Data leaks are hard enough to deal with when caused by threat actors. But organizations also must handle self-inflicted wounds. Recently a CISO got called out for posting a screenshot of their security dashboard online. Why do these types of incidents happen and how should an organization assess the risk it introduced?
This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson, CISO, Rivian. Joining me is our guest, Jamil Farshchi, EVP and CISO, Equifax.
Got feedback? Join the conversation on LinkedIn.
Huge thanks to our sponsor, Varonis

Full Transcript
Intro
0:00.000
[Voiceover] Best advice for a CISO. Go!
[Jamil Farshchi] My best advice for a CISO is question whether it’s something that you really, really want. And I’ve heard this from a bunch of folks throughout my career, and I think it’s spot on. I think a lot of folks look at the role, and they think about all the perceived glory, and seat at the table, and all those things.
But I don’t think that they fully appreciate all the time the grind that the role is and the stress that it entails, and the anxiety that it always creates on a day to day basis. So, I think you really have to want it if you’re going to be successful in this space. So, just be sure that it’s something that you actually want to do.
[Voiceover] It’s time to begin the CISO Series Podcast.
[David Spark] Welcome to the CISO Series Podcast. My name is David Spark. I am the producer of the CISO Series. I don’t know if you’re aware of this but if you want to get more content from the CISO Series, you can go to our web address, and that’s at ciso-dev.davidspark.dcgws.com. Many people don’t know this, Mike… Mike is my cohost for this episode.
Mike, say hello to the audience.
[Mike Johnson] Hello, audience.
[David Spark] Do you know who is responsible for naming this organization, our media company, CISO Series?
[Mike Johnson] I do not. This is news to me.
[David Spark] It’s my wife. You know what she also named? She named our show, Defense in Depth. She came up with that one.
[Mike Johnson] Two for two.
[David Spark] And I believe she’s also responsible for the name of our show, Capture The CISO. I have not paid her anything for this.
[Mike Johnson] Did she name the Cyber Security Headlines show?
[David Spark] No, that one I came up with. That was a…
[Crosstalk 00:01:42]
[Laughter]
[Mike Johnson] Okay. Okay, so you managed to name one of these.
[David Spark] Yes, I did. I did come up with Cyber Security Headlines, but she named all the other shows. A little bit of trivia that people don’t know is that she is responsible for all the naming… not all, but the critical naming of many of our programs and our organization name, for that matter.
[Mike Johnson] Future trivia question at a bar near you.
[David Spark] Future trivia, when we become big enough that people at bars know who we are.
[Mike Johnson] We’re already there, David.
[David Spark] I, by the way… Let me ask you if you’ve ever done this… I was at a bar chatting with a woman who was a little inebriated, and she all of a sudden wanted to talk business. And she was really kind of on the drunk side. I was like, “Maybe we shouldn’t be talking business if you’re this inebriated.”
[Laughter]
[David Spark] And then the next day, she reached out, and I’m like…you know, via LinkedIn, and I’m like, “Do you remember me?” [Laughs]
[Mike Johnson] “Do you remember where you agreed to sell me that particular product at a 99% discount? Let’s move forward with that deal.”
[David Spark] Oh, by the way… I think I might have told you this story. I had a situation where there was a product I was using. They drastically changed their pricing model, which literally shot the prices up skyward. And I had a problem with how the product worked. They said, “What if we gave you an 80% discount?” I was like, “What?” And this was for a SaaS based software.
And I was like, “So you’ve been gouging me that much?” [Laughs]
[Mike Johnson] Yeah, they broke the news the hard way to you, David.
[David Spark] Yeah. If you’re gouging me, we’re not going to do business together at all.
[Mike Johnson] You’ve been overpaying for quite some time.
[David Spark] First of all, this was when they wanted to change the model drastically, which I wasn’t interested in. The previous model, they were overpaying, too, but I was… It wasn’t like at a hellacious level. I didn’t mention our sponsor. Let me mention our sponsor. Our sponsor for today’s episode is Varonis – long-time sponsor of the CISO Series.
We love having them onboard. And not only that, they’re also the leader in data security. More about exactly that and what they can do to help you detect anomalous behavior and help improve the way you manage risk later in the show. So, I am excited to bring our guest on, who we had on Defense in Depth.
Actually it was a long time to get him on Defense in Depth. And once we had him on Defense in Depth, I said, “Would you like to come on CISO Series Podcast?” And he said, “Of course, would love to come on. As long as I’m on with Mike Johnson.” He said, “Anybody else, forget it.” [Laughs]
[Mike Johnson] Sure, that’s exactly how that… Thank you for continuing to cuddle my ego, David.
[David Spark] I want you to know, the only time I lie is when I can pump up somebody else’s ego. That will be the only time I lie.
[Mike Johnson] [Laughs] Thank you.
[David Spark] Just to make you… And, by the way, our audience… No, if you’re not following this person on LinkedIn, you should be, because he posts amazing posts, gets great discussions going. And in fact, many of our segments today are based on his discussions. Let’s bring him on. He is the EVP and CISO over at Equifax, Jamil Farshchi.
Jamil, thank you so much for joining us.
[Jamil Farshchi] Thank you so much for having me.
[David Spark] And was it true that you said, “Only if I can be on with Mike Johnson.”
[Jamil Farshchi] Of course that’s true, yeah.
[David Spark] You see? He’s going with the lie, too.
[Mike Johnson] Yes. Yeah, I appreciate that now.
Are we having communication issues?
5:13.917
[David Spark] One of the toughest jobs in cyber security and particularly for a CISO is communication. Jamil, you recently wrote on LinkedIn… You remember, people? I mentioned this. That it would be the one thing you would fix about cyber before anything else. Since we can’t snap our fingers and wish it fixed, one of the things you recommended to help improve communications was, “Always be on the hunt for captivating.” You suggest anything that could grab someone’s attention, from visuals to cultural references.
So, I’m going to just throw out one in general – anytime you can make an analogy or a metaphor about something, man, that sticks. But I want to hear from you. Give me examples of how you’ve actually done this. Made something captivating and stick. And what was the net result of that?
[Jamil Farshchi] You mentioned LinkedIn. I do it on there all the time.
[David Spark] Yes, that’s why I said, “People, check it out.”
[Jamil Farshchi] Yeah. Even earlier this year, I did a post about that show that was… “Last Of Us” about the fungi and used that as the basis for calling out risks. And how we talk about risks all the time, but unfortunately many of them go unaddressed. And just like in “Last Of Us,” those unaddressed risks can sometimes cause a calamity in the distant future.
But a more specific one, in terms of my day to day, we had a board meeting earlier this year, and I was trying to cover AI and the security risks. And so instead of just putting together a slide with a bunch of bullets on things to worry about, I created a deep fake of my CEO, and I showed it to the board.
[David Spark] Wow.
[Jamil Farshchi] And it changed the game. They all… You could look around the table, and they were just in awe of what AI can do and how easy it is to be able to completely replicate somebody else, top to bottom, voice and all, to be able to execute this kind of thing. So, it’s things like that that truly move the needle, I think.
And I can tell you this today – there is no doubt that every single one of my board members, because of the approach that we took there, understands what the risks are, and they take them seriously.
[David Spark] Showing a deep fake. That is a great, great move. All right, throwing this one to you, Mike. What have you done that really stuck, that really captivated your audience?
[Mike Johnson] The metaphor concept is really a good one. You can take a technical challenge out of our jargon, out of our gobbledygook that we always talk amongst ourselves, and relate it to something that they are used to. It’s always great to use physical security metaphors because people interact with those on a daily basis at their home, just going out in the world.
I used one talking about doors, and locks, and keys to really talk about containers, and perimeters with inside perimeters, Defense in Depth kinds of concepts. And in that situation, it was this business leader needed to make a call one way or the other on a direction, and they didn’t understand the technical aspects of it.
And it’s not their job to understand that. So, by using the metaphors and putting it in terms that they could very easily relate to, it allowed them to make the decision on the path to take versus either analysis paralysis or, frankly, maybe going in the wrong direction, thinking they understood what was going on.
So, that was really the outcome of it.
[David Spark] And let me… Quickly, from both of you, why is it so critical to do this? To make sure your audience gets it versus, “Eh, I trust you, Jamil. You know what you’re doing.”
[Jamil Farshchi] Because it makes it relatable, and it sticks. So, let me give you an example. I talk about partnership all the time. And I have a personal story that I can highlight that’s not cyber related, but I think it really drives the point home. So, during COVID, it’s the middle of the night.
I’m in bed. My wife… At the time, I had a… She was, what? Three-years-old little daughter in her crib. And I get woken up. It was at 1:16 AM in the morning. I had four Atlanta PD officers in my bedroom. And I’m like, “What is going on?” And I sleep like a log, so I just completely have no idea what’s happening.
Turns out what happened was someone broke into my house.
[David Spark] Whoa.
[Jamil Farshchi] In the middle of the night while we were home. So, it was a home invasion. And one thing leads to another, and I’m like, “How did the APD get into my house? How did they know this happened?” And it wasn’t… They had bypassed my security system, and the glass break and all that stuff didn’t work, which was awesome.
Make sure you test your home security system is some advice there. So, that didn’t work. My dogs didn’t do anything. They were just sleeping away, just like I was. So, nothing stopped them except for this one thing. My next door neighbor heard the glass break, looked out their window… I live in the city, and so our houses are fairly close together.
Heard the glass break, saw the people literally climbing into my house, and called the police.
And so, boom, they came. Who knows what would have happened if they had not contacted them, because none of us knew anything about it, obviously, because we were sleeping. But because of that, the intruders ran away, and the police were there to save the day. So, that’s exactly what we deal with in security.
It’s that kind of partnership, that kind of insight that we get can save the day. It can be the difference between having a normal day and having a very, very bad one. And so I tell that story just as an example of how you can bring personal stories into the work we do everyday that gets people to remember and truly associate and understand the topics that you’re trying to discuss.
What’s the best way to handle this?
11:26.740
[David Spark] How do we get better at making cyber security a team sport? We’ve seen this with ISACA groups that are industry focused, but those are usually private to private partnerships. How are public entities playing along? Now, on CSO Online, Christopher Burgess pointed to Big Pipes, a group of private and FBI security professionals working to disrupt DDoS booster services as an example.
We know these partnerships have value, but how have you experienced them in terms of outreach, and what kind of value do they offer versus working strictly with just your industry colleagues, Mike?
[Mike Johnson] Yeah, so there is another one to call out. I think it’s just called the Ransomware Taskforce. Big Pipes is a much cooler name than Ransomware Taskforce.
[David Spark] They both work.
[Mike Johnson] But an advantage that you have working with the public sector, specifically law enforcement, even on a global basis, is they can actually arrest people. Your industry peers, unless you’re in a very specific industry, can’t do that.
[David Spark] As much as we would like to.
[Mike Johnson] As much as we would like to. And that’s really a way of increasing the pain to our adversaries. If they actually have to worry about prison time then their actions will change.
[David Spark] That’s an interesting level, because often you have said, “I designed my security program just to make it not cost effective or worthy to break in.” But, yeah, that layer of, “Hey, we actually work with the feds. It could be a bad situation for you,” beyond just that.
[Mike Johnson] Yes. And, again, it’s additional costs and risks for the attacker. And if they’re assuming that more and more companies are having similar conversations with their law enforcement and not sweeping things under the rug, it increases the risk, and that increases the cost. So, that’s really an advantage about these public/private partnerships.
There’s others, but that’s one of the obvious ones.
[David Spark] What’s been your experience, Jamil?
[Jamil Farshchi] I’ve had a fantastic experience with government and public/private partnership, especially as of late. I’m going to hearken back to another LinkedIn post that I wrote earlier this year. We were the target of an attempted ransomware attack earlier in ’23, and we got a heads up from CISA 124 hours before the attack hit us.
[David Spark] Oh my God. That’s a nice warning.
[Jamil Farshchi] Yeah, exactly 124 hours. And so yeah, we had a fantastic heads up. And as a result, we were able to test all our controls, make sure everything was in place. And so by the time it eventually landed, it was super boring. I mean, there was nothing to see because we had gotten that heads up.
I think that is an example of the type of benefit that organizations derive from establishing those partnerships in advance. The problem I see is that there just continues to be this old tape being played about these partnerships and how they’re one sided or whatever.
But I think just like with anything in life, nothing comes from nothing. And so to expect that you’re just going to magically get this gift dropped into your lap after putting in no effort whatsoever to establish a relationship and to build those communication channels, I think it’s just plain unrealistic.
And so at least from my experience, having put in the time and effort to make sure that those relationships are there, the communication channels are established, I get a tremendous amount and my team gets a tremendous amount of value out of working with the government and with those public/private partnerships.
[David Spark] It is just like the story you said about your neighbor. I’m assuming you had a relationship with your neighbor before your neighbor put that call in.
[Jamil Farshchi] This is true.
Sponsor – Varonis
15:25.569
[David Spark] Before we go on any further, I do want to mention our spectacular sponsor, and that would be Varonis. Thank you, Varonis, for supporting the CISO Series through all these many years. Now, listen to what Varonis can do. Go from data darkness to automated data protection with Varonis – the leader in data security.
It’s a dozen security products in one. Varonis tackles hundreds of use cases, making it the ultimate platform to stop data breaches without adding more work onto your team. Within minutes, you’ll be equipped to detect anomalous behavior, ensure compliance, and remediate risk to your sensitive data in the cloud and on prem – kind of like what a security team does, right?
Varonis can help. Reduce your risk without taking on any and see Varonis in action today at… I’m going to give you a website. I want you to remember this. It’s varonis.com/cisoseries. Check them out.
It’s time to play, “What’s worse?”
16:39.171
[David Spark] All right, Jamil, you’re familiar with this game?
[Jamil Farshchi] I am.
[David Spark] All right. Two bad scenarios. You’re not going to like either one of them.
[Jamil Farshchi] I’m a little nervous.
[Mike Johnson] [Laughs]
[David Spark] You have to tell me which one is worse. I’m going to have Mike answer first. This one is a little bit more involved, so you may want to take a note or two. This comes from a new submitter. We’ve never had something from him before. It’s Aaron Stanley, who’s VP of security for dbt Labs.
And here are the two scenarios. Scenario number one – you run a mock incident exercise where the number one outcome is the realization that because of how your support and security functions are staffed, it would likely take weeks, maybe even months, before you could effectively communicate to impacted customers that you had experienced a security incident.
This delay would violate most, if not all, of your contractual obligations with enterprise customers and could get you in trouble with the regulators. I know, it’s not sounding good. When you read this out to your executive team and recommend the hiring of additional support and security staff, which would necessitate canceling one of your major feature branches this year, they say they would rather accept the risk.
Okay, just so you know, Mike, both of these at the end, they accept the risk, so don’t use that as your tool of, “Oh, I’ll take that one because they accept the risk.” All right? Just so you know. Because the next one ends that way as well.
[Mike Johnson] Okay. So, this is still just number one.
[David Spark] That’s just number one, okay?
[Mike Johnson] Okay.
[David Spark] So, you understand the situation here. It’s going to impact customers. You’re not going to be able to tell them. You’re going to violate a ton of contractual obligations and regulators. And you offer a solution, but you’d have to shut down a branch, which would hurt the business. All right, scenario number two – you run a mock incident exercise where the number one outcome is the realization that due to a technical decision made long ago it would be impossible for you to identify which customers were impacted by a security incident in your production environment.
Engineering estimates that the fix would require them to cancel one major customer feature this year. The executive team decides that this is an acceptable risk. Which one is worse?
[Mike Johnson] Okay, so I think I have these. So, the first one… Essentially this is a response versus detection question.
[David Spark] Well, it’s you can detect, but you can’t identify.
[Mike Johnson] Okay. So, in the second scenario, we know something happened. We just don’t know which customers it happened to?
[David Spark] Yes, so it’s going to be like playing Russian roulette with your customers.
[Mike Johnson] Right. And in the first one, we can theoretically detect who it happens to but it takes us forever to figure out who that is.
[Jamil Farshchi] I thought they were both coming from a crisis exercise, so aren’t they both theoretical?
[Mike Johnson] Yeah.
[David Spark] It’s like you know you have this fallibility is what it is. It hasn’t actually happened, but you know it. And the exec team is taking the risk in either scenario.
[Mike Johnson] Sure. But the first one, the fallibility is the length at which it would take to notify.
[David Spark] Correct.
[Mike Johnson] Okay. So, the way that I see this… And, Aaron, we’ll have a conversation later about submitting, “What’s worse,” questions and making them really difficult. Aaron and I have known each other for a while, so that’s where that comes from.
[David Spark] Okay.
[Mike Johnson] So, I can give him a hard time. What I would say would be that inability to notify within a regulatory requirement window, that really is going to be the worst case of these two. That gets you into fines. That gets you into potentially very large fines and maybe even having to change where you do business.
That’s really going to be the worst of these two scenarios. The second one, it’s going to really suck to have to send out a broad notification of, “All right, well, we think everyone is impacted because we can’t tell who precisely is impacted.” That’s essentially what you have to do.
[David Spark] Yes.
[Mike Johnson] Is you have to assume everyone is impacted.
[David Spark] But you know what? We’ve all received those emails. Like, “You may have been…”
[Mike Johnson] Right.
[David Spark] And a lot of us ignore it, too.
[Mike Johnson] Exactly. And so it’s painful, for sure. These both suck. But at least in that second scenario you’re able to meet your regulatory obligations, and that’s the one that I would prefer. So, really I think the one that is worse is the “it’ll take us forever to notify” one. We’re going to get regulators very unhappy with us.
That’s the worst of the two.
[David Spark] All right, Jamil, agree or disagree?
[Jamil Farshchi] I agree. That’s exactly what I would do, too, and it’s the same logic I sort of went through as well.
[David Spark] So, really the blame is right now on Aaron for not making this enough for you? Is that what you’re saying? Mike, do you want to dress him down fully now?
[Mike Johnson] No, no, no. And, Aaron, thank you for the question. It really is when you’re looking at response… And we’ve talked about this on other episodes. Is the way that you respond is what really matters the most. And in this scenario… And we’ve unfortunately been in situations where you can’t tell exactly who was impacted.
But really not being able to notify in a timely fashion really is going to be the more painful one.
Are we making the situation better or worse?
22:01.825
[David Spark] So, last year the Bipartisan Policy Center released its Top Risks in Cyber Security 2023 report. Now, Jamil, you were a coauthor on it. So, let’s dig into where that report stands a year later because we’re at the end of 2023 that we’re recording this. By the way, people are hearing this a little bit later.
Just so you know, we’re recording this at the end of December 2023. So, some of the risks were spinning the hits, like talent scarcity or the cyber arms race, but two risks stood out, and these are the ones I want to focus on, was lagging corporate governance. That’s the lack of technical expertise on boards.
And the other was overlapping, conflicting, and subjective regulations. Essentially calling out the patchwork of laws we’re operating under. So, isolating these two in particular, Jamil, do you see any improvement on either of these, or have they gotten worse?
[Jamil Farshchi] Were you digging me with that spinning the hits comment a second ago?
[Laughter]
[David Spark] This is a line I say to my sisters all the time when they complain about something. I go, “You’re just spinning the hits, aren’t you, right now.” So…
[Jamil Farshchi] Well, I think we all… You know, it’s funny, when we completed that, we were debating about… We were like, “Man, a lot of this stuff… These are vulnerabilities that…these are weaknesses that we’ve had forever.” And we finally… We thought about switching it up, but they were like, “No, because these are actually what the risks are.
Whether it’s past is prologue or not, we’re going to stick with what we believe is true.”
[David Spark] No, but that’s why I pulled out those two – because those were quite unique to the list. I should just mention that Mike and I, we’ve talked about this. We’ve covered like what we’ll see next year and… We’ve been doing this for the past five years. And pretty much the list is what we saw last year but just more of that is really what it’s always been.
[Jamil Farshchi] It’s true. It’s true. I mean, the one that we missed, honestly, last year was AI.
[David Spark] Yes.
[Jamil Farshchi] We did not have that in there. Although, I don’t know, in many respects I’m sure that it’s really had a significant impact from a risk perspective this year.
[David Spark] But a significant impact of attention perspective. But let’s go back to these two about the lagging corporate governance and sort of the subjective patchwork of regulations. What do you think? Are we improving or falling apart on this?
[Jamil Farshchi] I think one has improved. I mean, if you look at the data, the number of corporate directors with cyber security expertise has increased this year ever so marginally. Nevertheless, I think that is an improvement. And I think that certainly in the wake of the SEC rules, I think we’re going to see more and more of that in the future.
Now, whether those roles will be filled by more CISOs, I’m not sure. But certainly there will at least be some more technical expertise that will be in the boardrooms, which I think will be useful. I also think because of those rules, the SEC rules, that there has been a much greater focus on governance, cyber governance in general, and so I think that one has improved.
I think in terms of the…
[David Spark] Well, there’s just been a lot of press on it in general. Like people are just reading about it more.
[Jamil Farshchi] Yeah, but the press has driven a lot of discussions in boardrooms. I mean, I can’t tell you how many CISOs I’ve talked to over I mean just the last couple months alone that have had active dialogues with their boards of directors, with their GCs, with their securities lawyers on this topic and are making changes and building out processes in the wake of it.
So, I think all of that is largely good. So, improvement there. Now, in terms of the harmonization of everything, I’m not sure that we’ve seen much advancement and improvement there, but the NCD has an initiative on it. I know CISA Director Easterly is working on this. And so I know that there are a lot of eyes on the problem, and so I would expect that we are going to see some progress on it this year or in ’24.
But to date from a practical standpoint, I haven’t really seen anything tangible come out yet.
[David Spark] Here’s the opportunity I see. And actually I see one lawyer that’s actually trying to pull this off is… I use a payroll service, and we have employees like all over the country, in different states. And there are different state tax laws all over the states. There is no conceivable way I could keep track of all this nonsense.
I think there is a huge opportunity for some kind of middle layer, an organization, to keep track of all these regulations for everybody. And then you just sort of do a pay as you go service, like I do with the payroll, to deal with this. What do you think of that, Mike?
[Mike Johnson] That totally exists. It’s called outside counsel.
[David Spark] Just outside counsel? They know all the laws already?
[Mike Johnson] They do. Or if they don’t, they can get you the answer.
[David Spark] Forget the outside counsel. I’m looking for the SaaS service.
[Mike Johnson] Well, I think where you start having those challenges is there is not really bright lines, and you end up having to make decisions on the fly. Especially where you have laws on the national level that conflict with each other, where you have one country saying, “You must protect this data,” and another saying, “You must preserve this data, and you must give it to us.” Those really are challenging at a global level.
And so I don’t see that changing anytime soon because the root of that is sovereignty. Take, for example, the data residency laws that we see quite often either being debated or potentially being passed. China has a data sovereignty law. India has a data sovereignty law. And that is in conflict with some of the ways that the services that we operate really work.
So, I think that actually gets worse before it gets better, unfortunately, because countries will continue passing laws with their own best interests in mind. And that is what they should be doing. That is really what a government is expected, is to protect its citizens. And it’s going to take some hard core debate at a global level to really make any significant improvements there.
Dumb CISO mistakes.
22:01.825
[David Spark] How bad is a self-inflicted data leak? Now, this recently came up on the cyber security subreddit with the submitter saying their CISO published their vulnerability dashboard on LinkedIn. As one commenter suggested, the CISO might have just signed up for a free pentest. Now, others suggested following the same procedures you would with any other data leak – analyzing what was actually exposed and follow up procedure based on that.
That’s the key question for everyone – what, honestly… I’ll start with you, Mike. What honestly can a dashboard show that could be damaging if actually leaked?
[Mike Johnson] So, I really feel like we’re missing something here. Like this is…
[David Spark] The dashboard could say anything, obviously. But…
[Mike Johnson] Exactly.
[David Spark] But I’m just saying in the spectrum of dashboards you’ve seen, like, “Oh, geez, I’d never want that one leaked.” Or, “If that one is, it’s a bunch of red, yellow, green lights. It won’t tell you anything.”
[Mike Johnson] I mean, you can have some detailed dashboards that are basically, “Here is the path of ownership to… If you really want to get at this data, here’s a very clear path to get to it.” It’s unlikely, but it could exist.
[David Spark] That’s the worst case scenario. And also… And it’s a photo, and you’ve got the admin password on the screen.
[Mike Johnson] Right. I think the thing to keep in mind is with dashboards like that, you actually have to assume that there is an adversary in your environment who can see it.
[David Spark] And we’re saying someone posted this on Reddit, I think.
[Mike Johnson] Sure. Sure. But, I guess, really what my point is, we should be careful about our dashboards in the first place, such that actually publishing it… I mean, maybe that’s actually a bright line of is this a dashboard that you would… How bad would it be if you actually posted this dashboard publicly?
That’s a thought exercise, to look at your dashboards.
[David Spark] Do you ever think about that?
[Mike Johnson] Nope. Hadn’t thought about it until just now.
[David Spark] All right.
[Mike Johnson] And I think if that is the case then that dashboard needs to be tightly access controlled. But if it’s a dashboard that it’s not the end of the world… Maybe it doesn’t feel great if it gets out, maybe that’s actually something you can share internally broadly with your company and can use to drive change within your organization.
Maybe it’s something that we don’t have to keep secret internally because being more open with it internally gets you more results. But, again, if it’s something that you don’t want to see a screenshot of externally you probably need to have strong access controls around it.
[David Spark] All right, Jamil, I throw this to you. How awful would a screenshot of a dashboard be? Would it be… And, again, I know this is like, “How long is a piece of string.” But in terms of best and worst cases you’ve seen, what do you think?
[Jamil Farshchi] Well, just to level set, you’re talking to a guy who actually exposes his cloud security to all of his customers, so I have a pretty meaningful tolerance and focus on transparency. But that said, I don’t know what this dashboard was exactly, but I can imagine some of the dashboards that I’ve seen… And a lot of them nowadays get pretty detailed.
But if it’s got things like an IP address of an asset, or the OS type, or the CVE, I mean, that could be pretty damning and pretty useful to the bad guys, especially if it’s sitting there on the open internet. So, I guess I’d have to see what specifically this was.
But I think the first thing I would do is just go and delete all my social media accounts because I clearly am not very adept at using them. But I think I generally agree with what…I think you said, the broader sentiment was, which is just follow your standard processes in terms of responding to it.
I mean, I look at the intelligence driven approach, and you try to figure out, “What was the exposure? How easily can it be exploited? Is there any kind of activity out in the wild that would potentially affect this? Do I have countermeasures in place?” Sort of go through the list to be able to help manage that situation.
The technical part of the situation. The ego part, not sure you can really do much about that.
[David Spark] Well, we’re not here to control people’s egos. Although, we started the show pumping up Mike’s ego, didn’t we?
[Mike Johnson] Yeah, so this is a great way to wrap it up. We’ve bookended it with talking about egos.
[David Spark] Egos. Well, we’re talking about tearing down people’s egos at the end, which we’re not doing. Hey, I’m very thrilled pumping up your ego, Jamil, that you joined us today, because it’s a thrill. It’s a treat to have you on the show. It’s awesome.
Closing
33:01.183
[David Spark] With that said, we’re wrapping up this show. I want to thank our sponsor, Varonis. You remember? The leader in data security. I gave you a web address, and I’m going to give it to you again. I want you to check it out. It’s Varonis.com/cisoseries. Go check out how they can help you reduce risk without taking on any.
See Varonis in action. Go there today. I also want to thank you, Mike. Mike, do you have any…? By the way, Jamil, you get the last word. Mike, any last words you’d like to say on today’s episode?
[Mike Johnson] Jamil, thank you for joining us. I’ve been a fan of you on LinkedIn, and so it was great to finally get the opportunity to sit down and chat with you. I really like your concentration on relationships and partnerships. I know it is something that we talk a lot about on this show, but you gave some really great examples, both from your personal life with the neighbor and also talking about the public/private partnerships.
Thanks for sharing those stories, and thanks for joining us.
[Jamil Farshchi] Well, guys, this has become my favorite podcast, and so you can call me anytime. I’d be…
[David Spark] Hold on. You need to… I didn’t have to put that quote out there.
[Laughter]
[Jamil Farshchi] I genuinely appreciate the opportunity. You guys keep fighting the good fight. You’re on the front lines, and I think you’re really making a difference by helping to inform and educate the whole cadre of security folks out there. And you’re going to help build up that next generation of cyber leaders.
So, thank you very much.
[David Spark] Thank you very much, Jamil. Thank you very much, Mike, and thank you very much to our audience. We greatly appreciate your contributions and listening to the CISO Series Podcast.
[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, ciso-dev.davidspark.dcgws.com. Please join us on Fridays for our live shows – Super Cyber Friday, our virtual meetup, and Cyber Security Headlines Week In Review. This show thrives on your input.
Go to the participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at david@ciso-dev.davidspark.dcgws.com. Thank you for listening to the CISO Series Podcast.