Episode 9 - The Cybersecurity Gold Rush

This week Zach, Mike, and Lauro rant about the pitfalls of the "arms race" of new cybersecurity tools. The team also talks about the best cybersecurity practices and why cybersecurity is important for businesses. In addition, they propose strategies for evaluating and implementing cybersecurity tools with a holistic approach instead of chasing the shiny new products that promise to answer all problems.

Pick up your copy of Cyber Rants on Amazon.
Looking to take your Cyber Security to the next level? Visit us at www.silentsector.com
Be sure to rate the podcast, leave us a review, and subscribe! 

Transcript

Welcome to the Cyber Rants podcast, where we're all about sharing the forbidden secrets and slightly embellished truths about corporate cybersecurity programs. We're ranting, we're raving, and we're telling you the stuff that nobody talks about on their fancy website and trade show giveaways, all to protect you from cybersecurity criminals. And now, here's your hosts: Mike Rotondo, Zach Fuller, and Lauro Chavez.

Hello and welcome to the Cyber Rants podcast. This is your co-host Zach Fuller, joined by Mike Rotondo and Lauro Chavez, and it is a beautiful Friday on the morning of this recording. We are excited. We pray that our voices would be heard, that the truth would come out with great might and success.

Yes, that our voices would be heard and that we would change the world of cybersecurity forever.

Next we move on to our beloved co-host, and of course anchorman with the news, Mr. Mike. Take us away.

Just a warning: there have been no chemicals ingested other than caffeine prior to the recording of this podcast. I did have two cups of tea, non-caffeinated tea, this morning, so I'm a little wired. It was peppermint. Peppermint, it's getting crazy. Sorry, I'm not commenting on your beverage choices.

All right, news of the day. Hey, the big news is unauthorized access of FireEye red team tools. Yep, FireEye got hacked. They believe it's a nation state that did it. I'm going to point east, and perhaps it was true, because only a nation state could have taken FireEye down. Right now, yeah, it's not some guy in his basement wearing his hoodie with the tinfoil on the windows and mom bringing him in stoppers. Like Twitter, it'll be some 14-year-old. Like you said, sure, he had a really good script. So anyway, according to FireEye, that's who did this: a nation state.

Hackers-for-hire group develops a new PowerPepper in-memory malware. I just like saying PowerPepper. But anyway, it's a brand new malware that was found by Kaspersky, by the DeathStalker group, and it's been hitting Europe and the Middle East since about 2012. It's now coming to an organization near you.

Organizations continue to get hit hard by cyber attacks, and that is the latest statistics: a quarter of global organizations were hit by seven or more cyber attacks in the last year, according to Trend Micro. That's not good, and the vast majority of those, 83 percent of those organizations, expect such attacks are somewhat or very likely to be accessible in the next 12 months. So a lot going on.

Hiding skimming malware behind social media sharing icons. This is a new thing, so now they're attacking social media and hiding skimming malware, and in conjunction with that, hackers hide web skimmer inside website CSS files. So be careful what you're buying online, because you never know.

VMware fixes zero-day vulnerability reported by the NSA. There was a zero-day, and I'm trying to group stories together, so: NSA: Russian state hackers exploit new VMware vulnerability to steal data. So one was posted on the 4th where they say it was fixed; the one on the 7th says that the Russians are now exploiting this zero-day, so perhaps everybody has not fixed it yet.

Payment card skimmer group using Raccoon infostealer to siphon off data, and they're creating fake web pages using messengelies and stealing data.

Ransomware attacks target backup systems, compromising the company insurance policy. This is pretty insidious. That's pretty smart: you go for the backup systems first, they're not noticed, destroy the backups, then go after production. Makes sense. So more case made for offline storage of backups as well as online storage. So remember those big old tape machines? May want to get another one.

Phishing campaign targets 200 million Microsoft 365 accounts. Again, Microsoft is in the crosshairs as usual, and that one's out there as well. Zero-click wormable RCE vulnerability reported in Microsoft Teams, so not only are they getting 365, they're going after Teams. Ransomware forces hosting provider Netgain to take down data centers, so now we're going after data centers. This has just been reported on the 24th and on the 4th. So a lot of things going on, not all of them good, but here's Lauro to tell you about some vulnerabilities.

Hold on, I got some questions. So was that DeathStalker crew, was that the name of that hacker group that released it? Yeah, so they're... it's Harry Potter stuff now. I'm just... okay, well, they were formerly called the Decepticons, so they updated to the DeathStalker group. So yes. Gotcha, okay. I'm pretty sure they're not complicated. Some very sophisticated... we're gonna get ourselves... I'm gonna shut up. DeathStalkers. Anyways, that's why I keep all, you know, recently I bought some 100 megabit zip tapes and I've got all my data on zip drive. So there you go, that's how you offline backup like a champ.

For vulnerabilities this week, I guess a big one to talk about, probably should be talked about, is the Fortinet stuff that got leaked out by the pumpedkicks hacker, who released almost 50,000 IPs, and some of the IPs have included gov sites, which is, well, okay. Anyway, so this is CVE-2018, and here's the kicker here, and I don't know if anybody noticed this. So this attack allows you to steal account names and passwords using the SSL VPN service, right, so any system with Fortinet VPNs that have that running. All right, let me back up. In any case, it's a pretty insidious vulnerability to have, right, because you're going to leak a username and a password that can then be used to log in by somebody. And so the CVE is 2018, right, for 2018, so it's been around a couple years if you haven't patched it. But here's the last part: it's 13379, it's elite. It's an elite vulnerability, it is indeed. I don't know if that's coincidence or not, or, you know, they planned that, but in any case, look, upgrade to version 5.4 or version 6. If you're below 6 you're gonna have problems, so from 5.4 to 6 you're gonna have issues, so upgrade; from 6 and up you're gonna be okay. And so that's really the big one.

Drupal's got some issues, Adobe's got some issues this week. If you're using Oracle, just like the last several weeks, they've really just been trickling out a bunch of random vulnerabilities. This is not anything injection based, but it's deserialization, so it's going to come up from a compliance perspective. So if you're running Oracle, make sure you get that patched. And that's it. But seriously though, if you've got a two-year-old SSL vulnerability, you probably should patch it, because you're no doubt on the list from pumpedkicks.

I wonder if he works with DeathStalker crew. I don't know, maybe you have to have Harry Potter names to work for their guys.
I didn't watch those movies enough. There was a guy named... how Slytherin to be in their crew. I don't know, maybe they have like a weird name. I don't know if they allow pumpedkicks. I like PowerPepper a little bit. Yeah, PowerPepper is great. PowerPepper picked a patch of pickled peppers. There you go, it's the full name. They're just PowerPepper for sure. Makes sense to me.

Well hey, let's talk about, well actually, an expansion on our previous conversation from last week. We talked about some cybersecurity industry challenges and the fact that it's a young industry and still trying to figure itself out, and that everybody complains about the lack of cybersecurity professionals in the country, which, yes, it's true, we need more. But very few people talk about the severe underutilization of security professionals, and kind of the big bureaucracies and the politics that they're caught up in, that are taking millions of valuable hours away from some very smart people in our country and elsewhere that are fighting against cybercrime. So we covered that last week.

Let's dive into some other topics here. So one is this kind of product and tool gold rush that's going on, and has been for the last couple years, where venture capital and different investment groups are just pouring money into cybersecurity tools and products almost blindly. So there's this kind of chase; it's almost like the dot-com era of "build a cybersecurity tool, you'll get rich." It doesn't have to be a good tool, it doesn't even have to work or provide any value whatsoever, but if it's got a cool name and brand and promises to do magic in your environment, then you could sell that company for hundreds of millions of dollars, and that has certainly happened over and over. Anyway, interesting dynamic on that. I think, you know, our approach is always: people are your most valuable asset. But I think a lot of the kind of unknowing people out there that are trying to secure their environments are caught up in this, and they're kind of in the sea of infinite tools and products and technologies that all promise to do great things, but they're missing a lot of the core elements. Any thoughts on that?

I wholeheartedly agree. Tools are not the savior. Sorry for you tool companies that are listening to us, but you know, you need a couple, we use them, but you can't just buy a tool as a company and then not do anything with it, or not fully deploy it. I can't tell you how many times I've been in a company and they have five different tools with redundant capabilities, and if they just took one tool and took it all the way out to its full deployment model, they wouldn't need the other four tools. But they're still paying for them. I mean, I went into one company that had a beta version of a very expensive software running in their environment, and they just kept renewing it, and they didn't have the logins for it, because the guy that used to manage it left and the guy that backed him up left, and they're just not doing it. So you really need to do a tools inventory, and you really need to decide what you really need, and then fully spell them out, or deploy them, as far as possible, because otherwise you're just throwing money away.

Totally. And a lot of people out there, technologies are probably side hobbyists, right? They do things like, how many chop saws would you have, right? How many chainsaws would you have? I mean, if you're cutting turkey, if you're making tree art, that's a different story, okay, so there might be some type of like, "hey, I've got like 14 chainsaws, what are they picking on me for?" No, I'm not talking about that. But I mean just in general of purpose-built items to have, right? I mean, you only have one microwave, right? We have one fridge. Well, I have two, because one's full of beer and other things, but it sits outside. Again, you know, you shouldn't stack your tools, right? And Mike, you're absolutely right, and you certainly see that a lot.

And I think the other thing that I see happen, right, for using technical professionals, is that there'll be a requirement, and it's like, "we've got to have cybersecurity," and they get whoever else to hire somebody, and when the person gets in, they'll basically bench them. You know, it's like they're on the team, they're in the jersey, but they're sitting on the bench, not really allowed to do a lot. They've been asked to basically do a limited amount of things; they're more for executive clout, of saying that we've done this, right. I recently did a pen test for an organization, and when I was going over it with the development team, the development lead said, "you know, it's funny, the last time you did this, you go, so we're kind of in an A plus," and I was like, "yeah, just like last time," and he goes, "you know, my boss, that's all he goes around saying." He didn't see the report, he didn't look at the report; all he heard was that we got an A plus, and he goes around saying "we got an A plus." And so it's literally like that, right? And I think a lot of professionals get kind of put on the bench, and that's just a waste of talent.

Yeah, you know what you could do if you didn't buy so many tools? You could actually afford to pay your security and tech professionals more, and get better talent and create a better environment, which would get a lot more done.

Sure, or you could use free stuff. I mean, you could also, I mean, that's a way to tell: are your professionals intelligent enough to securely deploy some of the free stuff out there? Like, I use Snort as an example, works for me, right? ModSecurity offers web application firewall profiles, okay, but it's not for the faint of heart, okay? You've got to have some engineering talent to go and deploy these tools successfully, but they're there. I think another one is OWASP ZAP. So if you hire a professional, the first thing they come to you and say is that... and so again, not talking crap about tool companies, but just looking at it from a business perspective, because cybersecurity has always been seen as a big cost department previously, so don't make it worse. Make intelligent decisions. So if you, as a new employee, come and say, "okay, all the stuff you guys had is not gonna work, we're gonna need these new tools now," any boss should question that type of rhetoric coming from a security individual that you just hired. So it goes both ways, right? It's like businesses think that in replacement of humans they can use technology, which, obviously we know that doesn't work, it's a waste of money, as well as hiring individuals and then not allowing them to do their jobs, again, another waste of money. And then hiring individuals that just want to come in and rip out stuff that's already working, probably without doing an adequate analysis and letting management decide, and then requesting a whole bunch of new money and new tools, should also be questionable, and it typically doesn't work either. Those individuals typically have a high turn rate, and they'll leave in a couple years, and you'll be in what you were talking about, Mike, right, where it's like everybody left and we're just running the beta.

Well, you and I have both worked at companies where the security professional is sidelined and is being dictated the security controls by some guy in sales and in product development, because they have to get to market and they have to satisfy this customer and they have to decide the other thing, and that's another problem. I mean, and outside of that, it's the "oh well, you guys don't make us money, you lose this money by making us secure." Well actually, a lawsuit over breach of data is going to lose your client a whole lot of money, and they ain't going to make us look good. You see a lot of that too, where the right people have to make the right decisions, and we're not seeing that in this market right now. We're necessarily in this market, but speaking of, like, 2020, we're not seeing it in the general culture of companies, and the security people are being silenced, almost sacrificed to the dollar, when in reality, in the long term, by not listening to security first, it actually makes things worse.

So they'll throw them to the lions the moment that something in the application's broken or gets hacked, or there's some company like SecurityScorecard comes along and finds some big weakness and flags you, right, as a high risk. Yeah, "why didn't you take care of this?" Yeah, exactly. And I think, you know, I think Zach would probably say, I'd have to put words in your mouth, but it'd be like, "they didn't market it right." Right, they should have marketed cybersecurity better, and then it would have been accepted a little easier in the process, right?

Yeah, well, you look at the CISO role, for both small and large companies, is a role that is still so critically important, because we're all relying on technology, but it's still kind of shunned. It doesn't hold the same weight in most organizations as, like, the CFO, or even the CIO, right? It's kind of just put down as more of an operational thing, more "just don't let us screw up too bad" kind of thing. But yeah, I think there's a lot of benefit there, but that's another problem: a lot of the people growing up through the tech world, to be able to kind of translate, you're so focused on the job and what it is that you're doing, to go back and think of it from a completely different angle, like a CEO might look at it or a CFO might look at it, is a hard thing to do, right, if you haven't been in their shoes. It's very tough. So I think there needs to be more education among cybersecurity professionals on translating the value of what they do across the organization. I know that's a big struggle for CISOs, but it's still one of those under-understood things, and then on top of that you kind of have that level of breach fatigue, like, "yeah, we've heard it so much, let's just stay quiet, we're going to keep going like we are."

And well, I had a CISO once tell me, in a really large organization, I had a lot of respect for him; he had a hard time, just like in any big company, there's politics, there's bureaucracy between departments. He told me, he said, "you know, CISO is one of those positions that has the illusion of influence and the absolute reality of blame."

Yeah, it's a thankless role. I mean, it is. It's like, it doesn't matter if you're doing your job, your security customers, right, which are typically employees, they'll shut you right out for turning off things that they were able to do, like administrative access, stupid things, right. They weren't able to run mouse jiggler anymore. I mean, who doesn't miss that? How dare you turn off FarmVille.
No, oh gosh, yeah. Speaking of that, I mean, there are a lot of assets, that example right there, you know, productivity can go through the roof when you turn off FarmVille. So, relating that all back to kind of how we started, the tools side of things: I mean, tools are critical, but I think a lot of organizations, I think it's human nature to want the easy way out, right? So when a certain solution is promised to you through a tool vendor, a product or service, that sounds like it's gonna make everything better, a lot of times that doesn't happen, but people jump on it because they want that easy button, like the Staples easy button. And so tools are so critical, right, we have to use and we have to leverage our capabilities with tools, and there's some incredible products out there that we use with clients all the time, so we're certainly thankful for them, and thankful for the people developing them. I'm just a little annoyed by the industry as a whole, because I think there's an overarching weight placed on them. And I look at it like, take it down to a simple fact, right: look at a bunch of soldiers on the ground in war. If you give a soldier a rifle and great training, that soldier is going to be extremely effective. If you give them three rifles and not much training, or not much direction or strategy, it's gonna be very ineffective, right, because it's just more crap to carry around. You can only really be proficient with one at a time, right? I mean, yeah, tools, you could use a handful, but that's just kind of an analogy that shows how we're looking at this, right? We can't just load people down, because most people aren't gonna have the capacity to run all these things anyway. So why not focus on the human expertise, really focus on that in the organization, the quality of environment for those professionals, and let them do their thing?

Yeah, and if you're coming in, do an accurate analysis of what tools are deployed, how maturely they're deployed, the return on investment that you feel like they're getting at the current deployment level, versus the cost of installing new tech, right, and make sure you're thinking about these things. And also, leaders, make sure you're remembering that having one guy run it all is not a smart move, especially if he or she's done a really good job of implementing the technology or technology set. Now you've got to back that intelligence up with at least two more. So think of that triangle: you've got to have a triangle of human backup and resilience and intelligence and engineering to front and adequately support any one technology you have in the organization that is the critical tech. So vulnerability scanning is an example, right, or a patching solution, right, whoever's managing Puppet. Yeah, that doesn't mean spend five hours a year looking over the guy's shoulders; there's job switching, right, where you change places, where he runs a tool or she runs a tool for a week or a month, you know, to make sure that they're proficient, should that primary get hit by a bus, or whatever, or COVID, or a COVID bus, or all three. Yeah, a bus with COVID, or gets hit with a DeathStalker crew, or maybe pumpedkicks kicks you. Yeah, or gets some PowerPepper pickled pepper patch. PowerPepper, yeah, the back of the bus.

Well, there's another issue too that we could spend many episodes on, but I figure we'll just touch on today, and that's, I call it the elephant in the room, right, and that is a cybersecurity industry issue: it's just the sheer volume of compliance requirements popping up. It's like the requirement of the week, almost. And that's just an interesting dilemma. I think they're certainly well intended, right, and I think there's a lot of great aspects to different requirements and a lot of brilliant people working on them, but from a business perspective it can be very, very hindering. Like, we've been getting a lot of outreach from kind of mid-market or smaller organizations about CMMC. You know, they're doing business with the Department of Defense, and the CMMC regulation coming out is just mind-blowing to them. Granted, we could argue that, yeah, NIST 800-171 has been a requirement for years now, and so they kind of should have known or started to align to it, but nobody really dropped the hammer on that, and so it's kind of just brushed by the wayside. So now CMMC. So that's just one example; I mean, there's certainly others with CCPA and GDPR as those came out. I mean, it's a big deal for companies. So I don't know what you guys think; my view is that you're kind of getting in the way of organizations. In one aspect you're making them do something, which is great for those that would otherwise not do anything, but it also is causing organizations with limited resources to decide, well, do I chase the framework of the week or the compliance requirement of the week, or do I align to an industry-standard framework and really build a holistic program? And I'm much more in favor of building a holistic program to secure your organization across the board.

No, I wholeheartedly agree with that. Yeah, you need to have a secure framework, a standardized framework, something based on the CIS, something of that nature, or one of the other many frameworks, to ensure that you are actually taking care of the company. The other thing is that I just ran into a client that had the continual confusion of "well, we're compliant with SOX, so that makes it secure," and it's like, no, that does not make you secure, that makes you compliant, right. So that's the next battle that needs to be fought as well, and that is, they have one sliver of their environment secured.

So it is kind of a ridiculous way of thinking, but you can't fault people for kind of just not wanting to understand. I mean, sometimes it's just a grossly large uphill climb to implement some of these programs in organizations that have just been led to be run amok, right? Where simple things, just like deploying a tech, like, they have a bunch of replacement tech for Active Directory if you don't want to deploy Active Directory. I'm not going to name-drop on here, but anyways, one of the more popular ones will use the local security policy on the boxes, Windows and Mac, which is cool, and you can do things that you could do in Active Directory with it, which is pretty awesome. But here's the catch: the individuals all register, so you have everybody's email, which is perfect, but in order to make a policy work you have to match a username to a machine name. And organizations that have hired individuals that don't know how to deploy one of these programs very maturely, they end up having the naming convention of all of the laptops and desktops all over the place, right? They didn't have any kind of standardized naming convention, it's just named like whatever. And so now what would be something that might take two hours to install along 100 machines now turns into like an eight-month endeavor of changing computer names. That's a good use of time. So yeah, PowerShell scripts, you know, you can't get the users to run them for you, and it's just, oh man. It's simple things, right, that'll bite you later. You're just like, why? Yeah, like in theory this should have taken a couple hours, but here we are eight months later. In theory the Death Star should have survived. I mean, technically it did, right? I mean, that's just what they keep doing over and over again: let's just build a super planet machine that has a giant laser. Why?

But since we're coming up on time, we'll wrap it up with this, and that is that for those people listening that really need to implement a security program for the first time: first of all, it comes down to people, right. Tools and technologies are great, they're helpful, but don't get overburdened by them. There's kind of a diminishing level of returns that occurs the more you stack on top of each other, so keep that in mind. And when you're building, when you're looking at all these compliance requirements, just remember that putting an industry-standard framework first and making that your priority, like NIST CSF or 800-171, 800-53, CIS Controls, is phenomenal, especially for smaller organizations where the other ones are less palatable. Those are all great frameworks to follow, and you don't have to reinvent the wheel, right? These things are out there. It's a prescription of "here's what you need to do in order to have a robust and acceptable cybersecurity program for your organization." So look those up. Again, NIST, you can search NIST frameworks, and then, or CIS Controls, Center for Internet Security. Take a look at those, follow their guidance, just pick one and run with it. If other organizations aren't imposing, or clients aren't imposing, a specific framework, they're all a great place to give you guidance. Again, you don't have to reinvent the wheel and make this up. There's no magic or secret sauce; that's all out there for you.

So one thing to keep in mind when you look at these frameworks: they look daunting, but in reality, if you're doing industry best practices, you may be already 60 to 70 percent compliant. Totally. Don't be intimidated by the spreadsheet. Yeah, you'd be surprised how many organizations we check that think they're in really bad shape, and they're really not that bad off. This isn't the mid-2000s anymore; a lot of the tech is somewhat secure out of the box, as long as you don't muddle with it, right. And to Zach's point, the frameworks are light. And also, if you're a contractor, like was said earlier, the new DFARS interim rule is out, so make sure you go and read what's required, their magic sauce, and that unfortunately is going to be required to have some form of a milestones chart with dates on your gaps. Keep that in mind: magical Plan of Action and Milestones, as prescribed by the Department of Defense. So yeah, it'll be interesting to see how many organizations come back with above a 70 on that, or request for extensions. Yeah, yeah, I'm going to guess that number's higher. Continue to extend and extend and extend until one day CMMC comes out.

Well, thanks again for joining us, everyone. Have a great week, and we will see you next time. Take care.