Halcyon AI

Last Month in Security 005: Shady Vendor Ethics and Ransomware Targets Chokepoints

July 24, 2024 Halcyon AI

The other week, the UK had its own Change Healthcare-level attack: medical procedures were canceled at multiple London hospitals for weeks on end, and a critical emergency was declared following a ransomware operation that disrupted pathology services provider Synnovis.

CDK Global also fell prey to a ransomware attack that led to a massive disruption in the US auto sales market and impacted hundreds of dealers to the tune of tens of millions in lost sales.

Point: The Change Healthcare attack revealed a financial chokepoint in the US healthcare system that impacted hundreds of providers and their patients, while the Synnovis attack similarly disrupted care at dozens of hospitals in the UK, and the CDK attack demonstrated how attacks on SaaS providers can similarly be a chokepoint.

Are we starting to see attackers consciously targeting these chokepoints? If not planned, are they taking notes for future targeting where, much like supply chain attacks, attacking one compromises many?

And of course, we all agree that it’s never a good idea to pile on after an attack by blaming the victims, but sometimes it’s like, “come on?”

Last year CISA alerted nearly 2,000 organizations about vulnerabilities that could be exploited in ransomware attacks, yet only about half took any action on the alerts. We already know that ransomware operators are adept at taking advantage of unpatched vulnerabilities and misconfigurations and are automating these aspects of their attack progressions – so why is patching not a priority?

There are only two reasons for an organization having failed to patch in a timely manner: they could patch but didn’t, or they wanted to patch but couldn’t. How much blame should we put on victim orgs if they are not doing all they can to help themselves?

Last but not least, we dive into the exposure of what is being referred to as the “Gili Ra’anan Model,” where CyberStarts, an Israeli investment VC, ran a CISO rewards program in which CISOs could “earn points” worth tens of thousands of dollars for “recommending and purchasing” vendors who happen to be in the CyberStarts portfolio of companies.

While there is nothing wrong with a CISO benefiting monetarily for lending their time and expertise to the evaluation of vendor offerings, the program gave the appearance of financially incentivizing CISOs to choose products that would earn them cash rather than better protect their organizations. For reference, the CyberStarts portfolio has 22 companies whose combined value is $35 billion, and five of these companies are unicorns (including Wiz who just got bought by Google for $23 billion), and the portfolio companies have raised $1.8 billion in recent months.

Principal investor Gili Ra'anan, for whom the “model” is named, showed an internal rate of return of more than 100%, which is a very unusual figure even for the best funds in the world. So how much did this program influence the valuations, funding raises, stock prices, and subsequent acquisition of these portfolio companies? Are programs like this ethical, or can they be run in a more ethical manner?

The guys dig in...

About Our Guest:

Richard Greenberg, CISSP, President of ISSA-LA, is a well-known Cyber Security Leader and Evangelist, CISO, Advisor, and speaker with over 30 years of management experience. Richard has been a CISO, Director of Surveillance and Information Systems, Chief of Security Operations, Director of IT, and Project Manager for various companies and agencies in the private and public sectors. 

Your Hosts:

Anthony M. Freed, Halcyon Director of Research and Communications
Ben Carr, Halcyon Advisory CISO
