Hacking Humans 1.24.19
Ep 33 | 1.24.19

Opening your eyes to the reality in which we live.


Jessica Barker: [00:00:00] A lot people can think, oh, hackers would never want my data. Why would anyone be interested in me? So making them understand, A, how cybercrime works and the fact that it often isn't targeted and, B, why information that they handle would actually be of interest to criminals.

Dave Bittner: [00:00:15] Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast. This is the show where, each week, we look behind the social engineering scams, the phishing schemes, the criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe.

Joe Carrigan: [00:00:35] Hi, Dave.

Dave Bittner: [00:00:36] We've got some fun stories to share. Later in the show, Carol Theriault returns. She's got an interview with Jessica Barker from Cygenta. They're going to be telling us all about proper ways to train your employees. But first, we've got a quick word from our sponsors at KnowBe4.

Dave Bittner: [00:00:53] So what's a con game? It's fraud that works by getting the victim to misplace their confidence in the con artist. In the world of security, we call confidence tricks social engineering. And as our sponsors at KnowBe4 can tell you, hacking the human is how organizations get compromised. What are some of the ways organizations are victimized by social engineering? We'll find out later in the show.

Dave Bittner: [00:01:20] And we are back with some interesting stories to share. Joe, I'm going to kick things off this week. Ransomware, of course, is a popular way for bad guys to make money.

Joe Carrigan: [00:01:30] It's a great way to monetize hacking.

Dave Bittner: [00:01:32] Yeah. It's actually fallen off in popularity in the past year or so. And a big reason for that is that folks have gotten better at having backups of their data.

Joe Carrigan: [00:01:42] Ah.

Dave Bittner: [00:01:42] So the ransomware is not as effective. People can restore their backups. But there's a story from a CSO online about protecting backups from ransomware. And there's some - some good stuff in here. First of all, you want to have multiple backups.

Joe Carrigan: [00:01:56] Right.

Dave Bittner: [00:01:56] There's an old saying that one is none.

Joe Carrigan: [00:01:59] Right.

Dave Bittner: [00:01:59] You know, where if you only have one backup, you might as well have no backups.

Joe Carrigan: [00:02:02] I will tell you the first thing of computing that I learned from one of my early, early mentors - a man by the name of Jeff Russell - who was the guy that operated the computer lab at Frostburg State University back in the '90s. And he said the first four rules of computing are backup, backup, backup and backup.

Dave Bittner: [00:02:19] (Laughter) Right, right. Some good stuff to dig in here with. I mean, first of all, you need to back up in more than one location.

Joe Carrigan: [00:02:27] Yes, off-site backups.

Dave Bittner: [00:02:27] So if you have a physical backup, you know, let's say a hard drive sitting next to your computer, well, it's probably a good idea to have one in the cloud as well.

Joe Carrigan: [00:02:34] Exactly, or off at a distant location. Like, maybe if you have family members, you could just say, here, just hold on to this hard drive for me.

Dave Bittner: [00:02:42] Mmm hmm, I do that as well.

Joe Carrigan: [00:02:42] Yep.

Dave Bittner: [00:02:42] I'll regularly take something home, stick it in a safe place in the house - a safe or just even under the stairs.

Joe Carrigan: [00:02:49] Right. Yep.

Dave Bittner: [00:02:49] You know, someplace cool and dry. So if there's a fire at the physical location, then you have a backup.

Joe Carrigan: [00:02:56] Correct.

Dave Bittner: [00:02:56] But there were some interesting things in here that I hadn't really considered before. One of the things they pointed out in this article is the importance of giving your backups different credentials than your regular system.

Joe Carrigan: [00:03:09] Hmm.

Dave Bittner: [00:03:09] Because more and more, as the ransomware grows more sophisticated, the folks who are writing the ransomware, they're going after your backups as well.

Joe Carrigan: [00:03:17] Right.

Dave Bittner: [00:03:17] And...

Joe Carrigan: [00:03:18] Because that's the economic incentive, right?

Dave Bittner: [00:03:20] Right.

Joe Carrigan: [00:03:20] We're seeing this as an economic fight between two sides. One is the criminals who want to monetize ransomware, and the other one is the potential victims who don't want to have to pay.

Dave Bittner: [00:03:29] Right.

Joe Carrigan: [00:03:29] So they're paying for these backups. And now the criminals want to encrypt those as well so they can get their money.

Dave Bittner: [00:03:35] Right. I could see how, you know, I have a backup on my system. And I think I'm all set to go.

Joe Carrigan: [00:03:40] Right.

Dave Bittner: [00:03:40] But if that backup is using the same credentials as the system, one of the things they point out here is that quite often, the folks who are doing the ransomware, they'll get in your system. And they'll hang out for a while before they encrypt.

Joe Carrigan: [00:03:50] Right.

Dave Bittner: [00:03:51] They can be in there for months gathering information, gathering credentials and so on and so forth.

Joe Carrigan: [00:03:56] Laying low, as it were.

Dave Bittner: [00:03:57] Yeah. So you want to have your backups have independent credentials from your system itself so that if they get the credentials to your main system, that doesn't mean that they automatically have access to your backup, where they can mess with that or subject that to the ransomware as well.

Joe Carrigan: [00:04:13] So I'm sure that - that backup vendors are now happy to tell you about how to secure your backups against ransomware. So it's, you know - it's just another step in the arms race that is security.

Dave Bittner: [00:04:24] Yeah.

Joe Carrigan: [00:04:25] And cybersecurity.

Dave Bittner: [00:04:25] Yeah, and I think about, even, if you have an encrypted backup and you password protect that encrypted backup.

Joe Carrigan: [00:04:32] Right.

Dave Bittner: [00:04:32] Just have that be an independent password that's not related to anything else.

Joe Carrigan: [00:04:36] Yeah.

Dave Bittner: [00:04:36] Of course...

Joe Carrigan: [00:04:36] If that encrypted backup has a file and then the attackers encrypt that with their own key, then I still can't access it.

Dave Bittner: [00:04:43] Yeah, that's true. But that's the point of having it in a different place...

Joe Carrigan: [00:04:46] Right, right.

Dave Bittner: [00:04:47] Offline from the main system...

Joe Carrigan: [00:04:49] Yeah, that's...

Dave Bittner: [00:04:49] ...Physically disconnected.

Joe Carrigan: [00:04:50] The best way to do it is to physically disconnect it from your computer and keep it somewhere else.

Dave Bittner: [00:04:54] Yeah. So once that backup executes, physically unplug it. (Laughter). And carry it, stick it in a drawer. Take it somewhere else. Some good reminders here, have multiple backups and have separate credentials for those backups to help protect yourself from things like ransomware.

Joe Carrigan: [00:05:09] Yeah.

Dave Bittner: [00:05:10] All right, well, that's what I've got this week. Joe, what do you got?

Joe Carrigan: [00:05:12] So I have this story that comes from myonlinesecurity.co.uk.

Dave Bittner: [00:05:14] OK.

Joe Carrigan: [00:05:17] And the author of this website is saying that there is a phishing attack that is sending out infected Excel documents and word documents.

Dave Bittner: [00:05:25] OK.

Joe Carrigan: [00:05:25] All right, and the file contains a macro that will then try to download a keylogger - either HawkEye or Agent Tesla. Those are just two names of these commodity keyloggers. And a keylogger is just a piece of malware that does exactly what it says. It logs every keystroke that you make on your computer and reports it to a server somewhere.

Dave Bittner: [00:05:44] Right. So they're looking out for your passwords, your...

Joe Carrigan: [00:05:45] Right.

Dave Bittner: [00:05:46] Yep, yep.

Joe Carrigan: [00:05:47] So if they see a username or something that looks like a username or an email address, the next thing they're going to look for is a password. Agent Tesla is particularly nasty because it will also capture your clipboard.

Dave Bittner: [00:05:58] Oh.

Joe Carrigan: [00:05:58] Which is where password managers might store passwords temporarily.

Dave Bittner: [00:06:02] Right.

Joe Carrigan: [00:06:02] So if you get infected with this one, it's a really powerful piece of malware that can really mess your day up.

Dave Bittner: [00:06:09] Yeah.

Joe Carrigan: [00:06:09] There are lots of different versions of these malicious messages in these documents. And they all exploit a vulnerability that was made public in 2017.

Dave Bittner: [00:06:19] All right.

Joe Carrigan: [00:06:19] So once again, we find that a vulnerability from two years ago now is being used to exploit things. So everybody, update your systems.

Dave Bittner: [00:06:27] Oh, I see. Yeah.

Joe Carrigan: [00:06:28] Here's the social engineering angle of this. First, they're spoofing legitimate businesses and real people at those businesses.

Dave Bittner: [00:06:35] OK.

Joe Carrigan: [00:06:36] The attackers have got a list of these businesses and people there. So if you go - you get an email from someone you don't know and you Google them, you'll find them. They're there.

Dave Bittner: [00:06:45] I see.

Joe Carrigan: [00:06:45] Right? So it lends sort of a credence to itself.

Dave Bittner: [00:06:47] Right.

Joe Carrigan: [00:06:48] OK, so here's the clever part. Office versions since 2010 have had this thing called protected view, which doesn't let you edit the document and doesn't let any macros run.

Dave Bittner: [00:06:57] And that's the default setting.

Joe Carrigan: [00:06:58] That's the default setting on these things, right?

Dave Bittner: [00:06:59] Right, right.

Joe Carrigan: [00:07:00] So you have to - for every document you open, you have to actually enable editing or enable macros. But one of these Word documents contains just text that says, here are the instructions to view the contents of this document. And it's just instructions on how to enable macros for that particular version of Office.

Dave Bittner: [00:07:19] Oh.

Joe Carrigan: [00:07:19] Right? Another one of these documents contains a statement that reads, if your document has incorrect encoding, enable macros. And then it has a bunch of gibberish after it to make you think that your document has incorrect encoding.

Dave Bittner: [00:07:31] So you open up the document.

Joe Carrigan: [00:07:32] Right.

Dave Bittner: [00:07:33] And in both of these cases, it's - it's pretending like there's something that you want to view that you can't view until you enable the macros.

Joe Carrigan: [00:07:40] Correct. So that's where the social engineering happens on this, is it happens in the document. And...

Dave Bittner: [00:07:45] They're trying to be helpful.

Joe Carrigan: [00:07:46] They're trying to be helpful, exactly.


Dave Bittner: [00:07:48] Right, right. Yeah.

Joe Carrigan: [00:07:50] So the site says - and I agree with this - never ever, ever enable macros on something.

Dave Bittner: [00:07:55] Yeah.

Joe Carrigan: [00:07:55] Just don't do it. There's no reason for anybody to send you a document that has macros enabled. I guess there's probably some business reason that somebody's going to come up and say. But - but generally speaking, an unsolicited document should never have macros enabled.

Dave Bittner: [00:08:07] Well, it's a red flag.

Joe Carrigan: [00:08:08] It's a red flag, exactly.

Dave Bittner: [00:08:09] Yeah. If somebody sends you something that has macros enabled, then you know that's a red flag.

Joe Carrigan: [00:08:14] Right. Don't do it.

Dave Bittner: [00:08:14] Don't - be extra suspicious. Yes. Yes, there are very few - I can't - I don't recall ever needing to enable macros in any document ever, in the decades I've been using those kinds of things.

Joe Carrigan: [00:08:26] Nor can I.

Dave Bittner: [00:08:27] Yeah. Like you said, I'm sure they're out there.

Joe Carrigan: [00:08:29] Yep.

Dave Bittner: [00:08:29] And I'm sure our listeners will let us know. But yeah, just don't do it. All right, it's a good story, interesting stuff. It's time to move on to our Catch of the Day.


Dave Bittner: [00:08:43] This week's Catch of the Day comes to us from a listener, a particular listener, friend of the show.

Joe Carrigan: [00:08:47] Yep.

Dave Bittner: [00:08:48] Do we want to say who he is?

Joe Carrigan: [00:08:49] He's a super-listener, Chad.

Dave Bittner: [00:08:50] Super-listener Chad.

Joe Carrigan: [00:08:52] Right.

Dave Bittner: [00:08:52] Sent us this. This is an interesting series of text messages between super-listener Chad and someone claiming to be a celebrity.

Joe Carrigan: [00:09:02] Someone claiming to be Nathan Fillion on Twitter.

Dave Bittner: [00:09:04] Yeah.

Joe Carrigan: [00:09:04] And if you are paying attention closely, you will notice that Nathann is spelled with two N's at the end of Nathan.

Dave Bittner: [00:09:12] I see.

Joe Carrigan: [00:09:13] Which is - the actual Twitter handle is @NathannFillion, with two N's at the end of Nathan. So it's actually a very well-spoofed account. It has the same picture that Nathan Fillion has on his actual Twitter account.

Dave Bittner: [00:09:24] Mmm.

Joe Carrigan: [00:09:25] It is not a verified Twitter account though.

Dave Bittner: [00:09:26] OK. Well, let's read through this. I will play the part of the celebrity.

Joe Carrigan: [00:09:30] OK, and I'll be Chad.

Dave Bittner: [00:09:31] And you can be Chad. Here we go.

Dave Bittner: [00:09:33] (As @NathannFillion) Thanks for liking my page and all the support you've given me through all these years. I hope you never stop watching my movies. How long have you been a fan?

Joe Carrigan: [00:09:41] (As Chad) Since "Firefly." But I've enjoyed a lot of your work. Some of my other favorites are probably Captain Hammer from "Dr. Horrible" and "Castle." I also liked your role on "Santa Clarita Diet." And I'm really enjoying "The Rookie."

Dave Bittner: [00:09:54] (As @NathannFillion) That's great. How would you love it if I get you a free VIP ticket for a meet and greet with me?

Joe Carrigan: [00:10:00] (As Chad) That would be great. But I live in Ohio, not sure when I could make it out to California. I guess I'm assuming you're in California. But if you are, I have a very good friend who lives there. She's in Oxnard. She is also a huge "Firefly" fan. It was actually how I met her.

Dave Bittner: [00:10:17] (As @NathannFillion) According to my schedule, my team and I have to be in Ohio in about two weeks for a filming on The Rookie. Every fan is important to me. And I have a team that picks out active fans on my fan page, and you stand out. I want to use this medium to extend a hand of personal friendship.

Joe Carrigan: [00:10:35] (As Chad) Wow, that's awesome. I would love to meet in person. Where are you going to be in Ohio?

Dave Bittner: [00:10:41] (As @NathannFillion) I will be at Custar. I would love us to keep in touch. But I'm afraid you might give out my number if I handed it to you.

Joe Carrigan: [00:10:48] (As Chad) Not a problem, I understand. You can always reach me here. Wait. Custar, Ohio, are you sure that's right?

Dave Bittner: [00:10:55] (As @NathannFillion) Yes, that's right. I barely come on here. Is your phone number private and secure?

Joe Carrigan: [00:11:00] (As Chad) Yes, it sure is.

Dave Bittner: [00:11:03] (As @NathannFillion) Do you have WhatsApp?

Joe Carrigan: [00:11:05] (As Chad) Uh no, sorry.

Dave Bittner: [00:11:07] (As @NathannFillion) It's OK. Here's my number. Text me now so I know it's you. I get random texts at times.

Joe Carrigan: [00:11:15] And this is where Chad terminates the conversation.

Dave Bittner: [00:11:17] Yeah.

Joe Carrigan: [00:11:18] So the red flag for Chad in this conversation was when @NathannFillion says he's gonna come to Custar, Ohio.

Dave Bittner: [00:11:26] (Laughter) OK.

Joe Carrigan: [00:11:26] Right? If the guy had said Toledo...

Dave Bittner: [00:11:28] Yeah.

Joe Carrigan: [00:11:28] ...Right, which is a relatively small city, then that wouldn't have fired off a red flag. But Custar, Ohio, has a population of about 200 people. Why would this guy - why would Nathan Fillion be going to Custar, Ohio?

Dave Bittner: [00:11:41] Yeah, interesting.

Joe Carrigan: [00:11:43] So that's what tipped him off. And that's - that's when Chad noticed that the account wasn't verified and that the account handle has an extra N in it.

Dave Bittner: [00:11:49] But an interesting thing here because I don't know if you've ever had the pleasure of interacting with someone you admire online, with some sort of celebrity. It is a thrill.

Joe Carrigan: [00:11:58] It is.

Dave Bittner: [00:11:59] You know, it is absolutely a thrill for someone you have been a fan of or admired. And so the point here is that it's easy to get caught up in that thrill and be taken down a path when you think you're dealing with someone that you admire or someone you're a fan of.

Joe Carrigan: [00:12:13] Yeah. It's one of those disarming things that short-circuits our thinking.

Dave Bittner: [00:12:17] Right.

Joe Carrigan: [00:12:17] And it's - it's what these social engineers do. It's why they use these fake accounts.

Dave Bittner: [00:12:21] Yeah. It's interesting. I wonder how they sort of focused in on Chad's location. I wonder if there's any location information or something, or just the fact that he said he was from Ohio, you know, they just randomly picked a location on a map. But good for Chad for - (laughter) for sniffing this out and not going down this path. You could see how lots of people could come down this path.

Joe Carrigan: [00:12:44] Absolutely.

Dave Bittner: [00:12:44] Yeah.

Joe Carrigan: [00:12:45] Absolutely. A less astute listener would have sent the text. And then they have your phone number. And then, God only knows what happens next.

Dave Bittner: [00:12:51] Yeah. All right. Well, thanks to Chad for sending that in. That is our Catch of the Day. Coming up next, we've got Carole Theriault with her interview with Jessica Barker from Cygenta. But before we get to that, a message from our sponsors KnowBe4.

Dave Bittner: [00:13:08] And now we return to our sponsor's question about forms of social engineering. KnowBe4 will tell you that where there's human contact, there can be con games. It's important to build the kind of security culture in which your employees are enabled to make smart security decisions. To do that, they need to recognize phishing emails, of course. But they also need to understand that they can be hooked by voice calls. This is known as vishing or by SMS texts, which people call SMShing. See how your security culture stacks up against KnowBe4's free test. Get it at knowbe4.com/phishtest. That's knowbe4.com/phishtest.

Dave Bittner: [00:13:55] Carole Theriault is back, and she has an interview with Dr. Jessica Barker from Cygenta. They're going to talk about training and, specifically, ways to get your team on board to be trained.

Carole Theriault: [00:14:07] Today I'm diving into cybersecurity training. Basically, if you work online, I wouldn't be surprised if your boss announces you are attending a mandatory cyber class this year. Having employees able to spot cyber traps that bypass technology lowers a company's overall exposure to threats. That's a win. But how do you get employees on board? For cybertraining to work, they must be engaged, interested. How do you go about that? And what can a company do if they haven't the resources to hire a top cyber trainer?

Carole Theriault: [00:14:37] Jessica Barker of Cygenta was kind enough to give us the lowdown. She's an expert on the human side of cybersecurity and trains companies all around the world. Now, just a little aside here - just before our interview, a chimney where Jessica was staying decided to start crumbling. Now, workers on the case did their best to tiptoe, but you can occasionally hear some background noise. I'm sorry about that.

Carole Theriault: [00:14:59] As soon as was on the phone, I dived into the deep end and asked Jessica, how did she bypass the technophobe barrier?

Jessica Barker: [00:15:06] So obviously, one of the key things is understanding what will make it relevant to them. So you don't want to just talk blanket about cybersecurity. And you don't want to give examples that won't be relevant to the people in the room. So you need to understand what their day job is and how cybersecurity relates to them because a lot of people can think - oh, hackers would never want my data. Why would anyone be interested in me? So making them understand, A, how cybercrime works and the fact that it often isn't targeted and, B, why information that they handle would actually be of interest to criminals.

Carole Theriault: [00:15:41] And how do you respond to that question? Say someone in your class said - why would an attacker or a cybercriminal focus on me?

Jessica Barker: [00:15:48] So one thing would be talking to them about their job, what they do and information they handle in that regard. But then another thing is just their personal lives, their personal information - so you know, their bank details, their personal data, their health data, their credit card. All of this information that you have and that you exchange when you're using the internet as a personal user all has a value. But then the people that you work with, the information you handle as part of your job - all of that will be relevant in one way or another.

Jessica Barker: [00:16:19] So for example, if I'm working with a small company who might think - oh, you know, hackers are only going to go after the big guys. Well, then it's talking to them about some of the companies that they work with, the supply chain that they're a part of.

Jessica Barker: [00:16:33] And I might share examples - Target would be the obvious one - where a third-party supplier - there, it was the air conditioning company - that was hacked to get into the bigger company. So it's always about picking those examples that show them - actually, this has happened before. This has happened to people like you who didn't expect it, and these were the consequences.

Carole Theriault: [00:16:53] So would it be fair to say, like, a good method of getting people to pay attention is drive up the fear factor in a way to make them realize that there are risks out there they may not be aware of?

Jessica Barker: [00:17:04] Yeah. I wouldn't see it as as driving up the fear factor. I would see it as just opening their eyes to show them the reality of, this does actually happen - without wanting to terrify them or scare them unnecessarily but just showing them, OK. This is the reality that we're living in, and these are the consequences that it has - and then moving on to, this is how it works. So for a lot of people, they hear about a cyberattack; they hear about phishing emails, whatever it might be. But it's very intangible. And for a lot of people, they don't understand how any of that works. So then doing demos - like, showing them, this is what happens on the attacker and the victim side, for example, if you click on a link in a spear phishing email.

Carole Theriault: [00:17:48] Right.

Jessica Barker: [00:17:49] And then their eyes are opened just to, like - oh, OK. Now I get it. Now I see.

Carole Theriault: [00:17:54] So your job is to have people who don't follow best practice to understand the point of following best practice when it comes to cybersecurity. Would that be fair?

Jessica Barker: [00:18:02] Yeah, exactly. It's about making sure - on one level, working with the organization to make sure that the best practices are there, that they're communicated - you know, that they're logical but they're proportionate; but then also helping to communicate those to people as to why the policy says to have good passwords or be careful about the links you click on or this, that and the other.

Carole Theriault: [00:18:25] But do people ever ask you about - what can the company take from me? - so more of a privacy agenda, for example? Do they kind of say things like - can the company read my emails if I send them from my work email or from my work computer?

Jessica Barker: [00:18:39] Yeah. It's rare, to be honest. You would expect that question to come up more. But people don't ask that so much. People have, in the past, where they've kind of said - how much can I be doing personal stuff on my laptop? - or whatever it might be. But I think either people know not to or people don't even consider it. I don't think there's many people in the middle, if that makes sense.

Jessica Barker: [00:19:00] And I think the other thing is people maybe don't want to ask the question.


Carole Theriault: [00:19:04] That's fair. That's fair - because I suspect people think - oh, if I'm using my personal Gmail on my work laptop, there's no way they could see what I was writing.

Jessica Barker: [00:19:14] Yeah.

Carole Theriault: [00:19:14] Right? And the answer is really no, guys out there.

Jessica Barker: [00:19:18] Yes. Yeah. I think a lot of people probably don't even consider it. But they also don't want to ask the question 'cause they don't want to admit that they're doing personal stuff at work.


Carole Theriault: [00:19:29] Yeah. Secret. We all do, guys.

Jessica Barker: [00:19:30] Yeah.


Carole Theriault: [00:19:33] So another question for you. Do you think that the Russia hacking news scandal and the Facebook exposing less-than-desirable working ethics has impacted how people see cybersecurity and social engineering?

Jessica Barker: [00:19:47] Yeah. I do think it has, actually. I think what we've seen over the last couple of years is things like, you know, the stories around Russia with the Facebook scandals, with just the kind of rolling news of cyberattacks and data breaches, and constantly hearing about, you know, TalkTalk and other big breaches and incidents, WannaCry. Things that have really hit the headlines have massively driven home cybersecurity in general. And then some of them, because they've been focused on social engineering, has really raised the awareness levels around the human side and the fact that this isn't all technical.

Carole Theriault: [00:20:24] Are you finding that companies are basically going, gee, we really need to pay attention to this? Because if this is happening on a personal level, in terms of things like Facebook, we are more at risk. And I've heard lots of numbers bandied around about how many threats actually have a social engineering component to the attack. So I've seen numbers as high as 90 percent. So it makes me think that people see employees as a significant risk to their company.

Jessica Barker: [00:20:52] Yeah. I think that's really changed in the last few years, as well. I've been working in cybersecurity and with this focus for about eight years. And when I started out, I would have to really explain to people in the industry what I did. A lot of people wouldn't get - why are you focusing on the human side? Like, what does that even mean? Whereas now, everybody gets it. And, you know, I don't really get that question anymore of, like, well, what do you actually do? What does the human side mean?

Jessica Barker: [00:21:20] So that's massively changed in the last couple of years. And also more and more companies that want to do something around it, some are very mature and will know exactly what they want to do around awareness, behavior, culture. Others will come to us, and they'll say, we know we need to do something on the human side, but, like, where do we even start? What does that look like for a company like us?

Carole Theriault: [00:21:43] That's great 'cause that was my next question. How does company A, how do they know they're going to be investing in someone good? What are some tips, I guess, on finding a good cyber training consultant to help you?

Jessica Barker: [00:21:53] Yeah. It's a difficult one because it's not as defined, I think, and there's not been as much focus in the industry as to working on the human side. So it can be, I think, a little bit confusing for companies that want to, for example, focus on their awareness, their behavior, their culture. So we get a lot of word-of-mouth recommendations. We'll have done something for one company, they recommend us to others. And so that's often, I think, how it works in this industry. A lot is based on trust and on your network.

Jessica Barker: [00:22:22] One thing is, you know, talking to companies and finding out what is their approach and seeing if it's aligned with where you want to be. So thinking about, you know, your company, what it looks like. Thinking about what is going to be most effective for the culture. And then going out to companies out there and seeing what are their offerings. And if you - you know, you might be interested in a cultural assessment to see, actually, what's going on here? We might, as an InfoSec team, think we know what some of the issues are, but actually what are levels of awareness like? What are people's values around cybersecurity? Are they reading the policy? Do they pay any attention to training?

Jessica Barker: [00:23:00] Answering some of those questions can then be really helpful to go on and do an awareness campaign to understand, OK, how are we going to target our awareness messages, and what do we want to get out of it? What behaviors do we want to see improve in the next year, three years, five years?

Carole Theriault: [00:23:17] I mean, I'd love if all companies did that. But I suspect, mostly, it'll be mid-to-large companies that have the resources and the capacity to think that strategically. And what about the smaller guys? So the guys that maybe don't have budget for outside training, how do they go about - you know, maybe they have 10 employees, and they want them to be safer. If there were, like, three big pieces of advice, you know, for them, what would you tell them?

Jessica Barker: [00:23:41] So having someone that can just talk about cybersecurity, talk about what it means in that company, is really helpful and it can be done in a fairly informal way in a smaller company. So that's one tip I would have for smaller organizations. Another thing is to make best use and take advantage of the resources out there.

Carole Theriault: [00:24:01] Yeah.

Jessica Barker: [00:24:01] So for example, the U.K. National Cybersecurity Center, they have great resources particularly aimed at small companies. And then look at the training platforms you already use. So for example, if people are using something like Pluralsight then there's so many resources on there that can be used throughout the company to raise more cybersecurity awareness. Or something like Cybrary. Again, lots of free resources on there that people can use to do training that's right for their role, for their pace, for their kind of position in the company.

Carole Theriault: [00:24:32] I did a few Cybraries (ph), actually. I thought they were very good.

Jessica Barker: [00:24:35] Yeah. I think they're great. And there's so much stuff that is free and valuable and, you know, provides great guidance out there. It's just a case of someone taking the responsibility to find it and share it with people and check that it's good enough for people to use.

Carole Theriault: [00:24:52] So maybe smaller companies would be wise to, in 2019, you know, to allow an employee that might be interested in technology to take half a day a week to go and learn and study and provide tips to the company. And even if they did that for three months, right, they would be at a much better cyber, you know, place in terms of best practices than they are today. I think that would be true for most companies out there that are small.

Jessica Barker: [00:25:19] Yeah. That would be amazing. And then of course, there's loads of local events and conferences and things happening, like B-Sides or the DefCon local groups, which are usually either free or really low-cost. So yeah, if a small company can give someone a little bit of time to develop their interest and go along to a free event or a local conference and networking event where they'll maybe learn a bit more, make some good contacts, which the company could maybe make use of if they need to. Then I think that's a win-win for everybody.

Carole Theriault: [00:25:48] Now, do you think that part of the problem actually is that business owners and directors and managers assume that Kevin in finance or Jeanine in marketing know more than they actually do? - because I'm sure in the interview process, they're like, oh, yes. I'm very computer savvy. I know all the programs.

Jessica Barker: [00:26:09] I think this is partly, sometimes, down to the culture we have around not just cybersecurity but technology in general, where people can feel that they don't want to be exposed as not knowing as much as they should. And they don't want to be the one asking the stupid question. So if the infosec team go in and do a presentation, do a training session. And then they'll say, oh, does anyone have any questions? People don't necessarily want to be the one to put their hand up and say, yeah, that didn't make sense to me at all.

Carole Theriault: [00:26:38] Yeah, yeah. Just because people are nodding doesn't mean they've actually taken in everything you've said. (Laughter) That's very true.

Jessica Barker: [00:26:44] (Laughter) And this is an issue we have in the industry, where we've seen people who are really, super technical and, you know, absolutely fantastic at the technical side of cybersecurity but maybe don't know, have never learned, have never been taught how to communicate that stuff.

Jessica Barker: [00:27:01] And then suddenly, they might find that they're being made responsible for doing awareness-raising training. But they don't know how to do that. They know what they want to communicate. But they don't know how to do so in a way that is actually engaging and effective and will get people to listen to them and go away and change their behaviors.

Carole Theriault: [00:27:20] Well, I think if they listen to this episode, I think they will be on the march toward changing their behavior.

Jessica Barker: [00:27:25] Well, this is what we're trying to do (laughter).

Carole Theriault: [00:27:27] Dr. Jessica Barker from Cygenta, a pleasure as always speaking with you.

Jessica Barker: [00:27:31] Likewise. Thanks, Carole.

Dave Bittner: [00:27:34] All right, interesting stuff. Thanks again to Carole Theriault for producing that story for us. Jessica Barker, of course, really knows her stuff and happy to have her on the show as well.

Joe Carrigan: [00:27:44] Yeah, I thought that was a very, very good interview. The one thing that I actually got a little bit triggered on here, Dave...

Dave Bittner: [00:27:51] (Laughter).

Joe Carrigan: [00:27:51] ...Is the age-old question of, why would an attacker target me?

Dave Bittner: [00:27:54] Yeah.

Joe Carrigan: [00:27:55] This is one that really irritates me.

Dave Bittner: [00:27:56] OK.

Joe Carrigan: [00:27:57] Everybody needs to understand that you have something of value to an attacker. It may not be of much value, but these people are doing this en masse. And they're automating things. It's of value to them.

Dave Bittner: [00:28:08] (Laughter) You're good enough.

Joe Carrigan: [00:28:09] Right.

Dave Bittner: [00:28:09] You're smart enough.

Joe Carrigan: [00:28:10] And doggone it...

Dave Bittner: [00:28:11] People want to hack you (laughter).

Joe Carrigan: [00:28:13] People want to hack you. Hackers don't just go after the big companies. They target the smaller companies because they are easier to attack. They don't have the huge defense budgets.

Dave Bittner: [00:28:21] Yeah.

Joe Carrigan: [00:28:22] Right? There is a great Black Hat video out there. If you just Google how the Feds caught Russian mega-carder Roman Seleznev...

Dave Bittner: [00:28:33] Yeah.

Joe Carrigan: [00:28:34] ...Then you can watch that video. And you can watch how this guy targeted small businesses, infected their machines and stole credit card information from them. One of these businesses actually went out of business as a result of this - shut down...

Dave Bittner: [00:28:48] Yeah.

Joe Carrigan: [00:28:48] ...Gone...

Dave Bittner: [00:28:49] Yeah.

Joe Carrigan: [00:28:49] ...Because they got sued by so many cardholders that they just couldn't survive under the weight of those lawsuits. And they had to close.

Dave Bittner: [00:28:56] Right.

Joe Carrigan: [00:28:57] So yeah, small businesses should care about this. Everybody should care about this. I want to say that both Carole and Jessica recommended Cybrary, which is a great resource headquartered right here in the great state of Maryland.

Dave Bittner: [00:29:09] (Laughter) Yes, yes. Yup, yup.

Joe Carrigan: [00:29:12] So if you want to check that out for getting training for people in small business, the training's all free, video-based training. There is some premium training that you have to pay for, but most of it's free and an excellent resource. And finally, the one thing I wanted to touch on here is that bridging the gap between technical people and non-technical people has always been a really big issue in this field, right?

Joe Carrigan: [00:29:33] Early on in my days as a software engineer - or actually not even a software engineer, just a developer - I had a manager tell me, you need to get better (laughter) at communicating with the users - right? - because they don't - you know, this was during the requirements. And we were doing an iterative process. And we were gathering requirements very frequently. So you have to be able to speak the language.

Joe Carrigan: [00:29:55] The communication skills are absolutely essential. And when it comes to going - to communicating cybersecurity information or best practices or whatever, you really need to have your communication processes. You need to have good communication skills here.

Dave Bittner: [00:30:10] Yeah. And I think...

Joe Carrigan: [00:30:10] It's imperative.

Dave Bittner: [00:30:11] I think, also, this notion of not being afraid to ask the dumb question...

Joe Carrigan: [00:30:16] Right.

Dave Bittner: [00:30:16] But I think there's two sides of that because I think we've also been in the room where somebody asks that basic, rookie question and the person sitting across from them goes, ugh.

Joe Carrigan: [00:30:26] Right.

Dave Bittner: [00:30:26] You know? And no, you - I mean, have empathy.

Joe Carrigan: [00:30:28] Don't do that.

Dave Bittner: [00:30:28] No, have empathy. And for the person answering that question, reinforce it and say, I'm really glad you asked that question because it's really important that everyone understands that. I...

Joe Carrigan: [00:30:38] Right. That's a good question.

Dave Bittner: [00:30:40] Yeah. I'm sure some people probably know all about that. But just in case you don't, let's do a refresher on that.

Joe Carrigan: [00:30:45] When somebody asks a basic question, that means that the speaker has made an assumption - an incorrect assumption about the audience. Right?

Dave Bittner: [00:30:54] Yeah, that's a good point. That's a good point. So just have some empathy for those people. And don't be afraid to ask that question. It's...

Joe Carrigan: [00:30:59] Right.

Dave Bittner: [00:30:59] To me, I think that's an empowering thing to have - it's a sign of confidence to be able to ask that - what is a dumb question...

Joe Carrigan: [00:31:08] Right.

Dave Bittner: [00:31:08] ...What you're afraid people might perceive as a dumb question...

Joe Carrigan: [00:31:11] Yes.

Dave Bittner: [00:31:11] ...Because it's not. If you're wondering, chances are there's somebody else in the room who's wondering the same thing.

Joe Carrigan: [00:31:15] Absolutely.

Dave Bittner: [00:31:17] All right. Well, that is our show this week. Thanks to everyone for listening.

Dave Bittner: [00:31:19] And of course, thanks to our sponsors at KnowBe4. They are the social engineering experts and the pioneers of New-school Security Awareness Training. Be sure to take advantage of their free phishing test, which you can find at knowbe4.com/phishtest. Think of KnowBe4 for your security training.

Dave Bittner: [00:31:36] Thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu.

Dave Bittner: [00:31:43] The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our editor is John Petrik. Technical editor is Chris Russell. Executive editor is Peter Kilpe. I'm Dave Bittner.

Joe Carrigan: [00:32:00] And I'm Joe Carrigan.

Dave Bittner: [00:32:01] Thanks for listening.