ISMG Editors: Business, Cyber Resilience in Israel-Hamas War
Also: Cisco IOS XE Vulnerabilities in the Wild, Indonesia's Data Protection Picture
Anna Delaney (annamadeline) • October 27, 2023
In the latest weekly update, ISMG editors discuss how cybersecurity firms and other businesses are building resilience during the Israel-Hamas war, the latest on the hacks of Cisco IOS XE devices, and recommendations for businesses in Indonesia looking to improve their cybersecurity practices.
The panelists - Anna Delaney, director, productions; Mathew Schwartz, executive editor of DataBreachToday and Europe; Tom Field, senior vice president, editorial; and Suparna Goswami, associate editor, ISMG Asia - discussed:
- Highlights from an interview with Michael Yehoshua, CMO of HolistiCyber, discussing the impact of the Israel-Hamas war, including its historical perspective and how his and other Israeli companies are focused on resilience;
- How Cisco issued patches for two actively exploited zero-day flaws in the IOS XE operating system, and why researchers noted a significant drop in hacked hosts from 36,541 to approximately 1,200;
- The main concerns and challenges facing cybersecurity leaders and organizations in Indonesia, a year since the country enacted its first personal data protection law.
The ISMG Editors' Panel runs weekly. Don't miss our previous installments, including the Oct. 12 cryptocurrency special edition and the Oct. 20 edition on the impact of the Israel-Hamas war on cybersecurity.
Transcript
This transcript has been edited and refined for clarity.
Anna Delaney: Welcome to the ISMG Editors' Panel. I'm Anna Delaney, and here we discuss the week's top cyber and information security trends, stories and interviews. I'm joined by some of the talented editorial team: Tom Field, senior vice president of editorial; Suparna Goswami, associate editor at ISMG Asia; and Mathew Schwartz, executive editor of DataBreachToday and Europe. Tom, you have started recording interviews with Israeli cybersecurity leaders. This was something in the works for a while. You were supposed to be on the ground in Israel recording these in person; for obvious reasons, you're not there. Share some background to the series itself and who you've interviewed so far.
Tom Field: I was supposed to be traveling to Israel for a series of interviews with security and technology leaders, and because of the Israeli war with Hamas, that's not happening right now. Instead, I've been working with our colleagues and partners at Xtra Mile, which is a B2B lifecycle marketing agency that's part of ISMG, based in Israel. I've been working with them to still do this series of interviews, but to do it virtually, and to talk with security and technology leaders about how they're responding to the war conditions; how it's impacting their organizations, teams and families; what they see going forward; and their message to their customers and to their global partners. I started this series earlier this week by talking with Michael Yehoshua; he is the CMO of HolistiCyber. He got my attention immediately when I asked him how he's doing and how his family, team and employees are. He told me, "We're doing fine, but we're not okay." What really struck me as a predominant theme in these conversations is that it's about resilience. It's about the ability to continue to work literally under fire. As he and I were talking, there were rockets bursting overhead. Being able to be resilient and to continue under fire is something that I haven't experienced; I don't know that many of us have. It is insightful for me, certainly, to conduct these conversations; I'm hoping it's just as insightful for our audience as well. I'll be doing a series of these; we'll be producing them on the ISMG sites. The point is to share insights from Israel, from security and technology leaders who are going through this, and their message to the world. I'd like to share a bit of a clip from the interview I did with Michael Yehoshua. The question I asked him was: what is your message to your employees, your customers and to your global partners? I'm going to show you a short excerpt.
Michael Yehoshua: War is something that nobody wants, especially not on this side. It's not a war that we started and not one that we ever wanted, but war does have its silver linings. If you look at the Yom Kippur War, the aftermath of that was a very prosperous time in Israel. If we look in the United States after World War II, we had the baby boomers and the rise of the economy. Tough times create tough people, and tough people create tough products. We are a resilient group of people, and we'll get out of this and we'll be stronger than ever.
Field: I was told once that tough times don't build character; they reveal it. And we're pleased to see the character.
Delaney: Well, Israel has been dubbed the cyber nation and, as you say, has a strong tradition of military intelligence and cybersecurity. How do you think this background influences the leadership and the strategies in the cybersecurity sector?
Field: There's a lot of preparation, and I think that the Israeli executives I deal with have got good backup plans. They've always thought about resilience. They don't keep things in one area and they've got leaders and teams and systems deployed in different areas of the world. They're prepared for situations such as these. There's been a huge call up of reservists to go into a military service. Michael was telling me about even some of his colleagues from the U.S. who have gone through great pains to fly back to Israel, to go back into the service and to be on the front lines. This is a country and a people that certainly don't welcome crisis, but they're prepared for it.
Delaney: Very true and a great first interview, and we look forward to watching the rest. Lots to be learned there. Mathew, a few days ago it was reported that Cisco released patches to address two zero-day vulnerabilities in its IOS XE operating system, which runs its users' networking devices. Since then, security researchers have observed a significant drop in the number of compromised devices. Bring us up to speed with events and explain the significance of this sudden drop in the number of compromised hosts.
Mathew Schwartz: Cisco has begun to release patches for a lot of its IOS XE operating system - the OS that runs a lot of Cisco's devices, like access points, routers and other things. These patches have not fully arrived yet, but some of them have started to get shipped. About a week ago, reports started to emerge that there seemed to be a widespread malware campaign targeting these devices. Attackers were exploiting vulnerabilities, and it took some time to figure out what was going on. They were exploiting a couple of vulnerabilities to gain remote access to these devices and then infecting them with malware. It's not clear what has been happening next in terms of whether attackers are pivoting off of these devices into victims' networks, potentially using this as a beachhead to further explore the network and attempt to gain administrator-level privileges on other systems. It's not clear if this is a nation-state attacker, given that these are zero-day vulnerabilities. However, we have occasionally seen cybercrime groups, especially ones wielding ransomware, target zero-day flaws. What led to this dip in the number of internet-connected Cisco IOS XE devices? Researchers were tracking about 80,000 of these devices before the attack. About 80,000 devices were internet-connected and could be catalogued or counted using freely available scanning technology. After this attack, researchers figured out a way to fingerprint these devices, and they counted 34,000 last week, rising to about 42,000 that had signs of compromise, declining again to 36,000, possibly because companies couldn't patch, but they could deactivate the HTTP capability on these devices to remove them from the internet. Without warning, they dropped to 1,200. The question was, who did this? Could it have been grey hat hackers, who came in and proactively knocked these devices off the publicly connected internet, so that organizations wouldn't get hacked before they had time to eventually patch?
What it appears to actually have been is the attackers returning to their devices - the ones they've hacked. They know how they've been fingerprinted. They added an HTTP authorization header. When a scan comes in and looks for the string that would indicate these had been hacked, if that scan doesn't have the right username and password to do a handshake with the hardware, it doesn't respond to the scan. That's why the number of hacked devices had dropped to 1,200. Researchers have a new way to fingerprint the devices, and the number of infected devices has risen to about 38,000. Thus, anyone who's running a Cisco device that has this sort of operating system should mitigate; if the patches are available, they should get them in place as quickly as possible. All of them need to look at their security logs for signs of compromise, because this is a mass exploitation. It's likely that attackers have come in and later disguised their tracks, having already pivoted into other parts of the network. It's a very serious hacking campaign, which is going to cause a lot of damage for the foreseeable future, because a lot of organizations probably won't spot this activity, even though they should be trying to chase it down.
Delaney: Very serious, indeed. How do you think the attackers' tactics really reflect the evolving nature of cyberthreats and what this means for our security measures?
Schwartz: If anything can be hacked in a mass campaign, and attackers can figure out a way to do it, they're going to do it. We've seen this with secure file sharing software, the CL0P ransomware group keeps hitting it again and again. It's not always clear that it's that detrimental of an attack depending on what's being stored on these devices. Something like the Cisco networking gear though is widely used, used by tons of telecommunications companies, and the majority of victims - based on scans - are in the U.S., followed by the Philippines. If you're a nation-state attacker and you can execute this sort of attack, hit all of these endpoints and find some that look exciting, you can take down some really big targets. It reinforces the need for monitoring tons of defense in depth, because you cannot stop all these zero-day attacks. What you can hope to do is see signs of unauthorized or suspicious activity. Even if they've gotten purchase on this type of hardware, when they try to pivot into your network, they get blocked, or they get blocked for long enough that you figure out what's going on and lock it down.
Field: This is happening in parallel with what we're seeing happening with Okta. Okta's customers and Okta itself are feeling it in the market valuation.
Schwartz: Okta's customer support system was hacked. It was informed of this by BeyondTrust and Cloudflare, among the other organizations that have come forward to say they got hit. It took Okta a few weeks to figure this out. Attackers are going for any angle they can think of and this isn't the first time we've seen this sort of pivot hit a widely-used piece of software or service, and then try to get to as many of their customers as possible.
Delaney: Excellent insight, and to be continued. Suparna, you've been talking to a wide range of security leaders and legal experts this week about Indonesia's recently formed data protection law and the challenges faced by businesses in the country. How are businesses dealing with this new law?
Suparna Goswami: Various countries in APAC are now coming up with privacy laws and are thinking about whether to have a unified law across APAC. However, each country is facing its own challenges. I thought of speaking with a panel of CISOs from Indonesia. Indonesia enacted its first Personal Data Protection law last year, around September. This law came out last year, but it comes into force only next year. The government has given the practitioners and enterprises two years to prepare themselves. Though it will get enforced next year, the practitioners are asking whether they can postpone it further by a couple of years. Let me start with the challenges. The first challenge, which is common across the globe and ASEAN, is not having sufficient cybersecurity professionals. Indonesia has only 100 CISOs, and this happened in the past one year; before that, there were 20-30 CISOs across the country. The PDP law now requires every data controller to appoint a data protection officer. For a country which has only 100 CISOs, appointing a data protection officer will be tough. The president of ISC2 said IT people are being appointed as CISOs and their certifications are ongoing, but it's a very haphazard process, and they have yet to understand the entirety of security. The progress has been very slow, and other aspects of the law are not very clear. Who will be the privacy regulator? As of now, the Ministry of Communication is the one who designed the policy, but going forward, who will head the privacy agency? Even a year after it was announced, there is no communication in this regard. What will this agency's role be, and how will it interact with other ministries? For example, the financial industry is regulated by the OGK. Will the one heading the privacy agency interact with OGK? OGK too came out with certain cybersecurity regulations for the financial industry. Banks are struggling to meet that, and there is a privacy law that they now have to adhere to.
Regarding cross-border data transfer, the rule is that the recipient country should have the same or a higher level of data security controls in place. How does one ensure that? Will the government come out with a list? There is no list that has been shared so far. As far as the DPO is concerned, only specific businesses need to appoint a DPO. None of the companies have any clarity on the specifications, because nothing has been mentioned. Which companies need to appoint a DPO? Which businesses qualify for this? Nothing has been mentioned. Only an announcement has been made; a year has passed, but there is no clarity on what businesses need to do. It also says that businesses should review existing data flow and categories of data that are being processed. Does the law specify which category requires which requirements, and what data flow needs to be measured in what category? There are challenges, and there is no clarity. I had a conversation with CISOs, and they are asking the Ministry of Communication to postpone it even further, because a year has passed and no clarity has been given. How should consent be obtained? They have little clarification on that: whether it's just terms and conditions, whether it's in writing. Like a typical new law, there is a lot of confusion. What I found surprising is that the third most populated country in Asia has only 100 CISOs, of whom 70 have been appointed in the past one year.
Delaney: The confusion, the lack of clarity. Did the panelists share any recommendations for businesses in Indonesia looking to improve and enhance their cybersecurity practices?
Goswami: They said they should review how data processors are responding to data at the moment, or how a third party is implementing this responsiveness of data, and how they are tracking it. This is one of the things that they said needs to be done. They should review the existing data flow. They said it is very important to know what kind of data you have and to categorize that data. The banking industry has a lot of consumer data. Categorize which is personal data and which data can be shared with others. None of them have started categorization of data, even the biggest bank. I asked them if a lot of companies would be adhering to GDPR. How about those companies? Only two banks are adhering to GDPR. None of the others are, because they don't have that kind of exposure. Hopefully, things will pan out; as of now, it looks difficult. Next year, I'm not sure whether they will have the law implemented. It will take another couple of years. That's what I've been hearing from even the financial regulator.
Delaney: Very good. Well, thank you so much for sharing, Suparna; that was great. And finally, just for fun, what's the most unexpected or amusing or downright bizarre use of AI you've come across in the realm of cybersecurity news recently? Tom, go for it.
Field: I've got something to share with you first; I don't know if you've seen this. This is the ChatGPT Halloween costume. So, get yours today. I've got to say, Anna, you and I have talked about this before; the thing I can't get past is AI hallucinations. And I know I've experienced it as well: I asked ChatGPT to help me with my own biography. And it came up with things I wasn't aware of! Completely invented things. So, the whole AI hallucinations thing; I'm wondering, if we're projecting down the road, if in a few years we're talking about AI flashbacks. That's my fear.
Delaney: At least it recognized you; I didn't think it even knew who I was! So, let's talk! Suparna, what have you seen?
Goswami: I'm not sure about its genuineness. But I found it so funny. In fact, Prajeet was the one who showed me this. So, a hacker group pranks a rival group using AI to mimic the voice of the rival group's leader, containing instructions like delete all your files and format your hard drive. And the messages are so convincing that they carry this out. So, again, I'm not sure about the genuineness, but apparently they transferred all the Bitcoins to the rival group. And they posted this video making fun of them. But yeah, there was this news there, and I found it really funny. Like, the hacker probably phishing the other hacker group.
Delaney: Amazing. Yeah! Mat?
Schwartz: So, it's going to seem pretty basic, probably. But, for a lot of the interviews I do, I'm transcribing those now using AI-enabled transcription tools. And, it's great with lots of different kinds of American accents. But, I find that it can really struggle with Scottish accents, and especially with Northern Irish accents, to the point where I will have to read the transcripts out to myself, filled with seemingly legitimate words, but attempting to hear what it was hearing in terms of the actual words being used. So, there's an extra step there. It does transcribe, but it's more of the sounds as opposed to the actual words. So, just a little misstep perhaps on the road to AI autonomy.
Field: And, again, AI is confident when it has no right to be!
Delaney: Yes, any funny examples? A word...?
Schwartz: You don't want to hear my Northern Irish accent. I don't want to see that lack of fan mail there.
Delaney: Well, the most bizarre press release I've come across is something that you sent me, Mat, like a few months ago. The headline read "AI just created the best girlfriend you'll ever have." So, dream GF is a new cutting-edge platform that purports to be revolutionizing the dating industry with AI, and from what I gather, you can create your perfect girlfriend and your dream girlfriend, which includes having engaging conversations and embarking on virtual adventures. I mean, who can imagine, but that isn't the strangest thing. The best line from the press release was "you can even create your first two girlfriends for free!" Oh, how we laughed.
Field: Lot of confidence in a long relationship, I see.
Schwartz: It was so revolutionary, Anna! I've actually literally blocked that from my mind until you just mentioned it.
Delaney: Yeah, find a cybersecurity angle there. Well, Mathew, Suparna, Tom, thank you so much. This has been a pleasure. Excellent as always!
Field: Thank you for giving us a new definition of trick or treat.