Small-town street scene in Illinois American flag flapping in breeze by huge painted American flag fading from brick wall
 

 

Episode #71 - Managing Cybersecurity in a Changing Economy

Inflation and other economic factors are affecting companies large and small. Some organizations are cutting budgets but still have security and compliance requirements to maintain. This week, the guys discuss what organizations can do if they need to reduce spending, how to get the most bang for your buck, plus mistakes you don't want to make during turbulent times. 

Pick up your copy of Cyber Rants on Amazon.
Looking to take your Cyber Security to the next level? Visit us at www.silentsector.com
Be sure to rate the podcast, leave us a review, and subscribe!

10103417-small

Send Us Your Questions & Rants!

welcome to the cyber rants podcast where we're all about sharing the forbidden secrets and slightly embellished truths
about corporate cyber security programs we're ranting we're raving and we're
telling you the stuff that nobody talks about on their fancy website and trade show giveaways all to protect you from
cyber criminals and now here's your hosts mike rotondo zach fuller and lauro
chavez hello and welcome to cyber ants podcast this is your co-host zach fuller joined
by mike rotondo and laura chavez and today we have a little bit of a
different type of topic that i think is very valid right now so
we've been in this long long run up in the economy which is great um and the tides are turning right and as they
always do it's all cyclical right there ups and downs and my humble opinion i think it's been inflated far too long
but that's another maybe another topic uh what we're going to talk about today though is for those
companies out there that are being a little more tight with their budgets um those those technology leaders that are
um you know getting requests from the executive team from the board to
be a little bit more stringent and reduce their spending so we're going to talk about that what we need to do to
reduce spend where you really get the most bang for your buck in terms of cyber risk management and what areas you
can kind of set aside or postpone for a little bit so we'll dive into that but before we do mike why don't you kick us
off with the news morning and welcome to the news uh for all those of you that are living the casual life
flaws of smart jacuzzi app can be exploited to extract users data so be careful with your
intelligent jacuzzi researchers have identified vulnerabilities in jacuzzi brand llc's
smart tub app web interface that can reveal private data to hackers security
researcher and ethical hacker from eatonworks has identified a security flaw on the smart tub feature of the app used in the hot tubs manufactured by
jacuzzi the flaw exists in the app's web interface and as per the researcher it allows a threat
actor to view and abuse the personal data of the hot tub users no reports of
anybody being cooked or boiled some of the data that can be provided is first and last names email addresses view
details of every spot check its owner and remove their ownership which might mess with your warranty furthermore he
can also view user accounts this is a little closer to home mitel zero day used by hackers and suspected
ransomware attack hackers use a zero to exploit on linux based mitel my voice voip appliances for initial access was
believed to be the beginning of a ransomware attack the vulnerability lies in the mitel service application appliance component of my voice connect
used in sa-100 sa-400 and virtual sa allowing an attacker to perform a remote
code execution in the content service of the appliance mitel recently was exploited by threat actors for high
volume ddos amplification attacks the new report by crowdstrike the company says that a zero-day remote code
execution spawn now tracked as cbe 2022 29499
is rated as a 9.8 which is a critical for those of you trying to hire according to the fbi stolen pii and deep
fakes used to apply for remote tech jobs federal bureau of investigation warns of increasing complaints that cyber criminals are using american stolen pii
and deep fakes to apply for remote work positions the remote work or work from home positions identify these reports
include information technology and computer programming database and software related job functions the fbi
said notably some reported positions include access to customer pii financial data corporate i t databases and or
proprietary information so do those background checks new phishing message method that bypasses mfa using microsoft
webview 2 apps a new phishing technique uses microsoft edge webview 2 applications to steal victims
authentication cookies allowing threat actors to bypass multi-factor authentication when logging into the
stolen accounts the new attack is called 2 dash cookie stealer they could have
been more creative with that and consists of web view to executable that when launched opens up a legitimate
website's login from inside the application uh the the story has all sorts of cool graphics in
there take a look at that but it shows you what it does but using this technology apps can load any website into a native application and have it
appear as it would if you had opened it in microsoft edge this is reminiscent of something we used to do to abuse
internet explorer where you'd create a fake google page and then implement a iframe behind it you can control the
computer from there be careful lockwood 3.0 introduces the first ransomware bug bounding program lock bit ransomware
operation has released lock bit 3.0 introducing the first ransomware bug bounty program and leaking new extortion
tactics and zcash cryptocurrency payment options with the release of lockpit 3.0
after beta testing for the past two months with their new version already used in attacks the operation also introduced the first bug bounty program
offered by ransomware gang asking security researchers to submit by reports in return for rewards ranging
from 1 000 to a million dollars so you know at least they're uh becoming
more professional there's a couple of hacks things you want to be aware of latest open ssl versions affected by our
memory corruption microsoft fixes bugs that let hijackers hijack azure linux clusters
and the evilnum hackers return the new operation targeting migration org so there's a there's a bunch of stuff out
there uh but you know i think the most important thing we have to take away is uh make sure you secure your jacuzzi all
right laura any vulnerabilities yeah we've got some certainly got some vulnerabilities with exploits this week i think it's so interesting that some of
these brilliant cyber criminals will work you know for for thousands of hours to come up with just a very very clutch
you know hacker tool and they're like what do i want to call it and let's call it jerry you know i mean it's
always something random that doesn't even meet the amount of work that that went into the product so reference to
your cookie stealer uh so for exploits this week got two things and i think this kind of fits in line with with you know part of the
topic that we have today with with economic changes and and companies are looking places to better spend their money
um they're looking for places to you know maybe cut down on some of those costs well that brings us to today with
the qdpm which is a free web-based project management tool that is
something that businesses are using to you know probably give them a more cost effective
affordable way of doing project management however if you are using qpdm be careful because there is a remote
code execution vulnerability with an exploit payload that's been tested and verified for that product so if you are
using that uh ktm version 3 i believe this infects all the way up to version 9.1 so keep that in mind and then moving
on to other um other i'd say budget to base tools pandora fms is a
network management tool that allows you to do lots of things logging aggregation
network monitoring things like that like so for device and host monitoring again pandora fms has a remote code execution
for it so lots of companies if you go to the the fms pandora site you'll see that they've got some really big names that
are using their brand of tools however this remote kit execution is going to going to cause problems for version
seven all the way through version seven four two so if you've got pandora fms and
you're leveraging that for your infrastructure awareness make sure you're patching because there are
payloads out there available for this remote code execution and they are unauthenticated so with that zach what
are we talking about today inflation there's a lot there's a lot to talk about it'll be interesting to see where this goes but uh
long story short there's it's no secret right tides are changing stock markets been
been dropping um you probably those listeners you probably see that in your own portfolios right and and um if you
have a big crypto portfolio it's definitely dropped so um that being said
a lot of companies are looking at this and saying okay well tides are changing time to be a little bit more conservative as it always happens right
so there's going to be a little bit of a knee-jerk reaction oh no change is occurring and then we settle back into
kind of your normal life even if it's a down economy um you know i don't think
anybody anticipates another great depression although there are the the doom and gloom people out there that
always think that but that being said we're going to talk a little bit about where can we cut budgets where can we
um spend our money to get the most out of it and we're going to dive right into
that after a quick commercial break want even more cyber rants be sure to
subscribe to the cyber rants podcast get your copy of our best-selling book cyber
rants on amazon today this podcast is brought to you by silent sector the firm dedicated to building
world-class cyber security programs for mid-market and emerging companies across the us silent sector also provides
industry-leading penetration tests and cyber risk assessments visit silentsector.com and contact us today
and we're back with the cyber ants podcast let's dive right in with the changing economy if you are a
technology leader or even just you know just business leader in general you're looking to be a little bit more tight
with budget or really get the most bang for your buck when it comes to cyber risk management let's talk first
about your top priorities what do you need to focus on first what are those things that
are are inevitable that you got to do no matter what goes on in the business environment
any any uh lists i'm not necessarily looking for a list but any any thoughts on you know kind of what's the first
thing that you would you would consider so good question zach what what services that you've got cyber security specific
right that are you know because i think that's kind of the core of our topic today cyber security you know processes
that you know you need to do better spend on there are i think there are a few processes that are occurring that
are vital to you know the security posture and risk reduction of the organization and those are things like
internal and external vulnerability scanning and your penetration testing and and all of the you know kind of proactive
uh tools that are that are maybe in place today that are providing you a purview of your your overall risk i
think those are probably some of the most important things to keep on and then i guess you know i don't know there's there's compliance and issues
mike what do you think well you can't cut back on compliance i mean you just can't period end of the
story um even for those uh compliance frameworks like hipaa that don't mandate
an annual annual cyber annual risk assessment
they do mandate risk assessments or analysis of the framework
but they don't mandate an annual one the industry expectation is that you do do
an annual one for hipaa uh pci annual sock two annual you really don't have a
choice so inside of those regulated structures you have to ensure that
you're still maintaining all of those things that make you compliant even pausing them for three months or six
months to save money in the short term will cost you more money in the back end
when you go to that audit and and really there's other things you can cut
uh before you cut cyber security and i'm not just saying that because that's what we do it's too critical and and also if you
look at the environment around us i mean that fbi alert that we had in the beginning in the news talking about how
they're using deep fakes now to fake remote workers you have to be diligent in your employees you have to keep your
employees and as a matter of fact uh for you smaller to mid-sized companies you need to invest more in
your employees right now because they're just going to get picked up by a bigger company that has a deeper pockets if you don't
so if they're worried about their jobs they're going to bail and you know that's just the way it is
yeah and i'll just i'll add to that there's according to that cyberseek there's almost 800 000
available cyber security positions across the united states alone so it's it's you know i'll agree with
mike it's very important that you you you know treat your all of your your technical personnel really well during
this time i think when you know when when companies are
investor heavy right they've got you know angel investors and they've got investment dollars coming in to fund the
business that the very first place they try to cut is usually people right and i think
you know we've we've even seen some of that they try to you know shorten their development team or you know their technical team
and just keep in mind that the individuals if you're cutting people to to make the numbers meet
um you're probably not going to be able to get those people back a shameless plug cyber security can be helped by by
silent sector if you are short on people but just anticipate that who you let go
today you're probably not going to get back tomorrow when you need them because the industry is rampant with open
positions right now and if you if you bail on your employees and they
and you you you reduce your manpower they're probably not going to come back and when things do ramp back up to
normal as zach said this is cyclical so when things come back and you're going to be trying to hire up people you're
not going to be able to find them but that is i think where uh you know again shameless plug where
companies like silent sector can assist is that fundamentally we're more cost effective
than you know managing a whole team of cyber security professionals but that's not necessarily what's best for your business so keep that in mind
yeah i mean when the bob show up and say they're gonna you know let go of your key developers and hire some interns and
you know farm some of it out to singapore that isn't the best plan for you for most cyber security perspective
especially if you're dealing with deep fakes in the u.s who knows what's overseas so you got to be very trusting
in your security and the last thing you want to do in a challenging economy although we're not officially in a
recession is give an excuse for someone to go somewhere else
if there's a if you get breached if you have a problem if you have downtime due to ddos or whatever
people are just going to shop you somewhere else so cyber security will actually investment making you more stable secure sound will
make you money in the long run zach you've talked about this was it cyber security risk to revenue or something like that yeah you know i think um well
you're absolutely right i mean when the bob's come in and say what would you say you do here
that's you know i'm a people person i deal with the people so well that's
going to drive drive people away and and you're right so the risk to revenue methodology absolutely this is this is
going to be a time so one keep your people right that's kind of the bare minimum if you have
talented technical or security professionals keep them uh if you don't
hey guess what might be a good time to get some right because they're leaving these jobs that are saying oh we you
know you're you're pretty low on the totem pole and we don't really appreciate your skill set right i hate
to say it but that's how a lot of employers are treating their people and and they're leaving so this might be
a good opportunity for you to snatch up some good some great talent out there for your team with that if you are in an
organization that does not have the capacity capability or you're cutting spending and you need outside help still
an organization again shameless plug like science sector comes in what we do is we work with organizations to really
use cyber risk management as an asset to grow revenue especially those b2b companies
landing large enterprise contracts after the big fish this is a time
in the market that uh i've really been waiting for i'm excited about because this is a time that's
going to differentiate companies this is going to to separate the winners from the losers right the ones with the best
services are gonna succeed the ones with good reputation are going to succeed the ones that have just been floating by
because you know people have been throwing money at stuff as in the in the climbing
economy um those are going to go by the wayside and so it's an excellent time to be in business and and make smart
decisions so i'd say you know i'll echo that obviously compliance of course i mean it is
compliance and guess what nobody's going to say oh well you know maybe you didn't make make your revenue numbers last
quarter but so you don't have to worry about compliance this quarter you know there that doesn't happen unfortunately
it's just that just the nature of the beast and those requirements are only getting more stringent but the um the other side of
the coin is well now you can start differentiating yourself from your competition showing a higher
level of service a lower level of risk to your your organizations that you're working with and your prospects and
they're going to be more likely to move forward with you likewise as these large enterprises
cut their budgets a lot of times what they're doing makes more sense for those for those of
you who run software as a service companies out there you probably have a solution that saves them money right
over having a whole team of people do something maybe you've developed a product that solves that problem
whatever the case is well this can be a good time to step in and use that to your advantage so i'd say you know with
with cyber risk management um know where your risks are right
keep your people and then use that to your advantage as we move forward but let's just say let's just get down into
more we're talking a bit strategic let's talk a little bit at a tactical level if you have to cut budget within your
let's take a framework like in any framework a nist or cis and you look at the controls
that are in those frameworks are there certain areas where you could say maybe we could
postpone or we could delay for a quarter or two in in these areas
that are not compliance related or maybe not um you know requiring a huge staff
to run centralized logging comes to mind for me where you're doing log aggregation
sometimes those projects can can be very very long and very complicated and
i think that's probably one of the places because logging is occurring right it's just not it's not being
centralized off host so those are probably um areas that could
be you know pushed back and postponed for months that won't really cost you a lot of proactive security right
proactive risk reduction logging is typically more reactive you
get a log event after something's occurred so it's great for forensic investigations but it's if you're
looking at you know ways to to you know keep to keep the risk reduced but also you know
don't strain your budgets and you're you're in the middle of maybe looking at those projects or forecasting
for centralized logging to to meet nist or or anything else pci
that's probably a place that i would recommend that you could you could push that off for for a quarter pretty easily
and not not reduce the overall um you know security posture of the organization
that's an interesting point so focus really more on shift more from the proactive and reactive side and maybe
weight the proactive side much more heavily than the reactive i i would certainly yeah
well then keep in mind threat actors know you're cutting right so they're going to get more active
and they're going to be probing for it so it's not to use scare tactics but you know if you're going to pull back your
defenses and consolidate and you know pull people off the line for lack of a better word
they're going to find those holes and so if you do something like oh we're not going to be scanning or we're going
to skip the pen test this year or we're going to do that that's all going to that's all going to create risk we're
not going to apply these patches we're not going to do this you have to keep your hygiene going
um you know and if i had to say you know where to cut i'd say cut your hr department so
and outsource it to someplace else [Laughter]
hr legal yeah yeah i mean that can all be outsourced
middle middle management's also coming to mind too right yeah exactly how many supervisors do you need i mean do you
really need eight different bosses to tell you about the tps reports
yeah i'm going to need you to fill out those tps reports before you leave for the long weekend this weekend
did you get that memo uh let me get you another copy of the memo so
you make a good point mike i think to use an analogy you know wolves wolves are going to look for the weak the weak
part of the pack right and that's how they're going to attack they're going to isolate the you know the the elderly you
know game and their or the young game and they're going to they're gonna go after that and that's exactly what's
gonna happen here and so you know to i guess to tie on to what mike's name if you're if you're looking
for places to cut make sure you're looking you know internal right you know internal organizationally that that
aren't a direct support to the risk reduction of your organization right so
like mike said you can't you know all these frameworks are or are you know i don't want to call them perpetual
motion machines but they essentially are they're forever machines once you start doing sock 2 or pci or nist or hipaa
assessments an internal audit those things don't stop you have to measure yourself continuously year after year
and then you're doing readiness assessments during that year to get ready for the next one and so those are places that for that that that
compliance hygiene and that that cybersecurity hygiene you can't really you can't really ignore those things because they will cost you in the end so
you know i'd look i look at other inner departments that that may you know they they facilitate a you know
a need for the business of course right but are they stopping are they stopping the wolves from from taking out your crop i
mean that's really the the answer that you need to come to right what what's
what's playing a major role in the reduction of a risk for my company and what's not and i think that's that's a better way to look at cutting costs for
cyber security especially if you're getting asked by investors to you know make the numbers meet better
and then for you engineers out there i actually have two points here uh companies will cut
the top salaries as well as junior employees so there may be actually a talent pool out there because the top
sellers sometimes go and they're like oh these guys are higher priced we can fold this down to the lower price guys
so you're going to have that gap in there that's going to create weakness as well in companies so you need to be able be
cognizant that you can't cut all your senior people senior people you're going to go find a job somewhere else without a problem
anyway but um you know so that's that's something to be keeping an eye on for the talent pool
for those of you that are in that engineer position that are um out there and they're concerned about
your jobs some advice from someone who survived the downturn of the dot com and the 2008
stay an engineer don't go into management stay an engineer keep your skills strong
and frosty and just keep working on that because you always need the guys to dig
the ditches and and to do this you know and and to do the proactive cyber security you
don't always need management i can't tell you how many friends of mine um [Music]
that went into in the early.com here i went into the director's positions and managers positions and all that kind of
stuff as soon as that dot com bubble burst they're unemployed they're working at burger king do you want fries with that
you know that whole nine yards i stayed employed i bounced from contract to contract to contract
actually increased my income because my technical skills are solid i wasn't looking for you know management or
titles but you know stayed strong on those things and that's how you survive something like this
so if the downturn goes hard you know i'm not saying that we're gonna head for that i think we're a long way from there
that i'm not trying to forecast him and gloom i'm just giving some advice of that that's how you stay relevant
yeah stay technical no that's i think that's really sound advice mike and i'll echo that if you're if you're an
engineer out there make sure you stay technical i would i would you know even you got to think if you're getting a you
know 20 000 pay raise to go into management that really doesn't amount after taxes to that much money more
money not for the risk that you take to your you know to your future
and you know to the to the current to the current job market engineers again are always going to have
work and and if you're you're thinking about going to cyber security or you're even part of an it engineering team
that's been coined cyber security right because they can't afford to hire cyber security so they're they're dual hatting your your i.t
engineers as cyber security engineers as well that's great because like i said you know there there are almost 800 000
available jobs in the united states for cyber security professionals um that's i
i want to say it's something like 25 to 30 to one right now jobs for one qualified individual
so you know if a company doesn't see if your company in this time and they're trying to make numbers meet right i
don't want to call it neo-capitalism but if they're if they're looking at the numbers and they're not caring about their people then you know hold your
head high and you'll have no problem going to find another job someplace else and then yeah what what will happen is
mike and i can tell you they'll they'll let you go and then they'll they'll beg you to come back in three months and you
know just you know you'll already have a happy life by then so i wouldn't worry about it thanks for the memories
stay technical and stay classy that's that's that's a good tip now the other
if i if i were to pull out my crystal ball here and look
you know a couple months down the road if companies are
laying off people cutting budgets for cyber and for risk management in
general the attackers are like you guys said are going to be
taking advantage of that full advantage of that in which case it's going to hurt those companies more when they get breached
and many of them will go out of business i mean that's just that's just the reality
of the beast depending on what goes on with it you know that economy and all that stuff right so
um it's so business leaders are forced to make this decision because right now they're considering this kind of
state of financial risk right if we didn't meet our sales numbers if our customers are slashing their budgets
what do we do so i would just urge people to remember
that the cost of a breach is exponentially more than the cost of
proactive cyber security so when you're weighing when you're factoring that in think about your
your your financial risk not only in terms of revenue generation from your
current client base or prospects or you know people in the pipeline but also the
what if this highly likely attack occurs right and because we're seeing it all over i mean
it's happening all the time and um unfortunately it's causing a lot of harm
to companies as more and more organizations are breached our our
ransoms are demanded or wires are sent out that aren't recovered whatever the case may be that's going to
leave a smaller pool of course for attackers to go after therefore more heavily concentrated on
certain types of organizations and um therefore doing more
putting more effort into attacking those organizations so it'll be interesting to see that's that's doom and gloom i don't
think it's really going to go to that level but uh if it were we always think of you know primary alternate
contingency and emergency plans right what's our pace plan what is you know what do we do how do we account
for these what ifs and that's just something that goes through my head from a business leader's perspective you know
how do we think about financial risk as a whole and how do we factor in cyber security to that i think it's
important thing to think about i don't have all the answers for you but something to something to reflect on
yeah and and share with us in the comments you know if um if there's you know you ideas or
thoughts that you have based on the topic today but you know to kind of circle back about the proactive things you know continual patching and scanning
has to be done if you're if you're reducing software development or you're reducing it engineers
you've got to think that your business runs on these technologies that are out on the public public-facing internet and if you don't have developers to do
software checks for updates that are getting put in if you're reducing those teams that means you're reducing the
quality assurance that's occurring before changes happen and if you're reducing the quality assurance before
change is happening you're pushing changes that haven't been thoroughly vetted you're going to you're going to
accidentally put something in place that's going to be a straw hat and it's going to cost the business so
while those people you know again you know sometimes you know big investors they
don't care they want to see the dollar amounts they don't understand that they have more to risk when they reduced when they reduce team
members but um you know those proactive those proactive um
activities that are occurring the continual patching and continual vulnerability scanning software
development lifecycle um you know initiatives that are that are looking at at quality assurance of the code before
it goes into production those are necessary necessary processes
that that actually real in real world time reduce your risk right by having an
extra set of eyes looking at the code just in case somebody made a mistake if it gets pushed to production i guarantee
you someone's going to find it and you can you can listen to the news every week with this podcast and the exploits
that we give and it doesn't even it doesn't even touch the number of items that are there that are coming out on
the on the you know the world wide web of things of companies getting hit and software getting plugged um simply
simply because of of mistakes that humans are making and the other mistake that you'll make is reducing your your manpower force
and thinking that you're gonna still have the same results uh with security posture that's unfortunately not true
and don't go to uh wordpress to save money on your website either yeah
sorry we've gotta i've gotta i've got a wordpress plugin that'll replace you you
know it'll get hacked but it'll replace you well
yeah i mean of course we don't have all the answers for everybody but hopefully this helped people understand really
where the necessities are and what to focus on at least on a high level as well as at a
little bit at a tactical level where you can focus your time and efforts kind of what's truly important
and i think the reality is it varies for every company out there so we can't possibly
uh tell you specifically what's right for you unless you know you reach out and we we have
that discussion but for every organization will be a little bit different but we hope this helped you at
least start to think about these things and and plan for contingencies plan for
um if if revenue numbers aren't met if budgets are slashed what do we do what's
important where do we focus so hope you enjoyed this episode mike laurel do you have any final words of
wisdom before we jump off here cut your hr department
tell us how you really feel mike cut your hr department leave your engineers in place they're the ones that
are keeping your business well there's a lot of things that you can outsource before you cut your
internal i.t resources and no one's going to care about your internal ic security more than your internal i.t people
you care more about your stuff than other people do regardless of what they may tell you so
right and you know keep those people in house and keep them happy and uh
you know invest in them during this time because they'll feel valuable and trusted and
empowered um as opposed to cutting things you know um yeah if you want to get rid of the
snacks in the break room everybody's got to understand that right we can all afford snacks but you know
just raise the prices to the soda machine you know make it five bucks for soda instead of 50 cents or whatever but
like maybe you only have the margarita machine on thursdays and fridays instead of five days a week i don't know
yeah yeah exactly yeah and check out your executives aren't making like ridiculous travel you know uh you know
ridiculous travel expenses you know you know living living these crazy lives right flying back and forth on the
company plane things like that but you can outsource your hr and accounting and and all kinds
of uh legal and everything else but yeah don't don't get rid of the don't get rid of your engineers that are that are
actually helping keeping everything together that'd be the worst mistake they're gonna be the hardest hardest to
replace it's going to be tough but the other thing too is there are a lot of companies that are just doing awesome and there are a lot of companies that
are really going to do great um regardless of the of turbulent times or
whatever's in front of us you know i mean nobody can really really forecast the future but um i'd say use this to your
advantage get out there land enterprise contracts find out where they're cutting
costs and where your tool or product can help and um step in and and make it
happen reach out if you need anything and um thank you for listening to the cyber
ants podcast comment let us know what you want to hear about what topics are of interest and please rate and share
the podcast so we can get the word out to more people our mission is really to help companies all over the nation all over
the world really better secure their organizations better protect their employees their customers our
stakeholders everything we need to do that we're in a big big fight against cyber crime here
so thanks for being part of that and helping out and we'll see you on the next episode