking spree. It released source code from Microsoft and T-Mobile and data from other companies including Samsung and Nvidia. Then in March Lapsus$ claimed to high profile victim Okta, one of the most popular identity management vendors that counts big name clients around the world. Lapsus$ claimed to have powerful access and publish incriminating screenshots that appeared to support its claims. The problem was nearly none of it was actually true. But it caused major headaches for Okta, as its customers feared their identity access systems might be at risk. Luckily, those systems were not but the optics really looked bad. Brett Winterford is regional chief security officer with Okta and APJ.
Brett Winterford: When those screenshots were published, most people took what they said on face value.
Kirk: At the center of the drama was a company called Sitel, which was Okta's customer service support contractor. In January, Lapsus$ briefly gained access to a thin client session of one of Sitel's customer support engineers, but the access wasn't nearly as powerful as the group claimed. Here's Winterford again:
Winterford: And so that we're able to click around to take some screenshots. That session was 25 minutes. Out of five days of being on the social network, they were basically able to do this shoulder surfing exercise for 25 minutes. They attempted a few things. But the actions that they attempted didn't result in any compromise or configuration changes.
Kirk: Sitel hired a top notch forensics firm to investigate the incident. But it still hadn't provided the report to Okta, when Lapsus$ suddenly dumped the screenshots on Telegram in March. That left Okta in the lurch. Winterford says Okta was confident its customers didn't need to take actions such as resetting passwords, but it still didn't have the full data or logs from Sitel. And when Sitel did send the report, they mistakenly sent it to Okta's procurement department. Winterford says Okta should have more aggressively pursued obtaining the report.
Winterford: And that was a mistake. We followed up on several occasions, trying to get more information. But at the end of the day, we were way too patient.
Kirk: Winterford says the incident highlights the importance of having visibility into the systems of third party partners when a security incident happens. Otherwise there's what he calls a log jam of information where one party is dependent on another party to finish their part of an investigation. It's a tough problem to solve but one that many companies are facing with breaches that touch their partners as well. Winterford says, if Okta had good data and logs from Sitel early on, the situation wouldn't have snowballed into the event that it did. For what it's worth, Okta cut Sitel loose after the incident. Here's Winterford again:
Winterford: No one sees a distinction between a third party support provider and Okta. They see an Okta application in those screenshots. What really matters to me is visibility, our ability to respond in that moment and say things with absolute confidence. And I think that if were to come out within 12 hours, and with a technical blog post that really walked people through exactly the extent to what the threat actor could and could not have viewed, this would have been over in a heartbeat. It's down to visibility. You've got to put yourself in a position where you're not relying on your Comms team to put out a fire, that you actually have the visibility to say the things with confidence that you need to say.
Kirk: For Information Security Media Group, I'm Jeremy Kirk.
Delaney: Finally, the FIDO Alliance had some big news this week. FIDO, which is focused on providing open and free authentication standards to help reduce the world's reliance upon passwords, announced that Apple, Google and Microsoft have joined forces to support the newest developments in the FIDO protocol. Co-founder of the Better Identity Coalition, Jeremy Grant told our senior vice president of editorial, Tom field, just how big a watershed moment this is, since FIDO's creation.
Jeremy Grant: I think it's the inflection point that's going to allow us to finally make password list login by default. People talk for years about killing the password. When I was running the instinct program at NIST, we talked about part of our mission was shoot the password dead. Part of it has been getting to this point where you not only have standards, but also by it. And I think that latter part's really important. Already today, given the embrace you've seen by the three big platforms and other big tech companies and banks and chip makers and others, it's literally impossible to go buy a device today, running an operating system from Microsoft, Apple or Google that doesn't support FIDO out of the box and the device at the operating system level at the browser. But now, the buy-in at this next step to enable these multidevice credentials and actually make it easy and practical for consumers to log in with asymmetric public key cryptography. That's the real news here is that they're all saying we're not going to compete against each other on this point, or they might compete in the details of the implementation. But we're all going to agree to collaborate here because all three of those companies, and I think a lot of others involved in FIDO Alliance, realize that for the health of the security ecosystem, killing passwords really has to be the priority. And so this is from my perspective and big step forward.
Delaney: That's it from the ISMG Security Report. Theme music is by Ithaca Audio. I'm Anna Delaney. Until next time.