The purpose of a CISO and a cyber program is to reduce the costs associated with cybersecurity. I said this to colleagues at a social mixer this week and their heads almost exploded. “Shouldn’t we be trying to stop and mitigate risk?” “We need to spend more money on cyber, not less.” “I can’t believe you, of all people, think we need to be doing less!”

Audacious Proposal

“Do you want to give up and let the bad guys win?” I want businesses to understand that cybercrime is a part of business in the exact same (not metaphorical) way as shoplifting, employees stealing office supplies, customers slipping on the floor, vandalism, executives abusing power against employees, hurricanes, power failures, earthquakes, flooding and taxes.

The goal in all risk management is to reduce the costs associated with the mishaps not to make them impossible.

CVE-2021-44228 (https://nvd.nist.gov/vuln/detail/CVE-2021-44228) was released on December 10, 2021 outlining a vulnerability in Apache Foundation project Log4j (https://logging.apache.org/log4j/2.x/index.html). This vulnerability can be used by a remote attacker to execute code without authentication. This vulnerability is also known as Log4Shell.

WitFoo Precinct 6.x utilizes log4j in the WitFoo Streamer & Apache Kafka Docker containers that manage the message processing pipeline. Other custom WitFoo containers (including Cassandra 4.01) do not utilize log4j.

As of 0940 Eastern Standard time on Saturday, December 11, 2021, WitFoo has completed the following mitigation steps:

I have been fortunate enough to have the opportunity to spend October on the Big Island of Hawai’i at a friend’s home while we button up the 6.2 release of Precinct. My wife and I were able to visit the Crater Overlook at Mount Kīlauea this week. Mount Kīlauea is the home of the Hawai’ian goddess Pele who controls the flow of lava (among other things.) Peering over the crater to see new earth being born under a canopy of ancient stars was breath taking and quite frankly an existential experience.

No Such Thing as Lava Insurance

In talking to locals, we were surprised to learn how inexpensive real estate is on the Big Island. When we inquired why that was true, we learned that there is no such thing as lava insurance. Driving the 2 hours from Waimea to the peak of Mount Kīlauea, we observed large lava flows dotted with huts and temporary housing that have accepted that another destructive lava flow is imminent.

The 2020 Internet Crime Report from the FBI’s Internet Crime Complaint Center (IC3) has been released and can be viewed here: https://www.ic3.gov/Media/PDF/AnnualReport/2020_IC3Report.pdf. I highly recommend all in SECOPS take a moment to grok the content. I’d like to share a few of my observations.

High Level Takeaways

Reading the report reinforces a few concepts that have not yet made it into the mainstream thought of SECOPS:

Raspberry Pi is a fantastic tool for learning and experimentation. To assist our trainers, students and partners, we have created a build of Precinct to run on a Raspberry PI4. The WitFooPi is not supported as a production appliance but is great way to have Precinct in the palm of your hand for capture the flag, session training and lab testing.

Build Requirements

WitFooPi has the following requirements. Precinct performs advanced analysis on data and will stretch the ARM architecture to its limits. Active cooling is a must to prevent overheating the unit. You will also need a 128GB SD Card, a Pi enabled Precinct license and the Pi image file.