 

Episode 8: The War on Cybersecurity

This week, Zach, Mike, and Lauro discuss the common misperception of what can happen when companies choose not to take cybersecurity seriously, how a breach can affect far more than a business's bottom line, and what steps businesses can take to thwart initial attacks and protect themselves from cyber criminals. The team talks about proactive cybersecurity and why businesses need it.

Pick up your copy of Cyber Rants on Amazon.
Looking to take your Cyber Security to the next level? Visit us at www.silentsector.com
Be sure to rate the podcast, leave us a review, and subscribe! 

Transcript

Welcome to the Cyber Rants podcast, where we're all about sharing the forbidden secrets and slightly embellished truths about corporate cybersecurity programs. We're ranting, we're raving, and we're telling you the stuff that nobody talks about on their fancy website and trade show giveaways, all to protect you from cybersecurity criminals. And now here's your hosts, Mike Rotondo, Zach Fuller and Lauro Chavez.

Hello and welcome to the Cyber Rants podcast. This is your co-host Zach Fuller, joined by Lauro Chavez and Mike Rotondo, and in our usual fashion we're going to kick it off with cybersecurity news. Mike?

An interesting week in the news with Thanksgiving, since cyber criminals apparently don't eat turkey. We've got "Office 365 phishing abuses Oracle and Amazon cloud services," so they're now leveraging O365 and AWS to go ahead and harvest credentials. CISA warns of a password leak on vulnerable Fortinet VPNs; more trouble for Fortinet. Hackers are targeting macOS users with this updated malware; very interesting, there's two new Vietnamese APTs out there that are targeting Mac, which is kind of interesting, which dovetails into our next story: Microsoft links Vietnamese state hackers to crypto mining malware campaign. So that's out there; that's APT32, also called OceanLotus. We have a Magecart attack convincingly hijacks PayPal transactions at checkout, so, you know, be careful when you're doing that holiday shopping. And hey, WannaCry's back, so all vulnerabilities open the door for WannaCry ransomware. Apparently there's still a lot of people that aren't patching and WannaCry is coming back. FBI warns of BEC scammers using email auto-forwarding attacks; this is becoming another thing, a 100 percent rise in issues in this. FBI and Homeland Security warn of APT attacks on think tanks in the US. Apparently they're targeting think tanks because you get a lot of ex-government people that manage these things and manage IT security there, and they figure if they can break into these it'll give them a roadmap for breaking into the US government. So, pretty smart move. Open source software security vulnerabilities exist for over four years before detection, so for all you guys out there using open source software, keep in mind there's some issues out there that have been around for a while. Google hacker details zero-click wormable Wi-Fi exploit to hack iPhones; more trouble for Apple. This is CVE 2020 98444. And that's it for the headlines. Lauro?

OceanLotus, funny name. No, they don't eat turkey and they don't make peace. Very... yeah, it is like a name of maybe an air freshener or something. Yeah, I had that last night at Jade Palace. Yeah, I was gonna say it sounds like a mixed drink at, you know, one of the places I frequent for sushi. I like it medium rare myself, personally. Yeah, oh yeah, that's the best, it's the best way to have it. Yeah, I was gonna say, and I hope they don't... you know, you can attack OceanLotus, you can attack think tanks, that's fine, just don't start attacking chicken nugget tanks, because that's when everybody here will be upset. There you go.

For vulnerabilities this week, well, I guess probably the main thing is I can't believe that Microsoft is not on the list again. However, Cisco's up there, so if you're running Cisco and you've got the management controller, there's multiple remote code executions for that piece of software, so patch that. And then the other big thing is if you're running WordPress and you got the site with the Ultimate Member plugin, they've got an authenticated privilege escalation that's been validated, so make sure you patch that or throw a Wordfence in front of that or something. Yeah, there's really not a lot left for this week. Check your updates anyway; I might have missed something.
So today we're going to talk about cybersecurity industry challenges, and this is a deep and dark, gloomy topic, and so I don't know how long we're going to go or how much we're going to get through, because there's a lot to talk about here, but we want to keep it light and fun too. Bring your mud boots. Bring your mud boots, I'm wearing mine. But I say this a lot, and it's not a hit on anybody, but unfortunately as an industry, as a cybersecurity industry, we're failing to adequately protect the backbone of our nation's economy and our way of life, right? The cyber criminals are still winning no matter how hard we try. Now there's a lot of brilliant people working on these problems, a lot of boots on the ground, so those of you in the cybersecurity profession, we thank you, keep fighting the good fight. But the fact of the matter is we're not there yet, right? We got a lot to figure out, and as an industry the cybersecurity industry is new, relatively speaking. There's a lot we got to do, we got to figure a lot of things out. But one of the things that I think that we have to do is that we have to look at this... people call it, you know, cyber warfare and all this stuff. I think a lot of those people haven't been to war, don't really know what war really is, but in war you gotta accomplish the mission with the resources you have. So you don't get the opportunity to say, oh well, we don't have enough people, right? Or, oh, we're failing because there's such a shortage of cybersecurity professionals out there. That's called an excuse. There is a shortage, no doubt about it, but we can't just rest on that and let the enemy win, which is kind of what's happening right now. No matter what cybersecurity events I go to, they're always talking about that. It's like, oh, that's the problem, that's the problem. But I think there's other kind of deeper underlying issues that we have to look at, because we don't have the option to sit here and wait for 10 or 15 years for these, you know, up-and-coming cybersecurity professionals to really get seasoned and really get in the groove of things, really get to know what they're doing. If we actually are treating this like war, that's not really an option, in my opinion anyway. Curious to hear what you guys are saying.

Well, you're right. I mean, you know, I can't say it better than that. It's your pain, you know; at this point it's the people that can pay for the protection, right, or getting it, because, you know, OceanLotus is not sleeping, right? They don't care about making peace. You know, they have motives and they're going to carry those motives out regardless of timing or people involved or collateral damage. Again, so, you know, I guess it is making an excuse, and I think that a lot of organizations want to do something about it, right, and I think that they don't know how to go about it, and they don't always get the budgetary requirements to go about it, and I think that's probably maybe one of the main drivers of this inaction that we're seeing, right? I don't know, maybe.

All right, one of the things just to add to that. So, you know, I've had conversations in the past with some CIOs and CSOs of some fairly large, even government agencies, and formerly from the private sector, and one of their comments was: so if we get breached, our stock price takes a hit for a couple months and then we're back. You know, I think it's the misperception that there's a minor financial hit. They're missing the criticality of the data, they're missing the potential impact on people's lives, they're missing bank accounts get cleaned out at inopportune times, and that sort of thing. And I think that's a lot of the issue with funding for this war, or that's the problem. And then they're missing that the end goal of the cyber criminal, sure, it's to cause mass disruption, right? I mean, that's what they're causing, from school systems to everything else. I mean, now that Bitcoin's again up there where predictions said it was going to be, to the twenty thousand dollar range, there's gonna be even more crime, probably, toward it. You'll see more hits at these exchanges and things like that. And so now you've got PayPal, who's basically accepted the crypto game at this point, right, where you can go through them now as an exchange, and so I think that's going to warrant more crime towards holdings and people that are essentially hodling, or holding as they say, that cryptocurrency, because cyber criminals can basically take it without any trace, and then they can use it to fund their activities, and there's just millions of it out there, millions of dollars of it out there. And so I think you'll see that community start to care too, right? And your Coinbase I think is a great example, right? Like, what cybersecurity team are they using, right? Are they getting regular pen tests? That, you know, I need to throw that into the market of what we're looking at. But it is the people... regardless of whether we agree with it or not, the people that make up the body of the American people that are participating in these types of activities are using these places, right? So they're the ones that are at risk to get taken advantage of, or even have all their crypto stolen, right, the same as banks or anything else.

And if you look at, if you're going back to, you know, if you're really going to call this a cyber war, you know, a war against cyber crime, right, there's always the other big problem, is that there's always a tipping point, right? Where there's a point in which one side starts to gain ground over the other, and at a certain point they've overtaken them, right? And so the problem is that the way this works is with asymmetrical warfare. It basically mirrors the way that cyber criminals operate, right, and that mirrors the way we fight them, as an asymmetrical style. And so the thing there is that it's really a war of attrition, right? So we're kind of fighting this dispersed enemy. What they're doing is they're just slowly scraping away resources. So while, unfortunately, certain business leaders and such will say, oh well, yeah, we'll just let the stock price dip, we'd rather take that risk than put money into this, well, the problem is you're funding the enemy with that, and their power is growing stronger every day that that happens. And so as they take from us, it fuels them. And the other side too is, you know, ransomware and such, it actually results in physical destruction. I mean, it's known that, you know, various intelligence agencies and such... the vast majority of ransom payments go to funding terrorism, talking about physical terrorism, not just cyber crime. So that's not a good thing, but I think there's some things that we can, rather than say, you know, basically kind...
That's a hard point to drive home, Zach. I mean, everybody needs to kind of... you know, there's another way to put that. It's like, if you pay a ransom from a ransomware to a cyber criminal, there's most likely going to be someone strapped with something to them blowing something up in another place because of that money that you gave them. That's, I mean, that's as real as it gets, right? I mean, I don't think it gets any closer to the meat than that. I mean, yeah, it's a myopic view that many of these executives have, is that, you know, I need to take care of my job, my company, and this, and then we'll deal with the issues when it comes. And I understand that to a certain perspective, dealing with an issue when it comes, but you need to prevent or put every roadblock in place to prevent that issue from happening, and that's where we're failing, right? We're failing big there. And I think, you know, some of the cyber insurance is going to look into that: what did you do to protect yourself? Why should I pay you this large sum of money when you've only had this policy for six months, right, or a year or two years, and you've got this massive breach and you're requesting, you know, 15 million dollars? You want to pay ransomware, right? You want to pay ransoms to cyber terrorism, and, you know, why should we pay this? What did you do that we would not deem negligible? And so I hope that there will be some form of checks and balances in the form of that, right? Because at the end it's bad leadership calls, right? Security professionals or technical thresholds, they want to do their jobs.

Yeah, I think the cyber insurance thing actually feeds into a little bit of the negligence, because they're like, oh, we're insured, right, we'll do the absolute minimum. And then one of the things that would be beneficial, and I don't know that we could change the industry, but, you know, would be beneficial for the cyber insurance companies is to go ahead and say, hey, we're going to do a cyber risk assessment before we write this policy for you, as part of our underwriting. Oh, people want to do that? You're going to go through these steps, you're going to get a pen test, we're going to look at your frameworks, we're going to look at your evidence, we're going to look at this, then the other thing, and if you don't pass then we ain't writing you. Now, exactly, insurance companies are going to be out there and they want to do business, so they're not necessarily going to put their clients through it, but I would think that would be the best thing for the industry, would be to make that a requirement. And if you're an insurance company out there and you need some help with that, you can reach out to Zach Fuller at Silent Sector and he will gladly help you out with that. Absolutely, will help you.

Well, in all fairness to the insurance companies, I think they have been getting more sophisticated over the last few years. We definitely see their questionnaires and such get more sophisticated, whereas a few years ago it was, do you have a pulse? All right, here's cyber insurance. Whereas now they're actually doing a little more thorough vetting process. But I think to your point, Mike, a full-blown, like, treat it like it was an actual third-party, real-deal risk assessment with the technical side, all the pen testing and such, and that way they get a good lens on it, and that affects your premium, right? You come in perfectly clean, there's nothing that we can get to through the pen test, and great, then your premium goes down, and I think that's a great way to go. I just don't know; I think they're just wanting to underwrite policies quicker nowadays. And what do you think about car insurance? They pull your driver's record, right? I mean, yeah, it's not quite as involved, but still, your rates are dependent upon your past production.

Well, actually, even in current driving, right, they have that. You know, like for my insurance company, they have that, it's kind of a safe driver program, so you install an app on your phone and it rates your driving based on the gyroscopes that are built into the modern phones, right, and so it can tell your speed and how fast you stop and these sorts of things. My son uses it and it adjusts his premium based on how well he's doing, right? I mean, I would imagine that they would have, with all the infinite money that they have, right, it would have some form of level of sophistication to implement something that did similar, right, where they could do a pulse check on the clients, you know, from, I guess, a risk perspective, right, a technical assessment risk perspective, and then get some sort of setting at any given time of the year and then adjust their premium, you know, based on how many vulnerabilities they have.

I agree, Mike, I think the insurance thing kind of perpetuates it. But another problem that we have, I think, getting back to the idea of we can't just say, oh, we don't have enough people, we can't do this, it's how we utilize the people that we do have. Because I would say that there are some brilliant, brilliant minds all across the US in the cybersecurity field, but you get... I mean, we in our capacities get to talk to, you know, everybody from CSOs to security analysts all over the place, and so many of them are just so tired of being, especially the more experienced people, are so tired of being in meetings six, eight hours a day and dealing with the corporate politics. They're almost pulled away from actually protecting the organization. I know you guys have quite a bit of experience with that with some of the large, you know, Fortune 500s and such.

You know, the last company I worked at, there were weeks when I had 38 hours of meetings in a week. Yeah, when you get to do work on the weekends, it's ridiculous.

Well, and then you also have the old way of thinking of, you know, looking at it, we'll implement a compliance framework but to a limited scope area, and we'll call that "we secured our environment," you know what I mean? So yeah, and sitting in meetings and trying to argue those points and not being able to actually conduct real, I would say, real meaningful work.

Yeah, yeah, and I always love dealing with the meathead VP of sales who thinks he knows security because he read a story about it in a newspaper article on the flight from, you know, here to New York, and he's going to tell us how to do things. And that's always interesting because he's a VP, so he knows, and security guys don't. So yeah. Buying a boat doesn't make you a sailor. Yeah, that's a fancy jet ski you got there, buddy. Good luck, good luck in the ocean.

So that comes down to, really, it's like, what do we do about it? I think it's organizations, we've got to put cybersecurity people in a bit of a different bucket, I think, than the rest, and because you're recognizing that, hey, it's hard to find them, hard to keep them, well, let's do something about it. Let's change the culture, at least in their environment, and make it better, make it more palatable. You know, I think of course now with COVID the remote work is the standard, but just prior, I mean last year, people were still pushing back against having their security professionals work remotely, or finding talent, you know, kind of scattered around the country in order to fill the roles, and then saying things like, oh well, you know, I know we need this, I know we have this big gap in talent, but we got to have it in house sitting in this chair, we can't use a third party, you know, or we can't outsource it to somebody else. So I think there are a lot of issues there, and I think it just comes down to looking at what is that corporate environment, or, basically, is your HR process the same for your security professionals as it is for everybody else? And if so, if they're still getting pulled into all the bureaucracy and the meetings and such, then they're not doing the work that they were set out to do. So you take somebody that could be extremely capable if you just let them run, and then you're holding them back, and we see that a lot out there in the business world these days.

You know, there's an insightful book called Cyber Rants, I think, that discusses that on page 63 and following, about what does the employee want, how to keep a cybersecurity professional, and the options of them working remotely. So... Excellent point. Shameless plug: buy it on Amazon, it's a great book. Yes, we think. He's not ashamed.

What I can tell you is, what's sad is that the technology to work remote's been out for a really long time, but the amazing amount of vulnerabilities that we're finding because of COVID, that's pretty scary, because a lot of those softwares have not been vetted properly, or the tools have been set up and then they've just been kind of left: weak certificates, or, you know, the latest Microsoft issue with, what was it called, with RDP, I can't remember. Anyway, it's been out there, but it hasn't been... I think it's becoming more perfected. But we talked a couple weeks ago where the prices of the logins for remote access are actually dropping, which tells you there's been a whole lot of exploitation out there and they've figured out how to get it. So yep, they're preying on it, counting on the turmoil, and this is certainly a time of turmoil.

But, you know, it's really a race to patch now, because, you know, they're finding code, and from the patches they're reverse engineering that to write exploits, right? Kind of seen on the markets, you'll see things that are half written from a couple patches ago, where they're counting on an organization to have something, you know, something little that's not up to date that they can get around, or there's, you know, some remote execution piece or injection piece for it that is just not written properly and they can do something. And they know that no one's going to patch it for the next year maybe, or two years, right? So they'll have a good attack surface for a while.

I think part of the problem too is the common misperception of the hackers as a lone guy sitting in mom's basement wearing a black hoodie with tin foil on the windows, eating a Hot Pocket. You know, first off, I love Hot Pockets. Yeah, he's quit talking about like this in Hot Pockets. I love my mama and I don't mind living in her basement. How do you do that? You know, in reality these APTs are corporate structures with, you know, with lots of money behind them, and you gotta fill out time sheets. Yeah, this surprised me. You see, yeah, you're like the hacker, you think your slim bean jeans coming in, no, you gotta fill out timesheets like everybody else if you're gonna work for them. Yeah, put a pie on, yeah. Their severance package may be a little rougher than the average corporate environment, so... Yeah, that's true, there's that downside. Yeah, they have the behind-the-woodshed policy. Yeah, termination procedure is literally a termination procedure.

This is an awesome topic. I think, you know, there's a lot more to talk about. I think we should continue the conversation here, but, you know, wrapping it up for today, there's just... there are a lot of struggles out there, the industry is figuring itself out. You know, kind of take everything you hear with a grain of salt, except for what we say, that's perfect, of course. But really, you know, there's a lot of marketing garbage out there, a lot of snake oil sales, and a lot of myths and hype. And so I think, as in the business, and for those of you listening that are in cybersecurity, I think it's all of our jobs to really educate the public on what's real, not just what we want to sell that day. And so we'll certainly continue this conversation. Thank you for joining us and have a great day.