Risky Business Part 1

October 30, 2020

 

Guests

Paul Simmonds, CEO at The Global Identity Foundation

Hart Brown, Risk Management Leader and ethical hacker

 

Description

To round out Cybersecurity Awareness Month, we bring you the first episode of the 2-part Engage cybersecurity spotlight series, “Risky Business”. In a period marked by a sharp rise in cyber attacks, just last week the US Cybersecurity & Infrastructure Security Agency issued an alert around ransomware activity targeting healthcare and the public health sector. To get an expert’s insight on the new threat landscape, hosts Kelly Lawetz and David Chauvin welcome career Chief Security Officer, Paul Simmonds, as well as Risk Management Leader and ethical hacker, Hart Brown, who introduces a unique perspective on measuring and mitigating risk. We hope you can join us.

 

Transcript

DAVID CHAUVIN (HOST): Welcome to Engage, a Genetec podcast.

  

"Are you frightened? Yes, I know what haunts you!"  

  

KELLY LAWETZ: It is one of the biggest threats to your online information.   

  

DAVID CHAUVIN: If you thought ring rates were scary, try this out for size.   

  

KELLY LAWETZ: Every 11 seconds, a business somewhere falls prey to a cyberattack, adding up to an estimated 20 billion price tag in 2021.   

  

DAVID CHAUVIN: Imagine large-scale criminal organizations responsible for the bulk of ransomware attacks globally. They operate a bustling business more lucrative than the entire global illicit drug trade. I'm David Chauvin.  

 

KELLY LAWETZ: And I'm Kelly Lawetz. And this is Engage, a Genetec podcast.   

 

DAVID CHAUVIN: To wrap our Cybersecurity Awareness Month series of articles and posts, we'll be taking a look at the new threat landscape, the expanding attack surface for cybercriminals, and the strategies that businesses can employ to mitigate the risks.   

  

KELLY LAWETZ: In the first half of the show, I'll be speaking with career CEO and founder of the Global Identity Foundation, Paul Simmonds, and get his take on the dire risks of relying on perimeter protection and the benefits of zero trust.   

  

DAVID CHAUVIN: Then we'll turn the discussion to the complex art and science of cybersecurity risk management, with risk modeling expert and certified ethical hacker Hart Brown of the consulting firm R3 Continuum.   

 

Interview with Paul Simmonds   

 

KELLY LAWETZ: But first, my conversation with former AstraZeneca CEO Paul Simmonds. In a recent survey conducted by Genetec for our annual State of the Industry survey, only 30 percent of respondents cited cybersecurity as a priority. So, I started by asking Paul what he thought of that stat.   

  

PAUL SIMMONDS: I would have said that's pretty normal. If you speak to the board and get the board to rate what the risks are, generally, yes, cyber will be there. It'll probably be about number five or six. And as we all know in business, really only the top three get real attention.   

  

KELLY LAWETZ: So why do you think cybersecurity is not getting the attention?   

  

PAUL SIMMONDS: People don't get it until they get hit with something big. It tends to take a big shock to wake people up to the risk. So, people don't perceive it as a risk. So, when you look at the other dangers that businesses face, quite often, it doesn't deserve a rating in that top three. Unless you get a ransomware attack that takes your entire business down, but then what is the, you know, businesses and undoubtedly senior managers and the board go? Well, yeah, but what is our actual probability of that happening? And because you can't quantify that, it's complicated for them to perceive the risk.   

  

KELLY LAWETZ: Most enterprises are in the process or have moved their operations and applications to the cloud. Is there such a thing as a security perimeter in a cloud-based world?   

  

PAUL SIMMONDS: I think people would like to tell you there is, but in reality, no, there isn't. And there hasn't been. I mean, there hasn't been a security perimeter for a long time for probably 95 percent of companies. I mean, that's what Jericho was telling you nearly 20 years ago, certainly 15 years ago. You still need to keep out the lump-sum, the Internet. So, the script kiddies, the junk that is just traveling the Internet on a day-by-day basis, that you need a coarse filter for most corporations of some description. But as an actual security perimeter, it doesn't exist. It does not. The trouble is that many companies are still operating with insecure machines assuming that it's inside my frame; therefore, it's okay. So, they move to that, and that's why they're getting hit. That's why when the bad guys get inside, and the bad guys will get inside, that's relatively trivial. Well, when they do get inside, they will then attack this and that and everything that's out there. And, yeah, you will get infected if the ransomware gets in. Will it spread inside your organization? Of course, it will because they're still operating with the mentality that it's more secure if it's inside my perimeter. I wouldn't say it's secure, but the mentality is it's safer inside my perimeter. But that premise went at least ten years ago.

  

KELLY LAWETZ: Can you take us through the evolution of identity and how it's been used to manage access to IT systems?   

  

PAUL SIMMONDS: Yeah. So, way back when you begged enough and filled in enough forms, you got an account on the mainframe, and the mainframe was a god with a small g, but IT access treated it like that. And if you were lucky enough, you got this account. And so, you signed your life away to get an identity, a user account on the mainframe. And then, of course, you know, history says what came along was minis and micros and eventually PCs. And as the proliferation started, people started to realize that it was mainly Sun driving this. Sun Microsystems began to realize that this was a very inefficient way to do things. Let's create a user account once you dedicate a machine to looking after that user account and then passing that to the other 15 or 20 minis that you've got sitting in your organization. Then you need Data Management 101 money, manage one bit of data in one place as authoritative. The problem is that it worked fine when you had 20, 30, maybe 50, even 100 machines. The problem is, you know when I was CEO at AstraZeneca, we had one hundred and thirty-eight thousand devices connected to our internal network. It does not scale on that account. Why? Because it's a risky thing. IT says I am Paul Simmonds, so IT manages the active directory in most people's cases because we were a Microsoft shop. So, I log in to the active directory username and password, and IT takes he might be Paul Simmonds because he's got his password correct. So, there's a high probability he's Paul Simmonds, but we can't guarantee it. And Active Directory turns into a binary is Paul Simmonds and passes that binary on to hundred and thirty-eight thousand other devices inside the organization. It doesn't matter whether that device gives me the lunchtime menu or access to the corporate results going to the city because the risk profile on those data is different. Therefore, you have to ask. 
One of the fundamentals with identity allows the system to give me the data and make a risk-based decision about Paul Simmonds. So, if it's the lunchtime menu, do I even need to tell you I'm Paul Simmonds? Just give it to me because it's just the menu of what's in the canteen at lunch. If it's going to the city, it's corporate results, a large corporation's most valuable piece of data because it affects share prices. The system has to be sure that the confirmation is along the lines of, yes, it's Paul Simmonds, but also, yes, he's a member of the board. Yes, they are physically geo-located inside corporate headquarters. Yes, they are on a corporate machine. There's a whole bunch of other identity factors, the identity, the device, the geolocation of the person, et cetera, et cetera, et cetera. And you need all of that information to say, yeah, okay, fine, we're happy enough to take the risk of giving them that information.

  

KELLY LAWETZ: So, how are corporations doing today? Are they applying any of that?   

  

PAUL SIMMONDS: You know, very few are. Some of the more enlightened companies are doing bits of it. Still, there aren't the standard interfaces to do that level of granularity without an awful lot of custom work. And ultimately, most corporations and Microsoft shops say, well, the active directory is good enough for us. Thank you very much. Some of that's being built in an interactive guide by Microsoft but not to the extent we need to do it properly in a corporation, let alone globally.   

  

KELLY LAWETZ: Can you take us through the principles of zero-trust networking and zero-trust identity?   

  

PAUL SIMMONDS: Yeah. So, zero-trust is straightforward based on it is starting with that deperimeterization concept because that's where it came from, which is the border is ineffective as a security perimeter. So, therefore, you have to throw that away as an assumption and do something differently. In other words, operate with zero trust of the fact you're on a corporate network. So that's what it started as. There are many solutions out there, and there are companies that will tell you about my product and solve all your zero trust problems. Now, that is 100 percent BS. Just like everything else in security, there is no silver bullet. It is a question of looking at your architecture and saying, what are my business problems? What do I need to do? How do we accomplish what the business needs to do securely without assuming that somehow, we are secure inside our perimeter? Those companies who have done that already have it paid off in spades with the pandemic because guess what? We're all operating outside the corporate world. And my favorite cartoon was a tick sheet that said I was your zero-trust strategy defined. And then the Pixar CEO, CTO, CISO, COVID-19. And, you know, like most jokes, the reality is because it's so true, most people's zero-trust strategy has been dictated by having to do something quickly because of COVID-19. So that's zero-trust and the deperimeterization and the challenge. And this is why it leads neatly to zero-trust identity because if you have everything outside your perimeter, two challenges remain for you. And the first challenge is how you manage data, your data, in an environment you can't control? The second one is, how do you manage identities in an uncontrollable environment? The first one is getting pretty well taken care of. Many people are working on it, from products you can buy to research on homomorphic encryption and lots of other stuff. The more significant challenge is how do you manage identity in an uncontrollable environment?
Some of the acid tests are actually how a US entity or a British entity trusts an anonymous Chinese identity trying to access the system? In other words, zero-trust. I have no confidence whatsoever in the entity that is trying to connect to me. That entity might be a person; it might be a system; it might be a device. I have no trust whatsoever. So how do I up my trust level to the point that I can trust it to let it have access to do what it's trying to do? And that's the principle we're working on and solving. I'd like to think about what we're doing with Global Identity Foundation.   

  

KELLY LAWETZ: Can you tell me more about what you and the Global Identity Foundation are doing to manage those risks around identity?   

  

PAUL SIMMONDS: Yeah, so simple, and it goes back to some of the principles we've briefly discussed already, which is how much do I trust? So, first of all, you have to throw away this concept and fixate on users, people, and identity. The first thing you have to understand is that people are just one of the five entity types out there, so we talk about entities rather than people. So, you've got people, you've got devices, you've got organizations, you've got code. And they include self-protecting data. Self-protecting data is also code. And you've got agents and agents, and everyone gets what their agents think of an agent. Like, you know, when I lived in the corporate world, I had a PA, and I had agency over my corporate calendar to put meetings on my behalf. They had access to my corporate credit card to book hotels and flights. So, it's an entity that has agency. So, I have agency over my under 18-year-old children, for example. Of course, as we get into the future, the agency will become more critical because we're already seeing the genesis of agents out there like Siri, Google, and various others. So, agents, they're the fifth entity type. And the key here is just as humans do, is do you understand the context. This is turning identity on its head; how do humans do identity and trust? Because ultimately, it's trust and risk are what we're talking about. And the answer is we do context. So, we look at what someone is trying to do and the context they're trying to do it.   

  

KELLY LAWETZ: Last question, what are your thoughts on buying cyber insurance and the fact that most policies include paying for ransomware?   

  

PAUL SIMMONDS: I mean, it's that fundamental principle of do you pay a ransom, full stop, I mean, and it doesn't matter whether it's a captive held by the Taliban or your data held captive by the bad guys in, you know, somewhere strange in the world that you can't identify. The principle is we do not pay the ransom because you shouldn't pay the ransom. After all, all that encourages them to continue doing it. Suppose I was listening to this and getting hit next week by ransom. In that case, I'd talk to the professionals because there are some fantastic resources out there to get your data back without paying. Some great decryption tools are all publicly available if you know where to look. So that's number one. Yes. Cyber insurance. I am unconvinced about cyber insurance, except for needing to pay the ransom. I think the insurance industry does not understand cyber because they put too many riders in for what is excluded to protect themselves. And when push comes to shove, and you need to claim, you go. We can't argue because of this, this, this, and this. I've had malware inside my organization. We've now found out because it's now reared its ugly head. But, when we look at it and look at the logs and go back and we get the experts to look at our records, it's been there for the last two years, which is not unusual; generally it is about 18 months. And the insurance guys go, well, hang on a second. You know you took this policy out 12 months ago. It was inside your organization 18 months ago. Forget it. We're not paying out. They'll find a way. I mean, you know, people find this significantly, you know, in America with health insurance. It's deny, deny until the point that you can, you know, you have to force your case. The possible exception is paying a ransom. Suppose it comes down to that, if that is the only way to get your data back again.
But again, it's one of those things that if you've got a good CSO and a good, you know, management team, you have gamed those scenarios already. Suppose you haven't gamed those scenarios, and you're an executive listening to this. In that case, the one thing you should be talking to your security team about is running an exercise inside your business. A practice where you get a significant ransomware hit that decrypts or encrypts all your critical data, and you can't get it back. So, what are you going to do? Because when it happens, guess what? The guys who have delivered that ransomware have put you on the clock. That ransom is going up on a half-daily basis, it being the Halloween season.

  

KELLY LAWETZ: I think we'll end on that scary note. Yeah. Paul Simmonds, thank you so much for taking the time to speak with us today.

  

PAUL SIMMONDS: Welcome, Cheers.   

  

Interview with Hart Brown   

 

DAVID CHAUVIN: In a period marked by an uptick in cyberattacks, particularly ransomware campaigns, the victims may not be surprising. Just this week, the US Cybersecurity and Infrastructure Security Agency issued an alert around ransomware activity targeting health care and the public health sector. Core to the tactics is exploiting the urgency of medical test results to extort payment. At least one death in the US has already been attributed to this. Additionally, the coronavirus and speed for information created a field day for cybercriminals to drop malicious payloads into networks. This brings us to our next guest.

  

HART BROWN: This is Hart Brown, senior vice president of R3 Continuum, a psychologically-based crisis management firm. I've now been in space crisis management, security, cybersecurity for the last twenty-five years.   

  

DAVID CHAUVIN: I started by asking Hart if he thought the private and public sectors were doing enough to mitigate the risks of costly cyberattacks.   

  

HART BROWN: The simple answer, and it's easy to say this, the simple answer is no. Right. And why can I say that? Why? Because we see increased numbers of potential attacks. We're seeing increased numbers of those attacks being successful against organizations in complicated situations. So that's the simple answer is, have we done enough? No. Then the next question is, what does that mean in today's environment where you have competing stresses, risks, and interests from a public health perspective and cyber privacy perspective? There's a lot of things playing out at the same time. So, there will need to be at some point in time once we get past potentially this immediate risk of the public health crisis. Indeed, with a public health crisis, we need an increased amount of public health-related information campaigns. From a behavioral standpoint, we refer to them as nudges. We're trying to nudge necessarily people to make better choices. So, we will need to have a public campaign about cybersecurity to allow people to accept that we should and shouldn't be doing certain things in the digital environment.   

  

DAVID CHAUVIN: And so, talk about competing resources. A McKinsey report showed that 70 percent of CIOs forecast a reduction in cybersecurity budget in 2021 from their organization. Not because the organizations don't take cybersecurity seriously, but because all the budgets are going down. As you mentioned, these competing resources from an employee wellness perspective, those budgets are going up for obvious reasons and good reasons. But a lot of things are being shifted. Business, in general, is down, budgets are going down. And because of that, cybersecurity is one of those sectors that most decision-makers agree the budgets will be reduced. But, again, I put myself in the shoes of a state actor or a private hacking group. That seems like a fantastic opportunity to go in and attack, whether it's corporate espionage or to gather personal information on individuals. Are you scared at all of that statistic?

  

HART BROWN: You know, none of that is a surprise. Unfortunately, we can see that this plays out day by day. I think the challenge of the current situation with the financial and budgetary restrictions; it's not something we could do much about, at least for the following year. From our perspective, when we look at covid-19, we're looking at two to three years, likely to start from a risk reduction environment next summer with hopefully vaccination and treatments. Now, you overlay the virus behavior on individual behavior and economic behavior. Those timelines are roughly the same. So economically, we're probably not going to be fully back where we would all want to be for a few years. So, the budgetary pressure is just a natural part of the process that opens up, again, potential risks for adversaries, especially very sophisticated adversaries. What we've seen certainly and there's been a bit of migration, but we see attacks in school systems. It's a straightforward sort of low-hanging fruit from a hacking perspective because schools were never designed to be virtualized. They never really had the infrastructure to do anything like this. Now they've got an attack surface that's quite large, and immediately, schools became a relatively easy target for hackers. Then we attained seeing more of them, and they started becoming more serious. We've seen several events related to health care and hospitals compounding the day's issues with a public health crisis. Indeed, those that are now going after more and more of the research and development, the vaccines, those individuals or companies working on treatments, and we see attacks towards those. Now we see the subsequent migration. Are the attacks more towards the political system, and what's happening in the upcoming election? So many target opportunities for hackers during this time frame when budgets are reduced during that same time frame.   

  

DAVID CHAUVIN: I'm sure you watched the social dilemma.   

  

HART BROWN: Of course. What I want people to know is that everything they're doing online is being watched, is being tracked. Every single action you take is carefully monitored and recorded.

  

DAVID CHAUVIN: What did you think? Was it a bit too dramatic, or do you think the message was on point?   

  

HART BROWN: No. Look, you know, social media in general, especially now, as we all know, there's an uptick in the use of social media platforms. All of those platforms have challenges associated with them. And our ability to disconnect now is becoming harder and harder. We just can't leave things at the office and go home. So, we find ourselves utilizing these types of platforms and services on a twenty-four-hour basis. In many cases, looking for an affirmation or how many likes and clicks you can get. But we're constantly connected to these types of platforms, and I think it's just a natural issue of where we are today. But they do provide a significant opportunity and window for hackers and others to learn information about you. And we see those being put into more and more socially social engineering types of attacks.   

  

DAVID CHAUVIN: With more data being shared, whether it's because you have a smart lock at home or any other device that asks you for some of your data and the fact that now people are working from home using their devices because a lot of reports that came out from DHS, from FBI on a significant rise in cyber-attacks, phishing scams. And there was one report that showed that 47 percent of at-home employees fell for phishing scams due to what they call at-home distractions and kids running around. So, they're not; they're paying half attention. So, is there even though there's a significant risk for personal information being harvested and taken over? I assume you agree that it increases the risk and liability in businesses when at-home employees become four hundred percent more likely to fall for phishing attacks?

  

HART BROWN: And you see the same kinds of potential issues related to behavior sneak in here. So, when you're on a corporate network, you're on a VPN. You have a certain number of restrictions that typically an organization would abide by and hold on to close in office type of environment. So, you can't go to specific sites. You can't do certain things when you're in a home environment that tends to change. As you mentioned, you have distractions. You have children wanting you to look something up really quick, or you need to do something relatively quickly. And all of a sudden, if you can't, you don't see that you're able to do that on the corporate device. So, you'll start migrating to more personal devices. Then suddenly, you see more information being transferred to personal devices because it's not easy to do what you want at home on a corporate system. So absolutely, the distractions are an issue. It is a different environment. They're likely to do other things and add on top of that aspect of the pandemic. Now, when you see something come across your email or text and claiming to have information about covid or something important, you're more likely to click. So, during any major disaster, whatever that may be, there is a natural uptick in cyber-related activity to try and take advantage of people's weakness during that time frame.   

  

DAVID CHAUVIN: Recently, the concept of cybersecurity insurance has become more mainstream for enterprises. I know that's one of your areas of expertise. What's your opinion on these cyber insurance policies? Do they protect the right people the right way, or is it just something new? The trend in the insurance world is to jump on to a potential issue - potentially.   

  

HART BROWN: Like everything else, insurance policies are not all created equal. We might think they are: I buy home insurance, and I can buy it from several people and probably all the same. Well, that's not necessarily true yet. Very few people go through and read all of their insurance policies. So, from a cyber perspective, many exciting things are coming into that and have come into play. If an event occurs, you have immediate potential access to resources to forensic IT-related firms that can start assessing and addressing what's going on. Suppose there's been an exfiltration of data or something that may have occurred beyond that that requires, you know, regulatory announcements. In that case, these firms can help make those types of reports. So, you're not having to do this all on your own and figuring it out as you go. So, you get the surge of resources, you get those kinds of things. And then certainly from a liability perspective, if there are lawsuits and others against the organization now, these types of policies can come in and help support the related issues financially to liability. You know, all of those come into play. We're starting to see insurance companies establishing specific components of their policy that allow for organizations to improve their IT infrastructure post-event. So, there's money set aside for them to create those sort of improvement measures. So, there are a lot of things in there. The challenge with the policies and those interested in that space is conversing with your insurance company. And I always start talking about scenarios, don't necessarily dive into the complicated language of an insurance policy. Just start asking questions. What happens if what happens if what happens if? Will the policy respond? And getting those answers certainly will help you to make a better decision on who you potentially buy your insurance, your cyber insurance coverage with.   

  

DAVID CHAUVIN: Still considering the increased risk of people being remote and the significant increase in the number of attacks, companies need to protect themselves better. Is that an accurate statement?   

  

HART BROWN: There's no doubt. Based on where we are today, with the number of attacks and more people starting to say that I go back to data protection is becoming a human right there. So, more and more people are likely to be unhappy, upset with an organization if they don't do the right thing. And that tends over time to degrade trust, confidence, and leadership and create that liability issue, and reduce loyalty from a customer standpoint.

  

DAVID CHAUVIN: Great. Well, that's all I had. Thank you very much for your time. Any final thoughts that you want to share with our audience on risk crisis, on COVID, on cybersecurity, anything that's top of mind that you'd like to share?   

  

HART BROWN: The last thing I would just say, this has been a great conversation. Thank you very much. The last thing I would say is that what we're starting to see worldwide is a highly polarized type of situation for several reasons. And that polarization aspect starts to create anxiety and animosity between different groups on different sides of a potential issue. So, politics simply being one that we see right in front of us with that type of environment. We see there's no doubt there will be an increased aspect related to potential violence from individuals as it relates to unrest and others around the world. The following is that more and more groups are starting to become active in cyberspace and are using that cyber component rather than a physical component to go after organizations. And so that trend we certainly see for the next six months a very high risk for potential conflicts to arise. Indeed, within the next 18 months after that, the threat continues to increase depending on what happens. So, unfortunately, I know we have a lot of risks. We're dealing with a lot of issues right now, cyber being one of them. But I think you're going to see that cyber component, the problem related to conflict or cyber becomes part of it, indeed in the next six to 18 months increased dramatically.   

  

DAVID CHAUVIN: So, it's on us to be more aware of what we read, what we click on, and we try to influence - that, but accurate.   

  

HART BROWN: Absolutely!   

  

DAVID CHAUVIN: Fantastic. Well, thanks again for your time. This was a great conversation, Hart. I wish you the best and good luck over the next few months. I'm sure you'll be very busy with everything that's going on.

  

HART BROWN: Thank you, David. Appreciate it.   

  

DAVID CHAUVIN: Take care.   

  

Engage, a Genetec podcast is produced by Bren Tully Walsh; the executive producer is Tracey Ades, sound design is provided by Vladislav Pronin with production assistance from Caroline Shaughnessy. Engage, a Genetec podcast is a production of Genetec Inc. The views expressed by the guests are not necessarily those of Genetec, its partners, or customers. For more episodes, visit our website at www.Genetec.com on your favorite podcasting app or ask your smart speaker.