• Garrett O'Hara

    Garrett O’Hara is the Principal Technical Consultant at Mimecast having joined in 2015 with the opening of the Sydney office, leading the growth and development of the local team. With over 20 years of experience across development, UI/UX, technology communication, training development and mentoring, Garrett now works to help organisations understand and manage their cyber resilience strategies. When not talking about the cyber security landscape, data assurance approaches and business continuity Garrett can be found running, surfing or enjoying the many bars and eateries of Sydney's Northern Beaches.


    Add comment
Garrett O'Hara

Expert opinions and insights on the biggest events making cybersecurity headlines this past fortnight.

In this episode we look behind the use of ‘Bossware’ technology and how employers are monitoring web browsing and application use of their remote working employees, we dive into the ongoing risks in the property market with ‘payment redirection’ scams, update you on the role of cyber in the Russia-Ukraine conflict, and review the latest breaches making headlines. 


The Get Cyber Resilient Show Episode #95 Transcript

Dan McDermott: Welcome to season six and episode 95 overall of the Get Cyber Resilient show. I'm Dan McDermott and I'll be your host for today. This week is our Behind the News episode and I'm joined by our resident cyber security expert, Garrett O'Hara.

Today, we'll be looking behind the use of bossware technology, and how employers are monitoring web browsing and application use of their remote working employees. We'll dive into the ongoing risks in the property market with payment redirection scams becoming rife. We'll provide an update on the role of cyber in the Russia-Ukraine conflict. And we'll end with a wrap up of the latest breaches and vulnerabilities to make the headlines.

So Gar, welcome back. And let's begin by diving into the concept of bossware. What is bossware?

Garrett O'Hara: It sounds like a Jetson's type robot, doesn't it? That's going to, you know, trundle into a open plan office and start cracking the whip. Uh, but it's not. Um, it's, it's sort of an interesting one. This came up in, it was an, an article in the Guardian actually this week, but it's, it's been widely reported and covered in the EFF and a few other sort of, uh, media organizations have kind of covered the emergence of bossware. And I think emergence is probably the wrong word, because this stuff has been around for kind of a long time. Uh, but just maybe not called bossware. I'm gonna say bossware a lot because it sounds awesome.

Dan McDermott: [laughs].

Garrett O'Hara: Um, as I, like, as I was reading through this, um, you know, and, and you know, de- define what bossware is, it really, it says we move to much more remote working practices and distributed workers, you know, people who are not necessarily in line of sight of, uh, their managers in a, in a physical location. Uh, I think managers, and I'm gonna say old school managers are looking for ways to monitor their employees that aren't kind of outcome based. And, you know, based on just knowing how your, how your, your reports are working and what they're working on, or are they actually producing results?

So this is aimed at, uh, essentially looking at, uh, devices. So that could be a mobile pho- uh, phone, it could be a laptop or desktop. Uh, you put the bossware on there, and it starts to do things like looking at, you know, time, uh, you're inputting things on a keyboard or using the mouse. Uh, where are you visiting on the web? What applications do you have open? How much time is static versus kind of actually doing things? And, um, you know, doing things isn't jumping on Facebook and, you know, looking at, uh, your friend's photos, it's actually, you know, the productive work that people have been employed for.

Um, it, like this isn't new. Anyone who's kind of-

Dan McDermott: Hmm.

Garrett O'Hara: ... been around for half a minute knows that this stuff has existed for a really long time. But I think what is changing is just the very large, uh, adoption of this as a way to maybe offset, um, offset some of the kind of management [laughs] anxiety, where, you know, they can't see the people who report the- to them anymore. They're actually, you know, potentially hundreds of kilometers away, sometimes thousands of kilometers away. Um, and this maybe is a, you know, it's a little bit of a soother for, for that type of management where, you know, it gets, gets them some metrics and things that they can have a conversation around.

Um, you know, you can see that use case. I think the issue is quite often in my experiences, when you try an overlay metrics onto anybody as a way to kinda say whether they're good or bad, it's incredible how often, you know, something like this simplifies the human experience of showing up to do a job, but misses the bit where somebody's maybe a really strong influencer and a colleague. And you know, that 15 minutes-

Dan McDermott: Mm-hmm.

Garrett O'Hara: ... where looked like they weren't working, they actually were on their mobile phone speaking to somebody, um, about a better way to do you something, et cetera, et cetera. So I think it maybe oversimplifies, um, the thing of being, uh, an employee.

The reason I thought it might be an interesting one for us to cover today is as you're looking at what bossware does, it's really come, you know, like sort of a huge overlap with Uber, uh, as platforms. So, you know, they kind of use your entity behavior analysis or the Uber as the sort of user behavior ana- um, analytics. And, you know, we've had people on the pod before talking about how that has been useful from a security perspective.

So to sort of give that a what that is it's, um, basically platforms that can analyze what does a normal day for Dan McDermott look like? You know, what time do you start normally? What kind of files you access normally? Um, where do you access them from physically? You know, on what type of devices?

Dan McDermott: Hmm.

Garrett O'Hara: And, you know, machine learning, you know, uh, would, would build up a picture of, you know, normal patterns for Dan McDermott. Um, and you know, the entities there can be processes, they can be system accounts, whatever it may be, but ultimately you're feeding a bunch of data in to build a, a picture of normal.

And the security outcome is if there's an aberration where Dan McDermott all of a sudden is going into, I dunno, some highly sensitive board papers in, you know, in a way that you don't normally do or you're accessing somewhere that's, um, highly confidential in a way that, in a way and a place that maybe you don't normally, the alarm be start ringing and, you know, potentially the, some automation that kicks in to, um, require MFA where you maybe wou- you wouldn't have needed it before, et cetera. So, you know, kind of step up the requirements for, uh, authentication.

Anyway, you could probably tell huge amount of overlap between-

Dan McDermott: Mm-hmm.

Garrett O'Hara: ... bossware and Uber, like, what they will do is essentially the same thing. And probably all that's gonna change is the box that the software comes in and who it's sold to. You know, they'll send to Dan McDermott the, you know, the senior director as a productivity tool to make sure that the people who are in your team are doing their job. And then potentially sell the same platform, um, re-boxed, maybe not even to the CISO, um, for security outcomes. But you know, a huge amount of overlap. It'll be interesting to see where that lands. Sorry, I feel like I've, I've yapped there for quite a while. [laughs].

Dan McDermott: And it's, uh, I mean, the key I think is, is obviously, obviously how it's used, right? This is-

Garrett O'Hara: Yeah.

Dan McDermott: ... probably the big difference, right? And like, you know, like you said, I mean, it sounds quite exciting. I'd like, love to know what people are doing. Um, but you know, [laughs] I mean like this, it is a little bit big brotherish, right? And it, it is really, like you say a little bit old school of managing to time and, you know, input almost rather than actual output and outcomes and being, you know, impactful in work and what, how you actually do that. Um, and that can be a lot more than, you know, just what, what keys you hit at the time and, and what you're looking at.

So I definitely think that, you know, that work productivity outcome based, and, you know, what does that do to a culture is, uh, is I think, you know, much bigger questions that would need to be considered by management in using this. I think the scary thing in the report that you shared as well, though, is, is that in the U.S. sort of, sort of 1,250 firms that have used it, um, 9 out of 10 have then actually used it to terminate workers. Um, so it's like, you know, again, if employees are doing the wrong thing and that sort of thing, okay. But like, is that really a great outcome? And is that really the intention of what this should be?

So you spoke about bossware, and, and it's impact on management practices, but your analysis of Uber, um, to me, is interesting as to, you know, isn't that sort of overlapping with good identity and access management practices? If you've got good IAM in place, isn't that the idea of like, you know, I shouldn't be able to access the board papers, um, anyway? So if I am, then isn't there already sort of a, uh, I guess, a breakdown in security, uh, practices and policies?

Garrett O'Hara: Um, well, not really, uh, the reality is like for IAM or for anything, and especially if you're going with the zero trust kind of principle or philosophy, then the reality is you kind of gotta treat everything like it's gonna be stolen at some point, uh, including sort of credentials. Um, and you know, when you get into privi- privilege escalation, essentially you're potentially using somebody's, you know, true credentials to go and access something that you shouldn't be.

So, um, it, it's not really, it sort of sits on top of that, you know, defense and death approach, um, you know, do your best to protect, uh, credentials, but assume that they will get, kind of get popped at some point. And then when they do, you can start to use the pattern analysis to say, "Well, you know, those credits are for like system admin or for, for this other person, why is this pattern showing up that they're doing something a little bit weird or they're using it to traverse laterally within, uh, an organization?" So it sort of sits around good IAM I would say. And then-

Dan McDermott: Mm-hmm.

Garrett O'Hara: ... in, in theory should add to it. Um, it's funny as you were, as you were tal- talking there, you know, you're, so that idea of it's privacy awareness week as well, which I think has a, an important point to play in this as well. I think as an employee, one of the, the things that would bother me is that every single move I potentially make on a work device is essentially recorded, monitored. And yeah, I personally just find that kind of creepy.

Dan McDermott: [laughs].

Garrett O'Hara: And, you know, we talk about cultures, the thing that happens when nobody's looking. And if somebody's always looking, do you ever get a chance to have good culture? Because you know, people are, are, are, they're just doing things outta fear. You know, we, we've talked about this, you know, how many times that, you know, positive motivators are much more powerful, um, culture is much more powerful and it's built positively. Right back to Simon Sinek and, you know, starting with the why in the center of the circle and working-

Dan McDermott: Mm-hmm.

Garrett O'Hara: ... your way out, and all of that stuff. But like this to me, you know, without getting into the [laughs] the sort of the clouds here, but it sort of denies the ability to do a job, a good job of culture building within an organization. Because if you're essentially clocking in on your device and clocking out, everything you do is monitored, I don't know, it seems like, it seems like an interesting, it also overlaps, um, substantially with stalkerware, which we, [laughs] we covered-

Dan McDermott: [laughs].

Garrett O'Hara: ... it's probably, I don't know, like a month ago, maybe. Um-

Dan McDermott: Hmm.

Garrett O'Hara: ... this is stalkerware for bosses, you know, it's the same thing.

Dan McDermott: Yeah. Just being justified in a different way, right? Um-

Garrett O'Hara: Yeah.

Dan McDermott: ... and look, I mean, I think, I, I mean, for a lot of us, you know, using the work laptop to do some online shopping, something that's not new. Um, but in the last two years, it's, it's something that probably everybody has done at some point, right? And stuff.

Garrett O'Hara: Yes.

Dan McDermott: So, um, yeah, like you say, like, and is that really a bad thing? Like, you know, if people, the blend of work life balance and that amalgamation and all of those things that have happened and that we do have to readjust expectations and look at what's actually, what is acceptable and what does that look-

Garrett O'Hara: Mm-hmm.

Dan McDermott: ... like? And, and yes, there might be parameters and, and then if bad things, and absolutely, you know, there is, you know, action to be taken and that sort of thing. But yeah, like this notion that everything's being logged and, and, you know, might get flagged at some point, feels like a step too far indeed. And, uh, stalkerware, bossware not a great, not a great-

Garrett O'Hara: It so-

Dan McDermott: ... combination there.

Garrett O'Hara: It sort of isn't. Um, and, and part of what this stuff can do is, you know, it's key loggers, right? So anything you're typing into your computer at work can be recorded. I'd love to see the inter- like intersection of this with privacy legislation where, you know, if somebody does log into, for example, you know, bank accounts, um, or, um, some medical portal, you know, there's a lot of those now-

Dan McDermott: Mm-hmm.

Garrett O'Hara: ... where, you know, when you log on to make medical appointments, it asks you a bunch of questions and, you know, you're often typing open text answers. How do you deal, like as a, an employer, how do you deal with the PII and the privacy implications when you're gathering things that you don't even know necessarily RPII and where are they-

Dan McDermott: Hmm.

Garrett O'Hara: ... getting stored and how are they being used? And what is my right as a Europe, European citizen to have that data deleted? Um-

Dan McDermott: Hmm.

Garrett O'Hara: ... I don't know, contract, you know, employer contract law kind of overrides GDPR. Yeah, GDPR. But, yeah. Feels like there's a very, very complex conversation to be had there. But yeah, I don't, I don't know that it's happened. [laughs].

Dan McDermott: No, you're right. And, and as you say, privacy awareness week is a great time to, to bring it up and start to, to think about those things. And for employers, if they're looking at using, you know, bossware and, you know, to take a very holistic and considered approach to that. And as you say, um, are you necessarily collecting everything that you want to be collecting? And if you s- if so, what's your management practices around managing that data afterwards? Because, um, yeah, it could be a, a bit of a slippery slope deed.

The next story is a look into the ongoing risks in the property market-

Garrett O'Hara: Hmm.

Dan McDermott: ... where scammers are targeting property buyers and their lawyers or conveyancers with payment redirections scams, what's going on here, Gar?

Garrett O'Hara: It's a boomerang of a story. I feel like we-

Dan McDermott: [laughs].

Garrett O'Hara: ... yeah, you know, and I have talked about it so many times, but it, it continues to, to happen. Um, it's, yup, so it's, it's not really new, news, it's the, the same problem, but it, it continues. And we continue to see, uh, some very large losses. Again, you know, the property market is made up of a, a set of stakeholders who I would say are by definition not cyber security experts for the most parts. Um, they are, they're builders, they're plumbers, they are people who making cabinets, they are people who build houses and project manage that. Um, conveyancers, solicitors.

Really, you know, the kinds of people that are probably very, very good at what they do, but are not trained in cyber security. So therefore, um, what you're seeing is, you know, payment redirection, what we, you and I recall business email compromise. It's a fairly specific subset of that. And, um, you know, the, the things that are happening here are large sums of money and tens of thousands of dollars, sometimes hundreds of thousands of dollars are getting kind of redirected into scam accounts.

So standard stuff, you maybe pop the, um, your plumber or your cabinet maker, or, um, somebody who's, I don't know, shipping blocks to a building site or, you know, whatever the, the case is, and, um, sends a, an email that looks perfectly legitimate to the customer. And, you know, they, they receive it and they're in the middle of something that would be a highly stressful transaction anyways. Um, given the property market, certainly in Australia, they're probably panicked at any moment.

Dan McDermott: [laughs].

Garrett O'Hara: You know, that something's gonna go wrong and if they don't make the payment as soon as possible, you know, that the whole thing will fall apart. So this, you know, it's inte- in- interesting, you know, when we talked about, um, business email compromise, one of the first indicators is, you know, a sense of urgency, fake urgency.

The entire property market in Australia is just a massive sense of urgency and panic, I would say. Um, but, you know, th- that is what's going on here essentially. Um, you know, very large amounts of money sloshing around in a market where people are not necessarily cyber savvy. And what that's led to is time, and again, um, that, you know, innocent people are losing large sums of money. Laura Jeffrey was on the pod-

Dan McDermott: Yeah.

Garrett O'Hara: ... um, so last year, um-

Dan McDermott: Hmm.

Garrett O'Hara: ... back in, in August 2021, uh, talking about exactly this. You know, she had a personal experience where lost a substantial amount of money. And, um, she talked about ho- how frustrating it was trying to work with the organizations involved, whether that was the banks or the police services. And, you know, how, once you, once it went from one state to another, essentially the case was starting from scratch. And, you know, just the huge amount of frustration, trying to get any kinda resolution.

Um, you know, part, part of what's starting to build, I think is a little bit of pressure to build better processes to protect people and, you know, look at this as an outsider to the property markets specifically. And I think you and, we've talked about this before, how there isn't a manila folder of here's the accounts, don't ever transfer money to anything other than these accounts. And, you know, that's the, the list of kinda ratified or green lit accounts do not ever, ever, whether we email, we phone you, transfer-

Dan McDermott: Mm-hmm.

Garrett O'Hara: ... money to those other accounts, unless you come in here and you see us face-to-face, or, you know, whatever the case may be. Um, you know, back to process, we, we could use process, I think, to, to help here at an industry level. Uh, and then pressure on the banks, um-

Dan McDermott: Mm-hmm.

Garrett O'Hara: ... where one of the, they kind of call it, just that they don't check the account name. And, um, yeah, that seems like a bit of a miss in, to me anyway. You know, it seems like something that we could do when the, uh, total amount is over X amount of dollars that, you know, there's some sort of safety net there where the account is checked, and if it looks completely different, then you know, something can, can be done about it.

Dan McDermott: Yeah, definitely. And look, as we have discussed before, but if, if people haven't heard other episodes around, you know, the property market has gone through a true digital transformation in the last 10 years. Um, and one of the key aspects of that, that has made this sort of possible is the removal of bank checks. And so when you bought and sold property in Australia, it was sort of almost the last bastion of bank checks in this country, right? And it's sort of continued need to fund bank checks and, and what they meant for the banks and the fees that they got from them and those sort of things.

Um, but what they did do was, they were very specifically used in, in a, in property conveyancing and transfer. Um, and so you would get a list of the checks and write them out and they would physically have to go to settlement and hand them over. Um, and so that process, as you say, the process alone meant that things can go wrong and, and, and they certainly did. And that, and the idea of digital was to remove the notion of human error in some of those, in some of that process.

Um, but what it has done from a security point of view is, is opened up the notion of the end user, who is often, you know, there, there, a consumer buy, making the biggest purchase of their life-

Garrett O'Hara: Mm-hmm.

Dan McDermott: ... right? And as you say, the stress that goes with that. Um, and all of a sudden they're getting targeted and being vulnerable around being told from what they think is their trusted source, is their lawyer or conveyancer that this is, you know, where to send the money. And it's like, "Well, okay, like I've been told by them, I'll send the money here." So, and then all of a sudden everything's done electronically and it's put in, but they're actually not actually the right details and the right party anymore.

So we do need to overcome that because one, you've got sort of, you know, often, often consumers that know maybe a bit about cyber, but aren't, you know, again, it's not their day job and they're in the middle of a, of, of the biggest purchase of their life. And you've got often lot of mo- majority of conveyance in this country is done by very small businesses. You know, one to five employee businesses scattered around, you know, at our towns and suburbs across the country, um, actually helping this process to occur.

So again, they're not being, you know, part of the c- the cyber world. And even though they've gone through this digital transformation, still have a lot of learning as part of that as well. So it does create this environment where there are, I think, two vulnerable sides to it that are just are being exploited sadly. So it's, uh, it's definitely one to, like you say, to keep an eye on, I think, process a big part of it.

I think the industry, as part of the transformation has tried to do a lot of things around this as well. Um, you know, PEXA, as the, as the, as the sort of the, the engine that glues all of it together does a lot of education out in the market, and that as well as do the banks and others. Um, but it still shows that if this is occurring and it keeps coming up and it keeps popping up in the headlines, um, there's still gaps to solve.

Garrett O'Hara: Yeah. It definitely seems that way. And, and, you know, it always come back to you, you wanna make it so that people making mistake doesn't put them so much at risk. And, you know, to me, it always points to either broken tech or broken process when, you know, the, the safety net is so limited, you know, that you fall off the tight rope and, and you lose everything. Um, that just says, "We, we have work to do here."

Dan McDermott: Indeed. Yeah. So let's hope, uh, this is maybe the last time that we, uh, we get to talk about this one, 'cause it never makes a head of lines again. That would be a great-

Garrett O'Hara: I'm gonna-

Dan McDermott: ... outcome.

Garrett O'Hara: ... I'm gonna make a bet on, I'm, I'm gonna-

Dan McDermott: [laughs].

Garrett O'Hara: ... bet that we're, we're gonna talk about this one again. [laughs].

Dan McDermott: You think it's coming, coming back-

Garrett O'Hara: Yeah.

Dan McDermott: ... again. [laughs].

Well, the next one is one that, uh, we keep talking about sadly as well for all the wrong reasons, which is, um, the ongoing conflict in the Ukraine, which, which Ukraine, sorry, which continues, um, with the analysis of the role of cyber within this war. Um, Microsoft has recently reported the detection of five state sponsored advanced assistant threat groups and their ongoing campaigns.

So Gar, this is again, one that I think we keep learning more about the role of-

Garrett O'Hara: Mm-hmm.

Dan McDermott: ... cyber, um, and when it has started and what it's actually it's impact within the actual conflict itself.

Garrett O'Hara: Yeah. Like it, it, it is a really interesting one to me 'cause I think we've, we've definitely covered it every news episode since, uh, the conflict began. And I think there's been confusion is the wrong word, but a little bit of sort of back and forth in terms of the, the importance of cyber, uh, versus kinetic. And you know, there's a lot of kind of, I suppose, bated breath and pausing waiting for, you know, the big CNI hit to happen for Ukraine and people wondering how, how, you know, has this not happened already. And the, um, speculation that it was, was really kind of the reluctance to do anything big because, um, you know, any nation state who pulls that trigger knows that they can then be the, the victim of the, the same exact stuff in retaliation.

So, um, given, um, you know, what I understand is the presence of nation states on most other nation states seen or many sorry, wrong, wrong choice of words there. But many, um, critical national infrastructure, um, systems, you know, do you really, it's almost like the nuclear deterrent, you know, do you wanna be the person who presses the big red button because if you do then it's sort of mutual, [laughs] mutually assu- assured destruction?

Uh, so, you know, there was a little bit of pausing and, and speculation, stuff was happening, but it wasn't the big stuff. Um, and yeah, as you said, uh, Dan, Microsoft has produced a report then certainly indicates that there has been s- not only stuff happening during the conflict, but actually this is stuff that started about a year out as a ramp up into the actual invasion so that, you know, what we're seeing on our TVs now.

So in the background, um, it does look like there was, you know, an increase and, um, sort of alteration, maybe it's some words to use there in terms of the, the things that were happening, um, with state sponsored or state backed groups, uh, in terms of Ukraine. Um, in the Microsoft report, there's actually a very interesting timeline. When you look at, at some of the, the sort of kinetic attacks were on their ground, attacks where they so closely correlate to cyber attacks, uh, you know, a missile all hits a, uh, a media tower, and on that same day, uh, you know, media gets hit by, um, cyber attacks.

You know, there's a few instances that nuclear, same thing. You know, um, as the, you know, Russian soldiers kind of arrived to, um, to a nuclear station, um, cyber attack was happening on, you know, that same sort of, uh, in that same area. So there's, you know, causing correlation and all that stuff. I don't, you know, it's hard to really say. But it certainly seems like, um, um, there was CB radios in play and people were talking to each other because it's either that, or it was massively coincidental, um, you know, on multiple occasions, what was happening at a cyber level, and what was happening at, um, you know, physical or kinetic, uh, level.

Dan McDermott: Yeah, I think, there's sort of two things in that. I think one is, like you say, sort of the advance notion of it that it's, you know, been happening for a long time and, and started, you know, really sort of, it's almost like that setting up, um, for this in, in, in, in advance of. Um, the other is, is like the timing of sort of the two things sort of being almost seeming like they're planned together, right? That it's like, "Let's go after this on both fronts, both of cyber and a kinetic, um, experience at the same time," which then, you know, means how the people dealing with that and what are they looking for and, you know, how do, you know, the vulnerabilities, you know, as we know in a distracted world, and you'd be very distracted, um-

Garrett O'Hara: Yeah.

Dan McDermott: ... in that, in that environment, um, you know, are gonna get more difficult to deal with both fronts at the same time as well.

Garrett O'Hara: Yeah, mo- most definitely. Um, and, and, you know, the play here, I mean, it sort of, it goes right to the, the sort of root of protecting a nation, you know, to sound too dramatic, but it is at that level. And, um, you know, that collaboration and cooperation between, um, private organizations in the cyber security industry or more broadly IT, I mean, that's the reality, I mean, part of Microsoft's involvement here would be that, you know, most countries and, and most organizations are built on a Microsoft environment. You know, people use Office, they use Microsoft Exchange, and we're gonna talk about that a little bit later.

But, um, um, you know, they're, I th- I think a company like Microsoft would be a natural ally, um, at a nation state level, just given the amount of dollars they have. But the pervasiveness of their operating systems and their, you know, their business systems, um, I think will, you know, it'll be useful tool for them to sort of go and help, uh, when it comes to, yeah, the cyber part of this conflict.

Dan McDermott: Indeed. Well, thanks for the insights there and, uh, and, and ongoing sort of analysis of what's happening, uh, as part of that.

Finally, let's wrap up with a quick review of the latest breaches and vulnerabilities to make the headlines. Let's start with an update on one that we spoke about last time on the Lapsus$ hack.

Garrett O'Hara: Yeah. They, they, they just keep, keep on giving. Um-

Dan McDermott: [laughs].

Garrett O'Hara: ... yeah, this one, um, this one actually came out through Brian Krebs, who I'm guessing pretty much everybody knows, um, really awesome, uh, writer and reporter in terms of, uh, cyber. He's been doing a bunch of work going through all the private communications of the Lapsus$ crew. So actually looking at, um, [laughs], you know, what they're saying to each other, so bit sort of-

Dan McDermott: [laughs].

Garrett O'Hara: ... voyeuristic, but it's very interesting. Um, and as part of that, he, he sort of came across the fact that the Lapsus$ crew had breached, uh, T-Mobile and, you know, had popped some of the sort of information, and, um, I believe some of the source code repositories, um, from T-Mobile. So, you know, they're just, they're joining a long list of, uh, organizations at this stage who have been popped and, and had information breached by Lapsus$.

Um, the, I mean, the other smaller part of this is, um, Okta who we spoke about last time of on, maybe-

Dan McDermott: Mm-hmm.

Garrett O'Hara: ... maybe the episode before, um, where again, Lapsus$ had hit them. Um, but they've done their, their sort analysis on what actually happened. And it looked like it was, it was very, very limited, um, in terms of the number of customers that were ac- actually affected. So it was really only two. And at the time Okta hadn't really come out too well in terms of their communication with their customers. You know, it was a little bit opaque, what was going on.

Um, but they've, they've actually kind of come around the way. And so, and I saw on LinkedIn, um, a very detailed post, which was quite useful in terms of what happens and, you know, one of those in the spirit of helping the community, um, breakdowns of the, um, the, the Lapsus$, uh, incident. So I think that's kind of a, they were, they, they were getting applause in LinkedIn for, you know, for what that's worth. Um, I think, you know, it's a good sign that, um, the columns were, were really good.

Dan McDermott: Excellent. And, uh, the next story is, is, uh, is actually a good news story, which is great, uh, on the notion of skills development, um, that has been embarked upon, um, the Commonwealth Bank of Australia. What is CBA, uh, doing in terms of cyber security upscaling?

Garrett O'Hara: I think this is very cool idea. Um, so they're basically, um, running a bunch of people through the foundations of cyber security, uh, online course from UNSW. Um, which I sh- I find kind of exciting, you know, making, making that an option for people to go out and learn about cyber security, and, um, do that in, in probably a fairly accessible way given it's online. And, you know, people can kind of jump in and around their work schedule to go and learn about something that I, I think it's fair to say, it's become a life skill. You know, we talk about things that-

Dan McDermott: Mm-hmm.

Garrett O'Hara: ... um, it doesn't matter, kind of matter what your job is, if you can touch type, that's a pretty cool thing. If you go and do a Toastmasters course on public speaking, that's, that's gonna help you probably no matter what your, your actual role is.

And it's starting to feel like cyber security is a little bit like that. You know, it's sort of, um, you know, on the resume where you see people saying, you know, proficient with Microsoft Office, um, you know, that there'll be some version of, you know, I've got my head around cyber security and that may make somebody more, uh, appealing as an employee.

Anyway, CBA are doing this. It's a, a 12 week program. And reading through what was really interesting was that, uh, about a third of the staff who are, uh, doing the course are things like senior managers and, um, 50% or sorry, 6% of those have roles that are outside of cyber security. I think that to me is probably the most exciting part of this.

Dan McDermott: Mm-hmm.

Garrett O'Hara: Because if it was a bunch of, you know, cyber security people, you kind of go, "Well, who cares?" Um, but when you start to see an organization take broad cyber security, that importantly, that they offer this up to, uh, folks who are outside of the cyber security roles, knowing that it will be important for everybody, um, it comes back, you know, we've, we've talked about this so many times, it's a, it's culture. It's gotta be across the organization.

Dan McDermott: Hmm.

Garrett O'Hara: There ain't no point in just the cybersecurity team or IT team understanding this stuff. It needs to be, uh, organizational level. And, you know, this is a really good way I would say, um, of pushing towards that. So applause all round for, uh, CBA. [laughs].

Dan McDermott: Indeed. And one that, uh, the bossware would be very happy with, uh, people spending their time, uh, on the online Uni of New South Wales course doing cybersecurity. So, uh, so it's-

Garrett O'Hara: [inaudible 00:29:12].

Dan McDermott: ... double win on that one-

Garrett O'Hara: [laughs].

Dan McDermott: ... which is great. [laughs]. Um, the last story to, to cover today is actually just a couple of, uh, PSAs or public service announcements around, um, vulnerabilities, uh, and patching. Um, one of your, I know your favorite topics, Gar. So, um, the first was, uh, the announcement of the most exploited bugs, uh, list of 2021.

Garrett O'Hara: Yeah. And, uh, yeah, our friends, we, we just mentioned Microsoft drawn there. Um-

Dan McDermott: [laughs].

Garrett O'Hara: ... they, they were joined, I mean, they certainly aren't on their own, um, Atlassian was one of the other ones. And then the Log4Shell, which we spoke about extensively last year, um, obviously is on that as well. Um, it's funny, there's a, you know, there's a bunch of CVEs that are kind of bunched together for really two, uh, vulnerabilities for Microsoft, that's ProxyLogon and ProxyShell, but they both kind of end up in, uh, RCE or remote code execution, which is never really a good thing. So, you know, no bueno.

Um, the, you know, whatever we're talking about, the specifics of what these are and, and people, you know, you Google them, you'll find them very quickly. And I'm guessing most security teams will be across them already. I think what interesting was watching the commentary come out of the ACSC and, you know, the, the various global security organizations and the message being that when we think about hacking, so often we think about this, you know, highly, you know, super complex, spend hours, trying to figure out how to get into an organization and social engineering and watching where Dan goes to get his coffee. And then you slipping a USB drive into, um, into your briefcase and you plug it in outta curiosity and, you know, these incredibly exciting and amazing, you know, stories.

And then you go and you look at the most exploited vulnerabilities, and they're the ones that, they're, you know, gun of bread and butter stuff, um, patches are available and, um, they're still being exploited it. So, you know, it points to that, the importance of, uh, well, vulnerability management, there's a program. And then the, you know, the patching schedule and as much as possible being able to stay, um, up to date with, you know, the latest, greatest updates patches from vendors, from operating systems, from across the board.

Again, knowing that sometimes it's really easy to just say that on a podcast and say, "Go, and patch." But in reality, sometimes you're, you're, um, you've painted yourself into a corner, shall we say? And by patching X, Y, Z system, it breaks three other things because it's not, you know, it hasn't been tested or blah, blah, blah. So yeah, there is nuance there. But yeah, I think the message here is as much as possible to yeah, patch and stick across these vulnerabilities.

Dan McDermott: Indeed. And, and the final one is, is, uh, patches announced for a vulnerability from Cisco Umbrella users as well.

Garrett O'Hara: So yeah, Dan, this is, um, a, a vulnerability in Cisco Umbrella. So I'm guessing many people would know that's a, you know, DNS play in security, um, as in you use Umbrella. And then when you resolve a DNS entry, if it's dangerous, Umbrella can sort of get in the way and stop you going there. So, um, a safe phone book for the internet basically.

Um, and yeah, there's an SSH vulnerability. So SSH is a protocol for kind of essentially communicating, um, remotely with, you know, platform or whatever it may be, um, generally off across the unsecured network. Um, but there was, uh, yeah, the vulnerability in there where you could potentially get, um, administration cred- credits and do things like, um, you know, restart or alter the, uh, virtual appliance that Cisco Umbrella is, is running on.

So, you know, one to watch. Um, Cisco did bring out a bunch of patches in, in sort of late April for a variety of their systems. So they've, um, yeah, they, they've made available a bunch of patches and, um, again, urge people to go and do that if they can.

Dan McDermott: Indeed. Well, thank you. Yeah, definitely worth for covering some of those vulnerabilities of, of some of these big programs that we know people have in place. Um, and just in case they haven't seen it in that we just thought we, we take the opportunity again to reinforce, uh, those, uh, those, uh, patches that are available for this as well. So thank you, Gar, and appreciate your insights as always. Who do you have, uh, for us as our special guest for next week?

Garrett O'Hara: Yes. Uh, special guest is Jason Duerden, who's the regional director for Australia, New Zealand for SentinelOne. And we've had Jason on, uh, previously, a couple years ago now. Um, awesome guy, very eloquent. And, um, with his move into SentinelOne. Um, I was really keen to just kind of pick his brains and get his take on, you know, the evolution from endpoint AV through ER, into like what XDR actually means today. It's one of those conversation topics that, um, yeah, it's, it's, it's rich and there's nuance there.

And so we, we do try and get into some of that, like the confusion between XDR versus SIEMs, or who's gonna use, which of those three technologies, where do they fit in the ground scheme of things? Um, and then we, we do what we always do, which is kind of the fu- the crystal ball gazing and what's-

Dan McDermott: Hmm.

Garrett O'Hara: ... the future of, of XDR. So cra- yeah, cracking conversation. Jason's an awesome guy.

Dan McDermott: Fantastic. Looking forward to it. Well, until next week, if you would like to continue exploring key topics in cybersecurity, please jump onto, getcyberresilient.com and check out some of the latest articles, including a wrap up of the news in cybersecurity from the month of April, Balancing the books: the CISO's guide to brilliant budgeting from yours truly, and two articles from Gar, one covering how to build better cyber security metrics and the other, how big data is getting bigger, and so are its security problems. So aga- again, thanks for listening. And until next time, stay safe.

Principal Technical Consultant

Garrett O’Hara is the Principal Technical Consultant at Mimecast having joined in 2015 with the opening of the Sydney office, leading the growth and development of the local team. With over 20 years of experience across development, UI/UX, technology communication, training development and mentoring, Garrett now works to help organisations understand and manage their cyber resilience strategies. When not talking about the cyber security landscape, data assurance approaches and business continuity Garrett can be found running, surfing or enjoying the many bars and eateries of Sydney's Northern Beaches.

User Name
Garrett O'Hara