Day Two Cloud 177: IT Security Is Broken; Here’s Ideas On How To Fix It

Episode 177

Today on the Day Two Cloud podcast we’ve got a security humdinger! Guest Mick Douglas is here to talk about a couple of issues that plague IT security. First, companies are in business to do business, but security controls often get in the way. When push comes to shove, doing business always takes priority—and it should.

Second, IT vendors deliver insecure products to customers, and expect customers to bolt on security controls after the fact. He compares this to buying a car, but the buyer has to add their own brakes, seat belts, air bags, and other safety features. That’s how we’re doing IT now. He argues for a significant shift in how we do cybersecurity and how organizations and security professionals should think about cybersecurity, compliance, and more.

Mick is a Managing Partner at InfoSec Innovations. This episode is based on a Twitter thread Mick posted.

We discuss:

  • The friction between running a business and security constraints on business operations
  • Why many security people are actively harming their organizations
  • Rethinking security practices and security education
  • Shifting focus to what attackers do once they get a foothold
  • Defending against attackers and regulators
  • The impact of cyber-insurance
  • More

Sponsor: CDN77

Why should you care about CDN77? To retain those 17 out of 20 people who click away due to buffering. CDN77 is a global Content Delivery Network (CDN) optimized for video and backed by skilled 24-by-7 support. Go to cdn77.com/packetpushers to get your free, unlimited trial.

Show Links:

@bettersafetynet – Mick Douglas on Twitter

“cyber security isn’t important… and that’s OK.” – Mick’s Twitter thread

Why Data Breaches Don’t Hurt Stock Prices – Harvard Business Review

FTC Takes Action Against Drizly and its CEO James Cory Rellas for Security Failures that Exposed Data of 2.5 Million Consumers – Federal Trade Commission

Infosec Innovations Blog

Mick Douglas on LinkedIn

Transcript:

[00:00:01.130] – Ethan
Why should you care about CDN77? To retain those 17 out of 20 people who click away due to buffering. CDN77 is a global content delivery network optimized for video and backed by skilled 24/7 support. Visit cdn77.com/packetpushers to get your free unlimited trial.

[00:00:33.130] – Ethan
Welcome to Day Two Cloud. And today we got a security humdinger for you, Mick Douglas, managing partner at Infosec Innovations. Who says humdinger? I don’t even know why I said that, Ned, but it was quite a show, wasn’t it?

[00:00:46.240] – Ned
It really was. And we got into sort of, does cybersecurity matter? And why might it not matter as much as you think it does?

[00:00:55.650] – Ethan
So please enjoy this conversation with Mick Douglas, managing partner at Infosec Innovations. Mick Douglas, welcome to Day Two Cloud. And, man, I don’t think you’ve been on the show before. In fact, I know that you have not. So why don’t you introduce yourself to the audience?

[00:01:10.560] – Ethan
Who are you and what do you do?

[00:01:12.310] – Mick
Hey, everybody. My name is Mick Douglas. You can follow me on Twitter, at least for now (we’ll see how Twitter goes), at @bettersafetynet. And I run a consultancy firm called Infosec Innovations, and I’m an instructor for SANS, and I’m a member of the IANS Research faculty as well.

[00:01:31.470] – Ethan
Okay, so uber security nerd, to say the least, Mick. Now, we had you on the show because you had this provocative Twitter thread, and you argued in this Twitter thread that cybersecurity isn’t important. I think that’s exactly what you said right in the first tweet of that, which naturally grabbed a lot of people’s attention, because, of course, cybersecurity is important, Mick. That’s one way we could react to that. So on the surface, even I would say that saying cybersecurity isn’t important and then arguing for that is kind of an irresponsible thing. So maybe you’ve got to set us up for this thread, man. Explain it.

[00:02:04.760] – Ethan
What are you getting at?

[00:02:06.310] – Mick
Well, there’s a couple of things to unpack out of this. First of all, I think that from a business perspective, it really isn’t important. The business is concerned about making money, selling stuff. And cybersecurity, in many instances, is an active impediment to that. And if you are doing cybersecurity in that way, you need to get out of the business, hands down. There’s even a more subtle thing that I’m getting at, or attempting to get at, in that thread, and it’s kind of a theme that I’ve been nudging against what is, quote unquote, conventional cybersecurity. And I think that there needs to be actually a lot fewer cybersecurity professionals. And what we think of as cybersecurity should actually be just a functional requirement of IT. When you buy a car, it comes with all the safety features enabled, set up, ready to go. You don’t buy a car at a dealership and then have to go to your neighborhood mechanic to get brakes and airbags all installed. And that’s how we’re doing it right now. We’re delivering criminally insecure products, and people are deploying them, not knowing any better. They’re using these defaults, and they’re getting crushed by the adversaries.

[00:03:25.550] – Mick
And little wonder that the scoreboard shows what it does. So what we’re doing doesn’t work. If you don’t like the output, reduce the input. And therefore, I think we need to start radically shifting how we do cybersecurity and what we think of as cybersecurity. And this is a thread to get that conversation started.

[00:03:45.510] – Ethan
But you said cybersecurity professionals, we have too many of them, and yet that is one of the great shortages out there. It’s talked about a lot.

[00:03:56.570] – Mick
No, we have a shortage of competent professionals. We have too many people that are in the field that are effectively script kiddies. We make a great deal of joking and fun at, oh, look at this script kiddie attacking my network. And yet there are far too many script kiddie defenders. If you’re the type of person that scans a file with an antivirus product and you’re like, that’s cool, that’s an insurmountable barrier, congratulations, you’re a script kiddie because you don’t understand the attacks, nor do you understand how your antivirus product works. And I realize that this is very controversial. I realize that this hurts to hear. And frankly, I’m taking a deliberately provocative stance. I’m not 100% correct, I know that, and yet I think I’m more right than wrong when it comes to this.

[00:04:50.100] – Ned
You’re certainly going to raise some hackles when you tell a large swath of people that what they’re doing is, A, wrong, and, B, ineffective.

[00:04:57.310] – Mick
Well, I’m actually going to nudge it even further.

[00:05:02.290] – Ned
Okay?

[00:05:02.760] – Mick
Not only what they’re doing is ineffective, it’s actually harming their organization.

[00:05:08.490] – Ned
Well, expand on that. What do you mean that it’s actively harming the organization?

[00:05:11.910] – Mick
Well, so much of what we do as computer security actually amounts to IT ritual. Just to play cards all face up: last week I was teaching SANS 504, which is Hacker Techniques and Incident Response. A lot of people come into that class thinking, hey, we’re going to show you how to do Incident Response, and we actually do a little bit of a switcheroo on them, and we say, yes, we’ll show you Incident Response, but we’re going to show you actually what attackers do, how they think, how they approach your network. And there’s this one module in day two where we talk about attacks against Windows environments. And one of the things that’s a very sobering and eye-opening moment for students quite frequently is they’ll have been taught, there’s these guides out there, that if you change the local administrator account from administrator to something else, it makes it hard for the attackers. And I just show them, like, here’s a script on GitHub that’s actually accessing the user ID of the local administrator account. And so you could name it to whatever you want. The tool doesn’t even slow down. But congratulations, you now have this really convoluted naming convention of, is it machine name?

[00:06:33.310] – Mick
Local administrator? Is it like some crazy key colo? Do you have to do this lookup? And a lot, they’re not all as egregious as that, but a lot of the things that we do slow the machine down. Like, how many agents do you have installed on your corporate machine? We do things like DLP. DLP does help, but it is the thinnest of the thinnest of protections. And yet it’s also one of the most expensive security tools to deploy and maintain, let alone licensing. So there are things that we do. I’m not saying that we should pack it up, go home and sit in a corner and cry, but what I am saying is we do need to critically review what we’re doing, because a lot of it really isn’t moving the needle like we think it is. We’re working way too hard and spending too much effort, too much money. And when you look at the scoreboard on how things are going, it’s not getting better. It’s actually getting actively worse.

[00:07:41.010] – Ned
Right? And the argument is, like, if you’re on the blue team, the defender team, all you have to do is make one mistake. One mistake is all you have to do. And I’ve heard that argument before. I don’t necessarily know that holds water. I see you shaking your head.

[00:07:54.710] – Mick
So there’s a truth there. There’s a truth there. So I’ve done both offense and defense, and I’ve been doing offense for super large organizations to super small organizations. And yes, the attacker only needs to get in once. But it was egypt, a really renowned hacker, you should check him out if you’re not familiar with him, he said, yeah, that’s true. You get in once. But once the attacker is in your network, the equation flips, and you need to only detect them once to start pulling the thread and unraveling things. And so I feel a winning thought pattern that not enough organizations have is that we should prevent what we can and then detect everywhere and start focusing on what do attackers do once they get on a machine? That’s where things become much easier from a detection standpoint, because they’re going to be doing things like, hey, is AppLocker running on this machine? Like in a Windows environment. Nobody asks that. Ever. Ever. Like, there’s two people who ask that: an auditor, or like an insurance underwriter, or an attacker. Like, Bob in HR is never going to say, hey, y’all, is AppLocker running on here?

[00:09:17.270] – Mick
And so many times I’ve gone in where I’ve assisted on an incident response, and people are like, man, there is no way that we would detect the attack. I’m just looking at the default logs, and I’m just like, well, hey, did you see that this user, quote unquote user, made this query? And that query has never, ever been done in your organization. And I get that you don’t have the tooling to detect that as easily, but you could, and start looking for these artifacts instead of, like, antivirus lighting you up.

[00:09:58.910] – Ethan
Okay, but still, bending that to the argument of cybersecurity is not important. You’re making the larger point that we’re doing cybersecurity as a practice wrong. A lot of what we’re doing is somewhat pointless and gets in the way of the business making money. So are you saying we want to be secure, but we don’t want to be secure at the expense of the business being profitable?

[00:10:28.170] – Mick
Well, this is a tough question to answer. Actually, it’s a deceptively tough question. What you’re really asking is, how much do we invest in cybersecurity? And my belief is that you want good enough security that you have resilience against most attackers, and that you can quickly detect and respond to adversaries when they’re on your network. Now, where I think a lot of organizations kind of hop the rails is that they build a compliance-only cybersecurity framework. So PCI says that we need to do XYZ, NIST says we have to do XYZ. And just for instance, we’re a healthcare organization, and HIPAA says we need to do XYZ. They put all that stuff into a bag, shake it, and say, all right, here’s what cybersecurity looks like. And the problem, and this is something that many defenders haven’t really thought through, is that most adversaries worth their salt in a lab environment will replicate all the compliance requirements that you need to hit. And frequently. Like, for my own consultancy, what we do is we have a lab and we do 100% secure to whatever standard you’re going to be doing. I don’t know a single one that has 100% compliance with these frameworks.

[00:11:53.760] – Mick
So we are actually testing in an environment that’s harder than your environment. And so when we get to do the pen test, it’s like the shackles are released. Little wonder we’re running at a million miles an hour, because we’ve been training harder than the reality. And I want to be clear, I’m a small consultancy. We’ve been in business for five years. We got a small crew. If your adversaries aren’t doing that, I’d frankly be ashamed and disappointed in them.

[00:12:24.610] – Ethan
Well, and you haven’t mentioned social engineering either, which I think is where a lot of cyber criminals, it sounds so dramatic, but, get their foot in the door. They do some form of social engineering, get on the inside, and then a lot of your either regulatory compliant network and security controls and your compensating controls, because those are the things that make those auditors happy, those compensating controls, that’s how they get around them.

[00:12:52.010] – Mick
Well, I think social engineering or other methods are how attackers get in the initial way, because that’s one thing that I wish, surprise, surprise, Hollywood doesn’t get everything right about when it comes to hacking and cybersecurity. And usually attackers will get in with some sort of client-side attack. Like they’ll send a weaponized link or do a drive-by download style attack or malicious attachment. And that user, as part of their job, has to open those attachments. Since we’re going sacred cow tipping on this recording, one that really angers me is we always blame the user. Oh, this user opened up a weaponized PDF. Well, if it’s in scope in a pen test, one of my favorite things that’s like money in the bank in terms of an attack is I will make a malicious PDF. I will deliver it to the sales team and say, hey folks, we’re about to open up an RFP. Here’s the details on how you’re going to bid on that RFP process. If you’re interested, open up the PDF, read it, and you have until this day to ask any questions. I want to be clear about this. If that salesperson does not open that PDF, fire them, because that’s their job.

[00:14:19.400] – Mick
They open PDFs up like that all day. Same with HR people. I’ll send them weaponized Office documents like, hey, here’s this resume, or hey, here’s these new rules that are coming out on employee labor law and you need to know about this. They have to open up those PDFs and Word documents. I’ll send your accounting team Excel documents. So I’m getting in, right? And that’s one of the things that I feel like we’ve put way too much focus in prevent and not enough in detect. And we need to kind of also shift management’s expectations. The attackers will get in. And I’m not okay with that. I don’t want them in. But we need to start treating that as, hey, it’s just going to happen. They’re going to get in. Let’s start focusing on when they get in. Can we detect and collapse that dwell time?

[00:15:23.450] – Ethan
Okay, so the argument you’re really making then is we’re spending too much money on prevention, on building big thick brick walls that you can dig under or go around in some way and still get in the door. And where we need to focus our spending is on prevention, or not on prevention, but on detection. Now that if we assume they’re here and this isn’t a terribly new idea within cybersecurity, the whole presumption of breach that’s been talked about now for a few years, if you assume you’ve been breached, then how do you detect that and then how do you mitigate from there? But that’s a little harder to spend money on, Mick, because it’s really easy to sell a firewall. This is the thing that keeps all the bad guys out. Okay? That’s a thing. I can visualize it, I can buy it, spend money on, and it makes sense to me as a CIO, maybe.

[00:16:11.590] – Mick
Well, one of the things that I do, and this also is going to be very controversial, is when a client takes us on, if they’re willing to really start walking the life less ordinary when it comes to cybersecurity, we chat with the CISO, we chat with their CFO and their CTO and we say, look, you’re going to have to defend against what the attackers are actually doing, but you also have to defend against what the regulators and auditors are expecting of you. And that’s not always the same thing. And I have a very frank conversation with them of, is it okay if we start tracking your regulator as a threat on your risk register? And some of them are like, yeah, but can that be like an unofficial thing? Because the optics on that are going to be insane. And I’m like, all right, that’s fine, but as long as you’re understanding that’s the mental model that you need to have, because there are effective things that are in the regulatory frameworks, but not all of them. I mean, you could pare down, I would say you could probably cut most regulatory frameworks down to just a few actions in terms of collapsing patch time, micro-segmenting the network, and then having good user account hygiene.

[00:17:38.430] – Mick
And you are way ahead of the game. And that’s so much lighter than what a lot of the regulatory bodies are expecting of orgs.

[00:17:48.090] – Ned
Yeah, I’ve dealt with PCI DSS, and the checklist that was involved in things you had to do was ridiculously long, and to a certain degree, you give up and you’re like, okay, well, I’m going to write in this compensating control and that one: Billy or Sally is never going to do this thing. And if we do, it’ll be double-checked by somebody else. Sure. But yeah, actually complying with the regulations doesn’t mean you’re secure, it just means that you’ve checked all the boxes in a list. And I know for a fact when we were done implementing it, okay, this is fine, but it’s not secure. Like, we have to add these other things that are not even in the compliance checklist to make sure it’s actually going to secure us against attackers.

[00:18:33.990] – Mick
Yeah, absolutely. And I think that that’s where you can potentially have conversations with your pen testers and say, hey, how can we really kick the tires? And see, here’s what our security stance is right now. Do we tick all these boxes for hitting PCI compliance? Like, do the controls actually work? And then two, is there any way that we can repurpose some of these to provide meaningful defense against what the adversaries are really doing?

[00:19:08.110] – Ned
I think it’s a question of motive, right? What’s the reason behind deploying the security or ticking the boxes in the checklist? If you’re worried that you won’t get that certification so you can’t do business, then your motivation is to tick the boxes, not necessarily implement good cybersecurity. If I’m talking to my CFO, they care about ticking the boxes so they can continue to do business without getting penalized by whatever organization. So as a cybersecurity professional or just someone in IT, how do I change that conversation so that they might care about both, or does it even matter?

[00:19:45.770] – Mick
So that’s going to likely be a per-organization culture question: what do they care about? In my experience, they want to do what’s right as long as it’s not too burdensome. And so I think that for the last decade or so I’ve been trying to reframe the conversation of IT and cybersecurity can and should be about revenue protection. And if you start thinking about it in that way, there’s reasons to invest in it. If you see IT and cybersecurity as something we have to do in order to do business, you’re a cost center and you’re funded appropriately. But if you’re revenue protection, well, that’s a thing and orgs know how to accommodate for that. Let’s start doing things appropriately. And that also, you’ll start seeing orgs when they have these conversations, they’re doing security very differently. The difference between monitoring a web service or a web server, looking at those logs from a security standpoint and also looking at these logs to see, oh hey, not enough people are putting stuff into the shopping cart. Let’s make an alert for an attack versus like a SQL injection, and let’s do an alert to the marketing team because we’re not getting enough clients per hour or enough orders per hour.

[00:21:18.730] – Mick
Very thin difference. The alarm goes to just different teams. I’ve got a couple of my clients who actually have a SOAR, a security orchestration and automated response. So when the SIEM, the logging system, receives notice that not enough purchases were made, the security automation response notifies the marketing team and will place additional ad impression campaigns into the checkout box, and it’s just for the security team, or I’m sorry, the marketing team, to double-check like, yeah, do we want to spend this? Because they didn’t want it fully automated and they have like a human circuit breaker and then they can just press go. And that’s why, I mean, cybersecurity isn’t important. It shouldn’t be important, it shouldn’t be a separate discipline. It should be baked into everything and kind of just go away in a lot of ways.

[00:22:12.650] – Ethan
Let’s pause the podcast for a bit. Research suggests that 17 out of 20 people will click away due to buffering or stalling, and I am definitely one of those 17. There’s lots of stuff to watch out there and there’s no reason to wait around. If your company delivers online media, consider CDN77. They are a globally distributed content delivery network and they’re optimized for video on demand as well as live video. CDN77 is not some newcomer to the scene. They are used today by many popular sites and apps including Udemy, ESL Gaming, live sports and various social media platforms. And that makes sense to me. CDN77 has scale. They have a massive network with distribution points all over the globe and plenty of redundancy. While that means you shouldn’t have problems, what happens when you do need tech support? CDN77 offers 24/7 support staffed by a team of engineers. No chatbots, no tickets getting routed around queues while no one actually does anything. Just no-nonsense dedication to your issue, to get your online media back to 100%. To prove that CDN77 will work for your content delivery, visit cdn77.com/packetpushers.

[00:23:24.120] – Ethan
Visit cdn77.com/packetpushers to get a free trial with no duration or traffic limits. That’s cdn77.com/packetpushers. For a free trial, you can push hard for serious proof of concept testing. cdn77.com/packetpushers. And now back to this week’s episode.

[00:23:47.270] – Ethan
But there’s still an element from your Twitter thread. Okay, let me back up a second.

[00:23:52.270] – Mick
Sure.

[00:23:52.640] – Ethan
The working title of this podcast is Cybersecurity Isn’t Important. That is how you led, and you provocatively phrased the lead-in to that Twitter thread of yours. And we’ve been talking for the last 20 minutes about how important cybersecurity is, the opposite of that, mostly with an emphasis on rethinking how we think about it in the context of the business, I think. But there’s another element here of maybe we’re overdoing it, adding too much security, spending too much, and maybe if we get breached because we didn’t spend as much as we should have, cyber insurance, maybe that covers us, you know, that kind of thing. And that’s more of a businessy way to think about security. First of all, Mick, is that a fair assessment of some of the points you were making in the Twitter thread?

[00:24:39.590] – Mick
Yeah, absolutely. And I wish there were a visual way to convey this, but we’re in a podcast. What I will do with my clients is build up, hey, here’s the attacks you’re facing. And then in each column I’ll show, like, here’s your different defensive, preventative and detective controls that you have. Where are you spending too much time and effort, and start talking about which ones we can jettison. And then also, what are you missing and where can we add things as appropriate to address these particular issues that you’re worried about? I think that many orgs, especially in more heavily regulated industries, will default to, let’s spend more so that we are covered. And as a consultant and as somebody who used to work in the corporate environment, I saw that all the time when, hey, we’ve got these two vendors. Let’s go with this name brand, because name brand. And there were a lot of innovators that actually had superior product, better support, that would languish because they didn’t have that name recognition and they needed to be able to defend, hey, we went with name brand. So that’s tough. And then to your point about cyber insurance or just other insurance packages helping address things, I am hugely in favor of this.

[00:26:13.430] – Mick
The reason why just boils down to math. You could spend a million dollars to protect $10. It’s stupid, but you can do it.

[00:26:24.520] – Ethan
Yeah.

[00:26:25.000] – Mick
And so what you’re shooting for, or at least initially what I was shooting for early in my career was, is there a way that I can get spend to just match the risk of that thing being exposed and hit that inflection point. But that’s dumb because there’s no profit in that. So what you really want to do is shift your risk a little. I don’t know how you’re going to model this graph, but you’re going to shift your risk one way or the other. And what you’re trying to do is lower your costs and have insurance that covers the rest. And you’re hoping that you have a resilient enough security fabric that you will detect in your occurrences of having to pay. The deductibles are minimal but predictable.

[00:27:18.210] – Ethan
But you don’t just buy a cyber insurance plan and get that. There’s still expectations of the insurance company of what your security architecture is. So are we kind of overstating how we get to in the model you just described, get to a profitable place?

[00:27:35.490] – Mick
Well, again, this is, you’re defending against different entities. In this case, you have to defend against the underwriters of your policy. And they’re looking to see, is your program mature enough that you’re not going to be calling in every other day saying, hey, it happened again. So a big part of that is proving to them that you have the prevention and detection that we’ve been talking about. And I want to be clear, there are some more risk-averse insurance underwriters out there that ask for things that are frankly unreasonable and their policy coverage just isn’t where you need it to be. It would be another whole podcast episode for me ranting about how cyber insurance works. It’s not at all like what you’re used to if you think like auto insurance or homeowners insurance. The equivalent analogy, and even this is probably too broad, is if you buy a cyber insurance policy, and then if that were like buying a car insurance policy and you get in a car wreck and then you call them up and say, hey, I got in a wreck. They’d be like, oh, well, unfortunately, you’re only covered for wrecks by semis that are painted orange.

[00:29:02.810] – Mick
It’s very niche and the escape clauses are really rough. And also a lot of orgs are relying on the, you know, they get sold like, oh, you know, buy our policy and you’ll get these special, you know, response ninjas that will rappel down from a helicopter and help you in your moment of, your hour of need. Right? And that’s true except when it’s a broad occurring event. So with Log4j, there were some issues with Log4j and what happened is a lot of orgs were making these calls saying like, hey, we need help, we need this. SolarWinds, same thing. And they said, cool story. You’re number 478 in line because we’ve got all these other policies that we’re tending to, right?

[00:29:51.000] – Ned
And more and more that is the case that there’s these open source projects that are used by a massive number of people and if there is a bug found in one of those open source projects it’s going to impact the industry as a whole. It’s not going to be just you got breached, it’s oh no. Yeah, like you said, you’re number 4362 in the line of people that now need help. So I think that pushes the problem back a little bit to open source development and the problems with the fact that everybody’s using these but nobody’s necessarily maintaining them with the level of attention that they need.

[00:30:29.610] – Mick
I would shift the focus slightly. It’s not open source, it’s monoculture. Because whether it’s open source or not, it’s, can I make an exploit that has outsized impact. So that’s why we see people attacking Windows all the time. Windows is no more or less secure. In fact, it really pains this lifelong Linux admin to say it. Deep breath. Maybe I’ll get kicked out of USENIX for saying this, but Windows is actually more secure than almost every Linux that’s out there now. Like, when you install it default.

[00:31:08.530] – Ned
Oh man, that was the sound of 1000 people unsubscribing from our podcast.

[00:31:14.550] – Mick
The hate mail I’m going to get, the trolls I’m going to get, but it’s true, attackers go for Windows because why attack some edge thing? Now if I need to attack that thing for some victory condition, I would. But if I want biggest bang for my buck I’m going to hit everything, and that’s a bigger problem that we have. I think that the problem is we’ve got such monoculture in our ecosystems, and it’s actually worse in the cloud. One of the things that I’m saddened by is that a lot of people are like, oh my gosh, how did you do this attack against this infrastructure? Because I have yours in my lab. In my cloud environment, I have your container. How often do people actually custom build their own OSes? And I realize that that’s insane, right? You shouldn’t be doing that. But if you’re running stock Alpine, if you’re running CoreOS, I know what those defaults are. I know how to play around with that because I got it in my own lab. And so we need to start thinking about how do we leverage these realities? And I know this sounds really bizarre, but keeping with my theme, the attackers are going to get in when it comes to the cloud.

[00:32:44.950] – Mick
Here’s a pop quiz for you all. When was the last time you said, hey, what are my S3 buckets that are out there? You never do an AWS CLI aws s3 ls, you don’t, you just use that bucket because it’s there and you know it exists. So start thinking about what are these weird forms of enumeration and post-exploitation reconnaissance that attackers do, because they don’t know our environment, and get over the fact that these containers are read-only. The attackers are just using that as a jumping-off point.

[00:33:25.950] – Ethan
In your argument on Twitter, Mick, we keep going back to all the security things we should be doing, but there was still an element in your Twitter thread of, it’s okay to let some things go because at some point it’s just not worth spending the money on it. Where do you draw that line?

[00:33:42.710] – Mick
Well, that’s a tough thing. And that’s where I’m actually frankly glad that as a consultant, I don’t make that decision. That’s really going to be up to a couple of folks at an organization. That should be a choice between the Chief Risk Officer, the Chief Financial Officer, and probably the CISO. Again, as I said, you can spend a million dollars to protect ten. So figure out what is enough security, what is enough spend, and try to stick the landing there. And then when you get breached, you need to have your, here’s everything we’re doing, and be able to flip that storybook open and say, what more should we have done? And I want to be clear, part of the way of making that story a sellable story to regulators and others is that you see it as an ongoing journey. Hey, here’s where we’re at. And we’re spending this amount to make this next change in the next quarter, the next year. Security should be a journey, not a destination. And so I’ll own it. There is a certain amount of hand waving. I’m clearly passionate about cybersecurity. I’m still advocating that we do cybersecurity.

[00:35:01.640] – Mick
It’s just the way we’re doing it is unimportant and ineffective.

[00:35:07.730] – Ethan
Okay. But one of the things that’s kind of bugged me about this thread here is it feels like we’re talking about it in the business terms, money. We can build a spreadsheet, we can build a model, and we can determine what’s worth or not worth doing from a bottom line perspective. But there’s another argument to be made here that businesses have a moral, not necessarily a legal or profit driven obligation to be secure. So is there a point of discussion to have there around the morality of our absolutely.

[00:35:41.950] – Mick
So a couple of questions that immediately spring to mind is what is this organization doing? If they’re a water treatment plant, they absolutely have some moral obligations that go beyond just normal cybersecurity. Same in the health care sector. In the financial sector, they too, if they don’t take care, yes, they’re going to get fined. But also, like Grandma and Grandpa’s retirement plan just will evaporate potentially. But the flip is unlike, say, raw sewage getting dumped into a stream somewhere, we have insurance for businesses so that if Grandma and Grandpa’s insurance just evaporates, they should, in theory, be able to get some relief. And so I do think that there’s an ethical element and that’s really hard to quantify. But that’s why we’re seeing at the board level, there’s these equity and inclusion committees that are now being formed to try to track and quantify that. Because until fairly recently, most organizations, just by the demands of capitalism, especially like ones with publicly traded stock, the way the system works, they’re psychopathic. And that’s not good or bad, it’s just that’s how they are because they’re focused on the stock price. Devil may care for everything else.

[00:37:12.140] – Mick
And so there’s a societal recognition that they do need to start doing things like equity, inclusion. There’s things like environmental issues that need to be addressed. So I see that as hopefully another future evolution. Fingers crossed. I don’t know if that will happen anytime soon.

[00:37:33.890] – Ned
Right. And you’ve mentioned a few times how regulatory and compliance stuff could be another adversary. It’s not necessarily effective in improving cybersecurity, but at the same time you mentioned, like, security should be baked into things. Like when you buy your car, you expect the seatbelts to work and for the airbag to deploy. And the reason you can expect that is because there’s the National Highway Traffic Safety Administration who said, hey, car manufacturers, you actually have to start doing these things and we’re going to test you on it. So do you think another regulatory body would be the solution? Or is there, like, how do we actually get security baked in in the way that you’re thinking?

[00:38:13.790] – Mick
I don’t know. And this is a tough one where this is beyond me. The whole reason that the National Highway Traffic Safety Administration was formed was because activists were saying, hey, when you get into a low speed crash, you shouldn’t die. And bonkers as it sounds, there was a ton of pushback, and maybe we do need to get there. I don’t know. I know that the industry is terrified of that. The whole reason that we have PCI, flawed though it is, is because in the late 90s, early 2000s, it was bad. I mean, the amount of breaches that were happening. I worked at a company that was providing services to this sector. And the amount of breaches that happened, they weren’t big, big breaches, they were small breaches, but they were all over the place. And so there were some standards enacted which eventually got folded into PCI. And things are better. As flawed as PCI is, things are better. And that’s an industry response to avoid government regulation. Maybe that’s a path forward. I don’t know.

[00:39:35.110] – Ethan
So here’s a story that was published, a press release from the Federal Trade Commission in the United States that really relates to this. I can’t say that no one went to prison. There was no court case. It’s not that sort of a thing. But the FTC got ugly with the company Drizly, which is an Uber company. And James Cory Rellas. James was an officer in the Drizly organization, and the FTC alleges that Drizly and Rellas failed to implement basic security measures. And they said specifically some things: didn’t use two-factor authentication for GitHub. They didn’t limit employee access to personal data. They didn’t develop adequate written security policies. They didn’t train employees to use those procedures that apparently weren’t written. And more, they documented a bunch of things that were inferior about the security at Drizly that they feel should have been in place to prevent the breach and the exposure of public information. And the penalties that the FTC imposed were kind of laughable. None of them were financial. The FTC waved the flag and said, hey, there could be financial penalties under certain circumstances, up to 40 odd thousand dollars per incident, person impacted, et cetera.

[00:40:55.570] – Ethan
But there were none of those. The enforcement action was, okay, guys, you have to destroy unnecessary data and prove to us that you did it. You’ve got to limit future data collection, disclose what you’re collecting and why, implement an information security program, et cetera. And if James Cory Rellas goes to other companies, all of these specific enforcement actions that were applied there will follow him to whatever company he goes to. So he’s got kind of like almost a personal stigma. They’re really going after him specifically. I don’t know why. Maybe he was a bad guy on Twitter that no one liked, and so he was an easy target or something. I’m not sure. So this doesn’t feel like it’s got a lot of teeth, but it was public. It’s a thing that happened, and it’s pretty recent. So maybe that marks a change, a change in view from the government perspective that the industry needs to pay attention to.

[00:41:51.170] – Mick
Maybe. I would contend that it probably doesn’t, especially for larger organizations. I’ve been trying like hell to find organizations that have gone under due to regulatory fines or even just breach info, and I’ve found a handful of small orgs. But in every instance, these orgs appeared to have been teetering on the edge due to other issues, and this was just the thing that pushed them over the edge. But if you want a real sobering view on the economic realities of being breached and how, like, public regulation impacts it, in 2015, the Harvard Business Review did a study, and it’s, I forget the title. It’s something like, Why Breaches Don’t Impact Stock Price. So there’s a slight depression that takes place, and it lasts, well, yeah, two to three quarters, I believe. And then stock continues going up. I don’t know. It becomes very difficult to argue, hey, you’ve got to do this because we’re protecting your and the is like, yeah, cool story, bro. Thank you. We got this. And they will take the hit and then move on. And that’s what you’re up against, really, is, hey, if we get hit, we can still function as an org. So what we really need is to have a decent strategy to stop most attacks, and then for all the rest we’ll be like, look, we’re doing all this stuff, you got us.

[00:43:35.510] – Mick
And I think that gets to another act that I grind against on Twitter all the time, is we all hear about the APT. What does APT stand for? Advanced persistent threat. They’re not advanced, they’re just adequate. They’re doing enough in order to get into your environment, do their fraud, and get out. Why wouldn’t adversary do else? And so I don’t know. I will say, though, with this Drizly thing, it could potentially be interesting. There are some brands that this would worry, but for most, I don’t think it would.

[00:44:20.210] – Ned
Right. The worst thing that happens is that consumers hear about it as long as they’re not actually inconvenienced by it.

[00:44:28.550] – Mick
Yeah.

[00:44:29.510] – Ned
Then I look at exactly what you’re talking about. I look at companies that have had major breaches over the last five to ten years, right. And if you look at their stock prices, almost all of them actually have seen gains.

[00:44:41.350] – Mick
Correct.

[00:44:42.080] – Ned
What’s the financial incentive behind that to avoid a breach? As long as the consumer can still buy your widget at some point, then there is no incentive.

[00:44:53.220] – Mick
Yeah, well, I’m so jaded at this point that I can actually write the PR statement that Drizly is going to write if they haven’t done so already. And it’s, we really appreciate the guidance and expertise that the FTC has given us, and we look forward to collaborating with them on preventing this issue from continuing to manifest and solving any other potential future issues. Drizly takes security very seriously, and then they’ll talk about all the controls and how much money they spend, blah, blah, blah, blah, blah. And for anyone impacted, here’s your credit reporting for one year. That’s how it goes.

[00:45:35.660] – Ned
Here’s what you get, even though you can get your credit reports for free.

[00:45:39.950] – Mick
Well, it’s a credit lock monitoring type stuff. It’s like an enhanced thing, but it’s basically like if you and I were to buy this online, it would be like $40. But there’s actually bulk resellers of this now, and it’s something like fractions of a dollar.

[00:45:59.090] – Ned
I think Equifax was trading at maybe like $100 right before their big breach. And at their peak at the end of last year, they were trading at almost $300 a share.

[00:46:11.830] – Mick
Yeah, that’s discouraging, actually. Now that tells me that should be my strategy, buy the post-breach dip.

[00:46:20.630] – Ned
And then ride the wave, especially if it’s not ransomware. Like, ransomware is its own animal because it actually does inconvenience customers.

[00:46:29.370] – Mick
Yeah, that one’s different. That’s actually an operational attack that happens over cyberspace, not a cybersecurity one. I don’t know. We need to start treating that as a different thing.

[00:46:42.270] – Ned
Yeah, but if you just exfil data, it’s probably okay. But let’s try to end on a positive note. Okay, so I’m going to ask you, what can a security professional do if they’re in that position to implement less security but be more effective, and also maybe communicate their needs up to the CISO or whoever their manager is?

[00:47:09.690] – Mick
So a lot of it is how you communicate with senior leadership. And what senior leadership really cares about is, are we going to jail? That’s their first question. And then the next one is, are we going to get fined? And then what? Everything that you do is, hey, we’re not going to jail, and here’s why. And you tell them, here’s the things we’re doing. We’re not going to get fined, or we’re likely to not get fined as much, because here’s what we’re doing. Here’s the narrative. And that helps. The other thing that you can do as a cybersecurity professional is actually find those instances where cybersecurity actually helps the business. Every cybersecurity professional will say, hey, you’ve got to patch, patch, patchy, patch, patch, patch. How many pros out there are helping organizations build regression tests so that they can have a patch validation program that’s fully automated? And it doesn’t even have to cost a ton of money. Like, you can go out and get Apache JMeter and it will record any arbitrary transaction. You record that transaction, you can run it and rerun it, make sure that you’re good. It’s good for unit testing, it’s good for load testing.

[00:48:25.580] – Mick
But when patches come out, you can validate that those scripts still work, apply the patch, run those, and if the transaction still works, guess what? That patch didn’t impact that transaction. And so you can roll things out. That’s something where security should be actively helping along. And don’t just tell people to do things. Make it easier for them to do those things.

[00:48:52.410] – Ned
That is the key right there. Don’t just point the finger, because most security teams I ever dealt with were telling me, you go do this, you go implement this. But if they were there with me, if they were shifting left with me instead of just pushing the burden, that is huge.

[00:49:09.550] – Mick
Also, I’ve radically shifted on how I do things, and I’ll own it. Without this kind of caveat, I would be a hypocrite of the highest order. But I run that agent, I run that configuration on my own machine before I have somebody else do it. And so I can look them dead in the eye and say, hey, I didn’t even notice this thing, and you won’t either, and here’s why. And that brings, like, a moral authority there that’s lacking otherwise. The next thing I do is I work with the executives and get them doing that thing. And once I’ve proved that it works on us, it works on the executives. Anybody who wants exceptions now has an uphill battle. I’m more special than the executives. Are you, though? Are you really?

[00:50:04.190] – Ethan
Well, Mick, this has been a great discussion. I’ve enjoyed this very much. Now, if you’re out there listening, you heard us reference Mick’s Twitter thread. Mick mentioned Why Data Breaches Don’t Hurt Stock Prices, an article in the Harvard Business Review, and the article about the FTC taking action against Drizly. All that is linked in the show notes. You can find those at daytwocloud.io or packetpushers.net. Mick, if people want to follow you or interact

[00:50:26.560] – Ethan
with you, how can they do that on Twitter?

[00:50:29.410] – Mick
At bettersafetynet on Twitter, @bettersafetynet.

[00:50:33.870] – Ethan
Indeed. And thanks to you for listening. Thanks, Mick, for appearing. Virtual high fives. If you are out there having tuned in, you are awesome for making it all the way to the end. If you have suggestions for future shows, Ned and I want to hear them. You can hit us up on Twitter at Day Two Cloud Show or fill out the request form.

[00:50:51.380] – Ethan
daytwocloud.io. Just go to daytwocloud.io. It says the word request. Click it, there’s a little form and it’ll send us your thing.

[00:50:59.220] – Ethan
And then we’ll go research that topic and talk about it. And if you’d like to interact with our community, you do not have to scream into the technology void alone. The Packet Pushers podcast network, we have a free Slack group that is open to everyone. Whether you work in the industry, whether you’re just a practitioner, everybody can join this free Slack group, packetpushers.net/slack, and join. It is a marketing free zone for engineers to chat, compare notes, tell war stories, and solve problems together.

[00:51:26.170] – Ethan
Go ahead, packetpushers.net/slack. I’m in there. You can see me in there and chat with me and get into my DMs and all that weird stuff. Until then, just remember, cloud is what happens while IT is making other plans.
