
July 10, 2023 41 mins

In episode four of the Logically Speaking podcast, our host Steve sits down with Chris Novak, Managing Director of Cybersecurity Consulting at Verizon Business. The two delve into the most significant cybersecurity threats facing organizations today and share a glimpse into the future. Listen as Chris offers his predictions for the evolution of the cyber landscape over the next five years and hear an in-depth discussion on the proliferation of ransomware and its impact on businesses. At the conclusion of the conversation, Chris highlights the top three actions organizations must take to prevent a cyber incident.

Episode highlights:

  • Insights into the most significant cybersecurity threats
  • Future predictions for the evolving cyber landscape
  • The impact and proliferation of ransomware
  • The top three actions to prevent a cyber incident

Watch this episode on YouTube, with additional insights from our guests!

https://youtube.com/@logicallymssp


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
Welcome to Logically Speaking, where we discuss the latest trends and challenges of cybersecurity.

(00:12):
We speak with top experts in our field.
We're here to help you learn how to keep your data safe, your operation sound, and your
business ready for whatever comes next.
This is Logically Speaking.
Today we have a really special guest, an old friend and co-worker of mine, Chris Novak,
who's the managing director of Verizon Cybersecurity Consulting.

(00:33):
He's had over 20 years of cybersecurity industry experience, ranging from field work
to working with Fortune 100 C-suite and board advisory roles.
In 2022, he was appointed to President Biden's cybersecurity review board.
He was named a top security leader by Security Magazine.

(00:54):
He has been a contributing author to the Verizon Data Breach Investigations Report since 2008,
as well as featured in TV, radio, and print; still waiting for him to get on Joe Rogan's
podcast.
But he's also a member of Forbes Technology Council, where he frequently writes on the

(01:14):
topic of cybersecurity.
Chris holds a Bachelor of Science degree in computer engineering from Rensselaer Polytechnic,
which I didn't get accepted to Chris.
I applied, but I didn't get accepted to.
I had to settle for NYU computer science.
He's got a CISO certificate from Carnegie Mellon, and he actively maintains a CISSP,

(01:35):
CISA, PCI QSA, PFI, and a litany of other certifications.
Chris, thank you for joining us today.
You can probably, you know, I'm sure that you have your choice of podcasts, and so I'm
glad that you chose us.
Absolutely.
Thanks for joining us today.
Yeah, my pleasure.
Happy to be here.
So I know that we have just a short amount of time.

(01:56):
I wanted to talk a little bit about, maybe you could share, start with your experience
outside of what I discussed, and maybe we can start there.
And then I've got some questions specifically about our listeners are in that mid-market
space.
And so open to hearing about your experience, and then we can talk a little bit about that.

(02:17):
Sure.
Yeah.
So I mean, you know, you got the background just right there.
I've been in cybersecurity now for well over 20 years.
It's been a passion of mine since the very beginning.
And actually, I've always found it interesting when I talk about kind of how I got into the
field because, you know, I think people hate it and love it at the same time because I
say it's kind of an accident.
And that's because when you go back that far, cybersecurity wasn't a thing.

(02:39):
There were no degrees or anything like that you can get in cyber, you know.
To your earlier point, it was basically computer science or computer engineering or some kind
of derivative of one of those two.
But you couldn't get a degree in it and most people, if you asked, would have thought it
was something from like science fiction movies at the time.
So it was kind of an interesting wild ride.
And obviously it's been fun to watch the industry kind of grow, develop and, you know, innovate

(03:02):
over that time period.
Yeah.
No, it's funny you mentioned that because I got my start deploying Raptor firewalls
back in late.
And those at the time were the DOD standard.
They were viewed as the unhackable firewall and firewalls were all the rage back then.
And then this cool thing called intrusion detection.

(03:23):
Yes.
We were like, what?
You know, so it's so funny to kind of be in the industry as long as we have and to be
able to, I like you stumbled upon it.
I had a CEO of one of the largest bars in New York City who said, I don't know anything
about cybersecurity, or what we called InfoSec back then.

(03:44):
That's right.
Yeah.
In fact, if you called it cybersecurity, people would kind of smirk at you like, all right,
what are you trying to make this into being?
It was always InfoSec.
And she had the forethought to say, well, I don't know much about this InfoSec, but
if you can make a couple of bucks out of it, go ahead, build a pack.
Yeah, neat.
So I appreciate your time.

(04:04):
Look, I want to know a little bit about what your team is doing today and maybe like the
biggest cybersecurity threat that you see out today in this mid-market space that our
listeners are in.
Sure.
You know, I'd say, you know, when you look at it from a pure threat landscape standpoint,
there's a number of things that hit the mid-market.

(04:26):
And honestly, I would tend to argue that the mid-market's going to see a lot of the same
things that the rest of the world and the rest of the markets are seeing.
Probably areas where maybe they're a little bit unfairly hit is in a lot of things like
ransomware and more of the, I would say, kind of automated attacks.
Because generally speaking, we find that they're more challenged as it relates to getting budget

(04:46):
and resources, right?
Two of the things you need most.
And in a world where we both know cybersecurity is a hot market, so maybe you can get budget,
but finding resources is extraordinarily hard.
Keeping those resources can be just as hard if not harder.
So usually what we find is kind of striking that balance of getting what they need to

(05:08):
deploy adequate protection against some of these attacks, which, you know, when you think
about it, it's kind of like a regular kind of kinetic war in a way that, you know, can
you lob an attack that is very inexpensive for you to lob, and very expensive for the
other side to defend or vice versa, right?
That can really impact the economics of war, if you will.

(05:29):
And, you know, I think cyber, we see a lot of the same thing and the mid market typically
is challenged in a lot of those regards.
So you brought up an interesting, and you put it in kind of warlike terms, right?
So what is someone like the attack vectors that you're seeing that are most successful?

(05:50):
I mean, we hear about ransomware, we hear about phishing all the time.
Is there anything out there that you can kind of look out on the horizon that could be as
like, you know, if you had your crystal ball, what you're starting to see, trends, you know?
I'd say probably the biggest thing if I were to kind of look out there on the horizon, and
we're already kind of starting to see this develop a little bit, but I think we're going

(06:12):
to see more of it.
And that is the use of AI, and I know it's become very buzzwordy.
But the fact of the matter is, you know, you were mentioning earlier when we were talking
about RSA and, you know, all the different things kind of being shared on the show floor
and all the different technologies that vendors are using.
But at the same time, we also see that the threat actors are exploring how they can take

(06:33):
advantage of it, right?
And, you know, a lot of times people will say, oh, some key identifiers of, you know,
phishing or social engineering attacks are, you know, misspelled words, grammar, you know,
something sounds too formal, too casual.
The ability for you to go to one of these platforms and say, write a message that looks
like this using this style of language, it can do it fairly easily.

(06:56):
And I think as we see that evolve over time, there's an opportunity, unfortunately,
for the threat actors to leverage that to automate and expedite the crafting of that.
You know, for example, a lot of the things that we look at on the defensive side or the
detection side is patterns, you know, where we see things that a threat actor is doing

(07:17):
common from attack one to two to three to four, it makes it easier to block the subsequent
attacks because they're just repeating it.
If they're able to leverage something like generative AI to be able to create more nuanced
and scalable versions of that, all of a sudden, maybe many of these attacks don't look as
common as they used to, which makes it harder and harder for the defense to be able to detect.

(07:40):
And so I'd say if I was looking out on the horizon, I don't think that's mainstream by
any means yet, but I think we'll get to a point where it will become more mainstream,
unfortunately.
Yeah, I was listening to the testimony of the CEO, I believe it was of OpenAI.
Oh, right.
Yeah.
And he, he shared about the, you know, his concern about the malicious use and the harm

(08:07):
that it could, I mean, that was pretty, I mean, to me, that was pretty telling.
And you gave one use case.
It's interesting because we're using it in a way where, you know, we're using AI, OpenAI,
to like target and prospect and to, you know, from a sales standpoint, which is really,

(08:28):
you know, from a marketing and a content.
I mean, it's actually pretty, pretty encouraging to see that it's creating that window.
But I guess on the flip side of that, malicious actors can also do that and be very, very
targeted in kind of how they're scripting these phishing emails and such.
And so how do you counteract that?

(08:49):
Because I always feel like we're in this cat and mouse, you know, mode where a malicious
actor can leverage something like AI.
How could we leverage AI to counter that?
Is that, is there anything that you've seen?
So I mean, I do think that there's more opportunity for us on the defensive or the
good side of the equation than there is for the kind of offensive or, you know,

(09:15):
ill will use of the technology.
And I think part of it is, I think there's a better ability for us to collaborate, invest
and build bigger, better, scalable solutions.
Whereas I think the threat actors, the cost of building something like this is tremendous.
I think, you know, nation states will be able to leverage it and be able to advance it.
But I think you're more individual threat actors, you're more organized crime groups.

(09:38):
I think it'll be more challenging for them to scale it in a similar way to what the defensive
side can do.
I think it'll be harder for them to, you know, harness that power, expand their resource pool.
A lot of the challenges that we all face, but obviously they've got to be able to do
that on the criminal side and be able to engage more people in order to further that.
And I do think we'll have an opportunity to overcome that.

(10:00):
But I think like everything with security, it's always a cat and mouse game, right?
We come out with a better firewall.
We come out with some kind of exploit to try to take advantage of a vulnerability.
And we go back and forth.
And I think it's more about, you know, hey, how do we kind of look ahead?
Where do we see the future going?
How do we invest in those right places to try to make sure that we stay in front of it?

(10:20):
So I do think that the future is still bright, even if some of the AI opportunities may have
some bleak uses as well.
Yeah.
I want to shift focus just a little bit and talk about industries.
So you've been in the industry a long, long time.
And what industry do you see investing the least amount in cybersecurity?

(10:45):
Is there industry that's lagging in terms of cybersecurity investment that needs to
catch up based on, because you serve all markets, right, in your role?
What industry do you see, and, you know, vertical industries that I'm referring to,
which ones do you think invest the least amount in cybersecurity and kind of need to focus
on it more?

(11:05):
Yeah.
So I mean, I would say this kind of ebbs and flows a bit over time.
The areas where I think we'd say we see more of the challenges, for example, would be in
things like education, health care, they've been hit very, very hard.
And then I think also, you know, if you look at it from a size and scale perspective, generally
speaking, you're smaller and more medium to mid-sized businesses typically struggle more

(11:30):
because the large enterprises, they generally have large IT teams, large InfoSec or cybersecurity
teams.
But usually if you kind of look at it like a pyramid, you start getting about halfway
down that pyramid, there's a tremendous amount of organizations that live in the bottom half
of the pyramid, but they don't necessarily have the same level of resources to apply
toward cybersecurity, or maybe in some cases, as you move even further down to the small

(11:54):
business arena, they may not even be tracking on it at all.
There was a study I was reading just the other day, and I don't remember the exact study,
but the numbers were surprising in terms of the amount of organizations that said cybersecurity
and cybersecurity resiliency weren't even really on their roadmap.
Now, again, these were more of your small to mid-tier businesses, but again, it tells

(12:16):
you that they're still not entirely tracking on this as being a need.
And I think it's also complicated by the fact that, you know, the economy is in a weird
kind of rocky, questionable state, right?
Nobody really knows where we are or where we're going.
And I think that also creates challenges for more of your small and medium-sized businesses

(12:38):
to struggle with figuring out where are they going to make investments.
Your larger organizations typically are better capitalized and have more of a longer term,
you know, roadmap and strategic planning and vision.
Yeah.
I mean, it doesn't strike me as odd, right?
No.
I mean, you have the small organizations with the more finite budgets, they have to choose

(13:00):
where they put their, you know, their limited resources.
However, and I want your opinion on this, I've found that the small organizations are
incapable of recovering from an event, an outage, disruption when it comes to ransomware,

(13:23):
cyber attacks or, you know, anything like that, that their recovery or their impact is greater
from an overall business standpoint.
Like some of them quite possibly could not recover enough to actually be back in business
in a reasonable amount of time.
Are you seeing that as well or is that just, what do you see in instances of like that

(13:48):
where a small to medium business gets shut down for two weeks, three weeks at a time
and then recovering that loss revenue?
Yeah.
So, I mean, it's unfortunate, but we've seen cases like that where organizations have
not recovered from, you know, an incident or a breach.
And obviously, we never want to see that happen, you know, and that's obviously why we try

(14:10):
to be very proactive, you know, kind of share the information and the research that we do
like the data breach investigations report and such.
But you're absolutely right.
There are circumstances where organizations, they're just, I'd say, a combination of not
being well prepared, not having the right, you know, say partner ecosystem in place to
help them either in advance or when an event occurs, or they think that it's not going

(14:33):
to happen to them.
There's somebody else that they believe it would likely happen to first.
And so as a result, they don't take the necessary steps.
And, you know, to your point of the impacts of these events, you know, for a small to
medium sized business, the impacts of a cyber event can be very oversized.
You know, if you get hit with a multimillion dollar ransomware demand, then you don't have

(14:55):
the resources in place to either pay the ransom, do it quick enough or have the appropriate
backup and resiliency functions in place.
There may not be a recovery option for you or the recovery timeline might exceed what
your capabilities are.
And that definitely creates issues.
We've also seen organizations lean on things like cyber insurance.
But again, that's, I would say that's maybe that's kind of like a crutch, you know, and

(15:19):
like a crutch, you still need to have some strength in you to be able to move, right?
The crutch doesn't walk you.
The crutch helps you walk, right?
And so I think that is a tool or an enabler.
But again, it's not everything.
Organizations still need a fair degree of, you know, robust, you know, infrastructure
processes, etc.
And, you know, everyone will tell you that that's not going to be the end all be all

(15:41):
that's just going to be kind of one of the tools in your toolbox, if you will.
Yeah, it's interesting you brought up cyber insurance.
So yesterday I was meeting with the mid-sized company about 2,000 employees and asked them
about their incident response plan.
And I got this sheepish look on their face like, we need your help on that.

(16:06):
And I said, well, what about, you know, who do you have for digital forensic investigations?
Because, oh, we rely on our cyber insurer.
Okay, you have cyber insurance.
That's great.
What about local law enforcement, right?
Do you have the contacts with federal and local law enforcement should you need to?
And she just, again, just looked at me like with this blank stare.

(16:28):
So we walk through and I have to admit I learned this from you is to have that three-legged
stool, right?
You need to have your legal counsel.
You need to have law enforcement.
And then you need to have a third party incident response company on retainer to be able to
respond no matter how large or small an organization because you've always said it's not a matter

(16:52):
of if it's a matter of when.
And so being prepared, right?
Being proactive.
So I appreciate that.
I've carried that message on.
And if I could just add on to that too, Steve, that, you know, and I always tell organizations
that, you know, it's funny because sometimes I'll speak with the smaller organizations
and they'll say, look, excuse me, the large organizations have it easy because they've

(17:12):
got all these resources and budget and all these things.
And, you know, they've got the, and, you know, an entire in-house staff that may be larger
than a small business, right?
They could have 100 people on their incident response team.
But even still, those large organizations will have third parties that they lean on.
And what I always tell people is it doesn't matter the size because at the end of the
day, you could have one massive incident that out, you know, out weighs your capabilities

(17:37):
or you could be faced with multiple incidents on multiple fronts and you can only scale
so much, you know?
And so kind of having, you know, almost like a mutual aid agreement of sorts, you know,
having, you know, incident responders or even in some cases more than one firm that you
can lean on, I think is really beneficial because nobody wants to be caught in that
position where an event occurs and you have to go to your CEO and say, hey, you know,

(17:59):
unfortunately we never plan for a contingency for what might happen here and now we're really,
really stuck or, you know, we have to engage someone but it, you know, we don't have an
agreement with them so it's going to take, you know, a week to get something done and
that's not a situation anyone wants to be in.
Yeah, yeah.
No, those are cautionary tales for sure.

(18:19):
Sure.
So I want to shift again and ask you kind of again to open your crystal ball and see
how do you think the cybersecurity landscape will change over the next five years?
I won't ask you to look out 10.
If we looked back 10, we would go, wow, we never anticipated some of these things.

(18:43):
But in the next five years, how do you see the cybersecurity landscape changing in this
market that we're kind of talking about, this mid-market?
And again, you know, I won't hold you to it.
That's fair.
So I would say, you know, kind of continuing from the previous kind of conversation we had
around generative AI, I think that is going to continue to be a challenge and I think

(19:06):
that's only going to get more challenging as time goes on as the capability becomes
more readily available to everybody.
And I think that, you know, kind of your small to mid-market organizations are going
to struggle because like anything, generally speaking, when there is newer, more innovative
technology kind of going back to that pyramid, generally it's the organizations at the top

(19:28):
of the pyramid that can afford to beta test and try all that stuff out and really kind
of get their arms around what's involved with it much more quickly than organizations may
be further down that pyramid.
So I think we're going to continue to see threats on that landscape.
I think the other thing too, if we're looking out into the future, I think there's also
risk around things like quantum computing and the potential for that to impact, you know,

(19:50):
cryptography.
There's also risk for folks who may not be familiar.
Obviously the world of what we revolve around and everything that's important to us exists
largely because of strong cryptography or encryption.
It protects that information, right?
The conversation we're having here is going over an encrypted connection.
You know, you pick up your phone, you send a message, you know, whatever it is you're

(20:11):
doing, you interact with your bank, it's all encrypted.
And obviously the concept or the concern that exists here is thinking out into the future
with the advancements of quantum computing, there's a much greater ability that at a future
state we're going to be able to break the encryption of today in a relatively short
period of time.
And, you know, what's given most people comfort is historically we've thought it's going

(20:34):
to take hundreds or thousands of years to break the encryption.
By then you and I aren't going to care if someone has access to our data because we'll
be long gone.
But with quantum, there's the potential that that can happen in a much more real time fashion.
So obviously there's a need for us to be looking at things like quantum resistant encryption
in order to make sure that communications and data remains, you know, safe and protected.

(20:58):
So if I was kind of looking out there in the future, I'd say those are probably some of
the more kind of substantial, but maybe a little bit more reaching concerns.
I think we'll continue to see evolutions of also more of the traditional current day events
like ransomware, extortion, you know, targeting of individuals, you know, one of the other

(21:18):
trends we're starting to see pick up is targeting of executives, you know, historically we've
seen, you know, more of the end user population or the consumer population being hit.
Now we're starting to see that kind of bubble up where the C-suite is actually being
targeted now because threat actors are looking at them as being, you know, either less protected

(21:38):
in an odd, twisted sort of way or organizations are making more exceptions to the rules and
the policies for them, you know, a CEO or a CFO doesn't want to have to change their
password every 90 days or, you know, they want to be able to use a personal device instead
of a corporate device.
And so all of these things bring about risk to individuals in the organization that have

(21:59):
access to a lot of really sensitive information.
Yeah, you bring up an interesting point in terms of like top executives because most
of the time they tend to be the ones who want to be the exceptions of the rule.
And so that opens up a vulnerability that seems to be exploited.

(22:20):
And so you have more exposure from that standpoint.
A couple of weeks ago, I got a text message, and I see this happening more and
more, I got a text message from our CEO saying, Hey, this is Josh.
And I got a new phone.
Can you call?

(22:40):
Can you text me back on this line?
And I was like, it's Saturday morning.
Never reaches out to me on a Saturday morning this early.
And so I texted Josh on the cell phone that I had.
And I said, did you get a new phone?
He goes.
I go, you want to play with a threat actor?
You know, it was pretty funny.

(23:02):
I just blocked it.
But it's right.
It's true that the, you know, the attack pattern becomes more spear phishing
and targeted in nature.
You're right, because I remember when we first started with the DBIR, it was all about credit
cards.
It was all about social security numbers.

(23:22):
It was all about, and that was where the breaches were happening most frequently.
Now they tend to be more surgical in nature.
Absolutely.
Yeah.
I think when you look at things like AI and the ability to, you know, I mean, you saw
that message and obviously it triggered you to respond as you did, which I think is great.

(23:42):
I think a lot of people would be fooled by something like that.
The other thing also is for individuals where there's a lot of information about them out
there, you know, the other thing that we're also seeing are things like deep fakes.
And so for example, someone will get a phone call that sounds like you or me because they've
used AI to generate a voice that sounds and speaks like you or me.

(24:04):
And so they'll say, Hey, this is, you know, this is Steve Rivera.
I need you to do this.
And someone's going to say, okay, it sounds like Steve and this is the way Steve speaks.
So I'm going to listen to it.
Right.
And so there was actually an interesting, there was an interesting segment on 60 Minutes
where this exact situation had played out and they'd showed a demo of someone getting

(24:25):
a spoofed phone call.
So the caller ID looked like it was coming from that person.
And then they used AI to generate a conversation with that person using essentially a deep
fake version of their voice, which, you know, it's scary.
And, you know, there's a lot of organizations now too that are using voice prints for authentication.
You know, there's a lot of financials that are starting to use that as a way to try to

(24:47):
simplify and reduce friction, but now there's the challenge of if we can deep fake someone's
voice, then there's the potential we can get into, you know, their bank account brokerages,
things like that.
So it creates a lot of interesting challenges.
Wow.
You brought up something that absolutely scared me now that we're doing a podcast, right?
And we're recording our voices.

(25:07):
You're like, maybe I got to use one of those voice changers.
But then how would you recommend countering that?
Is it multi-factor?
Is it challenge and response?
I mean, how do you propose to educate your user community with something like that?

(25:31):
Because now it truly is zero trust, even voice, right?
So that's right.
So how would you recommend that our listeners kind of tackle that?
Or anything?
So I think, you know, to your point, zero trust, I think is kind of where we're heading,
you know, whether we were intending to be there or not.
I think that all of this just as further evidence of the need for that, especially when you're

(25:53):
not necessarily in the presence of the individual to be able to verify that it's really them,
right?
And I think it's more and more challenging nowadays because of the fact we're doing more
things remote.
So you know, you trust that I'm me and I'm trusting that you're you.
For all we know, this could be an AI conversation that is happening between two computers.

(26:14):
But you're right that I think, you know, ultimately it comes down to a combination of zero trust
and a combination of multi-factor authentication and strong multi-factor authentication, I
think is really the only way to really, you know, adequately be able to tackle that kind
of problem.
Great.
No, I appreciate that.
So I did want to ask because you have a certain visibility, because of the partnerships

(26:39):
that you have forged and your experience.
What are some of the threat actors that you're starting to see that are becoming very prevalent?
And you know, and maybe you can share a little bit about their methodology and the process
that they use.
Sure.
Yeah.

(27:00):
I would say that a lot of it comes down to financial motivation.
You know, you mentioned earlier some of the things that we have historically seen targeted
and since the beginning of us collecting data, right?
And if you think of the DBIR now we're about to come out with our 16th iteration of it,
right?
So it's 16 years running even longer in terms of data collection.

(27:23):
And since the beginning of our data collection, one of the things we've always found is that
the majority of threat actors are motivated by financial gain.
Now that's not to say that's the only motivating factor.
We do see a small percentage that is espionage.
And you know, I always tell people to kind of caveat it because the news typically is
much more interested in espionage related cases that makes for better TV, right?

(27:45):
But the reality of it is if you think about the kinds of crime that you might encounter
in your normal everyday life, you're probably not regularly encountering, you know, espionage
types of incidents as you walk through your neighborhood, or at least I hope you don't.
Most of the crime that we all experience is financially motivated.
It's, you know, petty theft.

(28:07):
It's you know, breaking into someone's car, breaking into someone's home, breaking into
a business, but even in all of those physical cases, typically the goal of the actor is what
can they steal that they can sell?
And generally speaking, we see the same kind of motivation on the cyber side of things.
Like it's a combination of what can they steal and sell?

(28:27):
And also what can they extort and get paid for?
Like things like ransomware attacks.
So I think we're going to continue to see a lot of that as we go forward.
The tradecraft that they use either to get their tooling or their ransomware into the
environment kind of shifts back and forth.
You know, a lot of it again, coming back to social engineering, whether it's, you know,

(28:49):
phishing or pretexting types of attacks or other forms, but ultimately for them, it's
how do they get paid and then how do they move on to the next one?
And it's interesting because if you kind of compare and contrast the early days of breaches
versus kind of more of what we see current day, in the earlier days, these events played
out over much longer time horizons.

(29:12):
You know, we'd see breaches that would run for weeks or months or even in some cases
years and it's not to say those events don't still happen today.
But when you think about it from a threat actor motivation perspective, they want to
get paid and they want to get paid quickly.
They're generally not in it just to mess around and have fun.
There are some of those, but most of them it's a payday for them.

(29:34):
It's a job.
And so the quicker they get paid, the quicker they can move on to the next one.
And things like ransomware and other forms of attacks like that generally result in them
getting paid much, much more quickly than your traditional data theft and sale because
they need to get in, they need to get the data, they need to get it out, they need to
find a deep or dark web market to sell it, they need to connect with a buyer.

(29:56):
So all of that can take time in order for them to ultimately get from breach to monetization,
whereas ransomware, you know, very much, you know, reduced the timelines and the level
of effort in a lot of cases that they need to exert.
I want to ask your opinion about something.
And again, I know it's just your opinion and I want to caveat that, but like, you know,

(30:19):
the proliferation of ransomware, I think, is because many people choose to pay the ransom.
So if we stop that spigot, we will see that that attack vector or method will cease or
at least.
So do you have an opinion as to whether a company should pay the ransom or not?

(30:45):
And then kind of as a follow up, do you see cyber insurance eventually going away in terms
of paying out ransoms, because it's like, it's a loss leader, right?
So I'm interested in your thoughts.
Great question.
And there's a lot of debate on this topic.
So I would say that I think cyber insurance is not going to go away.

(31:07):
I think it's going to be here forever.
I think it's a fast growing market.
And honestly, it's interesting.
There was a study that was done a while ago as to what the number one reason was that
organizations bought cyber insurance.
And the top reason was pay ransoms.
People were concerned of not being prepared and able to pay a ransom, pay it quick enough.
And so they bought cyber insurance and a lot of cyber insurance brokers, that's kind of

(31:30):
how they marketed it.
You know, this is the downfall or the outcome that can happen if you get hit and you don't
have an ability to pay in 48 or 72 hours, whatever the demand is, buy cyber insurance
and we'll take care of that for you.
And then I think they got quickly overwhelmed with the amount of claims that rolled in.
I agree with you that choking off the money supply generally is a great way to restrict

(31:50):
any kind of threat actor, right?
We see that in many different cases around the world.
So I think from my perspective, my recommendation is always avoid paying.
And the way I think we get to that is being better prepared, having the right, you know,
policies and procedures in place.
One of the most popular things that my team gets involved with today are things like ransomware

(32:12):
breach simulations.
In fact, we've even done it internally for Verizon, where we actually walk through what
a real event would look like, feel like, smell like, taste like, like you got to be there.
You got to feel it and say, these are the events that are unfolding and this is the clock that's
on you to respond.
And these are the repercussions or consequences.

(32:34):
And you know, I think the only way you get to a point of being able to avoid paying is
feeling that you are prepared enough that you've got the right resilience in your organization
to say, we won't pay.
These are our plans.
We're going to execute them and we will be fine.
It's typically organizations end up paying when there's a breakdown or the plan doesn't

(32:55):
execute properly or something else like that happens, or maybe they don't have any plan
whatsoever at all.
And so that's typically where we see that play out.
And the other advice I always give people because sometimes there's a notion that, well,
if I pay the ransom, it's done.
But the reality of it is in most organizations, that maybe works, right?

(33:16):
And I say maybe because sometimes the key doesn't always decrypt properly or the tool
doesn't always work properly or the threat actor doesn't respond with a decryption key
at all, all of these things can happen.
And then still at the end of the day, even if everything decrypted great and you had
the best possible experience with a threat actor, you still have to go through the process

(33:40):
of doing the root cause analysis to figure out how they got in and make sure you've addressed
the issue.
Because as you know, one of the other things I always say is that every time you pay a
ransom, it also kind of puts a target on your back because others, other threat actors now
know you either will or have the wherewithal to pay, or you've got a cyber insurance that's
going to stand in and pay for you.
So if I can get in there in the next 30 or 60 or 90 days and hit you again, maybe there's

(34:05):
a good chance I can get that payday as well.
So I think there's an element of, you know, there's a potential for repetitive incidents
that can also occur there.
But I don't think cyber insurance is going away.
I think ultimately what we're going to see kind of the long answer to your short question,
Steve, is I think that the requirements to get the insurance are going to get ratcheted

(34:25):
up.
The insurance companies are going to say, if you want this level of coverage, you need
to prove this level of resiliency.
And the premiums are also going to go up to care for the fact that the claims are starting
to roll in more heavily.
Yeah.
No, I was involved in a CISO round table last week in Chicago.
Oh, by the way, Dave Ostertex says hello.

(34:48):
And I was involved in this cyber insurance round table and that's exactly what we talked
about.
Everyone in the room talked about the premiums going up by a factor of two, three, four times
and the requirements, you know, MFA or monitoring, and these certain baseline requirements

(35:10):
that they didn't think they needed to have previously now are being required by the cyber
insurance.
So it becomes that balancing act of do you pay the premium, do you self-insure
or do you roll out these countermeasures?
When you mentioned the breach simulations, you know, I partook in a few of those that

(35:33):
your team used to lead.
And I will tell you, they always appeared to me like Dungeons and Dragons, right?
And your team being almost like the Dungeon Master and throwing out these scenarios and
then continuing to evolve the scenarios.
And the clients always found incredible value in that because they always found something

(35:56):
that they could improve on or something that they had not considered.
And so I always found incredible value in that.
So I'm glad you mentioned that because I find that having that muscle memory increases the
rate of success or the probability of success when an incident does occur.

(36:17):
Absolutely.
So, you know, kind of in closing Chris, I'm hoping that you might be able to just two
to three things that our listeners can kind of take away from, right?
And talk two or three things that they could do to prevent becoming a victim or to having
an incident that might be catastrophic.

(36:38):
Sure.
Yeah.
So I'd say if I had to, you know, give you a couple, one, you already mentioned the breach
simulations, which I think is hugely important because, you know, I think that a lot of organizations
that actually reminds me of a conversation I had, and this was a number of years back
before we even offered breach simulations that, you know, a CISO had said, hey, you
know, is there a way you could kind of help us orchestrate like a small breach?

(37:01):
One that gets our executives' attention on the problem, gets me the budget I need, but
not so massive that, you know, we all lose our jobs, right?
I mean, and you know that he was kind of not entirely serious or at least I don't
think he was.
But that's kind of, you know, where the idea of the breach simulations really was born
out of was organizations were struggling because historically creating a policy is easy.

(37:23):
You go tell an intern, hey, write us a policy that does this, follow this framework.
And in a couple of weeks, you're going to have a policy document.
But the thing that we're always pushing on organizations is you need more than, you know,
a book on a shelf that says we've got a policy.
There actually has to be something that you can exercise and you can go through, as you
said, kind of have that muscle memory.
And you also need to make sure that the senior leadership, the executive leadership is on

(37:47):
board because to your point in the Dungeons and Dragons game that kind of plays out, usually
the issue we see is on paper, everyone's in full agreement in practice when it actually
comes time where someone has to make the hard decision of X or Y, that's when all of a sudden
everyone starts disagreeing with what we have in the policy and they want to go do something
else.

(38:08):
So having that simulation really makes it real.
The other thing that I always say, and this one's kind of a back to basics kind of recommendation
and that is asset inventory, probably one of the most boring recommendations I can put
out there, but I'll tell you that there's so many breaches that my team has helped organizations
investigate where it comes down to the entry point or the entry vector was an asset that

(38:31):
the organization just wasn't even aware of or wasn't tracking.
And if you're not aware of the assets that you have, and I know this sounds trivial and
maybe everyone will say, Oh, I've got that covered.
I challenge you to go back and check it because inevitably that's usually what we find is
it's an asset that's not being tracked and therefore there's no vulnerability scanning.
There's no patch management that's happening.

(38:52):
And so as a result, it becomes this wide open target for exploitation that threat actors
are just going to zoom right in on, take advantage of and then move within the organization.
And then that kind of dovetails to another one that I'd say is also very critically
important and that is kind of a combination of vulnerability and patch management and
things like pen testing and red teaming really kind of putting the screws to that team and

(39:16):
see how well are you performing on all of those metrics?
How well are you able to keep up on your patch rotations?
It's interesting when we look at things like Log4j, that was a big newsmaker in terms of
kind of the vulnerability and kind of cyber supply chain landscape.
And one of the things that we found out of that was the majority of the exploit attempts

(39:42):
that were going after that kind of vulnerability.
In terms of scanning and looking for potential targets and trying to exploit a Log4j vulnerability,
the majority of that attack targeting happened in the first 30 days after it was essentially
announced.
So having a robust plan that you can execute on is very much a critically important item.

(40:04):
No, I appreciate that.
I wanted to comment on two of the things you said.
First was the asset inventory, right?
I thought, you know, folks that I meet with, it's not a one time event, right?
It's a continual because networks evolve.
Absolutely.
They change, assets come and assets go and user access as well, right?

(40:28):
It's who has access to what systems when.
You mentioned the incident response plan or having that book on the shelf.
I recently had an occasion where a customer had an incident and called us and we were
ready to jump in and we asked, okay, your system's got encrypted.
Where's your incident response book?

(40:50):
And it was just crickets silence.
It's on the laptop.
It's on the desktop that is not encrypted.
Sure.
I've seen that before as well, or I've seen like the backup environment is connected to
the production environment and ransomware runs through all of it at once.
Yeah, that's bad news.
So it's, you know, for our listeners, right?

(41:10):
It's print out the book, have one in the office, have one at home, you know, so you don't,
I mean, these basic things oftentimes get overlooked in the event of an emergency.
These are the things that become massive issues when you don't have them readily handy.
Well, Chris, I really, I can't thank you enough.

(41:33):
For your insights and your time and such a provocative conversation for our listeners.
Well, that's all for this episode.
Make sure you take time to listen to our next episode of Logically Speaking and stay cyber
first and future ready.