THE CYBYR.COM BLOG

This is a Blog Page covering in-depth analysis of hot topics, controversial ideas and opinions in cybersecurity, networking and AI. (Updated Sept 19th)
See also the breaking news page covering around ten of the top news items each month.

Covered on this page:

  • NaaS: A room full of elephants
  • GenAI: Show me the intelligence
  • National Public Data’s exposure of 3bn personal-information items now holds the record. Privaterecords (MC2) is a close 2nd.
  • CrowdStrike/Microsoft: the biggest IT disaster of all time? Estimated to have cost $5.4bn.
  • Did AT&T open Pandora’s Box?
  • NIST’s Cybersecurity Framework has been lauded. We explain why we have a very different view to others about this.
  • How and why the Securities and Exchange Commission is attempting to bring accountability globally
  • The now infamous breach of the MGM hotel chain shows what happens when you don’t implement holistic cybersecurity.
A Huge Opportunity: A Room Full of Elephants

Network as a Service


Developing Story (September 2024): NaaS represents a huge opportunity, but there are five elephants in the NaaS room:

  • E1: The areas I covered in my article and the ONUG blog, listing what enterprises actually want (or seem to want), are now mostly being ignored by most providers, to their collective and individual cost. These are:
    • On-demand services without owning the infrastructure
    • Seamless access to any application from any location
    • Consumption-based ordering and billing via a secure API or portal
    • Responsiveness to changing business demands, irrespective of the underlying network or service technologies
    • A choice of infrastructure as a service, platform as a service or managed services
    • Verified delegation of all security functions, including management and monitoring, without the need for in-house enterprise security expertise
    • No provider or integrator lock-in. The fear of offering on-demand solutions without lock-in to an overall provider misses the point of access from any location
    • Simplification of operations
  • E2: NaaS has become locked into the same proprietary approaches that are the antithesis of collaborating to make a large market for all. Here are more than 15 non-collaborating versions of NaaS, including:
    1. Network Vendors & Systems Integrators: HPE – Aruba, Cisco, Dell, Juniper, Amdocs
    2. Service Providers: Lumen, Verizon, NTT, BT, Orange Business
    3. Hyperscalers: Google, Microsoft Azure, Amazon Web Services
    4. Wide Area Network Transport: Graphiant, Megaport
    5. Multiple Clouds: Aviatrix, Nile, Perimeter 81, Aryaka
    6. Security-focused: Cloudflare, Palo Alto Networks
  • E3: The requirement of critical infrastructure that operational technology (OT) be isolated from IT networks is not being properly addressed.
  • E4: As mentioned above, the concept of an API layer/portal through which all users can dynamically select the cloud and network services they want is not being addressed.
  • E5: NaaS failed last time because the vendors and providers could not come up with a model that let customers subscribe to a service rather than buy equipment or amortize its cost. Some dismiss the idea for that reason.


Discussion: Intelligence Reality Check
Generative AI

Ahead of several AI networking events there are a number of discussion points: threats, accuracy, costs, value, adaptability to changing data, and the integration of networking and security concepts. From a security perspective the most promising is the potential removal of the lateral-movement attacks that drive ransomware; there are many more that will be developed here.

This particular blog is about the myth of the word “intelligence” in AI, a.k.a. “the intelligence fantasy.” In previous iterations of AI, human learned experience and judgements about the future were definitely present. GenAI is different.

Copilot has some great aspects: aggregating information and providing instant answers to questions such as “how do I do X?” or “how do I rework code from language X to language Y?”, and other training-type information such as “what are the top XDR products?” That’s all great, very useful, and there’s nothing wrong with it (except when it doesn’t give a valid answer). However, it does not display actual intelligence as we know it, i.e. it lacks these critical qualities:

  1. Understanding: grasping the significance within the wider context of our business and technical issues.
  2. Applying reasoning and judgement to make decisions that are relevant right now, not ones drawn from even the recent past, let alone last year. (Yes, our brain also predicts the future from the patterns it recorded from our past and tells us what to do based on survival, but that’s not intelligence either.)
  3. It’s not transformative or innovative (it doesn’t come up with game-changing new ideas).
  4. The user’s actual, relevant human experience is not taken into account.
  5. Real-time adaptation to my results as they are achieved, and their impact on future decisions.
  6. Being curious and asking questions in order to give thoughtful recommendations. ChatGPT is only half a dialog: you ask questions, it gives answers. Copilot has no curiosity and never asks you anything. Even your dog asks you (in its own way) “Is there any more food?” or “Can we go for a walk now?”
  7. Understanding that most decisions have a critical emotional context. This is not a common topic in discussions of decision-making, but brain science tells us that we store emotions together with the facts about events. If you don’t agree, think about how your technical decisions are shaped by not wanting to look stupid, or wanting to be admired so you get promoted, etc. It’s the filter that Copilot does not have, because it’s not human and has never executed anything.

Sure, it’s very useful and I use it all the time, but intelligent it ain’t. Agree? Disagree? Thoughts on what GenAI really should have been called? When I wrote “knowledge-based systems” software in the past, I programmed in my personal experience, judgements and knowledge as the basis for recommendations and for measuring success. Could GPT take such data as input? Possibly.

More on AI Networking in October 2024.

In Depth Analysis: National Public Data

Biggest-ever Theft of Personal Data

and one month later the silver medal goes to MC2 (a.k.a. … 

August 2024: CrowdStrike’s “biggest ever” didn’t last long. National Public Data, a service provided by Jericho Pictures of Florida, revealed that almost 3 billion data records had been stolen, first by USDoD over the preceding several months, and the situation was made worse by the hacker “Fenice,” who leaked the 3 billion records with personal details including full names, addresses, SSNs in plain text and 130 million unique email addresses. This is a massive story, easily the biggest theft of personal data of all time. Visit pentester.com to see whether your information is included; you will likely see addresses you don’t even remember living at. Good grief! More to follow on this, but once you have confirmed that your personal data is there, you should review your bank accounts, then lock or freeze your credit at the three bureaus. Freezes are free, but they only protect your credit, not your finances.

Yes, your historical data is there, but there is a question about the validity of all of this, so this is to be continued. There’s lots of coverage: Troy Hunt’s HIBP, BleepingComputer, etc.

Update: weeks later there is not a mention of the incident on the NPD website. I suspect they would claim that it’s all public information anyway and that plenty of other search facilities are available. No surprise that many class-action lawsuits have been filed.

September 2024 update: Cybernews revealed that “background check firm MC2 (privaterecords.net) leaked 106,316,633 records containing private information about US citizens, raising serious concerns about privacy and safety.” Estimates suggest that at least 100 million individuals were affected by this massive data leak. More individual data, beyond that in the NPD leak above, was included: IP addresses, emails, encrypted passwords, employment history, property and legal records and much more. In addition, 2.3m MC2 subscribers had their details exposed.

News Analysis: CrowdStrike/Microsoft Chaos

And the winner of the biggest IT disaster of all time goes to …

A systemic supply-chain failure appears to have been the cause of a major, costly outage on July 18/19th: an example of software created to prevent attacks doing more damage than an attack itself.

Several updates: once again, trust without verification was likely the cause of a major worldwide outage. A content update to CrowdStrike’s Falcon Sensor endpoint detection and response software was seemingly not developed or regression tested with integrity. The update immediately crashed roughly 8.5 million Windows machines: the sensor’s kernel driver read out of bounds while processing the faulty content, and the devices had to be recovered manually. Any realistic testing should have triggered this as part of the release process. Although reported as a “cyber outage,” this is a cyber incident only because the software in question, designed to detect and prevent attacks, must, unlike regular applications, run at the highest privilege level inside the OS kernel.

Apologies from CrowdStrike’s CEO, George Kurtz, are all well and good, but 26,000 affected companies, telecom outages, thousands of servers requiring BitLocker recovery keys to be entered before they could be restarted, media and hospital outages and stock exchange closures are the reality, along with hundreds of other stories. It makes us all question the wisdom of trusting automatic updates, which have been strongly advocated here and everywhere else as a key defense. Mr. Kurtz has been summoned to testify to Congress. It also raises questions about the seemingly weak verification systems that should be contractually required to protect both customers and their suppliers as a joint responsibility. This is not dissimilar from the Snowflake/AT&T issue covered in #76. Let’s hope these lessons are learned soon. Let’s face it: it could have happened to anyone.

Updates continue…
This gets more interesting as it develops. It turns out that an earlier commitment to the EU obliged Microsoft to give third-party software the same low-level access to Windows that its own security products have, which is how vendors come to run code inside the kernel. In a way it is a cybersecurity issue, since it is the security products that need that access. In this case the kernel driver, processing a signed but faulty content update (Channel File 291; I have seen the crash-event code from it), attempted to read memory it had no business touching, and Windows halted the machine with a blue screen instead of any safe-mode recovery. So that’s the downside of the arrangement, and it wasn’t helped by flawed testing, validation or content delivery on BOTH sides. The same approach leaves other security software open to malware penetration too. Oh, and the count of cancelled flights has now been put at 4,000; roughly 8.5 million PCs were affected, and tens of thousands of servers too, which required BitLocker recovery keys before they could be restarted manually. I wonder what the bill for this will be?
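As an added illustration (not CrowdStrike’s code, and not from this blog’s sources), the toy content interpreter below models the class of fault CrowdStrike’s own root-cause analysis described: a rule in the content update referenced a 21st input field while the sensor’s template for that event type supplied only 20, so the interpreter read past the populated data. The template layout, field values and rule format here are invented for the example. The point is the contrast between an interpreter that trusts the indices delivered in the update and one that validates every field reference against the template actually deployed, plus a release gate that rejects the file before it reaches a customer kernel.

```c
#include <stdio.h>
#include <string.h>

#define MAX_FIELDS 32

/* Telemetry "template type" as supplied at runtime: n_fields populated entries.
 * (Invented layout for this example; not the real sensor's data structure.) */
typedef struct {
    size_t n_fields;
    const char *fields[MAX_FIELDS];   /* unused slots stay NULL */
} template_t;

/* One rule from a content update: "field[index] must equal value". */
typedef struct {
    size_t index;
    const char *value;
} rule_t;

/* Constructed event: 20 fields in total, field 3 carries the image name. */
static void fill_template(template_t *t, size_t n_fields)
{
    memset(t, 0, sizeof *t);
    t->n_fields = n_fields;
    for (size_t i = 0; i < n_fields && i < MAX_FIELDS; i++)
        t->fields[i] = (i == 3) ? "powershell.exe" : "-";
}

/* VULNERABLE: trusts the index delivered in the content update. With a
 * 20-field template, index 20 reads a slot that was never populated (here a
 * NULL pointer handed to strcmp; in kernel mode, a read fault and a bugcheck).
 * Kept for contrast only; never called with an out-of-range index below. */
int rule_matches_unchecked(const template_t *t, const rule_t *r)
{
    return strcmp(t->fields[r->index], r->value) == 0;
}

/* HARDENED: refuse to dereference a field the template does not carry.
 * Returns 1 for match, 0 for no match, -1 for a malformed rule. */
int rule_matches_checked(const template_t *t, const rule_t *r)
{
    if (r->index >= t->n_fields || t->fields[r->index] == NULL)
        return -1;
    return strcmp(t->fields[r->index], r->value) == 0;
}

/* Release gate: count rules that reference fields the deployed template lacks.
 * A non-zero result should block the push, not be discovered by customers. */
size_t validate_content(const template_t *t, const rule_t *rules, size_t n_rules)
{
    size_t bad = 0;
    for (size_t i = 0; i < n_rules; i++)
        if (rules[i].index >= t->n_fields)
            bad++;
    return bad;
}

/* Constructed content update: the second rule expects a 21st field (index 20). */
static const rule_t sample_rules[] = {
    { 3,  "powershell.exe" },   /* valid reference */
    { 20, "ntdll.dll"      },   /* field the 20-field template does not supply */
};

int demo_good_rule(void)
{
    template_t t; fill_template(&t, 20);
    return rule_matches_checked(&t, &sample_rules[0]);   /* 1 */
}

int demo_bad_rule(void)
{
    template_t t; fill_template(&t, 20);
    return rule_matches_checked(&t, &sample_rules[1]);   /* -1, refused */
}

size_t demo_validate(void)
{
    template_t t; fill_template(&t, 20);
    return validate_content(&t, sample_rules, sizeof sample_rules / sizeof sample_rules[0]);   /* 1 */
}

int main(void)
{
    printf("good rule matches: %d\n", demo_good_rule());
    printf("bad rule result: %d (refused instead of faulting)\n", demo_bad_rule());
    printf("rules rejected by release gate: %zu\n", demo_validate());
    return 0;
}
```

The release gate is the cheap part: it runs in user space on the vendor’s build machine against every template type the shipped sensor actually emits, so a field-count mismatch fails the build rather than a fleet. The checked interpreter is the defence in depth for anything the gate misses, at the cost of one comparison per rule evaluation.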

Finally, CrowdStrike’s President accepted the “Epic Fail” Pwnie Award at DEF CON in Las Vegas in August and said it will be on display at headquarters as a lesson for all “CrowdStrikers.” Now that was a touch of class.

P.S. (September 2024). At a “why can’t we all get along” event in mid-September, Microsoft magnanimously appeared to provide guidance for companies such as CrowdStrike, without Microsoft itself taking any responsibility for not collaborating with suppliers to ensure that such “proper” processes were being followed. Until customers and distributors like Microsoft do that, it’s going to happen again.

News Analysis: AT&T Massive Breach

Massive Breach Revealed – but why now? (July 2024)

The strange thing about this story is that it’s suddenly news. The question is why. Certainly there was the breach involving the data giant Snowflake, which exposed AT&T customers in April this year and resulted in the theft of “nearly all” customer records. This is on top of others, including the six-month period in 2022 in which the records of all calls and texts (not their content) were stolen, as reported by TechCrunch. That has been known for some time, so why cover it again unless there is new, previously unrevealed information? Embarrassing as all this must be for those at AT&T responsible for customer retention, it appeared to be no coincidence that these disclosures and revelations, which look like an attempt to ward off potential legal action, came on the same day that the SEC further strengthened its breach-reporting regulations, as reported by Mintz. Something doesn’t seem quite right here. But wait, there’s more: it emerged that it was the DOJ that told Scripps News this incident “met the standard” that warranted a delay in releasing information about it, because it posed a “substantial risk to national security and public safety.”

AT&T was not the only company breached in the Snowflake “incident,” which turns out to boast the unenviable distinction of being the largest breach ever.

Looking into this a bit more, I think that anyone who has been called by someone who had an AT&T service during that breach period is now open to a deepfake exploit, because the records of both the caller and whom they called were stolen. I.e. it’s not just AT&T customers who are at risk but pretty much everyone. Scenario: someone (say person A) in your contact list calls you, so you pick up. (They are in your contact list because they called you previously, the hacker knows they called you, and you don’t even have to be an AT&T customer.) Beforehand, the hacker called person A and generated a deepfake from their voicemail greeting. It’s official: you are now toast. One example of many might be: “Hi Mark, John here. I have something big to celebrate. I want to buy you dinner. Meet me at Spago at 7.30. I have a table reserved. It’s a surprise, see you there!” (Now that you are out of the house, we’ll pop by and steal everything.) Another might be: “It’s your father, I’m in trouble and I need your help.”

Please tell me I’m wrong about this.

News Analysis: The NIST Cybersecurity Framework 2.0
NIST publication of February 2024. Drafted in mid-2023 and published in February 2024, CSF 2.0 has had plenty of coverage. It is covered here because our view differs from others’. There is definitely a need for such a framework, but CSF 2.0 appears not to meet that need, as explained below. Its abstract states: “It offers a taxonomy of high-level cybersecurity outcomes that can be used by any organization — regardless of its size, sector, or maturity — to better understand, assess, prioritize, and communicate its cybersecurity efforts. The CSF does not prescribe how outcomes should be achieved. Rather, it links to online resources that provide additional guidance on practices and controls that could be used to achieve those outcomes.”
No Framework
There is no guidance in any of the document’s 6 Functions, 22 Categories and 106 Subcategories. Rather than a framework, it’s written as a commentary on what you did or should have done (note the past tense) in order to reduce risk. While it is out of scope to describe how to implement defenses, etc., it must surely tell you what to do rather than offer motherhood statements about what should have happened. For instance, “Continuous evaluation is applied to identify improvements” or “Identities and credentials for authorized users, services, and hardware are managed by the organization.” What, who and how? The whole document is missing any kind of detail.
No Actions, No Methodology
Next, these commentaries are made in the vaguest, highest-level statements, which give no indication of how they should be achieved.
Organizational Areas Not Covered
  • Sales, Marketing, Human Resources, Customer Support
  • Operations, Manufacturing, Finance and Admin, etc.
2023-2024 Cybersecurity Topics Not Covered
  • No mention of Zero Trust or microsegmentation
  • Nothing on critical infrastructure vulnerabilities or IoT
  • No discussion of cloud security, Kubernetes or workflow protection
  • Nothing on secure services, etc.
  • Nothing on SASE, SSE, CASB, or even firewalls
  • No defense tools such as threat detection and removal
Threats Not Addressed
  • Phishing, insider threats, social engineering, malware detection
  • No mention of MITRE or STRIDE
  • Advanced persistent threats, lateral movement, elevation of privilege
  • Physical security
This is just a start, but this long list is frankly sufficient to document a big missed opportunity.
News Analysis: Securities and Exchange Commission Requirements and Opportunities
A deeper look at the SEC rules (March 2024). This is an ongoing look at the Securities and Exchange Commission reporting rules and responsibilities that came into effect in December 2023, their relationship with the White House security strategy, and their impact on US and international business operations.

The rule requiring the reporting of cybersecurity incidents that could reasonably be expected to have a material impact on investors is just the beginning. It turns out that the SEC regulations requiring public companies to disclose material breaches via a Form 8-K filing within four business days of determining materiality allow that deadline to slip when law enforcement gets involved: on the FBI’s assessment, the Attorney General can permit a delay of up to 60 days, or even 120 days if disclosure is deemed a “substantial risk” to national security or public safety. However, it doesn’t stop there. Each time material new information about the attack emerges, that too must be reported within four business days. This sounds like an opportunity for political manipulation, but it is likely better than what we had before. More in this Bank Info Security article.

The annual disclosure requirements also call for a description of the kinds of expertise and procedures in place to defend against cyberattacks, and of the programs managed directly or via third parties. How incidents are managed will reveal much about the quality of the organization’s cybersecurity program and, more importantly, about the quality of its operations. It begins to be obvious that these disclosures can create a huge competitive advantage if managed well. In terms of defense, this level of governance can deflect liability to third parties if responsibility is properly managed. Although the final version of the rule did not require cybersecurity expertise on the board, that does not mean responsibility for cybersecurity can be abdicated to a third-party service, software or security provider, or indeed to any third party in a supply chain.

Liability will depend on the reasonable and documented steps taken to protect the organization and its customers and investors.
News Analysis: In Depth on the MGM Resorts Breach
Whatever happened at MGM? This story began in 2023 but the ramifications persist into 2024.

The reason the MGM story holds our attention is the lessons that can be learned. It’s tricky, because the hotel chain is saying very little. More than two weeks after the incident, access to accounts and room booking were still offline. Four weeks later the MGM site allowed you to log in, but some information seemed to be missing. On October 6th MGM reported that losses for the third quarter would be around $100m. MGM revealed that data on transactions conducted from ???? to 2019 was also stolen. Bear in mind that this is not just bank, Social Security and date-of-birth information but gaming records that may have fallen into the wrong hands. Eventually MGM said that no ransom was paid. Interesting.

The following shows how events panned out and looks at thirteen (no unlucky gaming pun intended) areas that could be questioned, and that you should check in your own organization.

What could possibly go wrong? The massive breach of the MGM hotel chain (it has 31 properties), which disabled everything from room-key entry, room bookings and casino machines and payouts to the website itself, will cost them millions. However, it’s the loss of personal data stored in their MLife system, for anyone who stayed at any of their properties and provided credit card, email, bank or even Social Security details, that may be the bigger risk. Typically your bank (I checked with mine) would block any attempt to directly remove funds that did not come from a merchant approved for a direct debit (e.g. a mortgage company, gas or phone company) and would raise a security alert; that applies to compromised MGM data and to other merchants with whom you have direct debits. This is not the first time MGM has been breached: four years ago the MLife database was compromised, but it sounds like the lessons were not learned or the weak links not strengthened. This time the FBI has been called in, and maybe they can “help” MGM “learn.” Caesars Entertainment also admitted being hacked, by a different group, and paid a multi-million-dollar ransom to avoid sensitive customer data being exploited. Meanwhile, MGM made a weak statement about the situation and said not a word about exposing extremely sensitive customer gaming records, which were possibly the real and most lucrative target for the hackers!
Speculating on the cause. “vx-underground” on X reported that the cause may have been social engineering exploited by the ALPHV group. This was later denied in a strange message posted by the hackers. Not only that, but vx-underground was itself taken offline by a denial-of-service attack, presumably as a warning to others.
The scramble to avoid SEC retribution. Next, MGM jumped on the SEC ruling with an 8-K filing on the outage (how could they not?). For everyone, the breach is another wake-up call to anyone who does not understand the importance of holistic cybersecurity: it’s not just the largely unverified IT software, it’s the whole organization. The lack of an insider-threat strategy, of social-engineering monitoring, of Zero Trust thinking and of a meaningful third-party software verification system just doesn’t cut it any more. The juggernaut of the SEC is coming, and while CISA’s Secure by Design and Default initiative (April 2023) is good work, it would not have come close to preventing the MGM issue. Neither would NIST’s upcoming self-attestation initiative.
What a surprise. It didn’t take long for class-action lawsuits to be filed, and several Las Vegas attorneys have done just that against the two hotel chains.
Avoiding the same fate

As we said, the reason the MGM story holds our attention is the lessons that can be learned. Frankly, it’s not unique.

It’s all rumor, but if the hack really began with employee credential theft then the questions begin for them, and anyone reading this should ask “are we avoiding all of these problems?” Addressing every one of these might have prevented the MGM situation, and they should be adopted by your organization:

Some Questions to be Asked and Actions for You to Consider

  • Were staff trained to be alert for social engineering at MGM, and are they in your organization?
  • Was there MFA (two-factor or multi-factor authentication) at MGM, or could anyone log in from anywhere without challenge?
  • Are they still using old-style usernames and passwords rather than passkeys?
  • Assuming the breach did not come from a device owned by MGM at an approved location, is there a ban on BYOD (bring your own device), and was the device detected?
  • It appears that Okta is being used for identity management by MGM. Did this fail too? Does the Okta software include operational or management-level protection of its own software, even if the new CISA work does not require it?
  • Was least privilege in place? If not, why not?
  • It’s highly likely that the attack had multiple phases, which could have included elevation of privilege, lateral movement, etc. Does MGM deploy software that detects and prevents that?
  • It seems that the internal system did not employ Zero Trust principles, which would have caught non-typical user behavior in many ways (time of day, data systems accessed, data-loss prevention, privilege and separation-of-duties controls, blocking of access at unusual times, policy management, etc.) and should have provided immediate event notification.
  • Was customer data encrypted anywhere in the system, and was there an air-gapped backup of that data, with alternative backup servers, etc.? If so, was it ever tested?
  • If MGM has a security policy, does it include a social-engineering or insider-threat strategy that would have easily prevented unusual user access?
  • What did MGM do to verify the security of the software systems deployed, or did it trust that it was all good?
  • Under the new SEC guidelines reporting is required, but how much of the above was actually disclosed?
  • Reports say that there are no MGM board members with cybersecurity experience. If this is true then it’s no surprise that they were hacked. Is cybersecurity an executive-level imperative? This is saved for last because it’s the biggest issue.

Okay, it was a long list and there’s probably more. Any one of these protections could have prevented the incident. The question is: do you have all of them in place in your organization?