Last Month in Security 005: Shady Ethics and Ransomware Targeting Chokepoints
In this edition of the Halcyon video/podcast series Last Month in Security, host Anthony M. Freed and panelists Ben Carr and Ryan Golden are joined by Richard Greenberg, CISSP, President of ISSA-LA and current candidate for the ISSA Board of Directors.
The other week, the UK had its own Change Healthcare-level attack: medical procedures were canceled at multiple London hospitals for weeks on end, and a critical incident was declared, following a ransomware operation that disrupted pathology services provider Synnovis.
CDK Global also fell prey to a ransomware attack that caused massive disruption in the US auto sales market, impacting hundreds of dealers to the tune of tens of millions in lost sales.
Point: The Change Healthcare attack revealed a financial chokepoint in the US healthcare system that impacted hundreds of providers and their patients, while the Synnovis attack similarly disrupted care at dozens of hospitals in the UK, and the CDK attack demonstrated how attacks on SaaS providers can similarly be a chokepoint.
Are we starting to see attackers consciously targeting these chokepoints? If not planned, are they taking notes for future targeting where, much like in supply chain attacks, compromising one victim compromises many?
And of course, we all agree that it’s never a good idea to pile on after an attack by blaming the victims, but sometimes it’s like, “come on?”
Last year CISA alerted nearly 2,000 organizations about vulnerabilities that could be exploited in ransomware attacks, yet only about half took any action on the alerts.
We already know that ransomware operators are adept at taking advantage of unpatched vulnerabilities and misconfigurations and are automating these aspects of their attack progressions – so why is patching not a priority?
There are only two reasons for an organization having failed to patch in a timely manner: they could patch but didn’t, or they wanted to patch but couldn’t. How much blame should we put on victim orgs if they are not doing all they can to help themselves?
Last but not least, we dive into the exposure of what is being referred to as the “Gili Ra’anan Model,” where CyberStarts, an Israeli venture capital firm, ran a CISO rewards program in which CISOs could “earn points” worth tens of thousands of dollars for “recommending and purchasing” vendors that happen to be in the CyberStarts portfolio of companies.
While there is nothing wrong with a CISO benefiting monetarily for lending their time and expertise to the evaluation of vendor offerings, the program gave the appearance of financially incentivizing CISOs to choose products that would earn them cash rather than products that would better protect their organizations.
For reference, the CyberStarts portfolio has 22 companies whose combined value is $35 billion, five of these companies are unicorns (including Wiz, which was reportedly in talks to be acquired by Google for $23 billion), and the portfolio companies have raised $1.8 billion in recent months.
Principal investor Gili Ra'anan, for whom the “model” is named, showed an internal rate of return of more than 100%, which is a very unusual figure even for the best funds in the world.
So how much did this program influence the valuations, funding raises, stock prices, and subsequent acquisition of these portfolio companies? Are programs like this ethical, or can they be run in a more ethical manner?
The guys dig in...
About Our Guest:
Richard Greenberg, CISSP, President of ISSA-LA, is a well-known Cyber Security Leader and Evangelist, CISO, Advisor, and speaker with over 30 years of management experience. Richard has been a CISO, Director of Surveillance and Information Systems, Chief of Security Operations, Director of IT, and Project Manager for various companies and agencies in the private and public sectors.
Richard has been inducted into the Information Systems Security Association (ISSA) Hall of Fame, is a Distinguished Fellow, and has received their Honor Roll designation. He has also been selected as a finalist for both the (ISC)2 Americas Information Security Leadership Award in the Senior Information Security Professional category and the Los Angeles Business Journal CIO of the Year in Security.
Richard is one of just ten candidates for the ISSA Board of Directors, and if you have not heard Richard’s interview on Will Ferrell’s Ron Burgundy Podcast, you should definitely check it out!
Your Hosts:
Anthony M. Freed, Halcyon Director of Research and Communications: Freed is a strategic communications leader, award-winning writer, publisher and podcast producer who was previously a freelance security journalist leading headline-making investigations that included the Symantec NAV source code leak, the mass compromise of US government agency account credentials, the denial-of-service attack that took down WikiLeaks, and more. Freed is also the principal researcher who produces the quarterly Halcyon report Power Rankings: Ransomware Malicious Quartile - Inside Data Extortion Attacks.
Ben Carr, Halcyon Advisory CISO: Carr is a Security & Risk Executive and recognized thought leader with more than 25 years of results-driven experience in developing and executing security strategies. Carr has served in global leadership roles at advanced technology, high risk, and rapid growth companies such as Ericsson (Cradlepoint), Qualys, Aristocrat, Tenable, Visa and Nokia. Ben has served as a member of the Board of Directors for organizations such as IT-ISAC and NTXPKUA. He is an advisor for Noname Security and Syn Ventures and has previously served on advisory boards for Living Security, TruStar, Mimecast, Qualys, and Accuvant.
Ryan Golden, Halcyon Chief Marketing Officer: Golden has a strong background in marketing and leadership roles across the security industry and vast experience in building successful brands, as demonstrated by his role as VP of Design & Creative at Cylance, Inc., where he led the disruptive Cylance brand from pre-revenue to a $1.4B acquisition by BlackBerry. Golden is a technical CMO with deep experience in defending organizations against ransomware operations and other advanced attack scenarios, and also served as the Vice President of Marketing at ShiftLeft, Inc.
Halcyon.ai is the leading anti-ransomware company. Global 2000 companies rely on the Halcyon platform to defeat ransomware with minimal business disruption through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration and extortion prevention. Talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS (Ransomware as a Service) and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile, and maintains the Recent Ransomware Attacks resource site.