Newsletter

The most clicked link from last week’s issue was NSA director Rob Joyce’s comments on the agency needing to be “left-of-theft” with its intrusion prevention priorities.

P.S. There’s still time to request an invite for the book-signing cabana-con I’m co-hosting with Crossbeam CISO Chris Castaldo on Wednesday, August 4 alongside Black Hat in Las Vegas.  Space is very limited.

Monday blues.

The newsletter is delayed (and truncated) this week because of travel.  After 1.5 years of fairly disciplined pandemic lockdown, I took a cross-country flight to visit family and friends in New York and found the experience mostly normal, except for the eternal struggle not to fiddle with face masks.

In the midst of navigating this strange air travel normalcy, a friend shared this from the Daily Stoic newsletter:

“As the cases drop precipitously, there will be temptation to want life to go back to normal. For you to abandon the bubble you have created. Pause before you do that. Which parts of this slower, stiller life are worth protecting? What did you stop doing in this last year that doesn’t need to be resumed? What did you start doing — out of necessity — that’s worth continuing? What would life look like with more purpose in it, what could you accomplish with clearer priorities?”

This resonates, especially when large parts of the world are still waiting for first-shot vaccinations and the news surrounding the Delta variant isn’t exactly encouraging.

Pause and think through things carefully and resist the temptation to resume pre-pandemic life. This is true for security programs forced into digital transformation by work-from-home realities.  Pause and rethink the way you view normalcy in security and use the lockdown lessons to find newer, clearer priorities.

_ryan

A word from our sponsor (Uptycs, SQL-powered security analytics platform)

If you’re struggling with questions like, “What containers in my environment are running this known vulnerable package?” or “Where else is this file hash appearing across my Kubernetes Cluster?” or “How many servers have had the password rotated in the last 90 days?” Uptycs gives you the ability to get all the answers from the same console. Reach out for a hassle-free demo.

The big stories.

• Microsoft continues to struggle with diagnosing and patching high-severity vulnerabilities in Windows. This Print Spooler bug (CVE-2021-1675) is serious business, with remote code execution entry points on an executable that ships by default on all Windows server installations. An upcoming Black Hat talk is also part of the story.
• LinkedIn’s problem with data exposure via API data scraping is getting much, much worse. The latest tranche of hijacked LinkedIn data is 700 million LinkedIn records, including full names, gender, email addresses, phone numbers and industry information.
• Dan Goodin reports that hackers exploited a zero-day, not a 2018 bug, to wipe Western Digital My Book Live devices. The folks at Censys has published a technical report on this botnet-vs-botnet nightmare.

Supply chain security and SBOM happenings.I’m fixated on the U.S. government’s push to address software supply chain security and the ramifications for cybersecurity decision makers in the private sector. Some things to keep on your radar:

• I wrote a piece for SecurityWeek on how CISOs are looking at mandatory SBOM requirements and why it should be front-burner topic for both buyers and sellers in cybersecurity.
• This SBOM at a glance (pdf) introduces the practice of Software Bill of Materials, supporting literature, and the pivotal role SBOMs play in providing much-needed transparency for the software supply chain.
• Here’a re-up of a detailed SBOM FAQ document that outlines information, benefits, and commonly asked questions.
• This two-page overview provides high-level information on SBOM’s background and eco-wide solution, the NTIA process, and an example of an SBOM.
• Have a look at this series of SBOM Explainer Videos on YouTube.
• The Linux Foundation has released an SPDX SBOM generator to help software makers auto-populate ingredient lists that include components, licenses, copyrights, and security references of applications. The tool uses the SPDX v2.2 specification and aligns with the current known minimum elements from NTIA.

What exactly is ‘critical software’?

The Biden executive order on cybersecurity has its first deliverable: a definition from NIST for “critical software” that needs special protection in the software supply chain security push.  FCW reports that the new definition of critical software covers a lot of behind the scenes compute tools – endpoint protection, data backup, identity and credentialing management, operating systems and container environments, which perform functions dealing with user trust and operational monitoring and are designed to be managed by users with an elevated privilege level. Here’s the NIST page with the critical software categories.

Telcos monetizing SMS 2FA delivery.

From the ‘why-can’t-we-have-nice-things’ department comes word that an unidentified telco is selling — and embedding ads for shady VPN software — alongside Google 2FA messages being delivered via SMS. Google was quick to distance itself from this discovery and said it was working with the telco “to understand why this happened and to ensure it doesn’t happen again.”  Good.

Watchables.

• A conversation with Anne Neuberger on cyber-strategy in the Biden era (YouTube).
• Proofpoint’s Selena Larson and Daniel Blackford take a deep dive into the malicious use of Cobalt Strike.
• A new report from IISS provides a major new qualitative assessment of 15 countries’ cyber power, as well as a new qualitative framework for understanding how to rank global state cyber capacity.
• The NSA’s Top-10 cybersecurity mitigation strategies now include specific guidance for protecting firmware and taking advantage of hardware capabilities.

Death to fake awards.

You all know how I feel about fake awards in cybersecurity.  They’re a pox on the industry and lazy marketers who fund this nonsense deserve our derision.   On the flip side, it’s refreshing to hear startup founders starting to push back on this as “the normal way to do things” (shoutout to Haroon at Thinkst for leading the charge).

I’ll let Dragos CEO Robert M. Lee explain why there’s a better way to market your business without relying on misleading claims and hyped stats:

To new tech founders: Every now and then I get asked to do tech due diligence for investors on startups they’re evaluating. Before I even look at the tech the first place I go is their website. Misleading claims, hyped stats, etc. are common. It’s a huge turn off, avoid it.

And for those of you that know this, but feel you have to play “the game” to stand out – know that I got the same crappy advice early on and my team chose not to do it. It turned out fine for us. If you can’t stand behind what you say publicly your customers will hone in on that.

Being transparent and honest always pays dividends in the long run. I know it seems obvious but in those day to day marketing and PR choices the common sense of that can fade quickly. The good investors I’ve seen have turned down more companies for that reason than any tech item

That doesn’t mean you don’t need marketing help and support. We all need help sometimes outside of our own biases and jargon to communicate clearly to wider audiences. But if it doesn’t feel genuine to you, then change it. Editing should never chance the substance.

* My thanks to all the podcast and newsletter sponsors: MongoDB, Uptycs, Eclypsium and SecurityWeek.  Our partnership with these companies help to keep our reporting independent and vendor-agnostic.

* Full podcast episodes are available on the SecurityConversations.com home page, and on all major platforms.  Directly subscribe from these links: Apple/iPhone, Google/Android, Spotify and Amazon/Audible.