
August 23, 2024 28 mins

In this riveting episode of Breakfast Bytes, host Felicia sits down with Crystal Redmann, the inquisitive Operations Director from Redmann Farms, to dive into the intricacies of network security. Crystal brings forth compelling questions about network segmentation, shedding light on how this fundamental security measure can protect even the smallest of organizations.

As the conversation unfolds, Felicia and Crystal explore the evolving landscape of cybersecurity threats, particularly focusing on the alarming use of AI by cyber criminals. Through vivid analogies and real-life examples, Felicia illustrates the critical need for advanced security measures and the role of zero trust in safeguarding digital assets.

This episode promises to not only educate but also captivate listeners with its deep dive into the world of cybersecurity, making complex topics accessible and engaging for all. Tune in to discover practical insights and proactive strategies to protect your digital world.

 

Quick recap

Felicia and Crystal discussed the importance of network segmentation and micro segmentation for enhancing security, and the challenges of balancing security and functionality in an organization. They also explored the potential risks of deep faking in financial transactions, the evolving threat landscape, and the need for vigilance in device maintenance. Lastly, they emphasized the concept of zero trust in computer security, the significance of personal data protection, and the need for enterprise-grade security for home use.

   

Understanding Network Segmentation and Security

Crystal expressed her need to understand more about network segmentation and its benefits, particularly in terms of security. Felicia explained the concept of network segmentation, emphasizing its foundational role in network layer security. She elaborated on the concept of micro segmentation, which involves treating different assets differently based on their needs and requirements. Felicia highlighted that this approach can bring enterprise-grade security to even the smallest organizations, making it economically feasible and sustainable.

   

Security Profiling for Device Segments

Felicia discussed the importance of creating a security profile for different segments of devices, such as printers, to prevent unauthorized access, data leakage, and the spread of malware. She emphasized the need to restrict communication between devices to enhance security. However, she pointed out the challenges in implementing this approach across various devices, including TVs, printers, and corporate laptops, on the same subnet, stating that it would be practically and economically impossible. Crystal agreed with Felicia's assessment.

   

Balancing Security and Functionality in AI

Felicia discussed the importance of balancing security and functionality in an organization, using the example of the unregulated use of AI leading to potential risks. She emphasized the need for a governance system and leadership that prioritize risk management. Felicia also highlighted the potential of AI being used by cybercriminals, mentioning its use in creating deepfakes and its ability to collect and analyze vast amounts of data. She suggested using services like Abine's Delete Me to reduce the number of lists an individual is on and advised against publicly listing employees on company websites.

   

Deep Faking Risks in Financial Transactions

Felicia discussed the potential risks of deep faking in the context of financial transactions. She highlighted an instance where seven people at a company were deep faked, with one legitimate participant, who was the only one to realize the fraud. Crystal expressed her concern after learning about this case. Felicia further explained that AI could potentially execute a video conference call deep fake to manipulate financial decisions, emphasizing th

Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
Good morning. You're listening to Breakfast Bytes, and I am here today with
Crystal Redmann, who is the operations director from Redmann Farms.
She's a rather inquisitive sort of person and came up with a number of technology-related
questions that she thought would be helpful to a variety of business leaders.

(00:24):
And since Crystal's in charge of the technology leadership as the technical
point of contact sort of person for the Redmann Farms,
she came up with these lovely questions and sent them to me.
And I'm like, wow, those are really good ones for the show.
So do you have a question that you want to discuss with me today,

(00:49):
Crystal, and get to the bottom of some answers?
Oh, so many, Felicia. Okay, so
many. Okay, so randomly, just so everybody knows, like, I'm not, like, you have not
told me what the question is, so this is going to be totally off the cuff. Let's
go. That's how our relationship has been so far. My, one of my biggest burning

(01:11):
questions is understanding network
segmentation. I kind of
get it. I understand why different, there's different Wi-Fi networks for our business,
all that good stuff. But I need to know more. Like, how does it improve security?
Are there some common mistakes that people make when they're implementing this? What does the

(01:35):
typical person need to know? That's really, it's an excellent question.
And the reason I think it's such an excellent question is because network layer
security is the foundation.
It's absolutely the foundation. It's like when you're doing a house,
you have to have a lovely hole.
The hole has to be compacted and you have to have a lovely concrete foundation in there.

(01:59):
And it has to be all level and square and everything.
And if that isn't right, then everything else doesn't work quite right.
So the network is what everything else runs on.
You need that network to be correct. And network segmentation,
specifically micro segmentation, is actually better.

(02:19):
There's a wide variety of ways to do it. And I like to focus on things that
are the lowest total cost of ownership in terms of methodologies and things
that are the most sustainable.
So that means that that level of security or that type or that approach can
be attainable for even a very, very, very small organization of,

(02:45):
let's say, a business broker who works out of their house, a single individual.
So that means we can bring enterprise-grade security-level approaches to even a one-person office.
And that kind of approach is very important because a lot of the other network
segmentation approaches are economically infeasible at that scale.

(03:09):
Okay, so the way to think about segmentation is you are going to treat and classify
your jewelry box different than your underwear drawer,
different than your bookshelf, different than your refrigerator.
These are all different types of assets that you're storing in these different places.

(03:34):
And so you need to treat them differently. I mean, nothing's going to end well
if you take your underwear and your jewelry and your books and your food and
you stick them all together.
These are just, right? I mean, these are different things that have different needs.
You know, the books need to be on the bookshelf with their other books and they
can't be having milk next to it, getting it all wet.

(03:58):
Same with your underwear, you know? And jewelry, we typically want that to be
a little more protected.
And so the idea of micro-segmentation at its core is a concept that says we're
going to understand the assets,
and then we're going to enable the assets to do what the assets need to do.

(04:21):
Like a TV on a guest network, for example, needs to be treated differently than
a corporate laptop. But that's different than a printer.
And that's different from a switch.
These different things have different requirements.
And so if you create a security zone profile sort of concept around these and you segment them,

(04:45):
it becomes very easy to create a security profile for the segment that the printers are on.
You can say, well, my rule is I'm only going to put printers Now I can create
a security zone profile that protects those printers from being tampered with or hacked externally,

(05:08):
but also helps those printers avoid data leakage.
Like a printer, for example, could have, let's say it got a piece of malware
on it, which is totally possible. That can happen. Right.
But then everybody that's printing, every one of their print jobs might get
leaked to some unauthorized parties, and that's highly undesirable.

(05:31):
And so as a result of trying to avoid a situation like that,
you need to restrict what the printers can communicate with and thus restrict
what they can send data to.
And now some devices like a TV, that's what you would call an IoT device.

(05:52):
The IoT devices, you try your best to create a profile of what they can communicate with.
But some devices are just really poorly engineered.
And most TVs, I would say, are the antithesis of anything that's able to be secured.
But one of the ways that you keep corporate devices from getting ransomware

(06:18):
is to restrict what they can communicate with.
Well, if I had to go to the level of effort of mixing TVs and printers and switch
interfaces and telephones and surveillance cameras,
you know, and company computers, right? Corporate laptops.

(06:41):
Oh, and guest devices. If I had to do that all on the same subnet,
do you think I could protect anything?
Probably not. Right. It becomes very difficult if it's basically practically impossible.
It's impossible to do it at an economically viable level because you can't actually

(07:02):
know what traffic is occurring and what IP address at what time.
So there you go. I mean, most of IT, or I should say IT security,
is this balance between trying to protect assets, but still facilitating the
functionality that someone legitimately is authorized to do.

(07:24):
Notice I didn't say need, right, because it's not up for employees of an organization
to discern what they need.
It's up for the security management team to listen to them and say,
okay, I understand you want to do that. Now, what does company policy say about that?
And then let's see if maybe there's a company policy change that needs to happen.

(07:47):
I mean, a big example of that would have been when ChatGPT came out.
I think a lot of organizations failed to appropriately have an AI usage policy
before they allowed AI to be accessed in that way in their organization.
And really, they just introduced a whole lot of risk to the organization.

(08:07):
And network segmentation would have been a very easy way to turn that off if
it was allowed to be turned off.
But unfortunately, most organizations don't function that way.
And without a governance system like a policy and without leadership who are
thinking first about risk management,

(08:29):
then those things tend to go nowhere. So what do you think about that
as an answer? Does that help you understand these?
Absolutely. I'm really glad you said AI because that reminded me of another
question I have for you. Okay, go for it.
How do you see AI being used by cyber criminals in the future? Are there

(08:56):
new security threats on the horizon that we should be aware of that are coming? How serious is this?
I think it's wickedly serious. And I mean, I've actually already seen quite a lot of it's come out.
So one of the things that's super duper cool is we have a system called the
Breach Prevention Portal System.

(09:18):
And it's effectively a large scale on demand training platform,
training and assessment platform for individuals.
We can deploy it for residential home users and one-user businesses to large
businesses. It really doesn't matter.
It's really cool because we can just provide it to everybody.

(09:39):
One of the things that comes out of that sort of interaction is that becomes
a way to provide the answers to those very questions
to the staff at an organization across the board and to enable personnel managers
to know that the staff have taken that class or those courses,

(10:04):
maybe it's a couple courses,
and there's always an assessment at the end of it.
And how did they do on the assessment? Did they complete the assessment?
So I've already seen where the criminals are using the AI.
And I have to mention something else that I think is quite relevant here,
is that we don't, on our company website,

(10:27):
we don't list the employees of the company with their photos and their names
and their fun proclivities or whatever.
And I have seen organizations do this and it's typically when those organizations
are driven by marketing people instead of operational security people.

(10:48):
That type of information is absolutely harvested by the criminals.
So criminals will also buy all kinds of people finder lists.
So using something like a service like Abine's Delete Me can be exceptionally
useful to an individual to help reduce the number of lists that they're on.
That service is very economical. And again, that's Abine Delete Me.

(11:11):
I really enjoy that service. I think they do a good job at that company.
And the criminals are collating all this data using AI.
They're also drafting messages now that are less prone to have spelling and
grammar mistakes because now they're not having to do it.
They're using AI for that. They're utilizing AI to do deepfakes.

(11:35):
And that's the one that is really the giant meat and potatoes,
is the biggest bang for their investment
is when they're using AI tools to perpetrate deepfakes on people.
Because let's imagine that an organization didn't have their protocols together.

(11:57):
And if the person who or multiple people potentially who could be authorized
to do like a large wire transfer.
Well, what if they were not immune to getting deep faked and wire frauded?
Oh, this is where the problem comes in. Did you see the article about the guy

(12:21):
who was deep faked by like seven?
He had seven people at his company that were deep faked and he was on the receiving end of all this.
I think they had a conference call and he was the only, this was a video conference call.
And he was the only legit dude in that meeting. Did you see that article?

(12:41):
No, I did not. You'll have to send that to me. That sounds horrifying. I was scared.
I'm terrified now. It's pretty wild.
So imagine this dude. This guy was like the ACH wire transfer guy at a bank.
And he got deep faked in a conference call where there was like seven other

(13:06):
people in. This was a video conference, right?
How long did he stay on this call?
I don't know. That information was not in the meeting.
But I think they got like $50 million.
Oh my gosh. Yeah, it was pretty crazy.

(13:27):
Anyway, so this is exactly what AI is doing.
So, right, if AI is that good now that it can do a video conference call deep
fake in order to get this guy to make it like a very large wire transfer,
this is exactly why people need, like, everybody needs this kind of training

(13:50):
that we have that's available.
I mean, it's really good training we have. And I've had nothing but very positive
commentary from people about like, yeah, you know, it's really cool. You got AI training now.
And, and that's really relevant. It's really practical and easy to understand.
It's like, yes, because it's a big deal. It's a big deal. So what do you think

(14:11):
about that as an answer to your question?
Wonderful. Your answers are always wonderful. So we have AI helping cyber criminals just go wild.
You don't even need that much knowledge, it seems. You just have AI to help you out here.
I assume that means malware is probably evolving rapidly?

(14:34):
Right there, yes. I,
I think we adapt our strategy to counter, like,
these emerging risks. Well, that, yeah, again,
another fantastic question you have here. You know, I was thinking about your,
your malware point. It's become so super duper easy for bad actors to, there's

(14:57):
kind of like two things that they're doing, and I'm sure that I'm, I'm underselling
it, right? One thing that they're doing is like scenario planning.
Oh, if I ran my malware and I did this, what's the probability of penetration
into said company or theft of data or whatever, right?
So they're now able to do much more sophisticated scenario planning,

(15:19):
which helps them tune and refine their attack.
The second huge piece is they don't even have to be able to write code anymore.
I mean, I mean, this used to be where malware coders used to actually have to write code.
Now, granted, for probably at least five to six years, there have been ransomware

(15:43):
rootkit sort of things you could buy on the dark web.
So this is you got some malicious actors who are coding wizards and they're
out there and they're basically building like a ransomware kit.
And you could take a 10-year-old,
and some people have done this, they'll take a 10-year-old, put
them at a computer and say, okay, use this application

(16:06):
to go make some ransomware. And so here, just a 10-year-old with a computer and
this, like, ransomware wizard generator tool rootkit thing can go and generate
their own variant. And so this is a key piece here, is that
when there's, I believe there was like 100,000 new pieces of malware every hour around the world.

(16:33):
I mean, there's some sort of just completely outrageous statistics like that.
And so that's why signature-based
detection isn't that great anymore.
I'm not saying that people should stop using it. I'm saying that if they're
using a tool that is centric around that type of functionality,
it's going to be deficient in its capability set.

(16:55):
So what we use is we use something that's really a zero trust approach.
And that's where you really got to get to at the point with malware.
I could go back at least a decade and
I can tell you that even a decade ago, if a
p-, if a computer got some malware on it,

(17:17):
it was done, absolutely done. I
mean, there was like no removing it. So the
whole thing when people buy, they pay the,
the ransomware guys and then they get their, you know, decryption keys, I mean,
I just want to laugh at that type of stuff from the perspective of saying that

(17:37):
if you think, if you think you're going to get data back that actually has integrity
that you can count on, I think that's a naive thing.
And if you also think that you're going to get usable systems from paying that
ransomware, I think that's also a very naive approach.
Because even 10 years ago, there was really no viable method for correcting

(18:00):
a computer that had been something malicious happened to it,
other than you have to wipe the whole thing.
I even saw, oh my gosh, I can tell you it was the year 2004.
This was a super long time ago. It was 2004 when I saw partition persistent malware.

(18:23):
So if you took a computer and had this nasty thing on it, you rebuild the whole thing.
And well, shortly thereafter, it was getting something nasty, infecting it again.
What was the one thing that continued to need to be done there?
Well, it wasn't just format the hard drive. It was all the partitions had to go too.

(18:45):
So this is something that you have to realize.
And sometimes you have to question, hmm, has somebody contaminated the BIOS on the motherboard?
Has it infected a USB attached device like a keyboard or a mouse?
You know, some of these monitors now have like an integrated docking station

(19:08):
in them that has its own brain chip, effectively. It has its own motherboard, right?
So you're now in the world
where you have to assume that everything is a threat and you have to use dynamic
live updating databases. So we're talking about zero trust. I have to protect my monitors now too?

(19:30):
Yes, yes you do.
I mean, you've always had to protect your monitors from nasty power surges,
but now monitors have firmware in them. Did you know that?
No, my mind is right now.
Okay, so I thought I would just plug it into the wall for a power strip,

(19:54):
and then you have that HDMI cable, you know, harmless.
We're good. I don't think about anything.
No, the HDMI cable is bidirectional in its communications capabilities.
And so the monitor has firmware, and something has to be able to update the firmware.

(20:15):
So there are various communication channels
whereby a computer could do a firmware update, legit or otherwise, to that monitor.
Actually, this is exactly why I have a very, very strong love for mature and

(20:38):
enforced procurement policies.
If you have a procurement policy that does not allow your team to go down to
random store and procure things like a USB charger, in fact,
well, I mean, shoot, you've seen these business,
you've seen these news videos you have to have.

(20:59):
I mean, I feel like they're like all over the place where is somebody saying,
you know, do not plug into your mobile phone, you know, a random power cord.
I didn't sleep for a week after I read the article about these USB phone chargers
and what's on that could potentially be on them and the threats they pose after.

(21:21):
Wow. My mom was pwned then.
Oh, yeah. Yeah, well, I mean, this is one of the reasons why we use wireless
phone chargers, because that's a surefire way to be successful with that.
Rather than telling somebody, hey, only use the phone charger that came with
your phone, I'm saying, hey, don't use the wired phone charger at all.

(21:43):
Use a wireless phone charger.
And they're like, oh my gosh, I got to buy phones that are capable of that.
And I'm like, the quantity of phones nowadays that can't do that is getting
even smaller and smaller and smaller. So.
Bottom line, let's go back to zero trust.
Zero trust is effectively saying we have to assume that everything is malicious

(22:06):
until it's been inspected.
And this isn't a matter of scanning. It's a matter of do I know you?
So there's a classification process. Let's say there's an unknown thing that's
unclassified and it is attempting to do something on a computer.
Well, the protection tools will grab that thing and they will upload it into

(22:30):
a virtual machine in the cloud.
They will execute that thing on the virtual machine in the cloud.
So this is a terminology we call detonating. You know, it's detonated in a virtual
machine in the cloud, and then we get to find out what happens.
Does it hack that virtual machine or not?

(22:51):
And so this is a way of doing behavior observation and outcome observation.
There are also those sorts of processes that
are going on all the time. Like, a great example is if you have
really good zero trust threat protection, then it's
going to look at it and say, oh, we have Microsoft
(23:11):
Word is invoking a
PowerShell instance. What do you think about
that, Crystal? Do you think that Word should invoke PowerShell? No,
why would it need to? That's exactly
right. So it smells like something malicious,
doesn't it? Okay, it's, so

(23:31):
zero trust is like, we're, we're gonna, do we trust Word? Yes, we've classified Microsoft
Word, but now we're still gonna watch it. If Microsoft Word is doing something
weird, then we have to think that Word, even though it's a legit tool,
maybe it has a malicious plugin embedded in it or something.

(23:54):
This is no different than if you look at like a web browser,
take Edge as a web browser.
It can have a malicious browser plugin. And then that malicious browser plugin
can do nasty, naughty things.
So we got like about four minutes left.
So why don't you give me your next kind of small question if you have one? Small? I don't know.

(24:19):
Antivirus software. Now, I'm thinking back to the days when I first got a computer.
You know, you have that notency when you get pushed in and you're,
as far as everybody knew, everything was great. We're protected.
I guess, how has that changed since then? And how machine learning,
has that impacted AI machine learning, the effectiveness of this antivirus software? Is it effective?

(24:43):
Is it worth it? I don't know. Well, I don't even like to use the term antivirus anymore.
In fact, I pretty much stopped. As a modus operandi, I'm only utilizing the
terminology, you know, zero trust threat protection or, you know,
endpoint protection detection and response.
And the reason is because

(25:06):
these things really cannot be unmonitored anymore.
So we do NOC, SOC and MDR, and without killing you with acronyms, it's just
basically security monitoring, security response, actively 24 hours a day. Now,
we only do that for the clients that subscribe to that service.

(25:27):
But that's like, you know, having a little monitor, a protection system,
like having your own cop that's running around with you all the time.
Like, you know, the cop's going to watch who's coming in on your zone and should
you get to go visit Crystal or not.
And then how is somebody interacting with Crystal, right?

(25:49):
That's kind of like having your own personal cop. But we use a lot of machine
learning and AI for that to keep costs low.
And the system is really incredible.
And as a result of that, we have not had a single client get breached who was

(26:09):
under our full management.
The only times we've actually experienced issues is when, you know,
other people are involved that don't
have the same level of training or vigilance on this matter as we do.
But I don't really use the term antivirus anymore, just simply because antivirus
represents approximately maybe 10 to 15% of the kind of protection capabilities

(26:34):
that you need just for your individual computer,
right? That was my next question.
Is it enough for personal use? Do I need to supplement with other tools?
Something like I certainly do.
Yes. And so we get to the question of, is this economically viable?
And I really feel like so many people just think about this wrong.

(26:57):
They think, oh, well, this is only just for my home use. And it's like,
yeah, but it's your bank account.
You know, it's your identity. How many people do their tax return on their home computer?
I mean, how many people are interacting with their bank account and their bills
and their credit card and all of their personal photos and their personal files?

(27:20):
I mean, these are, you know, the family jewels.
I would think that they would be looking at this and going like,
well, I really need some enterprise grade protections here because that's how I think about it.
I'm like, how much time am I? Go ahead. As a normal everyday person,
I was guilty of this before.
I had no idea that all these threats existed that I was completely naive to

(27:47):
just go on Amazon, buy a monitor, buy a USB charger.
Who cares where it came from? Not even looking at the seller.
Did they just open a shop? No idea.
Just purchasing because, well, I have no idea the risks that are out there.
I don't know the big bad wolves out there. I do now.
I think a lot of people don't know or they don't care to know.

(28:08):
Yeah, brands definitely matter. I mean, I would only ever personally purchase
a SanDisk or a Western Digital.
That's it. And there's reasons for that.
And the brand matters.
For me, the whole thing around that is that I think that their firmware process
is done really good and it makes those devices harder to hack. So that's cool.

(28:31):
Well, we're out of time. Thank you so much for joining me.
I hope that you will come back and ask me some more of these questions because
I think your questions are fantastic.
Oh, absolutely. I promise I have a lot more for you. Okay. All right.
Talk to you next time. All right. Thank you. Bye.