Proof of Concept: The Corporate Risk of Using Social Media
Also: Navigating US Privacy Laws; Ransomware Trends
In the latest "Proof of Concept," Lisa Sotto of Hunton Andrews Kurth LLP and former CISO David Pollino of PNC Bank join Information Security Media Group editors to discuss the many new privacy laws in the U.S., current ransomware and scam trends, and handling the potential corporate risk of sharing information on social media.
Anna Delaney, director, productions; Tom Field, vice president, editorial; Lisa Sotto, partner and chair, global privacy and cybersecurity practice, Hunton Andrews Kurth LLP; and former CISO David Pollino of PNC Bank - discuss:
- Navigating the increasing number of different U.S. privacy laws;
- How ransomware is evolving;
- When sharing information on social media might be a corporate risk and what to do about it.
Named in The National Law Journal's "100 Most Influential Lawyers," Sotto serves on the Hunton Andrews Kurth executive committee. She was voted the world's leading privacy adviser by Computerworld magazine and has earned the highest honor from Chambers and Partners as a "Star" performer for privacy and data security. Recognized as a "leading lawyer" by The Legal 500 U.S., Sotto chairs the Department of Homeland Security's Data Privacy and Integrity Advisory Committee and is the editor and lead author of "Privacy and Data Security Law Deskbook." She has represented the U.S. Chamber of Commerce in Indonesia and has advised the Serbian government on global data protection law. Sotto is co-chair of the International Privacy Law Committee of the New York Bar Association and chair of the New York Privacy Officers' Forum.
Pollino has more than 25 years of experience in information security, fraud prevention and risk management. He has focused on financial services for 20 years and was the chief information security officer of Bank of the West and a divisional CISO at PNC. He has held multiple leadership positions in security and fraud, including Wells Fargo, Washington Mutual and Charles Schwab. Pollino has authored multiple books and white papers focused on cybersecurity and fraud.
"Proof of Concept" runs semimonthly. Don't miss our previous installments, including the May 16 edition on how Big Tech backs passwordless and the May 23 edition on how we can improve industry collaboration.
Anna Delaney: Hello, welcome to Proof of Concept, the ISMG talk show where we discuss the cybersecurity and privacy challenges of today and tomorrow with industry experts and how we could potentially solve them. We are your hosts. I'm Anna Delaney, director of productions at ISMG.
Tom Field: I'm Tom Field. I'm senior vice president of editorial, ISMG. Anna, always a pleasure to see you.
Delaney: Always. So Tom, how is New York this morning?
Field: New York was the easiest trip I have ever had coming into the city. It is the Juneteenth holiday. And it was a breeze coming from the airport to Manhattan. So, very happy to be here today.
Delaney: And do tell the world, why are we both in New York today.
Field: We're here for our first live event in New York City, our first live summit since the fall of 2019. We have our cybersecurity event going on tomorrow in Midtown. And we've got phenomenal speakers and agenda. John Kindervag, Lisa Sotto, whom we're going to meet later in this discussion here. We've got Ari Redbord, Claire Le Gal from MasterCard. And we've got truly an all-star lineup of speakers and topics for tomorrow. What do you look forward to?
Delaney: I'm looking forward to moderating a couple of sessions. I think this is the biggest ISMG event of the year. Usually, it's your New York event. So I'm excited. That's my first with you. I'm looking forward.
Field: Anna, any event we have these days is the biggest after the last couple of years.
Delaney: Yeah, for sure. So there's always a buzz. There's a lot of adrenaline, there's excitement to meet people again. I've got a couple of panels that I'm moderating, first talking with CISOs, about whether the Russia-Ukraine war has accelerated or even stalled their cyber plan. We're going to be talking about what threats they're observing, how they're responding to heightened threat activity, if at all, how they're maintaining cyber resilience in wartime, and what potential disruption they're preparing for as the war continues. So looking forward to that topical panel discussion. And then there is another panel, but fraud related: the challenge of P2P, peer to peer payment fraud. So, in particular, we're looking at the Zelle payment app and the challenge around impersonation. One of our speakers, David, will have thoughts on this later. But I don't know if you know this, Tom, Zelle is America's most popular payment app. It's free, easy to use, and proven popular with the criminals. So we're going to be looking at Zelle in particular, and other social engineering scams or trends and the challenges for banks and consumers and regulators. And how do we prevent this in the first place? So there's a lot going on, a lot to discuss. But, as I mentioned before, I'm looking forward to seeing everybody in person — speakers and attendees.
Field: Exactly. I've got a session tomorrow afternoon with John Kindervag, the godfather of zero trust. It's going to be a town hall. We are going to sit there, have a conversation, and take questions from the audience and try to dispel some of the myths and unrealities about zero trust. So I'm excited about that. I am also hosting a more private session with Chris Pierson, the founder and CEO of BlackCloak. And we're going to be talking about the growing need for executive protection outside the traditional perimeter for the 12 hours of the day when senior leaders and board members aren't within an office. It's a fascinating topic and it's getting a lot of traction. So looking forward to continuing that conversation as well.
Delaney: Yeah, rich topics and discussions. Tom, you mentioned Lisa earlier, why don't you go ahead and formally introduce her.
Field: Yes, we're going to have a conversation here with one of our frequent guests and contributors, Lisa Sotto. She is partner and chair of the global privacy and cybersecurity practice at Hunton Andrews Kurth LLP. I believe she has been called the princess of privacy. Is that right, Lisa?
Lisa Sotto: Priestess of privacy.
Field: Priestess of privacy. We're privileged to have her here today. Lisa, so much going on here. Talk about the current landscape, which I feel changes every other week. How are enterprises managing when it comes to juggling five different privacy laws? And it could be six if today wasn't a holiday.
Sotto: You're right, Tom. It's been an incredibly busy time. We've gone from zero to 60 in just a few short years. And just to recount a little bit, let's remember that until 2020, we did not have a comprehensive privacy law in this country at all. What we were known to have was a sectoral regime, meaning we regulated by industry sector. So we had healthcare privacy rules, we had rules around financial data, rules around kids' data collected online for kids under the age of 13, rules around credit reporting data, drivers' data, video rental records, and the like. So we had a sectoral regime very much out of step with the rest of the world. And then in 2018, now effective January 1, 2020, everything changed with the California law. California really changed the landscape in the United States for privacy in implementing and putting into place a comprehensive omnibus privacy law for Californians. And not to be outdone, several states followed suit. So we now have Virginia, Colorado, Utah, and Connecticut, which have comprehensive privacy laws for residents of those states. And this has dramatically changed the landscape in the United States. And it also brought extraordinary compliance challenges. We're on a bit of a collision course, trying to manage all of these five laws.
Field: Talk about where that collision course leads to, because my understanding is, this isn't as easy as you pick the most stringent and adhere to that, and you're going to be okay.
Sotto: You're exactly right. Unfortunately, these laws are not harmonized with each other; they're not consistent. We think of these laws in two buckets. California stands alone, and its rules are quite different from the other four. Now, the other four do fall into one bucket, in that they're reasonably similar, but they're not the same. So it's very important to remember that. I think the key to managing all of this is to try to harmonize the key concepts, and focus on the key concepts, or things like transparency, providing privacy notices, consent for the use of sensitive data where it's appropriate, service provider management, training, data security, enforcement. So those are the key principles that underpin any privacy law around the world. And we need to be thinking about those key principles with respect to the U.S. laws as well. And if you put a framework in place to manage those key principles, you'll get a good 70 or 80% of the way there.
Field: Now, at the same time we have a new draft of a federal privacy bill. What does it mean? And can we handicap the chances of it getting anywhere?
Sotto: I would not predict. This is hard. On June 3, the House and the Senate released a new comprehensive privacy bill called the American Data Privacy and Protection Act. The bill provides for the usual privacy rights that we see: the right to access your data, the right to deletion, correction, portability, and it also imposes data minimization obligations. And we're seeing that around the world. There are requirements for express consent for the use of sensitive data. There's a requirement for privacy policies. And I'll just note, this is important and new, that there is now in this bill a requirement to put reasonable security measures in place. And it would be a comprehensive security requirement at the federal level. So as to state preemption, and this is the question that we get all the time because we just talked about the five and you're right about six, and we're not Juneteenth, as to state preemption there is, there's a good chunk of the bill that addresses state preemption, and it is limited. It is not as extensive as some would like it to be. So, for example, general consumer protection laws are not preempted. Facial recognition laws are not preempted. Illinois' BIPA, the Biometric Information Privacy Act, is not preempted. And then the other key question is private right of action. Is there one? And yes. In this bill, there is a limited private right of action with a host of exceptions, as well as a limitation on damages. So, you know, the question in my mind is what are the roadblocks to passage, and it is the usual suspects. It's a private right of action. It's state preemption. And then I'll also note that the bill would create a new FTC bureau called the Bureau of Privacy, and query whether partisan tensions on either side will consider that either appropriate regulation or over-regulation.
Field: Fair points. Claire will be discussing this. Meanwhile, as legislation happens, ransomware continues to burn. What are the ransomware trends you're paying attention to as we approach mid year?
Sotto: Yeah, good question. Well, it was a slow start to the year for the ransomware actors. So that was a little bit of a surprise, but they are back in full force. There is no stopping that train. There are now reportedly more than 60 ransomware collectives and they are wreaking havoc as they always have done. We're seeing some bigger demands. The demands used to be one to five million. Now we're seeing some that are truly moonshot demands — 10 million and up, and sometimes much higher than that. And they're not negotiating down quite as much as they used to; you used to be able to negotiate very significant discounts. Not so much anymore; there seems to be a little bit less willingness to do that. I'll also just note another disturbing trend. The threat actors are now contacting third parties. So they're not only contacting the company that has been hit, but they're also looking through the data and finding customers or business partners or service providers whose data is in the mix. And they're contacting them. And that increases the leverage that they have and forces the hand of the ransom party to go ahead and pay. And I'll also note on the other side of the scale, we now have a very active federal government with respect to ransomware. So we saw the passage of the Strengthening American Cybersecurity Act, which will require for critical infrastructure, not quite in place yet, but will require a 72-hour notice obligation when an attack has occurred. And then when you pay ransom, you need to notify within 24 hours of doing so. We now have 24-hour reporting obligations for pipelines, for surface transportation. And we have a proposed SEC rule that would require notice within four business days to the world. It's a disclosure obligation.
Field: We continue to live in interesting times, and Lisa, you're going to continue to be busy.
Sotto: Indeed. Thank you very much, Tom.
Field: Thank you. And with that, we have much more to talk about in terms of fraud and scam. So, Anna, let me turn this back to you in a conversation with our next guest.
Delaney: Thank you very much. That was excellent. I'm very, very pleased to welcome back the brilliant David Pollino, former CISO of PNC Bank. Very good to see you, David, thanks for joining us.
Pollino: Thanks for the invitation. Glad to be here.
Delaney: So David, following on from Tom's question to Lisa, what are the ransomware trends you're observing? And is there anything different that you're picking up on?
Pollino: I think it's a twofold answer. One is more of the same. And there's some things that we can highlight from the recent Verizon 2021 Data Breach. But looking at some of the technical aspects of some of the variants that are out there, right now, the ransomware actors are getting smarter. So there's at least one variant out there that's been reported to utilize the web browser as the primary mechanism for infection, bypassing some of the traditional email controls that could be in place. Many of the email controls also involve rewriting the URL to do some sort of behavioral detection. If it's a watering hole attack or some other type of browser-based attack that does involve email, then you bypass part of your control suite, as well as delivering payloads from known good sites by embedding those into areas that have been compromised or give you the ability to publish content to the site. So the takeaway from that is that we need to continue to make sure that our controls are evolving and staying up to date with current threats, because the criminals out there are making sure that they're innovating as time goes on. And then more of the same as Lisa mentioned, the ransomware attacks seem to continue to have a twofold impact, not just getting your data back but disclosing the data to the public, talking to your customers. And as she brought out, the paydays have gone up. So that combined with the continuance of remote workers, shows that we have a pretty high or large attack space that we need to worry about, and that ransomware, much like many of the cybersecurity trends, will continue to evolve over time, but will never go away.
Delaney: Right! But thank you, I appreciate that insight. Another trend we're seeing is job scams, or job seeker scams. They're on the rise since remote work became necessary and popular. Now, what are the trends you're seeing and the potential impact?
Pollino: Well, like we just talked about with ransomware, job sites might be one of the ultimate watering hole attacks. If you're looking to find somebody with top secret access, you could potentially post a fraudulent job position advertising such a need for top secret access, or maybe it's cash management or fraud prevention or even ransomware control expert. And then you could utilize that to either infect the particular individual or, in some cases, you could set up fraudulent job interviews and gather information from them. I have heard from some security researchers that not every job interview is with the intent of finding the ideal candidate for positions. Sometimes job postings could be related to gathering information, learning what other firms are doing. And it may ultimately end up being a waste of time. So when it comes to job scams, you need to be very careful. And many of the search firms are also these very small companies. So typically, when you give advice to somebody about whether they should click on a link, you tell them to do some research. And sometimes you can do research on companies that have been in business for an extended period of time. Other times, it's a little bit more difficult. So being able to do adequate due diligence on small search firms is a challenge, especially if they're utilizing some of their own technology. You may see the job posting on LinkedIn or Dice or one of the other online job boards, but then it links you out to some smaller information-gathering or candidate management site. And what's the tech behind that? Has that site been compromised? Is it a malicious site? Trying to figure out whether or not you should continue applying for that position can be a bit of a challenge. I've been approached many times over the years by search firms looking for a candidate for senior security job positions. I will typically research the firm.
In many cases, I will not call or email the information that's provided within that unsolicited connection. I'll call the main switchboard. And it's amazing, for heads of security positions, how many times I've called a headhunter who's been recruiting for many years for security jobs. And they tell me I'm the only one who's ever gone through that extra effort of due diligence. You'd think security professionals would be a little bit more paranoid than the rest and try to make sure that they weren't setting themselves up to be ripped off. I even had one headhunter that was contacting me for a CISO position. And he sent me a link, one of those tiny URLs, to a site with more information about it. And I told him that nobody qualified for this position would click on that link. But that ended our conversation there pretty quickly. But it goes to show that you need good OpSec and personal protection if you're in the market. And most people, whether or not they're actively looking for a job or actively being solicited, in some cases might take a look and see if the grass is greener out there. So have good OpSec yourself, especially as security professionals. One thing just to follow up on Lisa's comments, as well as what you'll likely hear from Ari every time you talk to him: money mules are still a thing. They are not as common as they used to be, because the ransom and some of the payoffs are now being performed through crypto, and crypto has its own mechanisms for laundering funds by exchanging it with different types of currencies. But you still need to be wary of money mule scams; they are still out there and they will crop up from time to time. The adage remains true, especially with job positions: if it sounds too good to be true, then it probably is.
Delaney: Fair point. As employees, we are always encouraged to share on platforms like LinkedIn. When might that sharing be a corporate risk, do you think?
Pollino: Yeah, it's a very interesting conversation, as organizations vary on what they want shared and what their policies are. Many organizations would not want their sensitive information shared over job sites; LinkedIn, Twitter, those types of things. That could include the technologies that are being utilized, security controls, confidential project names, and even the org chart information. So each company has to sit down and figure out what is appropriate from a sharing perspective for them. And make sure that they're taking the appropriate educational steps to let users know what is appropriate and what is not appropriate. It's common in TTPs for pentesters and intelligence professionals. Job sites are a great source of OSINT. I've heard some stories about professionals, either penetration testers or people working for government agencies, which are trying to compromise a particular organization. They'll look not just on the standard job sites like LinkedIn, but they'll also look at forums and see who's posting with particular usernames with questions about particular operating system, database versions, or security tools. And just by looking at that information, you can derive a lot of information about the internal structure and the control environment that they have. I know from personal experience, there was one criminal that called pretending to be a helpdesk individual. And he used the lingo from LinkedIn, at least that's the best we could figure out, because he had an internal jargon that was used to say, "Hey, I'm calling you because of this site. And this access and this mechanism need you to reset your password." Standard social engineering thing. But the information, we think, was derived by looking at LinkedIn information that was being posted.
And the criminal in this particular instance even had his own LinkedIn page purporting to be part of the organization in a geography that was consistent with the organization, and also put some of that lingo on the fraudulent LinkedIn page. So it is an area of risk that companies at least need to sit down and say, are we doing what we need to do when it comes to managing the information that's being shared here?
Delaney: I appreciate that overview. That's excellent for scams and what you're seeing. In that particular case you highlighted, how far down the line did it get?
Pollino: You can read about that one in the media. The criminal was ultimately arrested. He was able to get some success, not at a company that I worked at, but at other companies, and it was a pretty successful attack. That's for sure.
Delaney: Well, these criminals keep on trying and keeping us on our toes. But thank you, David. Well, I'd like to welcome you all back to the studio. So final question. Six months of the year remaining. Let's look to the second half of the year. We have Russia still in Ukraine, the economy is tumbling. What are we going to be focused on by year's end? Lisa, any thoughts?
Sotto: Sure. Well, as David said, more of the same. We are hyper-vigilant now because of the war in Ukraine. And we've been hyper-vigilant for the last few years. But all of our efforts are stepped up. And I think that the threat level will continue to remain high. And we will continue in the foreseeable future to keep all hands on deck in the security area. On the privacy side, there is little question that additional states will join the party as well. We're going to certainly see more states passing laws. So we're crossing our fingers for a preemptive federal law.
Delaney: Good, busy indeed. David?
Pollino: Yeah, as we've talked about earlier, when it comes to ransomware, and some of those other threats that we have, if you look at the organizations that are being hit, they're the organizations that are still utilizing some of the very antiquated security approaches, not utilizing MFA, having flat networks, not utilizing zero trust technologies. The attacks seem to be naturally progressing more towards those weaker institutions. So institutions need to make sure they're making the proper investment proactively because, as Lisa said, with paydays going up, being a successful target of a ransomware attack can be very expensive. And to circle back to the question around social media and what types of things could be exploited for organizations, it's important for organizations to clearly articulate what they want good behavior to be, have that in policy, educate their users, monitor — not create a police state where they're checking on everything that their users are doing — but make sure that if there are things that are sensitive to the organization, confidential information, project names, IP, that those things are kept out of the OSINT so companies can continue to protect their secrets.
Delaney: Appreciate these insights.
Field: Anna, I would add to that, as I think about this, I agree with everything that Lisa and David said. What's happening in Ukraine has cast a cybersecurity shadow over the world. And we're continuing to see ramifications of that. But think about it. We also have got significant elections upcoming in the U.S. this year. What impact might outside interference have on those? We have last year's Executive Order continuing to progress and we're continuing to have conversations about things such as a software bill of materials, and also would caution that here we are mid-year 2022. And we have not seen our Kaseya of the year, or Colonial Pipeline, or Log4j. Every day, I feel that that other shoe is going to drop and at some point, it will. At the same time we're seeing economic conditions globally go into areas we've not seen for generations in some cases. I think as you look to the economy this year, it may well be that the rich won't continue to get significantly richer. But I like to think that the poorly secured will continue to get better secured because of these storms that are brewing and the momentum that we have.
Delaney: Well said! You say we've not seen a Kaseya. Well, what holiday — what U.S. holiday — do we have coming up?
Field: Fourth of July is coming up very quickly.
Delaney: Let's touch wood here. Well, that is unfortunately all we have time for. Thank you very much, Lisa, David, and Tom, as always. Thank you very much for watching. Until next time!