Sound Security Advice That’s Perfect to Ignore

It appears our security awareness training is falling short when it comes to prompting any real action. While most people are aware of the need for secure passwords, they don’t create secure passwords. They take the easier way out rather than the secure path, which isn’t that far from the easy path.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our sponsored guest is Patrick Harr, CEO, SlashNext.

Got feedback? Join the conversation on LinkedIn.

HUGE thanks to our sponsor, SlashNext

With today’s transition to hybrid working, phishing attacks are becoming more prevalent than ever. Mobile phishing and credential harvesting are exploding and affecting business reputations, finances and most importantly, data loss. With new methods of phishing attacks appearing year over year, enterprises need more robust phishing protection to better protect this expanding attack surface and companies’ most valuable assets. Check out the report.

Full transcript

Voiceover: What I love about cybersecurity. Go!

Patrick Harr: I’ve been around the block for many, many years now starting back when at Novell, and I think what I’ve seen from that point 25 years ago to now, (A) it’s ever-changing, (B) I think we’ve shifted focus from just the network security inside-the-boundary point of view to now it’s all about the user. And with that, there’s always these ever-changing techniques of how the bad actors are attacking those humans or those users, and for us it’s about how do you stay ahead of the curve.

Voiceover: It’s time to begin the CISO Series Podcast.

David Spark: Welcome to the CISO Series Podcast. My name is David Spark. I am the producer of the CISO Series. Joining me for this very episode is the one, the only, Andy Ellis, who is also the author of the upcoming book – 1% Leadership – and then some side gig he has, he’s the operating partner at YL Ventures. We’re available over at CISOseries.com. Andy, grace everyone with your voice.

Andy Ellis: https://www.csoandy.com/book, you can get your preorders now.

David Spark: Okay. If you have not heard Andy plugging his book before, obviously you’ve never heard this show because he can’t stop getting a plug. In fact, in the show rundown, he squeezed some things about his book in here, which we got enough in here for now.

Andy Ellis: Unfortunately, David deletes them all, but one of these days I’ll get one through.

David Spark: Well, we’re going to trust that you’re going to hear plenty more about his book. Hey! I want to mention our sponsor today. They are a recurring sponsor. We love having them onboard. It is SlashNext, that’s slashnext.com. They deal with essentially messaging compromise issues, and of which we’re going to get into that topic in great detail. But first, Andy, I want to tell a brief story, and there’s a reason for this. Many years ago when I was a child, I’m going to say 11, 12 years old, I was a big fan of the Blues Brothers and the silly song of which they had done a cover of by the Chips, a song called Rubber Biscuit. Do you remember this song?

Andy Ellis: Vaguely. I’m tempted to pull it up, but I think we’d get into trouble if I added it into the podcast.

David Spark: But it is just purely a song of nonsense, okay? As a kid, I thought it was the funniest thing in the world. My grandfather didn’t have a clue what this whole thing was about, didn’t understand it. He couldn’t understand why I thought this thing was so funny. And I realized what happens now for me with my kids is they find certain things so hysterical. I don’t get it at all, and I realized to myself I’m having my Rubber Biscuit moment. This is my moment to not get it. Just like my grandfather didn’t get it, I’m not getting theirs. You have kids. Have you had your Rubber Biscuit moment?

Andy Ellis: I think not quite as much because I actually enjoy a lot of the same things my kids do. Like they play games the same way I do, they’re LARPing. But occasionally, they’ll use a word, and they won’t explain what it is. It took me like a year to figure out what “yeat” meant. And then when I successfully used it in a sentence, they were like, “Dad, we don’t use that anymore.” I’m pretty sure they’re just trolling me.

David Spark: So, it takes you a little while to get to the…

Andy Ellis: Yeah.

David Spark: …sped up. Well, I’ve just explained that I’m having these rubber biscuit moments constantly, and that’s what I’m referring to them as. My moment of, “It’s my turn to not get it.”

Andy Ellis: Good for you, I’m glad that you can recognize it, that’s pretty pog.

Patrick Harr: [Laughter]

David Spark: That gentleman laughing right there at Andy’s joke is our sponsor guest today. Thrilled to have him on. We had him on our Super Cyber Friday show, and we’re now getting him on the CISO Series Podcast. It is the CEO of our sponsor, SlashNext. The one and only Patrick Harr. Patrick, thank you so much for joining us.

Patrick Harr: Yeah, David, great to be here. And Andy, I’ll try not to do those plugs for your book.

Andy Ellis: Oh, feel free to do them too, I’m okay with that.

Patrick Harr: [Laughter]

Close your eyes. Breathe in. It’s time for a little security philosophy.

4:11.705

David Spark: “People are not the weakest link, they’re just the top attack vector,” said Lance Spitzner of SANS Institute. He goes on to blame the security industry, and not the user, “We have gotten so good at using technology to secure technology that we are literally driving attackers to target the human.” And he says we need to focus on making security easier for the user since they’re target number one. So, LinkedIn loved this “top attack vector” way of looking at the problem, and I’m going to start with you, Andy, on this. How can we use that to drive a different security philosophy? Spitzner argued something we’ve talked a lot about on this show, and that’s making security simpler for the end user.

Andy Ellis: So, I’m absolutely in line with this, and I would actually say it’s not about making security simpler, it’s about making the system simpler and the interfaces that they present. We’re right in the middle of the week in which Elon Musk just bought Twitter. He’s moving fast, he’s breaking things. We’ll see, maybe by the time this airs, everything will either be broken or be repaired, but I think Nicole Perlroth had said, “Ask any security professional, and they’ll tell you speed is the enemy of security.” And I thought Heather Adkins had the best reply, she’s like, “No. Complexity is the enemy of security.”

It’s in the complexity that problems happen, and we have a lot of systems that are ill-thought-together. They’re very basic systems that get put together into these complex constructs where security hazards show up in those interfaces. And we expect humans to patch over them, and to somehow figure out that when you get an email that displays that it came from your CEO, you’re somehow supposed to figure out it didn’t come from your CEO and to not click the thing that the CEO said you’ll be fired if you don’t click. This is not a user problem; this is a complexity problem that the interface is just awful.

David Spark: All right, Patrick. This is speaking your language, isn’t it?

Patrick Harr: Yeah, 100%, and I go back to what I said, that I used to work at Novell long ago, and I used to say, “People are people, not IP addresses.” And if you think about it, how we’ve evolved from network security to web security, email security, all these layers upon layers of security. It’s no wonder why, as Andy highlights, the complexity is really borne out and then what’s the easy thing to blame? It’s the user, right? The human.

David Spark: You know what it is? It’s because that’s the thing that’s most visible to us.

Patrick Harr: Yeah.

David Spark: I think that’s why it’s an easy target.

Patrick Harr: Yeah. I mean, obviously, the bad actors recognize that because at the same time, humans are fallible, we’re distracted, we do a lot of stuff every day. And that’s the reason why I do think there needs to be a mindset shift from treating your users as adversaries, and really co-opt them as part of your security environment. And what I mean by that, think about training here for a moment. We’ve talked a lot about training in the past, and every time someone fails that training test, they go on the top three visible list, and if they don’t do well we’re going to fire that person.

Well, I’d actually argue let’s make that even simpler, and I’d really like to say you want to augment the human. Make that human the superhuman, use AI controls as an example. So, you’re not as that human always reliant on my mistakes that I make. Because again, there’s no way in hell you’re ever going to train everything out of me or you or anyone else. If that was successful, there would not be a hell of a lot of cyberattacks. So, I think again, back to that point Andy was making, (A) make it simpler, (B) again, let’s use some of these new tools we have available to us, as I was highlighting, make that human a superhuman with AI. And we’re going to do a hell of a lot better in terms of stopping these cyberattacks.

Andy Ellis: It’s like this – what is the most common proximate cause of death? Heart failure. If I cut off your foot, you’ll actually die of heart failure because at some point your heart runs out of blood to pump. But would we blame your heart for the fact that your foot got cut off? Obviously not. But that’s similar, like we blame the user who clicked the link. Why was the link in their Inbox, and why was it unsafe to click?

David Spark: Well, this came up on an earlier episode, Andy, and you kind of went to town, and I was telling you the story that a friend of mine, she works in HR at a big company. They’re literally firing a mechanic because he just kept failing phishing tests.

Andy Ellis: Right!

David Spark: And your argument was the failure’s on the company.

Patrick Harr: Back to that point, take it out of the email before it ever gets to the user. Anyway. Let’s make the life simpler. I’ll just bring one other point, I was at a CISO conference last week, and one of the CISOs put up their dashboard of all these controls and KPIs, and I think it had about 60 different tools on this thing. And I said, “How the heck are you (A) measuring your success, (B) how are you managing 60 tools?” And as we all know, there’s going to be cross-conflicts between tool A, B, C, D. And if you imagine that complex world and then you think about the human side of the equation, it’s no wonder why the easiest thing for these bad actors to attack is a human. Because we’ve actually, in many respects, focused on all these other things – network, web, identity, etc., etc. – but we’ve not made it easy for the humans to make it just dead simple stupid not to get attacked.

If you haven’t made this mistake, you’re not in security.

9:44.495

David Spark: What are the career mistakes cybersecurity professionals make? Vicente Aceituno Canal believes he’s already made a bunch, and he’s offering advice for others to avoid. Many of the tips are universal, like ignoring your network and not looking for a job when you don’t need one. But industry-specific ones include not learning the non-technical skills and ignoring and not accepting the current trends and topics. So, that’d be like zero trust and APTs, just avoiding them altogether. So, Andy, I’ll start with you. Have you made any of these mistakes and which ones stick out as the biggest ones to you or do you have bigger ones?

Andy Ellis: Oh, I’ve made lots of those mistakes and many more besides. I think looking at it from a career perspective, the answer is the single biggest mistake people make is they don’t take ownership of their career, and some of what’s in here is part of that. Like if you’re listening right now, I would like you for a moment – as soon as the podcast’s over, not right now – pause and imagine you just got laid off. What are you going to do? Right? There’s a whole thing, like how do you handle the layoff itself. But what is your next step?

And you’re going to discover, you’re going to be like, “Oh, I really wish that I had a network that included someone like X.” Okay. But once you figure out what you’re missing, go take those opportunities. If you say, “In two jobs, I want to be a director,” okay. Well, what do you need to learn to be a director? Don’t worry about your next job. Worry about two jobs from now. That’s how you do career planning is you think about where you need to get to to be able to take a future step because that will guide you into your next step. So, you own your career. Your boss does not own your career. Your company does not love you, it’s incapable of love. Your boss might be a wonderful person, but when push comes to shove, when they get told to cut head count and they only have so many dollars to go around, you might not make that cut. And it’s not about whether they like you or not, it’s just an economic decision. So right now take care of your own career.

David Spark: Good point. All right. I like that. Ask yourself what would you do today if you were laid off. And you were polite, by the way, you didn’t say “fired” which I thought was quite…

[Crosstalk 00:12:02]

Andy Ellis: I assume anybody who listens here is too good to be fired.

David Spark: Exactly.

Patrick Harr: And of course, Andy, I would just build on that just for one quick tidbit, I had this long ago. Also find a mentor. I think that’s really important as you’re doing your career planning. Doesn’t matter how young, how old. A mentor can really help you guide that career.

David Spark: So, Patrick, since your days at Novell, 25 years, have there been a few career missteps along the way?

Patrick Harr: That’s never happened, David.

David Spark: It’s never? Oh, geez.

Patrick Harr: Of course.

David Spark: I guess you’ve nothing to say on this topic.

[Laughter]

Patrick Harr: Of course it’s happened. You always have the “what if?” I’d like to say I was going to be the CMO of Data Domain long ago, and actually chose to run my first cybersecurity company. Ended up selling that to George Kurtz. Now, of course, you have the “what if?” and on that basis, don’t always choose the sexy title. Choose what’s going to give you the most fulfillment and make sure you’re always… We’re not in this business not to also make money, so make sure you also…what’s going to be the most financially rewarding aspect is certainly something I’ve faced, in any career decision that you have.

Second, I would also point out because at times you may not do the things you love – love what you do because that’s just extremely important. I’m always a big fan of the three P’s – people, process, and passion – and if you don’t have that passion, I can come back to some of those things in the past. I may not have followed my own advice and certainly have learned through that “mistakes,” and make sure I really focus on something I have a lot of passion on.

Sponsor – SlashNext

13:45.821

David Spark: Before we go into our “What’s Worse?” scenario, I want to mention our sponsor today, and that is SlashNext. That’s actually Patrick’s company. So, let me explain something to everyone listening, that the phishing landscape is expanding. I don’t need to tell you that, if you listen to this show you know that. And how people work today has increased users’ exposure to cyberattacks, adding to the threats organizations already face.

So, the bad guys know that most email has at least some protections in place, as we had mentioned, and have therefore been turning their attention to alternative forms of messaging. Which we’re all using, by the way. This trend, combined with the fact that employees increasingly use the same devices for both work and personal purposes, has accelerated phishing by a whopping – get this – 61% compared to last year.

Security awareness training is only one part of the equation, and it’s not enough. Organizations must move from traditional security practices and last-generation tools to a more modern security strategy, including robust AI phishing controls that address all variations of phishing attacks and provide a broad range of protections. SlashNext protects the modern workforce from malicious messages across all digital channels. It detects threats in real-time to stop attacks via email, mobile, and web messaging apps across Office 365, Gmail, LinkedIn, WhatsApp, Telegram, Slack, Teams, and many other messaging tools. For more, check them out. I want our listeners to check them out at slashnext.com.

It’s time to play “What’s Worse?”

15:31.216

David Spark: All right, Patrick. Do you know how this game is played?

Patrick Harr: I do.

David Spark: All right. I always make Andy answer first, and then I want you to answer it, and I always love it when you disagree with Andy.

Andy Ellis: Obviously, I prefer you to agree with me.

Patrick Harr: It’s not going to happen, Andy.

Andy Ellis: Okay.

David Spark: Well, we’ll see. We’ll see how it rolls. This comes from J. David Christensen, CISO over at PlanSource. And actually, J. David or David, I don’t know how he goes by his first name, but we had actually a long debate on this discussion, and this is what we came to for the “What’s Worse?” scenario.

Here you go. Scenario number one, Andy. You’ve got a staff of middling employees that never get better, and they never leave. All right? Or you get a staff of superstars of which one leaves every month, and you can only replace him with the greenest of the green staffers. Which one’s worse?

Andy Ellis: How big is my team?

David Spark: I don’t know.

Andy Ellis: Okay. So, this one is actually… I like both of these scenarios.

David Spark: Okay.

Andy Ellis: I actually do not think that either one of these is bad, this is a “What’s Better?” scenario.

David Spark: All right. Well, there is always a “What’s Better?” When there’s a “What’s Worse?” there’s a “What’s Better?”

Andy Ellis: Yeah. So, I prefer the second scenario, so I’m going to say the middling group is the worse one, but I can manage in both sets. And the reason I’m saying that is I’m always a fan of hiring new people and building a training program to turn them into those superstars. So, if I’ve got a team that starts with superstars and has continuous turnover but we’re bringing in new people as that pipeline, like as long as my team’s large enough. If I’ve got six people and by the end of six months, I have no great people, no superstars, but just green people who haven’t come to terms with it, then I would switch my vote.

David Spark: Okay. That’s interesting to note. Okay.

Andy Ellis: But if I’ve got sufficient depth, I’m going to build a training program so that I can hire new people off the street and they’re going to become those superstars. And yeah, I’m going to lose them as soon as they become superstars, and I’m going to hire somebody in behind them, and I’m going to help everybody else solve the skills gap.

David Spark: All right, interesting answer. Patrick, you agree or disagree with him?

Patrick Harr: Unfortunately, I’m going to have to agree with him. I can’t believe it. I got to use a sports analogy. If you always look at the “best” football team and you always see the best coaches hired off that team if they win the Super Bowl, right? And so I think I’m always a fan of less is more. And so if you have the superstars, even though they’re turning over, to Andy’s point, as long as you can continually train, build that bench, I think those are the most successful teams. Because look again, back to the sports team. I hate the Patriots but let’s look at Belichick for a moment.

David Spark: Whoa. Wait a second.

Patrick Harr: Yeah, I know.

David Spark: You’re speaking to two Bostonians here.

Patrick Harr: I know, I know. I know, I know. I’m a Bronco fan, by the way. But nonetheless, be able to have that bench to draw from, but also see how the superstars excel. I think that’s the best experience.

David Spark: And I mean, I want to ask both of you. That’s kind of a charge for a leader to watch someone really green go up the ranks very fast. Yes?

Andy Ellis: Oh, absolutely. That’s the best thing ever. When I see somebody who I was their first employer, and then they go off and they do something amazing. And I’ll be honest – part of me always has that first thing of like, “Are they really qualified for that job?” and then I’m like, “Oh, yes. They are.” Because the challenge is when you hire somebody who’s green, that always colors your perception, you always will think of them that way. So, you have to actively work hard to be like, “No, no. This person has enough years, they’ve got the training, they’re going to excel at that, they’re going to be an amazing rock star.” And yes, absolutely.

David Spark: To point out, Patrick, Andy, there was one day you were both green yourselves.

Andy Ellis: Oh, absolutely. But most people don’t remember that besides me.

David Spark: Do you remember when you were green, Patrick?

Patrick Harr: Oh, 100%, yeah.

[Crosstalk 00:19:28]

David Spark: Was that your Novell days or pre-Novell days?

Patrick Harr: Probably the light green. No, it was definitely the Novell days. It is interesting when you look back. I mentioned having a mentor. One of my mentors was actually my boss, he ended up working for me later on, but I think it was because, again, you want to shine.

The great thing about green people – they don’t necessarily have all the bad habits, right? So, as long as you’re giving them that coaching and give them those milestones to hit and have mentoring along the way, I look at those as far better than having perhaps back to that steady-state team that’s not great. I’d far rather have those green people that you can nurture and grow and make the superstars.

And ultimately, just as I worked for someone else and then they worked for me, I’m great going to work for someone else later on, right? And it’s just great when you see that career fulfillment. I have one particular guy that used to be an SE back at Novell, and now he’s SVP of one of the best cybersecurity companies out there. It’s just phenomenal to see that maturity and that growth and great, great success.

Please. Enough. No more.

20:33.222

David Spark: Today’s topic is business email compromise, many of you know it as BEC. I’ll start with you first, Andy. What have you heard enough about with regard to business email compromise, and what would you like to hear a lot more?

Andy Ellis: So, I think I’m kind of tired of hearing about the interface between the email and the user, where like, “Oh, here’s this thing,” I’m like, “The user should have to solve this problem and know that it’s a problem.” And I want to hear more about the actions downstream. Why is it that this user with just one prompt is able to go do things that are dangerous for your business? To me, that’s the conversation I want to have is it’s a messaging problem, but it’s also a process problem, that we’ve built very shaky processes on insecure messaging protocols.

David Spark: So, it seems like the depth of this defense isn’t too deep.

Andy Ellis: There’s literally no depth on most of these defenses.

David Spark: All right. Patrick, I throw the same to you. What have you heard enough about with regards to business email compromise? What would you like to hear a lot more? And to our audience I should mention this is Patrick’s bailiwick with SlashNext, so I’m eager to hear the story of how you guys are handling this very issue at SlashNext. But first, what have you heard enough about? What would you like to hear a lot more?

Patrick Harr: I think number one, we hear this as BEC, I’m actually even seeing RFPs for “BEC solutions.” I would say again, number one, BEC needs to be BMC, business message compromise. Because email’s not the only attack vector now, and it’s really anywhere I can message you I can compromise you as a user.

David Spark: And let me just throw us out, that that is so true. Like, especially the younger generation. They avoid email like the plague.

Patrick Harr: Yeah, think about it. Discord. [Laughter] I know there’s no gamers out there, right?

David Spark: My kids, I don’t think they have looked at their email accounts, ever.

Patrick Harr: Yeah. No, they use Snap, or they use text message, iMessage, they’re far away from…

David Spark: Anything but.

Patrick Harr: Anything but. Slack. So, that’s point one, right? It really needs to be called business message compromise, not just business email compromise. And point two, to Andy’s point, there has to be depth in terms of what… People commonly think of BEC as like this natural language, Nigerian attack, “Change your PO destination.” It’s actually a lot more complex than that. There’s really three ways I attack a user through a message. I do a link-based attack, right? We’ve all had this. “Don’t click on these links,” everyone tries to train you. As we said before, those links should actually be removed out before they even present to a user. Second, there’s attachment-based attacks which obviously, you click here. Anyone out there got that html voicemail attachment? There’s many forms of PDFs, Word, etc. And that third way is the natural language type of attack, and that is, again, “Change your PO destination, send this wire here.”

But as I was highlighting before, we also see this in other messaging channels, right? In text message, “Call your IT Department immediately because your account got compromised.” So, it’s really how are you going to put, as I like to say, AI controls, that defense in depth in place. So, I’m actually back to this point, making that security much easier for the user. Not depending on the user, actually augmenting that user so I can strip these things out before they actually get compromised. And that’s what I would like to see a lot more of in industry is that focus on all message security across those three ways I can compromise those users as opposed to just one slice. Because I think it’s the totality of what people need to look at.

David Spark: So, I want to set the stage for our audience. I specifically want to know how is SlashNext handling this, and essentially providing some depth, which is what Andy was asking for.

Patrick Harr: Yeah, so I’ve said this a few times and sometimes we “get AI washing” out there. But I am a big, big fan of using AI machine learning to basically augment the human, as we said before. And so specifically in those messages what we do, we do have a “two-faced detection engine” that we built. (A) We’re doing this very, very large, preemptive sourcing of threats out there in the wild where we’re looking. We actually detonate about 100 million URLs a day in virtual browsers. My team came out of FireEye so there is some analogy to the virtual sandbox and detonating malware in that context where we’re augmenting that human, where we use computer vision, natural language processing, behavioral intent to understand, again, what is this? Is this an attack? What are they attempting to do? Are they trying to steal your credentials? Are they trying to get you to download some software? Are they trying to get you to participate in a scam?

And so once we develop that very massive database, right now it’s about 700,000 zero hour attacks that we find daily, we then take a secondary [Inaudible 00:25:47]. Basically what we call “live scan” and put that in the email channel or put that in the browser channel effectively so you can, again, if you’re in Slack or Zoom, etc., I have the ability to do in real-time a live scan if we never found it in that database. Again, why is that important? We actually see very unique spear phishes to Andy and Andy alone, right? So, believe it or not, they may actually create that unique spear phish to you, Andy. And in that context, there’s no way for us to go through some preemptive sourcing of that threat, but what you do want to be is live on that browser canvas and say, “Listen. Maybe they are trying to steal your credentials,” and at that point, block it.

And then I would say take it one step further. You also want to do live training, right? Say, “Hey, don’t do this again.” And what you do find – again, I’m going to date myself for a moment – is it live or Memorex, meaning live or is it on tape, and in this context, what we find is you do that live reinforced training. You won’t see those high clickthrough rates, you won’t see that high participation rates in these threats. So, net/net, again coming back, if you apply this detection, two-faced detection using very, very significant machine learning, you have the ability to preemptively pull these threats out before they interact with the user. And in turn, nothing’s foolproof, but what we do see, if you buy into the stat that 90% of all successful cyber breaches start with that human messaging element, then you can prevent a significant number of these threats. And then back to that CISO dashboard I highlighted, I think you can now focus on some unique things that matter as opposed to try to use 60 different tools in your environment.

David Spark: And what I think I like in what you’re describing is you’re creating a nice combination of essentially doing the research, the threat hunting, applying the AI tools, but then also offering on top of it all the just-in-time training. For which many of these security awareness training programs also do as well, but they don’t offer sort of the other two elements that you’re saying. And as you have mentioned, and we’ve said many times on this show – people, process, and technology. No one stops it all.

Patrick Harr: Yeah, nothing stops it all, right? Nothing is foolproof. But what you can do is successfully, as I’ve said a few times, you can augment that human with AI, make them the superhuman. And in turn, I think we can do a fair amount of damage in terms of stopping these attacks. I think that’s actually the only way, whether it’s us or someone else. Interestingly enough, I was actually with Google, and it was the Google Chrome people. We’ve reported a 61% increase year over year in phishing attacks, basically the same thing that they’re seeing.

So, if you think about it, you look at the cybersecurity spend, it actually went up last year, yet we had breaches go up. If you also look under the covers, there’s significant investment in network security, significant investment in web security and identity. I think that’s the top three, but there’s this little thing called human security, which is predominantly training, and if we don’t invest there, again, add the AI controls there, I think you’re going to continue to see breaches go up, despite greater spending. And particularly when we’re going into downturns, there’s going to be a lot more pressure there. And so kind of to the CISO audience here, how do we make your job easier, also how do we make the user’s job easier, right? And make this, we’ve talked, remove that complexity, add the AI controls, and I think you’re going to do a significant amount of damage back to the bad guys as opposed to them doing that damage to you.

Pay attention. It’s security awareness training time.

29:31.380

David Spark: Cybersecurity awareness training doesn’t seem to be educating people to create more secure passwords. These are depressing stats. Get ready for this, Andy. According to the Psychology of Passwords survey from LastPass, even though 65% of their survey respondents had some form of cybersecurity education, 62% almost always or mostly use the same variation of a password. It gets worse – 9 out of 10 respondents know that using the same password or a variation is a risk, yet only 12% said they use different passwords for different accounts. I will say there is one piece of good news, which is that 2/3 did say they created stronger passwords for financial accounts, and some related things as well. So, something is sinking in, but not a lot, Andy. Is this cause for alarm or just more reason to require MFA and tools like SlashNext? Like what Patrick has.

Andy Ellis: So, as always, I do start out by saying this is a survey, so be very careful because there’s a lot of bias that slides in from who decides they’re going to respond and how the questions were worded and what someone wanted to put in. I’ll admit, I reuse passwords. Not all of my passwords, but there’s no sane way to not reuse passwords, especially when I have accounts that I have to share with a family member. And so we both have to know what the password is. It’s a pain in the neck.

David Spark: I don’t know about you, but I have tons of passwords. I couldn’t tell you what they are.

Andy Ellis: Oh, absolutely. I also have a lot that I don’t. I have things that are in password vaults, and I have three different password vaults, just to make life even more fun.

David Spark: I couldn’t break into most of my accounts.

Andy Ellis: Well, if I have access to my email, I can always just do a password reset. And trust me, I end up doing that way too often to get back into my own accounts. So, I’m absolutely in the, like, let’s get past passwords.

David Spark: Yes.

Andy Ellis: So, I’m a big fan of MFA, especially if it’s FIDO2 compliant. I’m a huge fan of things that are truly passwordless. We need to get there and recognize that this whole authentication model of passwords was always a bad idea.

David Spark: Well, they knew it when they created it in the ’60s.

Andy Ellis: Well, if you go back, what was the point of a password originally? Like what did we draw this from? It was from Army encampments where the scouts as they were coming back had to shout out the password, so they didn’t get shot. This was literally the “Don’t shoot me until I get close enough that you can verify who I am.” It was not an authentication of you, it was a group-based authentication of like, “Please don’t kill me while I get close enough.”

David Spark: All right. Do you find these stats alarming or like, “Yeah, I kind of knew this was happening,” Patrick?

Patrick Harr: You know, I hate saying it, I think I kind of knew it was happening. There’s certainly been a lot of talk, as Andy was pointing out, about using passwordless, so I kind of think that’s a little bit of the buzzword now. And it is great if you’re doing FIDO2 compliance. But even then, we can just point to the recent – I don’t know if everyone saw this – Cisco got breached through a personal Gmail account of an employee, and that’s because they actually didn’t implement FIDO the right way in their environment. And so they were able to bypass that, corrupt the browser, back door into the network.

So I think, back to this point, I’m not surprised by the stats. What I think it does highlight is that you have to put a multilayer defense in place. (1) As we were talking, don’t rely on training, that’s number one, (2) put AI controls in place, particularly in your messaging channels because that’s basically where they “phish for the biggest game hunting” as a bad actor against the user. (3) Definitely, definitely implement MFA, FIDO2, passwordless. I would actually take it even one step further. I think you’re going to need – let’s call it the human factor authentication – by putting in that secondary, whether it be your face, whether it be, David, your DNA in the future.

[Laughter]

David Spark: My DNA to get into everybody’s account.

Patrick Harr: Exactly. I do think that’s going to be important, but bottom line I think it’s that multi kind of layered approach. Because there’s literally no way in heck I can remember the thousands of passwords…

David Spark: No, it’s impossible.

Patrick Harr: …you ultimately have. And I think, Andy, to your point, I can’t tell you how many times I hit that password reset because it’s probably every day where you forget something.

Andy Ellis: And the worst part is when you have multiple accounts with the same company – I’m looking at you, Ticketmaster – so it’s like, “Which email address am I resetting the password for this time?”

[Laughter]

Patrick Harr: Well, now it even makes it more complex because you got the iCloud, or you know how Apple hides it through iCloud, you’re like, “I don’t even remember what happened there.”

David Spark: Well, we’re not going to solve the password problem alone, but we’re going to have to augment it some way, which we’re all kind of in agreement on this.

Closing

34:31.719

David Spark: And that brings us to the end of our show. Thank you very much, Patrick. Thank you very much, Andy. And thank you, Patrick, for your company SlashNext for sponsoring this and many other programs on the CISO Series. We greatly appreciate it. Now, I’m going to let you have the very last word. But first, Andy, any last thoughts?

Andy Ellis: Well, in just a few days it’s Hanukkah, so Happy Hanukkah, everyone. And for those of you in the minority religion that comes after it, Merry Christmas.

David Spark: Ah. There you go. Patrick, just to remind everybody, SlashNext, it’s slashnext.com. Any offer and are you hiring, by the way?

Patrick Harr: We are hiring. We’re expanding very rapidly. We’ve had great success in, I’ve said it a few times here, being able to use AI to augment those messaging controls and prevent these attacks from happening. So, I’ll just close by saying Happy Holidays, everyone. Hopefully get what you wish for, and don’t wish for that attack.

David Spark: In fact this, by the way, is the last episode of 2022. I didn’t even mention that. It is the last episode. So, for those of you listening, you’re not going to hear another episode until 2023, so enjoy this one. You know what? Listen to it repeatedly maybe…

Andy Ellis: Over and over again.

David Spark: …next week.

Patrick Harr: Over and over again.

David Spark: Just listen to this episode again. [Laughter]

Andy Ellis: Yeah, every night of Hanukkah, just cue up this episode and listen to it.

David Spark: All right. And if someone mentions they heard you on this show, Patrick, that’ll get you in good [Inaudible 00:35:58].

Patrick Harr: Well, David, just for your audience or our audience here, I will give out, I’ve got a free voucher we’ll offer for our home version of our mobile app.

David Spark: Oh.

Patrick Harr: So, for those that are actually tired of being the IT professional for your parents, your grandparents, or your kids, this does protect them. Again, if they’re using Discord, it does protect them from let’s call it the “stupid human clicks,” and it really helps provide that layer of security, again, back to your parents or your grandparents, etc.

David Spark: Perfect gift for the holidays.

Patrick Harr: Absolutely.

David Spark: And by the way, here’s my tip for you Patrick and Andy and anybody else listening that is doing tech support for their parents – my wife and I have figured it out. I do tech support for her mom; she does tech support for my mom. Saves a lot of anxiety.

Patrick Harr: Ooh, ah.

David Spark: Oh, my God. I’m telling you – if everyone just decides to swap parents in terms of tech support…

Andy Ellis: Yeah.

David Spark: …it will solve a lot of problems. Because [Laughter] the child angst comes out when you’re dealing with your parent’s tech issues.

Patrick Harr: Yeah, David, I think that probably holds true if you want to teach your kid sports, right? Swap with a parent because you know your kids don’t like listening to you.

David Spark: Good point. All right. Thank you again, Patrick. Thank you, Andy. And thank you, everybody, for listening and supporting the CISO Series Podcast.

Voiceover: That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our Virtual Meetup, and Cybersecurity Headlines Week in Review. This show thrives on your input. Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to the CISO Series Podcast.