Welcome to Cyber Security Today. From Toronto, this is the Week in Review edition for the week ending Friday, July 15th, 2022. I’m Howard Solomon, contributing reporter on cybersecurity for IT World Canada.com.
There won’t be the usual review of news highlights today because I’m off this week. So I’m going to go straight into a discussion I had recently with American cybersecurity expert Eric Cole.
Eric brings a wide range of experience, having been a hacker at the CIA, chief technology officer at McAfee, chief scientist at Lockheed Martin, a commissioner for cybersecurity under President Obama, a ransomware negotiator and cybersecurity consultant with his current firm, Secure Anchor.
(The following transcript has been edited for clarity. To hear the full conversation, play the podcast.)
Howard: With the Russia-Ukraine war going on, do you wish you were still a hacker with the CIA?
Eric Cole: I can quickly and confidently say no. And the reason is because now there’s way too much red tape and rules. One of the nice things about being a hacker in the early-to-mid 90s is this was brand new territory. We basically created it, forged it. Which meant we created the rules — which meant there were no rules. So we really were able to do whatever was needed in order to accomplish the mission. The problem today is that is hard with [the U.S.] government. Hacking requires a high level of creativity. You must be able to colour outside the lines and go outside the box. However, the government now has so many rules that limit creativity. That makes it very, very hard to really be a creative hacker today.
Howard: Describe the state of cybersecurity in the private sector and government in advanced countries such as the U.S. and Canada. Would you call it good, fair, awful?
Eric: I would call it a high state of confusion. And the reason is there’s a lot of misinformation out there. If you talk to a lot of executives and a lot of decision-makers, they really don’t understand how bad the problem is — whether it’s a real problem, whether it’s not. The media tends to give out partial or incorrect information that sort of misleads people on what’s really happening. And you really don’t have a lot of communication within the organization between the technical staff and the executives. So while there’s money and resources being spent and overall [companies] are doing an okay job, there’s a high level of confusion because of that lack of communication of accurate information.
Howard: You’ve written that the biggest problem in cybersecurity today is that there’s no communication between IT and executives.
Eric: If I had to sum up the biggest problem with corporations — and even government — and cybersecurity, it is the lack of an effective, well-defined chief information security officer. Many companies have somebody with the CISO title, but the problem is in many cases — not all, but in many cases — it’s viewed as a technical career track. A CISO is not a technical position. If you take a world-class security engineer and give them the CISO title they will fail because it’s not a technical position. The best way I can describe a CISO is a world-class translator. They must speak technical, they must speak business. Companies that have world-class CISOs that effectively translate are doing a great job with security. The problem is, those companies are few and far between.
Howard: So how does a CISO learn how to communicate with the business suite?
Eric: By doing that over and over again. The example I love giving is a muscle in a gym. If you go to most gyms and you look at the real muscle heads most have some muscles that are overdeveloped and some that are underdeveloped. And the reason is simple: You work the muscles you like and ignore the ones you don’t. The same thing happens with technical folks: Their technical component is overworked and the business side is underworked. A couple of quick things I recommend: Read business books. Every night for one or two hours give up Netflix and read business books to get familiar with it. On weekends hang out with business people. Talk in business circles. The problem is most security engineers hang out with security engineers. Which means their technical skills are going to get better and their business skills are going to get weaker. If you want to be a CISO you have to change your environment, change who you associate with and change the information that you focus on and absorb.
Howard: You’ve said prevention is ideal, detection is a must. Can you expand on that?
Eric: The easiest and best thing to do with a cyber attack is to prevent it, to stop it from happening. The problem is with preventive technology. You can only stop things that are 100 per cent bad 100 per cent of the time. So if you have some issues or problems that 80 per cent of the time are bad, that means 20 per cent of the time is good — which is most of the attack vectors we’re talking about. You can’t prevent them because if you do you’re blocking legitimate traffic. Companies today are trying to block all the attacks. But when that fails they have minimal to no detection. So detection is all about looking at traffic and correlating: Looking for anomalies, looking for [bad] behaviors and looking for activity that shouldn’t be on the network. And the attack has to be detected in a timely manner, because what a lot of people miss is the goal of cybersecurity is not to prevent attacks. The goal of cybersecurity is timely detection to minimize the damage to your organization.
Howard: One of the things that I got from your book Cyber Crisis is there are four things that IT should do: Make sure that all servers that are visible from the internet are up-to-date, fully patched, contain no critical data, and if they have encrypted data make sure the cryptographic keys are stored on a separate server. You’ve said that if these principles had been followed none of the major breaches that we’ve seen recently would have happened.
Eric: If you look at almost all of the major breaches that happened when I wrote the book — the book’s about a year old — they all really come down to servers that have known exposures, are missing patches, are accessible from the internet and contain critical data that is not properly encrypted. So it really comes down to those basic solutions. And in a lot of cases we like making things more complicated than they need to be: We want to go in and spend a lot of money — and please don’t get me wrong. There’s some great tech out there. I’m not saying that if you just do those four things you’re magically secure. But the problem is we’re focusing on advanced techniques and tactics. The simple, foundational items that are needed to support that [great tech] are not being done.
Howard: Why not? It seems to be the easiest thing.
Eric: What I always say when I give presentations is common sense is not always common practice. What happens in a lot of organizations, I believe, is there’s a lot of turnover in IT and security. As new people come in they just make the assumption — the false assumption — that the foundation of the house is solid and let’s just focus on renovating the rooms. Let’s go in and focus on the advanced techniques and tactics. But they don’t realize that they need to step back and check and make sure that the foundation is solid.
Howard: Infected attachments and links. These are some of IT’s biggest problems because that’s how malware gets spread. You’ve said if you block attachments and embedded links from unknown entities that will lower the odds of being victimized. But how does IT determine what’s an unknown entity?
Eric: A couple of ways. But the simplest is, ‘Have you had communication with that entity in the past?’ None of this is 100 per cent, but it works very well. Most of the communication that you’re going to have with outside entities is usually initiated internally. So I would send an email out to somebody and then they would send the email back — and that would be trusted. If we get an unsolicited email, or an email where I’ve never communicated with that entity before, those are the ones that we’re talking about. And the thing that’s important here is we’re not saying block the emails. We’re not saying delete them. All we’re saying is if it’s a new email from a new source that you’ve never communicated with before, why not just temporarily remove the attachments and disable the links until it’s been verified or validated whether it’s legitimate or not?
Howard: But what does IT do if a hacker has hacked my email and uses that to send you an email with an infected attachment?
Eric: That’s when you have other options. One is you have other solutions in place like endpoint security. Virtual machine isolation is one of the things we do with a lot of our clients: You run email and web browsers in separate virtual machines. That way even if they [staff] do get infected you’re isolating and containing them … By running applications that have high risk in separate virtual machines you’re basically creating a zero-trust environment. Another question is why are we using email as a file transfer mechanism? That’s not really what it was created for. More mature organizations block all attachments, and they have separate file transfer tools for doing file transfer. You use email just for email.
Howard: You’ve mentioned zero trust. It’s a big buzzword. There’s a lot of misunderstanding over what zero trust encompasses, and what organizations have to do in order to have a true zero-trust environment. What are your thoughts about how to clean this up?
Eric: The way you clean it up is by adding other words to zero trust. Are we talking zero trust at a host level, at a network level, at a server? Zero trust is like saying ‘transportation vehicles.’ Well, that covers a lot of things. Are we talking cars? Airplanes? You need to add a little specificity around it, because at the highest level zero trust is just saying that you create an environment where if any entity gets compromised it’ll have zero impact on any other entity. The question is, what is the entity? An entity can be a computer, an application or a server. And that’s where the confusion comes in. There are so many categories of the entity that unless we put characterization and specificity around what level of zero trust we’re talking about, it makes it really hard to get to an implementation and detail level.
Howard: Here’s another problem: Misconfigured data on cloud storage. At least once a week there’s a new story about a researcher discovering unprotected data from an Elasticsearch [server] that’s stored on AWS or on Azure and is open to anyone who can figure out how to find it. And apparently it’s not that hard. All you have to know is how to use Shodan. What can IT do about this?
Eric: That really just comes down to good standard operating procedures and practices that people have to always follow when they’re setting up or storing data. They follow a set of procedures. A lot of it really comes down to shadow IT, where it’s so easy for anyone in the organization to basically go and set up AWS. It takes five minutes — you put it on a credit card. Some of these services are US$5 a month, and boom you’re now running servers that are exposing corporate company data. A lot of it also comes down to really training IT staff to say [to the rest of the firm], ‘This is what you can do, this is what you can’t do and these are the repercussions for doing that.’ There has to be a lot more control gates and mechanisms in place. The way you stop shadow IT and rogue behavior is enforcement.
One of our clients had employees constantly setting up storage on AWS and leaking sensitive data. I told them every time somebody does that fire them. And I guarantee you after three or four people are let go from the company and you show this is serious they’re not going to do it anymore. But the company said, no, that’s too strict a mechanism.
Howard: In an interview earlier this year you said that your firm sets up a distributed database system for customers so that only 15 per cent of their records are in any database. Should that be a standard that IT tells management, ‘We can set things up so that the worst thing that happens is we lose 15 per cent of our data?’
Eric: It’s a solution to a problem. I always like caveating that if you have a lot of sensitive data from different organizations and different entities, that’s definitely an option. Just to give a little more focus on that solution set, we do a lot of work with law firms where they have a lot of very, very sensitive client data from different customers. So in that case, it’s not only very straightforward but it’s very logical to set up to really minimize or reduce exposure. Now, if you’re in a large financial transaction or healthcare environment we might recommend other solutions where you want to better protect and secure, because that might create a lot of unneeded complexities. But that is an option that should be considered, with other options, of what is the best way to reduce risk while managing and allowing the functionality that’s needed for the business units to operate.
Howard: Cyber experts always say there is no technology or combination of technologies that can absolutely guarantee there won’t be a loss of data, so I’m just wondering whether IT leaders should give a firm number like that to management — 15 per cent. Is that something that management would want to hear? Is that something that would help IT get management’s head around just what the cybersecurity thing is? Then they can assure management that they’re getting something for their money.
Eric: That’s why we do that, and it’s a very effective tool because it goes back to what we said earlier, which is a world-class chief information security officer speaks business. Business is about numbers, risks and per cent. The problem I have is I work with a lot of CIOs and CISOs and they’re like, ‘Well, Eric, I don’t want to commit to a number,’ and I’m like, ‘Then you’re useless in terms of the executives, because if you go to an executive — which is what a lot of CIOs and CISOs do — [and say] it could be bad. It could be really bad.’ They [executives] want to understand four things: What could happen; what is the likelihood, give me a number/per cent of that happening; what is the cost if it occurs; and what is the cost to fix it? They want and need numbers to make a business decision, and as long as a CIO or a CISO refuses to give numbers they’re going to be ineffective in their job. It might not be perfect, it might not be exact, but you need to give numbers so they [executives] can make appropriate decisions.
Howard: In May the United States passed legislation mandating security incident reporting to the government. Up here the Canadian government just introduced proposed legislation for mandatory security incident reporting. What’s your opinion on the value of this? How important is it that governments know about security incidents or breaches of security controls? And should that information be public? Right now the proposed reporting is private to security agencies. But maybe if there was some public naming and shaming that would encourage companies to devote more resources to cybersecurity.
Eric: I’m okay with the reporting if it’s tied to clear regulation and compliance. So if you have a regulation that says you must do x, and if you don’t do x and have a breach, then that should be reported. But to me this idea that whenever you have a breach companies now have to not only disclose it but give the details and everything else — what are we accomplishing? Versus the risk or exposure we’re giving to that company, because we know — especially in the United States — there’s no such thing as private reporting when it comes to the government. They have more leaks than a bucket with holes in it. The point is if the government now starts getting to this oversight level where you almost tell us about every single breach, then the government has to accept liability for the exposure that’s going to occur to those companies. I think what’s happening is we’re reacting to a problem, which is companies are not implementing effective security measures to protect clients’ data. But we’re doing it with the wrong solution. The solution should be what the United States is finally doing, which is passing a federal law on data protection and data security that companies have to follow to protect their data. Just like Europe did with GDPR many years ago. The focus needs to be on setting a bar with regulation and compliance. This whole idea of mandatory reporting is not a solution to a problem that solves anything. It just makes it worse.
Howard: Who should take the lead for cyber security? Governments through regulations or businesses?
Eric: In a perfect world it should be done by companies. Companies should step up and implement appropriate security measures. However, if they don’t then the government needs to step in. The Colonial Pipeline [ransomware attack] last year in my mind was the Enron moment for cybersecurity. Enron was a publicly-traded company and they did a lot of really bad things. At that point the government said, ‘You should have been able to self-regulate. You clearly weren’t able to, so we’re now going to step in and regulate.’ Private companies should have been able to manage it [cybersecurity], but clearly they haven’t been able to do so, or they’re unwilling to do so. So, unfortunately, we are at the point now where I do believe the government needs to step in and basically provide oversight and direction on what is or is not appropriate security.
Howard: You’ve said that people — and I think you mean executives — should have two computers: A Windows computer for their work and a computer with a different operating system for checking [work] email. Why? What if I download something that I need, like a report, and I need to transfer it to my work computer?
Eric: Once again, it’s a solution. Not a solution for everyone. But what I always try to do is not what most people in cybersecurity say: ‘No, no, you can’t do this. You can’t do this. You can’t click on this link. You can’t open this attachment.’ I have a Windows computer at my desk that I use to work on documents, on reports, do spreadsheets. And I have an iPad that I use only for checking email and surfing the web. It’s not that Windows is more vulnerable. Windows is as secure as the other operating systems if you look at the actual data. But because Windows still has one of the highest install bases, 90 per cent of most attacks target the Windows operating system. So today if you’re running a non-Windows operating system, such as an iPad or Android, you have a 90 per cent chance that malware isn’t going to run or be effective on that platform. Second, even if it did — if it was the 10 per cent that was an attack for an iPad — because all I’m doing is checking email or surfing the web, if it gets infected I just reimage it. I just restart it up again and we’re off to the races. So it’s just an easy way to create separation between those two.
To answer your other question, I don’t exchange documents [via] email. We have a separate platform that we use for exchanging documents with our clients in which you log in, register and set up. So if you need to send me a document we would use a proper mechanism that I could then utilize on my desktop to access that document.
Howard: If you had three things to say to IT leaders, including CISOs, about how they can lower the risk of their company falling to an attack, what would you tell them?
Eric: One, you need to be able to speak and communicate business. You must be able to translate between technical problems and the business for executives. Second, when you’re a security engineer you focus on identifying problems, but when you’re a CISO you must focus on identifying solutions. Be solution-oriented. Don’t focus on what is wrong, focus on the solution you need to be able to fix the problem. And third, have accurate data. You should have network visibility maps. You should know all your servers, all your systems, all your patch levels and where your data is. If you don’t have those basics — asset inventory, data management and configuration management — in place, do not pass Go, do not collect $200. That needs to be your priority. The problem is most CISOs focus on all the advanced technology and overlook the fact that they have a broken foundation for their house.