How do you manage the risk introduced by your own staff? This can range from having written passwords in plain sight to using insecure operating systems on BYOD devices. Staff can show almost as much creativity as threat actors when it comes to putting an organization at risk. But how do you quantify and start to remediate the risks they introduce?
This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series, and Mike Johnson, CISO, Rivian. Joining us is our sponsored guest, Allan Alford, CISO, Eclypsium.
Got feedback? Join the conversation on LinkedIn.
Huge thanks to our sponsor, Eclypsium

Full Transcript
Intro
0:00.000
[Voiceover] What I love about cyber security. Go!
[Allan Alford] I love the fact that a whole group of strangers have all embraced the noble purpose of protection and that we all manage to get along and sort of head towards the right mission, at least for the most part.
[Voiceover] It’s time to begin the CISO Series Podcast.
[David Spark] Welcome to the CISO Series Podcast. My name is David Spark. I am the producer of the said CISO Series. My cohost for this episode, he’s had three jobs since we’ve started. It’s Mike Johnson.
[Mike Johnson] [Laughs]
[David Spark] He’s the CISO of Rivian. Mike, thanks for joining us.
[Mike Johnson] Wow. You know, when you put it in those words, David…
[David Spark] It sounds like you were a failure.
[Mike Johnson] Well, thanks. Yeah, appreciate that.
[David Spark] No.
[Mike Johnson] Yeah, thank you for the support, David. I’m so glad to be here.
[David Spark] I’m glad that you’re here as well. We’re available at ciso-dev.davidspark.dcgws.com. Our sponsor for today’s episode is Eclypsium. Trust your tech from core to cloud. More about Eclypsium later in the show. And in fact, Eclypsium is responsible for bringing our guest today, who I want to introduce because he was the second ever host of the CISO Series.
Actually, let’s say third. You and me, the first, and then he was the host of the second show on the CISO Series. He has gone on to do his own show himself. Actually, he has a show called the Cyber Ranch Podcast. And he is now over at Eclypsium as their CISO. Our sponsored guest and good friend of the show, none other than Allan Alford.
Allan, great to see you back again.
[Allan Alford] Howdy, y’all.
[David Spark] All right, the reason I’m bringing you in early is because you have a long history in podcasting and because Mike has a long history in podcasting, this is something that has come up, and this is my podcasting pet peeves. I have a bunch of them. Before anything comes out of your mouth, I’m going to start with you, Mike, and then we’re going to get to Allan.
Give me one or two of your biggest podcasting pet peeves. And it’s about other people’s shows, not the brilliance that we create on this show.
[Mike Johnson] No, certainly not about this amazing show.
[David Spark] By the way, I don’t believe we’ve ever made a mistake. Have we, Mike?
[Mike Johnson] Not once. Not that anyone has heard. Editing is great.
[David Spark] Yes.
[Mike Johnson] For me, it’s the oddly inserted ads that have nothing to do with the show. I know why they have to do them, but they’re so distracting to get a commercial for toilet paper while I’m listening to something deep about financial news.
[David Spark] Well, the great thing about a toilet paper ad is that everyone uses it.
[Mike Johnson] Very true. Good point.
[David Spark] It is actually targeted to everybody.
[Mike Johnson] Yes.
[Allan Alford] Universal clickability.
[David Spark] But if you use one of these ad insertion services, you really have no idea. And it also changes by the location. I was saying I was in Amsterdam, and I downloaded some shows for the flight, and I got ads in lots of different languages.
[Mike Johnson] Even better. They’re more entertaining that way.
[David Spark] All right. Allan, your top pet peeve with the podcasting.
[Allan Alford] It’s when the guest switches from talking in a normal tone in the microphone, and then all of a sudden you get all the [Stutters] sounds as they get right on the mic and move their head around.
[David Spark] Or do they do the mic drift, where they fall off the microphone?
[Allan Alford] Yeah.
[David Spark] Go further away, and then they come back again, like that.
[Allan Alford] Yeah. That’s another good one. That’s another good one. Plosives, sibilance, and mic drift.
[Mike Johnson] We’ll try and replicate all of those today just for you, Allan. [Hisses]
[Laughter]
[David Spark] My least favorite is the ramp up, and it comes in many different forms. One is the, “How was your weekend, Allan, Mike?” Does anyone actually care? No, I don’t believe anyone does. And the second, like they want to start a topic, and there’s sort of an endless ramp up until they get to the point.
I don’t need the ramp up. Get to the point. That’s my aggravation.
[Mike Johnson] Cut to the chase.
[David Spark] Many hour-long podcasts could just be 20 minutes long. This show is not 20 minutes, nor is it an hour long. It’s somewhere in between. And we’re going to cut to the chase right now. Are you ready, Allan?
[Allan Alford] I am ready.
Let’s talk community.
4:27.119
[David Spark] What can a private organization do to foster public/private partnerships? We’ve seen a lot of top-down approaches recently, most notably CISA’s Joint Cyber Defense Collaborative, but Christopher Whyte at CSO Online argued for more bottom-up approaches. He pointed to leveraging collective agency through civil defense groups, internalizing the need to speak publicly about risks and vulnerabilities as a net positive, using sources from academia, supporting workforce pipeline tie-ins, and investing in vendors that best benefit community security.
Any of these represent…and I know it…massive coordination. So, Mike, I’m going to start with you. How can we cut through and start seeing benefits across any of these as quickly as possible? And by the way, I think we’re all on board that we would love to have more public/private partnerships. Yes?
[Mike Johnson] I think that’s true. I also think we’ve been talking about public/private partnerships forever. This is not a new topic in cyber security.
[David Spark] And these solutions, I think, are known but seem very arduous to achieve.
[Mike Johnson] I think that there is this presumption about what the solution is. Like what a public/private partnership looks like. There’s a belief that it is the government giving private companies threat intelligence. Those companies are then using that to defend themselves better. There’s this presumption that that’s what it is.
But the reality is there’s a lot that’s going on today that we just don’t give folks credit for. We have the architecture guides from CISA. We’ve got NIST CSF 2.0, which was basically written in significant partnership between the government and private entities. The Cyber Safety Review Board, that’s one of those cases where you have private companies that are sitting on the Cyber Safety Review Board but are working on behalf of CISA.
So, I think the reality is we have a lot of this going on today. It’s just not what people think they want. And that thing that they want isn’t going to work very well for the government because they can’t declassify information in order to pass it along to the private sector.
[David Spark] That seems like the giant rub there. Allan, what do you feel is working, not working, things could be sped up? Where do you stand?
[Allan Alford] I want to bring up open source right off the bat. I want to bring up the open source world. Because everybody has heard of the tragedy of the commons – this idea that if it’s a communal property, everybody will take advantage of it, and nobody will sustain it. Right? And if you look at the role of the private sector versus government in society, the private sector is there to make money, create jobs, develop an economy, and government is there to maintain the things that nobody else would do.
It’s the communal infrastructure. The commons, if you will. And so for me, this idea that the open source movement is starting to see government support… Packages, and modules, etc. that are being used all throughout society, everywhere, stuff that isn’t necessarily being maintained by a private individual or isn’t being secured by any private individual, governments are stepping in and contributing to open source and sort of solving that tragedy of the commons problem.
And so you’re starting to see some of that in the open source world. Then you see things like the chipsec project.
You see things like OWASP. There’s a lot of already excellent cooperation between the two entities. It’s already happening, and I think open source is a huge area for that to occur. And then you get into things like InfraGard. You get into things like the Open Source Software Institute. I’m back to open source.
But what those guys do in particular is they will take an off the shelf module like OpenSSL and they will run it through a FIPS 140-2 validation. And now everybody has a FIPS validated version of OpenSSL available to them. So, I think the open source world is really doing this a lot. And there’s smaller things, too.
Like Josiah Dykstra, who was at the NSA at the time, cowrote a book with somebody from academia and somebody from the industry, all of them jointly putting together a cyber book. There’s a lot of smaller examples. There’s a lot of bigger examples. But I tend to lean on open source when it speaks to how the collaboration can occur.
How can we secure new technology without creating new risks?
9:04.349
[David Spark] Can we keep pace with risk assessments during the current LLM arms race? LLM being large language models. With the tech industry investing billions to stay on the cutting edge, monolithic benchmarks of performance and trustworthiness are almost impossible, argued George Hammond in a recent piece for the Financial Times.
Now, this might be true, but it also hides the fact that as an industry, we also struggled to do proper risk assessments on new technologies before the cloud. Take SaaS for instance. So, Allan, is this a real issue we need to figure out? Like doing risk assessments as we’re building these LLMs? Or is the disruptive potential of these ascendant LLMs causing us to over-index on this already existing problem?
Like we do this with any new technology. Are we just overstressing ourselves out with LLMs?
[Allan Alford] Yeah. So, in the ‘80s, we had the PC revolution. Once upon a time, everybody was on the centralized mainframe, and all computing was controlled centrally. Then these awful PC things started getting scattered to the four winds, and suddenly the risk profile and the attack surface changed, and everybody freaked out about how we could possibly contain this mess.
Well, we did. And then came this thing called the internet in the ‘90s, and it started all over again. Distributed computing and stuff all over the planet, and how do we possibly contain. We did.
And then came the cloud revolution of the 2000s. Guess what? We secured it. So, I think there’s a lot of hype with each new wave that comes out. I think each new wave of technology gives us a moment where we’re thinking to ourselves, “Oh, no. How can we possibly?” But at the end of the day, it’s increased attack surface or it’s altered attack surface, and we just sort of accommodate that and include it in our risk register, and we just kind of move forward and start to take it on.
If you break it down and look at LLM, all we’re really saying is there’s a risk now that this new toy is out there that people are plugging data into, so there’s a risk of data going out the door into the LLM.
And then there’s the risk of the LLM itself hallucinating, whatever kind of mess-ups might occur as you utilize it and incorporate it in your business life. Okay, so we’ve really added two categories of risk, and that’s about it. One of them is solved by the same kinds of DLP technologies, and the other one is solved by human intervention and not just leaning hard on the LLM but assuming that a human needs to edit, review, and double check facts and figures, and that sort of thing.
So, I don’t think it’s a daunting proposition, LLM. I think it’s overcomable. I think we just add to our risk register. I think we alter our model of attack surface, and we’re getting to the same place we got with all the other revolutions that came before.
[David Spark] You got personal data going into SaaS. You got personal data going into LLMs. It’s the same thing, right, Mike?
[Allan Alford] Yep.
[Mike Johnson] I really view it as the same thing. There is a box that you put data into. It does something, and then the data comes back out. We have to think about it a little bit differently. But at the root of it, it’s the same risk that we’ve dealt…
[David Spark] By the way, is this your opening line to the board? “It’s a box. Stuff comes in. Stuff comes out.”
[Mike Johnson] Probably not to the board.
[Laughter]
[Mike Johnson] But at the same time, I’m not talking to the board about the risks of AI.
[David Spark] Good point.
[Mike Johnson] That’s not a conversation that we’re having. But if I am having a conversation internally around how are we assessing the risk of this new LLM that we’re wanting to use, we do talk about the fact that it’s similar to what we’ve seen before, so we should treat it the same way. As Allan was saying, you look at the data that’s going into it.
So, you have some controls around the data that goes into it. You worry about what happens with the data within the LLM. Is it mixing? Is it going to be training data for other models that other people can perhaps get the data back out? And then what are we doing with the data? Are we using that to make legal decisions?
In which case, we really need to make sure that we’ve got some review of that output. It’s the same thing that we deal with time and time again. It just looks a little bit different this time.
[David Spark] Honestly, it comes down to classifying it. If you don’t have it classified in the cloud, it’s a pain to manage it. If you don’t have it classified in the LLM, it’s a pain to manage. If you have it classified, you can manage it whether it’s in the cloud or the LLM. Am I right?
[Mike Johnson] If you know what data is going in and you know what data is coming out of it then you have a really good chance of securing it. But if you don’t know those things then you’re going to have a bad day.
[David Spark] And it doesn’t matter where the heck it is, you’re going to have a bad day.
[Mike Johnson] Exactly.
Sponsor – Eclypsium
13:49.792
[David Spark] Before I go on any further, I do want to tell you about our awesome sponsor, and that is Eclypsium. Now, this episode is sponsored by Eclypsium, the leader in supply chain security for critical software, firmware, and hardware in enterprise infrastructure. Now, CISO Series listeners can learn more about Eclypsium by visiting their site, eclypsium.com/spark.
Now, that’s a little extra add-on. I’m going to spell it for you later. But there, you will find the “Ultimate guide to supply chain security.” It’s an on-demand webinar presented by Paul Asadoorian called “Unraveling Digital Supply Chain Threats and Risk,” which is a paper on the relationship between ransomware and the supply chain, and a customer study with DigitalOcean.
So, there’s a lot of good stuff in there. So, if you’re interested in seeing their product in action, you can also sign up for a demo. And you get that all at the site I just mentioned. It is eclypsium.com/spark.
It’s time to play, “What’s worse?”
14:59.554
[David Spark] It’s time to play, “What’s worse?” Allan definitely knows how to play this, so I’m not going to explain it to him again, but I’ll explain it to our audience if this is the first time you’ve listened to our show. We have two horrible scenarios. They both stink, but it’s a risk management exercise.
You have to tell me which one of the two is worse. Now, this one came from the Twitter stream, @badthingsdaily. I essentially picked two of them that I thought were mildly comparable in terms of badness, and you have to decide, Mike, which one is worse. Are you ready?
[Mike Johnson] Yes.
[David Spark] Has there been a time I said, “Are you ready,” and you said, “No, David. Let’s wait for at least 15 minutes.”
[Mike Johnson] David, I was born ready.
[David Spark] Is that what your mother says?
[Mike Johnson] Yes, absolutely. She knows. She knows. She knows I’m on…
[David Spark] You came out of the womb, and she said, “Plow the fields.”
[Mike Johnson] And I was just out there that day.
[David Spark] There you go. This is the first scenario. Subscribers to your newsletter are reporting targeted attacks towards the emails they subscribed with. Not good. Your newsletter list has been getting attacked. Or your on-call, so your on-call SOC, your MSSP, whatever, is super pumped because they haven’t seen any incoming alerts for a while.
And a while, we don’t know how long that is but for a while. All right.
[Mike Johnson] For a while.
[David Spark] Mike, which one of these is worse?
[Mike Johnson] Wow, okay. So, in the first one, you have basically a known compromise. Something, somewhere, somehow they’ve gotten a hold of these email addresses. You don’t know how they got them. That’s kind of the first…
[David Spark] Somebody leaked them.
[Mike Johnson] They’re out there. And the second one is everything is just quiet, and you don’t know why.
[David Spark] Which, who knows, maybe they really are quiet. Maybe [Distortion 00:16:56] are so fantastic that you have rebuffed everything, and nobody can even get to the outer shell that you could even see anything. Or all the hackers have decided to take some time off. And I’m saying the criminals. The criminal hackers.
[Mike Johnson] Sure, that could totally be the case.
[David Spark] It’s never happened, but maybe it could.
[Mike Johnson] Never happened that way, and that one kind of comes across to me as it’s quiet, but it’s too quiet.
[David Spark] It’s like when the kids are in the house, and you don’t hear any noise. What’s wrong?
[Mike Johnson] Yeah. Yeah, what’s wrong. And so one of the things that I’ve been pretty consistent on this show is the unknown is always more concerning to me. And…
[David Spark] You have said that before.
[Mike Johnson] The first one, I kind of like… Okay, this is a problem. Basically I can figure out what happened in that first case. The second one, it could be quiet because all of our detection and monitoring is offline, and the attackers have just been running rampant. Who knows what they’ve done.
[David Spark] Or nothing could have happened.
[Mike Johnson] Yeah, I’m an optimist, but I’m also in security. So, I don’t believe that nothing happened. To me, the unknown is the worst one. So, the second is the worst one.
[David Spark] Because you don’t like free-floating anxiety. But Allan, do you love free-floating anxiety?
[Mike Johnson] No.
[Allan Alford] I’m actually going to agree with Mike, and here’s why. The newsletter email list, who knows where those addresses were also used. It may not have been you. For all you know, it’s everybody who attended the same conference or everybody who went with whatever. I mean I tend to give the same address out when I subscribe to things, sign up for things, talk to vendors, go to shows, etc.
It’s not the same address I use for my daily life. Right? So, if that’s the one getting hit, it could have been used all kinds of places, so I’m not going to take the credit, or the blame, or say I’m culpable just because there seems to be a Venn diagram of overlap.
I’m not going to worry about that one so much. All is quiet on the western front, on the other hand. That’s a whole other story. Because at a minimum, you should be seeing the bot traffic. You should be seeing the attempts. Everyone knows you take a Windows box, you slap it on the internet with no firewall, it’s going to be compromised within milliseconds.
And you will see ten bajillion attempts from the bots just looking for and scanning for, “Does it have this vulnerability? Does it have that one?” You’ll even get hit with the bots that are looking for an Apache/Linux combo on your Windows box. You’ll still see all that stuff. So, if you’re not seeing any of that in your SOC, you’re blind.
[David Spark] All right. Allan agrees with you, but I think he gave a more detailed answer, so Allan is more correct than you are.
[Mike Johnson] Way to go, Allan.
[Allan Alford] Wow, I’m correct.
[David Spark] More correct.
[Mike Johnson] More correct.
[David Spark] You get two gold stars. Mike only gets one.
[Mike Johnson] Oh.
Please, enough. No, more.
19:42.400
[David Spark] Today’s topic is supply chain security. Mike, this is a ludicrously hot topic, so I’m going to begin with you. And actually, you work for a business where you are dealing with this more than you’ve ever dealt with before. So, what have you heard enough about with supply chain security, and what would you like to hear a lot more about?
[Mike Johnson] You really kind of hit it with that point. When I joined the company that makes physical things… The supply chain is very different than when you’re making software. And I really think we talk too much about the supply chain and referring to it as just software. That’s what people go to.
That’s what people talk about. They talk about your open source libraries. And so I’ve heard enough about just limiting it to open source and whether or not you’re using open source. What I would really like to hear more about is looking at supply chains holistically. The fact that it’s not just are you using an open source library.
You’ve got an entire chain that you have to worry about here. And so I’d like to see more of just let’s be more holistic and more broad based when we’re talking about supply chain and supply chain security.
[David Spark] Let’s see the full picture because there’s a lot to it. I remember when we had the CISO for Lexmark on. And I can’t remember the number, but it was like an endless number of suppliers he had to worry about for printers and copiers at Lexmark. All right. Allan, I throw this to you. It is the bailiwick over at Eclypsium.
What have you heard enough about when it comes to supply chain security, and what would you like to hear a lot more about?
[Allan Alford] Yeah, so this is what we do. And let me start with my own personal background on all this. I grew up in the video conferencing industry. That’s where I first really dove into a security career, transitioning from an IT career. It was at…
[David Spark] Polycom, correct?
[Allan Alford] Yes, sir. I was at Polycom. And we made endpoints. We made audio endpoints. We made video endpoints. We made backend infrastructure that switched, and bridged, and did all the magical things on the backend that you have to do. And so I grew up not with AppSec but with ProdSec, which to me is inclusive of AppSec.
Yes, there was tons and tons of software in these devices, but there was also a boatload of hardware. And hardware is mixed so amazingly. You’ve got CPUs. You’ve got GPUs. Everyone knows about those. When you get into BIOS, and you get into firmware, and you get into embedded code, and you get into integrated systems, there’s all of this other stuff going on.
There’s FPGAs. There’s… FPGAs, for those of you who don’t know, picture a chip that you just Lego-brick tons and tons of code into, and you can build out a code stack inside a chip with what might be open source, might be manufactured, proprietary, privately owned, maybe some combination thereof. There’s so much code below the surface.
Just so much stuff below the surface.
And prior to that, I actually worked at a company that manufactured full systems. You know, putting chips on motherboards kinds of things, and these guys even subcontracted for the military. And it was amazing to see one change to one chip on the product line, and what all was involved, and the convolutions that had to be gone through.
So, you’d start with let’s say a Japanese chip. You’re cranking out this motherboard, and chip number 13 on the board is some particular Japanese chip that does some particular thing. And then one day you find out there’s a comparable chip coming out of the Philippines that does all the same stuff and can be an equal substitute, and it costs .05 cents per unit cheaper, which for a manufacturer that’s cranking a million dollars an hour, a million dollars a day on the assembly line, these little, tiny differences in price matter hugely.
But then you have to validate and verify the integrity of whatever you’re getting, right? The DoD is concerned about these things. The private sector should be as well. And so you get to a state where you’re looking at things like BIOS, firmware, CPU, GPU, all these types of things that all have loaded stuff in them, and you get into questions about whatever that stuff is.
So, question number one – does it have the integrity? Is it really the right version that it should be? Is it what it claims to be? That’s question number one. Because you may have third parties trying to interject or interfere. Number two, is it the one recommended by my manufacturer? Is it up to date?
Is it the right, current one? Number three, is it in some way, shape, or form altered, or compromised, or doing stuff off the board? You know, the data in and data out, is there anything fishy going on? You have to start looking at all these kinds of things. So, Eclypsium steps in and does exactly that.
That’s exactly what we’re doing over there. We’re looking at all this stuff.
[David Spark] Let me pause you for a second. I’m interested in the story. What have you seen? What kind of behavior do you see often?
[Allan Alford] Yeah, we’ve seen bad guys insert code. Code that was doing things like sniffing and detecting. Way back when I was in IT, before I was even in security… We’re talking like late ‘90s I want to say. There was a big scandal where Cisco supply chain…the actual official supply chain where you’re ordering your Cisco parts from your dealers, it turns out that a whole bunch of bootleg Chinese cards made it into the market.
And these cards were found to be deployed at places like US Navy Intelligence. [Laughs] And it’s not just, “Hey, we’re not getting the goods we paid for.” It’s like, “Wait a second, this is the switch at the center of my network through which all of my data passes. What’s on that board, and what’s it doing?
What’s it sniffing? What’s it looking at? What’s it relaying and sending out to the cloud?” Or, well, back in those days, there was no cloud, but you get the idea. So, it’s these kinds of things. We see this stuff. We see the bad guys stealing data.
[David Spark] But let me pause. I realize that a lot of people buy a device, and to them, it’s a black box.
[Allan Alford] Yeah.
[David Spark] And correct me if I’m wrong. Eclypsium is saying, “Here’s what’s going on in your black box.”
[Allan Alford] Yeah, exactly. We’re cracking it open and showing you what’s happening. And there’s other manufacturing concerns. Picture a mainstream PC manufacturer…I won’t say which one…who offers two product lines of laptops – one aimed at consumers and one aimed at business. The promise to the business is we will maintain the same chips, and chipsets, and units over time.
For a three-year contract, you’ll get the same system. So, if you order a replacement two and a half years from now, it’s guaranteed to be the same machine. You can fire the same software onto it. Everything is going to work consistently, and predictably, and all that. But their consumer line is a free-for-all.
Just whatever the cheapest chip of the week is, is what goes into that sucker. And even after that three-year cycle, you’re going to re-up chips. This stuff is occurring all the time, always. And when I first signed on with Eclypsium, of course being the nerd I am, the very first thing I did was I said, “I want access to the tool, and I want to load it at home on the home network.” And I blasted it onto absolutely everything on the home network that I could find and put it on, and I started sniffing around and looking.
And mind you, I already have EDR. I already have Next Gen AV. I already have all the stuff running. Eclypsium found I want to say it was a grand total of seven things on my network that weren’t right.
[David Spark] Like give me an idea.
[Allan Alford] Well, this one was the really scary one. I actually updated the BIOS myself on my main gaming PC, and I went to what I thought was the official manufacturer’s website and downloaded what I thought was the official real BIOS.
[David Spark] To our audience, Mike just made a very distressing face.
[Allan Alford] Everything looked legit. And of course, I’m over on a Taiwanese site downloading the English language version, etc., etc. Yeah, Eclypsium went through it and was like, “Yeah, that’s not the real one, dude.”
[Laughter]
[Allan Alford] I don’t know what it was doing. I don’t want to know what it was doing, but I nuked, eradicated, and got on the right one very promptly after that.
[David Spark] So, it’s amazing. You could think you’re doing all the right things, but it just goes back to, “This is what’s going on in the black box you just bought.”
[Allan Alford] That’s exactly it. And we’re expanding. So, Eclypsium is getting beyond just firmware and BIOS now, and we’re starting to look at software. We’re starting to look at IoT devices and all manner of other stuff out there. I mean, you’ve got cameras on your network. You’ve got video conferencing endpoints, audio endpoints.
There’s all kinds of stuff. The printers… The potential to dig into this stuff is vast. We’re just constantly growing in scope of what we identify and find.
What annoys a CISO?
27:30.695
[David Spark] Everyone has seen a coworker with a password-laden post-it on their monitor. Coworkers putting systems at risk isn’t anything new, but a recent thread over on the cyber security subreddit tried to tease out the most common. One of the most common was putting confidential data on personal devices and accounts.
Another was actively bypassing automated email protection systems to let them send sensitive data in the clear. And leaving computers unlocked was another common pain point. Now, several commented that the mere existence of coworkers was the worst offender. We know that. We know the safest computer is the one that’s turned off and not connected to anything.
And of course, the classic BYOD running Windows 7. So, I’m going to start with you, Mike. Which of these are the easiest to manage, and which are the trickiest? And you can bring in your own that I have not mentioned.
[Mike Johnson] So, first, a brief rant. I don’t consider passwords on post-it notes to be viable threats anymore for most orgs.
[David Spark] Allan is giving the thumbs up. He agrees with you.
[Mike Johnson] The only place where that happens is in movies and TV shows. As long as you aren’t some sort of evil genius in a TV show, you’re probably okay with post-it notes.
[David Spark] Have you hired an evil genius?
[Mike Johnson] Not that I’m aware of. I haven’t seen any post-it notes.
[David Spark] There you go.
[Mike Johnson] So, I think we’re okay. But overall, this list… I mean it’s interesting. And aside from the having coworkers point, there’s generally technical controls for all of them. DLP can handle putting confidential data in the wrong place. Idle timeouts can make sure your computers are locked.
BYOD can be handled with conditional access. All of those can be handled with technical controls. But one of the things that was mentioned, and I don’t think you mentioned it, but it was in the article, was intentionally defeating controls to send sensitive data in the clear. That one is really difficult to deal with.
You’ve essentially got an employee who’s working against you. They’re actively defeating your controls.
[David Spark] But this can be done two different ways – maliciously and, “I’m just trying to get my job done.”
[Mike Johnson] Exactly. And the latter means that your security team isn’t doing what they’re needing to do. They’re not listening to the input.
[David Spark] “I need a tool that can do this, and you can’t do it. So, I’m going to do it in my own app,” and hence, we get Shadow IT.
[Mike Johnson] Exactly. Yes. And therein lies tears because you’re now Shadow IT everywhere. That’s why we do have to be very careful with our policies and make sure we’re empowering the workforce. That’s the only way that you can deal with that one, but the rest of these we can just solve with technical controls.
So, I’m not worried about most of them.
[David Spark] Allan, you’re on board with sticky notes with the password is no big deal. Is there an issue that does become a big deal outside of what Mike said, or do you want to double down on that?
[Allan Alford] I’m going to double down on what Mike said, and I’m going to give you my super simple maxim that we must all remember in this field. Any security control must acknowledge how the affected employee is measured. That’s it. That’s the simple statement. If we are implementing security that gets in the way of how an employee is measured in their daily tasks and job, they’re going to bypass that security however fiercely they can do it.
Right? That’s the single biggest concern: ourselves getting in the way of employees doing their jobs. As soon as we do that, as soon as we make security the uncomfortable choice, as soon as we make security contrary to what they know they need to do to be successful in their jobs, that’s when we’re actually screwing it up.
Right?
Post-it notes, not that big of a deal. It’s more of a trope than it is a risk. Don’t use public Wi-Fi is another one. Everybody always says, “Don’t use public Wi-Fi.” We’ve got firewalls. We’ve got VPN. We’ve got SASE. We’ve got ten bajillion technologies. I’ll hop on public Wi-Fi. And I’m cautious about what I do, and I make sure the encryption is happening, and I’m okay with it.
It’s not that big of a deal. I don’t know if you remember maybe about eight years ago, every conference you went to, the doodad they gave out, the swag they gave out was that little USB block data/allow power adapter.
[David Spark] Right. I picked one up at RSA.
[Allan Alford] And we all thought we needed those. We had them everywhere eight years ago. When’s the last time you saw one of those?
[David Spark] I saw one at RSA this current year. I grabbed one.
[Mike Johnson] Did you really? Because I haven’t seen one in forever. I haven’t seen one in forever.
[Mike Johnson] Wow.
[Allan Alford] And it’s because people are pretty smart about, “Oh, that’s actually power. Oh, that might be data.” And even then, the phone says, “Do you want to trust this source?” No! No, I don’t. Again, we have protections, and we have controls for these things.
[David Spark] Yeah, the phone can tell you if data is going through.
[Allan Alford] Yeah. So, I can power off my PC all day long without allowing data exchange, and it doesn’t pop up and show as a device that is a data storage device. You just tell it no. You’re going to run power. You’re not going to run data. It’s pretty straightforward.
[David Spark] But this also speaks to the security community as well in that you talked about how are employees using technology, and both of you listed off a slew of different things that protect them. Because we’ve been watching and listening, and if everyone is going to do this, yelling at them constantly to stop doing it is not going to get everyone.
So, we need essentially a fail-safe system to deal with it. Do you think we have been in all cases or most cases working in this direction?
[Allan Alford] I think we’re headed there. I think more of us are aware of how it needs to go, and I think the feedback from the community that we’re serving is pretty blunt when we’re screwing it up. I think we just need to be better listeners, and I think we’ll get through there. Imagine you’re in the marketing department and your whole job is to get a thousand emails out the door every day.
And then somehow, some security solution that Allan employs, or deploys, or whatever is keeping that thousand down to some smaller number because of false positives, and blockages, and whatever. At some point, you’re just going to be mad at Allan. It’s pretty straightforward.
[David Spark] Well, no, you’re going to look for another solution. And there are other solutions.
[Allan Alford] Yeah.
[David Spark] And you can be mad at Allan. You can do both.
[Allan Alford] Right. Why not both?
[Laughter]
Closing
33:47.025
[David Spark] All right, Mike, close us out on this.
[Mike Johnson] So, Allan, thank you for joining us. It was great kind of getting the gang all back together again. So, it was so wonderful to sit down with you again. Thank you for joining. One of the things I really want to highlight to the audience though, your comment about security must acknowledge how employees are measured.
I think that’s great. I think people really need to take that with them and recognize our job is to help make the employees be productive. And if we don’t understand what makes them productive, we’re going to probably totally wreck their productivity. So, I really think that’s a quote that folks should take with them.
So, thanks for sharing that. Thanks for sharing your knowledge, your experience, but really thanks for giving me the opportunity to sit down and hang out with you again.
[Allan Alford] Aw, shucks.
[David Spark] It’s awesome to have Allan back. Now, Allan, before you say anything else, I’m going to let you have the last word here. I do want to mention your awesome company, and that’d be Eclypsium. Trust your tech from core to cloud. Supply chain security. We talked about it. Allan gave a great description of how they’re doing it.
Just know what the hell is happening with your devices. Like what’s in that thing that you don’t really know what’s in it? I think that’s awesome. Check them out. Eclypsium.com/spark. That’s my last name. All right. Allan, I’ll let you have the last word. Tell us anything you’d like about yourself, Eclypsium, whatever.
[Allan Alford] Yeah, so the one thing I wanted to mention is if you go and look at the database of known exploits…not vulnerabilities but known exploits, you will see that there is actually more below the OS than above the OS. Stop and think about that for a moment. That’s insane. The greater majority are actually not being addressed by EDR, not being addressed by Next Gen AV, not being addressed by SOC/SIEM.
Eclypsium is there, digging through that layer and solving those problems, and that’s huge. So, I mean, I love Eclypsium. I joined for a reason.
I mean you guys know, I’m friends with half the industry, and there’s lots of places I could go. And Eclypsium is the one I chose. I believe in the product. I believe in the team. I believe in the vision and the mission. I think we’re solving a huge problem that is not being solved elsewhere. And like I said, the sky is the limit.
The amount of stuff we are ingesting and starting to solve for is…we’ve expanded in the software. It just goes crazy from here. It just gets bigger, and bigger, and bigger. And soon, you’ll be able to come to us and say, “I want to verify the integrity, authenticity, and security of, fill in the blank,” and we’ll be able to do so.
[David Spark] That is damn cool. Remember, eclypsium.com/spark. Check it out. Thank you so much, Allan. Thank you very much, Mike. And thank you to our audience. We greatly appreciate your contributions and for listening to the CISO Series Podcast.
[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, ciso-dev.davidspark.dcgws.com. Please join us on Fridays for our live shows – Super Cyber Friday, our Virtual Meetup, and Cyber Security Headlines Week In Review. This show thrives on your input.
Go to the participate menu on our site for plenty of ways to get involved including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at david@ciso-dev.davidspark.dcgws.com. Thank you for listening to the CISO Series Podcast.