welcome to the cyber rants podcast where we're all about sharing the forbidden secrets and slightly
embellished truths about corporate cyber security programs we're ranting we're raving and we're
telling you the stuff that nobody talks about on their fancy website and trade show giveaways
all to protect you from cyber criminals and now here's your hosts mike rotondo
zach fuller and lauro chavez hello and welcome to the cyber rants podcast this is your co-host zach
fuller joined by mike rotondo and lauro chavez and today we're talking about the cyber security
even matter why do we care who cares you know do people care about cyber security we're gonna
unpack some of these things here and talk about what we see what's going on not only in the news
but just out there in the world the stuff that happens every single day that uh often doesn't make the news so we'll talk about that in just a moment but before we do mike you want to kick us
off with the news yeah so here's the headlines for today we've got some things from the feds going on
um there's a new bill to require cyber attack reporting in the u.s. senators on the homeland security committee have introduced new legislation last september as in last month requiring critical
infrastructure companies to report cyber attacks to the federal government within hours the bill also aims to mandate most organizations to tell the federal government as they make
ransomware payments if enacted the cyber incident notification act of 2021 would require critical
infrastructure owners and operators to notify the cybersecurity and infrastructure security agency cisa
within 72 hours if they are experiencing cyber attacks which is a loosely defined term but this
should be interesting considering sometimes it takes over a hundred days to determine that you've been hacked so uh yeah but i mean good stuff though right i mean that's not i mean i can't say
it would be a bad thing so you should update your incident responsibilities yeah it's just it's it's it'll be interesting to see how it's unworkable if anybody watching any of the hearings and
watching some of these senators ask questions they've got no idea what they're talking about half the time so that's my concern is that they're going to put together a law that is nonsensical so
true yeah i don't want to go down too too far down that hole but the facebook interviews were quite interesting us government mandating zero trust approach for software supply chains uh in the
wake of solarwinds attack last year the president used an executive order in may advocating for mandatory software bills of materials or sboms to increase software transparency and counter
supply chain attacks sboms are machine-readable documents that provide a definitive record of the components used to build a software product including open source software since the executive
order software makers and buyers have been trying to make sense of how sboms support supply chain security that would include yours truly cisa names three exceptionally dangerous behaviors
to avoid and i applaud cisa for this because they were so in-depth that we couldn't figure them out
uh not using mfa using default passwords and using end-of-life software i'm so grateful for
them telling us that apache just issued another emergency patch for exploited flaws it managers
hoping for a bit of respite after being warned to immediately patch their software earlier this week and it was actually last week are facing a fresh problem the previous fix didn't work as
advertised so there's another fix out there to solve that issue report online consumers not
taking cyber security seriously and i think we're going to talk a bit about this but bitdefender uh releases report that analyzed and dissected cyber hygiene practices employed by consumers that shop
online and their findings weren't positive they surveyed over 10 000 consumers in 11 countries and
they learned that online shoppers are largely reusing passwords across multiple websites over sixty percent of consumers have experienced at least one security threat on their smartphone
and nearly half american parents don't oversee their children children's internet activity lastly
data masking is the answer to a data breach according to blue brooks according to the stats the rate of data breaches is growing rapidly every year compared to mid-year of 2018 where the
number of reported breaches was up by 54 in 2019 combined data masking technologies with other data
protection techniques for example encryption data activity monitoring security information event
management and collectively implementing extensive data privacy protections it's an interesting read trying to sell you a product but it's interesting there's some interesting data in there there's
some additional headlines that we're going to post uh with the podcast uh thing on aws
there's more android issues the iranians are causing problems with some hacker hacking and
uh 7-eleven got breached with that lauro what do we got 7-eleven owned by the iranians
no they're collecting facial recognition without consent cost oh i thought it was the new
ransomware i didn't get my mountain dew i slurpee slurpee there my big slurp to tag along with your http server band-aid on top of a band-aid on
top of a diaper full of poo that would be apache http server and we do have an exploit for version
2.4.50 the path traversal and remote execution the rce has been modified to work on the version
again so please update to 2.4.5 immediately this exploit poc that has been validated by
several testers is available for all of you heads out there with metasploit pro or metasploit framework
which makes it even more terrifying so get that patched sonicwall sonicos 7 has a host header
injection that will get you owned so if you're running uh anything sonicwall sonicos 7 make sure
that you're updating that um and for everybody out there on solar winds pretty pretty interesting
solarwinds debacle here with an unquoted service path for one of the kiwi cattools in version 3.11
that poc is validated and available for everybody with metasploit so make sure that you are checking
that out and getting that updated zach that's all i have for exploits can we talk about are you sure
because i didn't hear i didn't hear wordpress in there no i'm not saying that word anymore
it's it's the unnameable good it's good it's kind of refreshing refreshing i'm sorry i brought it up
but it's okay yeah it's not as it's you know i have a little christmas tree that hangs in the
uh things in the toilet room and it says microsoft on it well well outstanding we are going to unpack
a topic here about about whether or not people care about cybersecurity about data protection
what we can do about it most importantly right before we dive into that though let's take a
quick commercial break want even more cyber ants be sure to subscribe to the cyber rants podcast
get your copy of our best-selling book cyber rants on amazon today this podcast is brought to you
by silent sector the firm dedicated to building world-class cyber security programs for mid-market
and emerging companies across the us silent sector also provides industry-leading penetration tests
and cyber risk assessments visit silentsector.com and contact us today and we're back so
riskiq is a company that puts out this report every year called the evil internet minute
it's been out for a little while but i thought it'd be appropriate to reference here in this
discussion because one of the one of the big metrics that goes by is the amount lost to cyber
incidents per minute and that amount the amount lost or this is for companies around the world
every single minute to cyber incidents is 1.8 million dollars so 1.8 million dollars
a minute is basically being it's worse than being flushed down the toilet right because it's going into the hands of cyber criminals and they're using that to
increase their capabilities right they're putting that money toward terrorism and everything else so pretty pretty bad stuff going on there's compromised records
525,000 compromised records per minute um there's 1,095 ddos
attacks per minute distributed denial of service attacks per minute they're organized organizations
victimized by ransomware six per minute every single minute so pretty crazy stuff i mean the
numbers speak for themselves but i'm curious to hear what you guys think do people care
are people still treating and based on your news article mike it sounds like some of the studies out there showing that people are just not with all the stuff going on they just kind of throw up
their hands and say oh well so does cyber security matter do our do our do what do our lives matter
get into some deep philosophical questions why are we here zach why are we here i think we're here
to do a podcast and i don't mean to be be a downer but the topic is i think it's a little unfortunate
you know i think it is unfortunate um yeah you know i think it i think it matters i think there's a i think it's a very clear one and a zero i don't want to get binary with everybody
but i mean it really does seem like they're there's really not that middle ground we we
i think we have speaking from our clients that we have clients right all of our clients care
but when we're talking with clients potential clients right that may or may not have the
privilege to work with us um they seem to be that it's either one or the other right they care or
they don't and it's very clear that they don't and they probably won't care until something happens
and i think it by nature right nobody wants to do services on your vehicle
until you get a warning light on the dash i was gonna say right why change the oil you know regularly why not just kind of just run it and run it and run it right who cares about
prevention if it's if it's still going just keep it going right i think that's a lot of people's a lot of people's mindset when it comes to their use of technology
but i think the problem is still this and we still see this as i don't have anything anyone
would want to steal is that attitude or who's gonna care about my password at my amazon account
and my old navy account and my you know fanatics account you know what if they break in so what
it's those kind of things that you know it's a fundamental misunderstanding and i think one of the failings is that cyber security training for work is not translating to home
and i think that's part of the problem from a consumer perspective is they're not putting one in one together they're not they're not translating those practices
they're forced to at work to working at home to their own personal lives and i think
if you if you put an emphasis on that for in your training that it would benefit the worker at home
as well in their personal life those numbers may drop to a certain extent on the other side
cfos running compliance and security and i.t projects are looking at dollars and a lot of times
the technological voices the tag voices don't have a say in the manner and they're looking at dollars
and cents and trying to figure out how cheaply they can get away with getting something done and
they're failing to see the fact that mitigating a breach beforehand costs x number of dollars
after the fact can cost 10 times x because of the reputational damage the
replacement of rebuilding of systems and the loss of client faith and i think you have to
take the dollar and cents you have to be able to translate the cost of security measures to
you know why this benefits a company to get through some of those accountant springs
yeah yeah that's very much very much what we see and i think that they see
you're right they see the cost but it that coupled with if they knew a breach was going to
happen this year and it was guaranteed this year i guarantee the the proactive cyber security budget
would would be in place right away but i think another another kind of misunderstanding that
leads to poor decision making is that well yeah you know it could happen but it's probably very
unlikely that it'll it'll happen to us you know um you know ever much less within the next 10 years
and i think that that's a lot of the a lot of the thought process it's well it's probably just not
gonna happen to us it hasn't happened before why would it happen now that's true i think there's a
lot of dunning-kruger effect happening right in in kind of both hemispheres of the business and
it always comes back to two things either a lack of knowledge or overconfidence, well, three things: lack of knowledge, overconfidence or a dollar problem
yeah you know what i mean um or you know i guess overstated confidence in their systems and i think
we see that a lot where they believe that they've deployed to a place where they're unhackable
right and then and then they have the kind of compounded delusion that well on top of that we don't have anything anybody would want i think there's those two things and and there
are certainly some very very very secure data and and there's some very well deployed architecture
however to you know think that nothing's undefeatable is well it's silly really um
especially with quantum computing um where it is today you know and so um we've
we've seen an increase in highly intelligent attacks carried out against organizations
well you can also yeah and add case in point the client just brought this up to us yesterday or the
day before camera which but remember the solution for getting rid of a hard drive drill hole through
it it'll be fine well now they're being able now they have technology out there that will now read a hard drive that just has something drilled through so people are going to great lengths
to steal data for a reason if they're going to that length to figure out how to reverse engineer
a hard drive that's had had a hole drilled through it to be able to pull that data yeah well i think
another another big misconception that we see um is that somebody else is taking care of security
right and that's that's another reason why it doesn't it sometimes doesn't get the budget it needs is because oh well we're in the cloud right we use office 365 or or and that's one thing but
when people say they use aws or azure so they're they're fine and and they're soc 2 compliant
it makes me cringe i think there needs to be a lot of education around why that is not the
case because you're in the cloud doesn't mean somebody else is taking care of your security for you yeah it's like daycare you know it's like do you just you know let anybody take your kids
sort of thing right i don't want this to sound like some circumlocution around um us you know selling services because what it doesn't matter if you use silent sector or
anybody else what's important is that you find some way to secure your business because what i guess what what we what the skin we have in the game is the same skin that every other american
has in the game is that the moment that you take this for granted and you have high confidence
over your systems unwarrantedly so because you've never done a pen test or a technical assessment of any kind and something happens and you have to pay ransomware now you've just hurt everybody because
now all the same criminals that are attacking everybody else and they get through to you because you made mistakes now they have extra ammunition and you know monetary specifically ammunition
to now front more attacks against everybody else so you perpetuate the problem when you pay out
and it's um and it's concerning and i think that's that's a large reason why you see this legislation
try to come in where they're talking about you know they want to know if you've paid ransom because they want to try to track this money back to a criminal central um or a set of of
cells that they can pinpoint to that are that are waging attacks against american businesses so by
you know by being by not being proactive and not taking this seriously you weaken the rest of us um
in in the same way that and i don't even get in that conversation but the same way you could have about a vaccine with a a malicious virus that's going around okay and the same argument that you
could put there right that the whole thing makes us all better in this case it really does because um you know we're wielding technology these companies are being allowed to wield technology
in a manner that is unfortunately not secure and it's causing all the rest of the company's harm and additionally it's not so much necessarily 100 of the time they're going to steal data there's an
article i came across i think it was last week but i didn't share it or i may have put the headline into the podcast was a lot of ransomware now is simply being implementing something to mine
cryptocurrency that's all they're doing with it they're just trying to create a breach a whole a website arrow yeah monero got nailed uh yeah i mean that's that's all
they're trying to do they're trying to use it to mine cryptocurrency so what they're stealing from you is your your compute power and they're you know which translates loosely
to your electric bill and all that kind of stuff right but in reality once they've established that to use you for mining cryptocurrency they already have a foothold
right exactly i'll put you in the i'll i'll just walk it through you real quick i'm going to break into your systems and i'm going to say okay what do i have options to is there data here that's
worth selling on the dark net no is there data here that i can use to get into other systems
and other individuals if the answer is yes no that could be good what else is here okay so let's say i don't have any of that data i'm just looking at you know some files and some emails
there's nothing really here tangible but there's compute there's compute and there's dependencies what is this organization dependent on oh they have a sql database i'll just lock that up and
then i'll ask for a ransom there's no data in it that i care about but i'll lock that up ask for a ransom in the meanwhile on these two um on these two dell deprecated edge servers i'm gonna
load some crypto ransomware that is gonna lock it and while it's locked it's gonna mine for monero or whatever other crypto i choose and it's simple as that it has nothing to do with what you do what
you're doing what organizations that you serve or what clients you have in some cases right that may
be the case but a lot of times it's opportunistic i'm going to come in there i'm going to be like what can i do here i need to make money this is about money this isn't about you know i don't like
what you're selling on the on the internet this is about coming in and getting money out of you this
is about if you don't have data that i can sell or reuse i'm going to drop some form of gear on here
that's going to misuse your technologies and i'm going to move on and hopefully you don't notice it that would be my my best case scenario here is that if if i know you don't have enough money to
pay a large ransom i'm just going to drop a bunch of of of miners on your gear and because you're
not smart enough to figure any of this stuff out anyway and users are going to complain about slowness and maybe you'll throw another server in for me to add more gear on later and i can just
continue to mine crypto on your hardware exactly it's a good idea to set up a honeypot with a fake
company financials file in it that shows 20 on the balance sheet so that they know
okay this is probably somebody that i don't want to demand a ransom from it's always worth worth
my time for the 20 bucks you know but uh it's as simple as that though really it really is
it's a game of economics right it's it's and it's no different it's the same thing with the war on drugs right i mean it's really about it really comes down to economics and so when we we make
um to dispel another myth right that that oh everything's hackable so why why bother right
well when we make it more costly for the cyber criminals um to do what they do um it's it's gonna
it's gonna hinder their business right so when their return on investment starts to go negative
well that's not a very good business to be in and they won't be in it for very long right so when it's harder for them to to get in actually make money out of breach in your environment that costs
them and so that's that's the name of the game and we need to look at it from the economic standpoint but let's let's talk a little bit i mean what do we do about all this because one of the things
and this is i don't know if i don't want to get too philosophical here but and maybe philosophical
maybe putting it that way as a stretch but i look at what's going on in the world um especially with
our you know the younger generations and stuff that are let's take tiktok for example not to
go too far down a rabbit hole but we saw through that that a lot of the younger people don't really
care about their data right they're putting it all out there anyway all their information sharing
freely kind of wide open economy um you know share or sharing economy i should say all this stuff
it's kind of been it's it's become more the norm and um how do we get them to understand that hey
you know giving um nation state threat actors a whole bunch of data about your personal life
is not maybe necessarily the best thing because if if we can't solve that right now i don't know that
the future generations are going to really care when it gets you know comes down to company data customer lists all that kind of stuff they're going to think oh well i don't care if people have
my you know information why why would anybody else care you know i think it's a it's a it's culture
shift that may be happening that we may need to correct and thankfully that's that's why we're doing this podcast and have our um you know 500 million listeners so we can make that change today
nice well i just did just to tie up the previous conversation with cyber criminal i think there's
a saying is that the the hungry human goes after whatever game he can catch or she can
catch right or we can catch anyways but yeah you know what i mean and so it it if you if it's hard
if it's hard okay you know it's hard to kill big game right and so you go after smaller stuff and
that's where you watch all these survival shows they're you know they're very seldom getting deer you know they're mostly for there's mostly mollusks and bugs and um you know so don't don't
be one of the um don't be one of the lower you know belly crawlers from a technology standpoint you know be an apex predator and if you're an apex predator um from a technology standpoint then you
can fend off a lot of lesser um criminals from their abilities to with their abilities to get
into your systems and cause you harm but how do we how do we make people care right so and
zach you mentioned tiktok just for those that don't know you know tiktok was you know it was dispelled as spyware for china and um i think that you know
however you look at it okay it's questionable software okay and and you're right people don't care they're putting anything that they want on there it's probably being leveraged for
machine learning right everything that every human does on there is probably leveraged to make the next robo um you know um i don't want to say the border here but you know
what i mean i'm saying that you know this is all going to go into some big learning program right some big data learning program all these videos and all the stuff everybody's doing and i think
it's a wonderful thing that everybody can share this type of creativity and close with one another
because i think that we should we should have that kind of liberty to to share this with everybody
right to share what we want with everybody and i want to say that share what we want with everybody that's where i think you draw that line is where people extract data that you're not aware of
or extract information from you that you didn't you didn't wish to provide right it's like coming
home and and you may have an acquaintance that you've met a couple times and they're sitting in your living room drinking your beer and you may like that person you're like you know i
invited you over here to drink beer with me but to come home and see you sitting in here drinking beer is just weird and and i think i already apologized i already apologize for that lauro yeah
look i'm gonna bring it up over and over again it's just weird all right like and so i think that's it if you've been wearing pants zach it might have been acceptable
that's exactly my point you forget one detail and you know you never hear the end of it no no no no
you don't in my underwear is even weirder okay so we don't need to get into this conversation
but that was just strange okay so yeah just remember you're clothed and fully clothed
and that might be okay but you know rhetorical side right i mean that that really i think is where you draw the line is where you willingly give this information versus someone you know
takes it um without your consent and that's the whole point of data privacy and and i think that
you know for the individual humans that own the right to their videos that they take and that they post on tiktok that's certainly one thing right but for the organizations and the companies
that have that data and use it to sell you stuff and use algorithms to you know pitch types of
things your way it's their responsibility to make sure that you have their consent to use that data
in that method and that they were protected with that data it you know just as you know
you take your car you drop your car at the shop you wanted to take care of your car you don't want to get it back with scratches and dings all over it right i mean that's just
basic expectations of a service related industry you want your food to come out with no hair on it i get that right i mean everybody should get that this is just the same thing
and i think the way that you resolve it really is with unfortunately is going to have to have some legislation but cyber insurance i think is a great way to resolve it it's required to drive
and operate a dangerous piece of machinery well your technologies can be dangerous especially if they're getting used to attack other technologies that americans are using or to mine in their data
so you know where's where do we draw the line to say that if you operate technology in a manner that stores data that you need you must have cyber insurance
yeah and then cyber insurance is going to require you to have you know a modern car with wheels and all that kind of stuff right that's the good thing i think about cyber insurance because even
though it's a reactive measure um the insurance companies are getting better and better about
asking you know doing more sophisticated security questionnaires which is which is
awesome right it's just to be able to get the insurance in the first place i think they've that certainly helped um the the problem that people face with the compliance stuff though
is that it's generally you know it's focused on one type of data or very industry specific it's not all-encompassing of their organization so a lot of companies still have it wrong they're
still chasing one compliance framework to the next rather than building a holistic security practice
and i think that just takes education right especially at the leadership level the executive level i mean i mean i think we really need to have more technology education from from the beginning
i mean from kids at school and stuff i mean yeah you know they might learn to type or whatever but
it's it's they're not learning the fundamentals of how their devices work and talk to each other
and that sort of thing so i think that can be tremendous another another thing that i would like to see as far in the education realm is the more data we can collect about on the breaches
and activities and what's going on and share kind of the some of the figures from the evil internet
minute report but if we were able to have more specific data by location of companies by industry
company size all of that and really break it down to a more granular level we could make it
hit closer to home with and i know that they're getting better but still a lot of that data is
very loose and it's it changes depending on where the source is and all that so we could get a more
definitive uh or better system of defining costs of breaches where they're happening where they're
the most likely average down times all those things and help people understand that for their
specific business then we get away from the broad kind of mind-boggling numbers we get down the
specifics and that way the cfo for example could say okay well i can pretty much guarantee that if
i don't do this in the next five years i'm gonna have to spend x amount of dollars and they'll have that figure dialed in much with with a lot more specific information so i don't know how we
how we do that uh by any means are people that are a lot better than me when it comes with you know data aggregation and all that but i think that that would be tremendous because
people got to wake up to what's going on and dollars and cents helps them do that
yeah it does yeah unfortunately well you know they're wielding you know it's it's just like uh
you know they can get a driver's license where you can drive a car if they're driving school we have organizations that can spin up these technologies on cloud infrastructure on a whim and just
use them you know it's like oh i got this code that this somebody wrote me i'm just gonna you know get somebody to put it up here and i've got now i've got this business and you know if you
market anything right you can gain trust and you can get people there and it's just kind of like a
you know it's just waiting to happen sort of thing it's uh unfortunately it's a sinkhole right it's
it's that you know it's there you have specific equipment to see it and it's just a matter of time so yeah i think hopefully cyber insurance will will help help people put at least
some proactive measures in place good stuff today any final thoughts ideas any any ways that we can
change the world today in this episode love one another that's for sure i love you guys anyways
no nobody can't i think we i think we i think we uh i think we kicked around a lot today
well yeah i think i think it is important but for those of you listening if you have ideas if you have thoughts if you have um questions for us please go to cyberrantspodcast.com and
send them in send them our way or reach out on linkedin and then also all the news articles are
posted the links to the articles and stuff on cyberrantspodcast.com pages so you can go look
through all the episodes um there's a lot of good stuff there and uh by all means let us know what
you want us to talk about future episodes uh we're interested in and what you're interested in we're here to here to kind of give back and and spread some good knowledge around so
reach out and have a great rest of your day thanks for joining and we'll talk next time
pick up your copy of the cyber rants book on amazon today and if you're looking to take your cyber security program to the next level visit us online at www.silentsector.com
join us next time for another edition of the cyber rants podcast