The Cyber Why: What We Read This Week...
... and why you should too! (4/12/24)
It’s a beautiful spring day here, and I admit I’m as happy as a dog in the sun. This week, we have an incredible slate of technology and security stories for your consumption. The breaches and vulns keep rolling in, with Sisense, PANW, and LastPass all making the content cut. We also discuss the impact of CAC and churn on SaaS business models and the meaningfulness (or not) of cyber catastrophes. Last but not least, we delve into modern money laundering and the efficacy of a public and private relationship to fix NVD. Don’t forget to check out The Cyber Why Podcast and see the TCW team in living color! Have a great weekend!
Featured Sponsor - Traceable.AI
API Masterclass Episode 4 is LAUNCHED!
Do you love the idea of robbing a bank? Good news, you can, totally ethically. Join Traceable for the next live API Security Masterclass. We’ll cover an introduction to APIs, what kinds of vulnerabilities exist, how to find them, and how to test your own APIs. Whether you’re on the blue team and trying to understand threats, a hacker new to APIs, or a developer trying to better understand how your code can go wrong, these live classes will tell you everything you need to know. And don’t leave it on in the background, these are interactive sessions so you can get the most out of it! Join Episode 4 or go back to Episode 1 to get caught up!
Sisense Breach Fallout Will Be BIG!
Why CISA is Warning CISOs About a Breach at Sisense (Krebs on Security)
Matt Johansen Writeup on Sisense breach (Vulnerable U)
Sisense breach has CISA and everyone else panicking (Risky Biz News)
This one is going to be a big one. Krebs and others have done some detailed research on the massive security breach at Sisense. I didn’t know what Sisense was until I read about this breach, and once I understood what the company does, the importance of the issue jumped. Sisense is a product and application business intelligence platform that allows you to make smarter decisions based on real data from your products. The attackers discovered cloud tokens, allowing them to access Sisense customer data, which included “millions of access tokens, email account passwords, and even SSL certificates.” The result is a massive compromise that may spread to the downstream systems and applications of over 1000 customers. In short, this is a big one! It’s so big, in fact, that CISA themselves have begun reaching out to potentially compromised companies to facilitate cleanup and lower the risk of additional fallout.
If you use Sisense or have any upstream or downstream vendors that use Sisense, please ensure you read these details and respond as quickly as possible. You are at risk.
How Churn Destroys SaaS Models - OUCH!
Is SaaS Math Broken (OnlyCFOs)
The Margin Crush is Coming in 2024 (The Cyber Why)
As an adjunct professor at a major business school (Go Heels!), I stay very connected with business economics. This particular article is relevant not only for general SaaS behavioral knowledge but is specifically important for cybersecurity founders and investors to understand. As your customer acquisition costs (CAC) increase and your time to pay back those costs after you land a customer (CAC payback) gets longer, the unit economics of SaaS businesses break down. Add to that, the most frequent issue I’m seeing in cyber SaaS companies today - a massive increase in churn - and you have a recipe for disaster. In the next five years, AI will decrease the amount of time it takes to build newer, updated technologies, increasing churn and lengthening CAC Payback times for cyber SaaS solutions. This raises the real question: “What happens next?” If SaaS margins go down, churn goes up, and CAC Payback gets out of control, will there be enough efficiency gains in traditional SaaS business models to offset those impacts? Time will tell… in the meantime, go read this article and nerd out on metrics for a bit.
Is A Private + Public NVD a Good Idea?
NIST Proposes Public-Private Group to Help with NVD Backlog (Security Boulevard)
As we previously discussed in The Cyber Why, the National Institute of Standards and Technology (NIST) is facing severe challenges with its National Vulnerability Database (NVD), as budget cuts and a surge in reported software vulnerabilities leave it unable to keep up. Instead of adequately funding the problem, NIST is now proposing the creation of a public-private consortium to help tackle the backlog. This consortium would include stakeholders from industry, government, and other sectors to collaborate on improving the NVD's efficiency and coverage.
The situation at NIST and the NVD backlog is at a critical juncture. The NVD is an essential tool that informs threat intelligence and vulnerability management, helping to prioritize and mitigate potential threats. With the backlog growing, timely and reliable data becomes scarce, potentially exposing systems to unaddressed vulnerabilities. What concerns me most are the potentially perverse incentives if a joint NIST and private sector effort were to happen. The private sector will always attempt to make a profit and bias the work effort to help them do so. Because of this, the results may not serve the security of the world as broadly as they should. Instead, they may benefit a few companies that can successfully leverage a return on time and resource investment. I’ll be watching this one closely.
Are Cyber Catastrophes Meaningful?
Debunking NotPetya’s cyber catastrophe myth (Binding Hook)
What if the risk of a massive cyber attack or worm really wasn’t that massive? The author of this article draws comparisons of the most significant cyber catastrophes of all time against natural disasters and other massive financially impacting black swan incidents. I’m not 100% convinced of his logic as he attempts to normalize the dollar impacts of attacks, including NotPetya, The Morris Worm, SoBig, MyDoom, and others, against wars, famine, hurricanes, and other naturally occurring disasters.
I’m not sure what the analysis's benefit is other than to tell cybersecurity people not to take themselves so seriously. In the grand scheme of things, a massive cyber attack that impacts the majority of the world isn’t going to be important twenty years from now. The author says, “It’s just not big enough to matter.” As technology continues to embed itself into the day-to-day lives of society, the impact of disruption and attack will continue to increase in significance. When an attack takes down a hospital that impacts the life of a loved one, it’s going to matter to you, too! Let’s take this one to the notes section - I’d love to hear what you think of the author’s conclusions!
Money Laundering in the Modern Age
How a Money Laundering Crew Allegedly Moved Millions Through FanDuel (404 Media)
It's not quite a “story #5”, but it's still an interesting departure from the standard attacks and defenses type of content. This article, while a little bit short on technical details and rightfully so, digs into a modern money laundering scheme using the latest online sports betting apps such as DraftKings and FanDuel. It’s a long-known fact that nefarious activities happen around casinos, and money laundering is one of them. Now that those casinos are prolific throughout the United States and online, I’m certain that we will see continued growth in these types of fraud-based attacks. Hackers go where the money is, and right now, the money is in and around the online betting systems. Give this one a read, and if you want to bet on these attacks' growth, hit me with a comment below <GRIN>.
Quick Hits and Hidden Gems
The $100 cybersecurity budget – how cyber pros would spend it (CyberNews) - Might as well be $0, but the thought experiment is an exciting idea.
The Security Path - New Book Announcement - I was interviewed by two great authors and participated in this fun, new book detailing how successful cyber notables got to where they are today. Use code “thecyberwhy” for a 40% discount when purchasing!
OpenAI transcribed over a million hours of YouTube videos to train GPT-4 (The Verge) - We all knew they did it, but what does it mean to fair use and copyright legal precedent? Time will tell.
LastPass: Hackers targeted employee in failed deepfake CEO call (Bleeping Computer) - We knew this was coming. Eventually, attackers will stop using weird comms channels, and this attack class will work like a charm.
CVE-2024-3400 PAN-OS: OS Command Injection Vulnerability in GlobalProtect Gateway (Palo Alto Networks) - A critical OS command injection vulnerability in the GlobalProtect Gateway of Palo Alto Networks PAN-OS software for specific versions. Patches coming soon!
If you’ve made it this far, you either found our musings at least semi-entertaining, OR you enjoyed the pain and kept going regardless. No matter how you made it to this point, you should know that we appreciate you. Please do us a solid and share The Cyber Why with your friends. We would love to reach a bigger audience, and referrals are how we do it. Help us out, and we’ll see you next week!
“I’m not sure what the analysis's benefit is other than to tell cybersecurity people not to take themselves so seriously.”
I agree. I guess as the author has an insurance background, he has a very specific perspective on things. Aside from economic damage (and I do not have enough insights on how those are estimated and whether everything is included that I can think of) there is also personal damage to consider.
I believe that we haven’t seen the big one yet, but I also believe that the real danger lies in hybrid attacks. So I am not sure how they will be counted.
The problem with the NotPetya insurance piece is that it comes across as a strawman argument. He could have ended the piece with the following statement.
“That may seem monumental—and by cyberattack standards it is—but as catastrophes go, that’s a pretty small price tag.”
Okay, fine, who is arguing that?
And that’s what’s missing. There ARE folks saying that cyber has the most damages ($10 Trillion by 2025 or some BS like that) and is the most important threat to businesses. That’s the setup and context missing from this article, in my opinion.