We all know the word cybersecurity. While most people could define it, few implement it. In this session we chat about the basics of cybersecurity, how to implement it, and the cost of not doing so.
[00:00:00.290] - Narrator
This is CyberSound, your simplified and fundamentals-focused source for all things cybersecurity. With your hosts, Jason Pufahl and Steven Maresca.
[00:00:11.600] - Jason Pufahl
Welcome to CyberSound. I'm Jason Pufahl, the Vice President of Security Services for Vancord.
[00:00:16.800] - Steven Maresca
And I'm Steven Maresca, Senior Security Engineer for Vancord.
[00:00:20.640] - Jason Pufahl
This is our first episode. I'm looking forward to being here. I don't know about you, Steve.
[00:00:26.220] - Steven Maresca
We'll find out soon.
[00:00:28.200] - Jason Pufahl
So today, we're going to talk about security fundamentals. It seems like probably the best place to start a first podcast. Set the ground. Work a little bit for really what we believe to be those primary things you need to be doing for any just reasonably well-developed security program. We'll talk a little bit about what is cybersecurity and really spend some time on who needs it and why and what the benefits would be for your business.
[00:00:52.350] - Jason Pufahl
So I think with that, Steve, I don't know if you want to take a quick stab at what is cybersecurity.
[00:00:56.980] - Steven Maresca
So cybersecurity, our philosophy overall, is that it's a mentality around how to prepare for unexpected events and mitigate risk at the end of the day. And that's a challenge at many organizations. Most often, risk is unknown. So part of the exercise is determining what risk you have and trying to prioritize how you respond to it.
[00:01:25.660] - Jason Pufahl
So it's interesting. We get questions, I think, all the time from people saying we want to know that we do some of these activities that we have no risk of a cyber attack. And it is all about risk mitigation and risk reduction. I was thinking the other day I do a lot of cycling. And so I was on the road. And it occurred to me that you can always get hit by a car if you're biking. The reality is, though, you can take some basic steps to make sure that you can continue biking and reduce the risk of getting hit by a car.
[00:01:58.240] - Jason Pufahl
So I'll run a blinker in the back, typically right on back roads. Sure, I could still get hit, but the reality is those two simple things reduce the likelihood that something bad is going to happen. Cybersecurity is absolutely no different. You really want to take basic precautions. You don't want to overcomplicate this. You want to make sure that your business can run, but you want to view it as safely as you can.
[00:02:22.520] - Jason Pufahl
So with that, is there anybody that you feel need cybersecurity in particular or any businesses that have particular needs around cybersecurity?
[00:02:35.080] - Steven Maresca
So cybersecurity is a universal discipline at all entities, personal, individuals, and organizations alike need to pursue. And it doesn't need to be complicated necessarily. Sometimes it's as simple as making sure that your laptop at home is up to date.
[00:02:50.210] - Steven Maresca
But the truth is that attackers and criminals are not really likely to discriminate. They're out for a cheap buck. And at the end of the day, it could be a bigger organization that gets affected or your parents at home. So most of the techniques that we talk about, most of the approaches that are relevant, transcend all of those environments. Obviously, some of them need to be more complex and more comprehensive, but the truth is that everyone is impacted with security threats large and small. So it's something that everyone needs to think about.
[00:03:28.030] - Steven Maresca
And frankly, today, even as individuals at home, we are increasingly familiar with that type of a risk. I don't know anyone who has not at this time receive some sort of a credit monitoring alert. It's almost [inaudible 00:03:46] at this point. Everyone has experienced it. They almost disregard it at this point. But that underscores just how pervasive the issue is, how frequently people are affected, and the fact that it spans the spectrum from individual to organization.
[00:04:01.280] - Jason Pufahl
So what's interesting to me about what you said is that emphasis on return on investment for attackers. And I think too often the idea is our company isn't going to get attacked because we don't have data that's valuable. And the reality is, cybercrime is really a business, right? The intent now is, generally speaking, to get money.
[00:04:28.380] - Jason Pufahl
So I think it falls into two categories. The idea that you're going to hack for that quick buck that you described, the ransomware concepts, the PII and resale of that on the dark web. And then there are companies that have legitimate data that some of these state-sponsored actors really do want. It falls into two buckets.
[00:04:51.920] - Jason Pufahl
But I think what we see so often is smaller companies that really just don't have a robust security program in place offer a really ripe opportunity for attackers to do something like a ransomware, where they encrypt all of the data and then basically extort people for money, not necessarily really complicated to protect against, but are really common thing that we see.
[00:05:15.490] - Steven Maresca
Smaller organizations don't have the staff to begin with. They may not have a dedicated IT person or even company. So their risk is relatively high. They may have acquired their equipment five, six years ago, and it stayed that way for the entire duration. We combat regularly the notion that attackers are sophisticated. And part of that, I think, is television, Hollywood, media, in general.
[00:05:46.980] - Steven Maresca
The truth is that most events are achieved by far less sophisticated actors than we imagined. And we have a presentation that we share a slide, where a hacker is the stereotypical guy wearing a hoodie shrouded in darkness. And we follow that with a secondary slide, which talks about the fact that it's really just an office environment with cubicles. That's the reality.
[00:06:14.590] - Steven Maresca
And it's organized. It's profit-driven. And frankly, anyone in any entity that can be squeezed for a dollar, even if it's minimal, is really the target of these entities. It's worth keeping in mind. Social Security numbers, credit card numbers, we consider them valuable. We consider them intrinsically part of our personal identity, but the truth is, there are like four dollars to be purchased.
[00:06:42.130] - Jason Pufahl
They're not as valuable as you think, which is fascinating. And I think I really like the point that you're making, though, around this being an organized activity. And people really do need to think about this in terms of an office environment, where there is a manager. There are people who are executing these attacks. They're planned and orchestrated. They're not typically an opportunistic drive by type attack.
[00:07:09.010] - Steven Maresca
Recognizing that the attackers themselves are [inaudible 00:07:12], so also, do organizations need to devote some resources to preparation? And there are basic steps that can be applied to protecting environments, to protecting data, and protecting reputation.
[00:07:26.000] - Steven Maresca
At the end of the day, we really implore everyone with computer resources and data that they consider valuable to simply update their systems. Our largest incidents that we manage on a regular basis are frankly, driven by systems that haven't been updated in a long time. They are sitting ducks to be attacked. They're not sophisticated, brand new, espionage-driven attacks.
[00:07:55.640] - Steven Maresca
And if organizations patches their foremost goal, if that's all that they do, which is not very costly most of the time, because it's using free materials released by software manufacturers, those companies will be better positioned to defend against the tax.
[00:08:13.450] - Jason Pufahl
And that's why we're calling this fundamentals, because you can do frankly free activities to reduce your risk. Patching and vulnerability management generally don't cost an organization anything. There are capabilities that are built into almost every modern operating system or potentially every security platform that you purchased.
[00:08:34.880] - Jason Pufahl
And attackers really are, again, going back to ROI looking for the quickest way to compromise an organization and potentially extract dollars. And if they can do that by using a currently known an exploitable vulnerability that you could pass for free, they're going to do that. TV describes these guys as incredibly sophisticated and creative when in reality, it's the shortest path to compromise that they're looking for.
[00:09:02.510] - Steven Maresca
Right. And free in terms of patching is also a reasonable theme for defensive tools and defensive techniques as well. Antivirus is available for free. If it's not deployed because of expense, that is not a reasonable justification. The same thing is true for practices and procedures, overall.
[00:09:24.460] - Steven Maresca
Your users don't necessarily need to have very complex passwords. They just need to have good password practices. If everyone is vigilant and conscious of their activities and regularly use passwords that are not easily guessed, everyone's in better shape.
[00:09:44.440] - Jason Pufahl
So spend a second on that, though. So what is good password practices? So is it rotating your password every 15 days? Is it something that complex?
[00:09:54.420] - Steven Maresca
So that's a reasonable thing to start on. Historically, everyone is aware of the notion that changing your password frequently is a good idea. We disagree. That causes people to act in ways that make their passwords less secure. I'm confident that listeners or people that you know may have encountered someone who just text another number on their password. That doesn't make it more secure. It just makes it easier to remember.
[00:10:22.940] - Steven Maresca
The truth is that if you use phrases that are memorable to you, but that are comprised of words which have no relationship to one another, you will be far, far more secure than rotating your passwords on a regular basis, or, for that matter, making them complex with unnecessary punctuation that makes them hard to read or hard to type.
[00:10:46.630] - Steven Maresca
If it sounds comfort to the advice that you've heard for 20 years, but the truth is that that's the route to protecting yourself and your systems.
[00:10:57.060] - Jason Pufahl
Well, then, fundamentally good password practices are having a unique password for essentially every business that you have or every site that you have. So if you think about it, you may have a great password. And if you use that password for every entity that you do business with, all it takes is one of them to have a compromise of some sort. And now, essentially, that password has been exposed for all your other services.
[00:11:23.300] - Jason Pufahl
So you really do want a unique, not user name necessarily, but unique passwords, certainly for every site or a company that you visit.
[00:11:31.870] - Steven Maresca
Right. Staff at many organizations will use their organizational email to sign up for some website for some service. If they use the same password, it's exposed if that third party gets hacked. And it's not hypothetical. It happens constantly.
[00:11:43.960] - Jason Pufahl
Right. Because it's complicated to manage all that. And there's password managers out there and there's ways to do this better, probably touch on that in the future. But password management is critical. It's effectively the keys to your organization, keys to your business. You really need to be mindful about how you protect that.
[00:12:00.360] - Jason Pufahl
I think the other area that, in my opinion, people don't emphasize enough, and in a way, we already spent some time talking about two key technical controls, organizations, I think, need to train their employees about what the risks are better than they do. Because in reality, going back to that password and the idea of email phishing and some of the other ways that people get employees to default credentials, it's a lack of understanding.
[00:12:28.910] - Jason Pufahl
So they send really well-crafted emails now. Phishing isn't like it was 10 years ago where it was riddled with misspellings and grammatical errors. They're really well done. And you need to train your staff how to identify these things because frankly, they're the frontline in almost any security program.
[00:12:47.350] - Steven Maresca
And furthermore, it is certainly our perspective and that of any ethical security company like us that tools and defenses are likely to fail. Training employee vigilance awareness of how attacks are actually going to be perceived how phishing emails might look. That's the way that you detect those things when your protections fail, not if, but when.
[00:13:11.200] - Jason Pufahl
So it's interesting. We're trying to keep these to a reasonable length. So that they're consumable in a drive. So the reality is we could go on and on about all the things that would go into to a robust security program. The purpose of this episode really is around that idea of fundamentals and those things that you can do that really, in my opinion, that every organization has the ability to do regardless of budget and should be doing, because they really make a reduction to that threat profile, that risk profile that you might have.
[00:13:46.780] - Jason Pufahl
We focused a little bit on security awareness. We focused some on patching. We focused some on credential management. I think the last thing I want to touch on before we wrap up a little bit was making sure that you're backing your data up. Too often, we see organizations, where they do have data that's critical to their business, maybe it's not Department of Defense classified data, but it's critical for your business to run, you have to back that data up.
[00:14:16.390] - Jason Pufahl
Data is king. It is the lifeblood of your business. If you don't have backups that you have tested, and verified, and can truly rely on, I would make that a priority, personally.
[00:14:28.550] - Steven Maresca
Right. And certainly, get those basics achieved, tested, validated, and regularly applied, and then you can move on to the more advanced initiatives. Because, honestly, it may be attractive to throw money at the problem, but if you don't have the underlying foundation bill, you will still remain vulnerable and at risk.
[00:14:51.720] - Jason Pufahl
Right. So I think on that note, we touched on a few high-level things relative to that concept of security fundamentals or core security capabilities, clearly, there's a lot of things that you can do to build out a more robust security program. The intent here is to introduce those things that we think are elemental for any security program, regardless of the state.
[00:15:14.600] - Jason Pufahl
Candidly, though, there's always topics we could touch on. We could spend more time on password management. We, frankly, spend more time on building out vulnerability management and patch management.
[00:15:24.530] - Jason Pufahl
So if anybody's interested in more depth on some of these topics, feel free to reach out to us. We're putting together episodes that we think are interesting. But if you have opinions of topics that you really want to hear, let us know. And we'll spend some time exploring those more in depth.
[00:15:41.220] - Jason Pufahl
And with that, I think we're up against roughly our time limit here. So we'll wrap up for the day. Thank you everybody for listening, and hopefully you got some value out of this.
[00:15:52.710] - Narrator
Stay vigilant. Stay resilient. This has been CyberSound.