A thought-provoking podcast with one of the best cybersecurity experts, Dan Lohrmann. Here, Dan explains how data security rests on people, process and technology. These three are bound together: a data breach can be far more easily mitigated when an organization gets its people, process and technology right.
Hello everyone, I am Sowmiya Rajamanickam, and you are listening to Secure Insights, a series of conversations with industry experts, influencers and leaders in the IT security space. In this podcast I have with me Dan Lohrmann, Chief Strategist & Chief Security Officer at Security Mentor. He is an internationally recognized cybersecurity leader, technologist, keynote speaker and author. He has more than 30 years of experience in the IT security space and has also been named one of the World's Top IT Security Influencers.
Hi Dan! Welcome to this podcast; it's exciting to have you here.
1. If an enterprise has an open network, what and where is the possibility of getting attacked?
Obviously, there are many ways of attacking. You know, you could spend a whole conference on any one of these, but you think about malware, you think about ransomware, denial-of-service attacks, DNS poisoning; all of these are different ways you can be attacked by bad actors. And so, you know, that can come via email, that can come via a network that is wide open, that can come from literally poor system administration. You know, poor password management, maybe not using two-factor authentication, could allow unauthorized access. Or, you know, DNS poisoning, basically bringing down networks, or a DDoS, a denial-of-service attack, where you see flooding of the network with packets that could bring down a network.
I think one of the most sinister ways right now, though, is even quieter things. I mean, ransomware is huge, you know: the ability for somebody to click on a link or do something that somehow spreads ransomware, and that encrypts all of your data. In the United States especially right now, but all over the world, we're seeing that hit governments, really causing a lot of very, very serious disruptions to operations. But I think one of the most sinister ones is the quiet ones, where people gain access to your networks, maybe to your emails, and just sit quietly, watch, and kind of learn your processes and procedures, learn about what you're doing. The term we use in the U.S. is whaling; I don't know how familiar it is in other parts of the world, but whaling is really going after the big fish. So, the idea is that by being in your network, maybe being in your email, learning how you do things, they then do an attack whereby they can simulate some kind of process that you do, transfer funds, get people to take actions, and maybe people think that's coming from the chief information officer, the chief executive officer (CEO) or the CFO, the chief financial officer, and get people to take actions that could really cause a lot of damage. So, these are all ways, you know, that people could be attacking networks.
2. Enterprises are often targets for cyber-attacks. What is your advice on how to mitigate or minimize such attacks?
Yeah, great question. I mean, I think obviously the first part is you've got to have a good risk assessment, a good assessment of what your network is vulnerable to. I generally recommend an outside group do that risk assessment, a third party. You can have internal ones as well, but I mean, obviously there's a little bit of a bias when you have an internal risk assessment. But obviously you want to pick a trusted partner and have them run penetration tests, have them try and gain access to a network, see where the holes are and how they would attack it. Hopefully, you know, if it's a good team, they will come back and they will show you where those holes are, and they will walk you through that. It goes beyond running an assessment, and I know we're going to talk in the next couple of questions about some specific areas like unpatched systems, but I would just mention to you that the reality of attacks and defending against attacks really falls into three areas: it's people, it's process and it's technology. I mean, there's a lot of focus on the technology piece, but the people piece in many senses is huge. Some people think 80 to 90% of data breaches happen because of people issues. So, that means training your people, making sure that they understand what their responsibilities are, what the company policies are, and that they're following them.
And having a process: so many organizations start out well. They have a great secure system in place, but they can't keep it going over months and years. They don't constantly upgrade it, they don't constantly keep their patches up to date, and they don't keep the processes up to date, and bad actors gain access to their networks. You know, over time they learn. And then of course we're going to talk more about technology solutions as well, but I mean, I think a lot of people underestimate the people and the process; they just think if they get the right technology they're going to be fine, but it really is people, process and technology.
3. Unsecured technologies like unpatched security upgrades: how well are organizations equipped to handle this?
Yeah, that's a good question. I mean, clearly keeping up with patches is kind of an age-old problem we have. I'm a blogger and writer, and people can read my stuff in Government Technology magazine and in CSO (Chief Security Officer) magazine, and I've written about this many times. It's hard in a couple of minutes to talk specifically about all the ways to do this, but one of the first things is you've obviously got to know what your systems are. Obviously, Microsoft, for example, has had Patch Tuesday going on for literally almost 15 years or more. It started back in the early 2000s, but major systems are having regular patches and regularly being updated. So, it comes down to, whatever it may be, whether it's an Oracle database, whether it's a Microsoft operating system, whatever it is, having automated processes in place that are going to be able to automatically update key systems. And in some cases you aren't able to do that, so you need to be able to test those patches, make sure they're not going to bring down and crash your system, before they go live. So, having that repeatable process. And there are a number of companies that have different ways you can scan all of your systems. I'm not going to start naming vendors here, but there are a number of very good vendors that have the ability to look at your entire enterprise and see, you know, what the vulnerabilities are, what the levels of operating system are, what the levels of application software, database software and systems are that you should have, and then be able to automatically look at that, see what the difference is, and automatically apply those. If you try and do all this manually you're bound to fail, especially if you have a large enterprise. You have to be able to, you know, really have an automated system in place, and a system that allows you to really thoughtfully consider, you know, do you want to apply every patch automatically, do you want to test it first. I know there are different opinions on this.
I think by and large you've got mission-critical systems, and oftentimes, you know, most organizations have a process whereby they want to test it first, to make sure it's not going to bring down operational software, before they apply patches. But, you know, making sure that you don't fall behind, like, you know, literally days or months behind, because that's really what caused the Equifax breach, right? In that data breach they were more than two months behind on applying a critical patch. And really your systems, whatever company you choose, really need to have a multi-layered approach that looks at what the most critical patches would be, then the next most critical, all the way down to the kind of optional or nice-to-have patches. So, you know, it's important to really have an automated system in place with one of the reputable vendors that has a really good patch management system.
4. Data breaches can be avoided early. Given there are so many solution and service providers, is it the case that organizations are ignorant, or is it just a case of finding a good solution, or simply a budgetary issue?
Yeah, I mean, I think it really varies. That's a great question, you know: why so many data breaches, why are we still having them? I honestly think many people are, you know, behind where they need to be from a budget and a priority perspective, but more and more, I'd say as we head into 2020, the reality is a lot of people do have good budgets. You know, maybe five years ago or two years ago they didn't have the staff, they didn't have the resources, but a lot of times they do have the resources now. I think there are some that don't have the budgetary resources, and I think there are good solutions, but I would also say that the bad actors, you know, are ahead of the good guys. So, one of the things that I think is happening is really the complexity of systems, especially in large enterprises, makes it very difficult to keep up with, as I mentioned, the people, the process and the technology. A lot of times the technology works well, but bad actors are just going to go for the weakest link in the chain, if you will. They're going to go for the end user who clicks a link, and now all of a sudden you've got ransomware. Or it's, you know, literally bringing in an intern who's really not an intern but is really working for the bad guys. You know, there are lots of ways that, if you were on the dark side of the internet, criminals quite frankly gain access to networks, and they will try everything in the book. That's why, back to what I said earlier, you really need to have penetration tests that will allow you to look at all the different aspects of it. I do think there are really good solutions in place. I think there are great products in place, but again, it's not just the technology; it's the people, the process and the technology a lot of times.
I've been in large enterprises. For example, a quick story: I've worked with a number of enterprises, both in government and the private sector, where you go in and they're not even running the latest version of the software, or maybe they're two versions behind. Going back about a decade, there were a lot of systems in Michigan government, for example, where the latest version of Oracle was like 11i or 11g and a lot of systems were running version 9. They were way behind, they weren't keeping current, and they just had all these different reasons that they weren't doing what they needed to do. But it's real; like I said, it was the people and the training, it was the processes and the technology. Oracle was willing to give them the latest technology to stop these breaches, but they didn't have the people and processes in place to do that. I think a lot of them have a lot of legacy applications, old legacy applications that maybe can't run on the latest version of the operating system; those are some of the reasons. I don't think many organizations are ignorant of cybersecurity as much anymore, because, you know, it used to be that way; they just didn't believe it would happen to them. But certainly in the United States more and more organizations realize that this is a core part of what they do.
The boards, the chief executive officers, the advisors tell them that you've got to have a good cybersecurity team in place. But I'll say, on this point, there is still a big challenge in cyber talent. You know, keeping and maintaining cyber talent, and that's part of the people side of this. I have a really great team, and the team is doing fantastic things, and then half of them leave. And so, you know, filling those vacancies, filling those positions, or not having a cyber team that can continue, is a huge challenge. And the cyber talent issue in the United States is a big, big challenge, and millions globally, all over the world. I was just on a podcast yesterday with (ISC)² and BrightTALK, and they talk about, you know, half a million empty positions in the United States, but, you know, like three million around the globe, empty positions. So the bottom line is a lot of people out there can't find the right cyber talent to actually protect their networks.
5. What's your take on industries that require immediate cybersecurity attention?
Yeah, I mean, you know, I think the biggest industries right now, you know, I'd say all of them, but I mean clearly some are further behind than others. You know, I think if you look at the banks, they've been spending, certainly over the last decade, you know, fourteen, fifteen, sixty percent of their IT budgets on cybersecurity, and putting technology in place to protect and automate and innovate their networks. You know, finance has been kind of the leader; they're still trying to keep up, but clearly they're the leaders in the United States. Government, you know, especially local government and state government, has had a lot of ransomware attacks. There are a lot of small governments around the world that just don't have the budget, they don't have the resources, and they aren't putting enough emphasis on that. So I'd say certainly Michigan, and around the United States, state and local government, and probably other governments around the world. Another one is hospitals. I mean, the medical community, medical devices; you start thinking about all the different devices in hospitals, and a lot of them are vulnerable to attacks, and so I think that's another major area that needs more attention.
6. A quick question, Dan. Is the zero trust approach really achievable?
Is zero trust achievable? Wow, that's a loaded question, isn't it? You know, I think it's a goal. You know, is it 100% achievable? Probably not. Like many other goals, there are a number of challenges that you have. I think that the whole zero trust methodology and the thinking around that is correct and is heading in the right direction, but there is no 100% security. So, you know, there's nothing you can do that's going to be perfect. I mean, again, as I said, this is probably a theme in this podcast interview: people, process and technology. On the people part of it, at some point you've got to have trust in your people, right? And so, you know, you've got to trust, in a sense, that you're hiring them, you're training them, and then they are working. Now, there are things you can do, and you know there are protections and double protections and multiple layers of security you can put in place, so that the zero-trust approach is much more effective and can be an improvement over many enterprises today. I think many enterprises are going in that direction.
Will we ever be perfect? Will we ever have 100% security? The answer is no, because there are always going to be vulnerabilities in our people, our processes and our technology. So, you know, if people think back to before defense in depth and zero trust, you know, three years from now there'll be some other buzzword. I think they really address a reaction, and in some cases an overreaction, as the pendulum swings one way and then another: centralized, decentralized, you know, cloud, mobile or on-premise. You know, we go back and forth; I think there's more and more movement to the cloud right now. But, you know, the reality of it is that I think zero trust is a good approach. I think it's the right way to go, but will it ever be 100% achievable? I don't think so.
Okay, thank you so much for your time, Dan. I very much appreciate it.
Thank you, I really appreciate that, and everyone listening in, I really wish you all the best. I encourage you to connect with me on LinkedIn from all over the world, and then also visit me at govtech.com; my blog is called Lohrmann on Cybersecurity, and I'd love to have you interact with me on my website.
Chief Strategist & Chief Security Officer at Security Mentor, Inc.
Sowmiya is a Software Developer at Sennovate. She is passionate about writing technical articles and building applications from scratch. With a great zeal to learn, she conducts podcast interviews with industry leaders in the IT space.