Podcast Transcription


Dr. Christine Izuakor:

Welcome to the Veriato Insider, which is a podcast covering some of the latest trends and things to know in cybersecurity. This podcast is sponsored by Veriato, which is an award-winning employee monitoring and insider threat detection software provider. So to learn more about how Veriato can help protect your company, check out veriato.com. I'm Dr. Christine Izuakor, your host for today's segment. And today we're covering what we can learn from the most concerning breaches of 2021 thus far. It's been an eventful year. Any cybersecurity professional will tell you that one of the keys to remaining secure is by staying informed of what's happening around the world and using those, sometimes quite honestly, misfortunes that we see happening in different industries and countries as lessons that we can all use to further protect our own companies. And so observing some of these trends and the high profile impact of occurrences, paying attention to that is of course super important.

85% of breaches involved a human element.

And so that makes this conversation around the recent series of events critical. Now, recent attacks, like the ones that we've seen on the Colonial Pipeline, for example, the Florida water system, are super important to keep an eye on, right? Because they show just how vulnerable some of these technologies, and organizations, and cities, and regions and everything across the board can be. Now, before I get too far into things, I would like to welcome Zack Jones as our special guest for today's podcast. Zack has been in the cybersecurity industry for six years and has worked across various domains, including project management, business development, vulnerability management, and more. Zack holds a number of certifications, including his CISSP, ethical hacking cert, and Network+ certification. He also earned a bachelor's degree in applied physics from the University of Indiana. And, one of my favorites, he volunteers in ways that help teach children the basics of STEM.

So super important to support that next generation. Zack brings a ton of valuable insight and experience to this topic. And so very excited to have you, Zack. Thank you for joining and welcome.


Zack Jones:

Thank you. I'm excited to be here, Christine. And I've got to say it's a real pleasure to kind of talk early on in the year about what's happened already. It's been a crazy first what? Five, six months of the year from a cybersecurity perspective. And despite all of the news, I think there are a couple of these big breaches, these big threats that have really popped out, like you said, Colonial Pipeline, Oldsmar water, the Microsoft Exchange stuff that's coming out has also been huge. So I'm excited to chat about it a little bit and share my insights and the bit that I've spent kind of looking into these events.

Dr. Christine Izuakor:

Awesome. And before we jump into that, maybe just give us a little bit more about your background.

Zack Jones:

Yeah, absolutely. So I've spent most of my career in cybersecurity. I kind of got started in the IT audit side of things, small regional banks, stuff like that. But then I pivoted into the hardcore red teaming, trying to sneak into buildings, proper pen-testing. I've worked with clients from across the spectrum, including airports and foreign governments, to just mom and pop shops, 12-person audit and accounting firms. So through that opportunity, I've kind of honed in on the space where programs from a cybersecurity perspective are starting to mature. That's really the sweet spot I enjoy because that's where all the value can be created: once a company decides we want to invest, or we know we need to mature in this space, that's where all the value can really be created as that maturation process is going on, as the roadmap's been laid out. So that's where I really like to spend a lot of time personally and professionally, which is kind of helping guide that maturity process.

Dr. Christine Izuakor:

Awesome. Thank you for that. Now, once again, we are so pleased to have you be a part of this discussion on the most concerning breaches. To kick us off, again, a lot has happened this year. What are some of the most concerning breaches and threats that you've seen to date in your opinion? And why are they so significant?

Zack Jones:

Yeah, absolutely. So top three, Oldsmar water, that's the water treatment plant down in Florida, where there was a basically full compromise of the system that was able to actually change levels of chemicals going into water systems. Now it was caught very early on, so it never actually led to impact or threat to human safety. And in that industrial control system space with water treatment plants, there's lots of physical backups and processes that would likely catch this.
But the point is a cybersecurity intrusion led to a real-world change. And I think that's one of the most important things we need to start understanding: the simple cybersecurity gaps from some of the basics, whether it's MFA, remote access. I don't think anybody knows exactly what happened in the Oldsmar case yet, or at least completely. But what we do know is cybersecurity basics probably could've prevented this. But the real takeaway is that OT security, operational technology security, that's going to be one of the big headlines for the next few years to come, as companies in charge of these critical infrastructure sectors, or it's just simple things like HVAC systems and the Target breach years ago. OT security is really a spot that hasn't received a lot of attention or investment. I think we're going to keep hearing more and more about that.

Critical Infrastructure breaches remain a hot topic for 2021

And that's why the Oldsmar breach is really, it's important for us to understand that simple changes in the integrity of a system can lead to these cascading impacts. It's not a system going down, it's not the information being exfiltrated, it's a change of data where the system is still able to operate. Those are really hard to detect, and they're even scarier to think about what some of the impacts could be. But like I said, a lot of the OT industries that are responsible for protecting human life and safety, have physical backups. They've got resiliency built in. So it's not necessarily the end of the world, but it is bringing a lot more attention to OT security, which has traditionally kind of been a specialty branch of cybersecurity. But anyone running operational technology systems, industrial control systems, it's time this year, if not several years ago to start investing and learning in this space.

The other one that's on everybody's mind right now is the Colonial Pipeline. Now, this is a breach at a system that controls a lot of operational technology and industrial control systems, but the breach actually never really impacted those systems. It just impacted the IT side of the house. So if you think about it, there's the OT side of the house and the IT side of the house. And Colonial made the decision to shut down their networks so to speak, to prevent the ransomware infection from potentially impacting the OT systems, which are a lot harder to recover. So this is I think, going to be another trend we continue seeing in the next few years and definitely the rest of this year, is that ransomware getting into the IT side of the house in a lot of these systems, it's going to result in downtime on the OT systems, the actual flows, and processes, manufacturing, pipelines, whatever it is. Just because of the threat that the ransomware could spread to those systems, which are much, much harder to recover.

And then the final one is the Microsoft Exchange vulnerabilities that have come out. I mean, I think this is a pretty straightforward one where any massive global product like Microsoft Exchange servers, vulnerabilities are going to be found in them. But the rate at which they're being exploited is increasing significantly. I just heard a new phrase, which I love on the Security Now podcast with Steve Gibson, which is, NTTI, needs time to inventory. And yeah, it's the concept of how long does it take before a vulnerability is actually discovered on the open internet. You think of systems like Shodan, which are actively scanning and trying to inventory all of the vulnerable systems or at least open ports on the internet. Estimates are starting to become 15 minutes to 30 minutes before a public-facing vulnerability that's known to the public is actually identified and indexed on these public systems.

So I think that's the big takeaway from the Microsoft issues is your policy to patch all critical and high vulnerabilities within 30 days or even 24 hours, it's not going to cut it anymore. We're looking at 15 to 30-minute intervals before they're going to be identified and potentially exploited. So I think those are the three big ones that have kind of, again, it's shifting what it means to be cyber safe online, and just having any kind of external attack surface. Because these are new problems or rather these are problems we've struggled to solve when we had 30-day patch windows and now we have 30-minute windows. So it's going to change the equation a lot.

Dr. Christine Izuakor:

Yeah. Right. A lot of really good points. Everything from this shift that I'm quite honestly, not surprised to see, but I would say a little bit, I feel like it's refreshing to see the conversation shifting more from all of the hype that you see around data breaches and data leaks, which are still super important, right. We want to protect data, but to this bigger picture of there's more than data, right? There's this operational technology and these things that have the potential to impact a much more, I would say, sensitive things like life, right, than data. And so to your point, there are controls and things that these critical infrastructure places, especially, put in place, but definitely something that needs much more attention to date. So you've touched on some of this a bit, but just so that our listeners have some clear things to walk away with in terms of lessons, what major lessons do you think companies can draw from some of these attacks that have happened over the last few months?

Zack Jones:

Yeah. So especially on the OT security side, this is kind of my personal crusade I'm on, process versus the exception. It's a simple concept. But I think in most enterprises, especially large ones, the OT systems are always the weird stuff, that 5% we deal with at the end of a process. They're not really thought of at the beginning of projects or in the design phases of new tool implementations. Because it's the 5% that's really hard to handle. The unpatched system that's still Windows Server 2003, or maybe it's even older than that. They're the systems that you have kind of designed, and implemented, and amortized from a financial and operations perspective for a 20-year life cycle. And that's just not how most technology, most IT is designed. We're talking about five to seven years before the Windows operating system is out of date.

So I think that's where companies can just, all tooling, all cybersecurity challenges aside, just start looking at these OT systems as part of the process and design the process to handle, to manage, to provision, to segment, whatever the case is, as part of the process, rather than an exception. Because in a lot of cases, the exception is never actually dealt with. The number of breaches or cybersecurity incidents that can be traced back to IT risk acceptance is pretty alarming. And you can't blame anybody. There's still Windows Server 2003, 2008, which have been end of life for years, on nearly everyone's network. It's just a fact of life. And there are right ways to do that. It's not fundamentally wrong to have them on the network, but if they're not built into the processes, how to handle that, how to properly protect, mitigate, compensate before it, that's going to be a perpetual problem. And eventually, it's going to be the source of the breach. If it hasn't already been.

I think some of the other things that are kind of important to understand is maybe stop trying to run your own infrastructure if you don't have to. That's especially a call-out towards the Microsoft Exchange issues. In a lot of cases, if you're struggling to patch servers in a 30-day window or a 60-day window, maybe you do need to think about upgrading to a cloud service or a SaaS model like Office 365 for your email.

I'm not trying to sell Microsoft products by any means, but honestly, let's get one piece of your tech stack out of the door, try and stop worrying about patching Microsoft Exchange servers and having the Outlook Web Access ports open on your firewalls. Just get it all out of your environment and let somebody else handle it. And I think that's true of a lot of different systems that companies are kind of holding on to and saying, we feel like we need to have control over this and manage it ourselves. Honestly, it's almost never worth the headache at the end of the day. And I think that's a really easy way to remove a lot of the perpetual cybersecurity risk from your organization: pushing for cloud, push for SaaS. You're going to hear it over and over again, but there really are a lot of security benefits. Instead of spending money trying to get that patch window down to 30 minutes, just get it out of your environment altogether.

Dr. Christine Izuakor:

Yeah, really good points there, especially on, I think, integrating security into process versus living in that constant cycle of risk exceptions. Right. That's never a good look and can end badly in so many ways. As well as this idea of, and I'm a huge fan of cloud deployments and SaaS at this point. And so yeah, I think essentially outsourcing your maintenance and patching through these deployments can help reduce risk as well. So good points. Now I want to dig into the pipeline issue a bit more. So according to reports back in January, antivirus company Bitdefender said that it was quote-unquote, happy to announce a startling breakthrough, right? That they'd basically found a flaw in the ransomware that a group known as Darkside, right, was using to attack businesses across the US and Europe. And so companies facing demands from this group could basically download a free tool from this vendor to decrypt their data and avoid paying millions of dollars in ransoms to these hackers. Brilliant. Right. A great thing to do.

Now today, the creators of the ransomware, right, have leveraged reverse engineers and penetration testers to download that same decrypter, disassemble it, reverse engineer it and figure out exactly why this tool can decrypt their malicious ransomware. And so a day later, right, they basically deployed a patch to fix their own malicious ransomware in a way that's more effective against these attacks. And so we've talked about kind of patching already as it is. They have their own versions. It seemed to be very quick as well, but it's a prime illustration of the fact that cybersecurity is still very much a cat and mouse game. Right. And as an industry, what do you think we can do to shift that or continue to stay ahead of the curve? Because it just continues to be a problem.

Zack Jones:

Yeah, for sure. I think there's a handful of things we can do to stay ahead of the curve. But the number one is investing in people. Honestly, at the end of the day, technologies are going to change, philosophies are going to change, threat actions are going to change. But your pool of cybersecurity talent that exists at an industry level or at your company, that's what you've got. That's whom you have to defend the trenches, so to speak. So you either need to invest more into training those staff. And I've really got to say, you have to invest in creating more cybersecurity professionals in general. I think it's the responsibility of every company with a cybersecurity department and budget, to have at least part of that budget set aside to train IT professionals on cybersecurity. Or train people that have never been in the field before on cybersecurity. Because the skills gap is huge. It's growing. You're going to end up in a bidding war for another cybersecurity talent to come over.

So the best thing every single person that controls a cybersecurity budget can do is just earmark part of that to create new cybersecurity professionals. Whether that means hiring people straight out of college or with zero years of experience, or taking veteran IT professionals and teaching them the bit they need to know to learn how to apply their trade, their IT skills in the cybersecurity space. And I just, there are lots of really great programs I think in every major city. Europe is one of them here in Chicago, which I'm a huge supporter of. But also internship programs in general. It's critical for every company to be building more cybersecurity professionals because it's the only way we're going to outpace the cybersecurity criminals that are in their own right businesses that are patching their systems and trying to develop better software to get money from the rest of us. So it's an arms race. And the only way we're going to win is by creating more of us than there are of them.

Dr. Christine Izuakor:

I love that answer. I feel like you took the thought right out of my head. I feel like, you know this already, but again, creating cybersecurity professionals and developing people, and building a talent pipeline is probably one of my biggest passions and favorite topics. So that was not a setup. I'm pleasantly surprised to hear that level of response and passion, a topic that I could go on and on about. So again, [crosstalk 00:17:23].

Zack Jones:

Oh, no doubt. Yeah.

Dr. Christine Izuakor:

As we wrap up here, are there any final thoughts that you want to add?

Zack Jones:

I'm probably going to say the final thought is in OT cybersecurity, which is near and dear to my heart. I've worked at it for years. And I really feel that a lot of companies don't know where to start or feel like they're so far behind, there's no hope in sight. The reality is OT cyber threats are a lot less mature than enterprise-level threats. You don't have ransomware gangs that are targeting OT systems in the same way they're targeting just the average Windows 7 workstation. OT systems are, they're unique. They're special. They're normally deployed for decades at a time instead of years. There are no normal patch cycles. The joke in the industry is you don't have a Patch Tuesday as you do with Windows. You have patch September, which is one month out of the year you're going to patch something.

So understanding that OT cybersecurity is still in its nascency and really trying to get any type of a program started in that space, any type of a full-time equivalent dedicated to it, or even people part-time, and then taking the time to understand how the operation actually uses the technology to figure out if there are better ways to secure it. I just think that's so, so important. And from a maturity perspective, you might be able to skip some steps. You don't have to take your OT program, which might be 10 years behind where the rest of your cybersecurity program is, and slowly inch it forward. You can just skip the whole network architecture, segmentation step and go straight to a zero-trust network architecture approach.

You can jump over the last 10 years of cybersecurity products, development, processes, and just go to whatever's on the cutting edge now. Go to your cloud deployment. It might not make sense in every OT case, but there are some really interesting use cases where you can talk about what would it look like if we just rearchitected the entire system now from a cybersecurity perspective, and kind of skip some of the steps that would normally take thousands of dollars, many people, years to get done. And just skip to whatever is going to be next, zero-trust network architecture, AI, and machine learning technologies. There's always something new coming out.

Dr. Christine Izuakor:

Yep. I agree. Sounds like a much more efficient process. Well, hey, really good points. Thank you so much for contributing your perspective. That concludes the Veriato Insider podcast for this week. This podcast has been brought to you by Veriato, which is an award-winning cybersecurity company recognized by Gartner for its solutions anchored around four core areas of cybersecurity protection. These include employee monitoring and web filtering, insider threat protection, employee investigations, and ransomware support. So again, to learn more about how Veriato can help protect your company, check out veriato.com. Now, thanks again, Zack, for joining us. This has been amazing.

Zack Jones:

Oh, it's my pleasure. Thanks so much for having me.

Dr. Christine Izuakor:

Of course. And thanks to everyone for tuning in and listening. I'm Dr. Christine Izuakor, the CEO of Cyber Pop-up. And it has been our pleasure to share these insights with you. So until next time, stay safe and secure insiders.
