Halcyon AI

By: Halcyon AI
  • Summary

  • Based in Austin, TX, but distributed globally, Halcyon was formed in 2021 by a team of cybersecurity industry veterans after battling the scourge of ransomware (and advanced threats) for years at some of the largest global security vendors. Comprised of leaders from Cylance (now Blackberry), Accuvant (now Optiv), and ISS X-Force (now IBM), Halcyon is focused on building products and solutions for mid-market and enterprise customers.

    Modern defensive cyber solutions, while impressive, have failed in the face of cheap and easy-to-create – and most importantly lucrative – ransomware. High-profile breaches are disguising an ugly fact; the companies using next-generation NGAV and EPP solutions continue to be impacted by ransomware.

    Halcyon has built the first anti-ransomware engine to tackle this problem. Our team has spent decades building name-brand security products and delivering security consulting to much of the Fortune 500.


    © 2024 Halcyon AI
Episodes
  • Last Month in Security Episode 006: Chaunda Dallas – Healthcare Security from the Frontlines
    Oct 4 2024

    In this edition of the Halcyon video/podcast series Last Month in Security, host Anthony M. Freed and panelists Ben Carr and Ryan Golden are joined by Chaunda Dallas, MSIT, who went from emergency room nurse to healthcare cybersecurity specialist on her journey to safeguard patients and their most sensitive data.

    First off, we take a look at a Microsoft advisory regarding an affiliate attacker dubbed Vanilla Tempest, who was observed utilizing the JScript GootLoader malware to drop INC ransomware.

    GootLoader is typically spread via SEO poisoning waterhole attacks by a threat actor tracked as Storm-0494, and Vanilla Tempest is assessed to be associated with Vice Society, which has not been very active recently. They have been observed dropping BlackCat, Quantum Locker, Zeppelin, and Rhysida payloads previously.

    Then we dive into some post-event regulatory and legal actions which significantly benefit from hindsight, of course. It's a much different perspective looking back at a chain of events than when making decisions in real time pre-event or during an attack.
    So, does that make these critical assessments just Monday morning armchair quarterbacking after the fact? Well, the SEC recently had much of its SolarWinds case dismissed for this very reason.

    The SEC had claimed that SolarWinds' website over-stated their compliance with government standards in implementing strong password protections and following a secure software development protocol, insisting that internal conversations uncovered in the investigation suggested otherwise.

    The judge in the case disagreed, stating the regulations in question were for financial controls, not security controls. Subsequently, most of the case against SolarWinds and their CISO was dismissed.

    Three other cases (very different) from last month also call into question whether it is fair to deeply scrutinize security decisions well after the fact with all information post-event in hand.

    Case 1 involved Enzo Biochem, a biotech company that was ordered to pay $4.5 million to the attorneys general of New York, New Jersey, and Connecticut following a 2023 ransomware attack that compromised the data of over 2.4 million people.

    Key failings included poor password management, lack of multi-factor authentication (MFA), and the failure to encrypt sensitive data on all systems. The attackers gained access using shared credentials, one of which hadn't been updated in a decade. Clearly there were egregious lapses in security here – not a best effort.

    Case 2 involved attackers accessing Lehigh Valley Health Network (LVHN) and deploying ransomware after exfiltrating healthcare data. The brunt of the enforcement actions involved the attackers leaking sensitive images of breast cancer patients.

    A class-action lawsuit, filed in March 2023, accused LVHN of failing to safeguard patient data, although there was no indication of poor security practices as we saw with Enzo Biochem, so for the sake of discussion we assumed that none had occurred.

    As security pros, we know a determined attacker with enough resources will eventually succeed – so is any and every organization that handles sensitive data basically facing default judgements when they get popped?
    Case 3 involved over 2.7 billion records being exfiltrated in an attack on a company called National Public Data, where the information eventually found its way to a hacking forum. The breach resulted in a class action lawsuit against National Public Data for failing to protect this sensitive information.

    What is interesting about this case is the fact that the information that was compromised had been scraped from public sources by National Public Data, which aggregates and sells the data for background checks and other purposes.

    1 hr and 12 mins
  • Security Gets Serious Episode 004: Richard Greenberg on AI, Ethics and Learning from Failure
    Jul 24 2024

    In this episode of Security Gets Serious, host Ben Carr sits down with Richard Greenberg (CISSP), President of ISSA-LA, a well-known cybersecurity leader and evangelist, former CISO, advisor and speaker.

    Ben and Richard dive into the buzz around how AI is being used to both enhance cybersecurity defenses and as a tool for cyber attackers, then they examine the potential for bias in AI models as it becomes more integrated into security systems.

    They also look at what ethical concerns arise regarding bias in AI algorithms, and how organizations ensure their AI-driven security measures are fair, effective and unbiased.

    Ben then asks Richard about his thoughts on to what extent is it ethical for organizations to monitor their employees' activities to ensure security, and what guardrails should be in place to protect employee privacy.

    Then of course we have to dig into some of the latest ransomware trends, and what steps organizations can take to protect themselves – like engaging with ethical hackers for penetration testing – and how organizations ensure that these practices are conducted responsibly and ethically.

    Ben and Richard also delve into whether Zero Trust is really working or if it is just another security strategy that puts too much focus on a concept and not the execution, and cloud security challenges and how organizations can mitigate risks.

    Lastly, they discuss the culture of security and learning from failure – namely how security failures can lead to significant improvements in an organization's security practices and why we need to do a better job in fostering an environment where failures are seen as learning opportunities.
    Richard brings over 30 years of management experience and has been a strategic and thought leader in IT and Information Security as a CISO, Director of Surveillance and Information Systems, Chief of Security Operations, Director of IT, and Project Manager for various companies and agencies in the private and public sectors.

    Be sure to check out Richard’s spot on Will Ferrell’s Ron Burgundy Podcast – it's a riot.

    Your Host, Ben Carr, Halcyon Chief Security and Trust Officer: Carr is a Security & Risk Executive and recognized thought leader with more than 25 years of results-driven experience in developing and executing security strategies. Carr has served in global leadership roles at advanced technology, high risk, and rapid growth companies such as Ericsson (Cradlepoint), Qualys, Aristocrat, Tenable, Visa and Nokia. Ben has served as a member of the Board of Directors for organizations such as IT-ISAC and NTXPKUA. He is an advisor for Noname Security and Syn Ventures and has previously served on Advisory boards for Living Security, TruStar, Mimecast, Qualys, and Accuvant.

    1 hr and 12 mins
  • Last Month in Security 005: Shady Vendor Ethics and Ransomware Targets Chokepoints
    Jul 24 2024

    The other week, the UK had its own Change Healthcare-level attack, where medical procedures were canceled at multiple London hospitals for weeks on end and a critical emergency was declared following a ransomware operation that disrupted pathology services provider Synnovis.

    As well, CDK Global fell prey to a ransomware attack that led to a massive disruption in the US auto sales market and impacted hundreds of dealers to the tune of tens of millions in lost sales.

    Point: The Change Healthcare attack revealed a financial chokepoint in the US healthcare system that impacted hundreds of providers and their patients, while the Synnovis attack similarly disrupted care at dozens of hospitals in the UK, and the CDK attack demonstrated how attacks on SaaS providers can similarly be a chokepoint.

    Are we starting to see attackers consciously targeting these chokepoints? If not planned, are they taking notes for future targeting where – much like supply chain attacks – attacking one compromises many?

    And of course, we all agree that it’s never a good idea to pile on after an attack by blaming the victims, but sometimes it’s like, “come on?”

    Last year CISA alerted nearly 2,000 organizations about vulnerabilities that could be exploited in ransomware attacks, yet only about half took any action on the alerts. We already know that ransomware operators are adept at taking advantage of unpatched vulnerabilities and misconfigurations and are automating these aspects of their attack progressions – so why is patching not a priority?

    There are only two reasons for an organization having failed to patch in a timely manner: they could patch but didn’t, or they wanted to patch but couldn’t. How much blame should we put on victim orgs if they are not doing all they can to help themselves?

    Last but not least, we dive into the exposure of what is being referred to as the “Gili Ra’anan Model,” where CyberStarts – an Israeli investment VC – ran a CISO rewards program in which CISOs could “earn points” worth tens of thousands of dollars for “recommending and purchasing” vendors who happen to be in the CyberStarts portfolio of companies.

    While there is nothing wrong with a CISO benefiting monetarily for lending their time and expertise to the evaluation of vendor offerings, the program gave the appearance of financially incentivizing CISOs to choose products that would earn them cash rather than better protect their organizations. For reference, the CyberStarts portfolio has 22 companies whose combined value is $35 billion, five of these companies are unicorns (including Wiz, who just got bought by Google for $23 billion), and the portfolio companies have raised $1.8 billion in recent months.

    Principal investor Gili Ra'anan, for whom the “model” is named, showed an internal rate of return of more than 100%, which is a very unusual figure even for the best funds in the world. So how much did this program influence the valuations, funding raises, stock prices, and subsequent acquisition of these portfolio companies? Are programs like this ethical, or can they be run in a more ethical manner?

    The guys dig in...

    About Our Guest:

    Richard Greenberg, CISSP, President of ISSA-LA, is a well-known Cyber Security Leader and Evangelist, CISO, Advisor, and speaker with over 30 years of management experience. Richard has been a CISO, Director of Surveillance and Information Systems, Chief of Security Operations, Director of IT, and Project Manager for various companies and agencies in the private and public sectors.

    Your Hosts:

    Anthony M. Freed, Halcyon Director of Research and Communications
    Ben Carr, Halcyon Advisory CISO

    49 mins
