• Daniel McDermott

    Dan is a 20 year veteran of the ICT industry working for global and local vendors in bringing new and innovative technologies to market in the ANZ region. During his career, Dan has been passionate about bringing a local voice and insights to global technology challenges. As the Editor of GetCyberResilient.com Dan casts a keen eye across the hot topics, trends and pulse of local security practitioners to curate stories from near and far that are most impactful in addressing our evolving risks.


    Add comment

And we're back, for the first episode of 2023! Dan, Gar and Vinh return to the mics and take us behind the latest cyber news making headlines. In this episode we cover the newly formed global Ransomware taskforce being led by Australia, we dive into how an outage at the Federal Aviation Administration (FAA) in the US sent the nation into travel chaos, and how revenue from Ransomware attacks fell by over $300 million dollars in value in 2022. We then wrap up of the latest breaches and vulnerabilities to make the headlines.


The Get Cyber Resilient Show Episode #121 Transcript

Dan McDermott: Welcome to 2023, and to our first episode of the Get Cyber Resilient Show for the year. Remarkably, this is our 121st episode in total. And today, we kick off the New Year with a look behind the cyber news headline. I'm Dan McDermott, your host for today, and I'm joined by our resident cybersecurity experts, Garrett O'Hara and Vinh Nguyen. Today, we will be looking into a newly-formed global ransomware taskforce comprised of 37 like-minded Goverments that is being led by Australia.

Next, we will dive into how an outage at the Federal Aviation Administration in the US sent the nation into travel chaos, and how being cyber resilient is much more than just defending against attacks.

Our final deep dive story will be a review into how revenue from ransomware attacks fell by over $300 million in value in 2022. And we'll end with a wrap of the latest breaches and vulnerabilities to make the headlines. Gar and Vinh, welcome back to the show and happy new year.

Garrett O'Hara: Happy new year, guys.

Vinh Nguyen: Happy new year.

Dan McDermott: Fantastic. Well, we kick off, this is season 10 and really having a look behind the cyber headlines that have made the news over the break in the last sort of six weeks or so. So Gar, let's kick things off by looking into how the new Australia-led Global Ransomware Task Force kicked off last week.

Garrett O'Hara: Yeah, so a, I think you kind of set it in intro piece got a bunch of goverments around the world getting involved in the International Counter-Ransomware Task Force, the ICRTF and this came out of Biden's work last year, which I'm guessing folks who have no lives will remember [laughs] when a bunch of government folk got together to talk about the ransomware problem, and this is one of the outcomes.

And obviously we have Clare O'Neill locally as chair of that organization, which I think is an awesome signal of I suppose the esteem that Australian talent and, and the sort of perspective Australia has on ransomware and cyber in general that we have, I think, you know, it's, it's quite a high-profile gig for Clare O'Neill, and I'm, I'm sure and have no doubt she is upt to the task. It'll be interesting to see where this goes. You know, Dan, you mentioned there's 37, you know, countries that are involved, and obviously we're not gonna go through all of the, the folks who are, are there. But that's, I see Ireland was part of the list also, and Australia.

But interesting to see countries like Nigera were there Bulgaria, India. And also our friends in Estonia, and uh, for those who are interested, there is, there may be a podcast episode that talks about Estonia and their [inaudible 00:02:48]- [laughs]

Dan McDermott: [laughs]

Garrett O'Hara: ... to cyber, but I think I've bleated on about that episode s- uh, too much at this stage. But look, I, I, I think the long and the short of this is it's it's an incredibly exciting global initiative. You know, we talked on the show so much around the way to fight ransomware being collaboration between not just, you know, private sector and the government, but also different countries. You know, this is a, a crime that has no jurisdiction, no borders, as does most cybercrime. So the only r- way we'll really ever get this under control and under kinda, sorta wraps is that governments will collaborate and work together.

And yeah, the working groups that they've put together are also kind of interesting, 'cause at the moment you've got the names of the working groups, but I'd love to, you know, see the briefs and wh- you know, what their [laughs] what their remit actually is. So there's, there's five of them. Resilience, which is co-led by Lithuania and India, and then you've got Disruption. And I've got questions around what, you know, what does that actually involve? And that's led by Australia. Counter-Illicit uh, f- Finance, and that's led by the UK and Singpore, and then Public-Private Partnership, led by Spain, and then Diplomacy is led by Germany. So y- interesting to see what those working groups gonna do as they go forward.

Dan McDermott: And Gar, as they start to unfold, and I guess as these groups come together and that, do we have a view of sort of timetable, of expectations on what we might actually see come out it you know, and therefore how do we sort of know what success will look like? 'Cause obviously a d- I think a great initiative hits the headlines, makes a- everybody feel good that, you know, the world's coming together and, and doing something about, you know, this blight that we've known as ransomware. But how do we know if it's working?

Garrett O'Hara: You just have to believe the politicians, Dan. I mean, that [inaudible 00:04:39]-

Dan McDermott: Oh, okay.

Garrett O'Hara: Yeah, I mean, i- it's a good one. I, it [laughs] the, I think the proof will be in the pudding, and I think we're actually gonna talk th- uh, about this in a story a little bit later. But there's starting to be some reasonable proxies in terms of the the money spent or money lost, really, when it comes to ransomware, like what it's costing businesses. And I suppose one of the good metrics that we can measure this by is if we see that number coming down year over year, then, you know, presumably there's some good stuff that's coming g- happening in, in the world of ransomware.

Now, what I would say is how much of that is attributable to this group rather than stuff that would've happened anyway? And, you know, I, I think some of the things we'll talk about in, in one of the stories later will maybe point to, you know, a trend that was maybe already happening, and a task force that I think is really important, don't get me wrong, but maybe in a good position to kinda ride the wave politically of stuff that will make them look good despite potentially not having had the, you know, the hand in solving this problem that they make out to, to have had.

I agree with you, it's retail politics. I don't know about you guys, but friends AR easking about this stuff, they're talking about the bit where they're seeing scams and friends who're being ransomed, and businesses they know. This isn't what it was like three years ago when we started the pod um, where, you know, it was still very much a cyber problem. This is very much a well-known, well-understood, front-of-mind problem for many, many businesses, which I'm sure is why we're starting to see the sort of political energy behind it. They know those votes, and if they know it's important to their funding and the people who, who donate to them.

Dan McDermott: And obviously, ra- as you said, ransomware is, gets the headline, right? And that, but I think that all of these things actually help address, you know, cybercrime and cyber attacks in general, right? It's not necessarily only going to, you know, impact, I guess, ransomware. Uh, It should i- impact other attack types and helping the other areas as well.

Garrett O'Hara: L- p- look, potentially. I mean, I, I suspect this task force will have a fairly narrow scope to ransomware, but I think you're spot-on in that there's a bunch of over- other government bodies that are involved in the broader cyber landscape. And, you know, f- things like offensive attacks we- we're kind of seeing more of that kind of saber-rattling, more of that language, more infrastructure being taken down, more of governments actually going after the root cause of this stuff.

Um, And, you know, there's, there's many, many task forces [laughs] now that I've actually lost track of all the task forces and working groups and bodies that have been spun up to counter and t- try and sort of fight the good fight against various kinda parts of the, the cyber problem. So yeah, look, it'll, it'll be interesting to, to see where this goes, and I, I absolutely take your point, Dan, around, like, how do you measure this? This, tha- I think that's the interesting one. The good news for me is, it's got a task force, it's got that many countries signed up and involved. Maybe the bad news is that some of the countries that aren't there are also the hotbeds of [laughs] and similar. So, [

Dan McDermott: laughs]

Garrett O'Hara: ... you know, maybe the task force it could be really nice to put on some nice canapes and some good champaign and, you know, invite them in get those, those cats involved as well.

Dan McDermott: It's definitely gonna be interesting to see. One of the, the th- potential measures is a report came out last Friday just around ranking countries in terms of cyber crime and how at risk they are. And the measure that was taken was the number of victims per 100,000 of a population. And Australia unfortunately took the sort of illustrious task of coming in in fourth place. So room for improvement-

Garrett O'Hara: [laughs]

Dan McDermott: ... obviously. But you know, sort of seen, it's, the, the UK at number one stood out with like 450 victims per 100,000, sort of population. So we're well ahead of anybody else. The US obviously with the, the most actual people attacked and impacted, but with such a large population it was less per, so the 100,000 came in second. Interesting, Canada third and Australia fourth. And we've spoken a lot around, I guess, the, the notion of sort of Australia being a, you know, a ripe sort of attack vector. And I think Canada would be similar in terms of prosperity and wealth and, you know, the way that it goes about doing things as an interesting sort of, I guess comparison as well.

But I think it's those type of things that maybe will be able to sort of come to the fore and start to show like, do we see an actual decrease in these numbers? Will we actually see, you know, cyber crime coming down, ransomware reducing in terms of the number of attacks, the impact, like as you said. We'll talk about the value and the v- that come through, will th- we be able to sorta point to these things as the year goes on to start to say l- you know, a- you know, partly the task force, the focus, the resilience that is being put in place by all of these nations starts to have some sort of, you know, accumulative effect over time.

Garrett O'Hara: Yeah, I mean, you fundamentally just want the cost of attack to be higher than, you know, the, the sort of coin that they're making when they do the attacks. I- it's interesting, as you're talking through that kind of metric of I think it was attacks per capita-

Dan McDermott: Ooh.

Garrett O'Hara: ... like, it starts to, like, I'd, I'd have questions about that. Because I think when you get to a population that's comparatively low compared to, say, the US or, you know, fairly large countries, and also places where you see this kinda distillation or consolidation into a couple of companies that do private healthcare, as an example. It just needs one attack, and, because so many people get caught up in it. Tha- that as a metric strats to get a little bit it's still useful, but is it a good metric to understand, are we making progress?

'Cause you have one big attack, and all of a sudden, you know you know, [laughs] we look really bad, because, you know, Medibank or or Optus happened last year, but actually, if you took those out of a, like a n- you know, a normalized version or whatever the statistical-

Dan McDermott: Mm.

Garrett O'Hara: ... I was terrible at stats in college, so I was, probably used the wrong word there. But if you took those out and looked at the data again, like, where would we be uh, without those kinda large attacks? Yeah. B- like, butw e need some metric on, you gotta start somewhere and start measuring somewhere, so ...

Vinh Nguyen: And you're right, Gar, I think like metrics will come and the proof will be in the pudding. One thing I did have a, it just came into my mind just then is, if we have this task force and we're thi- I mean, you know, those seven countries come together, looking to get more countries in, it's almost like putting a bogeyman story to it, right? It's like, these ransomware groups, these people out trying to get money, you know, information, there's someone out there now, there is this task force that, you know, you go to s- sleep, you keep one eye open because you never know what's gonna happen, right? What are we gonna do to help protect the, I guess, the people [inaudible 00:11:19] what the country's contributing, right? 

Garrett O'Hara: Definitely. I'm not gonna steal our thunder, 'cause there's there's a quote that I hope we get to a bit later on, from one of the US government people that, to your point, Vinh, like it, it sorta, it's gonna end up on a tee shirt-

Vinh Nguyen: [laughs]

Dan McDermott: [laughs]

Garrett O'Hara: ... probably. But i- it is the bogeyman, and the, "Here, we're coming to get you."

Dan McDermott: Well, definitely one that will be interesting to see, how those five working groups, actually what their scope looks like, how they come together, and hopefully we start to see some communication and, and meaningful outcomes from this task force. But certainly a nice big headline to start the year with.

Vinh, our next story is looking to what happened at the Aviation Administration in the US, that sent air travel into chaos over there.

Vinh Nguyen: W- we've all gone through our fair share of traveling woes, right? You get to the airport and your bag is just gone, maybe your flight's delayed or it's been canceled. And imagine, like, the fallout from having over 10,000 flights and over 1000 canceled nationally across the states, because of, I guess, human error. And that's exactly what happened, Dan. As you mentioned, i- earlier in the month, the FAA uh, said a contractor accidentally deleted files off of their Notice to Air mission system, and what the contractor was trying to do in this case was actually try to fix something, right? They were, they were trying to correct the [inaudible 00:12:43] that was out of sync between primary and backup databases, and as a result, just kind of did a big oopsie in this case. I had to look it up, like their [inaudible 00:12:53] system, their system database was actually taken down.

It's a very important system when it comes to air traffic control, 'cause it's a system that alerts pilots, you know, these aircraft pilots of potential hazards along the flight routes, so they might need to kind of go a different route potentially, or their location where there might be a risk as well that could affect the flight.

The key thing here is there is, hasn't been an indication of, you know, a security breach or malicious intent in this case. It's human error again. I- it's [inaudible 00:13:23] again, and this time it is a big oopsie by this poor contractor. And when we look at even what the pod's called, Get Cyber Resilient, we're always focused on attacks, right, we're focused on ransomware and phishing, but we know it's not everything. And this case, due to human error, due to processes, we've seen a lot of these flights be canceled, essentially, being delayed and it's been having a [inaudible 00:13:47] effect on passengers [inaudible 00:13:48] and it's been a pretty poor and a poor experience by the FAA and, I guess the goverments as well.

Garrett O'Hara: It's funny, Vinh, as you were talking there, I don't know what, if it's the same for you guys. When stuff goes wrong these days, I assume cyber first.

Vinh Nguyen: [laughs]

Garrett O'Hara: And I don't know if it's just 'cause we spend so much time talking about it, but if overall, like, you go back 10, 15 years ago even, I, you, you probably think an IT system craps itself, somebody kicked a power cable." But like now, my first instinct is, "Oh, somebody's attacked," you know, in this case the FFA. Sorry, the FAA. Yeah, it's, it's such an interesting psychological ... and I definitely feel different about it, I, yeah, I don't know if it's the same for you guys.

Dan McDermott: Yeah, I think that was my first take as well, is like, a- as I-

Garrett O'Hara: Mm-hmm.

Dan McDermott: ... reading through the notes in the preparation it was like, "Where's the attack?" Like-

Garrett O'Hara: Yeah.

Dan McDermott: ... "Oh, is this really, is this a story for, that we should be talking about?" And then it's like, it's like, of course it is. But it's, it is that thing of like, so that's what we've become so used to, right? And, and that, but I mean, you do think about, like, you know, the travel warning system, i- and we know the extreme sort of weather conditions that the US is going through and stuff at the moment, you know-

Garrett O'Hara: Mm-hmm.

Dan McDermott: ... It's, you know, pretty, pretty full-on winter at times, right? So you can imagine there'd be lots of airports affected through that at different periods, lots of rerouting of traffic all [inaudible 00:15:11] time. If you can't do that, the whole system sort of grinds to a half very quickly. And as you say, all based on, you know, a contractor's human error in terms of updating that database.

But the impact therefore is so, so wide. And I think the interesting thing, then Gar, is like, is that whole notion of, what does cyber resilience actually mean? I think we're so focused on the defense, and the protect, and the stop the bad things getting in that if that's the only thing you're focused on, you're still vulnerable.

Garrett O'Hara: I, I t- totally agree. F- we had Fergus Brooks on episode, he was 109. I didn't memorize that, by the way, I did look it up before we started. But like Fergus talked about this a lot, and, you know, thinking about impact, and I totally agree with you, Dan, we're as an industry, we're, we're slightly obsessed with the attacks, and, you know, wh- what happens if there's a cyber attack? And spot on, Dan, like it's, you're, you couldn't be more right there. But his, his comment, and I think he's spot-on, is like, we actually, yeah, we, sure we need to think about, obviously we do, but also you need to think about impacting what, you know, what if the bad thing happens, whether it's human error, whether it's a cyber attack, whether it's a natural disaster, any of those things.

And he used an expression which stuck with me, which is the foreseeable maximum loss. And I think psychologically, tha- those words have, you know, power and energy in a way that impact probably doesn't. Um, And highly recommend going back and listen to his episode, by the way, I think it was, it was one of the ones that really hit home with me just around how we sometimes get to thinking, not wrong, but we c- we could do better in terms of what, what is important.

The other thing and here I am waving my pen on my, you know, my sort of soapbox here, but the, you know, we talk about a human error, and spot-on, it was uh, I think the technical term is oopsie is what I took from-

Dan McDermott: [laughs]

Garrett O'Hara: ... what Vinh said. You know, th- there's probably a contractor somewhere that's feeling really bad about you know, taking down [laughs] all the airplanes in the US. What an amazing story to tell your friends over a beer.

Dan McDermott: [laughs]

Garrett O'Hara: I mean, to be fair, y- you'd almost do it for the [laughs] for, for the story. But the, the comments, and this is coming from the CEOs in many of the large airlines over there is that actually this isn't, you know, a random thing. That this is ... Well, it maybe sort of is, but it's more of reflection of lack of investment over ongoing years. And, you know, that's something we see, private enterprise in, in cyber where, you know, people are tr- trying to justify budgets when nothing has happened, and that's kinda the point. Nothing's happened because we're spending money to, you know, be cyber resilient but we see this all the time in government, and it's heartbreaking, where the sys- downward pressure, you know, politicians seeing success as not spending money and, you know, gutting programs, et cetera, et cetera, et cetera. And then when stuff goes wrong, you know, everyone kinda goes, "Oh, how, like, how did that happen?" And, well, you need to spend money. You have to spend money. This stuff doesn't just happen magically, you need to spend money on technology, on people. It takes time and you gotta plan for the future.

But yeah, anyway off the soapbox, but yeah, y- you could see the, the sort of commentary from the CEOs of, you know, folks like Ed Bastian from Delta Airlines, or Scott Kirby from United Airways clearly calling out that the FAA needs more resources.

Dan McDermott: Indeed. And not to preempt too much, Gar, but as, it's a nice prelude into sort of next week's guest as well, and it's all about the preparedness and about what, you know, how do we actually make sure that we are prepared for when, when this happens, right? And it's not just an attack, but when some sort of cyber resilience issue i- is occurring, how do you actually react and respond, and how do you have that in place from all systems across the business and in- very importantly from a communication point of view of h- telling, being able to communicate with all of your stakeholders under that high-stress, high pressure environment that is, th- under that high stress, high pressure environment um, that that is, th- these times. Because h- when it happens, it happens quickly, and all of a sudden there's no time to be thinking about, "What should we do?" Second-guessing, you know, decision-making processes, protocols, communication. You don't have that in hand and have that well prepared and rehearsed in advance, it's gonna, it gets difficult really quickly.

Vinh Nguyen: That's such a good point. I mean, no one knowingly would want to do something bad, right? A lot of time it is them being under the pump and their boss saying, "This has to be done." And sometimes taking a shortcut to get things done, that's just where the human mind goes. So I will, just before we wrap and move to the next story, I will say, I will point us back to the predictions episode. My prediction around social incentivizing, not to say that this particular case was that, but there you start to see, like, the potential, right? You know, "Well, I'll pay you X amount and you do a big oopsie for me and just play it like an accident," just planting the seed there.

Dan McDermott: Vinh, it sounds like you're running a book on the side-

Vinh Nguyen: [laughs]

Dan McDermott: ... on the predictions episode as to, like, which one will come true first, and and, you know, running it $12.50 sounds like you're you're in for some value there.

Vinh Nguyen: Absolutely.

Dan McDermott: [laughs] Please r- gamble responsibly. [laughs] I think it is all of those things interesting. One of the things in the first story we spoke about was the notion of a ransomeware and its value. So our final deep s- dive story for this episode is to, is look into a new report that's claimed that revenue from ransomware fell a staggering $300 million in value, or by nearly 60% last year. Gar, how c- how come it's dropped off so quickly?

Garrett O'Hara: Yeah, I s- I suppose the first thing to point to is where the research came from, which is Chainalysis, which they're an organization that does, you know, s- it's kinda in the name, right, blockchain analysis. Um, So looking at blockchain for compliance reasons, or, you know, if you're looking for fraud, et cetera, they're the go-to company. Um, In the spirit of transparency, my cousin's husband [laughs] actually works for them, so they're, they seem like a really solid organization doing, doing good work.

Anyway, they- they've basically analyzed the blockchain and looked at addresses that are kind of, I suppose, controlled by or known to be associated with ransomware actors or groups. And, you know, by definition that would be a subset. It's not like Chainalysis knows every single ransomware actor out there, and knows exactly where their their crypto's going. But it's a pretty good proxy. You know, we were talking a bit earlier on, actually, Dan, about your, you know, how do you measure success? Well, if you forget absolute numbers, I think once we're seeing a trending down of, of the overall number being paid out to ransomware groups, well, that's probably a good sign. But yeah, essentially they've, they've analyzed the blockchain and looked at the the payments, and yeah, seen that kinda drop-off year over year. So yeah, it was, what, 765 million in 2021, and then that's down to 456 million in 2022.

So they're not the only ones being, you know, hit by this tech downturn. You know, everybody, it seems like everyone's getting- [laughs] everyone's getting hit.

Dan McDermott: And I guess, Gar, like, putting on the [inaudible 00:22:25] hat a little bit, and we know that crypto crashes occurred. So the value has actually gone down. So are we seeing less ransomware attacks, are we seeing less payments, or is it just that the crypto crash has, like, impacted it, the actual value and bottom line, or have they done a constant currency analysis as as we like to do in business often?

Garrett O'Hara: I have no idea what a constant currency analysis is, Dan.

Dan McDermott: [laughs]

Garrett O'Hara: You're you're [laughs] you're speaking a foreign language to me. I, so I don't know, but like, it is one of those weird things where the, the crash in ransomware prices, and I think we actually talked about this in the pod, didn't we, when this was happening? That you know, all of a sudden, is it worth it when, you know, the Bitcoin [laughs] you know, f- I feel like it's the obligatory, you know you know, "One million [inaudible 00:23:14]," but, you know, you've got one, or 10, 10 Bitcoins, that was a huge amount, and then, you know, if it drops down or crashes out, then all of a sudden, you know, it's, you put all this work into something that isn't paying out. Um, You would assume, you know, they've done the SWAT analysis, Dan, they've run it up the flagpole, and, you know, understood if it's if it's worth it or not, and y- I, I would assume tha- you know, ransomware a- sorry, the attackers would, you know, kinda take this stuff into account. But we d- we don't know, is the long and the short of it.

it is a, it's an absolute number, nad it's, I suppose, gonna be subject to the fluctuations of the cryptocurrency market.

Dan McDermott: And I definitely do think that it does point towards sort of Vinh's point around the micropayments. You know, i- moving into sort of ransomware as well rather than necessarily going for the big bang all the time, but looking at smaller sort of increments. And I think that, you know, the success that we've seen and we reported on last year around some of the international task force and taking down some of these large sort of ransomware gangs, and that we've seen sort of an evolution of the ransomware as a service industry, to being able to provide sort of smaller, almost smaller sort of options available, as well.

And they've sort of moved to this notion of things like cross-platform attacks, where they can get into multiple systems and move their, their way laterally around that, harder to detect, but asking for small payments along the way and not necessarily going for that big bang all the time. So there's no doubting that like they're looking at, you know, different themes like extortionware, right? So, you know, looking at sort of sensitive information and data, and sort of, you know, putting a value onto that on a s- maybe a smaller subset of the, of a total sort of dataset that they may have. So there's no doubting that we're seeing the uh, the ransomware as a service industry go like, sort of, you know, pivot, as as we like to say these days as, I guess, challenges have come at the top end of the market but it's not stopping them, right?

So cryptocurrency crashes, big organizations not necessarily paying you know, the backlash against them and the, the target that they've got on their back from international sort of crime, you know, task forces, and, and so forth, is meaning that they're not necessarily going away, but it's getting harder, and they're having to do, you know, new things, and they continue to innovate and look at new ways to, to sort of penetrate as well. So I definitely feel as though all of those things combined are creating n- this constant flux and change in, in, I guess, the threat sort of vectors in and out because, well, of what might happen.

Garrett O'Hara: Definitely. I wonder if we're gonna see it, like vinyl in music, where, you know, the attackers are gonna go back to duffel bags of money and drop points. I, I mean, I, that's gonna be an exciting time if we get there.

Dan McDermott: Ra- ransomware on a floppy disk uh, you know, where it all started. [laughs]

Garrett O'Hara: Now you're [inaudible 00:26:06]-

Dan McDermott: I'm not sure anybody would know how to use it to [laughs] to get caught out these days, but-

Garrett O'Hara: Yeah, you'd be, you'd be in a lot of trouble, wouldn't you, trying to yeah, distribute-

Dan McDermott: [laughs]

Garrett O'Hara: ... [laughs] ransomware on a floppy these days. But yeah, look, a- all joking aside, you know, the future of crypto, like, wh- where does that go in terms of, you get to the point where there's regulation on crypto, you know, as a currency, the ownership thereof, nad some of the legislation that's come through in the US already where, I mean, I think for a long time you basically you, you, in theory, weren't allowed to pay sanctioned organizations or ranswomare groups if there were attackers.

You know, I say in theory, and I'm doing the bunny quotes and on camera. But there's strong suspicion that in the background businesses were, you know, paying ransoms, getting keys to decrypt and, and onward and upward. But they're saying that there will be, like, civil penalties and, and they'll go after organizations that are doing that now, so I think there's a little bit of hard medicine for some organizations wh- where, and, you know, again, easy to say, "Don't pay the, don't pay the ransom," and then if you're in the situation where people are gonna lose their jobs and all that stuff, then, you know, the, the temptation is always there to do it and to do it secretly. But it changes the game, I think, if you, you know, you're gonna actually face civil penalties for doing that. Like it feels, there's a different texture to that if you're gonna make a business decision. So yeah, it'll be, certainly be interesting to, to see where that goes.

Dan McDermott: Indeed. Well again, I think one that sets us up well for the year ahead in terms of looking at what the impact will be and whether we'll cons- continue to see that decline in value of ransomware and the evolution of sort of micropayments and where ransomware as a service continues to evolve to.

Garrett O'Hara: Yeah. Definitely.

Dan McDermott: And finally, let's wrap up with a quick review of the latest breaches and vulnerabilities to make the headlines. The first news item is that the la- is the latest update and fallout from the Medibank breach.

Vinh Nguyen: So anyone who has obtained quotes from their health insurer agent, which is all of us, right, we all do that thing every year where you go to all the different health insurers, punch in your details, [inaudible 00:28:10] who gets the best offer. AHM being part of Medibank means that if you actually obtained quotes from AHM your data is potentially being leaked as well as part of the overall data breach. So there have been, I guess, email notifications to people who have requested these quotes to come through, saying, "Hey, you know, they've leaked things including your name, gender, date of birth, address, phone number."

And again, it's just, again, asking that question where it's, how long is it, should you be keeping the data for? And I guess, like, from AHM's perspective, if people are generally asking for a quote for their health insurance, you know, you wanna keep the details there because, you know, maybe they'll go back at some stage, maybe you can do some marketing to them as well. Like, from a business perspective, it makes sense to hold onto their details, but again, you can see why, if you hold onto details, you're also open to being, I guess going through a security incident and potentially leaking out those information of, I guess, your potential customers.

Dan McDermott: I think the [inaudible 00:29:12] interesting here is, is the continued scope, right, of, of the breach, right? It keeps expanding, it's, so it's like, "It's this dataset," "Oh, it's this one," "It's this one," it keeps going. And like you say, Vinh, it sorta shows that you know, if you're storing the data, i- i- i- it's vulnerable to some degree, right? And so they've stored the quoting data, and now all of a sudden, like, maybe, and probably weren't looking at that in the first instance of the breach, right? It's not as, necessarily, it's not as detailed, not as sensitive as some of the other information. And now as you continue to sort of investigate, it's like, "Oh, that's been breached as well."

Garrett O'Hara: I reckon we're number one on your list next year, Dan-

Dan McDermott: [laughs]

Vinh Nguyen: [laughs]

Garrett O'Hara: ... as the scope increases, increases.

Dan McDermott: You're gonna have to fill me in, Gar.

Garrett O'Hara: On your l- your list, we came in number four last year, or this year, [

Dan McDermott: laughs]

Garrett O'Hara: ... in attacked countries. I reckon, you know, a- as we see this impacting more and more Australians, yeah, we'll, per capita, we'll be higher and higher on the list.

Vinh Nguyen: Going for gold.

Garrett O'Hara: Yeah, we can kee- keep going, get to the top of the podium, right? So-

Dan McDermott: There you go.

Garrett O'Hara: [laughs]

Dan McDermott: It's the Australian way.

The next headline is the plan from the WA government to create a cybersecurity hazard plan. Gar, what is a hazard plan?

Garrett O'Hara: I, I suppose, really, in theory it's probably something that I would've expected existed already. Um, But there you go. Um, I was definitely sorta s- probably surprised, if I'm honest, when I read this. So it's basically the government over in WA creating a formal emergency response plan when there's a cybersecurity uh, incident, presumably something that's gonna, you know, affect the state at a statewide level or something pretty serious or significant. Um, I, I'll be honest with you, I'm, I'm just kinda surprised that at this stage, in this era, in 2023, this isn't just kind of standard stuff for state planning and, and national planning. But it's made the news, so presumably it's not.

Dan McDermott: Yeah, i- i- like you say, it sort of is surprising, but I guess that is that thing of formalization of some of these plans, right, and to have that, that emergency response and to have that official plan in place you know, at a, at a state level continues to show, I guess the escalation of where cyber's at, but also where it's coming from, right? That it wasn't something that was necessarily considered maybe important enough, significant enough. Needing the time, resource to have such a, a response plan in place. But it's interesting that it's now being raised to that sort of level, and we're seeing some of these things come to life.

Garrett O'Hara: Yeah, I mean, and to your point, Dan, earlier you kinda need the plan and need to have practiced the plan for the plan to mean anything, and I think that's the thing that surprises me. Because, you know, if a big cyber incident happened in WA, you know, three weeks ago, did people know what they were [laughs] you know, what they were gonna do? That's kinda the worry. But it's, you know, it sorta fits in, you know, I'm looking at a list of some of the designated natural and man-made hazards, and there are things like f- you know, terrorist acts, missing persons rail crashes, heat waves, the floods. And [inaudible 00:32:13], cybersecurity, honestly, six years ago, this probably warranted, you know, being included in that list, given the im- the impact and the effects. But good to see it's I suppose it's a good news story.

Dan McDermott: Indeed. I think any action, you know, is a, is, like you say, progress towards, you know, having a, a better cyber resilient future.

Finally, CrowdStrike has alerted the cyber world to attack that's being described as bring your own vulnerable driver, or BYOVD. Vinh, what does a BYOVD attack entail?

Vinh Nguyen: Ah yes, another acronym in security.

Dan McDermott: [laughs]

Vinh Nguyen: You gotta love it. The, so if you think of a driver essentially being that piece of software between your operating system and your device, what this crime group is doing is attempting to deploy a malicious kernel driver which exploits an existing vulnerability. But at the end though what that does is once it's in allows attackers to either execute code, initiate a DDoS attack using those kernel privileges. So when I say kernel think of like the heart of the operating system.

The tricky thing here is the drivers that are used by this particular crime group are actually signed by different certificates they have been installing from cyber authorities like Nvidia, so the people that do the gaming stuff, global software LLC, to trust the stolen certificates that Windows would just allow through, 'cause they trust it, right? 'Cause it's a valid certificate.

Now, this is different than what happened in 2021 where Microsoft actually said that any drivers with confirmed security vulnerabilities will be blocked by Windows, right? It's part of the Windows Update, you know, it's part of the, I think it's the HVCI, or the Hypervisor-protected Code Integrity, you gotta check that box, it should automatically add it to the blocklist and that shouldn't work. So I guess these threat actors are using these drivers to then go in, disable endpoint, which is break that crash [inaudible 00:34:02] pick that up, because if you're able to disable endpoint security products, then that can limit what the system is [inaudible 00:34:09] looking at potential, you know, detection capabilities, you know, later phases of a persistent attack moving forward.

So it's great [inaudible 00:34:17] to pick this up and let the world know that, hey, you know, there is a vulnerability at the moment, and we should be keeping our eye out for these vulnerable drivers.

Dan McDermott: Amazing. Certainly something I did not know anything about, and thanks for the education, Vinh. And, like, as you say, something, a new acronym for us to, to keep an eye out for in the world of cyber and making sure we're getting on top of.

Garrett O'Hara: I, I cannot say it, guys. Like, basically BYOVD was the, the sort of theme of many of the college parties I went back to in my 20s. Yeah, sorry, had to be done. We can edit it out.

Dan McDermott: Oh, [inaudible 00:34:52]- [laughs]

Vinh Nguyen: [laughs]

Garrett O'Hara: [laughs]

Dan McDermott: Well, on that note, thank you Gar and Vinh. Do appreciate almost all of your insights in another big news episode today. But Gar, who do you have as our special guest for next week?

Garrett O'Hara: So next week, Dan, we have Grant Chisnel, and ferocious guy. So recorded the interview last week, I think it was, and you know, one of those ones you just get genuinely excited about putting out there. He's a really energetic guy, really knows what he's doing, and you know, kinda the real deal in terms of his, his organization [inaudible 00:35:28], so it's that idea of, like, do all the planning before the bad thing happens, so that wh- you know, when it does, you're kind of in a, a good and better position obviously than than those organizations who, who don't. So crisis management and crisis planning is his thing and he's certainly, yeah, he's got an incredible set of experiences, not just in cyber, by the way, but in, in other stuff as well. Phenomenal guy, very interesting.

Dan McDermott: Yeah, fantastic. Really looking forward to that and Grant is also featuring at our upcoming Mimecast Connect event in late February in Sydney and Melbourne. So if you haven't seen those check out the Mimecast website and get [inaudible 00:36:08] if you can. Grant will be a featured speaker and one we are very much looking forward to hearing.

On that note, until next week, if you would like to continue exploring key topics in cybersecurity, please jump on to getcyberresilient.com and check out some of the latest articles, including how the financial service industry are facing fresh cyber threats. Also a look into cyber insurance. Is it an essential part of your protection or a pointless expense? And a full wrap of the latest threats and news in this month in security, s- January edition. So thanks for listening, and until next time, stay safe. 

Editor, Get Cyber Resilient

Dan is a 20 year veteran of the ICT industry working for global and local vendors in bringing new and innovative technologies to market in the ANZ region. During his career, Dan has been passionate about bringing a local voice and insights to global technology challenges. As the Editor of GetCyberResilient.com Dan casts a keen eye across the hot topics, trends and pulse of local security practitioners to curate stories from near and far that are most impactful in addressing our evolving risks.

Stay safe and secure with latest information and news on threats.
User Name
Daniel McDermott