Weekly Video: October 3, 2022

10–3–2022 (Monday)

Hello and welcome to another edition of Cyber Risk at Deal Speed, your weekly video rundown of cybersecurity news and strategy for investors, deal teams, and the management teams of portfolio companies.

I’m your host, Shay Colson, Managing Partner for Cyber Diligence at Coastal Cyber Risk Advisors, and you can find us online at coastalcyber.io.

Today is Monday, October 3rd, and this week we’re going to talk about an old story and a brand new story, and why they matter to PE- and venture-backed firms.

Lots of lessons to learn, and we’re going to try to do it in 5 minutes or less.

  1. LA Unified School District’s Ransomware Saga Continues

  2. Microsoft Exchange Zero-Day

LAUSD’s Ransomware Saga Continues

For those of you who haven’t been following this story closely over the last month, let me get you caught up with the most recent developments.

First of all - let’s recognize that we are now ONE MONTH into this incident, and we are nowhere near being out of the woods.

Over the weekend, on Saturday, the threat actors made good on their threat to leak the data they had stolen during the ransomware attack, though details are scarce on the content and impact.

LAUSD Superintendent Alberto Carvalho told the LA Times that:

“Paying ransom never guarantees the full recovery of data, and Los Angeles Unified believes public dollars are better spent on our students rather than capitulating to a nefarious and illicit crime syndicate.”

Paying the ransom is a very difficult and tricky situation - one that you should discuss with counsel. It has sanctions implications, since the US Treasury Department prohibits payments to entities it has designated, and it has upcoming ransom payment notification implications from regulators like NYDFS - which will soon require not only written notification of payment, but an explanation of why you paid and what other avenues you tried before paying.

In short, LAUSD’s ongoing saga should highlight to leaders in all industries the depth and disruption that ransomware attacks can truly create. They’ve had to open an incident response hotline for impacted staff, students, and families, amongst all the other facets of this event.

We’re a month into this breach, and we haven’t even gotten to the leaked data yet - or the fallout, lawsuits, the fact that it may contain FERPA-regulated data, and all the other activities that lie ahead.

The leadership of the district has likely been extremely distracted by this event - at the same time as they should be focused on getting another school year started.

Give them credit for mostly maintaining operations, but this is an impact that few organizations can truly afford. Can yours? If not - it’s a great time to revisit your security controls, run a tabletop exercise, review your incident response plan and your forensic / legal relationships, etc.

Remember - your cyber insurance renewal is always just around the corner.

Microsoft Exchange Zero Day

This week, two new zero-day vulnerabilities were disclosed for on-premises Microsoft Exchange, an email solution.

As a reminder, zero-day vulnerabilities are ones that do not have a patch available and were previously unknown - both to the creators of the software and to your IT and security teams.

This is an important one for several reasons.

First, it highlights the fact that new vulnerabilities are just part of the process. We’re going to continue to find them, it’s the nature of software, and we need to build systems and infrastructure to deal with them.

It also highlights the attention paid to widely used software platforms - from a threat actor’s perspective, the platforms with the most targets can seem like the best ones to exploit.

The other interesting point here is that it is the on-premises version of Exchange that’s vulnerable. If you’re running in the cloud, or on Microsoft 365, this issue doesn’t affect you.

The other challenge, of course, is whether or not your team would even be able to identify and respond to the malicious activity if you were vulnerable. Do you have sufficient logging in place? Do you have the ability to query those logs and look for these indicators of compromise? We’re in some highly technical areas now, and there are lots of companies whose people and technology simply aren’t up to the job.
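To make “can you query your logs for these indicators?” concrete, here is an added example that is not part of the video or of any vendor guidance. It parses IIS W3C extended log lines (the format an on-premises Exchange server writes for OWA, ECP and Autodiscover requests), honouring the `#Fields:` header rather than assuming a fixed column order, and then filters the parsed requests against a URI pattern. The log lines and the `PLACEHOLDER-IOC` pattern are constructed for this example; in a real hunt you would substitute the indicator published by the vendor for the vulnerability you are investigating.

```python
import re
from typing import Dict, Iterator, List, Optional

# Constructed sample of an IIS W3C extended log: a "#Fields:" header followed by a few
# request lines. The values are made up for this example and are not real Exchange traffic.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2022-10-01 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-10-01 08:00:01 10.0.0.5 GET /owa/ - 443 - 203.0.113.10 Mozilla/5.0 200
2022-10-01 08:00:05 10.0.0.5 POST /autodiscover/autodiscover.json x=PLACEHOLDER-IOC 443 - 198.51.100.7 python-requests/2.28 200
2022-10-01 08:00:09 10.0.0.5 GET /ecp/healthcheck.htm - 443 - 10.0.0.20 Mozilla/5.0 404
2022-10-01 08:01:15 10.0.0.5 POST /autodiscover/autodiscover.json x=PLACEHOLDER-IOC 443 - 198.51.100.7 python-requests/2.28 500
"""

# Placeholder indicator (constructed). A real search uses the vendor-published pattern instead.
PLACEHOLDER_URI_PATTERN = re.compile(r"PLACEHOLDER-IOC")


def parse_w3c_log(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per request line, keyed by the names in the most recent #Fields: header.

    IIS writes a fresh #Fields: line whenever the logging configuration changes, so the
    header is tracked as the file is read rather than assumed once at the top.
    Lines whose column count does not match the header are skipped rather than fatal.
    """
    fields: Optional[List[str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#") or fields is None:
            continue  # other directives, or data seen before any header
        values = line.split()
        if len(values) != len(fields):
            continue
        yield dict(zip(fields, values))


def find_suspicious_requests(text: str, uri_pattern: re.Pattern,
                             success_only: bool = True) -> List[Dict[str, str]]:
    """Return the parsed requests whose stem+query match uri_pattern.

    success_only keeps only 2xx responses: a request the server actually served is the
    one to investigate first. Pass success_only=False to see failed attempts as well.
    """
    hits: List[Dict[str, str]] = []
    for entry in parse_w3c_log(text):
        uri = entry.get("cs-uri-stem", "") + "?" + entry.get("cs-uri-query", "")
        if not uri_pattern.search(uri):
            continue
        if success_only and not entry.get("sc-status", "").startswith("2"):
            continue
        hits.append(entry)
    return hits


def summarize_by_client(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count matching requests per client IP: a quick triage view for the responder."""
    counts: Dict[str, int] = {}
    for h in hits:
        ip = h.get("c-ip", "?")
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    matches = find_suspicious_requests(SAMPLE_LOG, PLACEHOLDER_URI_PATTERN)
    for m in matches:
        print(m["date"], m["time"], m["c-ip"], m["cs-method"], m["cs-uri-stem"], m["sc-status"])
    print(summarize_by_client(matches))
```

On the constructed sample this reports the one served (200) request carrying the placeholder indicator, from 198.51.100.7; relaxing `success_only` also surfaces the failed attempt from the same client. The point of the exercise is the prerequisite, not the script: if IIS logging is off, retention is days rather than weeks, or nobody can get the files off the Exchange server, there is nothing to query when the indicators are published.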

I often see legacy technology stacks in privately owned companies that have been a little under-supported in the last few years, for two reasons:

  1. The technology seems to be “working” - so why undertake a modernization effort?

  2. The staff may not have the skills and abilities to move to the cloud or upgrade to new platforms.

We’re in a unique time where tenured IT and security folks may not have gotten ongoing training, and thus their expertise can be limited to the software they use on a daily operational basis - which is fine, until it isn’t.

And when it isn’t - when these things eventually don’t work from a security perspective, the risk is that you end up in the same position the LAUSD finds themselves in.

It can be difficult to think strategically about these sorts of issues, but moving to more modern and robust technology stacks - including the cloud - really can make a difference. It’s not a panacea, and it certainly has its own risks, but you’ll need to weigh the cost of maintaining versus migrating for yourself.

Fundraising

The dry powder continues to stack as we enter Q4.

$28.7B in newly committed capital last week, which brings our Q3 total to more than a quarter trillion dollars ($252.7B).

Mind blowing, really. Stay the course out there, even when the waters seem choppy and all the winds seem like headwinds.

You can find all the links to the stories we covered below, find back issues of these videos and the written transcripts at cyberriskatdealspeed.com, and we’ll see you next week with another edition of Cyber Risk at Deal Speed.

LINKS:

https://www.latimes.com/california/story/2022-10-02/hackers-release-data-ahead-of-deadline-in-response-to-lausd-refusal-to-pay-ransom

https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/

https://doublepulsar.com/proxynotshell-the-story-of-the-claimed-zero-day-in-microsoft-exchange-5c63d963a9e9

https://techcommunity.microsoft.com/t5/security-compliance-and-identity/forensic-artifacts-in-office-365-and-where-to-find-them/ba-p/3634865
