Samantha Schwartz on LinkedIn: A conversation with SolarWinds’ CISO (2024)

Samantha Schwartz

Content strategist, studioID by Industry Dive

Samantha Schwartz

Content strategist, studioID by Industry Dive

2y

Thank you all! We’re having fun…

Robert DeStefano

Marketing Storyteller || Scout Leader || Board of Education Trustee

2y

…and your coverage is awesome. Congratulations!

Amazing! Congrats on a knockout first year.

More Relevant Posts

  • Samantha Schwartz

    Content strategist, studioID by Industry Dive

    The business community at large may not have heard about the Log4j vulnerability — unless their security team has informed them patching might temporarily halt a business-critical application. The vulnerability is messy, appearing in millions of devices, and security teams are just trying to find where it might be across enterprise systems.

    As businesses search their networks for signs of Log4j, security practitioners are settling in for the long haul. Even with best efforts to patch, the vulnerability will linger.

    But this isn't the first marathon for the cybersecurity community. In fact, widespread cybersecurity vulnerabilities can persist for months and years.

    I asked security professionals what other vulnerabilities in their careers measure up to Log4j. I expected a universal answer, like EternalBlue. But what surprised me was that each person mentioned a different vulnerability, like ShellShock, Apache Struts or HeartBleed.

    For me, it's a signal that one security professional's Armageddon is not the same as another's. While the scope and impact of the Log4j vulnerability is unfolding in real time, the security community is familiar with bugs that remain threats. The issue is really becoming how quickly these widespread vulnerabilities are manifesting into attacks.

    What is your experience with a "marathon" vulnerability?

    https://lnkd.in/dPdJjdRM

  • Samantha Schwartz

    Content strategist, studioID by Industry Dive

    JBS USA joined a long line of companies that paid a ransom following a cyberattack. REvil, a Russia-based #ransomware gang, received $11 million from the meat processing company.

    The company said it was able to recover operations from encrypted backups, but JBS doesn't yet know how the attackers got into its systems.

    The JBS news follows closely watched hearings on the Hill where legislators scrutinized Colonial Pipeline's decision to pay a ransom. The FBI recovered about half of Colonial Pipeline's $4.4 million ransom. The law enforcement agency seized the proceeds from a bitcoin wallet, though the Department of Justice can't promise the same actions will be taken for future ransom payments.

    Hotly contested is the decision of whether or not to pay a ransom. In a Senate confirmation hearing Thursday, Chris Inglis, nominee for national cyber director, said that it's not appropriate to pay ransoms, though with critical operations at stake, it can feel feasible.

    But the FBI stepping in to recover funds complicates the issue. Will companies be more inclined to pay a ransom if there's a chance of recovering their funds?

    JBS paid hackers $11M ransom to avoid further disruption

  • Samantha Schwartz

    Content strategist, studioID by Industry Dive

    While JBS expects to resume normal operations Thursday, it is the latest ransomware-related disruption to impact consumers — the American public is finally seeing real-world consequences of cyber. "They went after our gas and they went after our hot dogs," Former CISA Director Chris Krebs said on the Today Show this week.

    The FBI attributed the #JBS USA attack to REvil Wednesday. "We continue to focus our efforts on imposing risk and consequences and holding the responsible cyber actors accountable," the law enforcement agency said.

    REvil made its debut in 2019 and has since become a stalwart in #ransomware attacks. Since then, its operators, Evil Corp., became a sanctioned ransomware gang identified by the Treasury Department.

    Between a gasoline pipeline shutdown and stalled meat processing, President Biden is set to discuss the trail of recent cyberattacks by Russia-based actors with Russian President Vladimir Putin this month. What does the private sector need to do to adequately defend against known ransomware threats? https://lnkd.in/eVeg6xN

  • Samantha Schwartz

    Content strategist, studioID by Industry Dive

    Today is 4/20. Maybe you celebrate, maybe you have no idea what the date represents.

    A few weeks ago I saw a fun fact on Twitter: The FBI has trouble hiring hackers because of its marijuana rules. Applicants cannot have used the substance for at least three years prior to joining the agency.

    Drawing the connection to the private sector, I wondered if companies had similar drug policies. No one really wants to be on the record about a federally illegal substance, but the general consensus shows there's informal tolerance as long as it doesn't impact job performance. With more and more state laws legalizing MJ, are marijuana #hiring restrictions outdated? Are they standing in the way of hiring much-needed #cybersecurity talent?

    Marijuana is becoming more accepted. Will cybersecurity employers play along? cybersecuritydive.com

  • Samantha Schwartz

    Content strategist, studioID by Industry Dive

    The White House is working on an executive order addressing software security; timely considering how quickly the Microsoft Exchange compromise is escalating (colliding with SolarWinds):

  • Samantha Schwartz

    Content strategist, studioID by Industry Dive

    Disinformation became a regular vocabulary word in the last four or five years. Typically we hear it in the context of politics and conspiracy theories on Facebook. But disinformation hurts the enterprise too. After a European drug regulator disclosed a data breach — wherein the intruders manipulated the data before leaking it — I wanted to determine the impacts of malicious data manipulation on businesses.

    The leaked data revolved around the coronavirus vaccine, impacting organizations involved in its distribution. The hackers could have eroded consumer trust in the government agency, the vaccine manufacturer or the vaccine itself. Combating disinformation requires a cybersecurity and PR strategy. How does your company protect its reputation from dis- or misinformation campaigns?

  • Samantha Schwartz

    Content strategist, studioID by Industry Dive

    The #CCPA has been breathing down the neck of Congress since 2018. But Democrats and Republicans haven't been able to compromise on a federal #dataprivacylaw, primarily in the areas of preemption and private right of action. Now, with the CPRA passed by voters and Dem-controlled House and Senate, perhaps there's a path forward for a law. It depends on what takes over our Capitol Hill's attention this year, and how much authority the FTC takes up.

    Democrats control Congress. Will 2021 be the year for federal privacy laws? cybersecuritydive.com
