A Look Back at Foolish Security Policies of Past and Present

Are bad security policies of yesteryear bad just because we didn’t know any better at the time, or were they some bozo’s idea of legitimate security while the rest of us knew it was just security theater?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest is Dr. Diane M Janosek (@dm_janosek), deputy director of compliance, NSA and senior legal advisor for Women in Cybersecurity.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our sponsor, Code42

As the Insider Risk Management leader, Code42 helps security professionals protect corporate data and reduce insider risk while fostering an open and collaborative culture for employees. For security practitioners, it means speed to detection and response. For companies, it means a collaborative workforce that is productive and a business that is secure. Visit http://Code42.com/showme to learn more.

Full transcript

[Voiceover] What I love about cyber security. Go!

[Dr. Diane M Janosek] What I love about cyber security is of course the people who are totally amazing. But what I also love about cyber security is that it’s constantly changing, and constantly evolving, and so it just causes us all to keep learning. I just love learning. And so the flipside to that is you can’t rest on your laurels. You got to keep learning and learning. So, if you’re not a high learner and committed to constantly improving yourself, it’s not the field for you. But if you are, it is the best field ever with the best people.

[Voiceover] It’s time to begin the CISO Series Podcast.

[David Spark] Welcome to the CISO Series Podcast. My name is David Spark. I am the producer of the CISO Series. And joining me for this very episode, who you heard on the very, very first episode, probably not sounding nearly as good as we do now, it is Mike Johnson.

[Mike Johnson] It’s all because I have a better microphone, David. It’s all the microphone.

[David Spark] We talk about how amateurish we were…

[Laughter]

[David Spark] They’re still there for you to hear. And by the way, I also want to point out I edited the first two episodes. So, if you want to hear what good editing sounds like compared to bad editing, listen to the first two and then start listening to episode number three and on. And you’ll hear what good editing sounds like. We are available at CISOseries.com. This is just one of many programs we do on this show. I’m going to get to that in just a second. But I do want to mention our sponsor, who has been a phenomenal, phenomenal sponsor of the CISO Series. That is Code42. They are all about helping you with insider threats, and not the malicious kind predominantly but rather the non-malicious kind, which is really the major problem a lot of companies have. More about that later in the show. But I did mention that we have a lot of shows on the network. And if we timed everything correctly, Mike, tomorrow will be the first episode of the brand new show on the network.

[Mike Johnson] Oh.

[David Spark] It’s possible you will be… And I don’t know because I’m going to rope you in to be a judge. I don’t know if you know this yet, but I am roping you in to be a judge. It’s possible you may be on the show that’s going to drop tomorrow, too. I have no idea yet. But this show is called Capture the CISO, and what it is, it’s essentially Shark Tank. But instead of investors, it’s CISOs. And before the show actually is recorded, all of the CISO judges will have watched demo videos of the companies. And so they come to the show with already knowledge, prepared to ask questions of the reps of the different companies about their products. They will actually be grading these companies on three levels – is it innovative, does it actually fill a real need, and how easy is it to deploy. They’ll be rating on a scale of one to ten, and then we will pick a winner. And then the winner of the first three episodes will go to our final episode as well. It’s pretty fun. It’s pretty exciting. This has literally been one year in development. I hope to God that what I am saying right now actually happens because we got a lot more to do. Because we’re recording this in April, and God willing this is all going to happen the way we want it to happen.

[Mike Johnson] Let’s get it going. That sounds exciting. Count me in, David.

[David Spark] By the way, I’m not going to be the host. We have a different host. I will have already introduced her. It’s Johna Till Johnson the CEO, of Nemertes Research. She will be the host of the new show.

[Mike Johnson] Awesome. Yet another voice on the network. That’s great.

[David Spark] It can’t be the David Spark show. That’s the bottom line. It can’t be. We need a lot less of me is what we need. All right, with that said, I want to introduce our guest who I’ve been working very hard to get on the show and was super, super excited, especially because we’re going to touch a subject we’ve never touched on the show before. She’s a complete expert on this topic, and I’m thrilled – that subject being space and security in space. Here’s what I’m excited to mention: she just got a PhD in cyber security, specifically on space. And she’s also the senior legal advisor for Women in Cyber Security. But this is going to be the first podcast where we can refer to her as a doctor because prior to this on no podcast has she been heard as a doctor. So, we are the first. It is Dr. Diane M. Janosek, deputy director of compliance at the NSA. Diane, thank you so much for joining us.

[Dr. Diane M Janosek] Thanks for having me, David.

If you haven’t made this mistake, you’re not in security.

4:39.470

[David Spark] Obsolete security policies. Mike, you initiated this very discussion about obsolete security policies on LinkedIn, and you got a flurry of responses. Now you started complaining about the clean desk policy, which by the way I am a strong personal believer of. But others responded with password rotation, remediate every vulnerability, mandatory AV, annual security awareness training, banning Cloud services, preventing paste in the password field, prohibiting company logos on laptops, and wet signatures on documents. Some of these I actually had never heard of, Mike. But what did you learn from the responses, and were these security policies the correct thing to do with what we knew at the time?

[Mike Johnson] The key thing I learned was that I’m not alone in the world.

[David Spark] Well, people love to complain. Let’s just start with that.

[Mike Johnson] The fact that other folks are like, “Oh, this is my opportunity to complain about that one thing that I’ve always wanted to complain about,” which is great. And seeing the passion that other folks had for some of these obsolete folks. A lot of them made sense at the time that they were written. There was even a time the one that I complained about, the clean desk policy, that one actually made sense. The reality is for most of us a lot of these policies are obsolete. The world has evolved. The threats have changed. I’m far more worried about what someone halfway around the world is able to do to impact the security of my organization than someone who’s coming into one of my physical offices. Right now today I don’t even have physical offices. More to the point, I’ve got over a thousand physical offices where our employees are working from home. So, so many of these, they made sense at a point, and they don’t anymore.

[David Spark] So, you believe they were legitimate at one time?

[Mike Johnson] Some of them.

[David Spark] Not all of them. Okay, not all of them. [Laughs]

[Mike Johnson] Some of them were just dumb always. The ones around not allowing pasting into a password field. That was just dumb. We should never have disallowed that. No company logos on laptops or banning Cloud services…

[David Spark] That one I had never heard of before – the no company logos on the laptops.

[Mike Johnson] I can back into why someone thought they were a good idea, but they were theater. They did not provide any actual benefit in terms of security. So, some of these were always stupid. Some of them are ones that we need to evolve, and we need to make sure that we’re not ticking off our employees with bad policies, or our users, our customers. I’ve been frustrated personally myself trying to paste a password from my password manager into a field and been denied. It’s just so frustrating.

[David Spark] By the way, if it’s like 20 digits, chances are pretty high you’re going to screw it up.

[Mike Johnson] Exactly.

[David Spark] [Laughs]

[Mike Johnson] Maybe it’s one that my password generator generated, and it’s like a 30-character password. And I’m sitting here having to transpose upper, lower, weird character… I’m going to fail.

[David Spark] You can do it three times and then be locked out.

[Mike Johnson] Yes.

[David Spark] There you go. All right. I’m throwing this one to Diane. Diane, you have gone through many security policies through your life. I’m going to guess that some have annoyed you. Maybe because of where you work you may not be able to say which ones you would love to have die. But what are you able to tell us of password policies, maybe listed here or of your own, that you feel are a little obsolete?

[Dr. Diane M Janosek] Well, I appreciate that. A lot of the security policies are rooted traditionally like in physical security when you would lock up your desk, and lock up the door, and lock up the safe, and all of that. And when I started, we still had all of the rotational security devices and the locks on the different types of file cabinets. Then you had the lock on that door, and then you had the lock on the other door. So, I am happy that those things have kind of evolved since having… Literally you’d have to get the key for this, and then the key for that, then the key for the next thing. And we had one day where we had a new employee start and was literally locked inside the SCIF. I got a call that she was still inside, and she couldn’t get herself out because of the physical security policies that were assigned with the authentication, as well combined with the cyber security policies. But we literally had to have somebody go back to the office and physically let her out from the outside. That’s how crazy some of these policies are. But I think there’s a lot of similarities to that in the cyber security space as well. So, it is interesting to see where we’ve come from and where we’re going. Some are good, and some aren’t all good.

[David Spark] Let me ask you, is there some type of telltale behavior, Diane, of a security policy of like, “Maybe we should stop doing this as in it’s really obscuring people being able to work, or it’s actually not showing any noticeable level of security.” What are kind of some of the telltale signs?

[Dr. Diane M Janosek] I think just to think about the telltale signs of time to logon. If you’ve got 10,000 employees, and it takes three different authentications to get in, and it takes everybody four minutes, to me that’s an incredible amount of wasted time in terms of the monetary investment for that. We did a cost analysis [Inaudible 00:10:12] and every minute of additional training cost the federal training XYZ amount of money. So, it was in our interest to have efficiency in logons, not just in everything else we do. But when you’re sitting there waiting for things to get all the different authentications, it really… I do think that that is not a best practice because people just get frustrated, and then they try to work around it. They try not to lock their computer so they can come back. And then it just loses the value of the security protocol in the first place.

[David Spark] That’s a good point. If you make it too difficult, people will try to work around it because they just want to do their job.

[Dr. Diane M Janosek] Yeah, right.

How scared should we be?

10:47.480

[David Spark] We know that critical infrastructure is a prime target for nation-state cyberattacks. And unfortunately there’s a dearth of cyber protection around critical services such as water and power. But another area that is still critical is space or more specifically satellites. There are currently 6,500 satellites orbiting our planet. They’re integral to cellular communications, GPS navigation, weather monitoring, and managing IoT devices like for agriculture. This according to Josh Lospinso in an article on “The Hill.” Now, compromises on satellites can range from actually taking control of systems to spying for purposes of espionage. And it’s not theoretical as attacks are already happening. So, I’m going to actually start with you, Diane, or probably stay with you since you truly are the expert here. What’s being done currently with security in space, and how can others who are not directly involved in these industries create some type of positive impact?

[Dr. Diane M Janosek] Well, thanks for asking me that question. Space security really is evolving, especially as we’ve seen with the activity with Russia and Ukraine, with the amount of cyber-attacks that were going on that preceded the physical war. We’ve also seen in open source material that there are also attacks on some of the satellite links as well and satellite jamming. So, we now know that it is really operational in terms of people’s daily lives, in terms of being able to access our devices, send information, secure information, and then transmit intelligence or just basic news of where different things are going on in the bigger country can really happen through attacks on space. So, your question, if I understood it properly, David, was…

[David Spark] What is being done currently, and what can the average person do? So, let’s start with what’s being done currently.

[Dr. Diane M Janosek] So, right now there are two different areas of space. Usually it’s countries. Countries have investments in space, and then there’s also industry investment in space. So, commercial investment. And then there’s also the partnerships between the public and private partnerships as well. But I would like to give you an example of what’s actually happening in space in case some people aren’t fully aware of different things. So, there’s space junk. If a satellite gets launched and it doesn’t fully launch, it comes back down to the earth. We’ve seen large chunks of different space debris land in the ocean around the world, and it could have hit houses and things like that. So, people aren’t always aware of that. They may have heard about it but not be fully aware that that really does happen, and that’s why there’s a lot of sensitivity in terms of space launches and then also the return to the earth as well. The reentry is also a significant issue in terms of just the security of the devices themselves. But if we’re talking about the physical satellites, I think if I could… If I could just mention real briefly… So, we mentioned a couple of things about why we need satellites. If they took out certain satellites around…just pick a particular one, ground transportation would be halted. Planes would be frozen or grounded. Financial markets would be frozen.

Phone services would fail. Power stations and water treatment plants would stop functioning. Our military response to certain attacks could be detrimented because of the ability to transmit information. So, it really could be… A war in space could happen fairly quickly with one particular satellite being taken out. So, if you asked me what’s going on today, what I can tell you is that it’s been publicly acknowledged and I’ve written about it – both Russia and China have demonstrated that they can take out a satellite from space. So, most people are thinking of weapons from the ground that are launched, and then you can take out a plane. Well, can you take a satellite that’s 2, 300 miles above the earth? Not right now, but that’s what they’re working on. But what they can do is space to space war. There’s actually space on space attacks. Our adversaries have demonstrated that, and so that’s something to be aware of.

[David Spark] Is that a satellite to satellite attack?

[Dr. Diane M Janosek] Yes. And the exemplar…if people are interested in just hearing a little bit more about that, the one that people may be aware of was in 2007 when the Chinese took out their own weather satellite with another satellite. Then another one that happened that people may be aware of is what happened with Russia where they launched a satellite, and that satellite launched like a little sister satellite. They called it an inspection vehicle or inspector vehicle. And then that satellite then about six months after it was launched and started orbiting issued a projectile essentially as a weapon and took out another satellite. So, it was truly war on war in space.

[David Spark] Was that, I’m sorry, a physical attack where literally…?

[Dr. Diane M Janosek] Yes.

[David Spark] Wow.

[Dr. Diane M Janosek] It was not just jamming, and it wasn’t just like spoofing, or denial of service, or malware, or some type of taking over the command of a satellite. It was physically an attack. So, they call that antisatellite. It’s an ASAT attack, but it’s a very particular attack where it’s happening from space to space. So, that’s happening that we know that capabilities are out there to do that. The bottom line with the cyber security threats to space assets, which includes satellites, it includes the communication devices. So, the commercial industry is recognizing now that they have to be postured for physical attacks as well as cyber attacks in space. And so they are actually preparing and investing in that. Currently there’s a 350 billion dollar investment in space in 2021, which is expected to grow to 1 trillion in 2040. That is primarily to ensure resiliency in space assets when they build them from the ground. Like literally when they start building them and then launching them. So, they’re building in a little bit more resiliency in terms of the ability to prevent both cyber attacks and physical attacks. So, that’s one of the reasons why that budget is dramatically going to jump to 1 trillion in 2040 for space investments.

Sponsor – Code42

16:48.971

[Michelle Killian] From our insider product telemetry data, we found that about 20% of data exfiltration is happening after an employee leaves.

[Steve Prentice] This is Michelle Killian, director of information security at Code42.

[Michelle Killian] So, when a user is terminated, they still have access to potentially valuable information, and we don’t even know about it.

[Steve Prentice] This is just one of the areas exacerbated by the work from home trend that shines a light on potential access control gaps in things such as SaaS applications where control can be lacking, and protocols are insufficient.

[Michelle Killian] The last two years have really driven the trends that we’re seeing with insider risk. First is the continued adoption of Cloud technologies. We are constantly rolling out new technology. But when we look at these fantastic tools, we’re really still lagging behind on use and training of them. How many of our users were actually trained on how to use those when we rolled them out. And if they were trained, how many were able to contextualize that training in the moment.

[Steve Prentice] This is where their product INCYDR comes in.

[Michelle Killian] It’s amazing to me how often I hear, “Well, security or IT never said anything, so what I did must have been okay.” The beauty of a tool like INCYDR is that we’re actually providing some of that visibility, so we can respond when a user, for example, shares a document publicly versus just with the person they intend to share it with.

[Steve Prentice] For more information, visit code42.com/showme.

It’s time to play, “What’s worse?”

18:25.108

[David Spark] All right, Diane, I know you listened to an episode of this show, so you know what this is. It’s a game. It’s a risk management game. I give you two hypothetical situations. You can’t change them. They are what they are. But you have to just determine from a purely risk perspective which one is worse. And I make Mike always answer first, so here we go. This comes from Ross Young, a past guest, and has submitted many wonderful “what’s worse” scenarios. He has a phenomenal podcast himself, which is taking off by the way, doing very well, called CISO Tradecraft. So, please check that out as well. And here’s his scenario. What’s worse, Mike, your procurement takes 12 months to onboard new vendors, or it takes 12 months to remove a bad employee? And by the way, when I say bad employee I don’t mean like they’re like malicious or anything. They could be a lot better than what they are. They’re just not a good employee. You’re like, “Eh, I think I’d like to get rid of this person.” All right? So, what’s worse? Procurement takes 12 months, or 12 months to get rid of someone who’s kind of a loser.

[Mike Johnson] This is an interesting question, Ross. On the one hand if you’re taking 12 months to onboard a vendor there’s productivity loss. You’re theoretically…this vendor was going to solve all of our problems, and it’s taken us 12 months to get them. And we’ve got 12 months of impact versus it takes 12 months to…

[David Spark] Get rid of all employees, by the way. It’s not just one employee. Any employee you want to get rid of.

[Mike Johnson] Any underperforming employee. So, as you said, setting aside the malicious employee… We’re assuming that you can take care of those very quickly. And so what we’re left with…

[David Spark] Yeah, so you’re looking at two different levels of loss of productivity is what you’re looking at.

[Mike Johnson] Yes. And from my perspective, again, as usual, they both suck. The way that I look at when you’ve got an underperforming employee is they’re kind of pulling everyone else down with them.

[David Spark] But if you don’t have a piece of…a vendor that you want on board that could also pull you down if you’re using a piece of software they don’t want.

[Mike Johnson] Like you said, David, they both suck.

[David Spark] [Laughs] I’m just throwing that out there.

[Mike Johnson] I really do think if I’ve got this situation where any underperforming employee is going to be stuck with for 12 months, and that’s going to pile up… You’re going to get more, and more, and more of them, you’re really going to have that much more of a drain on your company. A drain on your performance, and frankly people aren’t going to want to come and work there because they’re going to hear about this reputation of all these bad people, all these underperforming people working for this company. So, in my mind, that’s the worst of the two. They’re both bad.

[David Spark] That’s a good point that it may get out. All right, Diane, I’m throwing this to you. Do you agree or disagree with Mike? And by the way, no pressure here. I love it when my guests disagree with Mike.

[Mike Johnson] He truly does.

[Dr. Diane M Janosek] I think I disagree.

[Mike Johnson] Great.

[Dr. Diane M Janosek] Okay, so I think the process piece is much riskier. You suggested the employee because the employee is the morale and the inability to recruit new talent if this was this view out there. I do think that having due diligence built into your processes is really, really important today because at least 50 to 60% of cyber-attacks are happening because of issues within the supply chain. They did a survey just a couple of months ago, and the CEOs of the fortune 500 companies, 60 to 70%, maybe close to 80 said they did not have visibility into their supply chain to even assess the risk. So, when you’re bringing on a supplier, third party provider, to your company you want to really make sure they know what type of data protection policies they have in place, how are they managing their Cloud services if they’re using them.

[David Spark] Well, it’s very possible after 12 months you do know this, but it’s going to take 12 months to get them onboard.

[Dr. Diane M Janosek] It’s true. But let’s say if you have your shareholders, your board of directors…if you have a major loss because of a provider that you’re partnering with or one of your service providers are partnering with, the whole company could be at risk. So, your whole company’s resiliency in terms…

[David Spark] Or is it just a security department? Mike, good point.

[Dr. Diane M Janosek] Yeah. Okay, so I… [Laughs]

[David Spark] Again, it’s a game called “what’s worse.” We’re just trying to find which one causes more damage, so I like your answer. Anything to add, Diane?

[Dr. Diane M Janosek] No, except that we’re all wedded to efficiency, so neither one is very good.

[David Spark] That’s the game.

[Laughter]

Why are we still struggling with cyber security hiring?

23:07.489

[David Spark] “Diversity is fundamentally important, but the degree to which individuals feel included, accepted, and treated equally is critical, too. Without that, efforts to raise diversity are virtually meaningless,” said UK’s National Cyber Security Center in their 2021 Decrypting Diversity Report. In the report, about 70% of both diverse and white candidates felt they could be themselves, and about one in five diverse candidates experienced some form of discrimination. Now, I do not know how that compares to the nondiverse candidates. Also want to mention of those experiencing a discrimination incident, a higher proportion of men, 76%, than women, 55% chose not to report an incident. There were a variety of responses to people feeling barriers to their advancement. So, this report actually makes it difficult to fully understand if minorities are having a tougher time, but the report does bring up a really good point that if you don’t make people feel included then diversity efforts are pointless. So, for existing diverse employees…I’m going to start with you, Mike…what have you done, and can you do to address issues of inclusion?

[Mike Johnson] This is a tough one. One of the challenges of not tackling inclusion along with diversity is very well laid out in this article. That you might be able to hire people, but you can’t retain them. They’re like, “This is a terrible place. This is a toxic work environment. I’m out of here.” And again, they’ll carry that reputation with them, and it just kind of becomes a terrible place to work. This whole concept of bringing your whole self to work is really a part of that – that anyone can feel like they can be themselves. And you see time and time again, especially around elections, that companies try and frown on that. They try and say, “Well, you can’t be your whole self. You can’t talk about X. You can’t talk about Y.” And when it really comes down to it, doing something about this is learning, is understanding, is trying to figure out where your own unconscious biases might be. Your own actions, how they might be influencing others and how they might be making other people feel like they can’t bring their whole self. So, I can’t really say, “This is the thing that I’m doing. This is what magic, how I’m solving it.”

[David Spark] No, but you point out being continuously aware that it is an issue…

[Mike Johnson] Yes.

[David Spark] That is the thing to do actually. That is actually a thing to do. Diane, because we never talked about this. It’s like we talk a lot about diversity in hiring, but we don’t talk about diversity retainment. This is what this is through inclusion. How have you seen this dealt with?

[Dr. Diane M Janosek] So, I think the report came out about three years ago on female CISOs that more were leaving the field than coming into the field. So, the retention of female CISOs was really, really low. The departure was really high. So, I think there’s… So, there’s probably something behind that. But regardless of that, if you’re asking me in terms of where are we today, I think at the end of the day we are all humans. And we have an innate need to belong. If you’re in an organization that is committed to you knowing that you’re part of the team, or you understand what the vision is and what the mission is, and that you feel like you are contributing, you can bring your whole self to work. So, if you have a chief diversity officer and a diversity plan, that’s great. But if it’s missing the sense of belonging in the workplace and the sense of positive contribution, that’s really the ticket, which I think the leadership training really goes a very long way.

And then the last thing I was going to mention on gender diversity that I found that works is they do say that in the workplace there is a gender diversity and that females do want to make sure as they go higher up the chain that they’re still able to contribute, and give back, and have a personal satisfaction as well as a professional satisfaction. So, the personal satisfaction stays equally high as the professional satisfaction. So, if we can articulate in cyber security that it is incredibly meaningful and rewarding because we are making people’s lives safer or making our nation safer and that they are making a difference in changing people’s lives, that personal and professional satisfaction is there. And if they have a sense of belonging, they will come, and they will stay. And they will feel like they have a sense of purpose and be really excited to be there and to learn. That’s why I just love the cyber security professionals that I work with – because that’s who they are. They’re there to make a difference, and they’re there to keep learning.

What’s the motivation to do this?

28:06.759

[David Spark] Take time to study high profile attacks as they often become trend setters. Mark Nunnikhoven of Lacework, who we’ve had on our other podcast, has a really good piece on Dark Reading where he highlights some of the techniques of Lapus$. Now, that’s the criminal collective that breached Okta. Now, we learned from this that their motives were between extortion and chaos. They were going after user accounts, exploiting MFA and actually bribing employees and going to actually third party ones. They were going after employees’ personal devices, which are often not as secure as the company devices. And they aimed to gain Cloud access and control others’ access to that Cloud access. To sum up, they’re trying to take advantage of individuals’ weaknesses. For example, not understanding how MFA works or being lured by money. While this attack stinks, Mike, I’ll start with you, do you see it as a net positive as you’re better understanding the attacker’s techniques and you can adjust your security program accordingly? And I’m not saying their specific techniques, but when it’s this high profile, there’s a lot of monkey see, monkey do going on as well.

[Mike Johnson] You should always take the opportunity to learn from incidents that others are having to deal with. It’s rare that you get the opportunity to really understand the techniques of an attacker. Understanding those techniques is highly educational. If you look at Microsoft posted a document about the Lapus$ attackers and the types of techniques that they used. You can then go and look at this is the laundry list of what’s hot right now. To your point, David, I don’t know that I’d call it monkey see, monkey do, but they…

[David Spark] Well, trendsetters. They are trendsetters.

[Mike Johnson] Another podcast they basically talk about it’s not stupid if it works. This is really that concept. Attackers see things that are working today, and they’re going to go, “Oh, well, that works. I’m going to go and use that same technique. If that technique is working elsewhere, I’m going to give it a shot.” That means that you as a potential target are going to see those attacks. And when you have this essentially roadmap, these are the things that are others are seeing that tells you what you need to work on that tells you, you should go and see what your defenses look like against those particular attacks, how you’re prepared for them, and maybe even test them yourselves before somebody else does.

[David Spark] Excellent point. All right, Diane, super high profile attacks. I’m assuming you see those kind of things all the time. I want to go back to my term, trendsetter. Do they literally set trends? Like if you see one, you see a lot of copycat type attacks similar that follow suit?

[Dr. Diane M Janosek] It’s interesting that you use the word “trends” because in the intelligence arena we always use the word patterns. We’re looking for patterns. So, I think during COVID we saw a lot of ransomware attacks and cyber-attacks on hospitals because hospitals were the big thing. Everyone needed to go to the hospital to get their COVID care. And then all of a sudden that was a big, I guess you could call it, trend. But the way that I look at it is it’s patterns by sector generally, or maybe patterns by regions. And so then we saw there was starting to be a certain pattern with attacks on agricultural entities being cyber-attacks. Then they moved to some of the water treatment facilities. Then they moved to the energy sector like we saw with the gas lines. And then now we’re seeing there’s more frequently a lot of big ticket retail. So, there are patterns, but then you have to kind of look at kind of what’s the behavior involved, who is the threat actor, are they copycat actors, or is it the same type of entity kind of just moving around and doing things. So, it depends upon the sophistication of the threat, but I do think that you’re right – that if you can see how easy it is there will be trendsetters, but the lower kind of threat actor could be a lower type of capabilities. But on the higher end, we look for measured trends with significant impacts and how they’re kind of going around the world in terms of where the different events are happening. I primarily look at it by sector or by region.

[David Spark] Then just going back to what Mike had said earlier, do you then, “Okay, this is a pattern of a kind of attack. Let’s see how we are set up for that very kind of attack.” And then you look at your defenses and go, “Oh, well, we’re good here, here, and there. But here, maybe not so good.” Do you just essentially look at that as a roadmap to test your own environment?

[Dr. Diane M Janosek] Absolutely. We definitely do that. And if you take a look at the NSA’s cyber Twitter account, as well as DHS CISO’s website, they often release when they find out different patterns are happening. They’ve now gone into the tradition or thing of releasing probably the last 18 months or so some of these critical advisories saying, “This is an attack that’s happening based upon this vulnerability. You need to patch this. You need to do this. You need to avoid this particular hardware.” They’re sharing that information more readily because if it’s happening to us, or it’s happening to our partners, or our critical infrastructure partners we want to be able to share that to avoid future incidents down the road. So, we absolutely do that, David.

Closing

33:30.638

[David Spark] Awesome. And that is a great place to button up today’s conversation. Thank you so much, Diane. Thrilled to have you on. And as your first podcast as a doctor now of cyber security. PhD in cyber security.

[Dr. Diane M Janosek] Thank you.

[David Spark] No one is going to ask you for medical advice, are they, with that?

[Dr. Diane M Janosek] I hope not. I hope not. I have an identical twin sister with a medical degree, so they could ask her.

[Mike Johnson] Oh.

[David Spark] My dad was a doctor. And when he was at parties, people would ask him medical questions. Which, mildly, he was always sort of agreeing to answer, but he always had this fantasy of saying to someone who starts asking him…getting into medical questions in the middle of a party, just, “All right, strip. I’ll examine you right now.”

[Laughter]

[Dr. Diane M Janosek] I don’t think I’ll do that. [Laughs]

[David Spark] All right, I’m going to have you have the final word here, and I’m assuming the NSA is hiring because I always ask that. But also you can talk about what you’re doing with the Women in Cyber Security. But you have the very last word. I do want to mention our sponsor, Code42. It is literally like it sounds – code42.com. Insider threats, the non-malicious kind. Guess what? It’s happening all the time whether you know it or not. For more on that, check them out at Code42.com. Mike, your last thoughts.

[Mike Johnson] Diane, thank you so much for joining us. We covered a lot. The range was all over the place in the episode today, so I thank you so much for joining us and sharing your vast experience, your vast knowledge in all of these different areas. So much that our audience is going to be able to take from this. I personally love the discussion of cyber security in space. That’s not an area that I deal with.

[David Spark] Literally I don’t think we’ve touched that ever on this show.

[Mike Johnson] Right. And so I think, again, I personally took a lot from that. So, thank you for me. But also thank you for our audience. They’ll have a lot to take away from this as well, so thank you so much for coming on our show and sitting down with us to have the conversation.

[David Spark] All right, your final thoughts. And please feel free to promote anything. And if you’re hiring, let us know and where to find and all that other good stuff.

[Dr. Diane M Janosek] Great. Well, thank you, David. Thank you, Mike. So, if I could just give a quick plug… I did get my PhD from Capitol Technology University, which is actually one of the regional hubs for the Nation’s Centers of Academic Excellence in Cyber Security. So, they cover about eight states. They’re recognized by NSA and DHS as being a leader in that. With my degree, since I was going through it and they didn’t have a space security degree, they now have a space security PhD program that you can do online. They are down the street from NASA literally in Laurel, Maryland. So, if folks are interested in that, you can definitely look that up. And they are a wonderful, very hands on, small school – will walk you through that with a lot of great masters programs as well. So, that’s a quick plug for that. The National Security Agency of course is hiring. We hire in multiple disciplines to support our foreign intelligence mission, as well as our cyber security mission.

We love linguists, as well as data scientists, lots of different network security professionals. We have so many things that you can tap into. We have a lot of information available at NSA.gov. We hire students. We hire people that have worked in the field for a long time and want to come work for the government or folks that are just fairly new. We have lots of development programs to help folks get interested and get engaged, as well as school. We have a national cryptologic university for which I used to be the commandant, the 23rd commandant. And so we teach stuff worldwide in these unique areas as well. So, the last plug I would give is I’m very, very active in Women in Cyber Security, which is really just a professional networking organization where you have a place to belong. So, I would just encourage everyone to find a professional network where you feel like you belong, that you can bounce things off of. And then when you do come to work, you can be your best self. And last thing is thank you for engaging and embracing the cyber security discipline because our whole nation needs every single one of you for this fight. It’s truly a fight, and you’re all making a difference. So, kudos to every single one listening. So, thank you so much.

[David Spark] Tip to all our future guests – that’s how you make a plug. That’s exactly how you do it. Thank you very much, Diane. That was excellent. And by the way if people want to get in contact with you, what’s the best way to get in contact with you?

[Dr. Diane M Janosek] LinkedIn is good. Also, our NSA public affairs has a speakers request right there on their website on NSA.gov. So, either one would work.

[David Spark] I filled out that form to get you on this show.

[Laughter]

[David Spark] Some of the most bizarre questions I’ve ever answered.

[Dr. Diane M Janosek] But I’m here. But I’m here.

[David Spark] But she’s here. Trust me… I want the audience to know, sometimes there’s a lot of hoops that I have to go through to get a guest on this show, and I went through a few to get Diane here. So, thrilled to have you here, Diane. Thank you very much. Thank you, Mike. Thank you to our sponsor, Code42. And thank you to our audience. We greatly appreciate your contributions. Again, that is not an empty saying. I mean it. I truly mean it. Please send in those “what’s worse” scenarios, your questions, any other concerns you may have. We want to hear it. And also if you go to the participate section, there’s a way to record a question. We would love to use your audio of a question on a show. Go ahead and do that. Please do that. Or you can send audio any other way you want to do it. You don’t have to use that way. Just send me an MP3 file; that works as well. Thank you for listening to the CISO Series Podcast.

[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our virtual meet up, and Cyber Security Headlines – Week in Review. This show thrives on your input. Go to the participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thanks for listening to the CISO Series Podcast.

David Spark
David Spark is the founder of CISO Series where he produces and co-hosts many of the shows. Spark is a veteran tech journalist having appeared in dozens of media outlets for almost three decades.