Small-town street scene in Illinois American flag flapping in breeze by huge painted American flag fading from brick wall

Episode 9 - The Cybersecurity Gold Rush

This week Zach, Mike, and Lauro rant about the pitfalls of the "arms race" of new cybersecurity tools. The team also talks about the best cybersecurity practices and why cybersecurity is important for businesses. In addition, they propose strategies for evaluating and implementing cybersecurity tools with a holistic approach instead of chasing the shiny new products that promise to answer all problems.

Pick up your copy of Cyber Rants on Amazon.
Looking to take your Cyber Security to the next level? Visit us at
Be sure to rate the podcast, leave us a review, and subscribe! 


welcome to the cyber rants podcast where we're all  about sharing the forbidden secrets and slightly  
embellished truths about corporate cyber security  programs we're ranting we're raving and we're  
telling you the stuff that nobody talks about  on their fancy website and trade show giveaways  
all to protect you from cyber security  criminals and now here's your hosts mike rotondo  
zach fuller and lauro chavez hello and welcome  to the cyber rants podcast this is your co-host  
zach fuller joined by mike rotondo and lauro  chavez and uh it is a beautiful friday on the  
the morning of this recording we are excited we  we pray that our voices would be heard that the  
truth would come out with  with great might and success  
yes that yes that our voices would be heard and  that we would change the world of cyber security  
forever next we move on to our beloved  co-host and of course anchorman with the news  
mr mike take us away just a warning there have  been no chemicals ingested other than caffeine  
prior to the recording of this podcast i i did  have two cups of tea non-caffeinated tea this  
morning so i'm a little a little wired it was  peppermint peppermint it's getting crazy sorry  
i'm not commenting on your beverage choices  all right news of the day hey the big news is  
unauthorized access of FireEye red team tools yep  FireEye got hacked uh they believe it's a nation  
state that did it i'm going to point east and  perhaps it was true because only a nation state  
could have taken fire down right now yeah it's not  some guy in his basement wearing this hoodie with  
the tinfoil on the windows and mom bringing him  in stoppers like twitter it'll be some 14 year  
old like you said sure he had a really good script  so anyway according to FireEye that's who did this  
i'm nation state packers for hire group develops  a new power pepper in memory malware i just like  
saying power pepper but anyway it's a brand new  malware that was found by kaspersky by the death  
stalker group and uh it's hitting europe in the  middle east since about 2012 it's now coming to  
a organization near you organizations continue to  get hit hard by cyber attacks and that is latest  
statistics a quarter of global organizations were  hit by seven or more cyber attacks in the last  
year according to trenton micro that's not good  and the vast majority of those 83 percent of those  
organizations expect such attacks are somewhat or  very likely to be accessible in the next 12 months  
so a lot going on hiding skimming malware behind  social media sharing icons this is a new thing  
uh so now they're attacking um social media  and hiding skimming malware and a lot and  
in conjunction with that hackers hide web skimmer  inside website css files so be careful what you're  
buying online uh because you never know vmware  fixes zero day vulnerability reported by the nsa  
there was a zero day um and i'm trying to try  to group stories together so nsa russian state  
hackers exploit new vmware vulnerability to steel  data so one was posted on the fourth where they  
say it was fixed the one on the seventh says that  the russians are now exploiting this zero day so  
perhaps everybody has not fixed it yet payment  card skimmer group using raccoon infosteeler to  
sign up siphon off data and they're creating  what uh fake web pages using messengelies and  
stealing data ransomware tax target backup system  compromising the company insurance policy this is  
pretty insidious that's pretty smart you go for  the backup systems first they're not noticed  
destroy the backups then go after production  makes sense so more case made before offline  
storage of backups uh as well as online storage  so uh remember those big old tape machines  
may want to get another one official campaign  targets 200 million microsoft 360 365 accounts  
again microsoft is in the crosshairs uh as usual  and that one's out there as well zero click  
wormable rce vulnerability reported in microsoft  teams so not only are they getting 365 they're  
going after teams ransomware forces hosting  provided net gain to take down data centers so  
now we're going after data centers this has  just been reported on the 24th and on the 4th  
so a lot of things going on not all of them  good but uh here's lauro to tell you about some  
vulnerabilities hold on i got some questions so  was that death stalker crew is that was that the  
name of that hacker group that's released in yeah  so so they're it's harry potter stuff now i'm just  
okay well they were formerly called the  decepticons so they updated to the death  
stalker group so yes gotcha okay i'm  pretty sure they're not complicated  
some very sophisticated we're gonna get  ourselves i'm gonna shut up death stalkers  
anyways that's why i keep all you know recently i  bought some 100 megabit zip tapes and i just have  
i've got all my data on zip drive so there you  go that's how you offline backup like a champ  
for vulnerabilities this week i guess a big one to  talk about probably should be talked about is the  
uh the fortinet stuff that got leaked out but the  pumped kicks hacker who released uh almost 50 000  
ips and some of the ips have included gov sites  which is well okay anyway so this is cve 2018 and  
here's the here's the kicker here and i don't know  if anybody noticed this so so this this attack  
allows you to steal account names and passwords  using the ssl vpn service right so the or any  
any system without any fortinet vpns that have  that running all right let me back up in any case  
it's it's a pretty insidious vulnerability to have  right okay because you're going to leak a username  
and a password that can then be used to log in  by somebody and so the cve is 2018 right for  
2018 so it's been around a couple years if you  haven't patched it and but here's the last part  
it's one three three seven nine it's it's elite  vulnerability it is indeed i don't know if that's  
coincidence or not or you know they planned that  but in any case look upgrade to version five four  
or version six if you're below six you're gonna  have problems um so from five four to six you're  
gonna have issues so upgrade from six and up  you're gonna be okay and so that's really the  
big one drupal's got some issues adobe's got some  issues this week if you're using oracle just like  
the last several weeks they've really just been  trickling out a bunch of random vulnerabilities  
um this is not anything injection based but it's  the sterilization so it's going to come up from a  
compliance perspective so if you're running oracle  make sure you get that patched and that's it but  
seriously though if you've got a two-year-old ssl  vulnerability you probably should patch it because  
you're no doubt on the list from pumped kicks  i wonder if he works with death stalker crew i  
don't know maybe they wouldn't have maybe you have  to have harry potter names to work for their guys
i didn't watch those movies enough there was a  guy named how slytherin to be in their crew i  
don't know i don't know maybe you they have like a  weird name i don't know if they allow pumped kicks  
i like power pepper burst a little bit yeah power  pepper is great power pepper picked a patch of  
pickled peppers there you go it's the full the  full name they're just power pepper for sure  
makes sense to me well hey let's talk about  well actually an expansion on our previous  
conversation from last week we uh talked  about some cyber security industry challenges  
and the fact that it's a young industry and  still trying to figure itself out and that  
everybody complains about the lack of cyber  security professionals in the country which  
yes it's true we need more but very few  people talk about the severe underutilization  
of security professionals and kind of the  big bureaucracies and the politics that  
they're caught up in that are taking millions of  valuable hours away from some very smart people  
in our country and elsewhere that are fighting  against cyber crime so we covered that last week  
let's dive into some other topics here  so one is this kind of product and tool  
gold rush that's going on and has been for the  last couple years where venture capital and uh  
different investment groups are just pouring money  into cyber security tools and products almost  
blindly so there's this kind of chase it's this  uh almost like the dot com era of build a cyber  
security tool you'll get rich it doesn't have  to be a good tool it doesn't even have to work  
or provide any value whatsoever but if it's got  a cool name and brand and promises to do magic  
in your environment then you could sell that  company for hundreds of millions of dollars and  
that has certainly happened over and over anyway  interesting dynamic on that i think you know  
our approach is always you know people are your  most valuable asset but i think a lot of the a lot  
of the kind of unknowing um people out there that  are trying to secure their environments are caught  
up in this and they're kind of in the sea of  infinite tools and products and technologies that  
all promise to do great things but they're missing  a lot of the core elements any thoughts on that  
i wholeheartedly agree tools are not the savior  sorry for you tool companies that are listening to  
us but you know you need a couple we use them but  you know you can't just buy a tool as a company  
and then not do anything with it you can't fully  deploy it i'm gonna i can't tell you how many  
times i've been in a company and they have you  know five different tools redundant capabilities  
and if they just took one tool and took it  all the way out to its full deployment model  
they wouldn't need the other four tools but  they're still paying for them and i mean i mean  
i went into one company that had a beta version  of a very expensive software running in their  
environment and they just kept renewing it and  they didn't have the logins for it and they just  
because you know the guy that used to management  manage it left and the guy that backed him up left  
and they just don't you know they're not doing  it so um you really need to do a tools inventory  
and you really need to decide what you really need  and then fully spell them out as far as or you  
deploy them as far as possible because otherwise  you're just throwing money away totally and a lot  
of people out there probably you know technologies  are probably side hobbyists right they do things  
like how many how many chop saws would you have  right how many chainsaws would you have i mean  
if you're if you're cutting turkey if you're if  you're making tree art that's a different story  
okay so right there might be some type of like  hey i've got like 14 chainsaws what are they  
picking on me for yeah um no i'm not talking about  that but i mean just in general of purpose-built  
items to have right i mean you only have you  only have one microwave right when we have  
one fridge well i have two because one's full  of beer and other things but it sits outside  
again you know you're not you shouldn't stack  your tools right and mike you're absolutely right  
and you certainly see that a lot and i think the  other thing that i see happen right for for using  
technical professionals is that there'll be a  requirement and it's like we've got to have cyber  
security and the portal you know get it or whoever  else to hire somebody and when the person gets in  
they'll they'll basically bench them you  know it's like they're on the team that  
we're in the jersey but they're sitting on  the bench not really allowed to do a lot  
you know they've been asked to basically do a  limited amount of things they're more for more  
like executive clout of saying that we we've done  this right um i recently did a pen test for an  
organization and when i was going over it with the  the development team the development lead said you  
know it's funny the last time you did this you go  so we're kind of in an a plus and i was like yeah  
just like last time and he goes he goes you know  my my boss he's like that's all he goes around  
saying he goes he didn't see the report he didn't  look at the report all he heard was that we got an  
a plus and he goes around saying governor applause  and so it's it's it's literally like that right  
and um i think a lot of professionals get you  know kind of put on the bench and that's just it's  
a waste of talent yeah you know what you  could do if you didn't buy so many tools  
you could actually uh afford to to pay your  security and tech professionals more and  
get better talent and create a better environment  which would get a lot more done sure or you could  
use free stuff i mean you could you could also  hire i mean that's a way to tell is like are your  
are your professionals intelligent enough to  securely deploy some of the the free stuff out  
there like i use snort as an example um works for  me right mod set offers web application firewall  
profiles okay but it's not for the faint of heart  okay you've got to have some engineering talent  
to go and deploy these tools successfully but  they're there um i think another one is the  
OAuth zap to it so if you've got if you hire a  professional the first thing they come to you and  
say is that and so again you know not talking crap  about tool companies but just looking at it from a  
business perspective because you're cybersecurity  has always been seen as a as a big cost department  
previously so don't make it worse make intelligent  decisions so if you you as a new employees come  
and say okay all the stuff you guys had is not  gonna work we're gonna need these new tools now  
and you know any boss should question that type  of rhetoric coming from a security individual that  
you just hired so it goes it goes both ways right  it's like businesses think that in replacement of  
humans they can use technology which is a  obviously we know that that doesn't work it's  
a waste of money as well as is hiring individuals  and then not allowing them to do their jobs again  
another waste of money and then hiring individuals  that just want to come in and rip out stuff that's  
already working probably without doing an an  adequate analysis and letting management decide  
um and then requesting a whole bunch of  new money and new tools should also be  
questionable and it typically doesn't work either  those individuals typically have a high turn rate  
and they'll leave in a couple years and you'll be  in what you were talking about mike right where  
it's like everybody left and we're just rooting  you in the beta well you and i have both worked at  
companies where the sales profi- or the security  professional is sidelined and is being dictated  
the security controls by some guy in sales and in  product development because they have to get to  
market and they have to satisfy this customer  and they have to decide the other thing and  
that's another problem i mean and outside of  that it's the oh well you guys don't make us  
money you lose this money by making us secure  well actually a lawsuit over breach of data  
is going to lose your client a whole lot of  money and they ain't going to make us look good  
you see a lot of that too where you know the  right people have to make the right decisions  
and we're not seeing that in this market right now  we're necessarily in this market but speaking of  
like 2020 but we're not seeing in the general  culture of of companies and that you know the  
security people are being silenced in the in  the almost sacrificed to the dollar when in  
reality in the long term by not listening to  security first it actually makes things worse  
so they'll throw them to the pit too to the right  they'll throw the lions the moment that something  
in the application's broken or gets hacked or you  know there's some company like security scorecard  
comes along and finds some big weakness and flags  you right as a high risk yeah why didn't you take  
care of this yeah exactly um and and i think  it's you know i think zach would probably say  
uh they'd have to put words in your mouth but it'd  be like they didn't market it right right they  
should have they should have marked cyber security  better than it would have been it would have been  
more more it would have been accepted a little um  easier in the process right yeah well you look at  
you know the the seesaw role for you know both  small and large companies is a role that is  
still it's so critically important because we're  all relying on technology but it's still kind of  
shunned it doesn't it doesn't hold the same  weight in most organizations as like the cfo  
you know or or even the cio right it's it's  uh it's kind of just put down as more of an  
operational thing uh more you know just just you  know don't let us screw up too bad kind of thing  
but um yeah you know i think there's there's  a lot of benefit there but that that's another  
problem is a lot of the um people um growing up  through the tech world you know that to be able to  
kind of translate there's you're so focused on  the job and what it is that you're doing to go  
back and think of it from a completely different  angle you know like a cia ceo might look at it or  
cfo might look at it it's hard thing to do right  if you haven't if you haven't been in their shoes  
um it's very tough so i think there needs to  be more more education on among cyber security  
professionals translating the the value of what  they do uh across the organization i know that's  
a big struggle for csos but it's it's still  one of those under understood things and then  
on top of that you kind of have that that level  of breach fatigue like yeah we've heard it so  
much what you know let's just just stay quiet  you know we're going to keep going like we are  
and well i'm pretty much i had a season once tell  me in a really large organization i had a lot of  
respect for he he had a hard time just like in  any big company or there's politics there just  
in bureaucracy between departments he told me he  said you know as cisso is one of those positions  
that has the illusion of influence and and  the re and the absolute reality of blame  
yeah it's a thankless thankless role i mean it  is it is it's like you know it doesn't matter if  
you're doing your job you're you're the security  customers right which are typically employees they  
you know they'll shut you right for turning off  you know things that they did they were able to  
do like administrative access you know stupid  things right um they weren't able to run mouse  
jiggler anymore i mean you know who who doesn't  miss that how do you dare you turn off farmville
no oh gosh yeah speaking of that i mean there's  there are a lot of assets that example right  
there you know productivity can go through  the roof uh when you turn off farmville or  
you know so that relating that all back  to kind of how we started the tools  
side of things i mean tools are critical but and  i think a lot of organizations i think it's it's  
human nature to want the easy way out right so  so when when a certain solution is promised to  
you through a tool vendor you know a product or  service um that's it sounds like it's gonna make  
everything better a lot of times that doesn't  happen but people jump on it because they want  
that you know that easy button like the staples  easy button you know and so tools you know is so  
critic i mean critical right we have to use and  we have to leverage our capabilities with tools  
and there's some incredible products out there  that we use with clients all the time so we're  
certainly thankful for them and thankful for  the people developing them i'm just a little  
annoyed by the industry as a whole because i think  there's a an overarching weight placed on them  
and i look at it like take it down to a simple  fact right like look at a bunch of soldiers on  
the ground in war if you give a soldier a rifle  and great training that soldier is going to be  
extremely effective if you give them three rifles  and not much training or not much direction or  
strategy it's gonna be very ineffective right  because it's just more crap to carry around you  
know you can only really be proficient with one at  a time right i mean yeah tools you could you could  
use a handful but you know that's just kind of an  analogy that that shows how we're looking at this  
right we can't just load people down because most  people aren't gonna have the capacity to run all  
these things anyway so why not focus on you know  the human expertise really really focus on that  
in the organization um the quality of environment  for those professionals and and let them do their  
thing yeah and if you if you're coming in do it  do an accurate analysis of what tools are deployed  
how how maturely they're deployed the return on  investment that you feel like they're getting  
at the current deployment level versus the cost  of installed a new tach right and make sure  
you're thinking about these things and and also  leaders make sure you're you're remembering that  
having one guy run it all is not a smart move  especially if he's he or she's done a really good  
job of implementing the technology or technology  set now you've got to back that intelligence up  
with at least two more so think of that triangle  you've got to have a triangle of human backup and  
resilience and intelligence and engineering to  front and adequately support any one technology  
you have in the organization that is the critical  tech so vulnerability scanning is an example  
right or a patching solution right whoever  whoever's managing puppet yeah that doesn't mean  
spend five hours a year looking over the guy's  shoulders there's job switching right where you  
change places where he runs a tool or she runs a  tool for a week or a month you know to make sure  
that they're proficient should that primary you  know get hit by a bus or whatever or covid or  
coveted bus or you know all three or you know  with covet yeah a bus with covid or gets hit  
with a death stalker crew or maybe pumped kicks  kicks you yeah or get some power pepper pickled  
pickled pepper patch power pepper yeah the back of  the bus well there there's another issue too that  
we could spend many episodes on but i figure we'll  just touch on today um and that's uh you know i  
call it the elephant in the room right and that  is a cyber security industry issue is just the  
sheer volume of compliance requirements popping  up it's it's like the the requirement of the week  
almost um and that's that's just an interesting  dilemma i think there's they're they're certainly  
well intended right and i think there's a lot of  great aspects um to different requirements and a  
lot of brilliant people working on them but from a  business perspective it can be very very hindering  
like we've been getting a lot of outreach from  kind of mid market or smaller organizations  
about cmmc um you know they're doing business  with the department of defense and the cmmc  
regulation coming coming out is just mind-blowing  to them you know grant we could argue that yeah  
nist 800 171 has been a requirement for years  now and so you know kind of should have known or  
started to align to it but nobody really dropped  the hammer on that you know and and so it's kind  
of just brushed by the wayside so now cmc so  that's just one example i mean there's certainly  
others with you know ccpa and gdpr as those came  out i mean just it's a big deal for companies so  
i don't know and i don't know what you guys think  my view is that you're you're kind of getting in  
the way of organizations in one aspect you're  you're making them do something which is great  
for those that would otherwise not do anything  but it also is causing organizations with limited  
resources to decide well do i chase the framework  of the week or the compliance requirement of the  
week or do i align to an industry standard  framework and really build a holistic program  
and i'm much more in favor of the building a  holistic program uh to secure your organization uh  
across the board no i wholeheartedly agree with  that yeah you need to you need to have a secure  
framework a standardized framework not a you  know something based on this cias something  
of that nature or you know one of the other many  frameworks to ensure that you are actually taking  
care of the company the other thing is that i  just ran into a client that was you know get did  
the continual confusion of well we're compliant  with socks so that makes it secure and it's like  
no that does not make you secure that makes you  compliant right so that's the next battle that  
needs to be fought as well and that's the eye they  have one one sliver of their environment secured  
so it's so it's it is kind of a ridiculous way  of thinking but um you can't fault people for you  
know kind of just not not wanting to understand  i mean sometimes it's just it's a it's a it's a  
grossly large uphill climb to to to implement  some of these programs and organizations that  
have just been led to be run amok you know right  we're simple things just like you know deploying  
attack to like they have a bunch of replacement  text for active directory if you don't want to  
apply to directory i'm not going to name drop  on here but anyways one of the more popular ones  
you know we'll use the local security policy on  the boxes windows and and mac which is cool and  
you can you can do things that you could do  in active directory with it which is pretty  
awesome but here's the catch the individuals all  register so you have everybody's email which is  
perfect but in order to make a policy work you  have to match a username to a machine name and  
people uh well organizations that have that have  hired individuals that don't know how to deploy  
you know one of these programs um very maturely  they end up having the naming convention of all of  
the laptops and desktops are all over the  place right they didn't have any kind of  
standardized naming convention it's just  named like whatever and so now what would  
be uh you know something that might take  two hours to install on along 100 machines  
now turns into like an eight-month endeavor of  changing computer names that's a good use of time  
so yeah powershell scripts you know you can't get  the users to run them for you and it's just oh man  
it's simple things right that'll bite you later  you're just like why yeah like in theory this  
should have taken a couple hours but here we are  you know eight months later in theory the death  
star should have survived i mean technically  it did right i mean that's just what they keep  
doing over and over again is let's just build  a super planet machine that has a giant laser  
why but since we're coming up on time you know  we'll wrap it up you know with this and that is  
that for those you know those people listening  that really need to implement a security program  
for the first time with you know first of  all it comes down to people right tools and  
technologies are great they're helpful but don't  get overburdened by them um you know there's a  
there's kind of a diminishing uh level of returns  that that occurs and you know the more you stack  
on top of each other so keep that in mind and when  you're building when you're looking at all these  
compliance requirements just remember that putting  an industry standard framework first and making  
that your priority like nist csf or 800 171 853  cis controls is phenomenal especially for smaller  
organizations where the other ones are are less  palatable those are you know all great frameworks  
to follow and and you don't have to reinvent  the wheel right these things are out there  
it's it's a prescription of here's what you need  to do to in order to have a robust and acceptable  
uh cyber security program for your  organization so look those up again  
nist you can search a nist frameworks and then  or cis control center for internet security  
take a look at those follow their guidance just  pick one and run with it if you're not if if  
other organizations aren't imposing or clients  not imposing a specific framework they're all a  
great place to give you guidance in order what you  don't again you don't have to reinvent the wheel  
and make this up there's no like magic or secret  sauce that's all out there for you so one thing  
to keep in mind when you look at these frameworks  they look daunting but in reality if you're doing  
industry best practices you may be already 60  to 70 compliant totally don't be intimidated  
by the spreadsheet yeah you'd be surprised how  many organizations we check that think they're  
in really bad shape and they're really not that  bad off um you know this isn't this isn't the  
mid-2000s anymore a lot of the tech is you know  somewhat secure out of the box as long as you  
don't muddle with it right and does zach's point  if you know the frameworks are light and and also  
if you're if you're a contractor like was said  earlier the new dfars um interim rule is out  
so make sure you go and read what's required that  their magic sauce and that unfortunately is going  
to be required to have some form of a milestones  chart with dates on your gaps keep that in mind  
magical plan of action milestones as prescribed  by the department of defense so yeah it'll be  
interesting to see how many people how many  organizations come back with above a 70  
on that or request for extensions yeah yeah  i'm going to guess that number's higher
continue to extend and extend and extend until  one day cmmc comes out well well thanks again  
uh for joining us everyone have a great week  and we will uh see you next time take care