Content provided by The Risk and Insurance Management Society, Inc. (RIMS). All podcast content, including episodes, graphics, and podcast descriptions, is uploaded and provided directly by The Risk and Insurance Management Society, Inc. or its podcast platform partner.
Cyberrisk Trends in 2025 with Tod Eberle of Shadowserver

35:23

Welcome to RIMScast. Your host is Justin Smulison, Business Content Manager at RIMS, the Risk and Insurance Management Society.

In this episode, Justin interviews Shadowserver Foundation Alliance Director Tod Eberle about cybersecurity. Tod tells how his background as a prosecutor led to his interest in cybersecurity, how he encountered the non-profit Shadowserver Foundation, and how he left the public sector to work with them. He explains how Shadowserver provides actionable data to alert network owners and law enforcement of network vulnerabilities that need to be mitigated. He discusses trends in malware attacks, especially in ransomware. He shares his thoughts on ransomware threats of 2025 and the years to come. He provides tips on preparing your network against ransomware.

Listen to how you can harden your organization’s network against malware attacks.

Key Takeaways:

[:01] About RIMS and RIMScast.

[:14] Public registration is open for RISKWORLD 2025! RIMS wants you to Engage Today and Embrace Tomorrow in Chicago from May 4th through May 7th. Register at RIMS.org/RISKWORLD and the link in this episode’s show notes.

[:33] About this episode. We will discuss cybersecurity with Tod Eberle, the Alliance Director of the Shadowserver Foundation.

[:55] RIMS-CRMP Workshops! On February 19th and 20th, there will be a two-day virtual workshop for the RIMS-CRMP led by former RIMS President Chris Mandel and presented by the RIMS Greater Bluegrass Chapter, the 2024 RIMS Chapter of the Year.

[1:18] The next RIMS-CRMP-FED exam course will be held from February 4th through the 6th, 2025. Links to these courses can be found through the Certification page of RIMS.org and this episode’s show notes.

[1:34] Virtual Workshops! Chris Hansen will return on February 11th and 12th to lead the two-day course “Claims Management”. Gail Kiyomura of The Art of Risk Consulting will host the “Fundamentals of Insurance” virtual workshop on February 19th and 20th, 2025.

[1:58] On February 26th and 27th, Elise Farnham of Illumine Consulting will lead “Applying and Integrating ERM”. “Managing Data for ERM” will be hosted by Pat Saporito. That course starts on March 12th, 2025.

[2:20] A link to the full schedule of virtual workshops can be found on the RIMS.org/education and RIMS.org/education/online-learning pages. A link is also in this episode’s show notes.

[2:31] The RIMS Legislative Summit 2025 is back! It will be held on March 19th and 20th in Washington, D.C. Join RIMS for two days of Congressional meetings, networking, and advocating on behalf of the risk management community.

[2:49] This event is open for RIMS members only so if you’re not a member, join now! Visit RIMS.org/advocacy for registration details.

[3:02] Interview! Our guest Tod Eberle is the Alliance Director of the Shadowserver Foundation, a non-profit security organization working altruistically behind the scenes to make the internet more secure for everyone.

[3:15] Tod Eberle is with us to discuss the cybersecurity trends on his risk radar and the threats he wants risk professionals to be aware of as 2025 kicks into high gear. Shadowserver Alliance Director, Tod Eberle, welcome to RIMScast!

[3:41] Justin saw that Shadowserver Foundation was promoted by the National Cybersecurity Alliance and he thought it would be great to have a follow-up on his appearance there.

[3:54] Tod says the National Cybersecurity Alliance is a great organization. After working together with them for a year, they invited Tod to do a webinar. It was a great experience.

[4:28] Tod’s background is as a career prosecutor, starting as a county prosecutor in Western Pennsylvania in 1997. In 2004, Tod became a Federal Prosecutor in Pittsburgh for the U.S. Department of Justice.

[5:00] In 2014, he transitioned over to the National Security and Cybercrime section in Pittsburgh. Pittsburgh was at the forefront of cyber investigations by both the U.S. Attorney’s Office and the FBI. Tod wanted to be a part of that.

[5:34] The Pittsburgh office has run investigations and issued indictments against Chinese Military Intelligence officers and Russian GRU officers for hacking. In 2014, Pittsburgh had the first criminal indictment of nation-state threat actors.

[6:00] In that case, Chinese Military Intelligence PLA officers hacked into Pittsburgh companies Westinghouse, ALCOA, U.S. Steel, and United Steel Workers. Some forward-thinking folks at the FBI and the U.S. Attorney’s Office, particularly U.S. Attorney David Hickton, focused on cyber.

[6:29] That continued over the years until the present.

[6:46] To begin an investigation, the FBI and U.S. Attorney’s Office in Pittsburgh need to have some aspect of an organization’s criminal activity touch that district, the Western District of Pennsylvania. A national ransomware case with one victim in Pittsburgh can be investigated.

[7:16] In the investigation of Russian GRU actors responsible for the destructive NotPetya malware attack, a district hospital’s network was attacked and destroyed. They expanded the investigation and charging documents to include other attacks around the country.

[7:58] In 2015 Tod was a prosecutor working with the FBI on an investigation. He was at Europol at the Hague in the Netherlands, a center that brings together investigators and prosecutors from different countries who investigate the same threat group through Europol and Eurojust.

[8:33] Tod met the Shadowserver Foundation non-profit group at the Hague in 2015. They were helping, through free technical support to the takedown operation, to dismantle the infrastructure of a crime group, using sinkholing and other security measures.

[9:08] Tod joined the Shadowserver Foundation in January of 2023. He is the Shadowserver Alliance Director. As a small non-profit, everyone wears many hats. The Shadowserver Foundation is a 501(c)(3) in the U.S. and a separate non-profit legal entity in the Netherlands.

[9:47] The Shadowserver Foundation started about 2004. It celebrated its 20th anniversary in 2024. It began as a loose group of volunteers made up of cybersecurity researchers and technical experts who came together to help network owners and law enforcement.

[10:15] Over the years they became more structured and became a non-profit organization. It’s an unusual non-profit organization working 100% in operations. It works in three core areas. First, it’s the world’s largest provider of free, actionable cyber threat intelligence.

[10:45] Second, the Shadowserver Foundation does cybersecurity capacity-building around the world. Third, it also provides free support to law enforcement investigations and disruption operations with technical support and expertise. Those three things are its core mission.

[11:07] Justin notes commonalities between RIMS cyber risk reporting and the Shadowserver Foundation’s work. Shadowserver collects a vast amount of threat data daily. What are the patterns it sees for 2025?

[11:29] Shadowserver Foundation can help organizations mitigate risks. It collects cyber threat data at its data center in California through internet-wide scanning, honeypot sensors, sinkholing operations, and collecting and analyzing malware samples.

[11:57] Every day for free the Shadowserver Foundation takes that data and provides it to over 9,000 organizations around the world and to 201 National C-CERTs that cover about 176 countries.

[12:13] These reports identify exposed, misconfigured, vulnerable, compromised instances or devices on networks that need patching.

[12:25] The organizations that get Shadowserver’s data can be anything from banks to hospitals, universities, K-12 school districts, ISPs, local, state, and federal governments, small, medium, and large businesses, Fortune 500s, and NGOs; just about anyone can sign up.

[12:46] The idea behind this is that cyber security should be available to everyone, regardless of the ability to pay. Organizations can sign up at the Shadowserver Foundation website, and provide their contact information and network information with IP ranges and ASNs.

[13:12] The Shadowserver Foundation does its due diligence and if everything checks out, it automates those reports to go out to the organization daily. About 9,000 organizations sign up directly to receive daily reports.

[13:22] The Shadowserver Foundation also sends out data for entire countries to the national C-CERT designated to handle that in those countries. In the U.S., CISA gets hundreds of millions of events from them every day for all the U.S. It is the same around the world.

[13:52] Tod says that some things never change. Networks are breached primarily through phishing attacks, malicious links or attachments, and social engineering.

[14:09] One trend is a focus on vulnerabilities. Criminals exploit vulnerabilities in the network that aren’t patched in a timely manner, getting in before the patch is applied. Shadowserver gives organizations an external snapshot view of their networks, the same view criminals get when they scan for themselves.

[14:52] Cybercriminal groups increasingly leverage zero-day vulnerabilities to breach a network. A zero-day vulnerability is a flaw in software or hardware that’s unknown to the vendor and has no patch. The vendor has had zero days to fix the vulnerability after it has been discovered.

[15:16] That was the case with the Clop ransomware gang. In 2024, they started exploiting zero-day vulnerabilities in Fortra’s GoAnywhere software. That continued in May, with them exploiting Progress Software’s MOVEit file transfer application.

[15:38] Very recently, in December, the Clop ransomware group claimed responsibility for using a zero-day vulnerability in Cleo’s file transfer platform to breach victims’ networks.

[15:49] Cyber criminals extort victims and steal data with ransomware attacks. Risk managers in cybersecurity need to stay on top of critical vulnerabilities that often go unpatched. Those are often the easiest gateway into a network.

[16:26] Plug Time! RIMS Webinars! Resolver will be joining us on February 6th to discuss “4 Themes Shaping the Future of GRC in 2025”.

[16:38] HUB International continues its Ready for Tomorrow Series with RIMS. On February 20th, they will host “Ready for the Unexpected? Strategies for Property Valuation, Disaster Recovery and Business Continuity in 2025”.

[16:54] More webinars will be announced soon and added to the RIMS.org/webinars page. Go there to register. Registration is complimentary for RIMS members.

[17:06] Nominations are also open for the Donald M. Stuart Award which recognizes excellence in risk management in Canada. Links are in this episode’s show notes.

[17:17] The Spencer Educational Foundation’s goal to help build a talent pipeline of risk management and insurance professionals is achieved in part by its collaboration with risk management and insurance educators across the U.S. and Canada.

[17:35] Since 2010, Spencer has awarded over $3.3 million in general grants to support over 130 student-centered experiential learning initiatives at universities and RMI non-profits. Spencer’s 2026 application process will open on May 1st, 2025, and close on July 30th, 2025.

[17:58] General grant awardees are typically notified at the end of October. Learn more about Spencer’s general grants through the Programs tab at SpencerEd.org.

[18:08] Let’s Return to the Conclusion of My Interview with Tod Eberle of Shadowserver!

[18:49] Justin notes that in December of 2024, Chinese attackers breached the Committee on Foreign Investment in the U.S. That is the government office that assesses foreign investments for national security risks.

[18:58] China also targeted the Treasury’s Sanctions Office after it sanctioned a Chinese company for its alleged role in cyberattacks.

[19:14] Tod thinks we should acknowledge that this is nothing new and nothing we should be surprised about. It’s been going on for many years and it’s going to continue. Justin was in the Federal government in 2013 and 2014.

[19:32] In 2015, it was announced that the U.S. Office of Personnel Management had been breached. Personal sensitive data for 42 million people were stolen.

[19:44] In May 2014, five Chinese military officers were indicted for computer hacking and economic espionage against companies based in Pittsburgh. This is nothing out of the ordinary. Unfortunately, indictments don’t seem to have a deterrent effect.

[20:21] Countries can deny the charges of hacking even with strong evidence of their involvement.

[20:37] There are different types of hacking, with different types of motivation. There is traditional espionage against U.S. government agencies. There is theft of intellectual property with nation-states trying to gain a commercial advantage in business.

[21:23] There are destructive hacks by nation-state actors, like the NotPetya attack, or attacks on the Ukrainian power grid and banking systems in 2015 and 2016.

[21:36] The Volt Typhoon threat actor group and its access to the U.S. critical infrastructure is one of the greatest national security concerns because of its potential to disrupt everything from water to power, to food, to transportation.

[22:10] The ripple effect that can come from those disruptions would be enormous. The Colonial Pipeline ransomware attack of a few years ago affected fuel supplies, commerce, and the prices of goods.

[22:31] Nation-state hacking is no longer just a concern for government agencies and companies that do business internationally, but it’s now a concern for all of society. There’s the potential to affect the daily lives of innocent civilians through attacks on critical infrastructure.

[23:16] Tod mentions another 2014 indictment out of Pittsburgh, on the GameOver Zeus botnet takedown. Part of that was a CryptoLocker ransomware disruption. This was in the infancy of ransomware, with $300 ransoms. Now ransom demands are in the tens of millions of dollars.

[23:53] We have seen a huge evolution in ransomware. It’s not going away. One thing we’re seeing is bypassing data encryption and focusing on data theft. It’s easier and less time-consuming for the threat actors because they don’t have to map out the network.

[24:41] If a victim company had good backups and easy restoration, encryption became an obstacle the ransomware actors had to deal with, so why would they bother with it? They just focus on easy data theft and extortion of a ransom for the data.

[25:04] Tod thinks we will continue to see extortion. Ransomware continues to be the greatest concern for companies. The use of AI has been increasing both for defenders and attackers.

[25:14] A new ransomware group, FunkSec, is claiming large numbers of victims of extortion, encryption, and data theft. They seem to have ransom demands of less than $10,000. They have sold stolen data. Researchers think this is a less experienced group using AI to write code.

[27:22] Shadowserver’s very talented team collects the data. It’s free. They want to get it into the hands of those who can use it. The reports identify things that are seen to be misconfigured or unnecessarily exposed to the internet. Sometimes they can show if something is compromised.

[28:12] Shadowserver designates the events by severity level so the end user can prioritize their patching and address first the ones that are most critical and severe. The reports act both as an early warning system and a victim notification system if a device is seen to be compromised.

[28:59] The network owner needs to remediate that and patch it before further exploitation like a ransomware attack can occur.

[29:07] Shadowserver has two ways to detect that a device is compromised. The first is if they have indicators that tell them a device on the network is compromised. The second comes from their support for law enforcement: law enforcement may share sensitive data with Shadowserver.

[29:32] When law enforcement does a takedown and they get victim identification data like IP addresses, they must do victim notification. Law enforcement isn’t scaled to do victim notification for hundreds of thousands of users. Shadowserver helps them with notifications.

[30:48] Shadowserver is very careful to share data responsibly. Company A will get the data they have for Company A and it won’t be shared with Company B and vice versa. Shadowserver views the data as belonging to that network owner.

[31:08] If a company authorizes Shadowserver and wants them to share their data with a third party, Shadowserver will happily do it. There are several companies with MSSPs to manage their security. If the company asks, Shadowserver will send the data to their MSSP.

[31:43] As a small, non-profit organization, not everyone has heard of the Shadowserver Foundation. They want people to know they have this data and they want to share it. It could be relevant for cyber insurance companies’ due diligence, with the insurance applicant’s consent.

[32:20] It’s important because those reports can show whether a network has remained healthy and secure over time. Tod would love to see Shadowserver be able to help more in the risk mitigation areas.

[32:56] Special thanks again to Shadowserver Foundation's Tod Eberle for joining us here on RIMScast! Check out this episode’s show notes for links to the Shadowserver reports we mentioned.

[33:07] Be sure to tune in next week for Data Privacy Day! We’ve got a special episode with James Burd, Chief Privacy Officer of the Cybersecurity and Infrastructure Security Agency (CISA). That’s going to be a good one!

[33:22] More RIMS Plugs! You can sponsor a RIMScast episode for this, our weekly show, or a dedicated episode. Links to sponsored episodes are in our show notes.

[33:50] RIMScast has a global audience of risk and insurance professionals, legal professionals, students, business leaders, C-Suite executives, and more. Let’s collaborate and help you reach them! Contact pd@rims.org for more information.

[34:07] Become a RIMS member and get access to the tools, thought leadership, and network you need to succeed. Visit RIMS.org/membership or email membershipdept@RIMS.org for more information.

[34:25] Risk Knowledge is the RIMS searchable content library that provides relevant information for today’s risk professionals. Materials include RIMS executive reports, survey findings, contributed articles, industry research, benchmarking data, and more.

[34:41] For the best reporting on the profession of risk management, read Risk Management Magazine at RMMagazine.com. It is written and published by the best minds in risk management.

[34:55] Justin Smulison is the Business Content Manager at RIMS. You can email Justin at Content@RIMS.org.

[35:03] Thank you all for your continued support and engagement on social media channels! We appreciate all your kind words. Listen every week! Stay safe!

Mentioned in this Episode:

RIMS Risk Management magazine

RISKWORLD 2025 — May 4‒7 | Register today!

RIMS Legislative Summit — March 19‒20, 2025

Nominations for the Donald M. Stuart Award

Spencer Educational Foundation — General Grants 2026 — Application Dates

RIMS-Certified Risk Management Professional (RIMS-CRMP)

RISK PAC | RIMS Advocacy

Shadowserver Foundation

National Cybersecurity Alliance

RIMS Webinars:

RIMS.org/Webinars

“4 Themes Shaping the Future of GRC in 2025” | Sponsored by Resolver | Feb. 6, 2025

“Ready for the Unexpected? Strategies for Property Valuation, Disaster Recovery and Business Continuity in 2025” | Sponsored by Hub International | Feb. 20, 2025

Upcoming Virtual Workshops:

“Claims Management” | February 11‒12, 2025 | Instructor: Chris Hansen

“Fundamentals of Insurance” | Feb. 19‒20, 2025

“Applying and Integrating ERM” | Feb. 26‒27

“Managing Data for ERM” | March 12, 2025

See the full calendar of RIMS Virtual Workshops

RIMS-CRMP Prep Workshops

Upcoming RIMS-CRMP Prep Virtual Workshops:

“Stay Competitive with the RIMS-CRMP | Presented by the RIMS Greater Bluegrass Chapter”

February 19‒20, 2025 | Instructor: Chris Mandel

Full RIMS-CRMP Prep Course Schedule

Related RIMScast Episodes:

“Kicking off 2025 with RIMS CEO Gary LaBranche”

“Year In Risk 2024 with Morgan O’Rourke and Hilary Tuttle”

“AI and Regulatory Risk Trends with Caroline Shleifer”

“Cybersecurity Awareness and Risk Frameworks with Daniel Eliot of NIST” (2024)

Sponsored RIMScast Episodes:

“Simplifying the Challenges of OSHA Recordkeeping” | Sponsored by Medcor

“Risk Management in a Changing World: A Deep Dive into AXA's 2024 Future Risks Report” | Sponsored by AXA XL

“How Insurance Builds Resilience Against An Active Assailant Attack” | Sponsored by Merrill Herzog

“Third-Party and Cyber Risk Management Tips” | Sponsored by Alliant

“RMIS Innovation with Archer” | Sponsored by Archer

“Navigating Commercial Property Risks with Captives” | Sponsored by Zurich

“Breaking Down Silos: AXA XL’s New Approach to Casualty Insurance” | Sponsored by AXA XL

“Weathering Today’s Property Claims Management Challenges” | Sponsored by AXA XL

“Storm Prep 2024: The Growing Impact of Convective Storms and Hail” | Sponsored by Global Risk Consultants, a TÜV SÜD Company

“Partnering Against Cyberrisk” | Sponsored by AXA XL

“Harnessing the Power of Data and Analytics for Effective Risk Management” | Sponsored by Marsh

“Accident Prevention — The Winning Formula For Construction and Insurance” | Sponsored by Otoos

“Platinum Protection: Underwriting and Risk Engineering's Role in Protecting Commercial Properties” | Sponsored by AXA XL

“Elevating RMIS — The Archer Way” | Sponsored by Archer

“Alliant’s P&C Outlook For 2024” | Sponsored by Alliant

“Why Subrogation is the New Arbitration” | Sponsored by Fleet Response

“Cyclone Season: Proactive Preparation for Loss Minimization” | Sponsored by Prudent Insurance Brokers Ltd.

“Subrogation and the Competitive Advantage” | Sponsored by Fleet Response

RIMS Publications, Content, and Links:

RIMS Membership — Whether you are a new member or need to transition, be a part of the global risk management community!

RIMS Virtual Workshops

On-Demand Webinars

RIMS-Certified Risk Management Professional (RIMS-CRMP)

RISK PAC | RIMS Advocacy

RIMS Strategic & Enterprise Risk Center

RIMS-CRMP Stories — Featuring RIMS Vice President Manny Padilla!

RIMS Events, Education, and Services:

RIMS Risk Maturity Model®

Sponsor RIMScast: Contact sales@rims.org or pd@rims.org for more information.

Want to Learn More?

Keep up with the podcast on RIMS.org, and listen on Spotify and Apple Podcasts.

Have a question or suggestion? Email: Content@rims.org.

Join the Conversation!

Follow @RIMSorg on Facebook, Twitter, and LinkedIn.

About our guest: Tod Eberle, Shadowserver Foundation

Production and engineering provided by Podfly.

  continue reading

102 епізодів

Artwork
iconПоширити
 
Manage episode 462226535 series 2442729
Вміст надано The Risk and Insurance Management Society, Inc., The Risk, and Insurance Management Society. Весь вміст подкастів, включаючи епізоди, графіку та описи подкастів, завантажується та надається безпосередньо компанією The Risk and Insurance Management Society, Inc., The Risk, and Insurance Management Society або його партнером по платформі подкастів. Якщо ви вважаєте, що хтось використовує ваш захищений авторським правом твір без вашого дозволу, ви можете виконати процедуру, описану тут https://uk.player.fm/legal.

Welcome to RIMScast. Your host is Justin Smulison, Business Content Manager at RIMS, the Risk and Insurance Management Society.

In this episode, Justin interviews Shadowserver Foundation Alliance Director Tod Eberle about cybersecurity. Tod tells how his background as a prosecutor led to his interest in cybersecurity, how he encountered the non-profit Shadowserver Foundation, and how he left the public sector to work with them. He explains how Shadowserver provides actionable data to alert network owners and law enforcement of network vulnerabilities that need to be mitigated. He discusses trends in malware attacks, especially in ransomware. He shares his thoughts on ransomware threats of 2025 and the years to come. He provides tips on preparing your network against ransomware.

Listen to how you can harden your organization’s network against malware attacks.

Key Takeaways:

[:01] About RIMS and RIMScast.

[:14] Public registration is open for RISKWORLD 2025! RIMS wants you to Engage Today and Embrace Tomorrow in Chicago from May 4th through May 7th. Register at RIMS.org/RISKWORLD and the link in this episode’s show notes.

[:33] About this episode. We will discuss cybersecurity with Tod Eberle, the Alliance Director of the Shadowserver Foundation.

[:55] RIMS-CRMP Workshops! On February 19th and 20th, there will be a two-day virtual workshop for the RIMS-CRMP led by former RIMS President Chris Mandel and presented by the RIMS Greater Bluegrass Chapter, the 2024 RIMS Chapter of the Year.

[1:18] The next RIMS-CRMP-FED exam course will be held from February 4th through the 6th, 2025. Links to these courses can be found through the Certification page of RIMS.org and this episode’s show notes.

[1:34] Virtual Workshops! Chris Hansen will return on February 11th and 12th to lead the two-day course “Claims Management”. Gail Kiyomura of The Art of Risk Consulting will host the “Fundamentals of Insurance” virtual workshop on February 19th and 20th, 2025.

[1:58] On February 26th and 27th, Elise Farnham of Illumine Consulting will lead “Applying and Integrating ERM”. “Managing Data for ERM” will be hosted by Pat Saporito. That course starts on March 12th, 2025.

[2:20] A link to the full schedule of virtual workshops can be found on the RIMS.org/education and RIMS.org/education/online-learning pages. A link is also in this episode’s show notes.

[2:31] The RIMS Legislative Summit 2025 is back! It will be held on March 19th and 20th in Washington, D.C. Join RIMS for two days of Congressional meetings, networking, and advocating on behalf of the risk management community.

[2:49] This event is open for RIMS members only so if you’re not a member, join now! Visit RIMS.org/advocacy for registration details.

[3:02] Interview! Our guest Tod Eberle is the Alliance Director of the Shadowserver Foundation, a non-profit security organization working altruistically behind the scenes to make the internet more secure for everyone.

[3:15] Tod Eberle is with us to discuss the cybersecurity trends on his risk radar and the threats he wants risk professionals to be aware of as 2025 kicks into high gear. Shadowserver Alliance Director, Tod Eberle, welcome to RIMScast!

[3:41] Justin saw that Shadowserver Foundation was promoted by the National Cybersecurity Alliance and he thought it would be great to have a follow-up on his appearance there.

[3:54] Tod says the National Cybersecurity Alliance is a great organization. After working together with them for a year, they invited Tod to do a webinar. It was a great experience.

[4:28] Tod’s background is as a career prosecutor, starting as a county prosecutor in Western Pennsylvania in 1997. In 2004, Tod became a Federal Prosecutor in Pittsburgh for the U.S. Department of Justice.

[5:00] In 2014, He transitioned over to the National Security and Cybercrime section in Pittsburgh. Pittsburgh was at the forefront of cyber investigations by both the U.S. Attorney’s Office and the FBI. Tod wanted to be a part of that.

[5:34] The Pittsburgh office has run investigations and issued indictments against Chinese Military Intelligence officers and Russian GRU officers for hacking. In 2014, Pittsburgh had the first criminal indictment of nation-state threat actors.

[6:00] In that case, Chinese Military Intelligence PLA officers hacked into Pittsburgh companies Westinghouse, ALCOA, U.S. Steel, and United Steel Workers. Some forward-thinking folks at the FBI and the U.S. Attorney’s Office, particularly U.S. Attorney David Hickton, focused on cyber.

[6:29] That continued over the years until the present.

[6:46] To begin an investigation, the FBI and U.S. Attorney’s Office in Pittsburgh, need to have some aspect of an organization’s criminal activity touch that district, the Western District of Pennsylvania. A national ransomware case with one victim in Pittsburgh can be investigated.

[7:16] In the investigation of Russian GRU actors responsible for the destructive NotPetya malware attack, a district hospital’s network was attacked and destroyed. They expanded the investigation and charging documents to include other attacks around the country.

[7:58] In 2015 Tod was a prosecutor working with the FBI on an investigation. He was at Europol at the Hague in the Netherlands, a center that brings together investigators and prosecutors from different countries who investigate the same threat group through Europol and Eurojust.

[8:33] Tod met the Shadowserver Foundation non-profit group at the Hague in 2015. They were helping, through free technical support to the takedown operation, to dismantle the infrastructure of a crime group, using sinkholing and other security measures.

[9:08] Tod Joined the Shadowserver Foundation in January of 2023. He is the Shadowserver Alliance Director. As a small non-profit, everyone wears many hats. The Shadowserver Foundation is a 501(c)(3) in the U.S. and a separate non-profit legal entity in the Netherlands.

[9:47] The Shadowserver Foundation started about 2004. It celebrated its 20th anniversary in 2024. It began as a loose group of volunteers made up of cybersecurity researchers and technical experts who came together to help network owners and law enforcement.

[10:15] Over the years they became more structured and became a non-profit organization. It’s an unusual non-profit organization working 100% in operations. It works in three core areas. First, it’s the world’s largest provider of free, actionable cyber threat intelligence.

[10:45] Second, the Shadowserver Foundation does cybersecurity capacity-building around the world. Third, it also provides free support to law enforcement investigations and disruption operations with technical support and expertise. Those three things are its core mission.

[11:07] Justin notes commonalities between RIMS cyber risk reporting and the Shadowserver Foundation’s work. Shadowserver collects a vast amount of threat data daily. What are the patterns it sees for 2025?

[11:29] Shadowserver Foundation can help organizations mitigate risks. It collects cyber threat data at its data center in California through internet-wide scanning, honeypot sensors, sinkholing operations, and collecting and analyzing malware samples.

[11:57] Every day, for free, the Shadowserver Foundation takes that data and provides it to over 9,000 organizations around the world and to 201 national CERTs that cover about 176 countries.

[12:13] These reports identify exposed, misconfigured, vulnerable, or compromised instances or devices on the recipient’s networks that need patching or other remediation.

[12:25] The organizations that get Shadowserver’s data can be anything from banks to hospitals, universities, K-12 school districts, ISPs, local, state, and federal governments, small, medium, and large businesses, Fortune 500s, and NGOs; just about anyone can sign up.

[12:46] The idea behind this is that cybersecurity should be available to everyone, regardless of the ability to pay. Organizations can sign up at the Shadowserver Foundation website and provide their contact information and network information, namely their IP ranges and ASNs.

[13:12] The Shadowserver Foundation does its due diligence to confirm the requester actually owns those networks, and if everything checks out, it automates those reports to go out to the organization daily. About 9,000 organizations have signed up directly to receive daily reports.

[13:22] The Shadowserver Foundation also sends out data for entire countries to the national CERT designated to handle it in each country. In the U.S., CISA receives hundreds of millions of events from them every day covering all of the U.S. It is the same around the world.

[13:52] Tod says that some things never change. Networks are breached primarily through phishing attacks, malicious links or attachments, and social engineering.

[14:09] One trend is a focus on vulnerabilities. Criminals exploit vulnerabilities in the network that are not patched promptly, getting in before the patch is applied. Shadowserver gives organizations an external snapshot of their networks, the same view criminals get when they scan for themselves.

[14:52] Cybercriminal groups increasingly leverage zero-day vulnerabilities to breach a network. A zero-day vulnerability is a flaw in software or hardware that is unknown to the vendor and has no patch; the vendor has had zero days to fix the vulnerability once it has been discovered.

[15:16] That was the case with the Clop ransomware gang. In 2023, they started exploiting zero-day vulnerabilities in Fortra’s GoAnywhere managed file transfer software. That continued in May of that year, when they exploited Progress Software’s MOVEit file transfer application.

[15:38] Very recently, in December, the Clop ransomware group claimed responsibility for using a zero-day vulnerability in Cleo’s file transfer platform to breach victims’ networks.

[15:49] Cybercriminals extort victims and steal data with ransomware attacks. Risk managers in cybersecurity need to stay on top of critical vulnerabilities that often go unpatched. Those are often the easiest gateway into a network.

[16:26] Plug Time! RIMS Webinars! Resolver will be joining us on February 6th to discuss “4 Themes Shaping the Future of GRC in 2025”.

[16:38] HUB International continues its Ready for Tomorrow Series with RIMS. On February 20th, they will host “Ready for the Unexpected? Strategies for Property Valuation, Disaster Recovery and Business Continuity in 2025”.

[16:54] More webinars will be announced soon and added to the RIMS.org/webinars page. Go there to register. Registration is complimentary for RIMS members.

[17:06] Nominations are also open for the Donald M. Stuart Award which recognizes excellence in risk management in Canada. Links are in this episode’s show notes.

[17:17] The Spencer Educational Foundation’s goal to help build a talent pipeline of risk management and insurance professionals is achieved in part by its collaboration with risk management and insurance educators across the U.S. and Canada.

[17:35] Since 2010, Spencer has awarded over $3.3 million in general grants to support over 130 student-centered experiential learning initiatives at universities and RMI non-profits. Spencer’s 2026 application process will open on May 1st, 2025, and close on July 30th, 2025.

[17:58] General grant awardees are typically notified at the end of October. Learn more about Spencer’s general grants through the Programs tab at SpencerEd.org.

[18:08] Let’s Return to the Conclusion of My Interview with Tod Eberle of Shadowserver!

[18:49] Justin notes that in December of 2024, Chinese state-linked attackers breached the Committee on Foreign Investment in the U.S. That is the government office that assesses foreign investments for national security risks.

[18:58] China also targeted the Treasury’s Sanctions Office after it sanctioned a Chinese company for its alleged role in cyberattacks.

[19:14] Tod thinks we should acknowledge that this is nothing new and nothing we should be surprised about. It has been going on for many years and it is going to continue. Justin was in the Federal government in 2013 and 2014.

[19:32] In 2015, it was announced that the U.S. Office of Personnel Management had been breached. Personal sensitive data for 42 million people were stolen.

[19:44] In May 2014, five Chinese military officers were indicted for computer hacking and economic espionage against companies based in Pittsburgh. This is nothing out of the ordinary. Unfortunately, indictments do not seem to have a deterrent effect.

[20:21] Countries can deny the charges of hacking even with strong evidence of their involvement.

[20:37] There are different types of hacking, with different types of motivation. There is traditional espionage against U.S. government agencies. There is theft of intellectual property with nation-states trying to gain a commercial advantage in business.

[21:23] There are destructive hacks by nation-state actors, like the NotPetya attack in 2017, or the attacks on the Ukrainian power grid and banking systems in 2015 and 2016.

[21:36] The Volt Typhoon threat actor group and its access to U.S. critical infrastructure is one of the greatest national security concerns, because of its potential to disrupt everything from water to power, to food, to transportation.

[22:10] The ripple effect that can come from those disruptions would be enormous. The Colonial Pipeline ransomware attack of a few years ago affected fuel supplies, commerce, and the prices of goods.

[22:31] Nation-state hacking is no longer just a concern for government agencies and companies that do business internationally, but it’s now a concern for all of society. There’s the potential to affect the daily lives of innocent civilians through attacks on critical infrastructure.

[23:16] Tod mentions another 2014 indictment out of Pittsburgh, from the GameOver Zeus botnet takedown. Part of that operation was a disruption of the CryptoLocker ransomware. This was in the infancy of ransomware, when ransoms were around $300. Now ransom demands are in the tens of millions of dollars.

[23:53] We have seen a huge evolution in ransomware. It is not going away. One thing we are seeing is actors skipping data encryption altogether and focusing on data theft. It is easier and less time-consuming for the threat actors because they do not have to map out the network.

[24:41] If a victim company had good backups and easy restoration, that was an obstacle ransomware actors had to deal with, so why would the threat actors bother with encryption? They just focus on easy data theft and extortion of a ransom for the stolen data.

[25:04] Tod thinks we will continue to see extortion. Ransomware continues to be the greatest concern for companies. The use of AI has been increasing both for defenders and attackers.

[25:14] A new ransomware group, FunkSec, is claiming large numbers of victims of extortion, encryption, and data theft. Their ransom demands appear to be less than $10,000. They have sold stolen data. Researchers think this is a less experienced group using AI to write its code.

[27:22] Shadowserver’s very talented team collects the data. It is free. They want to get it into the hands of those who can use it. The reports identify things that are seen to be misconfigured or unnecessarily exposed to the internet. Sometimes they can show that something is already compromised.

[28:12] Shadowserver assigns each event a severity level so the end user can prioritize patching and address the most critical and severe findings first. The reports act both as an early warning system and as a victim notification system when a device is seen to be compromised.

[28:59] The network owner needs to remediate that and patch it before further exploitation like a ransomware attack can occur.

[29:07] Shadowserver has two ways to detect that a device is compromised. The first is from its own indicators, such as sinkhole or honeypot traffic, that tell it a device on the network is compromised. The second comes from its support for law enforcement, where law enforcement may share sensitive victim data with Shadowserver.

[29:32] When law enforcement does a takedown and obtains victim identification data, such as IP addresses, they must do victim notification. Law enforcement is not scaled to notify hundreds of thousands of victims. Shadowserver helps them with those notifications.

[30:48] Shadowserver is very careful to share data responsibly. Company A will get the data they have for Company A and it won’t be shared with Company B and vice versa. Shadowserver views the data as belonging to that network owner.

[31:08] If a company authorizes Shadowserver and wants them to share its data with a third party, Shadowserver will happily do it. Many companies rely on an MSSP (managed security service provider) to manage their security. If the company asks, Shadowserver will send the data to their MSSP.

[31:43] As a small non-profit organization, the Shadowserver Foundation is not known to everyone. They want people to know they have this data and want to share it. It could be relevant for cyber insurance companies’ due diligence, with the insurance applicant’s consent.

[32:20] It is important because those reports can show whether a network has remained healthy and secure over time. Tod would love to see Shadowserver be able to help more in the area of risk mitigation.

[32:56] Special thanks again to Shadowserver Foundation's Tod Eberle for joining us here on RIMScast! Check out this episode’s show notes for links to the Shadowserver reports we mentioned.

[33:07] Be sure to tune in next week for Data Privacy Day! We’ve got a special episode with James Burd, Chief Privacy Officer of the Cybersecurity and Infrastructure Security Agency (CISA). That’s going to be a good one!

[33:22] More RIMS Plugs! You can sponsor a RIMScast episode for this, our weekly show, or a dedicated episode. Links to sponsored episodes are in our show notes.

[33:50] RIMScast has a global audience of risk and insurance professionals, legal professionals, students, business leaders, C-Suite executives, and more. Let’s collaborate and help you reach them! Contact pd@rims.org for more information.

[34:07] Become a RIMS member and get access to the tools, thought leadership, and network you need to succeed. Visit RIMS.org/membership or email membershipdept@RIMS.org for more information.

[34:25] Risk Knowledge is the RIMS searchable content library that provides relevant information for today’s risk professionals. Materials include RIMS executive reports, survey findings, contributed articles, industry research, benchmarking data, and more.

[34:41] For the best reporting on the profession of risk management, read Risk Management Magazine at RMMagazine.com. It is written and published by the best minds in risk management.

[34:55] Justin Smulison is the Business Content Manager at RIMS. You can email Justin at Content@RIMS.org.

[35:03] Thank you all for your continued support and engagement on social media channels! We appreciate all your kind words. Listen every week! Stay safe!

Mentioned in this Episode:

RIMS Risk Management magazine

RISKWORLD 2025 — May 4‒7 | Register today!

RIMS Legislative Summit — March 19‒20, 2025

Nominations for the Donald M. Stuart Award

Spencer Educational Foundation — General Grants 2026 — Application Dates

RIMS-Certified Risk Management Professional (RIMS-CRMP)

RISK PAC | RIMS Advocacy

Shadowserver Foundation

National Cybersecurity Alliance

RIMS Webinars:

RIMS.org/Webinars

“4 Themes Shaping the Future of GRC in 2025” | Sponsored by Resolver | Feb. 6, 2025

“Ready for the Unexpected? Strategies for Property Valuation, Disaster Recovery and Business Continuity in 2025” | Sponsored by Hub International | Feb. 20, 2025

Upcoming Virtual Workshops:

“Claims Management” | February 11‒12, 2025 | Instructor: Chris Hansen

“Fundamentals of Insurance” | Feb. 19‒20, 2025

“Applying and Integrating ERM” | Feb. 26‒27

“Managing Data for ERM” | March 12, 2025

See the full calendar of RIMS Virtual Workshops

RIMS-CRMP Prep Workshops

Upcoming RIMS-CRMP Prep Virtual Workshops:

“Stay Competitive with the RIMS-CRMP | Presented by the RIMS Greater Bluegrass Chapter”

February 19‒20, 2025 | Instructor: Chris Mandel

Full RIMS-CRMP Prep Course Schedule

Related RIMScast Episodes:

“Kicking off 2025 with RIMS CEO Gary LaBranche”

“Year In Risk 2024 with Morgan O’Rourke and Hilary Tuttle”

“AI and Regulatory Risk Trends with Caroline Shleifer”

“Cybersecurity Awareness and Risk Frameworks with Daniel Eliot of NIST” (2024)

Sponsored RIMScast Episodes:

“Simplifying the Challenges of OSHA Recordkeeping” | Sponsored by Medcor

“Risk Management in a Changing World: A Deep Dive into AXA's 2024 Future Risks Report” | Sponsored by AXA XL

“How Insurance Builds Resilience Against An Active Assailant Attack” | Sponsored by Merrill Herzog

“Third-Party and Cyber Risk Management Tips” | Sponsored by Alliant

“RMIS Innovation with Archer” | Sponsored by Archer

“Navigating Commercial Property Risks with Captives” | Sponsored by Zurich

“Breaking Down Silos: AXA XL’s New Approach to Casualty Insurance” | Sponsored by AXA XL

“Weathering Today’s Property Claims Management Challenges” | Sponsored by AXA XL

“Storm Prep 2024: The Growing Impact of Convective Storms and Hail” | Sponsored by Global Risk Consultants, a TÜV SÜD Company

“Partnering Against Cyberrisk” | Sponsored by AXA XL

“Harnessing the Power of Data and Analytics for Effective Risk Management” | Sponsored by Marsh

“Accident Prevention — The Winning Formula For Construction and Insurance” | Sponsored by Otoos

“Platinum Protection: Underwriting and Risk Engineering's Role in Protecting Commercial Properties” | Sponsored by AXA XL

“Elevating RMIS — The Archer Way” | Sponsored by Archer

“Alliant’s P&C Outlook For 2024” | Sponsored by Alliant

“Why Subrogation is the New Arbitration” | Sponsored by Fleet Response

“Cyclone Season: Proactive Preparation for Loss Minimization” | Sponsored by Prudent Insurance Brokers Ltd.

“Subrogation and the Competitive Advantage” | Sponsored by Fleet Response

RIMS Publications, Content, and Links:

RIMS Membership — Whether you are a new member or need to transition, be a part of the global risk management community!

RIMS Virtual Workshops

On-Demand Webinars

RIMS-Certified Risk Management Professional (RIMS-CRMP)

RISK PAC | RIMS Advocacy

RIMS Strategic & Enterprise Risk Center

RIMS-CRMP Stories — Featuring RIMS Vice President Manny Padilla!

RIMS Events, Education, and Services:

RIMS Risk Maturity Model®

Sponsor RIMScast: Contact sales@rims.org or pd@rims.org for more information.

Want to Learn More?

Keep up with the podcast on RIMS.org, and listen on Spotify and Apple Podcasts.

Have a question or suggestion? Email: Content@rims.org.

Join the Conversation!

Follow @RIMSorg on Facebook, Twitter, and LinkedIn.

About our guest: Tod Eberle, Shadowserver Foundation

Production and engineering provided by Podfly.