Small-town street scene in Illinois American flag flapping in breeze by huge painted American flag fading from brick wall

Episode 6: Educating and Encouraging CyberSecurity

This Week: Internet safety at work can be tricking so Zach, Lauro, and Mike discuss how Cybersecurity professionals can be active with organizations in their cybersecurity approach, along with encouraging continuing education and participation by other employees in the workforce. Learn what it takes to develop a cybersecurity strategy today!

Pick up your copy of Cyber Rants on Amazon.
Looking to take your Cyber Security to the next level? Visit us at
Be sure to rate the podcast, leave us a review, and subscribe! 

welcome to the cyber rants podcast  where we're all about sharing the  
forbidden secrets and slightly embellished  truths of corporate cyber security programs  
we're ranting we're raving and we're telling you  the stuff that nobody talks about and their fancy  
marketing materials all to help you protect  your company from cyber security criminals  
and now here are your hosts mike rotondo zach  fuller and lauro chavez hello and welcome to the  
cyber rants podcast this is your co-host zach  fuller joined by lauro chavez and mike rotondo  
and we have a good show today continuing on the  methodology or the steps needed to take to build  
a proactive cyber security program but first  mike why don't you kick us off with the news  
hey good morning i've got uh some news here for  us today that um should be pretty interesting i  
stayed away from the election since we're tired  of talking about it uh first thing is that unc  
1945 a sophisticated threat actor using oracle's  solaris zero day exploits uh this exploit puts in  
backdoors into solaris servers which is uh great  news we found another thing to break another thing  
we have is sneaky office 365 phishing inverts  images to evade detection basically what's  
happening is images are being inverted in order  to get past um get past antivirus software um  
how to deal with escalating phishing threats  there's been 21 000 new phishing attacks a day  
they've moved beyond the simple corporate  email and civil credential stealing so  
it's becoming a huge huge problem uh toy  maker giant mattel disclosed a ransomware  
attack yep they're going after your  toys uh this is back in july that it  
actually happened but they're just releasing  it now um emote detection surge 1200 percent  
that's always good news um particularly hitting  the pacific area japan and australia are noting  
the largest increases but it's coming to the  us um bec attacks increased most industries  
invoice and payment fraud was raising by 155  percent uh that's always you know good news as  
well uh they're still going after the businesses  officer 65 is still the primary conduit for that
this is out of the arizona members alliance  china and other foreign governments are using  
professional networking social media sites  to target people with u.s government security  
clearances so uh they're tacking through linkedin  facebook etc uh so be real careful your social  
media this comes directly from the fbi uh the  fbi shares technical details on iran's fake proud  
boys and emails it's pretty detailed information  that the and i shared about how this is all done  
uh attacked attached to a ddus piece as well  uh so it's a it's a pretty good read wordpress  
has finally passed a three-year-old high sev  rte bug uh this is uh finally done it's been  
out in the wild for three years but wordpress has  finally patched it fishing gangs are using google  
drive to trick people into visiting malicious  websites uh this is found by tripwire it's an  
interesting read as well there's uh instructions  for this one coming out in russian and in english  
and that's all we got for today so lauro anything  up with you with with vulnerabilities oh yeah  
you know i don't think there's ever going to  be a week where i'm going to say no we have we  
have zero vulnerabilities but i think uh yeah so  certainly something important to talk about this  
week um and it's also interesting to note that  this time of year we always kind of see a ramp  
and the cyber initiated activities right where  everybody's doing more online shopping especially  
with coven people are not wanting to wait lines  at stores so there's a lot more you know i'd  
say electronic misbehavior happening during this  time of year so you know just just be wary of of  
the coupons and things that you you receive from  retailers and in your inboxes yeah make sure you  
validate those uh through the website before  you click and open those um so if you have an  
account you should be able to log in and see if  you've been credited with anything in any case for  
vulnerabilities it off i guess if you're running  firefox or thunderbird make sure that you uh run  
a patch there's some there's a big collective of  patches that are there out for these these pieces  
of software that are very common for web browsers  and email uh some pretty scary stuff in there but  
i really want to talk about the oracle web logic  server remote connect execution vulnerability  
uh uh unauthenticated mode uh so if you remember  maybe from october um oracle uh released  
essentially that that their weblogic server was  was vulnerable to to a pretty pretty serious  
uh attack scenario that was a proof of concept by  a researcher who goes by the handle of jang and  
essentially he was able to export the weblogic  server uh with one single http get request now  
at the time it was understood that there was an  authentication piece required for this and now  
it's been released anybody who has weblogic  explodes with the vulnerability still there  
is an unauthenticated capability to exploit those  vulnerabilities so if you're running weblogic in  
any form um you know get that installed i think  you know this is just a huge black eye to oracle  
but it should be right with one of their bolt-on  services um you know weblogic based on java  
and um you know following sdlc you know it's as  simple as that this is something that something  
this year should have should have been something  that was caught in development phases for these  
guys so i don't know that oracle is larger  organizations they are having excuse really  
to pull off something this large i mean it's just  as unexplainable as something from microsoft does  
like blue like the blue line of exploits um so  that closes it down for vulnerabilities this week  
um zach what we got all right well thank you mike  and lauro um yeah a lot of crazy stuff happening  
this year um it's it's interesting from our shoes  too in the business with silent sector we are just  
seeing a a massive influx of business this time  of year and it's it's always happened right i mean  
that's kind of q4 is busy for for everybody in our  industry it seems that a lot of cyber security and  
compliance initiatives get pushed to the to  the last minute right and then they need to be  
finished before december 31 uh 31st and there's  you know budgets budget restrictions or budget  
considerations around that and then at the same  time people are planning for next year so um yeah  
our series here is right out of our books our book  cyber rants you know of course available on online  
on amazon but this is right from the chapter  eight steps to implementing your cyber security  
program so for those people that are looking  to build a security program for the first time  
or just want some considerations to improve  what they have this is absolutely for you  
and uh think about this stuff as you go in to the  next year um you know where where can you improve  
or what er what items can you put in place to  start building a truly proactive and resilient  
security programs that's what uh today's about in  the last few episodes so the last few episodes we  
covered the first four steps uh of the eight steps  to implementing your cyber security program so  
step one uh just a recap for those just joining us  for the first time is to obtain leadership support  
right pretty pretty straightforward step two is to  understand your current risks and vulnerabilities  
step three define a path to a proactive posture  and then step four is build alliances across  
business units to facilitate change so today we're  in step five and six and step five is really have  
cyber security professionals educate employees and  allow for participation in cyber activities so in  
other words security professionals shouldn't be  just kind of working in a vacuum or working in a  
bubble in a dark room somewhere they should be  active in various areas of business helping to  
educate and power and train both technical and  non-technical people right it doesn't really  
matter because everybody in the organization has  some uh piece of the cyber security posture that  
they need to maintain regardless of what they're  doing and so we've talked a bit about training  
programs and such but in this part we go a little  bit more in depth in terms of getting getting with  
hr and connect to make sure the messages resonated  and so on um do you guys have any experiences you  
want to share on this or any any uh examples or  any tips that you want to provide our listeners
yeah sure i mean i think uh you know i'm sure mike  i both have quite a bit to say about this area um  
i think one of the one of the important things  to note is that that you know the message of  
security needs to be you know kind of you know  kind of echoed throughout the whole organization  
to be successful right everybody is on your  team right all the employees sales call center  
it doesn't matter um doesn't matter what  components of your business are there they're  
all part of the security team so um i think one  of the one of one of the most beneficial things  
i think i can talk about in in retrospect of some  of some time um spent in various places was that  
one of the one of the orders one of the  marching orders from cyber security and  
leadership when they decided to to you know have  that support for cyber security a program and make  
that pride throughout the organization they wanted  security now inserted into certain key pieces of  
the business so the business was writing you know  internal applications that were there were big  
massive enterprise level applications and so that  that architectural review for the web web app was  
you know had our had security architecture  that was that was represented in those meetings  
and you know in those whiteboard sessions where  they were talking about you know adding on new  
built on components or any custom enhancements  the customers will request and it also  
included a change review so if anything that  was happening in the organization from uh  
from a network infrastructure perspective or  any of the heavily heavy lifting middleware  
applications that were getting getting moved  around or moved about there was always some  
form of cybersecurity representation in  those conversations that were occurring  
um and so nothing was done in a vacuum now without  some form of cyber security component that had  
some form of consultative ability to say okay  that's great this looks good but you know let  
let's put in these security components that  come with the application or let's roll it  
into some existing network compartment that  we have that's already secured that's made  
for these sorts of tools right a shared services  zone or something like that um and then you know  
it it comes all the way out to um you know  this conversation where we're talking about  
you know even even the in incentivification  of being a being part of the program i think  
um mike wouldn't you say i mean i guess that's  what i had to put it right is it everybody is  
kind of part of this cyber recruiting program  and i guess there is some um there's some level  
of benefit to incentifying some good practices and  housekeeping that can occur in your organization  
for cyber security i don't know maybe gift  cards i don't know i've talked about that before  
but you i'll let you roll on your thoughts on  that part well i mean it's 100 organization-wide  
you know effort from you know your physical  security people to you know your ceos and  
etc i mean i don't i can't tell you how many  people i know that talk about how i had to go  
through that you know stupid security training  today or that stupid security onboarding stuff  
that we have to do every year blah blah blah so i  just click through everything and in reality there  
has to be a way to make it so it's i don't know  much more important much more personal much more  
um the employees have to understand and i  think what has to happen is you have to get  
away from the canned we went out and bought this  service and then we're going to replay the same  
you know powerpoint slides every year and then  you have to sign off with it so we can take the  
pic tick the box um that makes everybody  happy that we had security training  
and i think that's what the down one of the  downfalls is i think it has to be personalized  
for each company and it has so they have to be  able to call out you know we use xyz organization  
this or application and this is what we need to  do and this is why we need to do it and this is  
what could happen if we don't do it you know uh  lawsuits and you know against us and you know we  
get sued if we reach pi data and um you know if we  get sued this the financial impact of the company  
and the financial impact impacted the company  trickles down to the financial impact to you ms  
mr missus employee uh so that's that's really  where uh the emphasis needs to be and and i think  
when it gets personalized rather than it  just being some stupid corporate thing i have  
to do to keep my job and you know make  my manager happy um i think it'll be  
more effective so i think that's from a training  perspective that's what really needs to be seen  
and you know like i said we've seen too many  things where you're just taking the box so  
um and that's really that's really my feelings  on training and that's what i've seen too much  
of uh is that we have the training overloads there  was a large company international company that i  
worked at not literally the onboard training i  think it took us 16 hours to do two days worth  
because you had all this different ridiculous  compliance stuff of the hr piece for you know  
because we were international we had to  do the european and the asian and the us  
training in this game you know it's got to the  point where it's mind numbing so it all just  
gets lost and and i think it really needs to  be streamlined from a whole full perspective  
company-wise so i i think some of the the newer  products out there at least kind of making cyber  
security fun you know like you know like the no  befores and stuff you know they're making it where  
it's it's a little more interactive it's a little  more you know storytelling um it's a little more  
personalized i think from a real life perspective  which is you know i think helpful for people who  
wonder about this stuff and see this thing  you know happen and i always like to see the  
the reactions we get when we do uh when we do  a risk assessment and you know we get access to  
something and you know or we you know we're able  to infiltrate and again obtain access to something  
always the reaction of leadership people when  they actually see it happen or they can they can  
look through the video footage or they can look  you know look at the log files of the evidence  
screenshots and they can actually see it happen  and they're just like okay wow and it does change  
their perspective but um you know some i guess  it gets everybody racks in a different manner  
some some require that sort of a demonstration  and some you know come upon that like we know  
some of our clients right they see it before it  happens they're like okay we want to i want to be  
able to sleep at night i think we you know we've  heard that recently um and i guess that's a good  
segue to the to the next section right where we're  really kind of talking about that you gotta you  
know your strengths and weaknesses and recognize  shortcomings that's i think an important thing  
when you're trying to build this this  proactive plan is to always kind of have a  
status check on where the risks are right  what new changes are happening what new  
you know i mean just just the continual scanning  i think is is pivotal in making a huge difference  
but i mean you can't just scan you have to analyze  the scan you have to actually look at the data  
to understand what's happening right why  these things are happening why these things  
are occurring on the on the data that's coming out  of the scanner and then understand if any of these  
are going to expose the rest of the organization  based on how you build your architecture  
and so sometimes an answer is going to be yes  sometimes it's going to be maybe right with  
conditions placed right and then we're going to  have to go through are those conditions probably  
not so if you can just get in the basic concept in  this case of that continual vulnerability scanning  
in turn most most importantly external because  everybody's scanning you i think that's probably  
one of the the fundamental uh facts of being on  the internet of things right if you're connected  
you have a public presence doesn't matter if it's  a refrigerator um or you know a corporate oracle  
server running um running weblogic it's all  getting scanned right for for for those those  
scorecard companies like security scorecard and  and you know these these risks matrix companies  
that are that are scanning you and all the bad  guys so it's inevitable it's going to come up  
it's better that you know what's out there on your  public-facing pieces um first and foremost before  
anybody else finds out so when changes happen  if you're running scans nightly when the dev  
chaining makes the change you're gonna be able to  look and see if something else happened okay and  
you're going to get that scan in the morning and  come out you'll be able to have your morning news  
and coffee finger build look at that scan and say  okay what changed and if you whiteboard what's on  
there the important things it'll be a lot easier  to instead of you know building a complex pivot  
tables and things like that in your spreadsheets  it'll be easier order dashboard if you're not  
going to have a sim to look at this data it's  simple put it on a whiteboard and it could be just  
a whiteboard assist by you right i mean we're not  you don't have to be a a fortune 50 company with a  
massive massive dashboard capability and all this  log parsing where you can you know just look at  
a dashboard i mean that's great if you had that  sophistication you know let's say this but i mean  
you know i think a lot of the organizations are  probably not to that level and um whiteboard it  
look at it at least you'll be able to understand  what that um what that exposure is and then you  
can you can see what the changes are and i think  from there you can then look at the rest of the  
risk assessment but you know i'll always say  that just because of what what i what i guess  
what parts i play in in the organization so i  don't know exactly let's let's not forget too  
about the the strengths and weaknesses of the  team right because he really nothing happens  
in cyber security without the people behind it and  so um for example one of the things it will do for  
clients is go in and assess the the essentially  maturity level of the organization in comparison  
with the best in class for their industry and  create the road map to get there and support them  
so they can uh mature their security department  from within and it's kind of that that teach a  
man to fish concept right where they can go in and  learn to grow on their own and so that's another  
big piece right and that's a lot of a lot of the  struggle around building and maintaining security  
posture comes with the the struggle of finding  and retaining the right uh the right talent so  
that that can be a big shortcoming uh for a  lot of organizations so i'd encourage you to  
um look at both the technical aspects but also  the um certainly the human element aspects but um  
uh that said you know we're we're coming up  on time here but uh we know we'll leave it  
with uh ancient infosec proverb from the book  the cyber security program is either growing or  
dying there is no pause for stagnation and that  is the truth hopefully your security program is  
always continuing to grow and uh is not dying  um but until next time keep this stuff in mind  
reach out anytime you need any support you have  any questions just need a sounding board to let us  
know and uh thank you for joining us have a great  day