The State of Enterprise IT Security Podcast - S1 EP. 10: Chinese Hacking Documents, Vending Machine Face Image Database, NIST Releases Version 2.0

Cybersecurity The State of Enterprise IT Security Podcast - S1 EP. 10: Chinese Hacking Documents, Vending Machine Face Image Database, NIST Releases Version 2.0

Dive into episode ten of the State of Enterprise IT Security Edition with Brad Bussie, CISO at e360, as he explores a significant leak in China, a controversial vending machine at the University of Waterloo, and the exciting release of NIST CSF 2.0, offering insights into the evolving landscape of cybersecurity.


Brad Bussie's episode ten of the State of Enterprise IT Security Edition not only sheds light on specific cybersecurity incidents and developments but also provides actionable insights for technology leaders navigating the complex cybersecurity landscape.

A Peek into Pervasive State Surveillance

Brad kicks off the episode by discussing an intriguing leak from China, providing an unprecedented glimpse into the extensive state surveillance and espionage activities. This leak, involving a company suspected of cyber espionage for Chinese security services, unveils the depth of hacking activities targeting not only foreign entities but also domestic surveillance. "It's a rare window into state surveillance," Brad notes, emphasizing the global implications of such activities.

Vending Machine Privacy Concerns

The second topic shifts gears to a seemingly innocuous vending machine at the University of Waterloo, which inadvertently revealed a secret face image database of college students. Brad delves into the nuances between facial recognition and facial analysis, raising important questions about privacy, consent, and the thin line between technological convenience and surveillance. The incident sparks a broader discussion on data privacy regulations and the ethical use of technology.

NIST CSF 2.0: A Game Changer in Cybersecurity

The highlight of the episode is Brad's exploration of the newly released version 2.0 of the NIST Cybersecurity Framework (CSF 2.0). With the addition of the "govern" function, the framework introduces a strategic layer focusing on leadership, governance structures, and policy development. Brad breaks down the eight components of this function, underscoring its significance in enhancing cybersecurity governance. The update, as Brad points out, reflects the evolving threats in the cybersecurity landscape, aiming to improve usability and effectiveness for organizations across the board.

Listen to the Episode:


Watch the Episode:

Key Topics Covered:

1. Insider Leak of Chinese Hacking Documents: A significant leak from a company suspected of conducting cyber espionage for Chinese security services revealed extensive state surveillance activities, including hacking tools used to spy both domestically and internationally. The leak highlights the vast scope of surveillance and espionage conducted by China, involving various government and security departments.

2. Vending Machine Facial Analysis Controversy: An error in a smart vending machine at the University of Waterloo exposed a facial analysis system, sparking debate over privacy and the necessity of such technology in consumer devices. Despite claims of GDPR compliance and limited data usage for marketing effectiveness, the incident raised concerns about sensitive data collection without explicit consent.

3. NIST Releases Version 2.0 of Its Cybersecurity Framework: The updated framework introduces a "govern" function focusing on leadership and strategic risk management, enhancing guidance on cybersecurity supply chain risk management, and emphasizing integrated risk management. This represents a comprehensive update to address evolving threats and improve usability across organizations. with enforceability dependent on agency action and legal framework updates.

Links Referenced:

Read the Transcript:

00:00 Now, it's interesting that no one's really saying how this leak occurred from the perspective of China, but they are pointing a finger at the United States. And my thought is, I feel like they have a small taste of their own medicine. Hey, everybody. I'm Brad Bussie, chief information security officer here at e360. Thank you for joining me for the State of Enterprise IT Security Edition. This is the show that makes it security approachable and actionable for technology leaders. I'm happy to bring you three topics this week. First one, there's an online collection of chinese hacking documents that offer a rare window into pervasive state surveillance.

01:24 The second one, vending machine error reveals secret face image database of college students. And the third, NIST releases version 2.0 of its security framework. So with that, let's get started. First topic, the online collection of hacking documents really does offer a rare window into state surveillance. So we hear about nation state actors, especially China, but we do talk about Russia. This one is mainly on China, though, and I feel like we talk about this on a daily basis, sometimes a couple times a day.

02:36 This week, something pretty interesting happened. It appears to be an insider leak of company suspected of providing cyber espionage and targeted intrusion services for the Chinese security services. Now, this leak includes information about the Chinese government, telecommunication firms, online gambling companies, the Ministry of Public Security. I think there was like eleven provincial level security bureaus in there, and then somewhere around the number of 40 municipal public security departments.

03:26 And this is interesting. Chinese police are investigating this. They said it was unauthorized, and it is a highly unusual dump of documents. And it's from what we would consider a private security contractor. And this contractor is linked to the nation's top policing agency and other parts of the government. And it is a trove of information, and it talks a lot about hacking activity and the tools used to spy not only on foreigners, but also the Chinese as well. So on their own nation, which I think we all kind of knew that that was going on, but this does confirm it.

04:23 So the data has information about advanced, persistent threats, both attack and defense capabilities of the nation and who some of their most sophisticated hacking groups are. And the data shows how much the firm, this private firm, charged various Chinese ministries to hack other countries. So I found that pretty interesting. And I think the benefit from a leak like this is we get really a first hand account of how the nation state actors behave behind the scenes, how they run their business, and the kind of information that they're going after on behalf of the country or the party or against the country.

05:12 The second topic for today is a vending machine error reveals secret face image database of college students. Now, I think we all know that there's some level of surveillance, and we talk about this a lot from the social media aspect, but this is a vending machine. And this is coming from a story out of Canada at the University of Waterloo. And it's an M&M branded smart vending machine from a company called Invenda. And it went, we will say, out of order.

06:07 And it threw an application error message on the screen that said, Invenda vending facial recognition App Xe exception. And someone took a picture of the message and posted it on Reddit. So this brings up the question, why does a vending machine need facial recognition software? And the official answer is that the data is not in fact, facial recognition, it is facial analysis. So Invenda when questioned about it, what they said is that this means people detection solely identifies the presence of an individual.

07:09 They're looking for a person. Where facial recognition goes further and they're trying to discern the specific identity of a person. The Invenda solution, they're saying, can only determine if an anonymous individual faces the device. It then records how long they were facing the device, the approximate basic demographic attributes of the person. This is interesting, really. The vending machine technology, it's supposed to function as a motion sensor. It's going to activate the purchasing interface once it detects an individual.

08:12 And they're saying it doesn't have the capability to capture or retain or transmit imagery. Not sure if we believe that or not, but they're saying that data acquisition is limited to just assessing foot traffic and the vending machine, and I think it was the transactional conversion rates. So basically what they're trying to do is they're trying to see the demographic that's coming up to the machine, how long they wait, what they're buying, and they're saying they're going to take all of that and market more effectively.

09:11 But they then go on to say that the systems are GDPR compliant, they comply with the regulations, and they're saying that it's not something to be concerned about for that reason. But honestly, if they're not retaining any of this information, then why the statement about the GDPR, the retention and the transmission of data? I found that interesting. So the consequences for collecting sensitive facial recognition data without consent is really what this is about. And it's pretty unclear on the owner, and I'm not going to throw shade on them, but the owner of this company, they're really kind of taking a step and hiding behind the GDPR piece of it.

10:10 But I like the reaction from the college most of all. So the vending machines, they're all being removed by the college. It's not just this one. Yeah, this one through the error, but all of the vending machines are being removed and they're being replaced with something that doesn't collect or capture facial data, whether it is for facial analysis or recognition. Now, the third topic today is, I find the most exciting just being a cyber practitioner. But NIST has released version 2.0 of its cybersecurity framework.

11:03 And if you think back, version one, one was released on April 16 of 2018. And honestly, since then, a lot has changed in the cybersecurity landscape. I think one of the biggest components being ransomware, we talk about that pretty often. So I think the most value that you, as the listeners will get from this is I'm just going to break down some of the new pieces. We'll call this the new function. And what it is, is the NIST CSF 20. It introduces the govern function, and that's focusing on leadership and the commitment, leadership, governance structures and policy development for cybersecurity.

12:09 So think of this as adding a strategic layer to the framework. So if you're thinking about the NIST CSF wheel that everyone is probably pretty familiar with, we've got identify, protect, detect, respond and recover. And then on the inner ring now is the govern layer. So when I look at this and I think about what else outside of govern, the NIST CSF 20 does, there's some enhanced focus on a couple of areas that I found important. So one of them is cybersecurity supply chain risk management.

13:09 So there's more guidance on managing risks associated with vendors and other partners in the digital ecosystem. If you think back to a lot of the breaches that have happened over the past ten years, a lot of them have been from supply chain or third parties. So there's more guidance around third party risk management, measuring cybersecurity outcomes. And what I was looking at is the updated framework. It emphasizes defining and measuring the effectiveness of cybersecurity efforts, promoting data driven decision making, and then integrated risk management.

14:03 So it really encourages integrating cybersecurity risk management into what you could look at as the broader organizational risk framework. And what they're trying to get to is a holistic approach. Now, when I look at how many organizations are vested in the cybersecurity framework from NIST and the one one version, just think of it this way, that it still remains a valid framework, you can still keep using it. It's not like you have to run out and start 20 tomorrow. But I do think that there's a lot of value from it.

15:07 And 20, it's just building on the core functionalities of the one one version. And it's aiming to address evolving threats and really improve usability for all organizations. Because if you think of the origin story of NIST, it was really focused on a lot of regulated type of businesses. You've seen the Department of Defense and the federal government really latch on to a lot of the NIST framework, and then there's a bunch of other pieces, too. So I think what we're looking at is just a broader acceptance and scope for NIST, which I certainly appreciate.

16:11 So if I'm looking at the govern function, as we've talked about, I'm just going to briefly talk a little bit about the different components, because there's only eight of them. And I say that little tongue in cheek, there's only eight of them, but there's a lot of work to do within those eight. There's controls that you should be looking at, but I'll just go over them pretty quick. So the first one is establish a risk management program, and that's just emphasizing the importance of having a formal program to manage cybersecurity risks.

17:03 A lot of you have risk registers, a lot of you have GRC programs, but this is really putting a little more onus around govern then. Second one, assign risk management roles and responsibilities. And this is just clearly defining who, what role, what responsibility. And that's focused on cybersecurity risk management, and it's really crucial for accountability and just effective implementation of the framework. Third one, develop and document risk management processes, so establishing documented processes, ensuring consistency and repeatability in managing cybersecurity risks.

17:29 Fourth one, I feel like I'm saying risk a lot, but I am, for a reason, conduct the risk assessments. So really regularly evaluating and assessing cybersecurity risks, and this is essential for identifying vulnerabilities and prioritizing any mitigation efforts. The fifth one in govern, develop and implement risk treatment plans. So developing and implementing plans to address identified risks that really forms the core of any risk mitigation strategy.

18:00 The 6th one monitor risk management activities, and that's just like other parts of the framework, just continuously monitoring the effectiveness of your risk management activities and that's necessary to ensure the ongoing relevance and effectiveness of the program. The 7th one, communicate cybersecurity risks and risk management activities. Tell everybody what you're doing. So effective communication of cybersecurity risks and ongoing efforts, it's critical for raising awareness, and I've looked at this before and it's true, it's really gaining buy in from key stakeholders.

18:58 And the 8th one, maintain and update the risk management program. So regularly reviewing, updating and maintaining the risk management program and that's essential to ensure that it is continued, effective and supported in a dynamic threat landscape. So I would say overall NIST CSF 20, it does represent a significant update. It's offering more comprehensive guidance and addressing current cybersecurity challenges. And I will say again, organizations that are using CSF one one, it's still good, there's still a lot of value to that framework. It is at your disposal, but consider your path to NIST CSF 20.

19:38 Thank you for tuning in and I will talk to you next episode

Written By: Brad Bussie