In the News

Featured

05/08/2024

CI/CD pipelines and the cloud: Are your development secrets at risk?

Naomi Buckwalter, director of product security at Contrast Security, said the problem is rooted in the fact that CI/CD security has historically been overlooked by busy security teams.

"After all, development and operations teams generally 'own' what goes on within their build pipelines, and security teams don't necessarily want to be overly prescriptive when it comes to how software is built at their organizations. Indeed, the phrase 'staying in your lane' comes to mind when talking about CI/CD security."

—Naomi Buckwalter

Read More

05/08/2024

UnitedHealth's 'egregious negligence' led to Change Healthcare ransomware infection

INTERVIEW The cybersecurity practices that led up to the stunning Change Healthcare ransomware infection indicate "egregious negligence" on the part of parent company UnitedHealth, according to Tom Kellermann, SVP of cyber strategy at Contrast Security.

During the attack, ALPHV aka BlackCat criminals made it into the medical corporation's IT systems, stole a ton of protected health data, and then brought hospitals and pharmacies' prescription and billing services to a standstill, preventing patients from receiving medications and treatment as expected.

Kellermann spoke to The Register about the snafu after UnitedHealth CEO Andrew Witty testified to US lawmakers about how ALPHV's affiliates used stolen credentials to remotely access a Citrix portal that didn't have multi-factor authentication enabled. 

Read More

05/08/2024

CI/CD pipelines and the cloud: Are your development secrets at risk?

David Lindner, CISO at Contrast Security, said it's not a great idea to store secrets in environment variables because they lack sufficient security controls, and rely solely on access controls to the running machine.

"Environment variables are typically easily accessible by any process running on the same machine, making them vulnerable to exposure if an attacker gains access to the machine. They can leak through accidental logging, inclusion in debugging dumps, or be visible in process listings."

—David Lindner

Storing secrets in environment variables also makes managing and rotating them across different environments more difficult, Lindner added.

Read More

05/07/2024

2024 Verizon DBIR: Major Surge in Unpatched Vulnerability Exploitation Due to MOVEit, Most Breaches Involve Non-Malicious Human Error

Tom Kellermann, SVP of Cyber Strategy at Contrast Security, sees the Russia issue as the central point to address: “Ransomware groups enjoy a pax mafioso with Russian intelligence services. The cybercriminals not only enjoy protection from prosecution, but they are armed with zero days by Russian intel to sow havoc in western cyberspace thus creating a free fire zone.”

Read More

05/07/2024

City of Wichita Public Services Disrupted After Ransomware Attack

Tom Kellermann, senior vice president of cyber strategy at security firm Contrast Security, suggested that Russia state-sponsored actors may be behind the attacks, as they have "punitively escalated their destructive attacks against U.S. cities as revenge" for a recently passed Congressional aid package for Ukraine. However, no culprit for the attack has yet been identified.

Read More

05/02/2024

Demo: A free tool for generating an SBOM

If software were a plate of food, its “bill of materials” would let eaters know which ingredients are fresh, and which ones have reached their sell-by date.
Naomi Buckwalter, director of product security at Contrast Security, recently demo’d the company’s free tool—software composition analysis (SCA)—for generating the ingredient list known as a software bill of materials, or SBOM.

Read More

05/02/2024

Global cybersecurity agencies issue alert on threat to OT systems from pro-Russia hacktivist activity

Commenting on the fact sheet, Tom Kellermann, senior vice president of cyber strategy at Contrast Security, wrote in an emailed statement “These are not hacktivists. Rather, they are cyber militias, and their attacks are geared to poisoning the U.S. water supply. Water utilities have never been sufficiently funded for cybersecurity, and now they are on the front lines.” 
He added that the U.S. government must endow cybersecurity grants to these critical infrastructures, “as we face a clear and present danger.”

Read More

05/02/2024

Pro-Russia hackers target OT weaknesses in critical infrastructure

Tom Kellermann, senior vice president of cyber strategy at Contrast Security, said those responsible for the spate of critical infrastructure attacks should not be described as “hacktivists."
“Rather, they are cyber militias, and their attacks are geared to poisoning the U.S. water supply,” he said.
“Water utilities have never been sufficiently funded for cybersecurity, and now they are on the front lines. The U.S. government must endow cybersecurity grants to these critical infrastructures, as we face a clear and present danger.”

Read More

05/02/2024

Ukrainian National Sentenced for Role in REvil Ransomware Operation

Contrast Security Senior Vice President of Cyber Strategy, Tom Kellermann, stated: “The FBI, in conjunction with Cyber Command, the Secret Service and like-minded countries, have truly engaged in significant disruptive actions against these groups. REvil was top of the list.”

Read More

04/30/2024

Change Healthcare, compromised by stolen credentials, did not have MFA turned on

“This underscores pure negligence on the part of UnitedHealth,” Tom Kellermann, SVP of cyber strategy at Contrast Security, said via email. “Negligence in cybersecurity led to systemic breaches across the U.S. healthcare industry. The long-term effects of this massive breach will be felt for years to come.”
[The story also ran in Healthcare Dive.]

Read More

04/29/2024

Cyber Spies Hit Cisco Firewalls in Zero-Day Exploits

Tom Kellermann, Contrast Security senior vice president of cyber strategy, said that cybersecurity companies are “increasingly targeted by nation states for the purposes of island hopping.” He said it’s important to “remember that all cybersecurity companies develop software and in many cases they are not rigorous with their DevSecOps. This has been a banner year for zero days and thus runtime security must be implemented to mitigate the exposure.”

Read More

04/25/2024

5 ways Runtime Security cuts through exploding software complexity

Software complexity is exploding. Modern applications and application programming interfaces (APIs) comprise hundreds of repositories, frameworks, components, platforms, containers, services and connections. The rapidly increasing use of third-party, open-source libraries and AI-generated code is aggravating the challenge.

Read More