Matt Fusaro 00:21
Jason Pufahl 00:24
Well, it’s Cybersecurity Awareness Month. The theme, the theme this year is See Yourself in Cyber. Four things we can do; enable multi-factor authentication, use strong passwords, recognize and report phishing, and update your software. Could it be more boring? Truly, could it be more boring? I see myself in cyber being bored this year. This is horrifying that we’re still talking about all of these, in my opinion.
Matt Fusaro 00:59
I also am not sure I understand the title or the theme, yet.
Jason Pufahl 01:03
I don’t know. I mean, they’re just a bunch of technologies they threw out there. They’re important. I don’t want to, I don’t want to diminish their importance, but we’ve been talking about them for, I don’t know ever, forever?
Steven Maresca 01:17
And yet, they are evergreen. So perhaps that’s why they’re coming back out, I don’t know.
Jason Pufahl 01:24
So multi-factor, I get that people are sort of now adopting it after a bunch of discussions. So maybe that one, strong passwords, for crying out loud.
Steven Maresca 01:35
Here’s my take on this, and my understanding of what CISA put out is that this is trying to focus on the linkage between home and work or personal activities. I think, you know, generally speaking, it’s better on the job, right?
Jason Pufahl 01:53
Because businesses are forcing people to do it?
Steven Maresca 01:55
Yeah, that’s all. That’s real simple. And people are lax at home.
Jason Pufahl 02:00
And mainframes are going away, to your point a minute ago, when we were chatting about seven character passwords.
Steven Maresca 02:03
Any day now.
Jason Pufahl 02:06
Any day now, recognize and report phishing. I can’t stand it. I can’t stand showing people images of a common phishing message anymore where it says, “Dear sir” and there’s a misspelling, and there’s a sense of urgency. Haven’t we learned? I mean really, I guess people haven’t learned, but here we are talking about it year in and year out to the point where we have to make a whole month about it.
Matt Fusaro 02:38
I think it’s funny that, you know, all these training companies come out, and all this material is out there and they all say the exact same thing. Nobody’s doing anything different.
Jason Pufahl 02:46
Steven Maresca 02:48
The most refined ones, you know, use live actors, they’re trying to make it comedic and it’s forced. Yeah, maybe you capture some people who are less likely to read the content or something like that. But, there’s only so far you can go.
Jason Pufahl 03:03
And people fall for it, I mean we do the phishing testing, and the numbers are sort of always the same. And I get that it’s getting a little more, sophisticated is not the right word, I think well written, you know, maybe well-crafted some of these emails. But trust your gut, be careful. I mean how many times can you say it? We stop a lot, enough gets through to be a problem. So we have to keep talking about it.
Matt Fusaro 03:30
Jason, you seem really depressed about it.
Jason Pufahl 03:32
I am, I am.
Matt Fusaro 03:33
I know, it’s starting to get cooler out, winter’s coming.
Jason Pufahl 03:36
It’s rainy today. So the reason, it’s the reason because I actually honestly kind of look forward to cybersecurity month each year. And I feel like it’s an opportunity to actually have the conversation around salient security topics. And so when I did see See Yourself in Cyber come up, and I saw what the kind of highlights were, I really, I really was bummed out by the fact that we’re still talking about these things.
Steven Maresca 04:06
But you know, it’s kind of like Valentine’s Day being the only one day, you know, a year that you’re supposed to show your iterations for someone.
Jason Pufahl 04:12
So lucky, that I could, I’ve been committed to ignore Valentine’s Day, forever.
Steven Maresca 04:17
Well, your wife is special.
Jason Pufahl 04:18
We’re lucky in that way.
Steven Maresca 04:19
Yes. But you understand the point, right? It’s not just once a year in one month. It just, it’s somewhat silly from that standpoint. I want to turn it on its head. I suspect that all of this with the repetition, frankly, the painful droning on about subjects that don’t really shift dramatically, is attached to the idea that security needs to be 100% accurate and successful at every juncture or it’s a failure, which is, it’s not stated explicitly in everything that’s, you know, behind security awareness, right. But, that notion is an underlying sort of thought process, doesn’t teach people to say, hey, you know, it’s okay if you fail. Everybody does it. It’s okay if you made a mistake, just learn from it, or, you know, understand what the normal rates of failure are and aim for that. Because, frankly, that is success.
Jason Pufahl 05:19
So, that’s interesting. So you’re saying, let’s put a positive spin on it. It’s okay if your organization fails some percentage of legitimate phishing,
Steven Maresca 05:30
There’s loss of budgets every year, there’s an expectation that your equipment is going to fail, and you need to replace it. That’s how everything else works.
Jason Pufahl 05:41
It’s true, but a single failure of an employee responding to a phish could result in a significant compromise, right, and that is one of the challenges on this. So, I appreciate the positive spin, failing by responding to a phishing message is a little different than a server failing, and having then to restore from backup.
Steven Maresca 06:01
But that hypothetical can apply in lots of different ways if you’re creative about it, I think, you know, reframing it is more helpful than repeating it constantly. Because there’s a potential of treating, teaching people that, hey, you know, even the really adept security practitioners will trip up occasionally, these things are getting good. That doesn’t mean the same message repeated over and over again, is going to make the layperson more effective, right.
Matt Fusaro 06:32
You make a good point in some areas there, I’m not sure I’m 100% on board yet, but you do make a good point. And that, you know, we spend a lot of time, like you said, trying to get to 100%. But we aren’t spending enough time, kind of just accepting what data is telling us that people are going to fall for phishing, period, like, either our education has to get a lot better, or we need to have processes in place that just assume people are gonna fall for phishing.
Jason Pufahl 06:59
Yep. It’s like driving on the road, right, somebody might bump you, you can be the best driver in the world, doesn’t mean you’re immune to an accident.
Steven Maresca 07:07
Retail businesses build in an assumed rate of theft. I mean, maybe it’s more appropriate to shift the conversation in that direction. That’s where I’m coming from.
Jason Pufahl 07:19
Alright, so I’ll buy that for a second then. So let’s shift down to updating your software. Is there any, so I’ve got a look at you, can you craft legitimate reason why there is a company that doesn’t, and don’t use,
Steven Maresca 07:37
Am I the optimism whisperer here?
Jason Pufahl 07:38
Well, you are, right now you are, right. OK, I get that there could be an old system that runs some arcane piece of hardware, I get that, right. But, I’m talking about just modern OSes, modern software that you’ve written, or that you’ve purchased, that isn’t patched, like how often have we been on the other side of an incident where you’re like, patches were out that would have protected you and you elected not to install them for six months. How are we still talking about this?
Steven Maresca 07:39
I’m going to reframe it entirely, and not make it optimistic, no, I’m going to say stop the wishful thinking. Just because your hands on keyboard occasional attempts to patch things or you know, how you live your life in terms of protecting your laptop or your servers if you’re in that particular area of the field. It’s not enough. I mean, we know that the systems that we see are going to be unpatched, it’s a constant, it never ends.
Jason Pufahl 08:33
And I’d say it’s not a security task, sure, it has security implications. But that’s just operational. That’s, I have an IT department, we need to maintain things. It’s putting oil in your car, that’s it. I don’t know, it’s on the list, it’s on the list, I can’t believe it. But actually, that’s not true, I can believe it because we’re faced with it. But I did, I did find this year’s list pretty disheartening.
Matt Fusaro 09:03
It’s a rebuilding year. You know, it’s like the Red Sox this year, it’s a rebuilding year, they leave a million people on base.
Jason Pufahl 09:11
Yeah, I don’t think there’s going to be rebuilding this year. Honestly, the only one that I looked at and said alright, MFA feels like it should be there, we’ve been talking about it for a while, people have treated it like a more challenging issue than probably it is, in a lot of ways. It’s not as technically difficult, maybe, as it was, but we’re seeing the movement there. I feel positive about the direction we’re headed with MFA. But the other three I struggled with, as might be becoming clear through the podcast tone today.
Matt Fusaro 09:41
Yeah, especially the update. Updating is getting a lot easier now, you know, things like hot patching are becoming more popular. That’s one of the biggest reasons why people didn’t update software. They didn’t want to reboot or they just never restart their computers, like my wife.
Steven Maresca 09:57
I can imagine it’s connected to just habit at this point in many respects. Hey, you know, that annoys me I’m gonna tell it to go away, because it popped up and I don’t like that,
Jason Pufahl 10:06
Or you know, I remember in 2007 when I installed a patch and it crashed my server, therefore that must still happen, right. We get that. So, somebody did have a slightly different take on the idea, See Yourself in Cyber, which was talking a little bit about, sort of careers in cyber, and we actually had a podcast a little bit where we talked about some of the things that people can do in this space, in this career field. Certainly, you know, the focus of that was trying to get more women into the cybersecurity space, more people of color in the cybersecurity space. I think that’s, that’s a really good message. And for that takeaway, right, it is a really interesting field, minus maybe the four things that they’re highlighting here, and there’s a lot of opportunity, I think, for new people to come into the field and really find a place for themselves that’s intellectually challenging, that isn’t well defined.
Steven Maresca 11:09
So, you know, I think it’s important to sort of recognize that some people don’t join, because of the way that they perceive people to be cynical in our field, I mean, we’re kind of demonstrating that in a reasonable way, in a reasonable way. But those that are practitioners, I do think, need to remember that it’s a rare person who completely learned on their own. It’s probable that they had mentors, it’s probable they sought out other venues for helping themselves learn. And if we have to interpret it in that context, which is reasonable here, then, you know, reach out to somebody, teach them something without, you know, making them feel like they’re silly, for asking you a question. That’s probably a good message to share with the people who are more in the field who look outward toward those who aren’t.
Jason Pufahl 12:00
Yeah, I mean, it is, it can be easy to be jaded sometimes when you look at some of these things, right. But we deal with a lot of interesting things. I think part of the reason that I felt discouraged is, these are pretty easily addressable. And I want to help people in companies that have been victims of really intentional, targeted, challenging incidents, not the sort of drive-by, hey, we exploited a known vulnerability and as a result, now you’re spending a lot of money to remediate something that you could have dealt with easier, like you get, you do get a little bit tired of that, because these are, these are fixable things, easily fixable things. So I don’t really know, you know, normally I know how to end these. And I’m not really sure. I’m not really sure today, because I feel like if you’re not keeping your software up to date, if you don’t have a program in place to sort of educate your workforce around the dangers of phishing, if you’re not using strong passwords, I don’t even know what to say, and then, you know, if you’re not thinking about MFA, you definitely should be doing all those things. You know, we’re happy, we are happy to help actually implement them, if people are interested in that. But, you know, there’s a lot of work to be done in the security space. This is the low, low hanging fruit for sure. So, yeah, on that positive message, I don’t know if either of you have anything you want to add at the end.
Matt Fusaro 13:28
I think, you know, as boring as this may be, sometimes fundamentals are good, right? It’s almost like a little, back to the baseball reference, a little bit of spring training for everyone. Maybe, maybe a fall training, if you will.
Jason Pufahl 13:41
So maybe people should go back and listen to our fundamentals podcast, because maybe that’s it too, right. We’ve talked about this now, twice, over the last year, we’ve had our first one and like our 40th was a fundamentals one. And here we are at Cybersecurity Awareness Month talking about similar things.
Steven Maresca 13:58
And if anybody else seems to think that these are, you know, normal, typical, well-worn topics, that’s great, but self-assess to see if you’re actually meeting all those requirements. And if you’re not, maybe there’s some work to do.
Jason Pufahl 14:11
Right, and so there are posters, and training materials and a whole variety of things on the Cybersecurity Awareness Month website, that’s CISA.gov. You can pull all that stuff down, I think, Stay Safe Online, I think the stuff is linked there as well. Use that, use those things internally, post those posters on bulletin boards and send them out to folks. You know, get the message out for sure if you’re struggling with any of those. So as always, we’re happy to chat more about this. We appreciate everybody listening and we sincerely hope that you got some value out of today’s podcast. Thanks for listening.
We’d love to hear your feedback. Feel free to get in touch at Vancord on LinkedIn or on Twitter at Vancordsecurity. And remember, stay vigilant, stay resilient. This has been CyberSound.