Episodes

  • Security Gets Serious Episode 007: Veteran CISO Mark Weatherford
    Dec 7 2024

    In this episode of Security Gets Serious, host Ben Carr sits down with Mark Weatherford, former Chief Information Security Officer (CISO) for both California and Colorado, as well as Deputy Undersecretary for Cybersecurity at the U.S. Department of Homeland Security.

    Mark and Ben dive into the complex roles and responsibilities of the Chief Information Security Officer (CISO), drawing on Mark's extensive experience in leading security teams at the highest levels of both state and federal government.

    Mark currently serves as the Vice President of Policy and Standards at Gretel, is the Founding Partner of Aspen Chartered Consulting, and holds positions on the Board of Directors and Advisory Boards of numerous leading and emerging cybersecurity and technology companies.

    With a career spanning both public and private sectors, Mark has held several high-profile executive roles in cybersecurity. His previous positions include Global Information Security Strategist at Booking Holdings, Chief Cybersecurity Strategist at vArmour, Principal at The Chertoff Group, Chief Security Officer at the North American Electric Reliability Corporation (NERC), and Chief Information Security Officer for the state of Colorado.

    In 2008, Mark was appointed by Governor Arnold Schwarzenegger as California's first Chief Information Security Officer. Three years later, the Obama Administration selected him to serve as Deputy Undersecretary for Cybersecurity at the U.S. Department of Homeland Security.

    A former naval officer with a deep background in cryptology, Mark was instrumental in advancing the U.S. Navy's cybersecurity capabilities. He served as the Director of Navy Computer Network Defense Operations, Director of the Navy Computer Incident Response Team (NAVCIRT), and was responsible for establishing the Navy's first operational red team, underscoring his commitment to strengthening cyber defense strategies.

    Your Host, Ben Carr, Halcyon Chief Security and Trust Officer: Carr is a Security & Risk Executive and recognized thought leader with more than 25 years of results-driven experience in developing and executing security strategies. Carr has served in global leadership roles at advanced-technology, high-risk, and rapid-growth companies such as Ericsson (Cradlepoint), Qualys, Aristocrat, Tenable, Visa and Nokia. Ben has served as a member of the Board of Directors for organizations such as IT-ISAC and NTXPKUA. He is an advisor for Noname Security and Syn Ventures and has previously served on Advisory Boards for Living Security, TruStar, Mimecast, Qualys, and Accuvant.

    1 hr and 13 mins
  • Last Month in Security Episode 007: Former DHS Undersecretary Mark Weatherford
    Dec 6 2024

    In this edition of the Halcyon video/podcast series Last Month in Security, host Anthony M. Freed and panelists Ben Carr and Ryan Golden are joined by Mark Weatherford, VP of Policy and Standards at Gretel, Founding Partner of Aspen Chartered Consulting, who was formerly Deputy Undersecretary for Cybersecurity at the U.S. Department of Homeland Security.

    We jump into the discussion with some recent news that the fallout from the 2023 MOVEit exploit campaign included the leak of thousands of companies’ exfiltrated records, including Amazon (2.8 million records), MetLife (585,000 records), and HSBC (280,000 records).
    It was previously reported that ransomware operator Cl0p had compromised an undetermined number of victims with the exploit, although it is unclear how well they were able to monetize the attacks.
    This comes on top of insurer Coalition releasing their 2024 Cyber Claims Report: Mid-Year Update, which found that while the frequency of ransomware attacks slightly decreased in early 2024, their severity intensified as claims rose significantly. The report noted a 140% increase among businesses with over $100 million in revenue, with ransomware attacks now driving 18% of all cybersecurity claims.

    Mark provides some keen insights into what this means for the relative maturity curve of the ransomware economy, how much more growth we can expect given the success of the RaaS model in enabling less skillful attackers, and whether the US government’s response, largely limited to issuing guidelines and frameworks, is adequate.

    We then take a look at mass data exfiltration events that are now a part of nearly every ransomware attack, such as the National Public Data attack that exposed 2.7 billion records and the Change Healthcare (UHG) attack that exposed the private data of 100 million people, and how potential legal and regulatory impact following an attack in essence is re-victimizing victim organizations.

    For example, Lehigh Valley Health Network recently agreed to a $65 million settlement following a class-action lawsuit over a 2023 data breach, Enzo Biochem was ordered to pay $4.5 million to New York, New Jersey, and Connecticut following a 2023 ransomware attack, and the City of Columbus is facing a class-action suit following a ransomware attack that compromised 6.5 TB of data, including personal information of city employees.

    We know that ransomware operators are clearly after sensitive data, and we know determined attackers will get in sooner or later. So, is every organization that handles private or regulated data basically on notice that when they are targeted by attackers, they will also be targeted by regulators, and then by shareholders and/or customers as well?
    Is this a constructive approach to the ransomware problem? Can we do better?

    About Our Guest:
    Mark Weatherford occupies so many important positions, it's hard to know where to start. He is VP of Policy and Standards at Gretel and Founding Partner of Aspen Chartered Consulting, and he sits on the Board of Directors and Advisory Boards for dozens of leading and emerging cybersecurity and technology companies.

    Mark also has an extensive background in executive-level cybersecurity roles, showcasing a distinguished career in both public and private sectors. He has served as Global Information Security Strategist at Booking Holdings, Chief Cybersecurity Strategist at vArmour, a Principal at The Chertoff Group, Chief Security Officer at the North American Electric Reliability Corporation (NERC), and Chief Information Security Officer for the state of Colorado.

    In 2008, he was appointed by Governor Arnold Schwarzenegger as California’s inaugural Chief Information Security Officer. Later, in 2011, the Obama Administration selected him to serve as the Deputy Undersecretary for Cybersecurity at the U.S. Department of Homeland Security.

    1 hr and 8 mins
  • Security Gets Serious Episode 006: Chaunda Dallas on Healthcare Security Challenges
    Oct 9 2024

    In this episode of Security Gets Serious, host Ben Carr sits down with Chaunda Dallas, MSIT, a Healthcare Cybersecurity Specialist dedicated to safeguarding patient data and driving innovation in healthcare and sports technology.

    Ben leans into Chaunda’s more than twenty years of hands-on experience in healthcare, which began with her work as an emergency room nurse. There she saw firsthand the critical role of technology in patient care and the risks that system downtime presents to patients, which motivated her transition into the cybersecurity field.

    As an educator and current Ph.D. student, Chaunda's expertise bridges the gap between healthcare and technology, and she actively mentors aspiring cybersecurity professionals through Women in Cybersecurity (WiCyS) as a Technical Mentor and is an active member and volunteer with BlackGirlsHack (BGH) and The Diana Initiative (TDI).

    Chaunda contributed to several research projects on healthcare information technology and data protection during her master's degree studies, including Detection of Heart Disease Using Mobile Health Technology, The Use of Healthcare Information Technology in Ambulatory Surgical Centers, and The Adoption, Issues, and Challenges of Wearable Healthcare Technology for the Elderly.

    Your Host, Ben Carr, Halcyon Chief Security and Trust Officer: Carr is a Security & Risk Executive and recognized thought leader with more than 25 years of results-driven experience in developing and executing security strategies. Carr has served in global leadership roles at advanced-technology, high-risk, and rapid-growth companies such as Ericsson (Cradlepoint), Qualys, Aristocrat, Tenable, Visa and Nokia. Ben has served as a member of the Board of Directors for organizations such as IT-ISAC and NTXPKUA. He is an advisor for Noname Security and Syn Ventures and has previously served on Advisory Boards for Living Security, TruStar, Mimecast, Qualys, and Accuvant.

    1 hr and 16 mins
  • Last Month in Security Episode 006: Chaunda Dallas – Healthcare Security from the Frontlines
    Oct 4 2024

    In this edition of the Halcyon video/podcast series Last Month in Security, host Anthony M. Freed and panelists Ben Carr and Ryan Golden are joined by Chaunda Dallas, MSIT, who went from emergency room nurse to healthcare cybersecurity specialist on her journey to safeguard patients and their most sensitive data.

    First off, we take a look at a Microsoft advisory regarding an affiliate attacker dubbed Vanilla Tempest, who was observed leveraging the JScript GootLoader malware to drop INC ransomware.

    GootLoader is typically spread via SEO-poisoning watering-hole attacks by a threat actor tracked as Storm-0494, and Vanilla Tempest is assessed to be associated with Vice Society, which has not been very active recently. They have previously been observed dropping BlackCat, Quantum Locker, Zeppelin, and Rhysida payloads.

    Then we dive into some post-event regulatory and legal actions, which significantly benefit from hindsight, of course. It’s a much different perspective looking back at a chain of events than when making decisions in real time, pre-event or during an attack.
    So, does that make these critical assessments just Monday-morning armchair quarterbacking after the fact? Well, the SEC recently dismissed much of the SolarWinds case for this very reason.

    The SEC had claimed that SolarWinds' website overstated their compliance with government standards in implementing strong password protections and following a secure software development protocol, insisting that internal conversations uncovered in the investigation suggested otherwise.

    The judge in the case disagreed, stating the regulations in question were for financial controls, not security controls. Subsequently, most of the case against SolarWinds and their CISO was dismissed.

    Three other, very different, cases from last month also call into question whether it is fair to deeply scrutinize security decisions well after the fact, with all post-event information in hand.

    Case 1 involved Enzo Biochem, a biotech company that was ordered to pay $4.5 million to the attorneys general of New York, New Jersey, and Connecticut following a 2023 ransomware attack that compromised the data of over 2.4 million people.

    Key failings included poor password management, lack of multi-factor authentication (MFA), and the failure to encrypt sensitive data on all systems. The attackers gained access using shared credentials, one of which hadn't been updated in a decade. Clearly there were egregious lapses in security here – not a best effort.

    Case 2 involved attackers accessing Lehigh Valley Health Network (LVHN) and deploying ransomware after exfiltrating healthcare data. The brunt of the enforcement actions involved the attackers leaking sensitive images of breast cancer patients.

    A class-action lawsuit, filed in March 2023, accused LVHN of failing to safeguard patient data, although there was no indication of poor security practices as we saw with Enzo Biochem, so for the sake of discussion we assumed that none had occurred.

    As security pros, we know a determined attacker with enough resources will eventually succeed – so is any and every organization that handles sensitive data basically facing default judgements when they get popped?

    Case 3 involved over 2.7 billion records being exfiltrated in an attack on a company called National Public Data, where the information eventually found its way to a hacking forum. The breach resulted in a class action lawsuit against National Public Data for failing to protect this sensitive information.

    What is interesting about this case is the fact that the information that was compromised had been scraped from public sources by National Public Data, which aggregates and sells the data for background checks and other purposes.

    1 hr and 12 mins
  • Security Gets Serious Episode 004: Richard Greenberg on AI, Ethics and Learning from Failure
    Jul 24 2024

    In this episode of Security Gets Serious, host Ben Carr sits down with Richard Greenberg (CISSP), President of ISSA-LA, a well-known cybersecurity leader and evangelist, former CISO, advisor and speaker.

    Ben and Richard dive into the buzz around how AI is being used both to enhance cybersecurity defenses and as a tool for cyber attackers, then they examine the potential for bias in AI models as AI becomes more integrated into security systems.

    They also look at what ethical concerns arise regarding bias in AI algorithms, and how organizations can ensure their AI-driven security measures are fair, effective and unbiased.

    Ben then asks Richard for his thoughts on the extent to which it is ethical for organizations to monitor their employees' activities to ensure security, and what guardrails should be in place to protect employee privacy.

    Then, of course, we have to dig into some of the latest ransomware trends and what steps organizations can take to protect themselves – like engaging with ethical hackers for penetration testing – and how organizations can ensure that these practices are conducted responsibly and ethically.

    Ben and Richard also delve into whether Zero Trust is really working or if it is just another security strategy that puts too much focus on a concept and not enough on the execution, as well as cloud security challenges and how organizations can mitigate those risks.

    Lastly, they discuss the culture of security and learning from failure – namely how security failures can lead to significant improvements in an organization's security practices, and why we need to do a better job of fostering an environment where failures are seen as learning opportunities.

    Richard brings over 30 years of management experience and has been a strategic and thought leader in IT and Information Security as a CISO, Director of Surveillance and Information Systems, Chief of Security Operations, Director of IT, and Project Manager for various companies and agencies in the private and public sectors.

    Be sure to check out Richard’s spot on Will Ferrell’s Ron Burgundy Podcast – it's a riot.

    Your Host, Ben Carr, Halcyon Chief Security and Trust Officer: Carr is a Security & Risk Executive and recognized thought leader with more than 25 years of results-driven experience in developing and executing security strategies. Carr has served in global leadership roles at advanced-technology, high-risk, and rapid-growth companies such as Ericsson (Cradlepoint), Qualys, Aristocrat, Tenable, Visa and Nokia. Ben has served as a member of the Board of Directors for organizations such as IT-ISAC and NTXPKUA. He is an advisor for Noname Security and Syn Ventures and has previously served on Advisory Boards for Living Security, TruStar, Mimecast, Qualys, and Accuvant.

    1 hr and 12 mins
  • Last Month in Security 005: Shady Vendor Ethics and Ransomware Targets Chokepoints
    Jul 24 2024

    The other week, the UK had its own Change Healthcare-level attack, where medical procedures were canceled at multiple London hospitals for weeks on end and a critical emergency was declared following a ransomware operation that disrupted pathology services provider Synnovis.

    As well, CDK Global fell prey to a ransomware attack that led to a massive disruption in the US auto sales market and impacted hundreds of dealers to the tune of tens of millions in lost sales.

    Point: The Change Healthcare attack revealed a financial chokepoint in the US healthcare system that impacted hundreds of providers and their patients, while the Synnovis attack similarly disrupted care at dozens of hospitals in the UK, and the CDK attack demonstrated how attacks on SaaS providers can similarly be a chokepoint.

    Are we starting to see attackers consciously targeting these chokepoints? If not planned, are they taking notes for future targeting where, much like supply chain attacks, attacking one compromises many?

    And of course, we all agree that it’s never a good idea to pile on after an attack by blaming the victims, but sometimes it’s like, “come on?”

    Last year CISA alerted nearly 2,000 organizations about vulnerabilities that could be exploited in ransomware attacks, yet only about half took any action on the alerts. We already know that ransomware operators are adept at taking advantage of unpatched vulnerabilities and misconfigurations and are automating these aspects of their attack progressions – so why is patching not a priority?

    There are only two reasons for an organization having failed to patch in a timely manner: they could patch but didn’t, or they wanted to patch but couldn’t. How much blame should we put on victim orgs if they are not doing all they can to help themselves?

    Last but not least, we dive into the exposure of what is being referred to as the “Gili Ra’anan Model,” where CyberStarts – an Israeli venture capital firm – ran a CISO rewards program in which CISOs could “earn points” worth tens of thousands of dollars for “recommending and purchasing” vendors who happen to be in CyberStarts’ portfolio of companies.

    While there is nothing wrong with a CISO benefiting monetarily from lending their time and expertise to the evaluation of vendor offerings, the program gave the appearance of financially incentivizing CISOs to choose products that would earn them cash rather than better protect their organizations. For reference, the CyberStarts portfolio has 22 companies whose combined value is $35 billion, five of these companies are unicorns (including Wiz, which just got bought by Google for $23 billion), and the portfolio companies have raised $1.8 billion in recent months.

    Principal investor Gili Ra'anan, for whom the “model” is named, showed an internal rate of return of more than 100%, which is a very unusual figure even for the best funds in the world. So how much did this program influence the valuations, funding raises, stock prices, and subsequent acquisition of these portfolio companies? Are programs like this ethical, or can they be run in a more ethical manner?

    The guys dig in...

    About Our Guest:

    Richard Greenberg, CISSP, President of ISSA-LA, is a well-known Cyber Security Leader and Evangelist, CISO, Advisor, and speaker with over 30 years of management experience. Richard has been a CISO, Director of Surveillance and Information Systems, Chief of Security Operations, Director of IT, and Project Manager for various companies and agencies in the private and public sectors.

    Your Hosts:

    Anthony M. Freed, Halcyon Director of Research and Communications
    Ben Carr, Halcyon Advisory CISO

    49 mins
  • Last Month in Security 004: DBIR 2024 and How Vulnerability Exploits Rule
    Jul 24 2024

    In this edition of the Halcyon video/podcast series Last Month in Security, host Anthony M. Freed and panelists Ben Carr and Ryan Golden fly solo and dig into the impact that vulnerability exploits are having on the threat landscape.

    The latest Verizon DBIR is out, and the Halcyon team was excited to make our debut as contributors to the report, which focused more on pathways to breaches (the ways attackers got into networks) than prior reports did.

    Verizon Threat Research Advisory Center (VTRAC) looked at 30,458 incidents of which 10,626 were confirmed data breaches - the highest ever. And vulnerability exploitation was back big time with a 180% increase from the previous year.

    The surge was mostly driven by the MOVEit exploit leveraged by Cl0p to compromise thousands of organizations in just a matter of weeks – likely through automation – with the end result most often being extortion via ransomware.

    We noted that Memorial Day weekend is the anniversary of the MOVEit campaign, in which it is estimated that as many as 8,000 organizations were targeted over the last year.

    The report also revealed that about one-third of all breaches involved ransomware or data extortion. More specifically, 9% of breaches involved straight data extortion while 23% included the detonation of ransomware payloads.

    Data exfiltration, ransomware payloads and subsequent extortion attempts were the number one attacker actions observed, while stolen credentials, phishing, privilege abuse, etc. were much lower in frequency. Verizon also notes this “ramstortion” trend remains a top threat across 92% of industries.

    Then we dug into the latest Power Rankings: Ransomware Malicious Quartile report which aligned with many of the DBIR findings – namely how automation of vulnerability exploits in Q1-2024 led to campaigns by ransomware groups leveraging misconfigured MSSQL servers, TeamViewer flaws, Fortra GoAnywhere (again), Citrix NetScaler (still), and even vulnerable Python libraries.

    We also discussed how the data exfiltration issue may be a bigger problem than the ransomware payload itself, leading to further extortion opportunities for the attackers as well as a drastic increase in potential regulatory exposure and liability for victim organizations, putting the C-level and Boards of Directors at risk like never before.

    Of note in the Ransomware MQ Q1-2024 report was the demise of BlackCat/ALPHV, which dropped out of the Frontrunners quadrant, while a new RaaS emerged dubbed RansomHub, which is on the rise and very well may be a rebrand of BlackCat/ALPHV.

    Other notable movements include LockBit slipping out of the top spot after reigning for quite some time, following the identification of a 31-year-old Russian national named Dmitry Yuryevich Khoroshev as the developer and admin for the LockBit RaaS platform and a takedown of the LockBit leaks site and attack infrastructure.

    Yet, despite all the LEO actions against these two formerly top-ranking groups, we noted that attacks leveraging LockBit payloads continue to be reported, in addition to the possible rebrand of BlackCat/ALPHV, calling into question whether the criminal justice system is enough to combat these prolific groups.

    Hosts:

    Anthony M. Freed, Halcyon Director of Research and Communications

    Ben Carr, Halcyon Chief Information Security Officer (CISO)

    Ryan Golden, Halcyon Chief Marketing Officer (CMO)

    1 hr and 7 mins
  • Security Gets Serious Episode 003: Jon Miller on Building Security Startups
    Jul 24 2024

    The security market has exploded in recent years as we have seen words like “hacker” and “cyber” go from being obscure terms to part of the everyday vernacular of end-users everywhere.

    So, what does it take to build a successful security startup? What hurdles do founders face and how do they overcome them to disrupt the market and advance the tradecraft of the security sector?

    In this episode of Security Gets Serious, host Ben Carr sits down with Halcyon co-founder and CEO Jon Miller, who first led critical teams at several well-known security vendors, then rose through the ranks to CEO to found and shepherd several more to success in a very competitive market.

    Miller discusses everything from how his understanding of the evolving ransomware threat landscape shaped his experience as a cybersecurity entrepreneur, to the most alarming trends in ransomware attacks and their impact on businesses and individuals.

    Miller also discusses his unique perspective in building defensive security solutions based on his extensive experience in building offensive tools for the U.S. government, and how understanding good offense is critical to mounting a good defense.

    Miller has spent 25+ years working in the cybersecurity industry. Prior to co-founding Halcyon, Miller was the CEO & Co-founder of Boldend, a next-generation defense contractor focused on building offensive tools for the US Government.

    Before his work at Boldend, Miller held the title of Chief Research Officer of Cylance (now Blackberry) where he focused on malware and product efficacy.

    And prior to Cylance, he was employee number 70 at Accuvant (now Optiv), where he helped build and lead the largest technical consultancy at the time, Accuvant LABS, working with over 95% of the Fortune 500 as an offensive security expert.

    Your Host, Ben Carr, Halcyon Advisory CISO: Carr is a Security & Risk Executive and recognized thought leader with more than 25 years of results-driven experience in developing and executing security strategies. Carr has served in global leadership roles at advanced-technology, high-risk, and rapid-growth companies such as Ericsson (Cradlepoint), Qualys, Aristocrat, Tenable, Visa and Nokia. Ben has served as a member of the Board of Directors for organizations such as IT-ISAC and NTXPKUA. He is an advisor for Noname Security and Syn Ventures and has previously served on Advisory Boards for Living Security, TruStar, Mimecast, Qualys, and Accuvant.

    54 mins