WEBVTT

1
00:00:00.210 --> 00:00:34.590
Anna Delaney: Hello, happy new year. I'm Anna Delaney and welcome to the first episode of the ISMG Editors' Panel of 2023. This is a weekly conversation among ISMG editors on the most recent InfoSec news and cybercrime trends. Joining me today: Tom Field, senior vice president of editorial; Marianne Kolbasuk McGee, who leads our healthcare coverage; and Mathew Schwartz, executive editor of DataBreachToday and Europe. Good to see you all. Tom, a foreboding sky behind you. Tell us more.

2
00:00:34.920 --> 00:00:47.760
Tom Field: It wasn't meant to be that way. It was a pretty one. It was the moon actually, on New Year's Eve, out at the local Cineplex. Took teenagers out to watch a movie, and coming out at 11-12 o'clock at night, this is what it looked like. So I thought it was a lovely way to start the year.

3
00:00:48.150 --> 00:00:56.520
Anna Delaney: It is ... always a beautiful moon, and actually it's a full moon this week, on Twelfth Night. Marianne, beautiful outdoor scene as always.

4
00:00:57.750 --> 00:01:09.810
Marianne McGee: Thank you. This is a lake that's not far from where we live. And we were taking the dog for a walk during the end of the day. And I was like, "this is pretty - I'll use this for background." So that's what I did.

5
00:01:11.340 --> 00:01:15.330
Anna Delaney: Good choice. Mathew, are we in Dundee?

6
00:01:15.360 --> 00:01:34.050
Mathew Schwartz: Yeah, this is the McManus in the center of Dundee. It's an art gallery and museum. And we have a double-decker bus, just in case anybody was wondering where in the world this might be. So just on a rainy day, there's a big puddle right behind me. You can't see it. But I was splashing about with the new year cheer.

7
00:01:35.040 --> 00:01:38.580
Anna Delaney: Very good. So the green buses in Dundee.

8
00:01:38.580 --> 00:01:40.830
Mathew Schwartz: We've got green, we've got red, all sorts.

9
00:01:41.010 --> 00:01:55.410
Anna Delaney: We've got red. Okay, very good. Good to know. Well, I present you the English countryside. This was taken on a very long, fresh and muddy walk in between Christmas and New Year. Just what one needed after the insanity of Christmas.

10
00:01:56.850 --> 00:01:59.100
Tom Field: Big black dog coming up over the hill.

11
00:02:00.390 --> 00:02:07.470
Anna Delaney: There are a lot of sheep as well. Tom, you have been talking with the CISO of Zoom. Are we secure on this platform?

12
00:02:09.000 --> 00:02:56.910
Tom Field: I'm told we are! You are right, I did have the chance to speak last week with the new CISO. He just took over in the late summer, early fall. Michael Adams is his name. He's got a good, distinguished history. He is the latest CISO at Zoom, and we talked before the year end about his predictions for the new year, which you can imagine revolve an awful lot around the cloud and around collaboration and software. But we spoke as well about the state of security generally. And guess what, we did speak about the state of security at Zoom, because, you know, we aren't that far removed from the days we were all tentatively trying this platform. And we remember Zoombombing. So we talked a bit about initiatives. If you like, I wouldn't mind sharing a clip of our discussion about how Zoom is more secure today than it was just a year ago.

13
00:02:57.480 --> 00:03:59.730
Michael Adams: It's a great and important question, because I think for us, we've really seen a strong evolution in the culture at Zoom, right? Security has become instilled in our culture. To me, the biggest advancement we've made on this front has been our investment in our security program and team, really since 2020. We've done a lot of building out that program in a more comprehensive fashion. And then I think what we've pivoted to now is really an optimization paradigm, where we're taking the foundation elements that we built, the growth we've had in teams and tools and really more sophisticated advancements, and we're dialing that in. And we're focused on the biggest risks, biggest impact areas. I'll say as a company, we've also kind of stepped up by continuing to grow the security features that we offer to our customers. At Zoomtopia this past November, for example, we announced a series of new offerings, and they include things like an end-to-end encrypted feature for Zoom Mail Service, enterprise auto-update.

14
00:03:59.760 --> 00:04:25.020
Michael Adams: This is significant. In the last year, we rolled out automatic updates to our broader consumer base, but last month we've now introduced automatic updates for enterprise customers, and we think that's a significant accomplishment. And then there are others that are not insignificant either, such as advanced encryption for Zoom Phone voicemail. So I'd say our program, our people, and then also some of what we're offering through the technology to our customers themselves.

15
00:04:25.320 --> 00:04:50.820
Tom Field: Not insignificant. When you think about it, we all started using Zoom almost three years ago. That was at a time you could go up to the URL, essentially plug in a number, and you could join anybody's meeting indiscriminately. Things have come far as Zoom has grown from something that we used to just sort of tide us over in the early stages of the pandemic to as natural a part of our business life today as a conference room used to be.

16
00:04:52.110 --> 00:05:08.940
Anna Delaney: Absolutely. It's amazing to see the security evolution at Zoom, and Tom, you mentioned a list of predictions that he offered, and you've seen predictions come and go, or even stay. What surprised you this year? What's new? What's the new trend that you're watching that he mentioned?

17
00:05:09.570 --> 00:05:48.240
Tom Field: I don't know that there's anything particularly new. But here, look, I talked to lots of people over the course of the last quarter of the year leading up to 2023 about what their predictions were for security: spoke to researchers, spoke to vendors, spoke to people that have been CISOs. This was my first opportunity to speak to a CISO of an organization that we all use, to be able to hear what he has to say. So I'll tease it only by saying the interview is on our sites right now. And I encourage people to take a look at it, because it is one CISO's look at the year ahead, how it shapes up. You find a lot of commonality there in terms of threats, in terms of adversaries, in terms of attack surface, but I think he's got a unique perspective.

18
00:05:48.810 --> 00:06:01.140
Anna Delaney: Very good. Well, we are encouraged for the year ahead. Marianne, there's a new law, a new U.S. law, which pertains to the cybersecurity requirements of medical devices. So talk to us about this potential game changer.

19
00:06:01.860 --> 00:08:09.180
Marianne McGee: Yeah, in fact, I think that what was buried in this $1.7 trillion omnibus spending bill that was signed into law at the end of last year, less than a week ago, by President Biden is one of the more interesting and significant U.S. legislative developments that I've seen in a long time having to do with health care cybersecurity. Buried in that bill are provisions that basically give the Food and Drug Administration more expanded authority over medical device cybersecurity. Under the new law, the medical device makers now are required to submit cybersecurity plans for their new products as part of their submissions to the FDA for market approval. That includes submitting to the FDA how their devices can be updated and patched to address vulnerabilities, the kinds of security controls that are contained in the devices, security testing information and so on. The medical device makers must also submit to the FDA a software bill of materials for their products. Now, the FDA for the last several years has been urging medical device makers to address cybersecurity issues in the premarket of their products, including taking some of the steps I just mentioned. But until now, the FDA did not have legal authority to require medical device makers to include cybersecurity plans for their products in their submissions to the FDA for market approval. I spoke with Dr. Suzanne Schwartz of the FDA, who heads up the FDA's cybersecurity effort for medical devices specifically, and she thinks that this is a very significant development, and she says the FDA is very optimistic about this law having a positive effect on cybersecurity in the overall health care ecosystem long term.

20
00:08:09.480 --> 00:09:19.890
Marianne McGee: That's because, unlike many, if not most, legacy medical devices that are in use today, upcoming generations of medical devices now will be required to address security concerns upfront, hopefully making those products more secure as those newer products also begin to age out. Now, since the legislation was only signed into law by President Biden last week, the FDA is still assessing the details of how it will implement the new law and enforce the law. While some of the larger, more established medical device makers today have already been doing many of the things that are called for under the legislation, including things such as coordinating vulnerability disclosures and designing security into their new products, these new requirements are likely to be more of a shock to some of the smaller and newer specialty device makers and less mature vendors for which cybersecurity has not been a very high priority. So it'll be interesting to see as the year plays out how the FDA regulations get fleshed out and how device makers respond.

21
00:09:21.240 --> 00:09:28.950
Anna Delaney: And Marianne, how does this new law combine with the 2021 EO - the cybersecurity executive order launched by President Biden?

22
00:09:29.280 --> 00:10:16.470
Marianne McGee: Well, Dr. Schwartz says that it meshes; for instance, you know, the software bill of materials that's called for under the executive order. You know, there's a bunch of other things that are kind of similar and, you know, again, the FDA has sort of been pushing for these things for a while. Some of these provisions were part of standalone bills that were introduced over the last year or so that just never gained traction, but they surprisingly showed up in this budget bill of all things. And plus, the FDA gets $5 million in spending funds to support these efforts. And that could include hiring new cyber experts to be involved with assessing the new products that these submissions involve.

23
00:10:16.860 --> 00:10:22.530
Anna Delaney: Yeah. Just to be clear, this law pertains to new devices. Not all, right?

24
00:10:22.620 --> 00:10:23.160
Marianne McGee: Right.

25
00:10:23.790 --> 00:10:35.580
Anna Delaney: Great positive news indeed. Matt, back in December, we saw ransomware attacks against Rackspace's hosted Microsoft Exchange environment. You've got more information to add to the story, I believe.

26
00:10:36.480 --> 00:12:11.430
Mathew Schwartz: I do. And we did see this big attack against, as you say, the hosted Exchange environment at Rackspace. So this primarily hits small and mid-sized customers who were using Hosted Exchange services. And the TL;DR there is they're no longer going to be using Hosted Exchange services. Rackspace is no longer going to provide it. They are moving everybody to what used to be known as, I guess, Office 365, Microsoft 365 now, to get their email. There's a couple of other ways they can get their email as well. Rackspace offers its own email; they can go there if they want. But Microsoft 365 is what a lot of people are recommending, and possibly they should have been doing it already. I'll leave that debate open to others. But Rackspace says that the Play ransomware group is behind the hit against it. So there's a lot of detail to unpack here. I'm going to do it real quickly. There is a series of attacks that came along last September, which had been attributed to a nation-state attack group with alleged ties to China. They were using some exploits to hit Exchange. And these two exploits are referred to as ProxyNotShell. Just to be confusing, back in 2021 there was another hit on Exchange called ProxyShell, which used three exploits. This is different but looks similar. So they were able to use these two exploits to execute code remotely on Exchange servers.

27
00:12:11.670 --> 00:12:38.610
Mathew Schwartz: Bad news. Microsoft shipped a patch for this problem for Exchange in November, and a lot of people started to put the patch in place. The patch helped protect organizations against this attack. Rackspace chose not to install the patch. Now, before you rush to judgment, a lot of people didn't install the patch because it was causing problems with OWA - Outlook Web Access.

28
00:12:39.330 --> 00:14:09.180
Mathew Schwartz: People who installed the patch reported that they oftentimes, or in some cases at least, could no longer use OWA, which is a problem. So Rackspace and others decided to hold fire; they instead used workarounds, or mitigations, that Microsoft had specified could be used instead until you can get the patch in place. What those mitigations apparently didn't protect against was a different kind of attack, which used a certain exploit, not from ProxyNotShell, in the first instance, and then in a second activated the second ProxyNotShell vulnerability in order to ... execute code remotely in Exchange environments. So attackers were able to accomplish the same thing using a slightly different attack chain. We know this because CrowdStrike was brought in to investigate at Rackspace. And on December 28, it issued a report into a series of attacks it said it had traced to the Play ransomware group, which appeared to be ProxyNotShell attacks, but which in fact, it found, used this other vulnerability, a zero-day exploit that had not previously been known. And then, with that, chained it together with the second part of ProxyNotShell, which, even if you'd applied those mitigations in November but not the patch, the mitigations did not protect you against.

29
00:14:09.780 --> 00:15:41.010
Mathew Schwartz: CrowdStrike investigated at Rackspace. It didn't say Rackspace is one of the victims, but Rackspace said it was one of their victims. It came forward and said - a lot of people rushed to judgment here and said, "oh, they didn't patch against ProxyNotShell." They said, "we did mitigations. Microsoft's mitigations didn't note that this other exploit was a risk we might face for not having patched." Like I said, there's a lot to unpack there. Did Microsoft know that there was this zero-day flaw in the wild that can be used against Exchange? I've asked them. I haven't heard back. Probably it didn't, though, or it probably would have put out the word to alert people. So, interesting to hear some takeaways. Don't rush to judgment, I suppose, in some cases. On the patch-or-perish front, I mean, darned if you do, darned if you don't, right? People who rushed to install the patch would have seen the inability to access OWA. This is a problem, especially if you're Rackspace and you've got thousands of companies using your services. So they, like I said, held fire. But it turns out that one of the mitigations that you now need to use, because there's no fix for the zero-day flaw yet, is to deactivate OWA if you haven't already done so, because that's how attackers broke into these organizations. And so you can see why Rackspace may have decided just to ditch Hosted Exchange. They're still trying to get all of the emails recovered from the attack.

30
00:15:41.940 --> 00:16:10.020
Mathew Schwartz: Since December 2, some customers have got their emails back and migrated over to a different platform, but they're still in the process of restoration. Thousands of companies impacted. It's a really big mess. There's already been a class action lawsuit filed against Rackspace. But it's just fascinating, these additional details that have come to light. It looks like Rackspace tried to do the right thing. And somebody came up with a way to still get around those mitigations.

31
00:16:11.340 --> 00:16:18.990
Anna Delaney: Complex story. You've provided very helpful details there, Matt. So what do we know about this ransomware group Play and its tactics?

32
00:16:20.550 --> 00:17:10.380
Mathew Schwartz: They're one of a number of ransomware groups. One of the things we don't know is if Play was able to exfiltrate data: were they able to steal Microsoft Exchange mailboxes? Rackspace hasn't commented on that yet, despite being asked. I suppose we could see data breach notifications if this did happen. But I think it has just concluded its investigation. And so additional detail will no doubt be coming to light. But there's a lot we don't know yet. Again, hopefully, we will see some additional detail come out. Kudos to CrowdStrike - difficult phrase there - especially in the new year, for releasing this information. It's very actionable and helps other organizations in the same situation, meaning they use Hosted Exchange, to protect themselves.

33
00:17:12.000 --> 00:17:39.300
Anna Delaney: Very good. Well, we await further details. Thank you, Matt. So finally, last week, last year, and last month - there's only one week of the year I can say that - we discussed general predictions for 2023. And this week, I want you to don your Nostradamus hats again, and share one word or trend or a topic or a technology or even a ransomware group which you believe will dominate the industry headlines this year. What would that be?

34
00:17:40.050 --> 00:17:51.840
Tom Field: One word for you, Anna? Plastics. No, sorry, that was from The Graduate. One word though, close. Platforms.

35
00:17:52.200 --> 00:17:58.140
Anna Delaney: Okay. Another P. Marianne, your word?

36
00:17:58.380 --> 00:18:26.850
Marianne McGee: I'm going to say vendors. Even the conversation we just had here today, you know, it's all about vendors, the security of vendors and how vulnerable their clients are to things that happen to them. Especially in health care, you know, a lot of the attackers, for instance, are kind of saying, "Okay, we're not going to go after the hospital directly, but let's go after a vendor that has many hospitals as their clients." So I think that's going to be a continuing theme.

37
00:18:28.710 --> 00:18:29.280
Anna Delaney: Mathew?

38
00:18:31.350 --> 00:19:08.760
Mathew Schwartz: I'm going to say ransomware, simply because we continue to see so much innovation with ransomware-wielding groups. And while we see groups spinning off and trying other tactics, they are, I think, stoking the fires inside organizations, even if people aren't cybersecurity experts, in terms of defense, and knowing they need to sharpen their game, and not knowing what's going to hit them next. So I think it is a useful forcing function for people to better understand cybersecurity. And I think it's an unfortunate cybercrime trend, in that they're going to keep hitting organizations and extorting hundreds of millions of dollars.

39
00:19:09.900 --> 00:19:32.820
Tom Field: And I feel bad that I didn't qualify my answer: platforms. I say that because, at a time when there are economic pressures on organizations, and they're looking to consolidate their tooling, and deal with fewer of Marianne's word, vendors, so they don't suffer more of Matt's word, ransomware, I see organizations shifting, or at least talking about shifting, from point solutions to platforms.

40
00:19:35.340 --> 00:19:47.610
Mathew Schwartz: Yeah, and a lot of platforms give you better security as well. I mean, they will give you more out-of-the-box security, with all of the right presets activated, so that you have a harder time shooting yourself in the foot. Sorry to interrupt you.

41
00:19:48.030 --> 00:19:50.160
Tom Field: Spot on. So there you go, Anna. Your word?

42
00:19:50.760 --> 00:20:05.910
Anna Delaney: China. I think Russia dominated 2022. I think we'll be seeing a lot more action from China. We're already seeing some. Watch this space. We will compare these answers in December of this year.

43
00:20:06.420 --> 00:20:08.880
Tom Field: Will you put these in an envelope, put it up there in your safe deposit box?

44
00:20:09.060 --> 00:20:16.530
Anna Delaney: Have to remember. Well, Tom, Marianne and Matt, it's always a pleasure. Thank you very much for starting off the year with me today. Thank you.

45
00:20:16.800 --> 00:20:17.880
Mathew Schwartz: Thanks for having us back.

46
00:20:19.380 --> 00:20:21.600
Anna Delaney: And thank you so much for watching. Until next time.