Hello everyone, I am Sowmiya Rajamanickam, and you are listening to Secure Insights, a series of conversations with industry experts, influencers, and leaders in the IT security space. In this podcast I have with me Mark Houpt, Chief Information Security Officer at DataBank. Mark has over 25 years of experience in information technology and security in various industries.
Would having a variety of operating systems within a network help in prevention, or would it increase the chance of being victimized?
Having hardened operating systems, that is, ones that meet specific security standards, doesn't prevent them from being attacked, but it does prevent them from becoming the victim.
Let me give you an example of a situation that occurred. There are DDoS attacks that look to exploit the number of connections a server can handle. Usually these are reflective attacks and SYN-type attacks. What they desire is to overload the server, leaving open the SYN acknowledgement function that occurs in the initial connection. If the server is not hardened to time out and is left open, then the server can become the victim of a DDoS attack, one that would otherwise do nothing but drop off and allow the server to continue to operate, if the hardening isn't in place.
How can enterprises ensure that they are not avoiding critical functionalities of a security tool during customization?
A lot of us in the security industry trust the security tools we have. There are a couple of ways to avoid being a victim of threats or vulnerabilities that come from tools. Firstly, we need to get to our vendors and make sure they are doing everything they say they're doing. For example, if you have a vendor putting together a signature, or some sort of threat protection signature like an intrusion protection system, you need to make sure that their research department is doing everything possible to ensure that false positives are not a part of their environment. The other thing you need to do is due diligence against your vendor to make sure they are conducting their security program as diligently as you would. One of the biggest areas we need to focus on in that regard is what happens with insider threats, security awareness training, and the background investigations that occur on your vendors' personnel.
Just this past week, a major U.S. vendor had an insider threat: an employee stole data from their database and sold it to criminals. Now, I happen to know this vendor; they're a very good vendor and do have a good security program in place. In this particular situation, the employee on the inside simply went rogue. So we not only have to do our background investigations, but you also have to continually see how vendors monitor their systems. They also need to continually monitor their own code. Having those vendors do the same due diligence on themselves as we do within our own environment, so running web application scans against the code, having third parties evaluate or test the code before it's deployed, is a significant thing a vendor can do to ensure that it's reliable and that the code itself doesn't have its own vulnerabilities.
Just in the past 60 days, we've seen a couple of vendors, for example LastPass, that had a vulnerability within their code, and so those vendors need to do more due diligence to make sure they are meeting the standards that we place upon ourselves. But ultimately it's the chief information security officer on the purchasing side who is responsible for making sure that his or her vendors meet their standards.
What are your thoughts on digital identities for citizens? Do you see security issues that might come up later on?
Absolutely, but I don't think anybody has a good solution for this, because there are cultural differences across the world, and governments' requirements differ. Here in the United States, one of the challenges is the transportation system. For example, in the US, starting from October 2020, we are required to have a REAL ID in order to go through Transportation Security Administration checkpoints in the airport to get on the commercial airlines that we fly.
There have been a lot of questions on how secure, and how different, the REAL ID that's being provided really is. There have been some vendors that have stepped up to the plate. There is a vendor named Clear that allows you to tie biometrics to your REAL ID, which is your passport and driver's license, so that we can tie our biometric controls to them.
There's some real push back on that in the United States, for example, because a lot of people in the United States don't want the federal government to have biometric data or other types of identifiable data on each citizen, whereas in other countries that may actually be expected from birth. In the United States that's not expected, so there are a lot of challenges ahead with this kind of situation, and we need to take a look at it as an industry and, working with the various federal governments, come up with a solution that can handle this problem.
How much engagement does senior management have with IT security budgets and compliance?
Senior management and IT security budgets: it's always a battle, because the senior management of a company always wants to be making money. So it's the chief information security officer, who should be the senior executive within the company representing compliance and security, who has to address their budget from a cost and a profit perspective. So, as a CISO, I need to show my company where there is going to be profit from the tools that I put in place. It should not always just be a cost; there should also be a profit as we move forward.
Do you think data breaches and ransomware can be mitigated fully, or at least controlled to some extent, using AI and ML tools?
I definitely think AI and various learning tools can help with ransomware, but like any type of threat that exists out there, I don't believe they can ever be fully controlled. As soon as we come up with an AI tool or a solution to battle ransomware, the people using ransomware will change their tactics in order to get around it. I mean, that's the case with every threat we have, and if you look at a lot of Brian Krebs' articles on security, going all the way back 10 or 15 years, he was talking about the pharmaceutical industry that was heavily, at least, managed out of a lot of the Russian and Eastern European type of situations. Those guys are actually the background behind ransomware, and what they've done is, they realized 10 or 15 years ago that they could send an email message that says: "Hey, go buy this type of pharmaceutical." Somebody would click on it, they would spend a bunch of money, and the pharmaceutical that was sent to them was either a cheap knock-off, or maybe the person would even lose their money and never receive the pharmaceutical. Well, they've morphed into this. Ransomware works the same kind of way: you send an email or a phishing attack, the person clicks on it, and it pops up.
Once a ransomware attack had occurred, in the end, if you paid the ransom, you would actually get the encryption key. Now they've morphed, and victims are not even getting the encryption key anymore. The attackers are doing everything they can to circumvent any type of systems that have been put in place, and they will continue to do so. AI and other types of tools have their place, and if they are properly managed and properly maintained, they can be a good defense. The people who will get attacked will be those who either don't have AI or are improperly managing the AI, because regardless of how much AI you have, you still have to have a human behind it, properly managing it, properly coding it, and making sure that the AI stays within the bounds of its authorization and its boundaries of code and responsibilities. So as long as we're managing and maintaining AI, it will be a good defense, but it could also be something that causes some challenges.
What are your thoughts on Zero Trust?
It is a buzzword. It is something that I believe the vendors have created. My thought process on Zero Trust is a little bit different from what I know some of my colleagues have, and so I do like to speak on the matter. So, first of all, I look at Zero Trust as something that is a myth.
For us to walk in as chief information security officers and have zero trust in our environment creates a negative culture that I don't think any of us really want to deal with. I would rather come into a situation that has a positive culture and a positive thought process. Look, a lot of the time Zero Trust is applied towards a person rather than a process or a technology, and I think we need to come in and think of our people positively. Yes, I realize that insider threats are a major piece of the environment that we have to deal with, but there are ways that we can handle, maintain and manage that.
So, I think first of all Zero Trust is a negative term that we need to get rid of, but there's a better way to do it, and that's trust but verify. In saying that, what I mean is that we have to have continuous monitoring inside our environment, regardless of what we are doing. We have to be able to find the things that pop up as red flags to us, and the yellow flags; we have to have key performance indicators that show us what's going on in our environment, not just technologically, but also in our processes and our people.
Let me give you three examples. One is with our people. We need to have our managers trained to understand when our people are under stress and when they are in distress, and to be able to help them manage through that, because almost every insider threat, where they're doing something malicious, is doing so for some sort of gain for themselves, whether that's financial or they're trying to get back at the company or at a manager for doing something that the person thought was negative against them. So we need to train our management teams to be able to trust our people, but also make sure that we understand how our people are operating and the things that are bothering them, so that we can work through that.
On the process side, we need to make sure that our processes are solid and not out of date. Typically, a company will build a process and never go back and review it until it's so broken that it has to be completely rebuilt. If we are verifying our processes on a continual basis (I verify all my processes on an annual basis), then we know the status of our processes and we can trust that those processes work.
Moving on to the technology side, we can have monitoring systems that will tell us: is the technology up and running? Are the reports we're getting from those systems consistent, trend-wise, across a twelve-month and eighteen-month period? Are the systems operating within the standard, not just from a security perspective but also from a technological perspective? For example, are you seeing CPU spikes at certain times of the day when there shouldn't be CPU spikes? Are people logging in to systems when they shouldn't be logging in?
So those three things are areas we can apply various trust mechanisms to, and be able to verify the trust that's in place, rather than walking in and assuming no trust exists. So my thing is: get away from Zero Trust and go to trust but verify, and I think we will be in a better place.
Thanks for your time, Mark. I very much appreciate it.
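The hardening Mark describes in his first answer (a server that times out half-open connections shrugs off a SYN flood, while one that leaves them open fills its backlog and becomes the victim), as an added simulation that is not part of the interview or of DataBank's tooling; the backlog capacity, timeout, attacker count and timings are constructed values.

```python
# Added illustration of the half-open-connection backlog discussed in the
# interview; not code from the interview or from DataBank. All numbers are constructed.
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class SynBacklog:
    """Tracks clients that were sent a SYN-ACK but never sent the final ACK."""
    capacity: int                       # half-open entries the listener will hold
    timeout: Optional[float]            # seconds before an unanswered SYN-ACK is dropped; None = never
    entries: Dict[str, float] = field(default_factory=dict)  # client -> time SYN-ACK was sent
    refused: int = 0                    # SYNs refused because the table was full

    def _expire(self, now: float) -> None:
        """The hardening step: forget half-open entries older than the timeout."""
        if self.timeout is None:
            return
        stale = [c for c, sent in self.entries.items() if now - sent >= self.timeout]
        for c in stale:
            del self.entries[c]

    def syn(self, client: str, now: float) -> bool:
        """Incoming SYN. Returns True if a SYN-ACK was sent (entry created or kept)."""
        self._expire(now)
        if client in self.entries:
            return True                 # retransmitted SYN, already tracked
        if len(self.entries) >= self.capacity:
            self.refused += 1
            return False
        self.entries[client] = now
        return True

    def ack(self, client: str, now: float) -> bool:
        """Final handshake ACK: the connection completes and leaves the backlog."""
        self._expire(now)
        return self.entries.pop(client, None) is not None


def flood_then_legit(timeout: Optional[float], capacity: int = 128,
                     attackers: int = 200, flood_seconds: float = 1.0) -> Tuple[bool, int]:
    """Spoofed SYNs that never ACK, then one real client 10 s later.
    Returns (was the real client's SYN accepted?, total SYNs refused)."""
    backlog = SynBacklog(capacity, timeout)
    for i in range(attackers):
        backlog.syn(f"spoofed-{i}", now=i * flood_seconds / attackers)
    accepted = backlog.syn("real-client", now=10.0)
    return accepted, backlog.refused
```

With `timeout=None` the 128 spoofed entries never leave, so the real client is refused long after the flood stopped; with a 5-second timeout the stale entries have expired by the time the real client arrives and it is served.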
Mark A. Houpt
Chief Information Security Officer
As Chief Information Security Officer of DataBank, Mark brings over 25 years of extensive information security and information technology experience in a wide range of industries and institutions.
Sowmiya is a Software Developer at Sennovate. She is passionate about writing technical articles and building applications from scratch. With a great zeal to learn, she conducts podcast interviews with industry leaders in the IT space.