Clicky

Cybersecurity Shorts — China-linked VPN hack, Bipartisan Cybersecurity Efforts, New Study from HP on Nation-State Cyber Incidents and more
by Shelly Kramer | May 4, 2021

In this episode of the Futurum Tech Webcast, we focus exclusively on cybersecurity, in a series we’re calling Cybersecurity Shorts. Today, I’m joined by fellow analyst Fred McClimans for a conversation on six cybersecurity topics in quick succession. This episode covers:

  • News of hackers linked to China using a flaw in Ivanti’s Pulse Connect Secure VPN to target defense industry researchers in the US.
  • Efforts by a bipartisan group of lawmakers who are pushing for legislation funding cybersecurity training and developing programs to attract and retain cybersecurity talent in the federal government along with other efforts by lawmakers to combat cybersecurity threats.
  • A warning from the UK’s security experts about threat actors’ use of LinkedIn to target government officials and others.
  • A new study from HP on nation-state cyber incidents going back over a decade and how that’s not predicted to get any better any time soon. If ever.
  • News of a leak of 3.2 billion passwords containing 1.5 million records with government emails, and what that means from a cyber risk standpoint.
  • AI-powered cybersecurity platform Vectra AI raises $130 million — evidence of the new world of artificial intelligence and machine learning in threat detection.

You can grab the full episode of the Cybersecurity Shorts show here:

Or grab the audio here:

Disclaimer: The Futurum Tech Webcast is for information and entertainment purposes only. Over the course of this podcast, we may talk about companies that are publicly traded and we may even reference that fact and their equity share price, but please do not take anything that we say as a recommendation about what you should do with your investment dollars. We are not investment advisors and we do not ask that you treat us as such.

More Insights from Futurum Research:

SAP Cyberattack Currently Underway Exploits Known Security Vulnerabilities 

Bipartisan Lawmakers Work Toward Disclosure Bill For Cybersecurity Breaches

Cybersecurity And The Role Hardware Plays In The Enterprise Security Journey – Futurum Tech Webcast Interview Series

Transcript:

Shelly Kramer: Hello. And welcome to this episode of the Futurum Tech Webcast. This is a new series that we’re launching that I’m really excited about, and we’re calling it Cybersecurity Shorts. And today’s our first episode. And our goal here will be to cover a handful of topics in quick succession, that’ll be available on our… it’ll be available as a full episode on our webcast and podcast channels. And then it’ll also be available as individual snippets of conversation in case there’s a topic that you’re most interested in. So we’re excited about it, we think that you’ll be excited about it too. I’m so happy to be joined by my colleague and fellow enlist here at Futurum, Fred McClimans. Hey, Fred. Great to see you.

Fred McClimans: Great to see you, Shelly, as always.

Shelly Kramer: As always. So we’re going to start out by talking about some recent cybersecurity news. China-linked hackers have used a VPN flaw to target US defense industry researchers. This was reported in the last week that at least two groups of hackers linked to China, big surprise, have spent months taking advantage of a flaw in Ivanti’s Pulse Connect Secure VPN suite. And they’ve used this to break into what has been described as a very limited number of customers systems. Of course, there’s always a move to mitigate damage in these early days. And I don’t doubt that it’s a very limited number of customer systems. But still, what I thought was interesting about this was that cybersecurity company, FireEye, who also discovered and reported the SolarWinds hack that we’re still dealing with fallout from reported tracking 12 malware families associated with the exploitation of this Pulse Secure VPN, these VPN devices, and all of these are related in some way to circumventing, and getting back to our access to the devices. FireEye’s Mandiant, which is a division of the company, FireEye, actually acquired Mandiant the last couple of years they reported, they believed multiple threat actors are involved, and that these intrusions, and this is really the money point, the money line here.

These intrusions happened at defense, government, and financial organizations around the world. And in each instance, the earliest instance of attacker activity was traced back to this Pulse Connect VPN. And when we looked deeper at this Ivanti, Pulse Connect’s parent company, has contracts with government agencies that include The Pentagon, The Coast Guard, The Nuclear Regulatory Commission, and The Bureau of Fiscal Service. So nothing to worry about there, really. And acknowledging this attack, SISA, the government cybersecurity association organization issued an advisory on April 20th, just last week, and indicated that Ivanti has developed a checker tool and is working on a patch, which is great, but that patch is not expected to be available until sometime later in May. So the organization strongly encouraged any organizations using the Ivanti, Pulse Connect Secure to immediately run that Ivanti integrity checker tool. And I’ll link that here in these webcasts notes. Fred, any thought on this?

Fred McClimans: Well, boy a ton of thoughts on this. On the one hand, you’ve got organizations now, as you mentioned, this company, the VPN company, they have connections to a lot of important organizations in the government and industry. And they’re targeting these organizations specifically for that reason.

Shelly Kramer: Right.

Fred McClimans: It’s an opportunity to kind of extend what they’re doing with a little bit of more focus here. So that’s one major concern there. Part of that goes to all of the cyber attacks that we’ve had over the last decade or so, and all the data that people are able to accumulate that paints a really detailed picture of not just an organization and who they deal with, but the individuals within that organization. And of course, we help them by throwing so much out there onto social media. You may be the president of a company, the Chief Financial Officer, the Chief Information Security Officer at a company, but if you’re posting, “Hey, I’m on vacation over here in Brazil somewhere.” People know that and they track that, and they use that information just to paint that profile, and to get inside the head of the person that they’re trying to attack. And it’s an issue.

Shelly Kramer: It’s a big issue. And you know what? For threat actors, this is a full-time very, very lucrative business in undertaking. And it’s funny that you should mention other breeches and government entities, and social, because we’re going to touch on all of those topics later on in our conversation. And so, as a segue here, speaking of the SolarWinds attack, and this is a hack that happened that was discovered in February. And we are so far from understanding truly the consequences and how the infiltrations, and what data was accessed. Again, we are so, so far from this. We do know that this was a Russian attack. And so, I know that a bipartisan group of lawmakers has had some thoughts on what governments need to do to mitigate cybersecurity vulnerabilities. And you’re going to talk a little bit about that.

Fred McClimans: I am indeed. So let’s go back to 2016, 2017. There were a number of conversations that were taking place in the cybersecurity world about how to augment the capabilities that the United States has as an entity, and individual businesses and so forth, and critical infrastructure sectors, what could be done to kind of augment their abilities, because we have been dealing with a chronic, and it’s only going to get worse shortage of talent in the cybersecurity space. It’s an ongoing issue and there are a lot of things, and some of our clients on the RPA side are using automation tools to kind of improve the efficiency of the staff there, but it’s been an ongoing issue. So back in 2016 and ’17, we first started to see the idea of forming or creating some sort of a National Guard type auxiliary cybersecurity force.

In fact, back in December of 2017 there was a good publication in FCA talking about a model for building a civilian reserve cyber security force. So fast forward to the SolarWinds hack and others over the past couple of years, there have been a number of proposals to kind of use the National Guard as it exists with an augmented capability to provide cybersecurity capabilities. Unfortunately, the National Guard itself doesn’t really have that authorization. So earlier this year in January, there was a bill put forth in January to authorize the National Guard to stand up a cybersecurity unit. That has continued in those efforts to the point where just in the last couple of days, we’ve actually seen another bill, a bipartisan bill, go into a Congress to create the civilian cybersecurity reserve.

This is sponsored by Jimmy Panetta and Ken Calvert, a Democrat and a Republican here. Not that, that makes much difference in this day, but there is some bipartisan support for this. So what this would effectively do, and they’re trying to set up a sort of a pilot program here. This would help the Department of Defense and defense are in Homeland Security with an effort to create sort of a civilian reserve Corps. You would have to be a member or a prior member of the Defense Department, or the military, or the government in some capacity. And it would be an invitation only type of agenda or operation here. It’s intriguing.

I think there are a number of challenges that we face going forward. I don’t know that this particular bill has any more legs than any of the other dozen or so that have been over the past few years. But the reality is that we do need to find a way to rapidly supplement our cyber defenses here. And a part of that comes through manpower in part as we’ll talk about in a couple of other topic areas, can come through artificial intelligence.

Shelly Kramer: Right.

Fred McClimans: But clearly, the need is here. And what we’ve seen so far is that the basic model that we have now, it just does not work. The idea of detect a breach, remediate the breach is doing us zero good right now. In fact, it’s doing us a lot of harm, because every time we detect it’s usually after data has been taken, after some piece of information has been brought together. And if you look at that basic premise of the whole basic process of cyber threats here, you want to go out, you want to accumulate as much data as you can. You want to aggregate that data together. Then you want to analyze that data to find some really meaningful insights, and then act on that data.

Shelly Kramer: Right.

Fred McClimans: And we’ve been giving them a decade or more of accumulate, and aggregate, and analyze. And it’s kind of scary here, where we are. So I’m nice, and pleased, and very happy, and thrilled to see this effort here, we’ll see how successful it is. But it’s something that at least if we don’t try to augment our capabilities in this type of an area, then I think we’re just sitting around waiting for the next breach. And I know as I mentioned earlier, some of the skill shortage here that we’re trying to address, some of that can be done through RPA technologies. And Shelly, I know you’ve been working with some of the companies out there, they’re doing exactly that in this space.

Shelly Kramer: Yeah. And I think that, I was looking at a report by the government accountability office that was recently published, and they reported a shortage of cybersecurity and IT pros. But what they said is that this is putting the government at high risk, and that’s really… And so, another thing that’s happening, that lawmakers are working on is legislative funding for cybersecurity training, and also developing programs that attract and retain cybersecurity talent in the federal government. And that’s really it. There’s such a demand for cybersecurity talent. As a matter of fact, Chris Krebs, who led SISA during the Trump administration is now working with FireEye. He has his own firm, but he’s consulting with FireEye… Oh no SolarWinds, I’m sorry. He’s consulting with SolarWinds. But my point is, if you have this expertise, it is incredibly sought after. And I know that you have kids who are teenagers, I do too. I can’t tell you how many times I talk to my kids about, “Do you have any idea what opportunities exist in the cyber security space?” And they look at me like, “Mom, you’re crazy.”

Fred McClimans: Shelly, I tell you, my oldest son is a senior in high school, and the class he loves the most, cybersecurity.

Shelly Kramer: Yeah. There’s just so much opportunity there, but our workforce shortage, there’s some barriers to entry. I know DHS is doing things to address both the workforce shortage and kind of reducing, addressing barriers to entry for underrepresented groups. So the fact that that’s in motion is good. There’s also legislation in play about mandatory breach notification as a result of the SolarWinds. And SolarWinds’ attack has just been an impetus for so many things. And when you talk about mandatory breach notification, there’s positives and negatives there, how much information do we want to put out there? Companies do have an obligation to report what is involved in those obligations. And lastly, I saw an interesting news tip just today about big tech companies, US big tech companies, urging governments to designate ransomware as a bonafide national security threat.

And this is a push to combat the hacking epidemic. And this hacking today… to date has cost businesses, tens of billions of dollars. And so I was pleased to see… let’s see, the phrase that you just used. Pleased, and thrilled, and happy to see Microsoft, Amazon, Cisco, FireEye, and then officials from both the FBI and the US Department of Justice calling for measures to deal with this. We’ve seen attacks on hospitals, government agencies, critical infrastructure. Of course, all of these are incredibly important. We’ve seen hacks on vaccine makers trying to get access to information from the companies making vaccines. And as I mentioned earlier, there’s so much competition among cyber-criminals and nations. And the problem is some nations are either unable or unwilling to enforce laws, preventing the launch of attacks.

Other nations actually create ecosystems that support these attacks. See Russia, China, North Korea. So it really is a big problem. It’s great to see that there is proposed legislation in the works and that most of this legislation that we’ve been talking about is our bipartisan efforts. So I think that’s tremendously important.

Fred McClimans: Shelly, one final thought on this. My hope is that we don’t get caught up in the yes or no answer politics in this type of a situation. And I’ll give you a really good example. Breach notification tremendously important, but there are layers of breach notification. In a situation where I’ve just detected an intrusion into a network, the last thing I want to do before I’ve had a chance to actually figure out what’s going on is to announce that I may have cured the breach. I may be aware of what’s taking place, but I don’t want to tell the world we found you. So there’s a layer there. There’s maybe an initial breach notification that goes to a government organization that has the participation of industry leaders in there so that everybody is now aware of what’s taking place. And then there’s a staged release of information in a more public venue. So we’ll see how this plays out.

Shelly Kramer: Yeah. Lastly, I think what needs to happen from a business standpoint, it’s like with the Microsoft exchange servers attack, it’s like with this VPN attack, now with the Pulse Connect VPN, there’s not a patch available yet, but there’s a way to see if you’ve been affected, right? With a Microsoft exchange server attack, part of the problem with that is that there are tons of companies who haven’t done the patches, and so again, is it lack of time, expertise, whatever it is within your organization. But there is a very real responsibility on the part of businesses to understand that cybersecurity is a board level conversation. This is something that has to take top priority over everything else that’s going on. And when something big happens like this, everything has to stop until these patches are in place. And I think that’s an important thing as well.

So I want to move on in this conversation. You mentioned earlier what we put out there in social security… Oh, social security. What we put out there in social media and how that has an impact. And one of the things that I saw the other day that I thought was interesting is that the UK announced… launched a counter-intelligence campaign warning over folks being targeted on LinkedIn. And so, the UK Center for Protection of National Infrastructure, in conjunction with their counter espionage components of their national security service, MI5, isn’t that James Bond MI5? They’ve issued a warning to the UK’s government workforce, alerting them to the danger of using LinkedIn. And this new campaign that they’ve launched is called Think Before You Link. And so the campaign targets 450,000 UK’s civil servants, academia, government.

And what the agencies behind the campaign claim is that over 10,000 individuals have been targeted on LinkedIn within the last five years. Personally, 10,000 in years doesn’t seem like a big number to me. But let me step back and say this kind of education, doesn’t just stop, this kind of campaign doesn’t just stop in the UK. In France, for instance, in 2018, the government warned their government workforce about the use of threat actors on LinkedIn, who were talking about consulting contracts and reaching out for fake interviews. And some 4,000 French workers were involved that were targeted on LinkedIn by threat actors. The same thing happened in Germany in 2017 and 2018. And the United States created a campaign in 2020, and Australia created another campaign. So all of these governments are looking at LinkedIn and saying, “People, LinkedIn is dangerous.”

And what they shared again is that foreign intelligence services said that they’re posing as headhunters and consultants on networking sites specifically to target people in various countries. And this is one of the top ways that foreign adversaries, both identify and target government cleared workers and get information from them. And I thought that was really interesting. It’s funny because I have a fairly large LinkedIn network, and one day, a couple of weeks ago, I had a couple of different connection requests. And what was so odd is, you’re kind of moving at a fast pace, and you’re doing this, and you’re doing this, or you’re scrolling through your LinkedIn connections. I use LinkedIn all the time. So it’s an important platform for me. But my brain recognized as quickly as I’ve been going through connection requests and reading pitches and everything else, that two of the requests had the exact same photo.

Fred McClimans: I’ve got a story for you on that in a second.

Shelly Kramer: So anyway, the whole campaign around… I thought this was interesting, and I’ll link this in the show notes. The campaign that was released in the United States in I think November of 2020 includes a 30 minute film, and it’s called The Never Night Connection. And it walks through specific instances of how this kind of targeting happens on LinkedIn, and what threat social platforms pose. And you know what? If you’re using LinkedIn, or if you’re a business leader, and you have team members using LinkedIn, this could be 30 minutes well spent watching this. And Fred, so tell me about your story.

Fred McClimans: So it’s almost exactly what you described about realizing something about a picture. About three years ago, I was going through LinkedIn, regular basis, just going through the different connection requests, and one just happened to catch my eyes. I thought it looks familiar, but I don’t know. Let me click through, go back and look at the person’s background. I’m like, “Well, that’s interesting.” They’ve got a couple other connections. I followed that to a couple of more connections, and I ultimately come across several different attempts that people have made to connect with me on LinkedIn that were linked back to a common item. And that was that they had each attended the same university in China for the same period of time. And that was their only educational experience, and only had one job experience on there at some fictitious company that just did not exist.

So I started following this down, where were they connected to? And it turned out that there was a complete imitation or a virtual company that existed. But the one that was online, wasn’t the exact same company, sort of a fake webpage situation, fake company. It was in the oil and gas exploration field, and they had connections within this LinkedIn page, and the people that were all there is listed as VP of sales this, head of marketing that. They had connections to thousands of people in the oil and gas industry at that mid to lower level there, lower level working or employment level. As part of this, one of the common threads that I found in this group was there was a social Firefly, sort of a Firestarter.

Firestarter in social terms, that’s the person that goes, “Oh, that’s a great idea. I can connect you to this person, and this person, this person.” They bring everybody together. There’s sort of the buzz at a party, so to speak. This person there, I could not track down beyond a couple of different social media profiles that all looked bogus when you kind of dug into them deeper. But this person had connections and somebody was having conversations with all of these people in the oil and gas industry, and they were chatting about where they were going, and what they were doing. It span multiple networks.

But the interesting thing was that when you went back to all the core, like the heads of the business lines, the VP of exploration, and the head of sales, and whatnot, all of their pictures were pictures that you could find on free advertising sites. The male model sites, the female model sites, the business exact [crosstalk] computer. They had taken pictures, and even use them multiple times, with multiple individuals.

Shelly Kramer: I have many friends by the way, who’s… people don’t just resort to taking images from sites like image sites, or whatever. I can’t even tell you how many friends I know personally, male and female, whose profiles have been-

Fred McClimans: Been used. Yeah.

Shelly Kramer: … whose photos have been stolen, have been reused, even pictures of their kids. I have a girlfriend who’s found images of her and her family on billboards.

Fred McClimans: Wow.

Shelly Kramer: Just crazy use. Yeah. So it is scary. I think that in closing, I really like the US’ Never Night Connection Campaign says, “A friend of a friend may not be a friend.” So I think the takeaway here is, it doesn’t matter whether you’re in the UK, the US, Germany, France, or any country anywhere, know that threat actors are using LinkedIn. They are patient, tenacious, and smart. Especially if you are in certain organizations, I can promise you, they’re paying a lot more attention than you are. And it depends on what your settings are. Your settings could be such a way that if you’re connected, if you and I are connected and my settings are fairly open, you can easily get in and look through my connection database, and things like that.

So think about things like that. Think about who you connect with, and I encourage people to do a Fred moment, to go down that rabbit hole and say, “Wait a minute, let me suss this out a little bit.” And the other thing is, I think that it’s important. This is so cheesy, but if you see something, say something. You know what I’m saying?

Don’t just see this anomaly. And I do think that this is where LinkedIn fall short, because I try to report these profiles to LinkedIn, and there was absolutely no way that I could do it. And you know what? You have an obligation. And I realized that all of our social platforms have… and Google as well, have made a no customer service, the foundation upon which they have been built. And there’s no way to contact them, and there’s no way to truly report anything that has any nuances, or anything else. But when this kind of thing is going on, we, the public, need a mechanism by which we can report this. And you and I have a platform. I can write a blog post about what I discovered on LinkedIn, and how I feel like this is a threat, and how there’s no way to report it to LinkedIn and, “Oh, Microsoft, I hope you’re paying attention.” You know what I’m saying? We have a platform that we can use, and networks that we can use to try to get that word out. But I think-

Fred McClimans: I want to do that. If there’s somebody out there that has something that they need to…

Shelly Kramer: Let us know.

Fred McClimans: Please, yes.

Shelly Kramer: Let us know. So with that, we’re going to move on and talk about a new study from HP that we thought you might be interested in. Fred, take it away.

Fred McClimans: Yeah. So HP, and actually HP Security for Personnel Systems Department, and the University of Surrey have gone through what they called the Into the Web of Profits study. They looked back over the past decade at cyber security attacks, primarily with a focus on nation state oriented attacks. So in investigating over 200 of those attacks over more than a decade, they started finding connections between the different groups, and different nation states the way they were attacking the approaches to their attack. And they turned up some really interesting stats and data here. One being that the number of nation state attacks since 2017 has doubled between 2017 and 2020. And I want to point out for a moment that cybersecurity attacks have increased far beyond that, but the nation-state attacks, those are the ones that really get the attention because there’s an alternative need.

We have threat actors out there that are the individuals. The person that wants to goof around with something. We have organizations organized crime, individual groups and teams that are out there that are working on their own behalf for monetary gain. You have people that are sort of freelancers that are out there. But when you get to that level of nation-state attack, they start to dig into a lot of critical infrastructure and national security, and it becomes a very big issue. So let me talk about some of the stats here because some of these are actually really interesting.

So it looked at the cybersecurity stats. There’s 100% increase in nation-state attacks from 2017 to ’21. 10, publicly attributed tax in 2020 by nation-states. That’s a big deal in my mind. 40% of the attacks in the past year, they say were directed to targets that included a physical component, such as utilities, or industrial control systems, and 20% were tied to some sort of regional conflict. Now, that’s an interesting one there, because what you see is the emergence of organizations using cybersecurity as a way to impact politics.

Shelly Kramer: Right.

Fred McClimans: Regional conflicts to insight, to escalate, to perhaps gain an espionage insight, or possibly as a result of that, to create misinformation campaigns coming back out. So I thought that was interesting. They also found that nation-state attackers were now more interested in enterprises, 35% of the tax out there-

Shelly Kramer: I saw that.

Fred McClimans: … than they are in government, cyber defense agencies, only 25% of the attacks. There’s a lot of money there, a lot of money there. And it’s important to point out that the nation-state attackers, they’re not necessarily the state itself, but teams that the state would hire and work with, or gain information from. And in fact, there’s an interesting side note they found in here. 10 to 15% of the black market sales of data coming from these nations that oriented attacks are believed to be providing those services or supplying government groups with that data. So it’s not just an issue of as a nation state saying, “Here’s our team and we’re going to do X.” It’s people going out and independently gathering information, and then selling that information.

Shelly Kramer: This is big business. But 1.2 point on focusing on enterprises, think about it this way, the SolarWinds hack, okay?

Fred McClimans: Mm-hmm.

Shelly Kramer: SolarWinds is an enterprise, one of the biggest defense vendor for defense organizations, right? So they weren’t targeting the government directly. They targeted the SolarWinds enterprise, same thing with the VPN… Pulse Connect VPN, enterprise who has connections to government. So I think that kind of explains that a little bit. I think they’re very, very interested in accessing government information.

Fred McClimans: Absolutely.

Shelly Kramer: But they’re doing it in a different way than going… sometimes they’re going directly to the government itself.

Fred McClimans: When you look at that component that says an increased number of these attacks are not just in cyber, but they’re targeting physical assets out there. You think about the 16 critical infrastructure sectors, everything from chemicals, to communications, to transportation, to food, all these systems that a nation would need to survive. And we put a lot of emphasis on those, but they are increasingly at risk from these type of attacks. And when we start to look at the increased tendency for organizations to actually use these attacks to impact politics, now you’re starting to see a bigger picture coming out here. And when you look from a regional conflict perspective, there’s no doubt that yes, we have been in conflict with Russia since the ’40s and through the cold war.

China is that emerging threat, but we can’t discount Russia, North Korea, Iran, and others out there that are seeing that they can use social media, not just information campaigns, but information that they may gather on the physical assets that are out there to kind of position themselves in a new type of light. And that opens up the possibility for recognizing that at some point, we either have to just openly declare, which we have not done yet. We’ve been kind of cybersecurity is off on the side. We have to literally openly declare look an attack on us, and our critical infrastructure in cybersecurity is the same thing as a physical attack on our shore.

Shelly Kramer: Excellent.

Fred McClimans: And something has to be done there, or you step back and you go “Look, we’re going to all agree, we’re not going to do this anymore.” I’d love to say that…

Shelly Kramer: Which is not going to happen. That’s not going to happen. That’s not going to happen. Yeah.

Fred McClimans: But it is interesting. This whole study, I think just kind of highlights, and we’ll include the link in the show notes for this.

Shelly Kramer: Absolutely.

Fred McClimans: But I think it kind of highlights the fact that the cybersecurity, the sort of the hacker movies of the ’80s and ’90s and the war games type stuff. Yeah, that’s cute, but we have moved so far beyond that.

Shelly Kramer: We have.

Fred McClimans: We’ve moved so far beyond somebody stealing your credit card data and using it to purchase something at another store. We’re now to the point where national security interests. And by default, civilian and citizen interests are now being impacted in a significant way. And I think that needs a new level of attention, which goes back to the first thing we talked about in this show today, the effort to kind of augment the cybersecurity reserve capabilities that we have.

Shelly Kramer: Well, absolutely. And also, US big tech companies stepping up and saying, “This is a national security matter. And no matter what anybody else says, we’re here to tell you that we know. This is a national security matter.” So I think that’s a really important thing. And I think that it’s great to see these companies get involved. Moving on in more hacking news that may be of interest, 3.2 billion leaked passwords containing 1.5 million records with government emails are now out there floating around. This comes from an analysis by Cy Hunt, an application security assessment firms that helps organizations guard both mobile and web applications. They published an analysis of, what is the biggest known compilation of password leaks by a hacker on an internet forum? This 100 gig dataset is called Combat 21, compilation of many breaches. It was published in an on online cyber crime forum on February 2nd. This data was compiled from multiple leaks in different companies and organizations over the years.

And here’s some of that data. 3.2 billion passwords linked to 2.18 billion unique email addresses were exposed in this data dump. This includes 1.5 million passwords associated with email addresses from government domains around the world, including 625,000 from the US alone. In addition, these numbers are crazy, the leak includes 1,000,005 passwords. Let’s see. So the United States is 625,000 government passwords, the UK 205,000, Australia, 136,000, Brazil, 68,000, Canada 50,000. And the top 10 US government domains affected by this leak are the State Department, Veterans Affairs, Department of Homeland Security, NASA, the IRS, Center for Disease Control, Department of Justice, Social Security Administration, US Postal Service, the EPA. So they’re all over the place, right? And by the way, there were only a very small number of passwords in this leak related to the Chinese government and the Russian government, big surprise.

But for me, the most interesting takeaway, other than the massive amount of email information out there is that what information you can get in a relatively short period of time by analyzing these leaks. Okay. So what they were able to do is that you could… looking at this data, they could see current and past passwords, which also shows what my patterns are as a user, and how password reuse and changing password habits are shown. And what they found was in many cases between three and 30 passwords that were linked to a unique email. So Shelly Kramer, my email, and it could show whether I’m using the same password on domain, domain, domain, because by the way, those domains are in the leak. So you don’t have to look at that many to see, “Oh my God, here she is on 10 different domains using the exact same password.” So you’ve got your password we users clearly identified. Think about the danger this presents for your organization, especially if you’re a government. And then it also showed password changing habits. So every time Fred changes his password, he takes the same password and he adds this character, this character, what’s the next character in that sequence.

So we are creatures of habit. Again, think about the danger that this poses to your organization. And then to tie this back to the threats to infrastructure that we were just talking about. The Oldsmar Florida water facility that was attacked in February plays a role here. And this is for those of you might not remember, or don’t connect the name. This is the water treatment facility where lye levels were increased 100 times in an attempt to poison the water supply. This attack in Florida, it happened three days after this data was leaked online. And the credentials for the water plant were included in this email password leak.

So that is a very big deal. And I just thought, these numbers are just so mind blowing and it’s like… but what we can’t let happen, if you’re listening to this, if you’re watching this, what we can’t let happen is we can’t be so overwhelmed by the enormity of this that we just think, oh. And I’ll say this because you and I, we’d done some research with both brands and consumers, not at all related to cybersecurity, but where consumers have told us that they feel so vulnerable, and they feel like their privacy is not protected by brands.

They’re very concerned about it, they’re anxious about it. They don’t know what to do about it at all. And so sometimes again, I think we just tend to, whether we’re a business or an individual, sometimes we get so overwhelmed by the enormity of the challenge ahead of us that we just kind of frozen. We don’t do anything. Well, we can’t afford to not do anything about this.

Fred McClimans: No, no, absolutely not. It’s interesting, you mentioned the trust issue in there. We did a study with a SaaS last year that revealed exactly that, that the consumers… a majority of consumers felt that they were giving up too much data. They were giving up too much control. And at the same time, you had a majority of brands out there that were also saying, “Look, we recognize.” One really big breach can destroy the trust that we have with our consumers out there. And yet we still get into the situation where, because it perhaps is profitable, it advances a new product launch, or whatnot. We often see organizations moving ahead with a new implementation, new program, a new technology, or a new market launch, a new website without making sure that that is in fact really 100% secure. They’re willing to take a little bit of a risk there. So it’s a big challenge, a huge challenge out there.

But that connection, I did not know that about the connection back to the Florida water breach. That makes perfect sense there. You think about that, you go back to the 4A’s cybersecurity that that’s exactly these people accumulating, aggregating all this data together from multiple websites, analyzing it to find Shelly Kramer’s pattern and passwords, and then activating that data to hack into this facility.

Shelly Kramer: Well, and targeting. As I said, when we started this conversation, we’re going to touch on every single one of these things, whether it’s the dangers of social, whether it’s ransomware, it’s a national security threat, it’s the threat to infrastructure. So all of these things I think are really interesting. And we’re going to wrap up this conversation looking ahead to… some technology that is already in use. But what we also think is ahead with regard to artificial intelligence, and machine learning, and threat detection, and how the role that, that will play in cybersecurity. So Fred let’s hear it.

Fred McClimans: Yeah. So the news headline is Vectra AI. They are a cybersecurity company that has based their core value prop around artificial intelligence and the ability to ingest in process an amazing amount of data looking for patterns that might indicate a data breach or a security risk within an organization. The second part of that headline there is that they are now a unicorn. They raised $130 million that puts them at about a $1.2 billion valuation, not too shabby. And if you just look at that number there, that’s not a unique number. We see a number of companies in the cyber security space using artificial intelligence, machine learning, and deep learning, all of these companies raising significant amounts of money because they’re able to do something that we as individuals really can’t do at this point. And that’s connect the dots across an unlimited number of vectors.

So there’s really some significant potential here for these. So looking specifically at Vectra what they do is they send security enriched metadata. So it actually data that has been processed a bit into a more contextual format. They send that into their data lakes and then they analyze it for any number of different possibilities, anomalies. And when you think about the number of data points we throw off within an organization, every time a data transits through an organization from one user to another, from one server to another, between different applications, that’s a data path. It’s a pattern that can be identified and said, this is a normal path, this is not a normal path. And then you combine that with the number of IoT sensors and data sensors, and just software engines that are out there. Every time a software tool makes a decision, link this to RPA tools, every time an RPA tool makes the decision and does X or Y that’s a data point.

And we can look at all of these data points now with artificial intelligence, and we can spot the anomalous behavior out there and get a much better insight into threats that we may not have even envisioned or thought of. And it’s important to note that in a lot of… I think just about every study that we’ve done in cybersecurity and in the security space, Shelly, has indicated to us that there’s a level of threat visibility that is critical to organizations, that most organizations don’t have complete visibility on. In fact, there was one, let me pull up this exact study here. I want to make sure I get this right in here. We did a study with Dell last year, and it turns out that dashboards played a really significant role in detecting cyber breaches. A dashboard that’s that one pane of glass where all the data sensors come in.

But it speaks to a deeper level of understanding that you are potentially at risk. And it turns out… let me find this correct stat here on this. I want to make sure I get this perfect dashboard.

Shelly Kramer: There’s a researcher.

Fred McClimans: Let’s see. Yeah. So well, in fact, so in our particular study, 44%… [inaudible] two-thirds of organizations said they’ve been the victim of security breach in the past 12 months. But there was a difference. Organizations that had at least one or more dashboard for managing all their security profiles, they were twice as likely to have said that they had been breached in the prior 12 months, which brings up an interesting point. We’ll have this one group that has dashboard visibility that says, “Yes, we’ve been breached.” And you have another group, same type of business-

Shelly Kramer: Says, “We’re good.”

Fred McClimans: … saying, “We’re fine, but we don’t have any dashboard out there.”

Shelly Kramer: We don’t know what we don’t know.

Fred McClimans: We don’t know what we don’t know.

Shelly Kramer: So we are just going to assume that we are safe. It’s crazy.

Fred McClimans: Exactly. So when you look at that, it’s very clear that having visibility into the network is critical to understand that you have been breached. And that’s sort of a mindset. It’s a philosophy that we recommend all the time to organizations that you have to think security.

Shelly Kramer: You have to.

Fred McClimans: You can’t just say, “We have a group over there that’s watching security.” That’s not sufficient. You have to actually think security first, and put yourself in a position where if you were the threat actor, what might you do? Well, if you’re not sure what that is, put as much information in front of you as you can. And that’s where tools like Vectra AI come into play. These tools have the ability to look at all this data that would be impossible for an individual to watch and monitor. It’s logs, it’s IoT sensors, it’s software, it’s monitoring RPA systems, phenomenal ability.

And I think that really is, that’s kind of the future of where we’re getting with cybersecurity is sort of this tiered approach, where if we can pull enough information in, and I’ll say this should probably be across multiple organizations. If we can find a way to actually anonymize and take away any kind of identifiable information, patterns, although AI is pretty good about that. But if we can find a way to kind of pull data from multiple organizations within an industry into a common data lake like that… we can then apply the right machine learning and deep learning to spot these anomalous patterns out there. I think that has to become a part of our overall cybersecurity posture.

Shelly Kramer: Yeah, I think it does. And as you said, we’ve done work with Dell. We know some interesting things about what customers think, or what users think, and what the reality is, and that there is often a big disconnect. And real-time visibility into everything that’s happening, in my opinion, is the only way a CSO could possibly sleep at night, right? And even then, I can’t imagine the stress that would go along with this job. And Splunk has done a great job as well with their security operation centers, and all the work that they’re doing. And Vectra is interesting. They’re not the only ones using AI as part of this equation. One thing I thought that was interesting as we were prepping for this show is that I saw that Vectra did a similar survey.

And they said that nearly 80% of their survey respondents claim to have good or very good visibility into attacks that bypass perimeter defenses like firewalls. Yet, there was a contrast between the opinions of management level respondents and practitioners, with managers exhibiting greater confidence in their organization’s defensive abilities than practitioners. So the people with eyes on what’s happening day-to-day up to their necks in all things cybersecurity, really understand the risk much more sometimes than more senior level people. And that’s why we constantly say this is an executive level conversation that your organization needs to have cybersecurity, and your CSO needs to have a seat in the boardroom. This is business mission critical.

Fred McClimans: Yeah. Actually, there’s an interesting twist in there that I’ve seen enough to go, “This is possibly a troublesome issue.” When we talk about dashboards, sometimes the oversimplification of dashboards can lead to that false sense of security. And one of the examples I used to use a lot in presentations talking about tiering of dashboards and ability to dive deep is that the ultimate dashboard for a CEO is an iPhone screen or a Android screen, take your pick, and it’s either red or green. And if it’s green, they know everything’s good and they can go about doing what they’re supposed to be doing. But if it’s red, they know something is wrong here.

Shelly Kramer: Stop immediately.

Fred McClimans: Because a lot of people don’t want red on their screen. I think there’s a tendency to kind of push down a lot of these smaller cyber attacks that are addressed at a lower level, and not give them the proper visibility up to management to make the right business decisions. And you’re right, having the CSO at the C level and on the board, that’s critical. I think there’s also a very strong role for large enterprises to actually start to combine that Chief Risk Officer and the Chief Security Officer and sort of a Chief Risk and Trust Officer, somebody that’s responsible for the overall trust and well-being of the organization that spans not just business process risk, but business process security risk.

Shelly Kramer: Yeah. And I think that one other thing that we’re seeing as a trend in the industry as analysts is that we’re seeing cybersecurity advisory and consulting services being a part of what vendors are offering. And I think this is really important because to go back to our earlier conversation, when we talked about, there is a very real dearth of cybersecurity talent, there is a very real dearth just of IT talent in general. So rather than swimming and trying to figure out all on your own, not only can you use technology products from some of these technology vendors, you can work with them on consulting and advisory and managed services providers. And so, I think it’s really important for organizations to understand, you don’t have to do all this on your own, and expect yourself to do it on your own when everything about security, cybersecurity business risk has just become more and more complex is really kind of silly. And so, step back and realize that there are organizations that are very capable, that you can work with that can provide advisory and consulting services that are probably important to the organization.

Fred McClimans: And it’s not just cybersecurity, but extend that into the AI field as well, because we’re talking about, AI related to cybersecurity. But a lot of these areas, we don’t know all the nuances of the use cases. We don’t know all the nuances of the application. And I’ll give you a good example. Somebody that we were just talking about the other day, C3 AI has differentiated themselves in the marketplace when it comes to AI as sort of the core for analyzing and understanding data, instead of taking sort of a, “Let’s provide all the storage and the data aggregation and then apply AI to it.” They’ve kind of inverted that and said, “Look, AI is at the core, let’s bring all the data in for that.”

But one of the things that differentiates them from a lot of others in that space is that they’ve recognized from the beginning of Tom Siebold’s company, that look, “This is so new to all of us, that it’s got to be a partnership.” And they excel in the area of providing that partnership level service and customization because every enterprise is different today. The idea of thinking of cybersecurity back… gosh, a decade or two ago, “Oh, well, I’ve got McAfee off the shelf, that no longer works.”

Shelly Kramer: That no longer works. And really, I think that that’s another trend that we’re seeing in the industry, strong strategic partnerships from some of the biggest players in the industry, and from more of the small to midsize players in the industry. And that’s really the path forward because again too, for any organization, even at the enterprise level to think, “I’ve 100% got this covered, we can do it all ourselves.” That is really not the path forward, I think in most cases. So it’s just knowing that it is those strategic partnerships, great vendor relationships, that’s smart business.

Fred McClimans: It is indeed.

Shelly Kramer: It is indeed. Well, Fred, that wraps our show. And thank you so much for always being my favorite cybersecurity geek. I think that we’re the ones on the Futurum team who are really most interested in this stuff. And I can’t close here without a call to action to download… Daniel Newman and I recently wrote and published a brief called The Rise of Confidential Computing, which is some nascent technology that we’re already seeing in the marketplace. And trust is the new battlefield in the age of digital transformation. And you’ll be able to read all about what confidential computing is and how it handles data in its various stages, and what we’re seeing from big companies in the space like IBM and AWS, and so many others, and what they’re doing with regard to confidential computing, which I think is going to be a really important next step in what enterprises for sure do to keep their data safe.

So with that, thanks for joining us. Fred, I know I’ll see you again on another one of these webcasts really soon. And for everybody hanging out with us today, thank you.