
open source and cybersecurity news

May 12, 2023

Gmail Dark Web Monitoring, RSAC Interview - Anil Karmel, Dragos Breach

Episode Transcription:

Pokie Huang: 

Hey, it’s 5:05 on Friday, May 12th, 2023. From the Sourced Podcast Network in New York City this is your host, Pokie Huang. Stories in today’s episode come from Edwin Kwan in Sydney, Australia, Katy Craig in San Diego, California, Derek Weeks in Bethesda, Maryland, Marcel Brown in St. Louis, Missouri. 

Let’s get to it. 

Edwin Kwan: 

This is Edwin Kwan from Sydney, Australia. 

Google announced that it will be bringing dark web monitoring to all users in the United States. This feature was first released in March 2023 and made available only to their US-based Google One subscribers. 

Once enabled, users will be able to scan the dark web for their email addresses and take action to protect their account based on guidance provided by Google. Some of that advice could include turning on two-step authentication to protect their account from hijacking attempts. 

Google will also regularly notify their users to check if their email address has been linked to any data breaches that ended up on cyber criminal forums.

Katy Craig: 

While I was at RSA conference, I had the privilege to interview a trailblazer in the field of Governance, Risk, and Compliance (GRC), Anil Karmel, the CEO and Co-founder of RegScale, a small business that’s making big waves in federal and DoD markets. 

In the landscape of cybersecurity, GRC is both foundational and bothersome.

It’s a crucial framework that guides organizations on how to align their operations with regulatory requirements, manage risks effectively, and meet business objectives. However, traditional GRC approaches can be a bit of a double-edged sword. 

On the one hand, GRC provides a structure for managing risks and ensuring compliance. But on the other hand, it can be cumbersome, time-consuming, and often involve manual processes that are prone to human error. It can also struggle to keep pace with the rapidly evolving cybersecurity landscape, where new threats and vulnerabilities emerge daily. 

So what’s the solution to these challenges?

Well, many believe it’s automation. By automating GRC processes, organizations can streamline their operations, reduce the potential for human error, increase efficiency, and more effectively keep pace with the dynamic nature of today’s cyber threats. 

Automation, it seems, could very well be the future of GRC.

And like nearly everyone practicing GRC and cybersecurity, compliance was a true challenge for Anil.

Anil Karmel: 

I ran into a brick wall of compliance, having to write compliance artifacts and word documents and Excel spreadsheets and defend them like thesis dissertations. Our compliance processes and procedures have not scaled or kept up to date or kept pace with digital transformation efforts and have in fact been a bottleneck to these transformation efforts. 

Katy Craig: 

So Anil decided there had to be a better way to scale GRC activities to keep pace with technology and digital transformations and to address the “us versus them” mentality between security and compliance. 

Anil Karmel: 

There’s been, you know, for decades, this adversarial mindset between security and compliance. It’s usually security versus compliance. If you adopt a compliance mindset, it’s traditionally, how quickly can I check the box? But that doesn’t necessarily equate to security. 

Katy Craig: 

So what’s the answer? Well, Anil…

Anil Karmel: 

…built a platform that can meet and serve any regulatory requirement, and be able to allow you to continuously keep your compliance artifacts up to date and understand your risk posture in near real time. Ostensibly the world’s first real-time GRC. 

Katy Craig: 

Real-time GRC. What a notion. Imagine having all the evidence you require for your ATO continuously, in real time. GRC experts can then focus on control gaps and not just keeping paperwork up to date. Anil is excited about OSCAL too, a standard his RegScale platform is using. 

Anil Karmel: 

Both FedRAMP and NIST partnered to create this transformational standard called NIST Open Security Controls Assessment Language or OSCAL. If you want to learn more about that go to pages.nist.gov/OSCAL. This particular standard allows organizations to produce and consume compliance artifacts and conduct assessments, leveraging a standardized machine readable language or schema. We’re leading a movement here of trying to transform how an entire industry has been doing work that really hasn’t seen tangible tooling and innovation in decades. 

Katy Craig: 

So if you’re looking for relief from the toil and drudgery of Excel spreadsheets and Word documents for your SSPs, SARs, RARs and POAMs, then check out RegScale and the NIST OSCAL.

This is Katy Craig. Stay safe out there.

Derek Weeks: 

On Monday, May 8th, 2023, a known cyber criminal group attempted and failed at an extortion scheme against Dragos. No Dragos systems were breached, including anything related to the Dragos platform. But there is more to this story. 

I’m Derek Weeks reporting from Bethesda, Maryland. 

The criminal group, according to this week’s Dragos blog, gained access by compromising the personal email address of a new sales employee prior to their start date, and subsequently used their personal information to impersonate the Dragos employee and accomplished the initial steps in the employee onboarding process. 

The group accessed resources a new sales employee typically uses in SharePoint and the Dragos contract management system. In one instance, a report with IP addresses associated with a customer was accessed, and Dragos reached out to that customer afterwards. 

Dragos investigated alerts in their corporate security information and event management system and blocked the compromised account. Dragos promptly activated their incident response retainer with CrowdStrike and engaged their third-party monitoring, detection, and response provider to manage incident response efforts.

They’re confident that their layered security controls prevented the threat actor from accomplishing what Dragos believes to be their primary objective of launching ransomware. They were also prevented from accomplishing lateral movement, escalating privileges, establishing persistent access, or making any changes to the infrastructure.

The timeline Dragos shares in its blog provides the following details. 

- An onboarding message was sent to the employee.
- Within several minutes, the adversary logs in with their credentials.
- Access to seven systems is attempted within seven hours.
- All were blocked by role-based access controls.

But access to the customer support system that had the customer contract in it was achieved within the first 47 minutes. 

Just like my last update here on the 5:05 about Equifax sharing their attempted breach experience, Dragos has done the same here. Dragos learned what worked and what needed to be improved. We too should learn from these same incidents.

I’d advise you to go and read the Dragos blog this week to see the details there, as well as read through their specific timeline about how the adversary went through their network. 

Thanks again and tune in for daily 5:05 updates.

Marcel Brown: 

This is Marcel Brown, the most trusted name in technology, serving you up some technology history for May 12th and May 13th. 

May 12th, 1941. German engineer Konrad Zuse unveils the Z3, now generally recognized as the first fully functional programmable computer. Because Germany was fighting World War II, not much was known about the Z3 until after the war. It was an electromechanical computer, so it was not the world’s first fully electronic computer. Plans were made to replace the mechanical relays with fully electronic switches; however, funding was denied by the German government because the Z3 was not considered important to the war effort.

The Z3 was destroyed by Allied bombing in 1943, but a fully functioning replica was built in 1961 and is on display in the Deutsches Museum in Munich. Because the Z3 was the first programmable, fully automatic computer, some people consider Konrad Zuse the inventor of the modern computer. 

May 13th, 1980. Digital Equipment Corporation, Intel and Xerox jointly announce the Ethernet network specification. Ethernet is the predominant networking standard of today’s business and home networks. 

May 13th, 1985. The British rock band Dire Straits releases their fifth album, Brothers in Arms, which will become the first CD to sell over a million copies. It was the most successful album release on compact disc for over two decades. I guess Money for Nothing was more than a song title. 

May 13th, 1991. The System 7 operating system for the Macintosh is released, the second major upgrade to the Mac OS since 1984. One of the major features included in System 7 is built-in cooperative multitasking.

System 7 will also introduce the concept of aliases, which would later be copied as shortcuts in Microsoft Windows 95. 

System 7 was the first Mac OS that I personally became familiar with, and it was the foundation of future Mac OS versions until the release of Mac OS X, almost exactly 10 years later.

That’s your technology history for today. For more, tune in next week and visit my website ThisDayInTechHistory.com.

Pokie Huang: 

That’s it for today’s open source and cybersecurity updates. For direct links to all stories and resources mentioned in today’s episode, go to 505Updates.com, where you can listen to our growing library of over 100 episodes. You can also download the transcript of all episodes for easy reference.

5:05 is a Sourced Networks Production with updates available Monday through Friday on your favorite audio streaming platform. Just search for “It’s 5:05!”. And please consider subscribing while you’re there. 

Thank you to Edwin Kwan, Katy Craig, Derek Weeks and Marcel Brown for today’s contributions. 

The Executive Producer and the editor is Mark Miller. The sound engineer is Pokie Huang. Music for today’s episode is by Blue Dot Sessions. We use Descript for spoken text editing and Audacity to layer in the soundscapes. The show distribution platform is provided by Captivate.fm. This is Pokie Huang. See you next Monday… at 5:05.
