
How to Lead a Cybersecurity Culture

Did you know human error is your biggest cybersecurity threat? Don’t fall victim to hackers because of careless employees. In this webinar you will learn: how do you lead a cybersecurity culture? What is a cybersecurity culture, and why is it so important to implement throughout your business?

Prefer to read? (Transcription)

TOM: Welcome, everyone, to March 2nd – is that what it is today? March 2nd edition of Deeper Dive. We do these every Tuesday at 2 p.m. Today’s topic is how to lead a cybersecurity culture, or just have a cybersecurity culture. What does that look like? What do you have to do to start that endeavor?

Today we’ve got Kindsey on the line, ready to put links in the chat, I hope.

KINDSEY: Yep, always. Hi.

TOM: So anybody have any questions, drop them in chat or – I don’t know if we’ve got Q&A. Yeah, Q&A. You can put it in either one. We’ll monitor both of them. This is real informal, so feel free to ask any questions as we go along.

My name’s Tom Kirkham, Founder and CEO of IronTech, in case you did not know that. Been in technology for 40 years, about, roughly. Seen a lot of things, done a lot of things. So let’s get started.

The very first thing – and if anyone has attended other webinars of ours, you know I spend some time talking about the NIST Cybersecurity Framework. If you’re in the water utilities, you have this thing called the American Water Infrastructure Act, I think, AWIA. That’s about security – understanding where you are, what you have to do, and how well you’re prepared to be resilient. Others of you are in different industries, but the same principles, regardless of whether you have regulations or things you have to comply with

…Framework, the very first thing you have to do is identify. You have to identify where you are, what you have in place, and what you need to protect. It’s one of the 5 things, but it’s the very first step. Before you protect, before you detect, respond, and recover, you really have to identify. A captain has to know the condition of his ship.

What do I mean by identifying? You’ve got to know what your assets are. Do you have industrial control systems? You have to monitor those. Are you at great risk for ransomware? What data would be catastrophic if it were held for ransom or it was deleted or it was stolen? Credit card information, accounting information, personnel records. You’ve got to know what those assets are.

Then, you have to understand your risk, and you have to understand the risk at a high level. Some of you may answer to a board of directors or to a mayor or to an owner of the company or shareholders or whatever – everyone’s accountable to everyone, really. You may have to answer to your customers. Why did their data get stolen?

If you don’t understand the risk – going back to the ship thing, if you don’t understand if your engines are in good shape, if the food’s safe or whatever, you don’t really know what’s going on and you’re not being a good captain of your ship. You have to analyze risk. What is the risk? And everything has a risk. Your risk is much higher from a cybersecurity standpoint if you don’t know what your assets are, what needs to be protected.

If your organization has a very low security awareness maturity level, like they don’t know how to recognize a phishing email or they’re not even on alert for them, even in the back of their mind, they don’t worry about that, organization awareness is kind of low.

What technical controls do you have in place on a cybersecurity standpoint? These are very, very obvious things. You know that you’ve got physical controls and administrative controls around the office door. You know when the office door is unlocked, you know when it’s locked, what hours it’s open, what hours it’s not, who has a key, who’s authorized to be there afterhours. You have to have that same security mindset and understanding – you don’t have to know how it works. You don’t have to know that it uses artificial intelligence and machine learning to stop these threats. You just have to know from a high level that, “Oh, this is a big risk of mine, so I need this technical control in place, or else I’m subject to that threat.” So you have to at least know and have a good idea of what technical controls you have in place.

And then, just like with the door locks and everything else, you have to know what kind of administrative controls you have in place. We’ll talk about some of those, but a good example of that is, how are passwords handled?

Let’s look at some of the things that we see when we do a security assessment. When we do a security and risk assessment for organizations, those are some of the things we try to discover, and then we assign low, medium, or high risk to those things and the best way to go about protecting them.

And this is in no particular order, but one of those things that we discover – and I’m sorry if I’m cutting in and out. Mary says – how bad is it?

KINDSEY: You’re good on my side. You’ve had a few times cutting out, but it’s not bad at all.

TOM: Okay. Let me get the mic a little closer to me. I’ll see if this works. I’ve noticed everybody’s been complaining about the microphone’s not close enough. I think I may have it set wrong. Let me start over here.

One of these things that we see in an organization that has high risk things is they do not monitor backups. An IT guy or their IT staff has set up a backup and that’s it. “Oh, it’s all automatic. You don’t have to think about it,” and all of that. You have to monitor backups in case you need them. And it’s not just for cybersecurity threats, but it’s also for natural disasters or file corruption, any number of things that can occur that require you to retrieve a backup of a Word document or a QuickBooks file or any number of things. An industrial control system database needs to be backed up.

If you don’t monitor those things, then you don’t have a backup. You basically are gambling that that automated process is going to work, day in and day out. It’s not going to hit a software glitch, the computer’s not ever going to be turned off or the power’s not going to be off, the destination will never fill up – like if it’s a local drive and you do backups to it, you just assume that local drive will never get full, you never have to do maintenance on it. Or you’ve reached your quota on your online backup account, you’ve gone over 1 terabyte and now backups aren’t going to it. You just assume that all those things are never going to happen. You’re operating on wishful thinking, and that’s not the way that I know you guys run your organization, day in and day out.

You have to think about that in the technology world too, because things can go wrong. You have to pay somebody, whether it’s in your company or outside, someone’s got to be paid to monitor those backups and make sure they work, day in and day out. We see that right there a lot. I can’t tell you how many stories I’ve read where someone’s had a ransomware attack and they refuse to pay the ransom, they go to their backup and discover that it hasn’t worked for 2 months and no one knew because they didn’t check them. There’s any number of ways that those can fail.

Another thing that we see quite often is poor password hygiene. What do I mean by that? If you share a set of credentials in your organization amongst other people – same set of credentials, tom@irontechsecurity and password is “password” and everybody knows it – Kindsey knows it, Matt knows it, Curtis knows it, everybody in the organization knows it and they use those same sets of credentials, that’s a problem. Because if one of those people lets out those credentials or they get compromised, that increases my attack surface for my set of credentials.

Everyone should have their own unique set of credentials for whatever it is you’re logging into, if at all possible. Sometimes the software doesn’t allow you to do that, but if possible you should do that.

Another thing you shouldn’t do is openly tell anyone what your set of credentials is. It’s not a matter of trusting your colleagues. It’s a matter of decreasing your attack surface.

Another thing – actually, password management and “sticky note” password management are related, but what is the password management technique? When we do assessments, we see people write them down in a desk drawer, they’re taped on a sheet of paper, they’re put on a sticky note on the monitor, or they just reuse the same password over and over on multiple sites. That puts you in a high risk category. You’ve increased your attack surface dramatically by reusing the same sets of credentials.

And then bad passwords. A bad password doesn’t have to be as simple as “password” or “password1234.” It could be anything that’s in the dictionary, a word. It could be your pet’s name, your children’s names. Oh gosh, I’d even say your mother’s maiden name. That’s okay for a security question for a password reset of something to verify. It’s okay. I’m not saying it’s great, but it’s okay for that. But those are things that can be either brute forced, like a dictionary, or simply going to your Facebook page to find out what your kids’ names are, or your favorite team. Mine might be Razorbacks or Banana Slugs. If my favorite team is UC Santa Cruz Banana Slugs and I’ve graduated from there and it’s all over my Facebook page, that’s an easy thing to try if somebody’s trying to break into my stuff. But if it’s a dictionary attack, that’s all automated. They don’t even have to know who you are to break those passwords. So you don’t want to use anything that’s in a dictionary.

Preferably it would be randomly generated and then stored in a password manager, and it gets to the point where if you use a password manager, you don’t even care what your password is, nor do you know. All you know is it’s secure about 10 different ways.

Another thing that we see – and this is especially relevant to the breach in – what’s the name of the town?

KINDSEY: Oldsmar?

TOM: Yeah, Oldsmar, Florida. I just know it’s in Pinellas County. I know exactly where it is. But yeah, Oldsmar. One of the things they did is they opened up their industrial control system to the public on a Windows 7 machine. There’s about nine ways to Sunday things wrong with that idea. Number one, Windows 7 is out of date. There’s no security patches being made for it anymore. Number two is you never plug a computer directly into the internet. I’m a security expert and I don’t do that. Within a second, that computer directly plugged into the internet is being attacked.

Now, you may say, “That’s ridiculous! Why would somebody attack my computer if I directly plug it into the internet?” It’s because they don’t know. They don’t know who you are. All they know is they’ve got automated bots running, they see an IP light up – because there is a finite number of IPs – and this automated bot automatically starts scanning the ports and scanning for vulnerabilities and cataloging those things for further research to hack.

With COVID, in March of last year, the first month of people beginning to work from home, we saw a tenfold increase in remote access attacks. LogMeIn, TeamViewer like Florida used – oh, and by the way, there’s another breach that’s not public, but it’s the same thing. So I know there’s more than two people out there that are doing this, opening these things up and not having any security around remote access. Tenfold increase in remote access.

Criminals respond to current events. That’s why you see these emails soliciting donations for the latest natural disaster. Many, many of those are criminals that are just trying to take advantage of the situation. Same thing with COVID and remote access. They knew that people were going to begin working from home, companies were going to be scrambling to get remote access turned on, and more often than not, they do a piss-poor job. They’re more interested in making sure they can get up and running rather than securing that remote access.

The right way to do it is to put security first. That’s part of being a good leader. Do not turn on remote access unless it has adequate security, such as multi-factor authentication and/or a virtual private network. This is part of being a leader on cybersecurity. You’re responsible for all the risk the organization has. You’re not just responsible for operations. You’re not just responsible for finance, or even IT. One of your responsibilities is to keep that organization safe and sound.

When this remote access thing all of a sudden flipped the switch and your attitude is “We’ve got to get everybody up and running when they’re working from home as soon as possible” without considering the security component of it, you dramatically increase the risk to the organization. You have to do both. They’re not exclusive to each other. Security has to be considered first, and that’s what good leaders do.

And then finally – and this is related to the Florida breach – we discover things like Florida where they had no least privilege policy. Not only were the same credentials shared for their TeamViewer account, so no one had unique credentials like I mentioned earlier, but everybody in the organization could remote in. I’d be willing to bet there’s probably only three people that needed to access that. But they let anybody in.

So that’s why a script kiddie, or perhaps a malicious employee or former employee, did the very basics of finding these devices on the internet – because you can do this; you don’t even have to go to the Dark Web – and found it and started playing around with it. We know it wasn’t a nation-state or even a criminal enterprise. There was no money to be made, so that pretty much leaves out the criminal part. And it wasn’t a nation-state because they would never, ever hack a place that simply. They would want to do it more stealthily, not be discovered. So you restrict access to only those people that need it.

A really quick test. Let’s say any of you using QuickBooks – let’s say you’ve got two people in the office using QuickBooks, but you’ve got eight people in the office. I want you to go to your network neighborhood, then go to the server or wherever it’s stored, and see if there’s access to the QuickBooks shared folder. I’ll bet you there is. What’s happened is it’s simpler to share a folder on a network to everybody than it is to Susie and Bill, who are the only two people that need access to QuickBooks. And once again, it’s not about not trusting your colleagues. It’s about lowering the attack surface. Security first. You’ve got to think that way.

Which brings us to security attitude. Let’s suppose you’ve been through, I don’t know, 20 or 30 of my webinars, and you’ve heard me on my soapbox 20 or 30 different times and you go, “Oh man, Tom, I get it, I get it. You’re preaching to the choir.” And I appreciate you. What I want you to do is take the next step and increase that security awareness in your own organization. You are messengers of this, whether it’s to your bosses or to your other colleagues that you work with. You have to elevate all of them.

Where their attitude is it’s not worth the trouble, or it’s a hassle to use a password manager, you’ve got to get them over the hump of them not understanding the importance of securing the business, just like they understand the importance of locking the door to the office at night. They would never in their wildest dreams – they would say, “Oh my God, Bill forgot to lock the front door last night. I hope nobody walked in and stole stuff or did anything malicious.” It’s the same thing with cybersecurity. They just don’t understand the scale and the automation and the number of people and how huge the hacking industry is, and how automatic it is.

Sometimes you have people in there, “Oh, there’s no way they’re going to attack us. No one’s ever heard of us. We’ve got 50 customers and we’re in a small town. Why would anybody in Russia attack us?” That’s one of the myths that I talk about. Just to reinforce that, they don’t know, they don’t care. They’re just running a numbers game because they’re doing it at scale. And those other myths that we’ve talked about. Your IT guy says, “Antivirus is good as it is.” That’s another myth.

It’s up to you to get these things done, and it has to come from the top down. If the leader of the organization just hands it off to the office manager or to the organization manager and says, “You make all of this happen, but it doesn’t apply to me. I’m not going to go through the security awareness training,” or “I don’t want you to put that stuff on my computer where you can monitor for threats. That makes me paranoid” – well, that’s not a top-down approach.

The leader of the organization has to do more than manage and delegate. He truly has to be a leader when it comes to cybersecurity so that whole attitude is improved amongst the entire organization, and people say, “Oh, Bill, I can’t give you those credentials, but I’ll set you up an account where you can create your own credentials to get into this piece of software.” “Oh, I can’t write this down on a sticky note because Susie may see it and use that against me.” Sorry, I didn’t mean to get into the personal deal. “Susie may out of convenience log in with those credentials.”

So it’s got to be pervasive throughout the whole organization. And if anyone’s on that network, whether it’s a mayor or an owner of the organization, if they’re on the network and they’re not doing everything that everyone else is, your attack surface practically is the same as it was before you even did any of the other things to try to stop cyberattacks. In fact, those types of roles are generally higher threats because they tend to do a lot more things on the computer and go to a lot more websites. They’re not focused every day on a specific set of tasks. Often, those people in those positions have to look at big picture stuff and synthesize that. “How does that affect finance and operations and marketing and hopefully cybersecurity? And then I’ll have to coordinate with everybody else and make sure we’re on the same playing field.”

And then finally, just turning it over to IT – which you know, I’ve already been through that a lot. It’s not an IT issue. It’s a security issue. IT has a different set of objectives, and turning it over to finance to find out if we’ve got the budget for it is unacceptable. You have to increase your security.

I mean, it depends on where you are. The only way to find out where you are is to do an assessment. But you don’t have the budget – well, if it seems like it’s unimportant, of course you don’t have the budget for it. No one’s got unlimited money. But cybersecurity is a real, serious threat, and I can’t stress how big of a threat it is enough. Some people accuse me of being Armageddon; some people accuse me of exaggerating. Those people in that town in Florida are not now. How embarrassing that is. How much trust was lost in that community over the quality of the drinking water.

I mean, it’s not as bad as Flint. That wasn’t even a cyberattack. But it’s on its way. “Is that all it takes to contaminate our water supply? You didn’t do anything to protect us? Now I’m going to go get it tested. I don’t know if I should trust you.” That’s a hard thing to get back. Especially when it was so negligent, what they did. It really was super, super negligent. I think – and I wasn’t there – I would speculate that you almost have to go out of your way to do that. Regardless, at the very least it was super negligent.

Finance doesn’t get to make the call. IT doesn’t get to make the call. Who gets to make the call is the boss. The boss that answers the phones for the newspaper reporters. The boss that’s interviewed by the FBI, “Why did this happen?” – or the EPA, the Department of Environmental Quality or whatever it’s called in your state, your bar association, HIPAA, finance, SEC. Visa, MasterCard. All of this data that you protect is subject to a lot of compliance and regulations, and if you do nothing, at best you’ll be out of a job. That’s what leadership is. It’s instituting change.

Here are some other ones that, generally speaking, are low to medium. We see that a lot of organizations cannot even identify a phishing email where they’re trying to hook you on something or con you to do something. Over 90% of the cyberattacks that are successful occur because someone inside the organization unwittingly allowed that to happen. So they have to have security awareness training so they can identify things like phishing emails.

There’s always improvement to understanding what risk they’re undertaking. We already know just from the fact that they set up a security assessment with us that they’re already starting to understand the risk. What we’re doing is shining light on it, saying, “You’re vulnerable here, you’re vulnerable here, you’re vulnerable here. These are the most common threats in your industry, your particular company. These are who is more likely to attack you and what they want and how they’re going to go about it,” so you put your defenses in place appropriately.

If you’re two nations at war and your opponent has no air force, then you know you can go bomb and strafe and everything completely free of any risk. We do the same thing from a defensive. We’re offense and defense. The bad guys and the good guys, offense and defense. We know that a lone wolf attack would be very unusual for a law firm unless they are representing clients that are victims of terrorism or something like that. It’s kind of a low-risk thing for a lone wolf to attack a law firm. If you’re a divorce attorney, your number one threat is ransomware and other criminal. The rest of it, eh, not so much. Personal injury, yeah, pretty much ransomware and other criminal enterprises, other scams, things like that. You have to understand what your threats themselves are.

No understanding of the threat vectors or the attack vectors. How is that ransomware going to hit these computers? What’s the most likely way? Those are some of the things we uncover in an assessment for your particular organization. Identify those threat actors. Nation-states, criminals, and all the rest. That’s what we help do for your organization, and any good security assessment will help you identify those things.

Another one is public email domains. If you’re using Yahoo or AOL, please get off of those. They are so insecure. Have been insecure for the last 30 years. Besides that, are those really appropriate in a business setting?

Update your computers. Update the software. Keep everything patched. The Florida thing, once again, it’s Windows 7. You have to rotate computers. They have a lifespan. And computers are so cheap these days, they’re disposable. You get 4 years on average out of a desktop, you’re doing fine. Throw it away, get a new one. Or recycle it, get a new one. That’s what you want to do. But more importantly, you’ve got to keep it patched. Keep security updates on it, stay on top of it.

And no disk encryption. It’s a low to medium risk, but it’s actually higher if you have laptops because if that disk is not encrypted at rest and the laptop is stolen or lost, and there’s no disk encryption at all, then anybody that gets it can get that data off of it. That Windows password really doesn’t stop anybody. It doesn’t stop them on a Mac, either. All you’ve got to do is plug the drive directly into another computer, and if the disk isn’t encrypted, you can read and write everything that’s on there. All of the data that you think is safe in your office – well, if it’s on a laptop or mobile device of any type, iPhone, iPad, Android device, whatever, it must be encrypted at rest.

I’m just a hair over. Give us a call, send us an email. There’s a link in the chat to fill out a form to begin the security assessment process. Love to talk to you. Or if you’ve got any questions, be happy to answer. Does anyone have any questions? I can’t believe Mary doesn’t have a question.

KINDSEY: I’m not seeing anything just yet.

TOM: Okay. Well, if you think of something after the fact, you can just drop an email to sales@irontechsecurity.com. I’ll take a look at it and let you know.

The most important takeaway – if any of you have not done a security and risk assessment, please, please, please get one done, with us or somebody, to find out what the condition of your ship is. Then you get to make the call of what you’re going to do going forward. It could be nothing. Maybe you’re okay. But if you don’t know, you can’t improve it, and you’re just uncertain. Maybe you can’t sleep at night. That’s the first step.

Sometimes people call us about penetration testing and they’ve never been through an assessment. Penetration testing is the last thing you do. That’s usually months past beginning this. You really need all your security defenses in place, understanding really well what your risks are, what risk you’ve been willing to accept, your business case for that risk, your technical case for the risk, and then and only then do you spend the big bucks for a penetration test.

That’s the way it works. We did – what was it, a couple of Deeper Dives back, Kindsey?

KINDSEY: Yeah.

TOM: Yeah. You do a security and risk assessment, and the second one you can do – and sometimes we do this first, depending on the prospect – we do a vulnerability assessment, which is more technical. And then finally, for some, we do penetration testing.

At any rate, that’s it for this week. What do we have on deck for the next episode?

KINDSEY: Next Deeper Dive is Why You Should Trust Us.

TOM: Should we be doing that, or should we get an outside vendor to host that?

KINDSEY: We could.

TOM: I wonder about that. Hmm. I’ll ponder upon that. We may have a guest, we may not. Not sure. But it just seems kind of weird, us telling people why they can trust us. You know?

KINDSEY: Yeah.

TOM: Eh, at any rate. Actually, in all seriousness, we’re going to go through some of the controls we use. We can’t tell you everything that we do, simply because it increases our attack surface. But we’re going to go over a lot of the things we do to keep from becoming breached and to help protect our clients.

And I can tell you flat out that one of those things is we do not tolerate anybody in the organization that does not take security seriously. That is, no warning – well, it depends on how egregious the lapse of security is and intentions and all this, but let’s just leave it at we don’t tolerate that. We have got to stay secure.

So tune in next week. Should be a good show. Thanks, everybody.