The Cyber Why: What We Read This Week...
... and why you should too! (6/14/24)
It finally happened. We missed a week! I was off galavanting around Las Vegas, playing in one of the largest poker tournaments in history, and didn’t have the time to write last week’s newsletter. The scary thing is… NOBODY COMPLAINED! The only thing worse than getting yelled at for missing a week of content is NOT getting yelled at. Come on people.. show us some love!
This week in The Cyber Why, we cover the Snowflake breach that wasn’t, $1B is the new number to IPO, Fortinets acquisition and 0day failures, the Gili Ra’anan Model, and toilet stall harassment. All this and more in this week’s TCW.
Does your email security solution fit your alert budget?
Relying on built-in controls or traditional blockers will inevitably lead to more noise than your incident response team can handle.
Material Security takes a pragmatic approach to email security – stopping new flavors of phishing and pretexting attacks before reaching the user’s mailbox, while searching through everyone else’s mailbox for similar messages in a campaign. What gets surfaced to your team are the highest-value cases to investigate with all the context and reach consolidated into a single view.
Remediations are a breeze with Material – try it out for yourself at material.security.
Snowflake or User Error - Who is at Fault?
Who's responsible in the Snowflake breaches? (Frankly Speaking)
Hundreds of Snowflake customer passwords found online are linked to info-stealing malware (TechCrunch)
Mandiant says hackers stole a 'significant volume of data' from Snowflake customers (TechCrunch)
We talked about this two weeks ago in The Cyber Why, but I want to bring it up again through a different lens. As the news story broke, most articles pointed out that Snowflake had been hacked. What actually happened is quite different than what was originally portrayed in the media. The attack was really a compromise of Snowflake credentials by attackers who had planted info-stealing malware across the computers of employees who have access to their employer’s Snowflake environment. This was a targeted attack against Snowflake using compromised credentials and nothing more. The question left open here is, “Who is at fault?”
Many in the security community believe that both the compromised customers and Snowflake should share the blame for these massive breaches. Snowflake did not require multifactor authentication by default, leaving the end user to configure the instances securely, and the data administrators didn’t properly secure the environment when they deployed the technology. MFA was an option, but it just wasn’t enabled by default. This sounds to me like a case of buyer beware. If you don’t properly lock your front door, is your home's builder responsible when you get robbed? I don’t think so.
This isn’t a cut-and-dry answer. I’d love to hear your comments on the topic below.
Billion Dollar Bollucks - $1B ARR or BUST!
Billions: The New Significance of Billion-Dollar Scale in Cybersecurity (Strategy of Security)
In this article, Strategy of Security author Cole Gromlus identifies a very interesting set of data. Cybersecurity companies aren’t ready to IPO until they are at $1B in ARR or have a very clear path to $1B in ARR via massive growth rates on nine-figure revenue numbers. This is a really interesting piece because the author just doesn’t look at what it takes to execute a cyber IPO in today’s market. Instead, he breaks it down by revenue, valuation, financing requirements, and potential acquisition opportunities that will occur along the way. It’s an interesting expose on modern software company valuations and what it takes to succeed at this level. It’s such an insane thought to me that a company at $250M in ARR and 20% growth wouldn’t be successful in the public markets, while a $250M ARR company with 50% growth and a five-year path to $1B would flourish. The markets reward growth way more than being a healthy business, and if that means getting way out over your skis along the way, so be it. If you don’t crash and burn along the way (Laceworks), good luck sticking the landing.
FortiVulnerable? Fortinet Makes Headlines For Vulnerabilities (Again)
China's FortiGate attacks more extensive than first thought (The Register)
China state hackers infected 20,000 Fortinet VPNs, Dutch spy service says (Ars Technica)
Ongoing state cyber espionage campaign via vulnerable edge devices (Dutch NCSC)
(Rick Pick) Fortinet grabbed headlines this week with their acquisition of cloud security provider Lacework, but that's not their biggest story. Once again, they're in the spotlight for zero-day vulnerabilities. This time, it's CVE-2022-42475, a buffer overflow vulnerability in their SSL VPN. Dutch government agencies first reported this issue in February and just released new details. They revealed that Chinese actors accessed at least 20,000 FortiGate systems worldwide in 2022 and 2023, targeting dozens of Western governments, international organizations, and many companies in the defense industry. No bueno.
I don't know about Fortinet's product security program and the efforts it makes to minimize vulnerabilities, but this is all too common now. To be fair, threat actors of all types target edge devices, but vendors know this and should go to great lengths to push out secure code. At some point, buyers will hold vendors accountable and look at alternatives. If you are a bug bounty researcher, sadly, "Fortinet does not operate a bug bounty program." Fortunately for Fortinet, ripping and replacing big iron network gear is no small feat.
The Gili Ra’anan Model
The Gili Ra’anan model: Questions emerging from Cyberstarts' remarkable success (CTech by Calcalist)
Oh boy, this article is spicy. Rumors like this have been passed around for years, and nobody has been willing to go on record publicly and tell the story. That ended yesterday…
Calcalist, sometimes referred to as a bit of a hit piece publication, has set its sights on Cyberstarts and its founder Gili Ra’anan. They didn’t pull punches, instead making accusations of abuse of conflicts of interest, directly calling out Cyberstarts business model and several CISOs for potentially shady activities. In the article, the author claims that the Cyberstarts model incentivizes enterprise CISOs to purchase products from portfolio companies. Names are named, including specific CISOs who may have purchased multiple Cyberstarts-backed company products, deploying them in major enterprises regardless of their effectiveness, need, or costs. Below is one of the most damning quotes from the article:
"I recruited a new CISO for a financial organization that I managed out of a desire to refresh the cyber defense system. I gave him a free hand because I trusted him and I see this position as a position of trust. Six months later, I noticed that, surprisingly, almost all of the new logos that the CISO introduced were portfolio companies of Cyberstarts," describes a former senior executive at a large financial institution in the U.S.
"It's not that these were necessarily bad solutions, but that some of them were a very low priority for us or solved problems that were not particularly urgent. After I confronted the CISO on the subject, he admitted that he is on the list of advisers of Cyberstarts and receives a percentage of the funds from them. Shortly after this, he left the company and immediately upon the appointment of a new CISO, I asked him to inform me if he was contacted by Cyberstarts. Within a few weeks, he had already received an email from them with a description of their kind of 'loyalty program' that details exactly what he will receive the more he works with the fund." The letter, signed by Ra'anan himself and coming from his email box, also contains a sentence that refers to the amount of future compensation: "It is difficult to predict the performance of the fund, but according to our forecast, the points you have accumulated so far are valued at X dollars. You can expect additional allocations in these funds in the coming years and in the new funds we will raise later."
NOTE: I am not accusing anyone of anything or taking sides myself. I’m simply reporting the story. Do your own analysis and come to your own conclusions.
Poo-Timers and Bathroom Harassment
For our story #5 this week, we bring you the most often heard series of words in every married male human’s life: “Are you STILL IN THERE!” In what can only be described as a shitty user experience, a popular tourist attraction in China has added stall timers to its public bathrooms. Essentially, the longer you sit in the stall, the higher your timer goes letting people know how long it takes you to do your business (or play one more game of Candy Crush). I, for one, think this is ridiculous. The last thing I need is someone telling me to get off the can while I’m on vacation to see a bunch of statues and caves in China. I get enough of that kind of harassment at home!
Quick Hits and Hidden Gems
Some notes on influencering (Lcamtuf’s thing) - This one struck a chord. I’ve been a fan of Lcamtuf for a while now, and it’s great to hear I’m going through the same things he does.
A PR disaster: Microsoft has lost trust with its users, and Windows Recall is the straw that broke the camel's back (Windows Central) - If Apple had launched “Recall” would it have had a positive reception? I’m guessing the answer is YES!
TCP #49: Product News & Recall Dumpster Fire (Cybersecurity Pulse) - Darwin is a super smart dude. More thoughts on Recall (see above)
Cybersecurity is not a market for lemons. It is a market for silver bullets. (Venture In Security) - There HAS to be a better way. I can’t believe we haven’t figured out a better way to measure security efficacy.
If you’ve made it this far, you either found our musings at least semi-entertaining, OR you enjoyed the pain and kept going regardless. No matter how you made it to this point, you should know that we appreciate you. Please do us a solid and share The Cyber Why with your friends. We would love to reach a bigger audience, and referrals are how we do it. Help us out, and we’ll see you next week!