
CISA Breach


Matt Loria  0:07

So hi, I’m Matt Loria with Auxiom. And I’m here with Earl Duby, our Chief Information Security Officer, in our first vlog, or video blog, to talk about CISA being hacked recently.

Earl Duby  0:22

That’s pretty interesting, isn’t it? The government agency that is supposed to be leading the way for the United States in terms of, you know, how to protect ourselves and how to do cybersecurity gets hacked. But honestly, we shouldn’t be surprised by that. I mean, if you’re the one that’s out there, and if you are the US agency that is talking about that, you’re actually the global agency that’s talking about that. Because typically, the rest of the world follows what the US government is doing in terms of cybersecurity and standards. That’s why NIST is so important, because this is a pretty global agency as well. So obviously, they’re gonna have a big bullseye on their back. So I’m not at all surprised that this did happen.

Matt Loria  1:07

Yeah, I was actually just reading that one of the directors, his own personal Twitter, you know, now known as X, was hacked. So yeah, this top cybersecurity diplomat named Fick said last year his personal account on social media platform X was hacked. He called it a peril of the job, which, you know, makes sense, because you’re right. If you’re in the business, you’re gonna have a target on it.

Earl Duby  1:31

But yeah, the unfortunate side effect of this type of exposure is that it kind of lends credence to what a lot of people say, like, if I just stay, you know, if I keep a low profile, no one will ever find me. You know, it kind of reinforces that security-by-obscurity mindset that a lot of companies have, sure, that I’m just not going to, you know, have a big presence on the internet, and then I don’t have to worry about getting hacked. But I think that’s the wrong message to take out of an incident like this. I think the right message to take out of this is everybody is vulnerable, everyone is susceptible to cybercrime, even the largest cybersecurity agency that the US government has. So, you know, hopefully when, you know, a lot of these small and mid-sized companies look at an article or a news posting like this, they don’t get the mistaken belief that, hey, as long as I stay off of the social media or whatever, I’ll be okay. Because it’s not the case. Right?

Matt Loria  2:33

Right. Or, you were telling me the other day when we were chatting about this, that the vulnerability that was actually exploited was something that’s kind of been in the news in previous years.

Earl Duby  2:48

Yeah, yeah, for sure, the platform has been in the news for years, at least three years that I can think of. So the way that these attackers got into CISA was through a VPN connection. So VPNs are technology that we use to have a secure connection between the internet, which is an insecure zone, and your internal network, which is a secure zone. And so in order to cross that boundary, you gotta have a VPN, which kind of encrypts traffic and protects the inside from the outside. So CISA was using a VPN technology by a company called Ivanti. And Ivanti has been in the news for all the wrong reasons for several years now. And so I was a little bit surprised when I read that article and got deeper into it, that the way that the adversary got in there is through an Ivanti VPN, because I would have thought that CISA would have taken those out by now and replaced them with a more secure platform. So, you know, it just kind of goes back to one of the things we talked about, which was just how important vulnerability management is. You know, it’s really the foundation of all security, vulnerability management.

Matt Loria  4:04

And for anybody who’s watching this that doesn’t know what vulnerability management is, can you bring it down to layman’s terms?

Earl Duby  4:14

Yeah, to put it in real simple terms. You know, you think about your house. You know, so you leave your house and you go away for the weekend. You know, you want to know that your house is secure while you’re gone. So, you know, before you leave, you walk around your house and you say, hey, are all my windows locked? Doors locked? Is the patio door locked? Is the gate, you know, to the alley on my fence, is that locked up? You know, so it’s really just walking around and making sure that, you know, everything that is supposed to be, you know, in order is in order before, you know, before you leave. Because, you know, obviously if an adversary wants to get into your house, you know, they’re not going to take a hatchet and chop a hole through your wall. You know, they’re gonna try to find an open door or an open window, and they’ll come in that way. Or if you have a really weak lock on your door, they’ll just, you know, pry your door open with a crowbar or something. So vulnerability management is just making sure that your locks are as strong as they need to be, your windows are closed and locked up, your basement is locked, you know. So it’s really just understanding your environment and making sure that there’s no avenue for someone to just easily get into your house.

Matt Loria  5:34

It’s almost just like simple housekeeping, right? And we had talked about it, that, you know, vulnerability management is something that’s done on an ongoing basis. You had told me to look into it monthly, right? To do a monthly check would be reasonable for most organizations.

Earl Duby  5:51

Yeah, ’cause the way that this plays out in an organizational setting, you have something called a vulnerability management tool. And it basically just scans your network, looking for flaws in software, looking for operating systems that need to be patched or upgraded; it looks for computers that are old and need to be replaced or updated, things like that. So you’re scanning your whole network looking for those weaknesses. And you don’t want to do that just, like, once a year, because vulnerabilities pop up all the time. Like every day in the news, there’s a new vulnerability that’s been, you know, shown in the news. And so these things are constantly being, you know, revealed or whatever. And so you got to make sure that your tool, your vulnerability management tool, is getting those updates. But you also don’t want to scan every day, because that’s just a lot of traffic that you’re putting on your network. And, honestly, no one can actually react to the findings that quick. So if you do it once a month, you’re getting the latest updates in there, or pretty much the latest updates, you are scanning your network looking for those weaknesses, but then you have time to fix them. Because it’s not just about finding the vulnerabilities, it’s about actually fixing the vulnerabilities. So if you find that your front door is unlocked, you don’t just say, like, oh, my front door is unlocked, and then kind of go on with your business; you actually got to lock your front door. So when you find that you have, you know, operating systems that, you know, say you have Windows machines and 15 of them need to be patched, you actually got to take the time to go patch those, you know, operating systems. And so that’s what that month allows you to do: find your vulnerabilities, and it gives you time to remediate the vulnerabilities. And then you run it the next month. And hopefully you see a lot of those old vulnerabilities falling off, because you fixed them. And then now you’re finding the new ones that have been updated in the database. Because these vulnerability management tools, they have a huge database. And they’re getting constantly fed with the latest vulnerability information from all the different software providers. So as they find vulnerabilities in their own code, through self-testing and bug bounty programs, they’re updating that information; it goes into the vulnerability management tool, and that’s what you’re scanning your network with. So you got to have a little time in there to process the vulnerabilities that you find and then prepare for the next set of scans.

Matt Loria  8:30

So when we go into an organization and run the scan for the first time, it’s typically a whole lot of stuff. And then month after month after month, it starts to whittle down because you’ve addressed those, and you’re maybe only finding, you know, of the 20 doors, only one of them is unlocked, or maybe only one of them has a weak lock that needs to be remedied.

Earl Duby  8:52

Exactly. And what you’ll find is, you know, your son ran out the door and didn’t lock it when he left. So it’s finding the things that aren’t just historical, but you’re also finding things that are just happening, you know, and that’s why it has to be continuous vulnerability scanning, as opposed to just doing it once a year. I hear that every once in a while, it’s like, oh, we only have to do this once a year. I’m like, no, you can’t do it once a year, because you might have a vulnerability sitting out there for 360 days. Sure. And that’s a lot of exposure to have if you’re in a crime-ridden neighborhood like the internet, right?

Matt Loria  9:29

It’s funny, you got me thinking about my own garage, right? I’ve got two garage doors, you know, car doors, and then I’ve got one man door on the side. And usually there’s a bunch of stuff in front of that door. I have no idea if that door is locked or not. You know, and so, you know, just even thinking about that in household terms is like, what do I have to do in my own home? Right, usually the front door thing, the example you gave about your son leaving it open. Mine wouldn’t just leave it unlocked. He’d leave it wide open, so I can usually tell. Yeah, the ability that I have when we leave the house.

Earl Duby  10:05

Yeah, and this is, you know, this is why it’s really important, you know, when we do risk assessments, because we do a lot of risk assessments for these companies that we work with. And, you know, one of the first things we look for is, like, how are you identifying your vulnerabilities? How are you doing that scanning? Who’s looking at the reports of the scan? Because again, it’s not good enough to just have a tool and run a scan; it’s the actual follow-up that gets you the value. You know, and so it’s really looking at your organization, figuring out how you have integrated vulnerability management into your overall security or risk management process. Yeah, I think I overlooked that piece.

Matt Loria  10:48

Yeah. You know, I think in IT, it’s kind of funny, have you ever had a, you know, a contractor over at your house, and as soon as he looks at the work from the previous person, he says, oh, what fool was in here who could have done this? And, you know, and sometimes it’s us as the homeowner who did that. So he’s right. But, you know, oftentimes, it’s like, we had a qualified person in there doing it, who had a set of, you know, a bit of information that we gave them that made them do the work the way that they did it. And, you know, right or wrong, maybe it’s just a varying of opinion. I feel like in IT, a lot of the challenge is that, you know, everybody’s got their own kind of methodology of things. And so what do you think could have happened in, you know, in a situation like this, where, you know, it’s a government organization? You know, wouldn’t somebody have come along and said, hey, you know, I’m not sure who the guy was who was here last year, but look at what’s going on? Right?

Earl Duby  11:50

I think a lot of it is priorities, you know, and you don’t really know what’s going on inside of an organization in terms of, you know, how much staff they have, how much time the staff members have, you know, because everything is about priorities. And it reminds me of, you know, going back to the house analogy, so when I bought my very first house, I had no idea what I was doing. You hire the home inspector to come in and say, you know, look at this house and tell me if it’s worth the price they’re asking for it. So I hired this guy out of the phonebook, had no idea who he was. And he shows up, and he starts going around this house, and he says, oh, this isn’t to code. This isn’t to code. And he’s got this big long list of, you know, he’s checking outlets, and he’s checking wiring, and he’s checking all this stuff. And he’s just like, not code, not code, not code, not code. So after a while, I’m like, damn, this is a pretty long list this guy’s putting together. And I asked him, I said, so of all of this list, do I have to fix all this stuff? What is some stuff I can fix now and other stuff I can fix, you know, maybe in a year or two? And, you know, is there some way I should be kind of addressing this list? And he’s like, well, I can’t tell you that. I can only tell you what’s up to code, what’s not up to code. And I was like, man, I’m paying you like a fair amount of money to do this inspection for me. I would expect that you can tell me, like, things that I absolutely should fix, or things that mean I shouldn’t even buy this house because these things are present. And the guy wouldn’t do that. He was just like, so I actually kicked him out of the house. I didn’t even let him finish the inspection. I threw him out. I said, look, I need more than this. And so I hired another inspector and brought them into the house. And that guy was actually like, all right, this one you need to fix, like, really quickly. This one, you need to have the homeowner fix it before you buy this house. These things here, not to code, but not a big deal. So my point being, you can get this big long list of vulnerabilities. But unless you prioritize them, and kind of tackle them in a timely manner, something could last out there for years that might actually be a high-priority thing if you prioritized that wrong. So it’s possible that they looked at this Ivanti VPN situation and said, you know, we have these other controls in place. So we think that we have some time before we have to fix this VPN situation that we have. And maybe these other controls just weren’t as effective as they thought they were, or whatever. So that’s part of the challenge. And when you see an article like this, it’s like, oh, I can’t believe these fools didn’t, you know, address this Ivanti situation? It’s like, well, we don’t really know what was going on inside of that organization. Because hindsight always says, yeah, you obviously should have fixed that thing, see, it got exploited. But when you’re inside of that, running it, you might think you have other controls in place that are going to mitigate the adversary’s ability to get to that vulnerability that you have. So you’ve kind of got to give them a little bit of leeway on it. But on the other hand, anybody listening to this that has Ivanti VPNs really needs to think about replacing that technology, just because it’s had such a troubled history. You know, this isn’t just like the first time this flared up with these guys; there are multiple instances of Ivanti VPNs just not holding up their end of the bargain when it comes to securing an environment. So I think it’s time that people start moving on.

Matt Loria  15:45

Should we put a plug in for Palo Alto at this point in here?

Earl Duby  15:49

Well, I’ll tell you what, I worked at a previous company before going off on my own, and then ultimately coming here. We had Ivanti VPNs. And we replaced them with a combination. Another thing with VPNs, you’d like to have different risk profiles. So you don’t want to bring in your employees, your third parties, contractors, consultants, have them all pass through the same thing and then come out the other side with the same access rights. So we decided to take out the Ivanti firewall, or VPN, and replace it with a two-tiered solution. So we ended up going with Palo Altos for our employees. And then we used Cisco VPN for third parties and other people. That way, we could set up different kinds of penetration zones. So the employees came in, and they had a different set of access rights; and then third parties coming in had much more restricted access rights. And so we used technology to kind of drive those two different risk zones.

Matt Loria  16:56

Interesting. Interesting. All right. Well, thanks. We’ll be bringing our folks, any of our viewers, clients, prospective clients, just fans of Auxiom, more information like this in a timely fashion. And thank you, Earl Duby.

Earl Duby  17:14

Alright. Thanks.
