Threat Vector 1.2.25
Ep 48 | 1.2.25

Mastering the Basics: Cyber Hygiene and Risk Management

Transcript

Daniel Ford: You know, where are you at, you know, in your journey? Because cybersecurity is a journey. It's never a destination. And it has consistently and constantly evolved over time. And I don't see that ending anywhere in the near future. Where do you want to be? And when you take a look at your organization, take a look and determine what is the -- what you believe is going to be the most common way in which you're going to get breached. And in those areas, when you focus on that maturity journey, those are the ones you want to try to get to a five. There are some things you should strive for that five on the maturity scale. And then everything else should be at baseline. It takes a long time. And cybersecurity is going to take a long time to be mature. The bigger the organization, the longer it's going to take. [ Music ]

David Moulton: Welcome to Threat Vector, the Palo Alto Networks podcast, where we discuss pressing cybersecurity threats and resilience and uncover insights into the latest industry trends. I'm your host, David Moulton, Director of Thought Leadership for Unit 42. [ Music ] Today, I'm excited to welcome Dr. Daniel Ford, Chief Information Security Officer at Jovia Financial Credit Union. Dr. Ford is known for his robust background in cybersecurity, including his experience in the federal and private sectors, as well as a deep passion for advocating cybersecurity awareness and education at every level. Today, we're tackling an essential topic: cyber hygiene and risk management. Cyber hygiene serves as the foundation for every security program, influencing not just an organization's security posture but also its resilience against both known and emerging threats. As cyber-attacks grow increasingly sophisticated and frequent, businesses of all sizes are realizing the importance of strong cyber hygiene and risk management. It's more than a set of best practices. It's a framework that can protect people, their data, and the digital economy. So, to guide us through this journey, Dr. Ford is here to share his insights on why mastering the basics of cyber hygiene is critical for every organization and individual navigating today's digital landscape. [ Music ] Here's our conversation. Dr. Daniel Ford, welcome to Threat Vector. I'm very excited to have you here today.

Daniel Ford: David, thanks for having me on. I'm really looking forward to our conversation today.

David Moulton: People in security want to make the world a better place and I feel that as well. But also, you touched on this idea that you were curious. You wondered how something worked, and then you made it work. And then you wondered how to reverse it. Are folks that are more curious -- are they more successful in security? Is that a trait that you've seen in the people that have worked for you and worked with you?

Daniel Ford: Absolutely. Curiosity, I think, is likely the number one trait. Because in part -- and nothing against my colleagues on the IT side of the house. But they typically are very much focused on delivering technology for a business need. And they get onto the next one. They don't necessarily -- it's not necessarily that they're not curious. But they are much more in a build or, you know, troubleshoot mode. And that's because a ticket came in. Whereas my colleagues in cybersecurity, we've got to know everything they have to know, and we have to know how it breaks. We have to know how it could be attacked. We have to know how to protect it. And those pieces of it, how a threat actor could break it, change all the time. All it takes is the next software update and we have potentially different software bugs.

David Moulton: But I'm wondering if there was a moment in your career early on that, you know, challenged your perception of what security could be and has shaped your perspective on your work and the industry in general?

Daniel Ford: Probably when I started working for Homeland Security is when things really changed, because I went from -- and we go back to 14, where it's one individual. In this particular case, it would be a targeted attack by my younger brother, to, oh my gosh, some bad things can happen to good and innocent people. So a little bit larger, to now it being global. It is a global thing that can just affect anyone at any time. And you don't even have to be another nation-state. You could be some lone wolf person wanting to just wreak havoc, you know. Like, you know, let's just take, you know, the comic book aspect. All it takes is a Joker, and you're poisoning a water supply. And that person could have been all the way around the world.

David Moulton: It sounds to me like you found something that lit your passion. And when we started the conversation about coming on Threat Vector, you told me about your passion for improving the world through cybersecurity. And I'm starting to hear that. Are there other things that drive this mission for you personally?

Daniel Ford: Yes. Jovia, where I work -- one of the reasons why I chose to work for Jovia, and maintain working there, is I'm kind of given a platform to make the communities in which we serve a better place. And I'm able to do that through cybersecurity. Credit unions are -- were founded on people helping people. And while they are not-for-profit, they still have to, you know, make revenue. But the biggest difference between a credit union and a bank is that banks are owned by shareholders. Credit unions are owned by their members. And we try to take those profits and get them back to the member. But with that, you know, we're very big on financial literacy. And I have this aspect of, how, in today's world, can you have financial literacy without some type of cyber literacy? Because all of our assets are primarily digital. Very few people are handing out cash nowadays. They're going to Venmo you. They're going to Zelle you. They're going to pay with a credit card. They may be paying with a virtual credit card. And with that, Venmo and Zelle became a whole new target of scams and people that are looking to steal money in an easier way, a much more digital form. They don't have to go after, you know, the bank or credit union themselves. They can go after the customers and the members and trick them. So we do that. We go out there. We go to the schools. We go to the universities. And I'm hoping to do much more because this -- the cyber -- you know, criminals out there are going to just keep going after those that just don't know the basics on how to protect themselves. And it's really disheartening. I see, you know, all of the complaints. And those complaints are like, people are losing their life savings because they got scammed. They gave them their username and password. They hit send. The money's gone forever at that point. It's not -- you know, it's literally like handing over cash when you use that Zelle or Venmo app and you hit send. It's gone. Good luck trying to recover it at that point. And I feel bad for them. So I want to help them as much as I possibly can.

David Moulton: Dan, you've used the term cyber hygiene. And I think you might define it a little bit differently than the way I've thought about it. Can you talk about what you mean by that term, and then maybe get into how companies can think about and approach cyber hygiene?

Daniel Ford: Yeah. So I think about it just like our personal hygiene. You know, when you wake up in the morning, what is that routine you have before you either have started your day or have walked out of the house? Or if you're working remotely, what is it you're doing to start your day? You know, you're brushing your teeth. You're taking a shower. You're, hopefully, you know, using soap and shampoo, all those kind of fun things. You're coming out, putting on deodorant. Well, I look at the same thing with cyber hygiene. So when -- and again, I might be taking it to the extreme. But one of the things that I do -- you know, so when I leave the house, did I turn off my Wi-Fi on my device? Did I ensure that if I'm going to -- especially when I get to my car, I've connected my Bluetooth, it's only connected there? When I get out of my car, I'm disconnecting my Bluetooth. And that might be a little extreme for some. But that's a part of my hygiene routine. I want to ensure that people are updating their systems on a routine basis, especially on your personal, you know, systems. That's where, you know, the vulnerabilities are being patched. So, have they done those things? Am I using, you know, a password manager? In the event that we add a new -- you know, I just signed up for a new service, as soon as I do that, am I making sure that my password manager is able to use that, and I put my credentials into there, you know? Things like that. And by doing some of these basic things, for whatever it is you're doing, do you have your playbooks? Are you actually using and doing whatever your standard operating procedures are within your playbooks? We know what to do at a corporate level because we have all of this guidance out there, whether it be from NIST or ISACA, ISC2, you know, ISO. They have them, but are you really doing it right? And I think many organizations are not. And a lot of people don't even know what to do.

David Moulton: Would you have the top three cyber hygiene activities or habits that you need to have, to look around and say, like, let's get everyone moving? What would those tips be?

Daniel Ford: So if we're talking about individuals, you know, people, you know, the first thing I look to do is that everything that's sensitive, let's make sure we've got multifactor authentication. You know, it sounds like a cliché. But every day, it seems like I hear from someone that, "Oh, my Facebook account was hacked." Probably wasn't. But did you have multifactor? Almost every time I hear, the answer is no. And then we go to the same thing with financial institutions, you know. And financial institutions, a lot of them are notorious for not enforcing proper guidelines on their customers and members to just get into their digital and online banking. So, I would implore everyone to make sure, again, that has multifactor, you know. Make sure you, you know -- and again, use, you know, use a password manager. They're not that expensive. So they should really be doing that. And then we go to organizations. If the number one attack vector is that blended threat, it's coming in through phishing and it's going out through the web, and almost every organization is utilizing Microsoft Active Directory, why do we not have multifactor authentication at the network layer? There are so many companies out there that do that multifactor, that plug right in with Active Directory. This makes it more of a challenge for that threat actor to get in. And then from there, you know, looking at -- one of the things -- one of my pet peeves is I see a lot of these emails that come in with a link, and the link should never even get to the end user. With the web -- email web gateway, which has deemed the link safe, so many of them have -- they've modified the link so then it goes to check it. But that's bad. We're teaching our users bad habits by saying, "Here's a link in an email which is and should be safe." And it's not. We have the technologies out there and they're just not being, you know, deployed.

David Moulton: So you've talked about MFA, password manager. I think that's at the personal level and at the corporate level, and then as you get into, you know, some of the best practices of moving data away from a highly attacked area like email, and to make sure that the email itself that does get through has had some of the systems take a look at it and do a cleanse on it. And if it's not safe, don't serve me up an opportunity to make the wrong decision or, you know, cause an accident. I think there's actually a meme or a cartoon out there that always cracks me up. It's, in this corner, you know, multimillions in software and security. And in that corner, Dave. And as a member of the Club of Dave, I'm always like, "Oh, they've met me. Oh, no." When we talked before, you brought up this idea of a cyber-attack happens, and we have all this fallout. And then we move on. And in other industries, if we were to have, you know, a major crash in an airline, there would be an investigation, there would be an ongoing look into how do we stop this? But we don't. And when these incidents occur, even when large amounts of personal data are exposed, it's handled quietly. It's handled secretively. And it seemed to bother you. I'm wondering if you'll talk about that aspect a little bit. And what do you think could be done to move our culture away from that type of behavior?

Daniel Ford: When a breach happens, no one really wants to talk about it. You know, lawyers get involved. And it really -- you know, and because they -- there's some liability perhaps at stake. But that means that no one gets to learn from that mistake. And that means other organizations are doomed to repeat that same mistake. When I did my MBA at the University of Michigan, the thing that I found so interesting, and what I really enjoyed and found that a lot of universities teach this way, is through case studies. And you can go back in time and see, like, "Oh, how would I have done it?" Now, they removed the names of the organizations. But you're analyzing it based on what we know today to make sure you don't make that same mistake. And we don't do that with cybersecurity. The MOVEit breach is a great example of this. Over 5,500 organizations were breached. No one wants to really talk about why they were breached, even though -- in many cases, it happens to be that, from what is, at least for the most part, publicly known, you had a software vendor that didn't do some basics. So, you know, the white belt level stuff is, you're producing software code, you might want to scan your code for SQL injection. SQL injection has been in the OWASP Top 10 for as long as it's -- I think it's been around. It just seems to change places. So they didn't scan for that. On the customer side, they could have had some web application scanning that wasn't being done. And then you had a mismanagement of the firewall. But as soon as that happened, why was every CISO that was using MOVEit not going to their firewall team and saying, "Do I have this IP -- you know, this particular server locked down via IP address and port and all these things?" No one is talking about it. You know, we have a number of those that have occurred. But no one has talked about it. So that means every other organization can't learn from that mistake and maybe prevent the next breach that's going to happen. [ Music ]

David Moulton: And, Dan, I want to shift gears a little bit. You've emphasized that helping the world be a better place has been a part of your philosophy and something that you've been pursuing, it sounds like for ages. I'm wondering, how do you envision a world where people in organizations are adopting those better cyber hygiene practices that you've talked about?

Daniel Ford: I think when we start seeing some things, maybe where, "Hey, this organization takes their cyber hygiene seriously. Buy from those that have proper cyber hygiene." That's where we can start doing some good. Like there's -- and there are going to be those organizations that only care about the bottom line. And if they -- and yes, I -- you're an organization. You're a corporation. Your number one goal is to increase shareholder value. Absolutely get that. And I would never say that an organization shouldn't be doing that when you're for profit. But part of that should be that I'm doing the best for my customer -- for my shareholders. And I believe cybersecurity is a part of that, because I probably have something that requires safety mechanisms. If you are holding personally identifiable information, there are digital safety concerns. And anytime we have this, those organizations that I feel are taking that cyber hygiene seriously should be the ones that are -- their stock is consistently going up, their market cap is constantly going up, they're more -- they're definitely just more valuable. And then the local, you know, that local mentality of buy local can be buy from those that actually take cyber hygiene seriously. At least that's my -- that might be a little bit too pie in the sky. But that's what I would love to see, is that for those that care about the value of their customers, cyber hygiene is a part of that. And that's how I see my utopian world.

David Moulton: Dan, years ago, I sat in a designer seat. And for better or for worse, there were some partners that I worked with, some in engineering in particular, who thought of design as the guys that made it look pretty and colored in, you know, the UI at the end of the project. And I always looked at design as a partnership to engineering, to think about, are we solving the right problem, and are we solving the problem for the customer in a way that they like? That's part of the UX practice. I came across this index of design-led companies. And it was really fascinating to look at this group of 15 versus the S&P 500. And they were outperformers. Now, a lot of them were blue chips. And, you know, maybe that was a big piece of it, led by really competent leadership with great products. But not all of them, you know. All of them together, I think, outperformed the market by 240%, if I recall right. And I was able to use that to show my stakeholders, show the engineering team, that design really mattered. And it wasn't just this idea of, did we pick the right shade of blue? I've since tried to figure out how to build the same thing that shows, here's a company that takes its security seriously and has great cyber hygiene, does the right thing when it comes to this ingredient in the mix called security. And I've struggled for years to come up with how to gather that information and show it. How do orgs get that needed information on a potential partner's cyber hygiene?

Daniel Ford: So I think one of the things which has been a recent trend in the industry is third-party monitoring, risk monitoring. And so what they're doing -- I think, like, one of the popular ones is SecurityScorecard. So, they're consistently scouring news about whether or not they've been breached. But they're also scanning them to see, are they -- you know, if their policy says they're scanning every 90 days and they're fixing things every 90 days, they're actually taking a look at that and seeing if they're doing it. And that would be, at least from a company standpoint, something that you could look to. And I would implore anyone that's out there, you know, listening, and you're responsible for security, you should have some type of third-party vendor risk monitoring. You should absolutely have a vendor due diligence, you know, program as well, to kind of see what -- you know, a lot of our data is going everywhere. So you should know if those things are -- you know, these companies are practicing what they preach and are they changing your risk? In this case, you have a set risk tolerance. And are they still abiding within your risk tolerance? And if not, you should look to get out of those contracts, or at least not renew with them, and make that a part of the discussion for, you know, all the rest of your chief officers. And the other part is, like, I also -- all of our third-party vendors, I put in our threat intelligence. So if something comes up, we're getting advance notification of it, that, you know, there's an issue with a Fiserv or a Jack Henry or something along those lines. But you should have them all in there. So if something hits, you now know something's going on. And you can be proactive and reach out to that third-party vendor. And I think that should be a part of the partnership. I have a responsibility to my membership. CISOs have a responsibility, you know, to their, you know, their employees and their customer base. But also, I think in a way we like to say partnership with vendors. And sometimes it's there and sometimes it's not. But as part of that, "Hey, I heard that, you know, through our threat intelligence, you're currently being targeted by this threat actor group. And here is the vulnerability in which you're being targeted. So, you know, what are you doing about that?" And not everyone is doing those kinds of things.

David Moulton: Dan, I think that one of the themes that comes through in a lot of the content and the conversation in and around cybersecurity is that it can feel like a losing battle. But there are definitely days when the good guys get the win. What advice would you give organizations or individuals who are feeling overwhelmed by that constant stream of threats and vulnerabilities?

Daniel Ford: So I think that's a great point, because we always hear about, like, alert fatigue. There's vulnerability management fatigue. And it's a real thing. And so the thing that I tell my teams, and I tell, you know, a lot of my colleagues, the idea is to be better tomorrow than you were today. And in some cases, that's going to be 1% improvement. In other cases, it might be, you know, the couple of weeks after Microsoft Patch Tuesday, you feel really great. So you want to keep that philosophy of be better tomorrow than you were today. That is the first thing that I tell them. You know, the next, you know, part of that, when they're really kind of struggling, is we are always going to be attacked. And I love the overall example from -- you know, I'm much more of a Star Wars person. I think there's always an aspect of either Star Wars or Star Trek. But I still like this aspect from Star Trek of the Kobayashi Maru, the unwinnable game. And that is what cybersecurity is. It's not winnable. So what Captain Kirk does, he changes the rules. He doesn't believe in an unwinnable scenario. Same thing with cybersecurity. So, I kind of changed the rules from the way I looked at it. The goal is, can we identify the attack or the attack vector -- you know, I think the industry average is something like, you know, 192 days that the cybercriminal has been in the organization. So can I identify it in 30 days? Can I identify it in two weeks? And then, can I contain it? You know, that -- and so I look at that. My goal has changed. I know we're going to get breached at some point. But can I minimize the impact of that? And so we start developing a strategy in which we feel comfortable, if not confident, that we can identify it faster than an organization like our peer -- in our peer group. So that's one of the things that I look at. I also very much preach this aspect of, we are not going to be in this mode of, "It's behind the firewall, so it's not going to happen." And that is one of the biggest fallacies I hear in cybersecurity. And it really irritates me, because I say, unless the attack is happening against the firewall, every single breach has happened behind the firewall. So don't say those kinds of things. The other thing that they do -- and I try to get them to say this, you know. I think there's a big misconception when it comes to defense in depth. The aspect of that defense in depth is, in the event a control failed, then we have these other controls to pick it up. And we should be securing the system to the best it can possibly be at that time. And this way, if you do that, you can't say, "Oh, well, this vulnerability is not a big deal because it's behind the firewall." You've said, "Okay, great. So we're going to go into this -- you know, we will say, like, you know, a fist fight with one arm." Because you're saying the systems are vulnerable. But we're not going to patch them. And now you're going to go into this fist fight, boxing match, with only one arm. That doesn't make any sense. So make sure all the systems are as secured as they possibly can be, and you have that particular risk profile set up for each of your different systems. And when it goes out of that risk profile, you should get it back there as fast as you can. And -- or at least, you know, whatever the risk tolerance is. But I think that's the thing that I have my organization and my team focus on. Because you can't focus on everything, because, you know, you can't boil the ocean. But we can, you know, focus on the things that we can control, and then we assist our counterparts in IT on how to get back there. So that's at least what's helped me, by changing that goal. And I think I first came up with this when I was doing enterprise security architecture for, you know, different government agencies at the time. And that was, you can't prevent -- if your goal is prevention, you're going to lose. It's not possible. It's -- and so don't play the Kobayashi Maru in that particular way. Play it with a hundred percent identification, faster than your peer group. And then contain it and try to really cut down on the impact of that. And then, how quickly can we get back to a new norm? So that's at least my philosophy and how I've been doing it.

David Moulton: Dan, thanks for a great conversation today. I really appreciate you sharing your insights on cyber hygiene and cyber literacy, and reminding us that we need to stay curious. And this game is not winnable. But if you change the rules, it's one that you can stay in.

Daniel Ford: Dave, I really appreciate you having me on as a guest and allowing me to kind of share my thoughts, my journey in this crazy world of cybersecurity. And I can't thank you enough for having me on.

David Moulton: That's it for today. If you've liked what you've heard, please subscribe wherever you listen. And leave us a review on Apple Podcasts or Spotify. Those reviews and feedback really do help us understand what you want to hear about. If you want to reach out to me directly on the show, email me at threatvector@paloaltonetworks.com. I want to thank our executive producer Michael Heller, our content and production teams, which include Kenne Miller, Joe Bettencourt, and Virginia Tran. Elliott Peltzman edits the show and mixes the audio. We'll be back next week. Until then, stay secure. Stay vigilant. Goodbye for now.