WEBVTT 1 00:00:00.000 --> 00:00:02.760 Anna Delaney: Hi, this is the ISMG Editors' Panel. I'm Anna 2 00:00:02.760 --> 00:00:05.760 Delaney and I'm joined by three of my colleagues to discuss the 3 00:00:05.760 --> 00:00:10.170 latest cybersecurity news and stories. And to introduce my 4 00:00:10.170 --> 00:00:13.320 teammates, Tom Field, Senior Vice President of Editorial; 5 00:00:13.470 --> 00:00:16.470 Matthew Schwartz, Executive Editor of DataBreachToday and 6 00:00:16.470 --> 00:00:20.550 Europe; and Rashmi Ramesh, Senior Sub Editor for ISMG's 7 00:00:20.580 --> 00:00:22.680 Global News Desk. Hello, team. 8 00:00:23.250 --> 00:00:24.150 Tom Field: Welcome back, Anna. 9 00:00:24.390 --> 00:00:28.260 Anna Delaney: Thank you very much. It's great to be back. So, 10 00:00:28.260 --> 00:00:31.500 Tom, you were at a live event last week. Tell us more. 11 00:00:32.110 --> 00:00:35.140 Tom Field: First time in over two years. I believe it was the 12 00:00:35.140 --> 00:00:39.160 first live event that ISMG had put on, a summit that is, since 13 00:00:39.160 --> 00:00:44.200 maybe Washington DC in December of 2019. We put on our Pacific 14 00:00:44.200 --> 00:00:47.020 Northwest Summit. It's the first hybrid event that we have done 15 00:00:47.020 --> 00:00:49.510 this year, which meant we had a certain percentage of attendees 16 00:00:49.630 --> 00:00:52.240 there in person, and then hundreds more that were 17 00:00:52.510 --> 00:00:56.350 monitoring via the web. Three words I'm going to give you to 18 00:00:56.350 --> 00:01:02.050 describe the event. First is emotional. It is a big deal to 19 00:01:02.050 --> 00:01:05.710 get up on stage for the first time in over two years and to be 20 00:01:05.710 --> 00:01:09.190 able to greet a live audience and engage and have a 21 00:01:09.460 --> 00:01:12.190 conversation about these issues that matter to us.
And I will 22 00:01:12.190 --> 00:01:15.700 say that I did stop and take a selfie of myself in front of the 23 00:01:15.700 --> 00:01:18.700 audience just to get things started. But I really enjoyed 24 00:01:18.700 --> 00:01:21.580 it. It was a big deal for people to be there. For many, this was 25 00:01:21.580 --> 00:01:24.130 the first time in over two years. They really ventured out 26 00:01:24.130 --> 00:01:27.400 of their homes and communities to go to an event. So it was a 27 00:01:27.400 --> 00:01:30.520 big deal for everybody. The other thing I would say was, it was a 28 00:01:30.520 --> 00:01:35.410 little bit tentative to an extent, because it is people 29 00:01:35.410 --> 00:01:38.950 emerging from pandemic quarantine, still having 30 00:01:39.160 --> 00:01:43.900 concerns about the pandemic and about health issues. And do we 31 00:01:43.900 --> 00:01:49.210 sit close together? Do we shake hands? There are so many 32 00:01:49.210 --> 00:01:54.400 questions. So it's an easing back into the life that we used 33 00:01:54.400 --> 00:01:58.900 to have. And in addition to the conference itself, I also hosted 34 00:01:59.260 --> 00:02:02.560 two roundtables, one over lunch, one over dinner, and it was nice 35 00:02:02.560 --> 00:02:07.720 to see a dozen or so people get together around the table and 36 00:02:07.720 --> 00:02:11.710 enjoy a meal together, and enjoy an engaging conversation. It's 37 00:02:11.710 --> 00:02:16.330 not the same as, you know, when you're doing it via Zoom in a 38 00:02:16.330 --> 00:02:18.940 virtual discussion. I will tell you this though. The thing I've 39 00:02:18.940 --> 00:02:22.930 learned, the difference between discussions in Zoom and 40 00:02:22.930 --> 00:02:27.580 discussions on stage and around the table, is we talk more in 41 00:02:27.580 --> 00:02:32.500 person. I found that I needed far fewer questions to engage in 42 00:02:32.500 --> 00:02:35.380 a conversation on stage.
And that's the other part of the 43 00:02:35.380 --> 00:02:38.860 conversations. They were more engaging than they have been in 44 00:02:38.860 --> 00:02:43.270 the past. You know, we're not up on stage anymore talking about 45 00:02:43.270 --> 00:02:46.270 zero trust as something that could come down the pike, and 46 00:02:46.270 --> 00:02:50.830 we're not rehashing all the old issues about CISO reporting 47 00:02:50.830 --> 00:02:54.400 relationships. The discussions were urgent. We were talking 48 00:02:54.400 --> 00:03:00.580 about supply chain issues in the wake of Colonial Pipeline and 49 00:03:01.270 --> 00:03:04.720 SolarWinds and issues that really mattered over the course 50 00:03:04.720 --> 00:03:08.200 of the past year. We were talking about incident response 51 00:03:08.230 --> 00:03:12.070 after this wave of ransomware, double, triple, quadruple 52 00:03:12.070 --> 00:03:15.070 extortion that Matt will tell us more about and has told us 53 00:03:15.370 --> 00:03:20.170 consistently. We were talking about the impacts of what was 54 00:03:20.170 --> 00:03:25.720 happening in Russia, in Ukraine, within 24 hours of President 55 00:03:25.720 --> 00:03:29.680 Biden warning organizations in the US that they might start to 56 00:03:29.680 --> 00:03:33.940 see more ripple-effect impact from what's going on there. So 57 00:03:33.940 --> 00:03:37.330 the issues were real, they were compelling. And the speakers 58 00:03:37.330 --> 00:03:41.110 very much were engaged in the topics. And so were the audience 59 00:03:41.110 --> 00:03:45.280 members. I can't say enough about it. It's nice to be back 60 00:03:45.460 --> 00:03:49.360 on stage again. It's nice to be able to engage face-to-face. And 61 00:03:49.360 --> 00:03:52.720 Anna, you and I are going to do it again next week in Chicago. 62 00:03:52.930 --> 00:03:55.600 Anna Delaney: We certainly are! Very much looking forward to it. 63 00:03:55.900 --> 00:03:59.140 Certainly more organic.
I had my first live roundtable a couple 64 00:03:59.140 --> 00:04:03.130 of weeks back. So, I felt the same. Conversation flowed very 65 00:04:03.160 --> 00:04:09.190 naturally, though I didn't have to be there really. On virtual 66 00:04:09.220 --> 00:04:11.830 forums, you're always trying to pull out answers from people, 67 00:04:11.830 --> 00:04:14.830 aren't you? And then I tell them, please, implore them, 68 00:04:14.830 --> 00:04:17.770 switch on your webcams. But there was no dearth of 69 00:04:17.770 --> 00:04:20.320 conversation here. So that was great. How are you finding, Tom, 70 00:04:20.320 --> 00:04:24.220 adjusting to travel and carrying on all the virtual 71 00:04:24.220 --> 00:04:25.720 events that you do? 72 00:04:26.350 --> 00:04:29.320 Tom Field: Well, that's an issue because the virtual doesn't go 73 00:04:29.320 --> 00:04:32.920 away. Worse, and it's not just me, it's all of us. We're so 74 00:04:32.920 --> 00:04:36.340 ingrained now in meeting-to-meeting-to-meeting-to-meeting. 75 00:04:36.370 --> 00:04:39.550 That's how our schedules have been for two years. And it used 76 00:04:39.550 --> 00:04:41.710 to be, you could get on an airplane, you could block off a 77 00:04:41.710 --> 00:04:44.080 few hours because you were traveling and you were sort of 78 00:04:44.080 --> 00:04:47.140 left alone. That was a time that doesn't exist anymore. You've 79 00:04:47.140 --> 00:04:50.950 got to still find a way to accommodate virtual while you're 80 00:04:50.950 --> 00:04:54.490 trying to live actual. I think that's a balance that we're 81 00:04:54.490 --> 00:04:59.320 going to struggle to find again. I would also say that just as 82 00:04:59.320 --> 00:05:03.430 the lovely aspects of being able to meet in person have come back 83 00:05:03.460 --> 00:05:07.570 just as quickly as they have, so have the hassles of travel.
I 84 00:05:07.570 --> 00:05:10.150 was trying to come back on a red-eye on Tuesday night after 85 00:05:10.150 --> 00:05:14.110 the event and it got canceled because a seat in first class 86 00:05:14.110 --> 00:05:17.860 came loose from the airplane, and they couldn't find a tool to 87 00:05:17.860 --> 00:05:21.610 be able to reattach it. So rather than having a 500-pound 88 00:05:21.610 --> 00:05:25.030 seat loose in the air, they canceled the flight and I had to 89 00:05:25.030 --> 00:05:30.160 stay on for an extra 24 hours. All the fun of travel is back. 90 00:05:30.430 --> 00:05:33.010 And I'd say, the one thing that we didn't have to deal with over 91 00:05:33.010 --> 00:05:37.360 the past two years was wearing shoes all day. Wearing shoes all 92 00:05:37.360 --> 00:05:38.020 day hurts. 93 00:05:38.860 --> 00:05:41.380 Anna Delaney: I mean, you're right. I was in heels. Can you 94 00:05:41.380 --> 00:05:41.860 imagine? 95 00:05:41.950 --> 00:05:42.760 Tom Field: Oh, you know, I wasn't. 96 00:05:43.900 --> 00:05:48.460 Anna Delaney: Well, exactly. Cannot assume. But talking of 97 00:05:48.460 --> 00:05:51.430 travel, Matt, where are you up to with your boat? 98 00:05:52.920 --> 00:05:55.080 Matthew Schwartz: Yeah, I'm impounding the oligarchs' 99 00:05:55.110 --> 00:05:59.580 yachts, of course, yes, in Fife, Scotland, not too far to the 100 00:05:59.580 --> 00:06:03.690 south of me. This is Dysart Harbour. It's a beautiful 101 00:06:03.690 --> 00:06:09.960 weekend. Very, almost summer-like, briefly a little 102 00:06:09.960 --> 00:06:13.380 break in the wintry weather that we've been having. So all 103 00:06:13.380 --> 00:06:16.260 the boats are out of the harbor at the moment. Everybody was 104 00:06:16.260 --> 00:06:19.350 touching them up, because it was a beautiful day. We've got the 105 00:06:19.350 --> 00:06:23.580 raft here. We've got the puffin. I don't know if you can see that 106 00:06:23.580 --> 00:06:27.270 one. Probably not.
But it's just a beautiful day here in 107 00:06:28.050 --> 00:06:28.740 Scotland. 108 00:06:29.010 --> 00:06:31.020 Anna Delaney: Yes, I heard it was gorgeous weather, unlike 109 00:06:31.020 --> 00:06:35.460 where I was. But back to Rashmi. Tell us about your beautiful 110 00:06:35.490 --> 00:06:37.200 spring-like scene. 111 00:06:37.960 --> 00:06:41.740 Rashmi Ramesh: Yes, it's peak summer here in Bangalore. My 112 00:06:41.740 --> 00:06:45.460 background is from a place called Cubbon Park. It's in the 113 00:06:45.490 --> 00:06:48.610 central business district and one of the biggest lung spaces 114 00:06:48.610 --> 00:06:52.600 in the city. But these pink cotton-candy trees that you see 115 00:06:52.600 --> 00:06:56.050 behind me are seasonal. They bloom in like four or five 116 00:06:56.050 --> 00:06:59.200 colors and they are across the city. Of course, the green cover 117 00:06:59.200 --> 00:07:02.950 is now a lot less. But it's just so stunning to just, you know, 118 00:07:02.950 --> 00:07:06.700 walk down these roads, with a canopy of cotton candy over your 119 00:07:06.700 --> 00:07:07.150 head. 120 00:07:07.990 --> 00:07:10.930 Anna Delaney: Nice imagery. Is there a strong scent as well? 121 00:07:12.010 --> 00:07:14.320 Rashmi Ramesh: Not really, but they're just really pretty to 122 00:07:14.320 --> 00:07:14.860 look at. 123 00:07:15.410 --> 00:07:17.510 Anna Delaney: Very much so. Well, I was in Valencia last 124 00:07:17.510 --> 00:07:21.950 week. And this is a city that has 300 days of sunshine every 125 00:07:21.950 --> 00:07:27.710 year. Well, unfortunately, this was not the time. It was rainy, 126 00:07:27.710 --> 00:07:31.730 windy and cold. But anyway, I loved the city. The architecture is 127 00:07:31.730 --> 00:07:34.280 beautiful. And they have a lot of urban art as well. So it 128 00:07:34.280 --> 00:07:38.690 complements all the architecture very well. But Matt, I know it 129 00:07:38.690 --> 00:07:42.050 was a busy week for you.
With the news that Okta was one of 130 00:07:42.050 --> 00:07:45.440 the victims of the Lapsus$ hacking group and Okta, of 131 00:07:45.440 --> 00:07:48.950 course, the authentication firm, admitted that it had made a 132 00:07:48.950 --> 00:07:52.070 mistake in handling the attack and the breach. Now I know 133 00:07:52.070 --> 00:07:55.490 you've written a very useful article on what we can learn 134 00:07:55.610 --> 00:07:59.030 from their response. What did they get right? And what did 135 00:07:59.030 --> 00:07:59.720 they get wrong? 136 00:08:01.370 --> 00:08:04.468 Matthew Schwartz: Great question and I'll just say, reportedly, 137 00:08:04.536 --> 00:08:08.805 if that's even a word, but I was indebted to Rashmi for having 138 00:08:08.874 --> 00:08:12.798 run with this story last week, which was that the Lapsus$ 139 00:08:12.867 --> 00:08:16.997 attack group had somehow gained access to Okta systems or to 140 00:08:17.066 --> 00:08:21.335 somebody who had access to Okta systems. And I wrote up a kind 141 00:08:21.404 --> 00:08:25.672 of lessons learned from this. I think it's fascinating, not to 142 00:08:25.741 --> 00:08:29.252 try to blame companies, typically not going for the 143 00:08:29.321 --> 00:08:33.589 schadenfreude angle on things. But to look at what happened, 144 00:08:33.658 --> 00:08:37.858 how an organization responded, and how anybody else who wants 145 00:08:37.926 --> 00:08:41.988 to avoid finding themselves potentially in hot water should 146 00:08:42.057 --> 00:08:45.913 learn the lessons from these sorts of incidents. Now, it 147 00:08:45.981 --> 00:08:50.319 seems recently that ransomware has been feeding us with many of 148 00:08:50.387 --> 00:08:54.312 the lessons that need to be learned, simply because these 149 00:08:54.381 --> 00:08:58.305 attacks are so disruptive. That's interesting, because it 150 00:08:58.374 --> 00:09:02.711 used to be data breaches.
So it was, I don't know, not like old 151 00:09:02.780 --> 00:09:07.117 home week. But here we had a big data breach. There didn't seem 152 00:09:07.186 --> 00:09:11.248 to be any ransom component to this. It's not clear what the 153 00:09:11.316 --> 00:09:15.516 Lapsus$ group was doing exactly. But what happened is, Sunday 154 00:09:15.585 --> 00:09:19.303 before last, the Lapsus$ group published some screenshots, 155 00:09:19.371 --> 00:09:23.778 which showed that it had access to systems run by Okta, the huge 156 00:09:23.846 --> 00:09:27.495 authentication and identity management provider. What 157 00:09:27.564 --> 00:09:31.626 transpired after that was Okta had detected what it thought 158 00:09:31.695 --> 00:09:35.688 might be a breach in January at one of its contractors who 159 00:09:35.757 --> 00:09:40.163 provides customer service. This is called the Sitel Group and it 160 00:09:40.232 --> 00:09:44.156 was a subsidiary called Sykes, which it refers to now as a 161 00:09:44.225 --> 00:09:48.562 legacy part of the organization because it bought it last year. 162 00:09:48.631 --> 00:09:52.761 So Okta said, we knew about this, but we're still waiting to 163 00:09:52.830 --> 00:09:56.892 get the breach report back from Sitel Group. Now already, I 164 00:09:56.961 --> 00:10:01.161 think we can all agree that Okta perhaps started off on the 165 00:10:01.229 --> 00:10:05.704 wrong foot. It's been two months since it detected that something 166 00:10:05.773 --> 00:10:09.973 might be wrong. So I want to give kudos to Okta for detecting 167 00:10:10.042 --> 00:10:14.104 that something might be wrong. So often, when we see breach 168 00:10:14.172 --> 00:10:17.890 notifications, we see these weasel words used such as, 169 00:10:17.959 --> 00:10:21.814 there's no evidence that anything was stolen; there's no 170 00:10:21.883 --> 00:10:25.807 evidence that there's been fraud. Well, that doesn't give 171 00:10:25.876 --> 00:10:30.282 us a lot of assurance, does it?
What does give us assurance is a 172 00:10:30.351 --> 00:10:34.206 company like Okta saying, we saw something was wrong, we 173 00:10:34.275 --> 00:10:38.337 immediately started to look into it. It found it was at the 174 00:10:38.406 --> 00:10:42.606 contractor, and the contractor Sitel Group said, we've got it 175 00:10:42.674 --> 00:10:46.736 from here. So fast forward, Okta's initial communication is 176 00:10:46.805 --> 00:10:50.729 we haven't got the full report. Okta is already on the 177 00:10:50.798 --> 00:10:55.067 back foot and says, we're still waiting for the results. Now, I 178 00:10:55.135 --> 00:10:59.542 personally think 60 days or more than 60 days, it's too long. If 179 00:10:59.610 --> 00:11:03.879 there's a breach it needs to be investigated, and customers or 180 00:11:03.948 --> 00:11:08.423 anybody who might be potentially impacted, be alerted in a timely 181 00:11:08.491 --> 00:11:12.209 manner. In Europe, a timely manner is 72 hours. In the 182 00:11:12.278 --> 00:11:16.546 United States, a rule of thumb has been oftentimes, yeah, like 183 00:11:16.615 --> 00:11:20.815 Tom might say, 30 days give or take, is what I've heard from 184 00:11:20.884 --> 00:11:25.014 data breach experts. Of course, the answer is it depends. It 185 00:11:25.083 --> 00:11:29.145 depends on if you can give actionable information to anyone 186 00:11:29.214 --> 00:11:33.276 who may have been affected. There are questions about whether 187 00:11:33.345 --> 00:11:37.613 you want to tell them you don't know yet or whether you should 188 00:11:37.682 --> 00:11:41.537 just alert them once you know what they need to do. Now, 189 00:11:41.606 --> 00:11:45.599 obviously, the narrative got away from Okta, because after 190 00:11:45.668 --> 00:11:49.523 two months, the attackers went, hey, guess what, back in 191 00:11:49.592 --> 00:11:53.998 January, we breached the systems and ended up with, it wasn't really 192 00:11:54.067 --> 00:11:57.854 clear what.
So, as you said, Anna, Okta said, we made a 193 00:11:57.923 --> 00:12:02.260 mistake. That was a day or two after its chief security officer 194 00:12:02.329 --> 00:12:06.735 said, we should have moved more quickly. So it's been attempting 195 00:12:06.804 --> 00:12:10.659 to catch up a bit and get the messaging right. The quick 196 00:12:10.728 --> 00:12:15.065 takeaway I would offer here is, if you're any organization, and 197 00:12:15.134 --> 00:12:19.265 somebody publishes screenshots of your internal systems, and 198 00:12:19.333 --> 00:12:23.602 especially if they show access to customer information, as the 199 00:12:23.671 --> 00:12:27.939 Okta breach appeared to do, what are you going to do? Probably 200 00:12:28.008 --> 00:12:31.726 you need to have a better-organized response than Okta 201 00:12:31.794 --> 00:12:36.132 had. You probably need to come out and say, we have this matter 202 00:12:36.201 --> 00:12:40.194 under control, it's being investigated, we've communicated 203 00:12:40.262 --> 00:12:44.255 directly with all affected customers. Again, more than two 204 00:12:44.324 --> 00:12:48.730 months after the fact, it showed Okta wasn't keeping a close eye 205 00:12:48.799 --> 00:12:53.068 on things. It should have been checking in with its contractor 206 00:12:53.137 --> 00:12:57.267 on a regular basis to say, what have you found? Perhaps even 207 00:12:57.336 --> 00:13:01.673 saying, look, you've got 30 days; after that we're going public, 208 00:13:01.742 --> 00:13:05.804 because we don't want to get caught out if this information 209 00:13:05.873 --> 00:13:09.728 somehow comes to light, which it did. So there are lots of 210 00:13:09.797 --> 00:13:13.308 interesting lessons to be learned here. I think the 211 00:13:13.377 --> 00:13:17.783 biggest one is, Okta did detect the breach, but failed to follow 212 00:13:17.852 --> 00:13:22.052 through with controlling the message. Everybody needs to have 213 00:13:22.120 --> 00:13:25.838 a plan in place.
They need to have a person inside the 214 00:13:25.907 --> 00:13:29.831 organization designated to keep eyes on what is a very 215 00:13:29.900 --> 00:13:33.962 sensitive project management exercise. Okta didn't do that. 216 00:13:34.031 --> 00:13:37.817 It's paying the price somewhat with its reputation. But 217 00:13:37.886 --> 00:13:41.741 honestly, from a long-term standpoint, I don't think any 218 00:13:41.810 --> 00:13:44.840 real fallout is going to affect the company. 219 00:13:46.160 --> 00:13:48.860 Anna Delaney: Rashmi, as Matt said, you've been working hard 220 00:13:48.860 --> 00:13:52.160 on this and reporting this as well. Anything to add to his 221 00:13:52.160 --> 00:13:52.760 comments? 222 00:13:53.720 --> 00:13:57.530 Rashmi Ramesh: No, I thought Matt's analysis was top-notch. 223 00:13:57.560 --> 00:14:02.420 Perfect. But yeah, the one thing that I would want to add is, you 224 00:14:02.420 --> 00:14:06.890 know, Okta's statement, like he said, has been very on and off. 225 00:14:07.310 --> 00:14:10.040 Initially, it started off with, you know, no, not really all 226 00:14:10.040 --> 00:14:13.490 that much, and we saw that this had happened and yeah, nothing 227 00:14:13.490 --> 00:14:16.130 to really worry about. And then like, oh, it was just one 228 00:14:16.130 --> 00:14:18.950 person. It wasn't, again, nothing to really worry about. 229 00:14:19.520 --> 00:14:23.780 But then we are where we are today. And it's also what a lot 230 00:14:23.780 --> 00:14:27.050 of people that I've spoken to have said, that, you know, it's 231 00:14:27.050 --> 00:14:30.950 okay to get breached. Companies that have excellent 232 00:14:31.280 --> 00:14:34.970 cybersecurity incident response plans get breached, but what's 233 00:14:34.970 --> 00:14:38.870 not okay is to just sit on it for two months.
You should at 234 00:14:38.870 --> 00:14:42.710 least let your customers know that there is an increased risk, 235 00:14:42.890 --> 00:14:45.410 and we can take care of ourselves. So that's what I've 236 00:14:45.410 --> 00:14:46.370 been hearing from people. 237 00:14:48.020 --> 00:14:51.560 Anna Delaney: Matt, I know we've seen a leak this week of the 238 00:14:51.560 --> 00:14:55.760 Mandiant report, detailing the breach timeline of the Sitel and 239 00:14:55.760 --> 00:15:00.350 Sykes breach. The TTPs were pretty textbook, were they not? 240 00:15:00.440 --> 00:15:03.860 So is it fair to say that had the right technical security 241 00:15:03.860 --> 00:15:08.570 controls been deployed or even tested correctly, we wouldn't be 242 00:15:08.570 --> 00:15:09.230 in this position? 243 00:15:10.670 --> 00:15:13.370 Matthew Schwartz: Yes, I'm a little loath to comment too 244 00:15:13.370 --> 00:15:18.650 closely on the Mandiant report. I mean, it's been leaked. And it 245 00:15:18.650 --> 00:15:21.530 would be good to see what Okta and Sitel Group come back with. 246 00:15:21.560 --> 00:15:24.290 I mean, they're really in the hot seat now, to say, you know, 247 00:15:24.320 --> 00:15:30.860 what did happen, what didn't happen? Okta's been clear on the 248 00:15:30.890 --> 00:15:34.310 extent of the breach, you know, belatedly clear, which is that 249 00:15:34.310 --> 00:15:38.570 this customer support engineer, by design, couldn't do very 250 00:15:38.570 --> 00:15:43.130 much. The engineer is authorized to reset a password, but they 251 00:15:43.130 --> 00:15:45.770 don't get to choose the password. It's like when you 252 00:15:45.770 --> 00:15:48.800 phone up and change your password with the bank. The 253 00:15:48.800 --> 00:15:52.100 customer support person turns you over to an automated process 254 00:15:52.130 --> 00:15:55.310 where you enter your new PIN code, or your new password, and 255 00:15:55.310 --> 00:15:58.910 they can't hear that.
That's between you and the system. So 256 00:15:58.910 --> 00:16:02.570 there is a similar firewall, if you will, that was purposefully 257 00:16:02.570 --> 00:16:06.560 designed by Okta to be that way, kind of minimum access, which is 258 00:16:06.560 --> 00:16:12.080 great. So what we've seen is the attackers were maybe suggesting 259 00:16:12.200 --> 00:16:16.670 that they had the keys to the kingdom, or god-like access mode 260 00:16:16.670 --> 00:16:19.850 to things, and they did not. So it will be interesting to get 261 00:16:19.850 --> 00:16:23.540 some more details like that, for example, from the leaked 262 00:16:23.570 --> 00:16:27.410 Mandiant report, about what Sitel Group could have done better. 263 00:16:27.740 --> 00:16:30.860 It's interesting to me that it involved a business Sitel Group 264 00:16:30.860 --> 00:16:34.070 bought last year. It's based in Costa Rica. Not to say anything 265 00:16:34.070 --> 00:16:37.730 about Costa Rican cybersecurity, but we've seen so many breaches 266 00:16:38.030 --> 00:16:42.710 involving subsidiaries that got bought in a relatively recent 267 00:16:42.710 --> 00:16:46.010 timeframe, or, like TalkTalk, years and years ago, and the 268 00:16:46.010 --> 00:16:49.550 ball got dropped. So I'm waiting to see, but yeah, it's a great 269 00:16:49.550 --> 00:16:51.950 question. I think there are going to be more lessons to be learned 270 00:16:51.950 --> 00:16:56.120 here about what to do to help avoid these sorts of breaches, 271 00:16:56.120 --> 00:16:59.420 because the attackers are looking for easy ways in. That's 272 00:17:00.110 --> 00:17:06.380 probably how they got here: a Remote Desktop Protocol sort of 273 00:17:06.380 --> 00:17:10.640 connection. So why were they able to do that? Probably two-274 00:17:10.640 --> 00:17:12.890 factor wasn't activated, as it should have been. 275 00:17:13.220 --> 00:17:15.770 Tom Field: Not an unusual story. We've seen this play out so many 276 00:17:15.770 --> 00:17:19.070 times.
There is an incident at first and it's the next 277 00:17:19.070 --> 00:17:23.330 SolarWinds. We find out maybe it's a little scaled back from 278 00:17:23.330 --> 00:17:26.030 that. We find out the adversaries get in because they 279 00:17:26.030 --> 00:17:31.220 found the key under a doormat. You see the outrage on social 280 00:17:31.220 --> 00:17:34.430 media. And as always, there's nothing like the outrage of the 281 00:17:34.430 --> 00:17:40.430 uninvolved. Definitely legitimate concerns here. And it 282 00:17:40.430 --> 00:17:45.350 ultimately comes back to what Matt and what Rashmi said: Okta 283 00:17:45.350 --> 00:17:47.870 discovered something and they should have said something a 284 00:17:47.870 --> 00:17:50.300 whole lot sooner. And if there's something you can take away from 285 00:17:50.300 --> 00:17:54.260 this, go back to how Mandiant responded when it discovered the 286 00:17:54.260 --> 00:17:57.860 SolarWinds intrusion over a year, almost a year and a half 287 00:17:57.860 --> 00:18:01.610 ago. They came right out immediately, and told what they 288 00:18:01.610 --> 00:18:04.670 knew and were at the forefront of the investigation going 289 00:18:04.670 --> 00:18:08.030 forward. That's a model we all should follow. 290 00:18:08.480 --> 00:18:10.460 Matthew Schwartz: Yeah! FireEye, right? I mean, back when it was 291 00:18:10.460 --> 00:18:14.660 all tied up together. Yeah, it said we were breached. That is a 292 00:18:14.660 --> 00:18:19.190 great model of transparency. We have seen wonderful examples of 293 00:18:19.190 --> 00:18:23.150 that. And this also gets into crisis communications. I think 294 00:18:23.300 --> 00:18:26.630 FireEye is a stellar example. Maersk, when it got hit by 295 00:18:26.630 --> 00:18:30.350 NotPetya, stellar example. Everything was disrupted. And 296 00:18:30.350 --> 00:18:33.200 they said, we're fixing it as quickly as possible, and we will 297 00:18:33.200 --> 00:18:36.440 be as transparent as possible. Here we go.
298 00:18:37.520 --> 00:18:38.960 Tom Field: It's what we preach: when you see something, say 299 00:18:38.960 --> 00:18:39.350 something. 300 00:18:40.430 --> 00:18:42.920 Anna Delaney: And long-term, Matt, you seem to indicate in 301 00:18:42.920 --> 00:18:45.980 your article that Okta's reputation should be fine. 302 00:18:48.140 --> 00:18:50.990 Matthew Schwartz: Yes, speaking, I don't know. I don't want to 303 00:18:50.990 --> 00:18:54.950 sound like a cynical consumer or somebody who's been covering 304 00:18:54.950 --> 00:18:58.580 data breaches closely since 2003 and has yet to see the expected 305 00:18:58.580 --> 00:19:01.970 changes he would have hoped for. Hope there's no bitterness 306 00:19:01.970 --> 00:19:06.350 creeping into my voice. But, as Rashmi very eloquently said, 307 00:19:06.770 --> 00:19:09.890 businesses get breached. And I think what we've judged them on 308 00:19:09.920 --> 00:19:14.720 is how they respond. What the stock market judges them on is 309 00:19:14.750 --> 00:19:20.960 less clear to me because there's pretty much no example ever of a 310 00:19:20.960 --> 00:19:24.650 business going out of business because of a breach. Unless it's 311 00:19:24.650 --> 00:19:27.320 a cryptocurrency exchange and they lose all their Bitcoins. 312 00:19:28.220 --> 00:19:30.650 There have been a lot of studies. There's no long-term harm that 313 00:19:30.650 --> 00:19:32.810 comes to a business because of a breach. 314 00:19:33.050 --> 00:19:35.240 Tom Field: And it can be career-changing, but it's rarely 315 00:19:35.240 --> 00:19:36.080 corporate-changing. 316 00:19:37.010 --> 00:19:38.600 Matthew Schwartz: Very well said. If you're the chief 317 00:19:38.600 --> 00:19:41.600 security officer, your days are more numbered than usual. But 318 00:19:42.380 --> 00:19:44.600 longevity in that role is not great, to begin with. 319 00:19:46.130 --> 00:19:49.190 Anna Delaney: Well, that was an excellent analysis.
Thank you, 320 00:19:49.190 --> 00:19:53.360 team. Rashmi, moving over to rug pulling. Talk to us about rug 321 00:19:53.360 --> 00:19:56.810 pulling. What is it? And talk to us about the latest NFT rug pull 322 00:19:56.870 --> 00:19:57.920 scam case. 323 00:19:58.590 --> 00:20:01.620 Rashmi Ramesh: Right! So lots happening in the blockchain 324 00:20:01.620 --> 00:20:08.400 space as a whole, but also the NFT space, specifically. So a few 325 00:20:08.400 --> 00:20:13.410 days ago, we had what is essentially the first rug pull 326 00:20:13.410 --> 00:20:17.250 scam of the year. It's also the first time the DOJ has charged 327 00:20:17.250 --> 00:20:21.780 people in an NFT rug pull scam. So lots of firsts there. To back up 328 00:20:21.780 --> 00:20:25.380 a little bit - two people, two 20-year-olds, have been charged 329 00:20:25.440 --> 00:20:29.190 with conspiracy to commit money laundering and wire fraud in the 330 00:20:29.190 --> 00:20:33.540 NFT scam. So they apparently defrauded hundreds, or maybe 331 00:20:33.540 --> 00:20:38.670 thousands of victims, of about $1.1 million. This is what the 332 00:20:38.730 --> 00:20:42.630 Department of Justice says. And it's very interesting how the 333 00:20:42.630 --> 00:20:46.680 scam happened. So these suspects, they had put on sale 334 00:20:46.710 --> 00:20:55.050 about 8,888 NFTs, each of them worth about $136, and advertised 335 00:20:55.050 --> 00:21:01.320 them as Frosties. And because, you know, the NFT market runs on 336 00:21:01.320 --> 00:21:05.040 FOMO, the fear of missing out, all of these NFTs were sold out 337 00:21:05.040 --> 00:21:08.910 within hours. And the suspects then transferred the 338 00:21:08.910 --> 00:21:13.020 cryptocurrency payments gained from the sale to other wallets 339 00:21:13.050 --> 00:21:16.590 under their control without providing the advertised 340 00:21:16.590 --> 00:21:20.490 benefits.
Like, you know, the giveaways or early access to the 341 00:21:20.490 --> 00:21:25.500 next sale or a Metaverse game that comes with owning the NFTs. 342 00:21:25.530 --> 00:21:29.760 And then they shut down the sale platform. So this is a rug pull 343 00:21:29.760 --> 00:21:33.600 scam. So you pull the rug out from under your victims. And the 344 00:21:33.600 --> 00:21:38.520 buyers, of course, were livid. So they took to Reddit, and they 345 00:21:38.520 --> 00:21:42.420 took to Discord and Twitter to complain. And one blockchain 346 00:21:42.420 --> 00:21:46.500 researcher saw these complaints. He spoke to the victims and then 347 00:21:46.500 --> 00:21:49.920 went back to trace these transactions, because everything 348 00:21:49.920 --> 00:21:52.950 on the blockchain is publicly visible, right? So he noticed 349 00:21:52.950 --> 00:21:57.240 some red flags in the use of crypto mixers, for example. So 350 00:21:57.270 --> 00:22:00.990 he then handed off the case to the feds, who conducted a very 351 00:22:00.990 --> 00:22:03.690 thorough investigation. And here we are. 352 00:22:05.640 --> 00:22:08.580 Anna Delaney: Brilliant! And Rashmi, how did we actually get 353 00:22:08.580 --> 00:22:10.950 here? Well, first of all, I love the way that Reddit is a sort of 354 00:22:10.950 --> 00:22:14.670 threat intel for law enforcement now. But how did we 355 00:22:14.670 --> 00:22:19.080 get here? Because we saw this space explode last year. How have the 356 00:22:19.080 --> 00:22:21.810 criminals been able to get so far in their scams, do you 357 00:22:21.810 --> 00:22:22.170 think? 358 00:22:25.090 --> 00:22:27.850 Rashmi Ramesh: Well, one is, you know, like I said, the fear of 359 00:22:27.850 --> 00:22:30.910 missing out, because everybody wants to own an NFT. And the 360 00:22:30.910 --> 00:22:34.660 second is that this one, for example, was a decentralized 361 00:22:34.660 --> 00:22:40.300 platform.
So if something gets stolen or if you lose your NFTs, 362 00:22:40.330 --> 00:22:45.160 or if your cryptocurrency is stolen, whom do you go to? There 363 00:22:45.160 --> 00:22:48.610 is not really a central authority for you to complain. 364 00:22:48.640 --> 00:22:52.690 And this is very interesting. There is apparently an actual 365 00:22:52.690 --> 00:22:57.190 Frosties NFT. And they reached out to me and like, you know, 366 00:22:57.190 --> 00:23:00.940 this is what happened; all our customers complained that their 367 00:23:01.120 --> 00:23:03.760 NFTs are stolen; and, we're like, that is not our NFT; that 368 00:23:03.760 --> 00:23:07.180 is not the legitimate NFT; what do we do now? So then they had 369 00:23:07.180 --> 00:23:10.180 to move all of their current customers to a new smart 370 00:23:10.180 --> 00:23:13.900 contract, and it's been a little bit of a pain is what they say. 371 00:23:15.310 --> 00:23:16.180 Anna Delaney: To say the very least. 372 00:23:16.000 --> 00:23:19.330 Matthew Schwartz: I was just going to say, Rashmi, didn't the 373 00:23:19.390 --> 00:23:23.260 alleged offenders or the suspects, I should say, had the 374 00:23:23.260 --> 00:23:26.530 misfortune to allegedly commit these crimes from within the 375 00:23:26.530 --> 00:23:29.620 United States? Because I think they were arrested in Los 376 00:23:29.620 --> 00:23:30.130 Angeles. 377 00:23:30.460 --> 00:23:32.320 Rashmi Ramesh: Right. They were arrested in Los Angeles. 378 00:23:32.740 --> 00:23:34.900 Matthew Schwartz: Not a great move, if you're trying to avoid 379 00:23:34.900 --> 00:23:36.220 the FBI, I'd say. 380 00:23:36.000 --> 00:23:37.410 Rashmi Ramesh: They were 20-year-olds. 381 00:23:38.980 --> 00:23:40.390 Matthew Schwartz: Maybe they weren't thinking as straight as 382 00:23:40.390 --> 00:23:41.920 they should is what you are saying. 383 00:23:42.330 --> 00:23:42.960 Rashmi Ramesh: Sorry? 
384 00:23:43.680 --> 00:23:45.930 Matthew Schwartz: Maybe they weren't thinking this through 385 00:23:46.110 --> 00:23:48.570 criminality wise to the best of their ability. 386 00:23:48.870 --> 00:23:49.680 Rashmi Ramesh: Probably. 387 00:23:50.100 --> 00:23:51.810 Tom Field: And none of us has our Frosties. 388 00:23:54.660 --> 00:23:57.660 Anna Delaney: Well, thank you, Rashmi. That was great. Well, as 389 00:23:57.660 --> 00:24:02.070 it's award season, you may have noticed, Anna Oscars style, but 390 00:24:02.070 --> 00:24:05.340 without the slaps. If you could give an award to someone, who 391 00:24:05.340 --> 00:24:07.590 would it be? And for what? 392 00:24:10.990 --> 00:24:13.180 Matthew Schwartz: I know who I would give an award to. 393 00:24:13.650 --> 00:24:14.190 Anna Delaney: Go on. 394 00:24:14.600 --> 00:24:17.720 Matthew Schwartz: All right, I'll go first. Jen Easterly, the 395 00:24:17.720 --> 00:24:20.900 head of the Cybersecurity Infrastructure and Security 396 00:24:20.900 --> 00:24:26.330 Agency. I think I got that right, CISA, for short. She's 397 00:24:26.330 --> 00:24:31.400 done a magnificent job of marshaling cybersecurity 398 00:24:31.400 --> 00:24:35.840 awareness. She's been in tons of hearings on Capitol Hill I've 399 00:24:35.840 --> 00:24:39.470 seen. She follows in the footsteps of Chris Krebs, who 400 00:24:39.470 --> 00:24:46.700 was famously and obviously fired for having said that the most 401 00:24:46.700 --> 00:24:50.450 recent election was, I think, the most secure in history that 402 00:24:50.450 --> 00:24:54.800 we know about, or something to that effect, and which the 403 00:24:54.830 --> 00:24:58.550 previous occupier of the highest office in the country didn't 404 00:24:58.550 --> 00:25:02.030 like that and outlined Krebs. So Jen Easterly has come in. And I 405 00:25:02.030 --> 00:25:05.960 think again, she's just done a great job. 
Steady hand on the 406 00:25:05.960 --> 00:25:10.850 tiller, extremely knowledgeable and big presence, like I said, 407 00:25:10.850 --> 00:25:13.370 not only in Congress, but on social media. Lots of 408 00:25:13.370 --> 00:25:17.120 communications, she says has a key role, obviously, in helping 409 00:25:17.120 --> 00:25:19.670 with business resiliency, especially with the 410 00:25:19.670 --> 00:25:21.290 Russia-Ukraine war. 411 00:25:21.600 --> 00:25:23.820 Tom Field: I'm going to second that. I think Jen Easterly has 412 00:25:23.820 --> 00:25:27.990 been the most outstanding performer when it comes to 413 00:25:27.990 --> 00:25:31.890 cybersecurity on the national scale. She has been, as Matt 414 00:25:31.890 --> 00:25:35.490 says, out front with Congress, with the public, on social 415 00:25:35.490 --> 00:25:38.880 media. She's made cybersecurity accessible. She made it cool. 416 00:25:39.180 --> 00:25:42.900 She's doing a terrific job. And if I were to have a Supporting 417 00:25:42.900 --> 00:25:46.020 Actor nomination, it will be President Biden. I think, as a 418 00:25:46.020 --> 00:25:49.050 world leader, he's done a terrific job making this a part 419 00:25:49.050 --> 00:25:54.990 of the national agenda and keeping the constituency aware 420 00:25:55.050 --> 00:25:58.230 of what's happening in the world and taking charge by issuing 421 00:25:58.230 --> 00:26:01.890 executive orders as he has and will continue to. So, great 422 00:26:01.890 --> 00:26:02.340 choice. 423 00:26:03.150 --> 00:26:04.500 Anna Delaney: Very good choices. Rashmi? 424 00:26:05.380 --> 00:26:07.870 Rashmi Ramesh: Yeah, I mean, I would absolutely second what 425 00:26:07.930 --> 00:26:11.920 Matt and Tom said, but because we don't pick the same people, 426 00:26:11.980 --> 00:26:16.030 I'm going to pick someone who's closer to my area of interest, 427 00:26:16.030 --> 00:26:23.170 which is blockchain. 
Actually I'll tell you a little bit about 428 00:26:23.170 --> 00:26:26.680 him before I tell you who he is. So he's worked at the banks, 429 00:26:26.680 --> 00:26:30.940 he's worked for the government, in Treasury, in Justice, and now 430 00:26:30.940 --> 00:26:33.190 he helps companies with blockchain intelligence. 431 00:26:36.670 --> 00:26:37.450 Tom Field: Sounds familiar. 432 00:26:38.740 --> 00:26:42.340 Rashmi Ramesh: It's not who you think it is. His area of 433 00:26:42.340 --> 00:26:45.910 expertise is anti-money laundering, counter-terrorist 434 00:26:45.910 --> 00:26:50.080 financing, global economic sanctions, illicit finance, all 435 00:26:50.080 --> 00:26:54.220 of it focused on digital assets. So I know what you're all 436 00:26:54.220 --> 00:26:57.820 thinking. I also know what Tom is thinking. But it's not him, 437 00:26:57.850 --> 00:27:01.960 although he's really close competition. So my award would 438 00:27:01.960 --> 00:27:07.120 go to Michael Fasanello. He was the researcher I was talking 439 00:27:07.120 --> 00:27:11.260 about earlier in the NFT case. So he was the first investigator 440 00:27:11.260 --> 00:27:15.370 in the rug pull scam. He is now Chief Compliance Officer at a 441 00:27:15.370 --> 00:27:19.150 local FinTech firm and has also worked with a company that 442 00:27:19.330 --> 00:27:23.080 offers really excellent blockchain analysis called the 443 00:27:23.080 --> 00:27:26.920 Blockchain Intelligence Group. So yeah, my award goes to him. 444 00:27:27.760 --> 00:27:29.890 Anna Delaney: Well, I've enjoyed this award ceremony. Thank you 445 00:27:29.890 --> 00:27:32.680 very much. In the interest of time, we've got to stop now. But 446 00:27:32.770 --> 00:27:35.800 thank you very much, all of you. And thank you so much for 447 00:27:35.800 --> 00:27:36.280 watching.