This is our cybersecurity today month end. In review panel. We have Dana Proctor back with us from Ottawa. Hooray. Are you sure? Pleasure to be back. We have a new guest, Randy Rose from the Center for Internet Security, and Randy is from Saratoga Springs. Doesn't that sound nice at this time? Saratoga Springs, New York. Welcome. Thank you. And the old familiar we, David Shipley, the old familiar, no. Yeah. We got David Shipley, he's always here. We've got David Shipley from Fredericton.
And David, by the way, has started doing the Monday morning Cybersecurity Today newscast, and it's been a while since I've just been able to wake up on Monday morning and listen in. What a treat. And we have me, Jim Love, from the heart of Haliburton County, the heart of the ice storm. We don't have power here yet. We're hoping any day now. That's crazy. That's horrible, Jim. That's horrible. Yep. Yeah, so this has been our, this is our month in review show.
And as all of the people in the audience know, we bring some stories and we talk about them and try and find some insights into them. And generally, yeah, it's a good opportunity for us to get together and share information as well. And as you were saying, Dana, just before we went on air, this was pretty easy pickings. Not easy pickings, there's a lot of opportunity out there for stories that you go, oh, wow. So shall we start? Let's do it. Let's go.
Okay. David, you brought the first one, and this was Oracle. I'll let you lead with this one. This was fantastic. We'll start with a little bit of humor here. Gather around the fireplace, kids, for stories of how not to do incident communications. Listen, breaches happen. They happen even to the big kids. Microsoft's been hit, security companies have been hit. People get hit.
It's important to be honest when it happens, because the speculation, the rumor mill, The Register's savage headlines, and The Reg, they're just not worth dancing around. I know we live in the era where we call ransomware an unauthorized penetration test that our backups failed to respond to, or some other bureaucratic speech. But man, now we're at the point where Oracle Cloud wasn't hacked. It was Oracle Cloud Classic, like Coca-Cola gets away with Coca-Cola and Coca-Cola Classic.
Come on, guys. Now this is a long intro here, David. The story is a group said that they'd hacked Oracle. Oracle denied it. The group said, hold my beer. And they sent to Bleeping Computer, I think it was, here's how you can get on and see a message on the Oracle server. I'm gonna go put one there for you now. And they went, whoa. Now Oracle, being the transparent organization, they said, no, this isn't happening.
And then I think the whole story broke, and it is quite obvious that something happened there. And let's be clear, at this point I feel like Sesame Street, which is still on the air, despite cuts that are coming to NPR and other things in the United States. I feel like the Count: it's not one breach, it's two breaches, 'cause it's Oracle Cloud Classic. And privately, some of their healthcare clients are getting notifications. So this thing is just metastasizing.
And what's hilarious is, so they say we weren't hacked. Then the hacker goes, hold my beer. Then they say it was Oracle Cloud Classic, and it's only stuff from 2017. And the hacker goes, here's some records from 2024. So it's, guys, stop bleeding. And if we're gonna use memes as visualization, there's this classic scene from The Simpsons where the kid is crying. He's like, stop hitting him, he's already dead. I'm starting to feel bad for you guys.
Now I've gone on this whole emotional journey where I was like, oh my God, you've been breached, to I can't believe you're not communicating it, to oh, everyone, including myself, we're just part of this train now of, what are you doing? So Dana knows what's happening here, Randy, but David's also our culture critic. Sounds like it. Yeah. But the issue comes up, and it comes up again, and I've almost been.
I'm wondering whether I'm too cynical, or sometimes I come across, 'cause I get these things in stories where I read corporate communication and I just start calling it the blah, blah, blah, blah, blah. Maybe we can get by with that in companies, but in cybersecurity, if you're not candid, I know it hurts, but if you're not candid and open, you're gonna have more pain in the long run than you do by just putting this out.
I still remember the big hacks that have happened where people have come straight out and said, we got hacked. It happens. We're looking at it, we're dealing with it. We'll give you as much information as we know, and that happens and those companies come back. Yeah. I think you're hitting on such a great point there. And I think any of us that do any type of simulation, we'll be talking about a good holding statement. A good holding statement doesn't involve smoke and mirrors.
A good holding statement doesn't involve inaccurate information. If you don't know, don't say. But yeah, Incident Management 101. To your point, David, don't say things that aren't true, and work with your comms team on a better holding statement. Okay. And if you don't know, don't say anything until you do. I'd lean this out into 23andMe. A lot of their bankruptcy is certainly being attributed to the breach that they had and the privacy concerns.
I know we can talk more on that, because this was a softball of a month to pick which ones to review, Jim. But very much, breaches do have a way of bringing our businesses, if not our future trajectory, down significantly. Yeah. And Randy, what about when you're advising clients and when your organization is talking to people?
And just to introduce Randy, Randy works for the Center for Internet Security, and it deals with a lot of not-for-profits, I guess agencies and public sector organizations in the US. And there, obviously, when we met the first time we were talking about the school hack. Oh, you're talking about PowerSchool? Yeah, the PowerSchool breach. Yeah. A lot of schools had to come up and get information out to say, by the way, your kids' information is out there. That can't be pleasant.
No, it's, and I think Dana hit on a really good point, which is the communications piece of it. Really, at the end of the day, there's two issues here with Oracle, right? There's the data breach, right? So there's obviously some controls concerns, right? They didn't have proper controls in place, and that led to a breach. And that's one issue, because you're dealing with a breach of data, and the whole other issue is how you communicate about it.
And the irony's not lost on me that, as an IT organization, your role is communications, right? That's what you do. You provide communications. It's digital communications, but it's communications no less. And then you fail miserably at communicating what's actually going on in the organization. I think these are two wildly different skill sets, but they're inextricably linked together. When there's a breach, you have to be able to communicate about it.
And I love that the US Navy aviation community has a wonderful three-step crisis action plan, which is aviate, navigate, communicate. And you think about the kind of crises they deal with. They are in planes, right? They're flying aircraft. When they have a crisis, you're talking about a threat to life and safety. So their number one concern is keeping the plane in the air, aviate, right? Their second concern is, where am I and where am I going? And can I get there?
So that's the navigate piece. And it's only after they know I can keep the plane in the air and I have an idea where I am, like, am I in enemy territory or not? Can I get back to the aircraft carrier or not? Or can I land this thing safely? Only after they figure those things out do they communicate what's going on. And I think that's something that we fail in cyber to simplify our processes, right?
When there's a breach, understand what it is, what's going on, who's impacted, how do we resolve that issue? And then when we have those key pieces, we don't have to know everything, but we just need to know the key pieces to communicate effectively. And I think it's something that some organizations do really well. And a lot of organizations just fail miserably.
And I think, when it comes to the, it's always dangerous in this business to live in our digital houses and throw our rocks and realize that our house is made of glass as well. And my criticism is not that a large global provider got breached. Yeah, man, this is hard. It happens. I think my criticism is that I'm becoming deeply concerned about their ability to do exactly what you just said, Randy. I don't think they can fly the plane. I don't think they know what's going on.
And that to me, I think, could be more damaging than just, yep, something's happening, we're investigating it, more details to follow, and communicating clearly, to what Dana was saying. But the almost circus show, and I've had just about all I can handle of clown and circus shows right now for a lifetime. I don't need to see this in the IT world. Politics has got the market cornered.
Yeah. It is disheartening, isn't it, how they've responded to it, and how they've repeatedly doubled down has been more disturbing. And it does then speak to your point, Randy, of did they have the controls? Were they aware? Are they flying the proverbial plane? And that's a concerning aspect, and I think a lot of our trust in the Oracle brand has been corroded because of their behaviors. When you lose trust, you lose everything in a company.
And yet some companies, like you said, come back and they build that trust. And the irony of a breach is, and even like things that were not cyber attacks but were IT incidents, so CrowdStrike, if you show that you've learned from it, I actually had a number of people who were like, yeah, we renewed our contract with CrowdStrike, or we became a CrowdStrike customer, because they've clearly learned their lesson. And so you can actually rebuild trust through an incident. It's not ideal.
It's not the great way to do it. But there's a way to do it and there's a way not to do it. Yeah. Yep. Speaking of denial making people dig deeper, I did a story on the Signal group chat this month. And the basis of that was a number of people in the US government were communicating using what they thought was an encrypted app. And I didn't make this a political story. It was a practical story for what we think. And that is, oh, we're on Signal.
That's fine. We've got an encrypted communication there. Yeah, only you gotta make sure you don't invite the wrong people to that, or that people can't get control of your phone, because it's great to have an encrypted app, but how do you hear the words and see the words in English? Your phone can decrypt this information, so anybody in that chat can hear everything now. So we went to that first piece of it, and then absolute denial. This was not confidential.
Talk about another communication error. This was not highly secure information. Why? Because I'm the Secretary of Defense and I say what's classified and what's not. This is not classified. And everybody goes, that's semantics. We all know. So people dig deeper into the story. And of course they dug deeper, and there have been at least 20 Signal group chats that they've held around the world on various things. And by the way, while they're traveling.
And how do I know that? Because one of the people from that call, the famous call, was in Moscow at the time. And if you tell me you're carrying a phone in Moscow and it's not been intercepted or been hacked, then I'm gonna tell you, you don't know what you're thinking. There's no way that a device wanders around the city of Moscow, with all of those cybersecurity experts that Moscow has, and they don't break that device. I find that impossible.
And by the way, we all know they're miking your hotel room and all of that sort of thing too. But anyway, that's the political story, but not the politics of it. It's this idea of we fall in love with an app or some process that we've got, and then we stop thinking about all of the things that go around it. Did anybody else find that sort of insight to that story?
A couple of things that I wanna highlight. NIST identity and access management's hierarchy, man, sorry, I can't help myself, but literally this is Maslow's hierarchy of cybersecurity needs, right? Who you add into what. Secondly, shadow IT is such a huge thing. And one of the stories that got lost in the politics of this was how many people have raised red flags about Signal, in particular on government devices, and were overruled by political appointees.
And the lesson for leaders listening to this is, when your people are raising genuine concerns about insecure methods of communication, you should probably not do convenience versus security or legality. I think lastly, as a former journalist, I totally get why these actors decided to use non-government record keeping systems. They were a pain, man. You don't want necessarily every conversation to be recorded and then used in a court of law when someone's potentially looking at war crimes.
I get where they're at. But yeah. Does that add up? Dunno. It's those things that are interesting, and by the way, this isn't just government, right? How many banks have been fined by global regulators for people using WhatsApp to conduct business and transactions that are supposed to be in systems of record? Like hundreds of millions of dollars. So it's like we're all teeing off at government and all that fun stuff.
And it's political, but it ain't the only group of cats using unsanctioned, quote unquote, secure communication systems to do business. And you're kidding yourself if you don't think that this is happening all over the place to get around access to information regulations and other things. Yeah, there's a challenge too, I think, in this particular case. And I know this is the case in a number of Western countries that deal with classified information. There's essentially two sets of rules, right?
There's the classification level of the data. So that's determined by, here in the US, we use something called an OCA, an Original Classification Authority. And there are guides that the OCA follows to say, this level of information combined with this other piece of information makes it this level of classification, with these information controls in place, right? These dissemination controls, all of those kinds of things. And that's determined by an OCA.
And then there's a second piece of the information. So you have the data classification piece, and the second piece is need to know. So you need to have a clearance of the right level to gain access to that data by default. And then you need to have a need to know. So when you talk about a chat that ends up in a situation where a person who does not necessarily have a need to know, let alone doesn't have the proper clearance, and you're taking information that would
require a certain level of system, a certain secure system, in order to transmit that data, you're taking that data off and putting it into that other environment. I understand some of the officials are saying this wasn't classified, or we determined that it was unclassified data, it was able to be transmitted. You're still, at this point, transmitting it to somebody who doesn't have a need to know.
So even if the classification piece was resolved, you now have this other issue that hasn't really been addressed. Which I think, to David's point, goes to risks with not just shadow IT, but that whole identification and authorization piece of it. When you move something out of official IT channels, now you've lost control over who can get that.
Right. Now you're dealing with an information dissemination issue, and potentially putting the wrong kind of information into the hands of people who really don't have a need to know. And I would say, in this particular case, a journalist definitely didn't have a need to know the kind of content that was being shared, which ultimately ended up, a lot of it, being shared to the American public. That's very interesting.
Yeah, the other side to this, I don't think is really getting a lot of folks, and I think that's where my mind went to it, and certainly in full agreement with you. But if I go to maybe more a human element, which I know in talking to you before, I often go there, is, when my values are violated, I get really pissed off, and this pissed me off. That information should not have been shared with a journalist. It should not have been shared with the public.
And to give that weak excuse and expect that we should have, one, believed the excuse and, two, accepted the excuse just made me more pissed off. So in the whole situation, and I think it ties in well with the Oracle one as well, our society is wonderfully connected. It doesn't mean that we shouldn't still be following the golden rule of being honest and being truthful. And if you don't have something nice to say, keep your mouth shut.
Telling me that it was okay that this journalist was in that chat and the information being shared was public anyways really was just an offense to my intelligence or my acceptable aspects. And the interesting thing is, in a community conversation, wandering through the grocery aisle, that was one of the comments they said: oh, just be careful what friends you keep in your contacts for WhatsApp, because if they get added, that's the problem. And I said, hold on.
That's actually how it ended up being transacted. But the problem was that they were actually having that conversation on Signal. You can get to this thing of we can blame the devices, we can blame the failure, we can blame all these sorts of things. But you have to look back with common sense and say, should I be talking about this here?
If anybody ever stands in elevators behind people or in restaurants, you have to ask yourself, should you be having that conversation here? It happens all over the place. The denial just makes it worse. It's funny, you mentioned that, but we were talking about Signal, but there are four coffee shops in downtown Toronto where, if I want to be in the loop about major financial transactions, one of them will generally have something pretty interesting to say.
So if you stay in the Starbucks and you pretend you have your headphones in, but you're just being nosy as all get out, you learn a ton. It's fantastic. The Signal chat is the example in this case, but to your point about where and when it's appropriate to have what conversations. I guess the good news of this is the big winner of this whole mess was Hillary Clinton, 'cause I mean her social media posts were on fire, right?
I mean that LinkedIn post where it was like, are you kidding me with the eye emoji? Look, there was some good emoji use in that chat, but that was that was something else, right? So I guess winners and losers on that one. But in all seriousness if you think that this isn't happening in some fashion within your organization, you're kidding yourself. And then the question is, how do you create the norms and the culture where people don't do it?
Because there's no technological, if the US government with the full might of the NSA cannot prevent senior leaders from doing this, there's no technological way to do it. You gotta have the buy-in to do it. To Dana's point, people gotta believe in doing the right thing. Yeah. Dave, I might challenge you on the winner though. I think Signal itself it probably comes out as the winner. Fair point.
I think as we progress as a society, I think we're gonna start to see more and more use of encrypted messaging apps. And I don't think Signal could have paid to have the promotion that they got through this entire thing. Every media outlet on the planet was writing about this. Signal was created by Moxie Marlinspike, who's a well-known entity in the hacking community. And I think that guy is laughing all the way to the bank.
'cause I think more and more people are signing up for Signal today than a few weeks ago. And they did have the best micro release note I've ever seen, and some spicy posts from Moxie. So I will concede the point. Randy, I do agree. Hillary's gonna have to come in second place yet again. Burn. But again, without being political, there's a leadership piece to this that I think we have to learn from.
And I remember when iPads were first coming into the office, when we had no idea how to secure them, and the CEO would bring one in, wandering in, but nobody else could do that. Leadership matters, and the tone, we say that old tired phrase, the tone from the top. If you want to have a secure organization, you had best not overrule your security people all the time and say, yeah, but it's okay for me, but not for the great unwashed.
'cause the great unwashed learns from you. They know what's happening. They know what's important. Yeah. And every CISO out there has gotta be saying, when you set that type of example, this is what happens to you. Yeah. Touché. Now on the positive side, speaking of examples. There's a positive side. There is a positive side. Okay. Not to this story.
There's, besides Signal being the number one app download, but I saw the UK government take a really nice leadership role globally in new legislation being proposed to actually extend critical infrastructure cybersecurity. So this is the extension of the European NIS2. And what was really awesome was they were specifically targeting data centers,
MSPs, like the actual value chain on which their modern digital economy depends, which is so nice to see, because, as we talk about the month that was, of course, C-26 went down in flames because of a typo. And of course the political survival of the Liberal party here in Canada required us to prorogue parliament. There had been the faintest and most hopey of hopes that somehow they would come back, do a speech from the throne before pulling the trigger on an election.
And we might have got it passed, but no, just not to be. And so Canada is now three plus years out easily from any kind of modern cybersecurity laws, and I'm sure Dana is as frustrated as I am, because we both spent valuable time testifying to parliament to actually have basic laws that cover some of our economy. C-26, RIP.
For those vacationing off planet, C-26 was the Canadian Critical Cybersecurity Act, which included amendments to the Telecommunications Act, which actually, ironically, gave the government the authority to force our telcos to get rid of Huawei, which they currently say they don't have, but that could be gray. Along with mandatory requirements for cybersecurity for energy transmission, telecommunications, transportation, and the finance sector.
And Dana, you were just as passionate about this, working actively on trying to get this across the finish line as well. Yeah. Yeah. And the challenge that was seen for so long was we were waiting for perfection to move forward. It came to the Senate at the 11th hour before the Senate went for the summer break. They did very quickly come through with it. But the challenge that I've got right now is, to your point, David, we have no regulation. We have nothing guiding.
So when I look at, if we look at the month in review, one of the items that I was looking at getting ready for today, I had to smile at the launch of that. And I have to read it because there's so many words in it. The Cybersecurity Certification Program released a new cybersecurity standard and self-assessment tool for level one of four levels, specifically made for our, stand by, the Standards Council of Canada.
We'll start accepting applications for organizations who wanna become certification bodies to support the evaluation and certification. So we've created all of this government bureaucracy for four levels of certification for defense and supply chain, but we still can't get regulations or bills through to say what our telecommunications or our nuclear power plants or our other critical infrastructure should be required to do on behalf of Canadians.
Yeah. And the problem, again, is leadership. It shows how much you care. If this was really something urgent, they could have fixed it. Oh yeah. They had two and a half years. But just another, what's privacy and security? Who cares? And again, that sends a message not just to citizens, that sends a message to staff. That sends a message to everybody that this stuff isn't really that important in terms of how you're doing your job. That's scary. That's it. That's it.
I do wanna go back to a point Dave made about the UK bill that I think is probably lost on a lot of people. So the focus on the data centers and the MSPs, the managed service providers, is really critical for smaller organizations. So when we think of data centers, right, we think of the large behemoth organizations, but who are they actually servicing? Their customers, on the whole, are very small organizations. There's a lot of them.
And they don't have the ability to run their own internal data center. That's why they use these large data centers. Same thing with the managed service providers in the US and I suspect this is the case for a lot of a lot of countries. The smaller the organization, whether it's a small business, a nonprofit, or a local government, they don't have the resources in house to run a lot of the IT and cybersecurity infrastructure themselves. So they have to outsource it.
And in most cases, at least here in New York, one of the things that we see, and actually really all of New England, so you know the whole northeastern eastern part of the us we see managed service providers are often relatively small organizations themselves. So they're regionally aligned. There might be, an organization based out of here, like the New York Capital region, and it provides services to, a num, maybe 60 organizations in the local area.
And then, just outside of their local area, there's a different managed service provider. So having regulations that support those organizations is one of the best ways to get to. I'll call it the extremities, right?
Get out to those organizations that are traditional, traditionally really hard to get to because even if you have a federal regulation that says we're gonna mandate, all organizations do this thing, there's just a massive amount of organizations that have no resources to do that thing, whatever that thing is, right? So they're relying on those outside providers.
So the more we can do to support those managed service providers and data centers and other third party organizations that actually have the resources, the better off everybody is. So that's what I really like about this UK bill. Yeah. And, but it also establishes a standard for MSPs and, the, there used to be this old in the days when there were Christmas ads and things like that, there used to be this ad that said, open me first. And I think that's what people think of. MSPs open me first.
'cause I, you've got all kinds of clients and I can reach you. And I don't think, in many cases, I don't think MSPs are always taking that as seriously. I'm not saying they all do. But I'm saying there's so many hacks of MSPs that come up week after week, and at least setting a standard that says there's a regulation, you are going to pay a fine if you don't do this. I ran a small tech company for a while. We got out of hosting.
One of the reasons we got out hosting one weren't gonna be as good enough at security as so I could sleep at night. That was, it was just that, turn it over to somebody who's gonna actually do this better. And that was, that's a huge piece. But I think a lot of MSPs don't know what they don't know.
I read a couple forums 'cause I'm still interested in that area and you read what's, who some of the people are that are supplying a lot of small organizations and you go, you really don't know what you're doing. And so that's a little bit of a lost leader in business. And I think that's the challenge there as well, is to do it economically. The value point just can't be that robust. I'm. I'm a little jaded around the standards that they've brought about though. I lived through, what was it?
It was years ago, it was called Cyber Essentials. Oh, wasn't it? And I'm sorry, I'm giving you all goosebumps right now going I remember this. The lilies. Yeah. Wasn't it a similar program where it was, to be part of a supply chain in the uk you needed to your company need to align to a certain level of controls and you were certified up to an essentials or whatever the next level was, and it died a horror death. And we tried to do it in Canada.
Yeah, it was more successful in the UK by orders of magnitude because in Canada we spent millions, tens of millions of dollars on Canada's version of cyber essentials. But we didn't remember what the UK did that actually made people want to do it, which was you couldn't get a government RFP if you didn't have the basic bare minimum. No. And Canada was like, we think this is a nice thing to do, and 12 organizations across the country. Like 12. Value for dollar not there.
Do I think that we need a basic set of fire code for some standards? Yes. Yeah. What's different about this defense one that you're mentioning is that and this is, interesting, is we were rushing to match the us and Randy, you might have to help me here, but there's A-U-S-D-O-D. I wanna say CMMC standard that came out. God help me. I can't remember the, what it actually stands for. But we, of course, being Canadians we're like, we have to make our own version.
That has to be then given equivalency so that our suppliers can supply the US defense industrial complex. But in, in one of those life's greatest ironies, it turns out we may not be able to supply the defense industrial complex in the United States. So this entire certification has become kind of donkey hode charging at the windmill because we can't even sell aluminum and steel to the United States. I don't dunno if I'm right about that, Randy, about CMMC or if I'm on the right side.
Yeah. No, you're, yeah, so CMMC was the the cyber maturity model certification. And it's, that one is focused specifically on what we call the dib, the defense industrial base. So it's all the contract organizations that, like the outside contractors that provide services to the federal government. But you're right. It's a framework for kind of effectively what you just said.
And I didn't, I actually wasn't, I had to google that cybersecurity or cyber essentials in the uk 'cause I wasn't tracking that. But it looks like that was a National Cybersecurity Center initiative that did have a forcing function, which, essentially CMMC is the same if you're gonna work with the federal government, you have to meet a certain requirement to handle controlled unclassified information or federal contract information. That was like a big part of what CMMC is.
And I think, if I'm not mistaken, I think it's actually, it either already did undergo a major update or it is undergoing an update CMMC two. Yeah. Yeah. It's a, you can comply with Cmmc two or you can use Signal. It's great. Yeah. Those are your options. Sorry, Dana, you were gonna say something? No it, we end up with bureaucracy and acronyms instead of actual security.
Security right now, people aren't choosing to not implement multifactor authentication, segmentation, identity controls because they just don't want to, they're usually doing it because they don't have the money to, or the people to. Expense, this type of certific? It's expense. Yeah. The technology in some ways is sometimes the cheapest part. So that's where I'm struggling with some of these programs.
Love the, and I had forgotten the Cyber Essentials success was because it had some teeth to it. I wasn't aware there was only 12 in Canada. That's horrific. So I'm optimistic. If we're creating this new standard that's assisting, that it would bring some semblance of improving the waterline for our defense contracts. Engaging with corporations that only meet that, the challenge is that is going to be a taxed tariff on those companies.
They're going to have to meet that certification and maintain it. And that's hard to do in an industry where we're already seen as a tax instead of as an amplifier. And we're still in a place, I don't know what it's like in the US, but in Canada, we're still in a place where most small businesses are just not even vaguely protected. Not even going through the motions of anything resembling security, let alone when it gets complex.
And without that, not only are those businesses in jeopardy, but any customers they work with are in jeopardy. And I keep looking at this every time I look at a new story that comes out, and I'll just lead into this. There's a whole story about EDR bypasses this month. And I found three stories. We did them one after another. Microsoft's Defender. There's an open out and Microsoft acknowledges it.
It's out there bypassing, that there are three or four or five tools floating around right now that use software that is basically software that won't trigger anything in an EDR because it's built like a regular piece of software, or it is legitimate software, but it's been hacked or bypassed. And those are just some of the things that are happening. And my favorite of all of these things: using old certificates.
This is how clever these guys are using old certificates that have expired, but spinning back the clock on the machine you attack. Yeah. So it looks like the certificate is real. What? I can go through these and we did stories of 'em. You can read them all and I'll put some links in the show notes that people wanna follow some of these, but the fact is that's the level of sophistication that's going out there attacking the one thing that small business might actually have.
And that's endpoint detection. And so this is a problem, I think a universal problem. And one that just doesn't seem to ever go away. Yeah. I might challenge you a little bit on the one defense mechanism that small businesses will have is EDR. I think at least the organizations I've seen, they might have host-based detection in the form of antivirus, but antivirus and EDR are two totally different things, one being signature based and one being more behavioral based. But one of the articles that you sent my way was the Forbes article where it talks about an FBI alert. Happy to say, a little bit of self-promotion here, my team, the security advisory that went out with that was joint between DHS CISA, FBI and my team at MS-ISAC, the Multi-State Information Sharing and Analysis Center.
We focused on the Medusa ransomware, and we did a lot of the technical analysis behind that report. And you're absolutely right. These are things, EDR bypass isn't really brand new, but some of the techniques that we're seeing are actually pretty novel and interesting. Turning back the clock was a relatively new one. And the other thing you mentioned too is the living off the land binaries, or LOLBins. We're seeing more and more actors doing that. Medusa is one of them.
We've had, I think the number is seven INC ransomware, that's I-N-C ransomware, cases just this year. Same kind of thing. A lot of living off the land, using things like PsExec and other PowerShell capabilities to use administrative tools that are inherent on a system, so that they don't have to install their own malware, right? It helps evade detection.
And so one of the challenges is, even if you have EDR but that EDR isn't properly tuned to your environment, you might miss some of those living off the land techniques, because how EDR should work is identifying things that are outside of the normal behavior on that system. So if a user has never used PowerShell before and all of a sudden PowerShell's being invoked, EDR should catch that, or PowerShell's being invoked to run specific commands, EDR should catch that.
And sometimes that's not the case 'cause EDR is installed, but it's not actually been through the proper process to tune itself to the network and to the host in that network. So that's one of the challenges sometimes we have: even if there is EDR, even if there is a security tool in place, it's not properly tuned to the environment. And that alone, I think that gets back to Dana's point earlier, it's not always necessarily the tool.
You might have the tool in place, but the more expensive thing is configuring it for the environment, making sure that it's, adequately tested, running in a secure configuration, all of those things. It was another thing I saw in one of the articles and just was, yeah, they hadn't set up the EDR right? They had it, but it was set up. Or it was bypassed by something, but, or that it disabled it, but basically it would give an alarm but not do any protecting. Oops. And isn't that the fun, right?
The old adage of set and forget, right? We've got EDR, check. We're good. And to your point, a lot of the small, medium businesses, even enterprise businesses, we get focused on other activities. We're forgetting some of those golden rules of we need to be testing, we need to be actually running some semblance of penetration testing at some point, or even purple teaming with your monitoring organization to ensure that you're actually testing valid use cases.
You're looking at your rights and your administrations, right? Doing some certification campaigns within an organization is pretty foundational for most of us. I dare, I don't know an actual percentage, I'm sure ChatGPT or another GPT could tell me a number, but I suspect if I was to put a bet on it, it's less than 10% of our organizations actually do that and do it on the regular.
So these types of stories, I hope, act as reminders of, oh yeah, I should go check that and make sure that my EDR is actually picking up PowerShell run, for example, as you mentioned, Randy. I think Dana, you're a hundred percent correct, and Randy, the same thing. You gotta tune these things.
What I'm desperately afraid of, so many vendors are sprinkling AI magic pixie dust and saying it does it all for you, which, dear listeners and viewers, like a natural human tendency, is we don't want to do extra work. We're busy, we're tired, we're cranky, we got enough on the plate, whatever it is. And so when we hear vendors say that sweet siren song of it's automated, smart, intelligent, you don't have to, you can set it and away you go. It is the disaster of the sirens, right?
For those that used naval references or mythological naval references, right? So the sirens would lure you in and your ship would crash to the rocks and you'd be devoured by monsters. Here ended the lesson on EDR and the vendors that say you don't have to do anything, you just gotta install it. And the other part is, of course, we buy into the idea of the silver bullet.
Still, silver bullet thinking is all throughout information technology, whether it's customer relationship management or other systems or security systems. We keep falling for the same trap. It's like Wile E. Coyote, and technology is our Acme Corp. And we have a very unhealthy relationship with it. And hopefully that movie will be coming out soon, now that it's been released from Warner Brothers hell. Fingers crossed. That's a news article we didn't talk about yet. Part two.
Does anybody else have another story? Do you want, do you wanna cover it? Dana, do you want anything? I, yeah. Getting ready to, like I said, it was a bit of a softball month because there were just so many really great articles and so a few that caught my eye, I'll say and in some ways made me shake my head because to your point that you'll often say, David, of catching the Dilbert there were a few of them. One is the Kuala Lumpur International Airport, $10 million.
Ransomware in itself is not necessarily horrific, right? You're like, okay, another, to your point, airport got hacked. But the convergence of the OT with the IT, this, from what I've been able to read, was certainly very targeted. And the irony was not lost on me that their flight information dashboards was what predominantly was seen by travelers.
So they had whiteboards, if I believe the articles that we were reading, and were able to get whiteboards in the Kuala Lumpur International Airport, not a small airport, for quite a bit of time. So public disclosure of the sensitive, or sorry, public impact, no flight challenge, but it begs the how far can they go? Airports are now being seen as I can get some attention with these, and airports are wonderful little cities. There's a lot of financial gain.
What I love as well is that they said, no, we're not paying the ransomware. So a neat story, not close to home, but I dare say could be on the other side of it, was the NHS Scotland. And you could interchange NHS Scotland with any local hospital. Major ransomware attack knocked out most clinical systems. Staff was left for, arguably, I think it was a day and a bit, on pen and paper, operations were canceled. Patient care wasn't able to go on. Entire systems were offline.
If I'm believing what we're reading, no segmentation for offsite backups. They had legacy infrastructure that they blamed as the leading culprit. And no, they didn't seem to have any incident response plan outside of maybe some tabletops that they had done. They had not simulated this. So they were at an absolute inability on how do we actually respond. The Beetlejuice to this is, it could have been one of our hospitals in a heartbeat. So those were the two that caught my eye.
So this was an OT, you said this was an OT/IT thing. I didn't catch the story. So a bit of convergence there, that by getting into the flight information dashboards you're going through what is more traditionally the OT side of the airports, of understanding when the airlines were planning to be departing and arriving and which gate they're at. That's often being either informed by OT or run by IT and then converged into the IT side of an airport.
So it's absolutely targeting, I would say, an Achilles heel of the airports. Wow. And the NHS story, did you say they came back in a day and a half, they were back up? Did they actually get back that fast? Back up, not using pen and paper, according to the article, back up. I don't know that you catch up that quickly. I don't believe you caught it that quick.
I find that even if they were perfect, a day and a half, I think we might class them in our other story of being less than truthful, honest about what's happening. We had four hospitals here in, or five hospitals here in Ontario that were attacked. They didn't come back for months. In fairness, come back, yeah, like there's a famous political quote. It depends on the definition of "is", right. And depends what you mean by open, so yeah, I mean there's a lot of leeway on that side.
What's interesting with the NHS hacks, like a lot of these health trusts in the UK, it's been their managed service providers that get hit and then it takes them down. Which goes back to Randy's point about what's nice about the, and probably honestly, what's driving the UK focus, and it's, oh yeah, MSPs are critical infrastructure. The OT/IT thing is only gonna continue to accelerate because we've turned networks into software.
And we may have made a lot of good progress in efficiencies and scale and money to be made in doing that. But when you turn what used to be physically separate fiber networks into the same network that's then split by software, you're typos away from bad things happening. And OT devices continue to be a dumpster fire. Yeah. One last shout out I want to give is, of course, kudos to police when they bust a criminal.
But we have a Canadian that has now been charged for a hack of the Texas GOP. Apparently, according to reporting from the Globe and Mail, he was actually quite prominently featured in a documentary that's on Netflix about the founding of Anonymous. Police one, OPSEC zero. So lessons to be learned. I think earlier this week he kicked off the week and I said, couple of things. If you're gonna hack, don't target Texas, don't mess with Texas, one of the best environmental campaigns ever.
But also do not taunt the FBI with foul language and tell them what they can and can't do because, you know what motivates a cop? Yeah. Challenge me. Try it. Yeah. So he hacked around and found out. Did you hear anything about that? Was that news in the States, Randy, at all? At all? I don't, you know what, to be honest with you, I don't know about the specific story of coddle getting arrested. I don't remember seeing that until you passed it my way.
But certainly the breach of the Texas Republican Party, that was years ago though. That was back, that was near the height of Covid, if I remember correctly. It was kinda like 2021 maybe. So I do, yeah. I mean, that made news for sure. But I don't think the arrest has really hit off here in the US. That kind of stuff doesn't always pick up. Like we're interested in the sensational part.
So the hack itself makes it into US news and we escalate that, but when they catch the guy, it's kinda eh. Alright. Yeah. The good news for this cat is he is apparently being charged under Canadian law, which means possibly Canadian jail time, and he is not gonna end up in El Salvador. So that's a win. Yep. I guess so.
But this is one of the things that I talk about, and I'm actually trying to get together to do a police show, but it's incredibly hard to get through the communications people to get police who will actually talk to you. Because I honestly believe we don't know how hard the work is. This hack happens years ago, and God bless them, in the US the FBI have been the most dogged people for going after.
And that's why I love David's story saying, don't mess with the FBI. If you have that reputation, it may take us years, but we'll get you. That's the type of prevention you get. And I think in many cases, some other police forces, maybe some in Canada, could learn from that. And that is that you just don't let go. And so if you're gonna do, what's that, Baretta, you don't do the crime if you can't do the time.
And and I'm not your pound on the table law and order guy, but there is a special place in hell for people who hack hospitals. And, and do things like that. Or who cheat old people out of their pensions and God bless the FBI on that one.
Here, one of the, if we try to leave a little bit of positivity on this, well, one of the things that I'm loving is seeing the anti-money laundering activities being brought more in with the IT, the O, not, well, a little bit in the OT, because there's certainly some brick and mortar aspect to it as well. But the security program, right? Years ago, we called it fusion.
I think it's having its resurgence, not the least of which of other stories that were in the news not so long ago, but one of the, well, TD Bank for the anti-money laundering, but certainly anti-money laundering, anti-fraud, cyber security. They're all close cousins. All very close cousins.
So I'm loving that some of the programs are leaning more into how to be detecting and then, of course, how to be thwarting, or at least being aware to detect sooner than later and putting some stop to that, because to your point, special place in hell for people that take advantage of seniors, people on fixed income, people on disability, people with special needs. You shouldn't take advantage of anybody, but especially not the weak. That's great.
Yeah. The wonder of this is how fast the hour goes. Yeah. This has been, and I'm hoping I can get you guys back again for another month, 'cause I think we covered a lot on this one, but the time just zipped by on this one. So thank you very much. My guests have been Dana Proctor with us from Ottawa, Randy Rose from Syracuse. No, Saratoga Springs. Sorry. I got Syracuse on the brain. I can't help it. Saratoga Springs, and David Shipley from beautiful Fredericton.
And I'm your host, Jim Love. Thank you very much and thanks for listening. If you have comments on the show, please send them to me at [email protected]. You can reach me there, you can find me on LinkedIn. Most of that's, a lot of people rost me there and I'm just happy to have a nonpolitical discussion on LinkedIn. So come to me and talk to me about cybersecurity, and if you're watching this on YouTube. Right underneath the video, just leave a comment. We'll get back to you.
Thanks a lot, gang, and we'll do this again next month.