Charles Fedorko Member Spotlight, Cyber Safety for Children, & Intel Briefing
[ Music ]
Luke Vander Linden: Hi there, listeners. This is Luke Vander Linden, vice president of membership at the Retail & Hospitality Information Sharing and Analysis Center, and this is the "RH-ISAC" podcast.
[ Music ]
We have a pretty packed episode for you this week, so I want to get to our great guests quickly. But I do want to point out one resource that might interest you. And this again is about the SEC's newly announced rules on cybersecurity and corporate governance. Last episode, I shared some analysis from our great partners at the National Retail Federation on the then very newly released rules and what's in them and not in the final version? The NRF is a great partner for us, especially in the policy work they do, which really frees us up to focus on our reason for being, and that's really the practical applications for our members. The RH-ISAC's vice president for intel operations Bryon Hundley put virtual pen to virtual paper and gathered together some thoughts on the areas that our members, and really every retailer and hospitality company, should pay close attention to, to respond to and to comply with those new rules. That includes having the right incident response protocols in place, clarifying the process to determine materiality because really the requirement to report is based on materiality. He also touched on training communications. So we posted his thoughts on our public facing blogs. You don't need to be a member to access them. Just go to rhisac.org/blog/ or click on Blog in the navigation under Resources. Go there, take a look. But coming up on this episode, we have three great guests. We shine the member spotlight on Charles Fedorko, director of IT security at Sage Hospitality. I will also speak with Ellen Sabin, who has just published a book for children on cybersecurity. And finally, I'll be joined by the RH-ISAC's own Lee Clark for the briefing. If you want to be one of our guests or just want to tell us about something on your mind, please make it relevant to cybersecurity in retail and hospitality. Shoot us an email at firstname.lastname@example.org, or if you're a member, hit me up on Slack or Member Exchange.
[ Music ]
All right, we are now joined by Charles Fedorko, director of IT security at Sage Hospitality. Charles, welcome to the RH-ISAC podcast.
Charles Fedorko: Glad to be here, Luke, thank you.
Luke Vander Linden: So your title notwithstanding, you're the CCO equivalent at Sage, right?
Charles Fedorko: Correct.
Luke Vander Linden: So great. We actually got to see each other face to face earlier this summer at The Hospitality Show in Las Vegas, so it's good to see you again. And thanks for agreeing to be our member spotlight both here on the podcast and on our blog. So let's shine that spotlight on you. I'm guessing not many people have heard of Sage Hospitality, so tell us a little bit about what it is, what it does, and what keeps you busy there?
Charles Fedorko: Sage is a hotel restaurant and spa management company, and we're based out of Denver, Colorado. We partner with real estate groups and hotel owners to manage their hotel restaurant spa investments, while also managing and designing our own hotel and restaurant investments. And what that means is Sage is the trusted partner that operates all business functions for our properties from HR and payroll to cybersecurity.
Luke Vander Linden: So you have your own hotels that you own, but then you also operate on behalf of other owners as well?
Charles Fedorko: That is correct.
Luke Vander Linden: I think this is probably part of the hospitality industry that almost no one who just is a regular stayer at hotels, a guest, knows about. Like they just assume that they're at a Hilton or a Marriott that's owned by them. So how many properties does Sage manage and slash own?
Charles Fedorko: So there's about, want to say, about 65 hotels, 30 restaurants, and about 10 spas.
Luke Vander Linden: Wow, exciting. And so what do you do there, as the director of IT security?
Charles Fedorko: I help and develop and implement this cybersecurity strategy here at Sage, trying to find ways to decrease risk and increase the security posture of Sage and the properties we manage. I maintain compliance. I follow privacy regulations, and I build and develop the policies here. And I continually seem to fill out audits and assessments. I also lead the security team here, and they manage and maintain and deploy security tools and monitor and respond to our security events. The team and I also collaborate on its response risk management, our projects and, you know, we want to make sure we align to our department goals.
Luke Vander Linden: So that's a much kind of bigger umbrella than a lot of our CCO's see just because I imagine it's a fairly efficient and tight operation you have there?
Charles Fedorko: Yeah, and it's, you know, we have a small team, but we've looked for ways to be efficient through our tools, through our processes and our people. So it's, you know, and with, you know, 100 locations, 65 hotels, you know, we have good, yeah, we have a good foundation here. And we know we're trying to mature on it. And at the same time, you know, we're trying to continuously improve on what we're doing.
Luke Vander Linden: So imagine when you were a kid, you didn't think someday that I want to grow up and work in cybersecurity? Because when you were a kid, I'm guessing, there wasn't such a thing as cybersecurity, so how did you make your way into this industry?
Charles Fedorko: Well, I have a liberal arts degree in English literature from the University of Rhode Island, and that's where I was first exposed to emerging technology. And what I mean by emerging is Telnet Unix at Gopher Protocol. And this was like the early 90s when Netscape was the hot browser at the time. And while I was in college, somehow I was hired to support the Alumni Foundation Network with no experience, and that's how I got started working in technology. Supporting users, I was loading programs. I was running cables, and I supported a token ring network to date myself a little bit more.
Luke Vander Linden: That's great. I think we're right around in college right around the same time. I had been to dial-up bulletin boards before. My very first email address was provided by my college, and it was an entirely -- it wasn't even Netscape -- it was entirely text-based system. I think was called Lynx, L-Y-N-X or something. But it was just.
Charles Fedorko: Okay.
Luke Vander Linden: You know, either I can't remember it was green or orange text on a black screen, but no one was talking about security back then, at least as far as I knew. So you got into IT that way, and you went right with your non-IT degree into IT?
Charles Fedorko: You know, for me, technology, it was new, and it was innovative, and it was exciting. And I just kind of, you know, as far as my mind work, it was the bright, shiny object that just was always attractive to me. And that was kind of like my background, you know? After college, you know, I was a snowboard bum, but then, you know, kind of had this technology background. So that's kind of like what I was focusing on when I was looking for jobs and whatnot. Yeah, just something I kind of always fell back to, but also, you know, kept on learning more and more and gaining more knowledge.
Luke Vander Linden: So how did that transition into cybersecurity from just IT?
Charles Fedorko: Yeah, sure, so, you know, over the years, I had, you know, multiple IT roles, and, you know, kind of system admin roles, tech support roles, IT management. So I was an IT manager for, here in Denver, for, you know, supporting a team of infrastructure and ops guys. And I was actually scammed once, and so that's kind of how I got into cybersecurity. I've rented a vacation property and made a wire transfer, and it disappeared. So that event was actually the catalyst for me to pivot and focus on cybersecurity.
Luke Vander Linden: How did they contact you, and what methods did they use? Was it cyber related, or was it just in general, being more aware of security?
Charles Fedorko: I was traveling back to the East Coast. I was going to a festival at Newport, Rhode Island.
Luke Vander Linden: Okay.
Charles Fedorko: And so since I knew I was going there, I was living in Colorado at the time, I told my family, hey, who's scattered around the East Coast, I'll be in Rhode Island. Come meet me. And I'll get a beach house. So I actually searched for a beach house on Craigslist, of all places. And I, you know, and then, you know, the owner at the time was super responsive. You know, we're emailing back and forth. The pictures look great, and so I made the wire transfer to book the house. And then I went out to Newport, Rhode Island, had a great time at this music festival with my friends, and then, you know, at the time -- and then during the festival, I started, you know, calling and texting the owner of the home, and then I noticed that the responses started to slow down more.
Luke Vander Linden: Wow.
Charles Fedorko: And yeah, and then I, you know, festival is over. I go to Narragansett, Rhode Island where I was renting the house. And I never forget. I turned the corner, and I just had this sinking feeling in my stomach. And then I walk up to the house. I knock on the door. The door opens. There's this like a huge family like all laid out on the -- in the living room after a long day at the beach. And I said I'm like, "Hi, are you renting the house this week?" And they all -- they say yes. So I am, and I'm like, "Oh, I thought I was," and I said sorry for bothering you, and, you know, and that's it. And yeah, I got scammed. Yeah, and then after that event, I, you know, the company I was working for at the time needed someone to raise their hand and take on the PCI compliance. So it was just perfect.
Luke Vander Linden: Wow, so how did your career develop from that point, starting off with PCI and then and to where you are today?
Charles Fedorko: You know, a lot of drinking from the fire hose, you know, with initiatives, but I learned a lot from the like third parties that we partnered with. You know, so, you know, at the time, you know, it was PCI compliance initiative, and I'm like, "Okay, what was that?" And it was remedying PCI compliance gaps, but I was working with a local PCI company, and I just learned a ton. I was a sponge. I asked a million questions at the time. And then I started to really figure out what cybersecurity meant and where I could take it. And then, you know, I kind of bopped around to companies that were looking for cybersecurity professionals, specifically. And then I got, you know, I started getting certificates, started reading, started doing workshops. And, you know, and then I guess I got to where I am honestly, a lot of reading, a lot of listening, and a lot of doing.
Luke Vander Linden: Yeah, it seems like this industry, the path to it, is different for everybody. Just because, you know, some people take a technical route. A lot of people don't, but they end up here. So that's great. So when we were in Vegas, you were on a panel moderated by the RH-ISAC's own Kristen Dalton. And the topic was securing hotel operations across multiple brands and owners, which is a huge challenge, and it's what you guys do. It sounds like a huge challenge just from coordinating different technologies and managing expectations up and down. Tell us a little bit about that experience for you.
Charles Fedorko: Yeah, perfect topic because brands make up about 65% of our hotels, with the rest being independent hotels. And just like you said, there's a lot of complexity within those factors when no hotel is truly the same. There are different standards. There's different systems. There's different network topologies, different IoT devices. And we inherit a lot of risk through all types of tech and security debt when we take over management of a property, but we've developed processes over time to simplify the approach of remediating that security and tech debt through foundational security controls. And I also gave the importance of cyber insurance. That was another topic I was talking about, and the indemnity to provide to cover any expenses before, during, and after a breach. And it's important to have cyber insurance, my feeling anyway. I mean, cyber insurance providers assist with covering the cost of fines and revenue loss that a breach could cause. And what's really valuable is some underwriters will provide experts to perform incident response and forensic services. And they also have services around breach readiness, like tabletop exercise, and they'll help you build a cybersecurity incident response plan.
Luke Vander Linden: Yeah, I've been hearing that more and more positive things about cyber insurance is that they'll -- it's not like other insurance, that they'll be the really a good partner for folks these days.
Charles Fedorko: Yeah, and like you said, it's the partnership. And it's, for me, it's another resource where I could reach out to these partners and understand what the cyber insurance landscape is looking at. And we all know the last couple years, you know, premiums are going up. Coverage is going down. And it's good. You know, I partner with them and learn about that, but also to realize that, you know, cyber insurance is somewhat normalizing with a decrease in ransomware attacks. So hopefully next year is going to be a better year for everyone that wants cyber insurance.
Luke Vander Linden: I think a lot of people view the questionnaires they get from their insurance company in a somewhat adversarial way. But really, it's, as you learn, as you mentioned, learning from lots of different sources. And if you truly view it as a partnership, the things they're asking you are maybe things that could point you in the direction to areas where you may not be focusing on.
Charles Fedorko: Can't agree with you more. We're use it as a gap analysis, and we have 65 properties. So that gap analysis we use against 65 different sites, and it's great to kind of -- every year you go in front of your underwriters or a group of underwriters either provided through your insurance broker and you basically telling the story about your cyber insurance program. Little masochistic, but it's a good experience.
Luke Vander Linden: Many partnerships are. So how does the RH-ISAC help with the work that you do with securing Sage and all your different properties and brands that you work with?
Charles Fedorko: Well, I was first introduced to the community when Sage was a member of the Travel ISAC group, which later merged with the RH-ISAC group. And, you know, for me, it's the sharing of resources available in the community. It's, invaluable. You know, not only is there, you know, no shortage of suggestions and opinions and recommendations, but the, you know, if I have a project coming up, and I'll just reach out to the RH-ISAC community. And, you know, if I'm challenged, I'll find out how members got over that challenge. Or even like if there's an initiative that comes up, but I'm really not sure if it makes sense at this time, whether it be budget, or if it's relevant to what's going on in my business right now. I'll reach out and, you know, see what members do and find out what [inaudible] specification they took and if it makes sense to us. It's, you know, but it's also cybersecurity teams come in all shapes and sizes, and, you know, we're a small team here, and I've been a team of one in other places. But, you know, it's the community makes a small team feel bigger because of the support that comes from RH-ISAC.
Luke Vander Linden: That's excellent. So, you know, looking at hotels, I think they have obviously unique challenges, even within our membership because of a lot of the IoT issues that you have. Yeah, tell us a little bit about those kinds of things and maybe what you've learned from some of your hotel, hospitality colleagues.
Charles Fedorko: Sure, IoT comes in a lot of shapes and sizes. And, you know, before we try to assess, you know, look, if you're in a hotel room, or, you know, or think about when you've been in one and think about all the different devices that are connected in a hotel room. But then it's outside the hotel room, like kiosks, and, I mean, you name it. Like so, you know, self-check-in kiosks, you know, anything that takes a credit card. And it's up to, you know, our cybersecurity department to assess those devices, you know, because, you know, we don't know where those devices are sending out to. We don't know like how they're handling our data. So you have to do a good job of protecting your guests' data, as well as your associate data. And just make sure that data is, you know, stored correctly, that it's not, you know, that it's transferring securely. And, you know, one thing that was really amazing when I was at The Hospitality Show was talking with Steve and Steve from Wynn, and Ken from, from Sands [assumed spelling]. And I was just amazed at what those gentlemen have to secure. I mean, walking through a casino, visual and audio stimulation is one thing, but it's just constant, you know, casino guests, you know, putting their credit cards and whatnot. And I couldn't believe. I couldn't imagine, you know, the task they have to screen that environment. But, you know, but during, you know, it amazed me. But you know, one thing about IoT devices, which was funny during the panel was, you know, Ken, the security at Sands was explaining how his IoT devices expand out to Japanese toilets at his casinos. And that's when we realized IT security isn't just about zeros and ones, but also about ones and twos.
Luke Vander Linden: Very good, very good, yes. I remember that, the Japanese toilet that's connected to the internet for some reason because why not? Seems like everything is. But yeah, it's just it's amazing to me, with hospitality, you have your guests are all about -- it's all about service. It's all about easing their time there, comfort. And a lot of times for them, it's a stressful environment because not everybody is used to travel. So just it's all set up for convenience and not necessarily for security. So, you know, for everything from you mentioned, you know, check in on your device with apps and just getting in, getting around the whole environments is just amazing.
Charles Fedorko: Guests are there for the experience. I mean, they're there to vacation. They're there for business travel. And same with our associates, you know? Our associates are here to do a job. And I feel it's up to us to take care of what they're not thinking about, their privacy, their data. It's for us to secure, and it's for them to enjoy the experience.
Luke Vander Linden: Right. So this is supposed to be a member spotlight, not about you and not just about work. So tell us a little bit what would you do in your free time?
Charles Fedorko: Sure. I mean, over the last five years, you'd think my hobby was taking certification tests and attending classes and workshops to gain knowledge, but I live in Colorado, and I take advantage of the national splendor as much as I can through getting outside and camping, hiking, snowboarding, biking, fly fishing, and I travel to take those --
Luke Vander Linden: Wow.
Charles Fedorko: Yeah, I travel to take those hobbies elsewhere. I'm a big fan of the World Surf League Pro Tour, which just finished up yesterday in Tahiti. Very exciting, the most dangerous wave on the planet.
Luke Vander Linden: You're not dialing in from Tahiti right now are you?
Charles Fedorko: No, no, I wish. Nah, I probably wouldn't be on a podcast right now. If I was, I'd be out in the water. But yeah, I play vinyl records. I see a healthy amount of live music. I have a garden. Yeah, I have a garden that keeps me busy here in Colorado, and I read a lot. And I love reading books that are or will be adapted into a TV series or movie to bring that story to another level of vividness. That's kind of been my thing over the last couple of years.
Luke Vander Linden: So do you read them before you see them on TV or film, or do you read them after?
Charles Fedorko: You know, sometimes I'll watch something. Oh, wait, it's a movie as well? I'll read something, and I'll figure out it's a movie, or vice versa. But I do prepare like Oppenheimer, the big Christopher Nolan, who I'm a Christopher Nolan fanboy for.
Luke Vander Linden: Oh, wow.
Charles Fedorko: I had to read Oppenheimer before I saw the movie.
Luke Vander Linden: So you're a Team Oppenheimer, not Team Barbie.
Charles Fedorko: Well, I did see Barbie, and I thought it sends a great message.
Luke Vander Linden: Oh, good.
Charles Fedorko: Yeah, and if Barbie had a book, I'd probably read it. And, but yeah, Oppenheimer, fantastic.
Luke Vander Linden: That's great. Well, thanks for joining us on the podcast, Charles. So when will we see you? When will I get to see you in person again? Will you be joining us at the RH-ISAC Cyber Intelligence Summit?
Charles Fedorko: Oh, definitely, I can't wait, love it. You know, just integrate more in the community to support the community and gotten a lot of people over the years. So I'm really looking forward to talking shop and sharing experiences, and of course, you know, there's always thought provoking panels and discussions. And honestly, I always seem to be inspired afterwards to, you know, just see where I could take my next career move or the next step in, you know, my career journey.
Luke Vander Linden: Excellent, that's great. Well, of course, if you want to join Charles and me and hundreds of your Retail & Hospitality cybersecurity colleagues, the summit is from October 2-4 in Plano, Texas. Charles, thank you so much for letting us spotlight you on the RH-ISAC podcast and looking forward to seeing you in a couple of months.
Charles Fedorko: You're welcome. Great to be here and great to support the community. Thanks, Luke.
[ Music ]
Luke Vander Linden: All right, I am now joined by Ellen Sabin, the president, founder, chief author, lots of titles probably, of Watering Can Press. Thanks for joining us in the podcast, Ellen.
Ellen Sabin: Thank you, Luke, I'm happy to be here.
Luke Vander Linden: So I don't think we've ever had an author before on the podcast, so tell us why we have you and what your relevance is to cybersecurity.
Ellen Sabin: Okay. Well, first off, thank you for having me. I always like being the first. I am the author of a series of children's books that engage children and adults and communities and companies in topics that are important to families, societies, and corporate life. And by doing that, I think you were engaging me because my newest book is a cybersecurity book for kids, which is used not only to educate children, but also educating children is the best way to educate their adults.
Luke Vander Linden: Yes, of course. As a father of a three-and-a-half-year-old, a one-and-a-half-year-old, I do the reading, not them. So you're getting the parents as well in your reading audience.
Ellen Sabin: Oh, Luke, and it gets worse. Wait until they're six and seven and eight, and you're shamed into behavior.
Luke Vander Linden: Oh, excellent, excellent. So you said this isn't the first book you've written? And is this what you had always planned to do, be a author of children's books?
Ellen Sabin: No, actually, the first 25 years of my career, 20 years maybe, my trainings in public health. And there is relevance to that in that I had a variety of jobs. I was a hospital administrator. I was in healthcare politics. And then I spent a long time as the head of the Flying Doctors of Africa doing international public health work. But the common denominator in public health work, which carries over to how I write my books, and frankly, also why I'm still very cause based. The common denominator is, in public health, we learn that the best way to get you to stop smoking or wear a seatbelt, or if you're in Africa use a malaria bed net, is to educate, as I was just implying, your seven, eight, nine, 10, or 11-year-old. Because not only will they start positive habits at a young age, but they will -- pick your word -- educate, shame, and trust you in modeling better behavior, if you engage it at that age. So taking a page from the script of public health, when I started writing these children's books, which the first one was a birthday present for my niece that took off, became a bestseller. And then one thing led to another, but when I started writing these, I realized that the approach could, would, should be very similar that often the topics I tackle, including, frankly, cybersecurity can be obnoxiously preachy, righteous, academic, boring, if not inspiring. So I took a page from public health and create activity books that really give kids agency and engage parents in learning and delving at the same time so that, by offering the book, we're getting both generations at the same time. So it really became my second career by mistake, but I have now written 13 books on different issues. And like I said, the cybersecurity one is my newest.
Luke Vander Linden: So that's a fascinating sociological observation that you can pick up a primary and secondary market, if you will, by going after the kids. So 13 books, what other, what all topics have you covered?
Ellen Sabin: My first one, which sort of inspired the transition, was promoting giving and charity and community awareness. It's called The Giving Book: Open the Door to a Lifetime of Giving. Very proud of it, very excited about it. And it was essentially my family's values and DNA which drove all of us to go into humanitarian work. And it was supposed to be a birthday present for my niece when she turned six. It was a handwritten book. I gave it to her, returned a couple months later from Africa to 700 emails in my inbox saying where can we buy the book? And a weird unfolding occurred, and one book led to a next. By the third book, I would only write a book when some corporate or community or philanthropic leader preordered at least 10,000 to get me to take on the topic in my activity style, interactive way. So the other books range from there's a grieving book for children, which I'm terribly proud of. There's a book called The Hero Book: Learning Lessons From the People You Admire, so all about promoting role models; an environmental book for kids; a financial literacy, health and wellness; a book that Autism Speaks initially compelled me to write, which is called The Autism Acceptance Book: Being a Friend to Someone with Autism; a special needs book; and a book that I was really honored to write that supports children whose parents are wounded in military service. And then lastly, I think I'm missing one or two, there's a STEM book for kids.
Luke Vander Linden: Okay, yeah, because that first one was written from your own experience and your own viewpoint, but all these other ones have taken so a lot of research, and you have to kind of delve into the topic and teach yourself before you can teach the kids and their parents.
Ellen Sabin: Huge amount of research. And it's just, I mean, as you bring that up, Luke, it's amazing how much more one needs to research and get it right to put in a 64-page fun, simple book for a child.
Luke Vander Linden: Right, because you're not just putting a blog out on the internet and hoping that you can stir up the pot, but it's really -- you're trying to educate, and it's on paper, so it means more. So what prompted you to write the one on cybersecurity?
Ellen Sabin: I was actually approached by a very large international bank who had seen my other books and took the first 30,000 to get me to write it. And then I really got into it. I mean, I know you have a copy of the book. You've seen it. So, you know, some of the folks on the back cover from John Pistole, who was the former deputy director of the FBI, and Ed Amoroso, to Suzanne Spaulding, and Keith Alexander. I mean, these people didn't just endorse the back cover. I learned a lot to write the book. But, you know what? Luke, I felt like that my approach could serve this population. It fell into the camp of, A, it's a really important topic for children, for families, and for companies and society.
Luke Vander Linden: Right, and it's never too early or too late to learn security awareness.
Ellen Sabin: Absolutely. I mean, I'll tell you a lot of our clients who have used the book and their companies have said, "Wow, like this is as helpful for my grandmother as it is for my kid." The lessons are the basic lessons, however you cloak them, and they're the same lessons up and down the age ladder. B, I felt like it is often presented, as I said, very sort of academically, or it's hard to make it exciting. And one of the recipes I think and hope that Watering Can Press books are known for are taking something, giving kids agency, getting them excited from the very cover where they write that they coauthored the book. You know, so they become a fun journey. So I thought I could do that with this topic after I learned enough. Big, big, big caveat there. And I also thought that many of my books are shared widely by companies. And I also thought there were really, really valuable touch points, that bridge, sharing the books with employees or with community partners or with schools or with nonprofit partners because there aren't too many ways to engage up and down the family ladder that also, you know, could be used. So I was excited about the challenge of doing that.
Luke Vander Linden: Excellent. So what are some of the lessons that are in the book? I don't want to do any spoiler alerts here, but so what message are you imparting here?
Ellen Sabin: Well, there's the general message I'll start with, but just by virtue of the book existing, I would love to encourage parents and others to start, like you just said, as early as possible. As soon as a kid has a device, it's time to start getting them excited about realizing if they want to join the cyber world. There's fun. There's excitement. There's great things they're going to do. And oh, yeah, also, there are things to learn, responsibilities, if they want to continue having fun and learning doing it. On the side, before I get to the specific lessons, some of the general lessons by the book existing are, hey, parents, hey, companies, by the way, companies need the next cadre of workforce of folks like you, and they're not going to have it if we don't start now. So parents, companies, nonprofits, schools, start early. B, these are family conversations. They go up and down the ladder. If you teach a child, that educates an adult. And if you teach an adult, that'll drill down to the children. In addition, before I get into the specifics, I'd say the book also greatly encourages the idea of having open communication so that children will ask questions, so that they won't keep their cyber world a secret, whether it's because they're playing online or doing whatever, but encouraging them to ask questions, letting them embrace their power to make smart decisions, exercising their critical thinking skills, which is key in cybersecurity, and guiding them also, frankly, to choose thoughtful and kind behavior to reduce cyber bullying, and enhancing their coping skills.
Luke Vander Linden: Right, because there's a whole other layer when you're talking with kids, not just the security awareness, but the cyberbullying aspect as well.
Ellen Sabin: I would add to that sentence, Luke, and say, not just with kids, but with adults. I think that we all could, would, should be more trained, not just in our awareness of what we say, but frankly, if we go a little deeper here and say what we put up online. Adults, you know, how many times have all of us sent something by mistake or posted something and thought, oh my god, that was supposed to be a surprise party. I shouldn't have put that up. And then, you know, whatever it might be, promoting the ability to be mindful, not just what we say, but of the risks and dangers. And now to really answer your question. Sorry, I didn't answer it yeah. But, you know, I mean, people can't see me, but I have the book in my hand. And if I just quickly flip through the pages, what are some of the key takeaways? They're fun. They're cool. I mean, the journey of the book starts with engaging kids, like I said, in agency. So helping them realize why in the world they should even care. The first chapter goes into things like what are your favorite devices? What do you do online? Like helping remind all of us we are, we do, and we will more and more and more forevermore live in the cyber world, so let's get excited and embrace what we get out of it. But then the next chapter is all about being cyber careful. So it's stuff that, you know, do you know with like the back of your hand, but that is good to remind not just children but adults about. Like, in children terms, stuff like being the boss of your personal information. You know, what's okay to share or not share? Or what does discretion mean? What's smart to post or not post? What are smart ways to think about passwords and tips about that? Even down to something that sounds sophisticated, but what's a password manager? Like these are things that you can make fun, or at least I think I hope I make fun. And then I get into, you know, other specifics like I call it careful clicking or pairing for your devices, things like, you know, what to make children aware of. You know, what's a virus? And what to be aware of. And what are these pop ups that they should ignore? And then basically drilling them into getting excited about asking and learning with an adult. So it brings the conversation back into a home to things that adults might want to research with their kids. Like what's multifactor authentication? Or, you know, what is Wi-Fi? Or you know, stuff like that. And then just to quickly say, I have other chapters, like a chapter on cyber kind, like you said. I talk about moderation. And then I bring it back to like this is a family affair and some fun activities, even a page where kids are encouraged to interview someone, just like you, Luke, who is a cyber expert, to get inspired about how cool that career is and how important it is and what it does for all of us. So there's a lot of really nitty-gritty tips that go up and down the age group for kids, parents, grandparents, any age group, but also drive these family conversations.
Luke Vander Linden: Yeah, those are some big topics, so that that's great. And thanks for putting the pitch in for considering the profession because that's obviously something that we're all very concerned about. So it'd be great if you could encourage them at a young age to go into the job. So I'm just wondering, you know, in your research, did you find anything that surprised you that you weren't aware of? That you said, oh, that's part of cybersecurity?
Ellen Sabin: That's a good question. You know, there was a lot that I got much more mindful about. I mean, I will say that while, you know, per the beginning of this interview, I've always used the tactic in behavior change that children are great change agents in a family. Always loved that. Always used it in my healthcare programs and now in my books. I don't think I was as aware as I am now, with the book being out for a while and a lot of companies using it for employee-focused programs, just how much that was true, how much bringing conversations into households helps and inspires adults to want to learn the topic. So that I learned, and then I also learned a lot more, frankly, about the bad guys. Cyber criminals, I hate to give them credit, but, man, they're smart. And, you know, during COVID, and with a lot of people and then after, you know, in these new days of a lot of people working from home, they're going out of their way in a really smart way to target kids or target work-from-home employees. Because they know that it's, I mean, I know you know this, but they know it's a weak link. So bringing the conversations into homes where children are using their parents' network and that. So I've learned a lot more about how cyber criminals will look at the weakest link, which often will be a child, you know, and use that. So unfortunately, I got a lot more suspicious.
Luke Vander Linden: I was just talking to one of my colleagues this morning about how this job has made me paranoid. And he said, "Yeah, that's a great thing."
Ellen Sabin: And actually speaking of paranoid stuff, like, sure, I always heard it's smart to say to yourself or to your children or your parents, hey, don't sign into your bank account at the airport on a public network. But I don't know that I digested that as much. And I do a lot of events for companies, for their employees, either reading events for kids and families or events for employees, like top tips on raising cyber-smart kids. And when I do the ladder, a lot of employees will start asking, oh, gee, you know, things like what I just said. Really? I, you know, talk to me a little deeper about public networks. What should I have my kid not do? You know, etc.
Luke Vander Linden: Right. The world is built for convenience more than security, usually. And that's the way we're wired too because the internet and just the changes over the last decade have made so much possible. But with that comes so much greater potential for people to use technology against us. You've mentioned a couple times how companies have used the book or someone using your book start off with larger orders. Tell me a little bit more about that model because it seems less about the individual purchases and more about kind of a mass-market abilities.
Ellen Sabin: Well, I will say there are, I mean, obviously, I love when my books spread because I only write one book a year. And I really, after 25 years in the nonprofit sector, a lot of this is very cause-based for me. So I care if a family gets the book and it changes their knowledge and behavior and makes them all safer. So I won't discount that at all because it affects and supports that family. However, most of the ways my books spread are more in bulk, where -- and I'll give you some examples. I mean, obviously you can imagine that CISOs and security education teams are often those that find this particular book. And it's been -- I have to say I love your community. And I just have to just do a quick pitch for your community because what I find is you guys combine amazing, critical thinking skills with strategic planning, with being gutsy enough to try new things because the bad guys always are. So you're innovative, and you're willing to try new things, which -- and last pitch for you guys -- there is an amazing passion that I found in my clients that marries really care about the cause with really smart corporate executives. So anyway.
Luke Vander Linden: No, you're absolutely right.
Ellen Sabin: Yeah, with that in mind, I have to say I'm ignoring some of my other books so I could work with CISOs more because they're so smart and fun. But how they use this book has been a blast. It's been, I mean, as you know, October is Cybersecurity Awareness Month. So a lot of people specifically will take the book for October, but also, January is Data Security Day, and April is Take Your Child to Work Day. And there's always touch points in a company, if not the ERGs or outreach. Companies have been a blast to work with, with the book. And, you know, obviously, there's a lot in it for them because the line between personal and professional use of digital devices is pretty much obliterated these days. So data breaches and network disruptions mean that promoting data security awareness among employees and clients is really more important than ever. So it's strategically valuable for them to promote best security practices in home settings, including training children. So ways that companies have brought in The Super Smart Cyber Guide For Kids has been, A, giving the books to employees at touch points like October Cybersecurity Awareness Month, January Data Security Day, April Take Your Child to Work Day, other touch points. Two, as I was saying, wink, wink, educate their kids, but really bring the topics to have family conversations and change employee learning and habit forming. So one is that. Another is by inviting me as the author, either in person or virtually, during those touch points or year round for interactive reading events with either their employees or their client families. It's this fun, cool event where kids have the book. It's not reading at them. They get to answer questions and read things, and their parents get to go, you know, in the background, listening and learning themselves. In addition, many of them have had me do events for their employees or clients, where it's just for adults. The speech is called Tips on Raising Cyber Smart Children. And it really goes through some of the top tips is often me speaking or sometimes is interactive dialogue with the CISOs and myself that really brings the -- drills in the message and, by the way, gets their employees really excited about learning cybersecurity. Because, I mean, you said you have a four-year-old, Luke?
Luke Vander Linden: Three-and-a-half, yeah.
Ellen Sabin: Three, okay, three and a half. Three and three months and five -- okay. You know, you'll do something that will protect your child. So you will want to learn about that. It will get you where you might not engage in a cyber education program in your company, your ears will perk up if there's a speech on -- offered on ways to keep your child cyber safe. Other ways the book has been used has been as branded swag at conferences that companies sponsor. A really interesting way that I'm finding is, you know, CISOs especially ones at companies where they're not the income-generating part of the business, which has many of them, buying an extra box and gifting it to board members and executives to go home to their household as a great way to get in conversations and show their importance. And then lastly, we've had some, you know, very socially-minded companies that have donated copies to local schools, nonprofits, Boys & Girls Clubs, because they care about, as we need to, teaching the next generation to get excited about this as a career.
Luke Vander Linden: Right, that's great. So if any of our listeners or members wanted to get their hands on a copy of the book, what's the best way to do that?
Ellen Sabin: Our website to see more and sample pages. Our website is wateringcanpress.com, wateringcanpress.com. On that site, individuals can either buy a copy, find links to buy an eBook version, which has sold on Amazon and other eBook sites. And then for companies interested in buying discounted bulk orders, on our website, wateringcanpress.com, there's contact information to contact us for discounted bulk orders for corporate programs. So emailing us at email@example.com let's those interested in buying bulk to do that.
Luke Vander Linden: Excellent. Well, fascinating book, great project, great product, and I'm glad you came on and told us all about it. I'm glad we're able to connect. Ellen Sabin, thank you very much for joining us.
[ Music ]
And now we're joined by Lee Clark, the RH-ISAC's own, with debriefing. Lee, take it away.
Lee Clark: Hey, Luke, thanks for having me. It's great to be here as always. So for this month, I wanted to highlight a couple of the major stories we've been seeing, right? We talked a little bit about Clop on a previous episode. And Clop activity continues, you know, unabated as they continue to announce new victims and published victims. But I didn't want us to become an all Clop all the time, so I thought we might take a minute to talk about other stories that have been sort of hitting the threat landscape recently.
Luke Vander Linden: Sounds like a plan. We don't want to be the Clop Shop.
Lee Clark: Sure, sure. So the first one that I was going to point out, we put this up on our blog a while back was that multiple international cybersecurity agencies released a joint alert on web application cross control attacks via IDOR vulnerabilities. And I'll freely confess this is something that I hadn't heard of [inaudible] happens in cybersecurity sometimes. I'll find out about a protocol or a tool or something that I haven't previously heard of. But IDOR stands for Insecure Direct Object Reference, I-D-O-R, and this is a system in web applications, right? So the Australian Signals Directorate Cybersecurity Center, the ACSC; the US Cybersecurity Infrastructure Security Agency, CISA; and the US National Security Agency, the NSA, released this advisory to warm vendors, designers, and developers of web applications, organizations using web applications, about these vulnerabilities. This advisory primarily consists of recommended defensive measures to mitigate these IDOR flaws that CISA talks about. And this is a pretty interesting report considering these things are typically urgent, right?
Luke Vander Linden: Yeah, so this is kind of out of the ordinary for this all hands on deck, kind of everybody, all these countries working together. So what prompted this urgent alert?
Lee Clark: Sure, so without venturing into wild speculation, I will say oftentimes these sort of vague, hey, look at these vulnerabilities, fix them in your networks, often, those announcements from an organization like CISA will be prompted by a campaign or an incident or something that they're witnessing behind the scenes that are not yet ready to fully disclose filings or anything to the public. Maybe they're pending investigation. Maybe they're getting ready to do some type of arrest or takedown operation or something, or maybe they just don't have enough information to fully give something to the public. So what they do instead is they release an operation, a memo that says, hey, these things are really dangerous. So right now, the RH-ISAC intel teams collaborating with -- and a lot of our member analysts -- to determine if anybody had seen any evidence not in open source of a potential incident or any chatter on the dark web that could indicate whether there's a campaign or a widespread significant incident going on involving either vulnerabilities. Thus far, I hadn't seen any indication of that in open source of a dark web on any significant campaign or incidents. We're going to continue to keep a lookout, and we will update the community, of course, as we find it, but this is one that I would recommend that listeners kind of keep an eye on as well because web applications are, of course, widely used and IDOR being a feature of those because it's also widely used across multiple industries. So it's one to keep in mind because CISA doesn't release these alerts for fun, right? They don't do it just for the thrill, that they have a reason for releasing this alert at this particular time, right? The next sort of fun story I wanted to talk about was, on August 9, researchers at Proofpoint reported technical details of a campaign that they've observed between March and June of this year that it's been leveraging the EvilProxy phishing-as-a-service tool. This is targeting executives at over 100 global firms. Should note that Proofpoint didn't identify the firms or even what industries those firms are in. Now, this campaign is using EvilProxy, the phishing-as-a-service tool, again, to target executives with a combination of attacker in the middle, AitM, and account-takeover tactics. And the reason I wanted to highlight this story and particularly for our briefing here is that our RH-ISAC member analysts regularly report strategic, technical, and open-source intelligence related to AitM, Attacker in the Middle, attacks, especially EvilProxy. EvilProxy is a very common, very popular tool, sold to multiple threat actors for use in ATO attacks, right? The RH-ISAC intel team has been tracking and reporting this type of attacker-in-the-middle activity and especially EvilProxy activity for at least two years now. Back in August of last year, Zscaler researchers released a report on technical details of another AitM campaign that they saw. They've been active since at least June of 2022. We assessed at that time based on timing and nearly identical tactics, techniques, and procedures that the campaign reported by Zscaler was likely directly connected to a campaign reported by Microsoft's intel team in the same months, right, back in August of last year. We made that assessment based on the timeframe and multiple TTPs. Now these TTPs, some could things like nearly identical registered domains, lurertowns [phonetic] being logged into by attackers eight minutes after researchers sent credentials to the attackers, phishing domains imitating financial organizations, phishing emails appearing to come from legitimate email addresses at legitimate organizations, and then emails containing links in the body or inside an HTML file attachment, right, and then phishing sites redirecting and hosting using diverse method. The sort of benefit of the attacker-in-the-middle approach is that it usually goes around multi-factor authentication. It's a MFA-bypass methodology, and that's one of the things that makes it, you know, sort of a little bit higher on the priority matrix whenever we'd look at it, right? We've released multiple reports, specifically on this tool, and on the types of attacks that this tool enables, as well as a little plug for our [inaudible] here, our Malpedia Galaxy and the RH-ISAC MISP instance includes a profile on the EvilProxy tools. That includes TTPs, public incidents of the tools used to send campaign, as well as indicators that we have from members directly related to the tool itself.
Luke Vander Linden: Well, that's great that, from your vantage point, from our vantage point, we're able to pull in those different reports and relate them to each other so we can see that it's one -- at least if it's not a unified attack, at least the same tool being used.
Lee Clark: Yeah, and discovering these patterns and codifying them and indexing them and keeping them in our record is beneficial because -- so the center of CCI is actionability. The things that we read, research, and produce have to lead decision-makers who receive products into a decision that can increase physical and cybersecurity protocols at an organization, right? The endgame of CTI is ultimately to improve cybersecurity in a material way. And by indexing those types of historical events and creating those pattern connections within a tool like MISP, especially when you combine that with technical intelligence that you have related to these types of attacks and these specific tools, that creates a historical background that helps develop context for a senior decision-maker. And that helps them make a more informed decision over time. So what this does is it creates a depth of reasoning for a decision that helps you ensure that your decisions are going to be more grounded over time, right? So I got to round this out with a brief discussion on the Gigabud Remote Access Trojan. This report came through in the course of a previous week or so on an Android banking malware that's been targeting institutions across multiple countries, specifically, in Asia, Southeast Asia, and Latin America. Right, this is a new Android-banking malware called Gigabud. One of the unique features of this is that it doesn't execute any malicious actions until the user is authorized into the malicious application by a threat actor via fraud, which makes it harder to detect. Now, this research comes from Group-IB, so we tend to rate their cyber-threat intelligence pretty highly, right? In addition, instead of using HTML overlay attacks, the Gigabud RAT gathers sensitive information, primarily through screen recording, right? So these are a couple of interesting things that enable the threat actors to trick the target into accessing their fraudulent tool, right, and to steal credentials in a couple of different ways, right? By recording the screen they can see what's being typed in to login pages. So this becomes interesting for our community in a number of ways, first, of which is geographic, right? These attacks primarily, since the beginning of the year, have been targeting organizations and users in Thailand, Indonesia, Vietnam, Philippines and Peru. The RH-ISAC is increasingly developing our membership base in the Asia and Pacific region, right? We do a monthly call with our members in the Asia Pacific region, as well as being in the beginning stages starting events. Luke, you've actually traveled a couple times to Asia to speak with members and prospects there about the benefits of the ISAC globally, right?
Luke Vander Linden: Yep, Australia specifically, but love to go back. I'd love to have an excuse to go back. But that's interesting, this is geographic. Does that mean it's kind of like a canary in the coalmine as well, that we can see this expand?
Lee Clark: Yeah, so it can be, right? It can be a number of things. Malware and cyber threat campaigns can be canaries in the coal mine to determine things are going to spread like, for instance, LAPSU$, originally primarily targeting banks in Latin America until it turned out they were targeting grocery stores, technology firms, globally, right? And originally, they started out. It could be a language element. There could be a language barrier based on how the threat actors are able to target, or it's always possible that this is, you know, connected to a nation-state nexus, and that nation-state has a particular interest in targets in the region that are listed here. Right, there's a few reasons that cyber attacks can be geographic, and one of them is the targeting of cyber threat actors. These may be organizations and places that the threat actors are familiar with and then may expand out later on as they exhaust the target-rich environment that's geographically near them. But we also find that geography can be helpful in running CTI investigations because occasionally attacks will be organization-focused. Occasionally, attacks will be industry-focused, but more often we actually see attacks targeting diverse organizations and target types, but they're often contained geographically for the reasons I discussed here. The second reason I highlight this is because banking malwares and ATM malware are quite frequently known to eventually turn into point-of-sale malware. Happens all the time like, Prilex, one of the most prevalent POS malwares that we see attacking retail organizations and trying to get in the middle of transactions at point-of-sale systems. Prilex started out as an ATM and a banking malware, right, and it was eventually repurposed and modified by various threat actors and went through a number of versions. It is now the most prevalent point-of-sale malware that we see out there. Not to mention the reuse of credentials by organizations and users between, let's say, bank accounts and loyalty rewards program at a hotel. It wouldn't be uncommon at all for an organization or for, you know, an individual user to reuse those credentials. And this is one of the benefits of a credential stealing attack like the Gigabud attack we're talking about here. Because if you been able to use your screen-grab ability to steal credentials for someone's bank, you probably also have their streaming login, or their hotel rewards login, or their airline points login, right? I hesitate to call it poor password management, even though that would be like the technical term of it. The average user doesn't have the knowledge or even resources or inclination to, say, use a convoluted password manager that will hold the keys for everything, right?
Luke Vander Linden: Just a couple of weeks ago, someone asked me what is the number one thing? You work in cybersecurity. What's the number one thing you would advise me as an individual not to do? And I said do not reuse your passwords.
Lee Clark: So I mean, this was like a frequent argument among cybersecurity practitioners is how do you protect grandma's streaming subscriptions and everything? And overwhelmingly, I come to -- and this is a huge no-no in the cybersecurity world. Every certification test you'll take will tell you that it's a poor practice. Write it down on a note card, and put it in grandma's drawer so she knows she can open up the drawer and see the password written down there. All right, if you're in an office place, that's an atrocious cybersecurity practice, and maybe it is for your grandma whenever the plumbers come over or something, right? But overwhelmingly, one of the -- you're absolutely right, Luke. Overwhelmingly, one of the biggest vulnerabilities every single industry, as well as average users out there who are protecting a personal cybersecurity, overwhelmingly, one of the biggest ones we see is the reused passwords. If you get one, you've got them all, right? If I get your streaming password, all of a sudden, I can start taking money out of your bank account, right?
Luke Vander Linden: So the old Post-It note, we do recommend it sometimes.
Lee Clark: Sometimes in isolated cases where it's not going to cause additional security things, or you're not going to get fired for a security breach, it's a perfectly effective method. But on the other hand, use a password manager. It is true. Now, all these things in cybersecurity have gives and takes, right? Multiple password managers have been compromised before, and data has been leaked, and everything is a gamble. These are the methods that we know provide the most bang for buck in terms of safety, right?
Luke Vander Linden: Well, thank you, Lee Clark, for joining us once again. You are of course the cyber threat intelligence analyst and writer for the RH-ISAC. Always appreciate you when you come on for the briefing.
Lee Clark: Thanks, Luke, and it's always a privilege to talk to the membership.
[ Music ]
Luke Vander Linden: Thank you to all of my guests for the scintillating conversations, Charles Fedorko of Sage Hospitality, Ellen Sabin of Watering Can Press, and our own Lee Clark. If you want to discuss anything you've heard today, or if you have an idea for a podcast segment, or you just want to be on yourself, or if you want more information about membership in the RH-ISAC, shoot us an email at firstname.lastname@example.org. As always, thank you to the production team who try their hardest to make it sound good for the RH-ISAC. That's Annie Chambliss and Marisa Troscianecki, and from the CyberWire, Tre Hester, Jennifer Eiben, and Elliott Peltzman. Thanks as always to you for listening, and stay safe out there.
[ Music ]