Endpoint Security, Facebook Lawsuit, Hanna Andersson/Salesforce Breach – #SCW17

Matt Alderman, Jeff Man, Josh Marpet, and Scott Lyons discuss current events in information security and compliance.

Recorded 2.11.2020

STATS: Jeff 40% | Scott11%| Josh 17% |Matt 27

PCI Counter: 11

SPONSOR 0:01
The question is simple have any of the systems on my network been compromised? The answer is harder than it should be. Enter AI hunter active countermeasures has automated in streamlined techniques used by the best pen testers and threat hunters in the industry to create AI hunter a network threat hunting solution that does the first pass of a hunt for you to identify systems that are most likely to be compromised and scores the results on a scale from zero to 100. You can then research those systems in-depth with air hunter focus your valuable time on the systems that need your expertise with AI hunter sign up for a personal demo today at securityweekly.com/ACM

RSA offers business-driven security solutions that provide organizations with a unified approach to managing digital risk that hinges on integrated visibility, automated insights and coordinated actions. RSA solutions are designed to effectively detect and respond to advanced attacks, manage user access, control and reduce business risk fraud and cybercrime RSA protects millions of users around the world and helps more than 90% of the Fortune 500 companies thrive and continuously adapt to transformational change. For more information visit securityweekly.com/RSAsecurity

Jeff Man 1:15
Welcome back to Security and Compliance Weekly. I’m your host, Mr. Jeff Man, along with Scott Lyons, Josh Marpet and Matt Alderman. One quick announcement before we jump into some security and compliance news. Our next webcast is on February 13. With Shri Sundar Lingam vice president product and solutions marketing at extrahop, where they will be discussing cloud-native network detection and response. You can register for our upcoming webcast by visiting securityweekly.com selecting the webcast dropped down from the top of the menu bar and clicking on registration. Okay, guys, we haven’t done news in a while. Any anything newsworthy that crossed your, your screens this week, we have a couple stories up on our wiki. Just anything jump out to anyone?

Matt Alderman 2:06
Well, I see this breaking news coming across on ccpa modifications in the ccpa law in California. And so I started trying, I’m digging into it trying to figure out okay, so what changed, right, you see these breaking modifications. So I’m in the document with all the red lines in it. And it looks like they’re adding some scope to CCPA. They added a definition for employee benefits, employee-related information. So they’re..

Jeff Man 2:38
Are they adding scope? Or are they defining scope?

Matt Alderman 2:44
They’re brand new definitions. And so my guess is if they’re defining what employment benefits and employment related information is, that they are also further down in this document getting called. So I think there is some expansion of scope here beyond just consumer data to potentially employment data. And to kind of hard to it’s the things just full of red lines.

Josh Marpet 3:11
You know, AB5 Have you heard of a b? Five, Matt? Um, so AB5 is New California legislation that basically outlaws and I’m probably bastardizing, this outlaws independent contractors. So if you have independent contractors working with you, like Uber has all independent contractors, or the gig economy basically, is what the run out. Yeah, it also things like nannies, and you know, a lawn hire kid to mow my lawn. Now I have to give them a W two.

Matt Alderman 3:38
Yeah, but the look, Uber and all these guys are pushing back, this is going to go to court, it’s going to go is it going to get? Yeah, there’s going to be all kinds of interesting cases around that one. But it’s interesting that I see new definitions in here, which tells me that they’re looking to modify scope for ccpa.

Josh Marpet 3:56
So what I’m wondering is, if there’s sort of like, all these different laws, AB5, and ccpa, and everything are going to sort of heterodyne off each other and really create a new sort of middle you and a new environment, at least in California, if not in part other parts of the country. Just by fact that even though each one has a little bit of information that changes, changes, scope, changes definition. But you know, when you talk to start talking about employment data, and and then another law, the definition of employee changes that gets interesting.

Matt Alderman 4:29
Yeah, I see some interesting mobile device. If you collect information from consumers mobile device, you have to notify them as well. You have to have a notice in the app on the on the mobile device as a whole new section in here. There’s some interesting mods in this regulation, which I think is going to definitely expand the scope of ccpa based on what I’m seeing in the red lines.

Jeff Man 4:55
So it’s interesting full disclosure, the person that We were going to interview today that had to cancel at the last minute because of a conflict was going to discuss CCPA. So we are going to hope to reschedule them, because I don’t think we’ve focused an episode yet on ccpa. And we probably should do that in the near future. It was interesting that you found an article that was talking about how it’s continuing to be red line ccpa, I found an article where a merchant that recently discovered that they had been breached is has filed a lawsuit against Salesforce, and has actually cited CCPA in the context of the lawsuit. So you know, it’s not even necessarily set in stone yet. And case law is at least in the beginning stages of being executed, if that’s the right term, just to see how CCPA plays out. And what are the consequences under CCPA?

Matt Alderman 5:56
Yes, agreed. case law will decide a lot of this at the end of the day.

Josh Marpet 6:00
Well, I mean…

Jeff Man 6:00
It always does.

Josh Marpet 6:02
Yeah, we’ve seen that GDPR CCPA. All of these new consumer data privacy laws are, there’s a few sort of fundamental pieces, that case law is going to be very, very interesting on the New York State amended Breach Notification law. All of these laws have something in common if you have the data of one of our people. GDPR, European CCPA, Californians, New York State amended, blah, blah, blah, New Yorkers, if you have the data of one of our people in your database that you’re under our law, even if you’re in Wisconsin, which is not in Europe, California or New York, okay. And you’re under our law and don’t care done, you’re gonna we’re gonna find you, you’re under our regulation. I mean, isn’t that like a jurisdictional issue or a venue issue? But all of them have this, and it’s gonna be really fascinating to see how this goes plays out? Yeah.

Matt Alderman 6:51
Yep. Agreed.

Jeff Man 6:53
All right, we will, we will see how it all pans out eventually. And speaking of pan.

Josh Marpet 7:02
Oh,

Jeff Man 7:04
See what I did there.

Scott Lyons 7:07
Wow.

Jeff Man 7:08
I found an article. It’s my article number two, It’s entitled back to the basics. What is the cost of non-PCI compliance? And basically, the gist of this article is sort of touching on a lot of the things that we’ve been discussing the last couple of weeks, in terms of what is the cost? You know, there’s the fines that are involved, but there’s the cost of investing in equipment and technologies to get yourself to a point of compliance. What was the other one that they mentioned? They had it all, in bullet form. They even cited increased costs of insurance, which I thought was interesting. You know, so basically, the gist of the article was, was, you know, with all the other things that are coming down the pike like GDPR, and CCPA. You know, don’t forget PCI, because it’s going to cost you a lot of money if you’re not PCI compliant. And it’s, it’ll be even worse, if you compound that with GDPR. And CCPA. You know, like..

Josh Marpet 8:12
I’m sorry, I’m gonna push back. This article is Crusher. Um, this absolute crud. I can say other words, but I won’t.

Jeff Man 8:22
Fine. Leave it a crud, but go ahead. This is not necessarily a news article. It’s a blog. But please enlighten us.

Josh Marpet 8:32
So fines recurring charges, absolutely agreed increased cost of insurance and claims. Yeah, BS. We just talked about that. That’s that is crap. Not, that doesn’t happen that way. The only way that would happen is if it’s so public, that the insurance companies like look just because you’re so public, you’re more of a target, you’re just visible, that would be the only way your insurance would go up. And even then it will go down after a year to TCP TCPA. Valid Good point. Potential lawsuits from consumers. All right. Our own research also shows that consumers will stop spending with organizations should they suffer a data breach for like six months? Somehow? They did. But I’m going to say that I doubt it’s any good.

Matt Alderman 9:13
How many people are still using Facebook after the all the issues with privacy and Facebook? numbers still grow revenue still growing? Did it really have that big of an impact? I mean, for us, for people like me that didn’t even have an account or was really worried about it. Some have, but people still using the platform.

Josh Marpet 9:32
So what I’m going to say is author of this article, who is Stacey Richards, I think it says,

Jeff Man 9:39
Well, let’s call the people out. Yes. Go ahead,

Josh Marpet 9:41
please. Well, I’d like to invite you on the show and we’ll talk

Jeff Man 9:45
well, where I thought the article was crowd was, you know, they’re basically saying, you know, you should be doing PCI because you’re going to get fine there and if you and they were tying PCI data, to privacy data, PII data which also makes you subject to other things like GDPR ccpa. And the conclusion was, the answer is to D scope from PCI DSS, which basically says, pawn it to a third party when that’s it, and to make it clear, you can push the responsibility for compliance on to a third party, but that does not mean in any way shape or form that you’ve pushed liability on to the third party.

Matt Alderman 10:31
That is correct.

Jeff Man 10:33
Buyer beware.

Matt Alderman 10:34
Yep. And we’ve seen this before, right. We talked Gramm Leach bliley in the previous segment, third party risks, they outsource a bunch of stuff, the regulator said, you can outsource a function you can outsource a risk, you’re still liable. Same thing exists in PCI. So.

Josh Marpet 10:48
I will I’m gonna throw a new story just about this, and I’ll find the new story. But Wyndham hotels, everybody knows that a franchisee of a franchise, Wyndham hotel got breached, leading to some data being lost. And the parent company was found to have some liability not 100% liability, but was found in court to have liability. And this came about I was just at that franchise show I told you about a minute ago. last segment, I’m sorry. And they were all freaking out like wait, but these are totally separate business entities and like there’s a link, you can take that franchise agreement can take some of that responsibility away. But it’s not, it doesn’t necessarily take the liability away, I’m sorry, right. There are requirements as a parent company to ensure the security and safety of the consumer data.

Matt Alderman 11:41
So that article Jeff would do as a good job trying to overlap credit card with privacy data NIST released is the new privacy framework. So it’s out there for everybody digging into this because I wanted to understand what’s included in here. So they break this down. And just like in the NIST cybersecurity framework, they break down these different domains to cover right, they do the same thing with the privacy framework, I thought it was interesting. Identify right, you have to do inventory around the data govern, build your governance policies, your risk management strategy, back to risk management, awareness training, you have control. Data Processing, is really where the controls come in, it’s all on the data side, then communicate and protect. So an interesting framework haven’t dug into all the details yet. But they’ve set up a framework very similar to the NIST cybersecurity framework of these are the different domains you have to look at when you’re looking at privacy of data.

Jeff Man 12:44
Yeah, I needed like a cross-country flight to San Francisco to give me time to read the new NIST privacy framework.

Yeah, I can’t remember how many pages,

Scott Lyons 12:52
You’ll get one here very shortly. Right? We’re gonna we’re you can you can see us at RSA right?

Matt Alderman 12:58
Yes,

Jeff Man 12:58
Yeah,

Matt Alderman 12:59
There’s a lot of details in here. Appendix A, is really where the meat is in this document for all those listeners who want to go find it. It’s pages and pages of the domains, and then the different categories and subcategories embedded in here. It’s a lot of data.

Jeff Man 13:19
But I respect NIST for being very thorough and providing comprehensive coverage on whatever it is that they tackle, be it the 800 series, or any of the various frameworks that they put out. And I’m I’m a little bit chagrined, as I was reading the article, and they mentioned the cyber, the cyber security framework that’s already going on six years old. Where’s the time flow? Yeah. But, you know, given all that we were saying in the first segment, about companies not caring, how do you get the companies to, to care? And you know, how do you motivate them? You? Where does any of this frameworks fit into, you know, if companies aren’t motivated, if companies aren’t? don’t have the right attitude about security, let’s say? How does How do any of these frameworks fit in? If and if you’re a non-government contract, or non-government in No, firm organization, this is a voluntary thing. Rest is just one of the many frameworks that are out there. I don’t know that NIST is successfully and I’m happy to be proven wrong. I don’t know that NIST has successfully tackled the sort of the public image or public perception of where somebody should look at. And how do we, you know, how does this get people to take things seriously or pay attention?

Scott Lyons 14:45
Yeah, but it’s not in the mission of NIST to be a public facing entity NIST is. And you can tell me I’m wrong here. NIST is for government period.

Matt Alderman 14:56
It is but they’ve built frameworks that people can use as an guideline in what’s missing is the teeth to say, look, you know, some of these regulations, if you’re not adopting these frameworks, then then you are potentially liable. That’s one way to do it. Josh, you were talking the last time on the why, right? for organizations that really wants to do the right thing. These are great reference guides to give them a roadmap of how to do it. But Jeff, to your point, I think what NIST does with the frameworks is a great outline. It’s the implementation in, in helping people implement or providing regulations that if you don’t implement there’s ramifications, that’s what’s missing with some of these frameworks.

Jeff Man 15:43
You know, and ironically, you know, PCI actually does reference NIST in the context of when it talks about using strong cryptography for the transmission or storage of credit card data. It actually cites NIST as a reference organization for, you know, getting a definition or parameters or what is currently considered strong cryptography. Of course, that’s why we have the debacle, the last couple years of, you know, the whole SSL, SSL TLS thing where NIST says, you know, this is bad, it’s deprecated. And yet, I know I had arguments with certain people at tenable over whether it was really a big deal or not, because it was a cryptographic type of flaw that requires a lot of calculation and a lot of sort of conditions to exist and huge amounts of data to actually be able to execute any kind of a cryptographic attack. And my point,

Josh Marpet 16:48
that goes back to what Scott was saying, When NIST is government-based, they’re thinking of right now. Right? Right. files, whereas the world we’re really not thinking about nation state as often as maybe they are.

Matt Alderman 17:00
It wasn’t even like,

Jeff Man 17:03
Let me finish that thought. I’ll let you pick up Matt. But you know, when I was at tenable and arguing that, you know, when PCI first came out and said, You’ve got to deprecate all use of SSL, early SSL and early TLS, because NIST says, so the initial plugins that were written for nessus, were written in the context of PCI and my point was, but we also have government customers, shouldn’t we be telling our government customers that they shouldn’t be using this because that’s what NIST says. And this was happening in like, 2014/15 ish range, where the notice that had gone out from nisc about it, these things being deprecated, were already months, if not years old. I don’t know if I ever won or lost that argument, but I’m not at tenable anymore. So that should tell you something.

Matt Alderman 17:50
I think you lost that one. But a valid point. Again, it’s the implementation. What I’d like to see out of this cybersecurity framework, and maybe the NIST privacy framework is these become baselines for any safe harbor type of legislation, right? Maybe you see a safe harbor for privacy at some point where you’re saying, look, if you’re if you’ve implemented the NIST cybersecurity privacy framework, and you can prove that these different things are in control. Therefore, you’re you limit liability in a GDPR, CCPA. Example, right? Again, there has to be an incentive there. Safe Harbor potentially is an incentive to lower liability. That’s how I think these things will get adopted and potentially used a lot more, versus people who want to do the right thing and need a guide, that it’s great. It’s there. But the incentive on a broader scale just doesn’t exist for these two frameworks, unfortunately.

Jeff Man 18:48
Right. So Scott, you posted a story, I guess we could spend a few minutes talking about the indictments that were put down was that two days ago against Equifax?

Scott Lyons 19:01
Yes. The Fed, finally named four members of Chinese factions that went after Equifax. And it was actually really interesting because there was an excerpt. As I tried to dig to it. There was an excerpt that was taken out of the

Jeff Man 19:28
Blade Runner?

Scott Lyons 19:30
yeah. Equifax being taken to court really caught my attention and the blurb that was taken out of it was and I quote, directly from the suing of Equifax right the documents that get released. It says defendants reliance on an automated vulnerability scanner without any other compensating controls to ensure that the vulnerability had been fully addressed. Further control Due to the failure to patch the vulnerability, although many companies use automated vulnerability scanners, the defendant did not maintain an accurate inventory of the public-facing technology assets running Apache struts, and therefore did not know where the scanner needed to run. Also, they relied on a scanner that was not configured to search through all potentially vulnerable facing websites, right? So it’s not so much that Equifax was was was was taken to court, right. But it was a mix of a couple of different things. So we had a nation-state coming after Equifax, right. Equifax holds a lot of data about a lot of people, and can be the big wrecking ball in the room for a lot of lives. But it was also the fact that Equifax didn’t know where their data was. Right, they didn’t have a comprehensive solution to say, all servers that are public-facing need to be vulnerability scanned. Right? And therefore, the scanner wasn’t tuned correctly. So the real question of liability is, is it on Equifax? Or is it on the scanner? Right? And then A is is are we throwing in a nation-state attack? Just to throw it in? Right? We know that nation-states are going to be doing these things. They’ve been playing these games since Oh, dear God, you know, the beginning of time. But, you know, who’s really at fault here?

Matt Alderman 21:28
It’s it, they’re actually a little bit of both right? There’s a whole identify component, right? Having accurate inventory. And making sure you’re you’re detecting and scanning the right stuff. But then part of it is, well, is it the fault of the vulnerability scanner, because it didn’t have the checks in it, or the person who configured it, didn’t configure it correctly to actually do those checks, right? So it gets it gets a little interesting, but it points out a couple of those core domains that we talk a lot about is basics, right? I have to know what’s on my network, I have to know what’s there, I have to be able to look for vulnerabilities across in, if you don’t have an accurate inventory list, and you’re missing a whole bunch of public web sites that have this vulnerability, that open up a breach they just opened up a very interesting can of worms for organizations that really don’t know what’s on their network and what they’re doing.

Jeff Man 22:23
You know, I don’t know what our schedule looks like in terms of the next time we’ll have a chance to discuss amongst ourselves but I would love to, to do a segment that touches talks about this whole notion of vulnerability segment in when and how do you implement a vulnerability scanner. We touched on it a little bit I happen to sit in on Enterprise Security weekly last week, and it came up a little bit did a little bit of the research for the context of that discussion, but I think there’s a huge disconnect between what I learned last week, Sans teaches vulnerability management starts with a vulnerability scan and my exposure to sorry guys PCI, which has as vulnerability management being mostly two different requirements five and six and the vulnerability scanning comes much later in requirement 11. More on that later that’ll be have to serve as a little bit of teaser I’m afraid Our time is pretty much up for the day. If you want to see these stories, refer to our wiki.securityweekly.com This is security and compliance weekly Episode 17. Gentlemen, I’ve enjoyed the conversation today. Right, let’s do it again next week. For now this is Security and Compliance Weekly build bridges and let’s close the gap between security and compliance.

 

Translate »