Darin Andersen, Chairman & Founder, CyberTECH
Nick Bilogorskiy, Sr. Director of Threat Operations, Cyphort
Tony Busseri, CEO, Route1 Inc.
Jonathan Dambrot, CEO & Co-Founder, Prevalent
James Carder, CISO & VP of Logrhythm Labs
Sean Martin, CISSP, Founder and Editor-in-Chief, ITSPmagazine
It's alleged that the CIA developed tools designed to spy on people, taking advantage of weaknesses in smart connected devices such as smart phones, smart TVs, smart personal assistants, and other household IoT technologies.
In this discussion, we do a walk-through of what happened, what didn't happen, what systems and devices are impacted, and what data is involved in the leaks. Most importantly, we'll get some insight into what the larger societal impact of this could be.
Join us for this in-depth conversation to learn:
- Where stuff broke down.
- Who is impacted, how are they impacted, and what’s at risk.
- What the government can do to help.
- What the commercial InfoSec community can do to help.
- What consumers need to know to help (protect) themselves.
HERE ARE SOME ANSWERS TO QUESTIONS RAISED DURING THE WEBINAR FOR WHICH WE WERE UNABLE TO ADDRESS DURING THE LIVE SESSION
Question: Why WiKiLeaks did not disclose the capabilities of Russian Government or Chinese Government or Iranian Government, etc.?
Nick Bilogorskiy, Cyphort: I believe that is because of a conflict of interest. The timing and content of previous Wikileaks disclosures, makes it likely they are coordinating with Russian intelligence and taking the Russian side in the "cold war 2.0".
Wikileaks' Julian Assange is a state of war with the American government. He was the one who recommended to Snowden to seek asylum in Russia. He tried to deflect on DNC hack, claiming he didn't get Podesta emails from Russia. He attempted to discredit the Panama Papers, which alleged corruption among many of Russia’s political and financial elites. In 2011 Julian allowed his friend and WikiLeaks staffer Israel Shamir to hand off documents to a pro-Kremlin publication exclusively, and then use his documents to aid a state-sponsored crackdown on dissidents in Belarus. Then, of course, there is his TV show, paid for by Kremlin-funded English language channel Russia Today.
To me, Julian Assange appears to be either a paid agent, or being manipulated by the Russians, and that's why we will not see him disclosing capabilities of Russian Government of their allies.
James Carder, Logrhythm: I think there are a couple scenarios here. There are different laws or consequences related to exposing this type of data in each of those countries and that could have an impact. The second being that they didn’t have as significant of a collection for the other countries that you have listed. A drop of 9000 documents from one agency is significant and they might not have the same for the other countries.
Question: This is vastly complex, the OPM breach was massive federal failure. This is so much worse than most understand. "corporate IT" ranges from good to just poorly managed. Laws are important but we need comprehensive tools and a "path" in corporate land. Basically it has to be a box or something to install. or a platform
James Carder, Logrhythm: I agree that OPM was a massive failure in a lot of ways. I think we do have comprehensive tools and a path but that still doesn’t make this easy. There are platforms available today that can leverage a number of other products, tie them together, and manage your entire threat lifecycle from detection to response and remediation, to include future prevention. The key is getting these pieces tied together so you can leverage the orchestration and automation features of a security platform. I would agree that companies and the government need to do this.
Nick Bilogorskiy, Cyphort: I agree corporations need better tools to manage the risk from such breaches. I recommend 5 things in this respect:
- Upgrade your breach detection tools to include a platform that has visibility into web, email and lateral vectors for threats payloads and communication, can catch zero-day attacks by behavior; uses deep learning analytics and correlates alerts from all security vendors into a timeline view.
- Train your staff on recognizing phishing. I recently spoke to a large company where their phishing open rate decreased from 30% to 5% after cybersecurity awareness training.
- Use multi-factor authentication by default, stop using passwords alone (https://medium.com/@nickbilogorskiy/no-more-secrets-why-passwords-are-the-new-exploits-abeeef0bc55e#.n9um3eh21).
- Backup your critical data offsite to be safe from ransomware (https://www.brighttalk.com/webcast/14473/222271).
- Obtain data breach insurance, you will need it.
Question: The US federal government has forward-thinking policies in place that mandate compliance with cybersecurity best practice. With the almost daily occurrence of data breaches, shouldn't corporate America face similar requirements?
James Carder, Logrhythm: I[endif]I think corporate America does do this to some degree. If you are a part of a regulated industry, there are regulations around the protection of data, personal information, financial records, health records, etc. Many of these regulations leverage security best practices and standardization through organizations like NIST. It just goes back to the investment in getting the program (people, process, and technology) stood up and maintained.
Question: Doesn't our government have a duty to protect us as from risk? If they spend all that money and effort and research (our money) to learn about ways to 'spy', to learn of these vulnerabilities - then there's something wrong when they keep quiet about it so they can use it on others but leave us at the same time all vulnerable. Doesn't matter if it's companies or citizens who are vulnerable. It's a conflict of interest ethical dilemma. Makes me feel betrayed.
James Carder, Logrhythm: You bring up an excellent point. Our government does have an obligation to protect us to some degree and reduce risk to some degree. There are some parties that want more ability for the government to do this work and some parties think we have too much of it today and reduce the amount of government oversight and protection. As for the government and their spending on cyber security, I think they tend to do a good job of balancing defense and protect with the ability to be offensive in nature. The offensive capability is actually defense in its own right as countries that know another country has the ability to retaliate may not attack that country in the first place. I also feel like the money invested in cyber espionage also aids in our defense. I do agree that there is some potential risk in knowing about vulnerabilities and not disclosing them to the manufacturer or vendor, leaving the rest of us consumers exposed to some degree. There is also another side of it that says disclosing or exposing that vulnerability could put consumers at more risk if not properly handed. An example being a medical device that could be exploited, potentially killing a patient. If that exploit gets into the wrong hands it puts patients across the globe at risk. In the end, it is a fine balance.
Question: Should we just remove the 4th amendment?
James Carder, Logrhythm:No, of course we shouldn’t remove the 4th amendment. You don’t change a core principle of what this country stands for and was founded on when things get a little tougher. You figure out a way to work within our laws and our principles. I think an alternative to the 4th amendment would be even worse for our way of life. There are countries where this is the case and I’m willing to bet many of them would trade place with us.
Additional Reading: Remember When We Were the Listeners and Off Meant OFF!?