
May 2, 2024 28 mins

In this episode of Breakfast Bytes, vCISO Felicia King of QPC Security uses dark web data as a worked example of how such data can be leveraged. She describes how operational maturity can make an organization more competitive, lower its risk, and improve collaboration, culture and employee retention.

She explores why acting on relevant, specific data matters more than simply having it available. Learn how the combination of constant training and the right data can reduce risk and add value in a business of any size. These methods are practical for large and small organizations; QPC has deployed these tools and methods for organizations as small as one user.

This episode walks through potential uses of dark web data, including data traded on platforms such as Telegram, and how they feed better risk mitigation strategies. Felicia shares the hands-on practices adopted for her own clientele. She emphasizes empowering end users by presenting them the relevant information at the moment it is actionable. By fostering a culture of consistent training, businesses can improve operational efficiency and employee satisfaction while reducing conflict.

The episode also stresses a culture of shared responsibility that makes risk management more cohesive and less confrontational. Responsibility for technology risk does not rest with the CEO alone; it is delegated to, and actively owned by, the CTO, CIO or CISO.

With the advent of affordable cybersecurity training platforms that include dark web monitoring, organizations can lower the risk attributable to their exposed data. What makes the real difference is how those platforms are used. The episode discusses at length the gap between compliance and security, and the need for proactive, contextual security measures.

Discover the significance of a cultural shift, with due attention to training, policy enforcement and personal responsibility, in maintaining information security. Well-informed staff equipped to deal with issues in real time not only boost productivity but also help contain IT costs. Tune in to this episode for dark web data, risk management, and securing a technology-driven business.
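The two checks the episode describes (act only on dark web hits for identities that still have an enabled account, and raise an urgent alert only when a leaked password matches one the user currently stores, compared inside the user's own vault rather than by the IT department) can be sketched as triage logic. The Python below is an added example written for this page; it is not QPC Security's tooling or any vendor's product. The breach feed, directory and vaults are constructed sample data, and the prefix-range lookup is an assumed design in the style of the Pwned Passwords k-anonymity API, used only to show how the comparison can stay local to the vault.

```python
import hashlib


def sha1_hex(password: str) -> str:
    """Upper-case SHA-1 hex digest, the form many breach feeds publish."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed sample feed for this example; nothing here is from a real leak.
# Each entry pairs the exposed identity with the hash of the leaked password.
BREACH_FEED = [
    {"email": "alice@example.com", "sha1": sha1_hex("Summer2019!"), "source": "forum-dump-2019"},
    {"email": "bob@example.com", "sha1": sha1_hex("hunter2"), "source": "linkedin-2012"},
    {"email": "carol@example.com", "sha1": sha1_hex("P@ssw0rd"), "source": "paste-2024"},
    {"email": "dave@example.com", "sha1": sha1_hex("letmein"), "source": "paste-2024"},
]

# Constructed identity directory: who still has an enabled login.
# Carol left the company; Dave never had an account at all.
DIRECTORY = {
    "alice@example.com": {"enabled": True},
    "bob@example.com": {"enabled": True},
    "carol@example.com": {"enabled": False},
}

# Constructed per-user vaults: the passwords each user currently uses.  In a
# real deployment the plaintext lives only on the user's device; IT never sees it.
VAULTS = {
    "alice@example.com": {
        "ats.example.com": "Summer2019!",            # still using the leaked password
        "crm.example.com": "correct horse battery staple",
    },
    "bob@example.com": {
        "linkedin.com": "Tr0ub4dor&3-rotated",       # changed after the 2012 leak
    },
}


def identity_hits(feed, directory):
    """First system: keep only hits whose identity is still an enabled account.
    Returns {email: [source, ...]} for awareness training, not for IT tickets."""
    hits = {}
    for entry in feed:
        acct = directory.get(entry["email"])
        if acct and acct["enabled"]:
            hits.setdefault(entry["email"], []).append(entry["source"])
    return hits


def range_lookup(feed, prefix):
    """Provider side of an assumed k-anonymity query: return the suffixes of
    every feed hash starting with a 5-character prefix.  The provider never
    receives the full hash, let alone the password."""
    return {e["sha1"][5:] for e in feed if e["sha1"][:5] == prefix}


def vault_compromised(user_vault, feed):
    """Second system, run inside the user's vault: which stored passwords,
    hashed locally, appear in the feed?  Returns the affected account names."""
    compromised = []
    for account, password in user_vault.items():
        digest = sha1_hex(password)
        if digest[5:] in range_lookup(feed, digest[:5]):
            compromised.append(account)
    return sorted(compromised)


def build_notifications(feed, directory, vaults):
    """Per-user, self-service notifications: an awareness item when the identity
    appears in a leak, and an urgent rotate item naming each account whose
    current password is exposed.  Disabled and unknown identities get nothing."""
    notes = {}
    for email, sources in identity_hits(feed, directory).items():
        notes.setdefault(email, {})["exposed_in"] = sorted(set(sources))
    for email, vault in vaults.items():
        if not directory.get(email, {}).get("enabled"):
            continue
        exposed = vault_compromised(vault, feed)
        if exposed:
            notes.setdefault(email, {})["rotate_now"] = exposed
    return notes


if __name__ == "__main__":
    for email, note in build_notifications(BREACH_FEED, DIRECTORY, VAULTS).items():
        print(email, note)
```

Run as written, Alice gets both an awareness item and an urgent instruction to rotate the applicant tracking system credential, Bob gets only the awareness item because his password was already changed, and Carol's stale hit is dropped because her account is disabled. The two decisions that the episode calls out, account still enabled and password still in use, are the only things that turn feed data into an action.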

Check out our supporting article on getting value from dark web data.

https://www.qpcsecurity.com/2024/04/25/dark-web-value/

Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
Good morning. You're listening to Breakfast Bytes, and I'm Felicia King.
On today's show, I'm going to talk to you about dark web monitoring data and
what relevance it has to risk management to your organization.
And I frequently cover these sorts of topics where certain individuals will

(00:22):
engage in irrational descriptions of,
you know, fear-laden things like telling people that,
oh, you have to have all this dark web data monitoring and na-na-na-na-na-na.
And it's like, my position on it is that it's all about the paradigm.
Having the data doesn't really help you if it isn't specific,

(00:45):
relevant data, and if it isn't designed into a workflow that's actually directly
actionable for the business and staff in the business to be able to truly use
it in a cost effective manner to reduce risk.
So let's talk about that.
You know, having data, any kind of data, isn't terribly useful.

(01:09):
It's a matter of what are you doing with the data. So I think when you're thinking
about dark web data and other things such as maybe data that's on Telegram,
then it's really important to talk about how you might utilize that data.
And that's what I'm going to go into here.
So this whole discussion kind of originated from

(01:33):
some other IT service providers were asking me whether or not I thought there
was a market or an interest in the business community for things such as monitoring
Telegram for dark web data.
Well, okay, at a high level, what is Telegram?
Telegram is basically a social networking communications and data exchange system

(02:01):
that is perceived by many to be so secure that they're comfortable using it.
All right, that's the best way of describing it.
I don't use Telegram myself, and I'm not going to make any opinion about Telegram
other than I don't feel any compelling need to use it. Okay.

(02:22):
Apparently, some forensic incident response companies have actually found bad
guys exchanging data on Telegram.
And so the question came up, well, is this something we ought to be monitoring for?
And is this a service that should be offered to clients? So I'm always,

(02:45):
as a CISO, I'm always very interested in how do we empower the end user?
How do you put forth a solution for a customer that empowers each and every
one of the people in their organization to be part of the information security

(03:06):
risk management of that company?
You know, how do you empower people? Paying another external party for a service
is not as good as getting that data when it's very specific, very tangible,
very actionable, right into the hands of the end users themselves specifically.

(03:32):
Specifically, at relevant times and in user-friendly, accessible ways,
so that the ways in which they could be aware of the risk, and the
things they can do to manage that risk, are very directly actionable by them.
So I'm a huge proponent of empowering users, educating them,

(03:57):
making them self-sufficient, and really driving that organization to operational
maturity to enable every single individual in that organization that has a computer
login ID to be able to be part of the solution instead of the problem.
Part of this is coming from a paradigm of 30-plus years of experience that information

(04:24):
security risk management, it's not an IT problem.
It's actually an HR management problem. I mean, over 90% of the problems that
I observe most of the time are people problems.
And it's organizations not having policies or people not following policies,
organizations not having processes or people not following processes.

(04:48):
People not understanding what other people's roles and responsibilities are in the organization.
People not having training on how to appropriately or efficiently utilize the
technology that the organization has.
So I recently observed that across our client base,

(05:09):
probably most of the staff is only utilizing the technology that their employer
pays for to maybe about a 50% efficacy level.
Well, how does that gap get closed, right?
How do people utilize that data better, those tools better, more efficiently, right?

(05:32):
So bottom line is, how does the company get more value for what it's already invested in?
And that investment is the payroll of the people and the technology that the people use.
The answer to that is really twofold. First, to create a culture that says that it's OK to do training.

(05:52):
In fact, to establish an education or an expectation that staff will allocate
a certain amount of time per week to do training.
I don't want to see an allocation per year. Like, oh, we're going to send you
to one training class per year.
As an approach, I really haven't seen that work. What I have seen really move

(06:16):
the needle on everything, whether we're talking information security risk management,
gee, how do I use the phone system? How do I use the password manager?
What is the policy for this? How do I more effectively collaborate with others?
Whatever the heck it is, having a culture of doing training once a week,
that moves the needle. It absolutely moves the needle.

(06:39):
But that culture has to be accompanied with enforcement.
So I just said two things, right? I said, create a culture of where training
is accepted and promoted.
And two, HR needs to enforce that.
Very, very cost-effective for even the smallest SMB.

(07:03):
Let me just say three employees.
Very, very cost-effective for them to have access to excellent training platforms
that are self-service for staff on pertinent technologies on demand.

(07:24):
So, creating a learning curriculum of their own, or a particular line manager,
a team manager, may designate a specific training curriculum for their team.
This now establishes a method of being able to onboard new employees and get
them up to speed as quickly as possible.

(07:46):
It makes it easier on HR managers to be able to set expectations.
It lowers IT costs. It raises employee satisfaction.
It reduces employee frustration because they're having difficulties with the
processes of the organization or the technology the organization,

(08:06):
or whatever else is covered.
And this isn't just about information security risk management.
You could and probably should have things in there like sexual harassment training.
What about customer service training?
What about effective writing training? What about just simply having a mechanism
whereby you may come up with a new policy as a business on something like,

(08:31):
what are we going to do with AI? Is it acceptable to use ChatGPT?
When, or with what kind of data, is it acceptable or unacceptable for us to use ChatGPT?
Okay. How do you then get that messaging out to your entire team?
And how do you affirm and validate that they have participated in training sufficiently

(08:56):
and that they have accepted the required policies on at least an annual basis.
Okay, so a lot of this stuff that I'm talking about are operational maturity factors that,
are so incredibly valuable. And yet now, with today's technology,

(09:19):
is also so incredibly accessible to even the smallest of organizations,
like literally as small as three users.
We even have some circumstances where a single user environment wanted the solution,
and we obviously enabled them to have it.
So that's super duper important because I went to this realm of talking about

(09:44):
the education piece and that culture because this is pivotal to being able to
have an organization as a strategy reduce its risk,
manage its risk, and to the most cost-effective manner, utilize the data that it already has.

(10:05):
Okay, so let's pivot back to this practical example of dark web data on Telegram.
So that would really be data such as like, these usernames and passwords are compromised.
They're known to all the bad guys in the world.
And now this is risk to the organization. So, what

(10:27):
I've actually quite successfully done at
our client base who wishes to have this level of operational
maturity is we've implemented systems that present the relevant data to the
end user at the time that it's relevant. Two examples.

(10:51):
Let's talk about the first example of there's some dark web data that is specific
to that end user, and that end user still actually has a valid account in the company system, right?
So I don't care about somebody who hasn't been part of the business for the last five years.
That identity doesn't exist anymore.

(11:14):
Sure, you could make an esoteric argument that says that that data existing
out there presents some level of risk to the organization.
Sure. But this is all about return on security investment.
So how much effort would you have to do to be able to put in to get any sort

(11:38):
of even an assessment as to whether or not there was risk there?
I'm not looking to add more IT consulting expense.
I'm not looking to add more burden on internal IT or internal audit.
I'm looking to empower end users to have specific, direct, actionable information.

(12:04):
And then I'm trying to empower HR managers to be able to validate that their
staff is being effective with those approaches.
So again, let's talk about these two systems I'm talking about.
In the first realm, there's a system that looks for this dark web data,

(12:25):
and it looks at a specific user and it says, is this actually a valid account
enabled in that organization still?
Because if it's not a valid enabled account, well, what exact risk exists?
If it's compromised credentials, but the account doesn't exist anymore.

(12:49):
Well, those compromised credentials are not going to get you anywhere.
You can't do anything with them.
So where exactly is the risk? I don't think it's there.
So the first line basis, you know, looks for dark web data, you know,
there's this, this, and this type of compromised data or data sitting on dark
web about this person with this email address.

(13:11):
And that could include credentials, it could include compromised medical data,
could be personally identifiable information, could be a number of things.
So first off, let's present that data to the end user.
And then, depending upon what's found, present them
training that teaches them how to overall, not only in their work capacity,

(13:38):
but in their personal life as well, to manage that risk.
So first, let's do things, let's learn how to do things better in a new way
so that we can minimize the risk of these bad mojo things happening in the future.
And let's at least make sure that we're more aware of the ways in which bad

(13:59):
guys might leverage the existing compromised information to be able to attack
you in the current time frame.
These various things, and then also to help raise the awareness of that person
about what they can do on the work level and the personal level to become a harder target.

(14:23):
All right. So that's all very empowering, very, very low cost to the organization.
And it's darned effective.
The more educated all staff in an organization can become about understanding
that information security and physical security, for that matter,

(14:48):
that's not an IT problem.
That's an everybody problem.
And that's culturally a massive problem that I find across the board is this
concept that, I mean, you see it most prevalently, it seems like,
in sales and marketing, where sales and marketing,
you know, like we're on a hot deadline and we want to get to this trade show,

(15:09):
or we have this marketing campaign that we want to get out on this time frame,
or we have this webinar that we're going to do or whatever that particular effort is.
And they have a specific deadline for it and they're trying to meet that deadline.
And they see anything that slows them down as a business impediment.

(15:31):
And 98% of the time, they're
not interested in having patience for or understanding that their activities
may actually be introducing unmanaged risk into the organization.

(15:52):
So I just want to clarify that there's a pretty substantial,
I mean, like a tectonic level of difference between something that is break-fix.
Like, you know, I've been doing this for the last five years,
I've had this functionality for the last five years, and now today it doesn't work.
That is completely different than something that says, oh, I decided to go do

(16:15):
shadow IT and I signed up for this new software as a service platform.
Well, that's shadow IT.
Whether or not the VP of sales authorized that, or some other executive management authorized that,
that doesn't mean that that's authorized with regards to the third-party information
security risk management policy or a risk management policy of any shape, size, or flavor.

(16:41):
The CEO of the company is actually not in charge of IT security.
The reason is because that's not their wheelhouse.
That responsibility for the policies and protections of technology and the risk
management of technology that has been delegated to the CIO,

(17:04):
the CISO, or the CTO in an organization, and sometimes all three as a team.
So the actual conversation about,
I want to use this new marketing automation platform. That needs to be happening
with the person who's in charge of information security, risk management,

(17:26):
and technology at the organization.
I'm not saying don't talk to the CEO about it. I'm saying that simply having
an authorization from the CEO to go do something is not actually an operationally
mature nor secure process.
When the culture of an organization is established that everyone,

(17:48):
everyone must be part of the risk management process of the organization.
Then these discussions are so much less adversarial and much more collaborative.
And I would really encourage you to establish an operationally mature culture

(18:10):
of your organization because no one is better off with regards to any sort of toxicity or drama.
Nobody wants it. Drama is a productivity killer.
So if we can establish a paradigm that says, let's work collaboratively together

(18:31):
instead of thinking that IT is the opposition,
you're going to be in a much more competitive position than your competitors
because your team will holistically be able to execute faster for lower cost.
Probably with higher quality because you're getting the intelligence of more

(18:52):
people involved to get to the outcome you're looking for.
This is no different than you may have an internal finance person,
but you probably use an external tax preparer.
There's always going to be this collaboration between your external experts and your internal team.

(19:15):
And undoubtedly, a better outcome is arrived at by leveraging the knowledge
of all of the experts available to you that are pertinent to the technology
or pertinent to the tax code or pertinent to the transaction,
whatever it happens to be.
Okay, so I talked about basically two

(19:37):
key elements here with regards to how do we use data on the dark web to really
meaningfully decrease risk for an organization at an incredibly low total cost of ownership.
So first off, I talked about this, like a cybersecurity awareness training platform,

(19:59):
for example, that monitors that dark web and it says, is this user active?
And if they are an actually enabled active user, present that information to them at next logon,
make them aware of the data so that they can assess their risk objectively at
a personal level and from a work perspective.

(20:20):
And then they can also take the training that is the dark web risk management training.
And then HR managers can know that they have completed that training successfully
because there is an evaluation test through the system.

(20:40):
And this is all fully automated. So the other
piece that we love to employ is one that delivers data directly to the end user
associated with a credential that is currently in use that has a compromised password.

(21:01):
So key element, what I'm saying here, listen carefully to this distinction.
It isn't the fact that there's just some compromised credentials available on the dark web.
If somebody has had compromised credentials from the 2017 LinkedIn breach,
but they've changed their credential
and they've enabled multi-factor authentication, well, who cares?

(21:26):
That LinkedIn breach, while sure,
data like PII data got compromised, it no longer presents a credential risk
because the password has been changed and multi-factor authentication has been enabled.
So pretty much everything that is reasonably feasible to do with regards to

(21:48):
mitigating the risk of that particular credential compromise has already been effectuated.
So what is not an effective paradigm or process is one where that dark web data
goes to the IT department, and then the IT department is somehow supposed to
do something with it. I mean, it's just, it's preposterous.
It's totally ineffective. We don't use that approach at all.

(22:10):
So instead, we use a system whereby the end users store their business-related credentials
in a company-sanctioned, extra-high-security password management utility.
And they do that in accordance with company policy and company training.

(22:33):
This is where the HR component and the training comes in.
The ability of that tool to tell an end user that a password that
they are currently using has been compromised and is known on the dark web, well, that
is a hundred percent based upon whether or not that end user was following company

(22:55):
policy by storing the credentials for their various accounts in the company
sanctioned password manager, right? So if you, as a company, are providing a company
sanctioned password manager to your employees,
but you do not enforce the employees using it and using it properly,

(23:18):
then it isn't going to have the desired effect.
Then all that you have is compliance theater.
Sure, you can check the box on your cyber insurance application that says,
yep, we have a company password manager.
But you know what you don't have is you don't actually have security.
Compliance is not security. And certainly compliance theater is not security.

(23:42):
And it isn't security by itself; without it actually being in the right paradigm,
it is not real risk management.
So as a CISO, the approach that I like to use is one where people are trained,
people know what the policy is, the line managers, team managers, HR managers,

(24:04):
they all know and they promote the same culture of education.
Self-service, personal responsibility, and to be part of the solution,
not part of the problem, right?
They support all of those and they regularly advocate that in their company culture.
And then the end users are able to know, utilizing the provided technology,

(24:27):
that, oh, oh, there's this applicant tracking system as an example.
And my credential for that applicant tracking system happens to be compromised.
Uh-oh, that's a problem. Well, they would only really know that that credential
is compromised if they were actually storing the current credential in their

(24:50):
company password manager.
And in that case, then the artificial intelligence that runs directly and only
on the inside of that local instance of the company password manager is able
to compare the data feed from the service provider associated with this is the
stuff that's on the dark web,

(25:11):
and it will compare it against the locally stored credential that's inside of
the password manager vault system.
Now, this is super important that you understand.
I am absolutely not saying that the IT department or anyone else in the company
has awareness about what the password

(25:32):
is to that account because the credential is stored in that vault.
That isn't the case. The information in that vault and the design of the password
manager are secure and segmented with the specific intent of keeping that to
an individually scoped level,
but still providing transferability in case of the need for business continuity.

(25:55):
So there really is no adverse impact whatsoever of storing the credentials in
there. Okay, there's none.
And it delivers the opportunity for the end user to be presented a real-time notification.
So, it delivers that real-time notification to the right person that a currently

(26:18):
in use active valid credential has been compromised.
It presents it directly to that
end user so that they can take direct and urgent action on that finding.
They can do it fully self-service with no need to put in an IT support ticket.

(26:39):
Furthermore, because they're so able to quickly change their credential and
update their MFA methods on that account and they've had the proper prerequisite training,
they literally can solve this problem for themselves faster than it would take
them to put in an IT support ticket, right?

(27:01):
I really can't stress that enough to you.
If you can empower the staff at an organization to securely self-service the
majority of the challenges that they have,
especially risk management issues or things that you need the end users to risk

(27:22):
manage in order to protect the posture of the organization,
that is so incredibly powerful and it's so incredibly cost effective.
And I think it actually makes an organization much more financially competitive.
It makes the end users happier because they're able to resolve their own issues
and your IT costs go down and people are able to focus more on productivity

(27:45):
because it's no longer some sort of a dramatic issue that it's going to take their time to resolve.
Because like I said, they can fix a lot of these issues in as much time as it
would have taken them to put in an IT support ticket.
But this only happens if the management team in the organization establishes a culture of training

(28:08):
and personal responsibility, and sets and enforces policies around how staff must
be part of the information security risk management posture of the organization.

© 2025 iHeartMedia, Inc.