Episode #30 - Beware of these Top 10 Cybersecurity Myths

Zach and Lauro discuss 10 common cybersecurity myths that are causing business leaders to make poor decisions and making companies an easy target for cyber criminals. They clear up these myths and share how you can be better informed if you hear something that doesn't sound quite right. Learn about the most common cybersecurity questions on this week’s episode.


Pick up your copy of Cyber Rants on Amazon.
Looking to take your Cyber Security to the next level? Visit us at www.silentsector.com
Be sure to rate the podcast, leave us a review, and subscribe!



Welcome to the Cyber Rants podcast, where we're all about sharing the forbidden secrets and slightly embellished truths about corporate cyber security programs. We're ranting, we're raving, and we're telling you the stuff that nobody talks about on their fancy website and trade show giveaways, all to protect you from cyber criminals. And now, here's your hosts: Mike Rotondo, Zach Fuller, and Lauro Chavez.

Hello and welcome to the Cyber Rants podcast. This is your co-host Zach Fuller, and today I am joined by Lauro Chavez. Mike Rotondo is out on vacation. So Lauro, before we dive into our topic of the day, which is cyber security myths and dispelling those, why don't you kick us off with the news and the exploits?

All right, yeah. Thanks Mike, hope you enjoy your vacation. So for the headlines this week, a couple interesting things. Belgium's Interior Ministry uncovers a two-year-long compromise of its network. Belgium's Federal Public Service Interior has suffered a complex, sophisticated and targeted cyber attack. When Microsoft released out-of-band security updates for Exchange Server in early March that fixed zero-day vulnerabilities being exploited, basically they fell in line with this particular place, and it says here that the attack broke out in April of 2019, meaning that they did not exploit the Exchange flaws to get in. So interestingly enough, the complexity of this attack indicates that an actor who has cyber capabilities and exhaustive resources can perpetuate an active attack against the state, a nation state, Federal Service Interior. So interesting there. Again, I think we see that a lot, where a lot of organizations are breached, and they're breached for a long time before they figure it out.

Another one here: U.S. to regulate pipeline cyber security. The United States Department of Homeland Security to issue its first-ever set of cyber security regulations for pipelines, according to the Washington Post. News comes in the wake of the recent ransomware attack on the Colonial Pipeline that knocked operation systems offline for five days, triggering panic buying that led to fuel shortages in the Southeast. So I think what's interesting is that that 4.4 million ransom that was paid, you know, the SCADA network itself wasn't compromised. The pipeline, you know, operates on... this was a ransomware attack to the corporate network, but it was the fear of the unknown that caused the organization to turn the pipeline off. So I always think that's kind of interesting.
That's a great myth, and it ties in with today, because I hear a lot of people that say, oh, did you hear about the pipeline? The hackers shut it down. Right. Yeah, it's a greatness... just turned off their own button. Yep, yep. This one's busted. Yeah, myth busted.

So this is interesting too. This is basically titled Ransomware Unmasked, and so a dispute reveals the ransomware TTPs, right. And so here's a group, an actor offering to negotiate with victims, that has shed light on the rise of ransomware consultants. Interesting. Okay, this revealed the operational methods of ransomware hackers and what they use to get organizations to pay. So ransomware consultants research victims to gather intelligence for realistic ransom demands and conduct the negotiations on behalf of the ransomware group. The core reason that ransomware groups are looking for these types of services is that, all they are... they're proficient at gaining access to the victims and encrypting the data; they're less proficient at extracting ransom payments. As criminal profits from ransomware attacks grow to nearly 370 million in 2020, the ecosystem of accompanying services and actors continues to undergo greater professionalization. Interesting, right? They're looking for ransomware consultants, like the negotiators, you know, that will negotiate with the organization to get their data back. Weird. You think it's like you just go to ransomwareconsultants.com and put in your info and hire somebody? Yeah, yes. I pictured it in the movies, like, you know, two people have to meet and they're kind of in disguise, right, and they meet at a booth in a restaurant, and it's always like some diner that was built in the 60s or 70s in kind of a little bit lower-end part of town. That's how you meet your ransomware consultant. That's how you meet him there, yeah.
Over some cabbage rolls or something, you know. Anyway, the new Ponemon Institute study reveals cloud account compromises cost organizations over 6 million annually. Interesting. So cloud account compromises, right. And so Proofpoint, you know, a cyber security compliance company basically, and an IoT research organization released the results of a new study on the cost of cloud compromise and shadow IT. The average cost of account compromises reached 6.2 million over a 12-month period, according to over 600 IT and IT security professionals in the U.S. In addition, 68% of these survey respondents believe cloud account takeovers present a significant security risk to their organizations, with more than half indicating the frequency and severity of cloud account compromises has increased over the last 12 months. So interesting. So it illustrates essentially that leaving SaaS security in the hands of end users or lines of business can be quite costly. So yeah, if you can't secure your own prem stuff, it certainly doesn't make you qualified to secure your cloud account stuff. So, you know, super interesting that that's coming up, and it basically stated, magnified, is fewer than 40 percent of respondents that organizations are diligent in conducting cloud app assessments before deployment. Okay, this is mainstream news, if I were to repeat that, right: risks are also magnified as fewer than 40% of respondents say their organizations are vigilant in conducting cloud app assessments before deployment. You need to assess what you're doing before you deploy anywhere, right? I mean, there should be some sort of sign-on.

And last but not least, Iranian hacking group Agrius pretends to encrypt files for ransom but destroys them instead. So the group, in the combination of its own tool sets and readily available offensive security software, basically as a destructive wiper, or a custom wiper-turned-ransomware variant as they're calling it. Basically, the ransomware groups such as Maze and Conti... it doesn't appear that Agrius is purely motivated by money. Instead, they basically just like to destroy stuff. So, you know, this is really kind of cyber destruction, or cyber espionage, at its finest. So very, very interesting here.
And for exploits this week, I guess I'll jump into that as well. Thanks Mike. A couple WordPress things I want to bring up. If you're running the plugin Cookie Law Bar, make sure that you've got that patched. And if you're running the ReDi Restaurant Reservation plugin, there's a stored cross-site scripting as part of that, so make sure you're updating that as well. And what I want to bring up, that I haven't validated but sounds interesting, is that there are exploits listed for a COVID-19 Testing Management System 1.0. So this is used by hospitals and some of the test facilities that set up the testing management system for COVID-19. It's a patient database and accessing system, essentially, and there are a couple things: there's cross-site scripting for admin and a blind SQL injection with authentication bypass, which I think is interesting. So for those out there in the health management organizations, if you're listening, if you're using that COVID-19 Testing Management System, check what version you're running. 1.0 is vulnerable to a couple nasty things, and that should most certainly be upgraded. And that's it for exploitation and the news this week. Zach, what are we talking about?

Thanks Lauro. 1.0 is never a good version, so update, update, update.
Well, yeah, a lot happening. It's interesting how many of our, you know, myths actually came out in the news. So let's just go through here. I actually have a list of 10 common myths that we hear, that just come up in discussion, and nobody's fault, right? These are generally from people that are outside the industry, that are misinformed and make assumptions about things that aren't entirely correct. Now the problem is, making assumptions when it comes to cyber security oftentimes is what gets people breached. And so the first major assumption that we hear from a lot of organizations is that we're too small to be a target for cyber criminals. Why would they come after us? Why would they look for us? How would they even find us, right? Customers even have a hard time finding us. How would a hacker find us, the cyber criminal find us? But of course there's mass scanning, and it's not like they're just after you. Lauro, your thoughts on that?

Anybody, when you've got humans that are bored at work, probably, and if, you know, you're small enough to not have any web filtering controls, who knows what your humans are doing on your computer systems. And if you're touching the public fabric of the internet, just like you said, you're gonna get scanned. Your services are gonna get scanned. You know, they're actively looking for low-hanging fruit, and so, you know, typically these small organizations are prime pickings, because they're startups or, you know, in whatever case, they don't have a lot of the innate security controls they need, and they're just trying to get stuff out on the internet and get things running and their proof of concept. And so yeah, certainly a big myth. You will be identified eventually if you're doing anything DNS or public IP related, period, or if you have humans that are surfing the internet and they don't have training. Something eventually will default you.

Yep, and that means easy target. Well, the next target, number two, kind of dovetails off that: well, we don't have anything a cyber criminal would want. I've heard, oh well, we don't store credit card data or personally identifiable information or protected health information, right, so we don't have anything a cyber criminal would want. Right now, you got compute, you got money. Are you making money? Is the answer yes? And you're using compute, and the answer is yes? Then you're something a cyber criminal wants.

Yeah, and if you don't have money or compute, then you're right, you're actually right, you don't have anything to say. You don't have anything if you have to make no money, zero money, or zero computers, which is a rare type of business these days. But you're probably not going to be a victim in that case. Everybody else... everybody else has a typewriter, yeah. If you've got a typewriter and a five-and-a-quarter disk, nobody wants you.

There's probably somebody out there still after whatever information you're in, but maybe, if that's the case, you're in a really crazy, ultra-classified business that's so secret that you have to go back to the old ways of doing things, so the old intelligence community tactics, so to speak. But what is that, substitution ciphers on clay tablets? Is that what we're saying? Yeah, there you go, ROT13. Well, yeah, absolutely. You never know. I mean, it could go back to microfilm, and stuck in a bark chip that's dropped off in a planter box, you know, somewhere, and somebody else picks it up, and yep, that's how you're communicating now, because email's just not gonna cut it anymore. So if you're in that business, kudos to you. Awesome stuff. We have everybody else... intelligence, yeah. So that said, and if you're in that business, you've got a lot more to worry about than cyber criminals, like assassins and stuff. So anyway, I digress.
Number three: our IT team is responsible for cyber security. Oh, the IT team handles that. I'm sure they do, yeah. Not the case. Well, partially the case, sometimes the case. Best case, they've done a little bit right. They've not deployed things, you know, open-ended, and, you know, put management consoles public-facing and things like that. But typically, you know, and I think we talk about this a lot, they're busy doing day-to-day IT tasks, and cyber security not only does it require a secondary skill set, it requires secondary work, and a lot of your main IT ops individuals aren't going to have that type of cycle to do, right, or to carry out. So look, hopefully there's architecture involved and things have been put in mildly securely, but I wouldn't hold the task to them if they have an amount of other work, especially if you just have one IT guy.

Yeah, or like you said, I mean, different tools, different mindsets, different backgrounds. I mean, cyber security and IT both are such vast industries, vast subjects now. Nobody can be an expert at everything. So you can have, you know, brilliant IT people. We work with a lot of companies that have just brilliant IT people within their team, but they also recognize that, hey, this is where our skill sets combined kind of stop, you know, can you help us on the cyber security side? And then it's also, from an organizational governance perspective, it's checks and balances, right? You don't have your bookkeeper performing your audits, right? So why would your IT team do that for the security technologies? So yeah, great point, excellent discussion, you know. And I think that's one that we recognize as a myth, but a lot of organizations still live by that, that, oh no, the IT team is just going to take care of that stuff for us, right? And they do play a critical role in security, obviously, but there's certain limitations there. But we're going to take a quick break and come right back.

Want even more Cyber Rants? Be sure to subscribe to the Cyber Rants podcast. Get your copy of our best-selling book, Cyber Rants, on Amazon today. This podcast is brought to you by Silent Sector, the firm dedicated to building world-class cyber security programs for mid-market and emerging companies across the U.S. Silent Sector also provides industry-leading penetration tests and cyber risk assessments. Visit silentsector.com and contact us today.
All right, and cyber security myth number four, this goes right back to that news article you mentioned: we are using cloud services, so we're secure, we're all set, it's in the cloud, it's good, Microsoft's handling it and Google's handling it. What are most of the breaches that we investigate, what do those have to do with? I don't know, for some reason it seems like cloud environments. I don't know, cloud environments, yeah. So, you know, if you're... it's... I don't even want to do it. I just... I'm trying to talk. Can we just move on to the next? Should we just be on the next one? Okay. So it's already talking about it, cloud security, secure stuff in the cloud. You know, we're beating a dead horse here. We do hear smaller organizations say that, oh yeah, we're in Office 365, or all we use is, you know, Google G Suite and Dropbox, and, you know, QuickBooks is in the cloud, and we use Slack, you know, and so, oh, we're secure, we don't need a security program, we got those things and they just handle it. But that could be a whole... let's save that for a whole nother episode. Sometimes, yeah, there's a lot to unpack there.

There's a lot to unpack, especially when you're migrating stuff to the cloud. And I think, real quickly before we move on, we've assessed several organizations that have had a pretty secure, solid web app, and then they've moved it to Azure or AWS or something else, and the code base, you know, has to have alterations, which have caused some exploitable vulnerabilities that we were able to catch and they were able to fix. But that just goes to show you that you can't just migrate things to the cloud, right? There's a lot of things that change. There's a lot of security services that need to be checked, and that configuration, or the whole environment, needs to be validated.

Absolutely. Well, to be continued on cloud services. There are tremendous advantages to them, but we need to have a whole episode or five on just that topic. So the fifth cyber security myth, and by the way, these are in no particular order, but all of them come up. So the fifth is: I'm smart, I wouldn't fall for a phishing scam, right? That wouldn't fool me.
I fell for my own phishing scam, you know. Send out an internal email that turns out to be a phishing email, and yeah, you know, that brings up a good point. I mean, I remember a client that we did a batch of phishing tests for during the ramp-up of COVID, and they were, apparently, I mean, they looked to the users like they were internal emails coming from the president of the company dictating a policy. And what was our open rate on that? I think it was a hundred percent. Yeah, I remember, everybody. Now I will say we made the email look very convincing, but we had 100% clickability on that bait right there. All the fish bit on that one. That's what cyber criminals are doing now, though. They're looking, they're matching the signature blocks, they're matching the names, all that, even spoofing domains, all of that. I mean, it can be tremendously difficult to catch some of these; others look very, very legitimate. They'll do research on people and do more targeted spear phishing attacks, especially on security professionals, IT professionals, executives. They'll spear phish, and it's your cousin that you haven't talked to for a year, but you've been, you know, really wanting to do that next vacation get-together with their family or whatever. I mean, they can get very sophisticated, and their ingredients is getting a lot better now with AI than, you know, database stuff, right? So they're actually doing a good job now. They're harder to decipher. And, you know, the last person that we heard say that they were too smart to click on an email cost me hundreds of hours of my life in an investigation of the breach. That was somebody clicked on a $100 Amazon gift card. Man, it does happen. It was worth a try, right? It only ended up costing the company millions, but a hundred bucks on Amazon. So everybody's... I think none of us should say that we wouldn't fall for it. We could say that we're pretty confident in our abilities, but that being said, you never know what's out there, and there's other scams too. Think about this: vishing, elicitation of information, right? It's like the whole human intelligence world, right? I mean, there's people, I guarantee you, right now, nation state actors are getting people that live in the U.S. hired in U.S. companies where they want to gain access. So it goes much, much deeper than phishing. That's just the entry-level stuff, but it can get into a deep, dark world when you really think about the extent of what goes on, especially in a government realm, but also within the terrorism realm. So yeah, the new training is going to be like, how to know your co-worker is a mole. Yeah, yeah, exactly. That's excellent. We should offer that. Do we offer counter-intelligence courses for organizations? And everybody's watching out for each other, you like working in an agency. So the next, number six
here is: oh, a third-party provider is going to make sure we're secure, right? I have a cyber security company, it's a managed security services provider, MSSP, they're going to secure us. Obviously we wouldn't bring that up if it wasn't a myth. Yeah, absolutely. I think that the services need to be, you know, looked at. You know, making assumptions that, you know, on a limited statement of work, they're going to do everything for you and make you 100% is foolish to think, and even if they did, to consider yourself 100% defense posture is still foolish to think. Yeah, absolutely. And there are a lot of limitations there, right? So MSSPs can certainly have a place in a security program, but generally you have to think about the business structure, right? The business structure is generally selling tools, technologies, and getting those configured, plugging them in, monitoring those remotely through a SOC and such. But that's not a defense-in-depth program, right? It's not a holistic cyber security program. So there's a lot more to think about in terms of the strategy, the organization, the governance, the human element, the culture, right? All these things have to go into place, right? So it's not just a matter of monitoring dashboards remotely and you're secure. There's a lot more to it. And any organization that tells you they're gonna set you up and make you secure and do it all on their own, without your involvement or with minimal involvement, I mean, that's a bunch of BS, right? That just doesn't... unfortunately, that just can't be done. It'd be nice, right? But it just takes both sides to truly build a defense-in-depth scenario. Yeah, you wouldn't want that organization operating in a vacuum on your behalf anyway, you know what I mean? They need to, you know, make sure that they operate as a wing of the business, right? So exactly. We might even, if we power through, we might even get through all 10 myths here, and there are certain answers that these are top 10, but number seven: we're compliant with our regulations, so we're good, right? We're secure. Compliance is not security. Wrong.
Not... big, big red flag, right? Oh, we're HIPAA compliant, we're fine. Oh, we're PCI... yeah, to what scope? I always ask, right, what scope? To what scope are you PCI compliant? Is it the whole company, or did you limit it to scope, right? Or HIPAA compliance, the same thing, right? Is the whole company, every business asset, HIPAA compliant, or did you limit the scope to just, you know, these specific machines, right? I think that's a tall giveaway right there, when an organization has limited scope for a security framework and then kind of uses that as an excuse to be secure. Like, what do you mean scope? We use Stripe, we're good, we're secure. You know, there's a lot more there. Yeah, that's the thing to remember, and for those people who are seeing that, that aren't involved in the compliance side, remember compliance is generally focused on a specific segment of your organization, like PCI, or a specific data set like HIPAA, right, as protected health information, PHI. So that's what they're focused on. Even your other requirements like CCPA and such, GDPR, that's focused on your customer data, right? But it doesn't care so much about the rest of the organization, all the things that are required to operate that organization, for it to function. It's generally more data-driven, whereas if you look at a holistic security framework like a NIST CSF or CIS Controls or something like that, then you're looking at a broader security posture for the whole organization, and compliance will become a lot easier if you're aligned to a broader security framework.

So number eight: cyber security is confined to the digital environment, right? Cyber security is just digital, it's about digital things, which of course is not the case, because you have to have physical protection to protect those digital things, and humans are using those digital things and are known to screw up. They are. And it was funny, one of the news articles that I didn't bring forward this morning was about USB drops being back on the rise, which I think is an interesting thing, but I had to weigh the interest for the other stuff too. So I figured I'd fit it into this part of the myth, but that was part of the news segment from the headlines that we got, was that the USB drops are back on the rise, because humans are interested in what could be on there, right? Yeah, that's the old trick, to put a co-worker's name on it and write "private" or something like that, and somebody else will pick it up. You know, drop it in the bathroom or whatever, and people pick it up, and, oh, I'm going to snoop on Steve, you know, see what he's up to, right? All you have to do is label it "Snapchat stills" and then everybody will pick it up. Yep. And then the other thing too, you've got to think about physical security, right? We do these assessments where we go and look at the security program from a physical perspective, right? What can I get to while walking in the office? And a lot of times, you know, you can walk right into network closets and get connectivity. You know, there's wireless, right, that whole side of the equation as well, and ranges and such. So you have to look at your physical defenses throughout the organization, your awareness, right, of social engineering, physical intrusion type testing, that sort of thing. So there's a lot more than just, you know, your antivirus on the computers, and kind of limiting it to that. So of course any listeners with background and stuff will know that, but it's a common myth that we need to share with the world that isn't educated in these things.

Number nine: everything is hackable,
so we're just going to take our chances, right? Why bother? Why bother? The cyber criminals, I mean, they can breach SolarWinds, Microsoft, all that, you know, why should we even bother? But the reality is, yes, that's correct, but the why-bother part is because if you have a good security program in place, your damage is going to be limited and confined to a much smaller point, almost to the point where it's negligible, to, you know, the point of no damage, right? Plus, you owe it to your country, you owe it to your family, you owe it to your employees, and to, you know, the board of directors and the investors, to, you know, do your best job to, you know, secure your computing systems, right, as part of your business. So I think, you know, everybody's depending on you to do the right thing, right? So it's certainly not an excuse.

Absolutely, yeah. It's not just the soldiers in other countries, right, defending the U.S., right, that, you know, absolutely critical part, but we all have our part here within the U.S. to do this, to secure our systems, our infrastructure, right, because that can't be defended externally. We all have, I think, an ethical, moral obligation to do this. So do it anyway, right, even if you don't want to. But finally, number 10: how we see cyber security today
is how it's going to continue, right? You know, and of course that's not the case, right, because we have some big things coming up in quantum computing, for instance, that I think are going to be game changers. What do you think happened with quantum computing and with what's going on, in five minutes or less?

If five minutes or less, I'll do it in just a minute, because I think this is, you know, this is for a completely separate podcast. But I think the breakthroughs in quantum computing, and, you know, if you've played with the IBM Quantum Experience, I think you can understand the capability there with entanglement and superposition, and how that is going to translate to classic computing. It's going to essentially turn all this stuff into a dinosaur. You know, your fancy brand new Mac mini or whatever might as well be an 8-track tape at this point. And so I think we're seeing the dawn of a new computing, an evolution in computing, right, and what that's going to mean for cyber security is going to change a lot. I think the entire industry is going to change a lot, but what we know today is certainly changing rapidly, and as quick as we came into, you know, having phones on our wrists, right, in the form of the Apple Watch and things like that, I think we'll see quantum come into our lives a lot faster. So I think a lot of this is going to change.

Yeah, absolutely. Well, and not to be a fear monger or anything, but there's some things to consider, right, like our AES-256 encryption that, you know, people are relying on now. I mean, that could go right out the window. And who knows how much encrypted information is being just harvested and held now that potentially, down the road, could be decrypted with a quantum computer very quickly.

Well, that was the thing. Yeah, no, great point. You know, we've spent the last, you know, half a decade almost, you know, compiling massive databases, right, like Hadoop's famous for this, right, but massive, just massive amounts of data, because, you know, we collected it. We couldn't look at it at all, we couldn't parse it all at the time, but quantum is going to give us that ability now to be able to look through those databases and get data out very quickly and very efficiently in ways that, you know, we haven't been able to do before. And, you know, like you said, the encryption is going to have to change, as well as lots of other things. You know, I know everybody's got, you know, there's a cryptocurrency, you know, kind of world out there, right, where individuals have a lot of faith in blockchain, and when you look at how blockchain's developed on classic computing, you'll need a version of that for quantum if you expect to stay ahead of the game. Otherwise it's going to be on the same 8-track tape as everything else, right?

Yep, your old... your trust in current blockchain will be no more. But interesting stuff. I mean, that opens up a whole other can of worms. Definitely, and there's going to be a lot of infrastructure upgrades, I think, in our lifetimes, most definitely. So something to consider, something to watch out for. But that said, hope you enjoyed this episode about cyber security myths, and I hope we busted some of those myths for you, if you actually had, you know, been following those or thought there was some truth in them. And if not, keep these top of mind, because realize that people still think this way. So if you already knew all this, outstanding, but share it with the world, because it needs to get out there, because there's still a lot of people making very critical business decisions following these myths, and that of course makes them easy targets for cyber criminals. So Lauro, any final thoughts before we jump off here?

No, none at all, Zach. It's been fun. Everybody, enjoy the show today. All right, we missed you Mike, hope you're listening. Yeah, we missed your vacation. Yeah, I hope you enjoyed the show. By the way, the articles and such are being put on our website for the podcast, so just go to cyberrantspodcast.com, and you can see the article titles and links and such to those. And if you like the podcast, subscribe, reach out, let us know what you want us to talk about in future episodes and questions you have, and we are happy to address those. But have a great day, and we will see you next week.