Erik: Welcome to the Industrial IoT Spotlight, your number one spot for insight from industrial IoT thought leaders who are transforming businesses today with your host, Erik Walenza.
Welcome back to the Industrial IoT Spotlight podcast. I'm your host, Erik Walenza, CEO of IoT ONE. And our guest today is Eric Cole, founder and CEO of Secure Anchor Consulting. Secure Anchor Consulting provides high touch cybersecurity services that help organizations prevent security breaches, detect network intrusions, and respond to advanced threats. In this talk, we discussed the rapidly evolving cybersecurity environment and what it takes to secure a system today. And we also explored the impact of remote work and remote system access due to COVID-19 on cybersecurity threat vectors.
If you find these conversations valuable, please leave us a comment and a five-star review. And if you'd like to share your company's story or recommend a speaker, please email us at team@IoTone.com. Thank you. Eric, thank you so much for joining us today.
Eric: It is my pleasure to be here. Thank you for having me.
Erik: This is a topic which is increasingly important in the industrial IoT space. Eric, before we get into that topic, you have a super interesting background, so I'd love to hear you walk us through a few of the major milestones. You've worked at SciTech group, Lockheed Martin FA, and then you are now the founder and CEO of Secure Anchor Consulting. We can start from your first interest in this topic of cybersecurity a couple decades ago. And then it'd be interesting to hear how you transitioned from working in corporate C-suite positions to now setting up your own consultancy.
Eric: Absolutely. And if it's okay, I'm going to take you back even a little farther, before I worked for all those companies you mentioned. Because it all began in 1991 when I worked at the CIA, the Central Intelligence Agency, and I was interning, and I was looking for departments to work for. And of course, this was 1991, so I interviewed with the network operations center, with a programming group, with the operating system group.
And then there was this little group called cybersecurity that interested me. Because when I talked to my advisors, and I talked to other people saying, which group should I work for? Everybody unanimously said, you need to go and work for networking, everything is going to be networked, everything is going to be interconnected. That is the future. And I said, but I really like this area called cybersecurity. They're like, cybersecurity is a fad. Nobody's going to care about it. You're going to install some software. It's going to be solved. It's not going to be a major problem in 20 or 30 years. Famous last words.
So I don't listen to people. I take advice, but I ultimately listen to my gut. And my gut said go with cybersecurity. So I went into the cybersecurity group and it turned into me becoming a professional hacker for seven years, where I really built up my offensive mindset. And that has served me well, because since I left the CIA, I got tired of hacking, I got tired of breaking in. And the reason is simple. It's easy. You can always break into any system, because any system, any business, whether it's IoT or large commercial or aerospace, if you have functionality, you have vulnerabilities. Therefore, there's always going to be a way for the attacker to get in. So offense is easy. Defense is much harder. So I switched in the late 90s when I left the CIA and became very focused on defense, helping organizations really understand how to build out creative solutions to protect their organization. I'm also an entrepreneur. I love building and selling companies. So when I left the agency, I started a government contracting company with several colleagues. And I was really focused on the R&D of building out creative solutions.
We were then acquired by Lockheed Martin. And Bob Stevens, the CEO and President of Lockheed Martin at the time, kept me on as his chief scientist focused on cybersecurity. So whenever there were any major breaches, any issues, any problems with cybersecurity, I would get the call at 2am, jump on an airplane and head out to wherever the issue was. So from my offensive mindset, I switched to defense and then I focused a lot on incident response: after breaches occur, after problems happen, how do we respond and fix it?
But then I was thinking through those years at Lockheed, why are we waiting for an incident to occur? Why are we waiting for the compromise to happen and then we react 6, 9, 12 months later when there's a lot of damage? What if we started doing more proactive based solutions? So that's when I started working for companies like McAfee, I helped revamp their entire technology line, and then we sold to Intel. And then after that, I started my own company, Secure Anchor, in which we're now really focused on helping organizations understand cybersecurity so they can build proactive solutions to minimize the damage.
Because let's face it, the average breach you hear about in the news goes like this: a company has been compromised for two and a half years, they've lost 300-400 million records, they're being fined and it's going to cost them 15-20 million. And you've got to sit there and say, wait a second, how does a large organization that has all this technology and all these people working in cybersecurity miss an attack for two and a half, for three years and have such a big data breach? And the problem is simple. Organizations don't understand cybersecurity, and they're focused on the wrong areas. So that's really what my mission is: to make cyberspace a safe place to live, work, and raise a family.
Erik: Normal security is a little bit like that as well. If you want to break into a building, you can break into the building. But the cost benefit is really not there. And in cybersecurity, what is it that is behind the tremendous rise in attacks recently? Is it that the value of the data is increasing so there's a greater incentive, because it's all about incentives? Or is it that it's so difficult to catch people? If you're breaking into a building, there's a good chance you're going to end up in handcuffs. Whereas with cybersecurity, maybe it's just particularly challenging in that domain to actually apprehend somebody, so the risk profile is lower? What is it around this domain that creates this dynamic that we don't have in a lot of other security related areas of life? Even at the national security level, defense trumps offense in many domains. What is it that is unique about cybersecurity that creates this dynamic where offense to some extent trumps defense?
Eric: So starting with the last one, the reason why offense trumps defense is simple. If somebody is going to break into an organization, if they're going to break into a bank, if they're going to steal your personal information, or steal corporate data, they only need to find one vulnerability, they only need to find one possible way in. If you're on the defense, in order to fix and secure the organization, you have to go in and find all the vulnerabilities. Now here's the problem.
If you have 100% security, the only way you can achieve that is if you have zero functionality, if you have zero value or benefit to your organization. As soon as you add functionality, you're decreasing security. So anytime you're allowing email, you're setting up a web server, you're setting up a new system, you're connecting your devices, your PLC, to a network, that's adding functionality. And every time you do that, you're decreasing the security, you're adding in risk, which means any organization that has computers and technology that has functionality is going to have security risks, they're going to have vulnerabilities, it's impossible to get around it. It's like the laws of gravity: when you do one, the other increases; when you increase functionality, you decrease security. It's always going to happen.
And therefore the big trick, and this is one that many organizations miss: prevention is ideal, but detection is a must. Most companies still naively think they can prevent all attacks. So they're putting all their energy into prevention, and when preventive measures fail, they don't have detection; they're not catching the attack. The way that I describe cybersecurity, it's all about containing and controlling damage in a timely manner. When we implement security for our clients, I tell them, listen, you're going to get breached, it's going to happen. Our goal is to catch it within hours and not years. Our goal is to catch it when you have 10 records, not 10 million records.
But companies have to recognize the reality that breaches are going to happen and accept it, not fight it, and focus a lot more energy on the detection side. And then the reason why these attacks are increasing is because organizations have moved so aggressively to connect systems that used to not be connected. I remember when we used to work with a lot of control systems, nuclear power plants, oil and gas, even the manufacturing facilities at Lockheed Martin, five, six years ago, seven, eight years ago, they were never connected to public networks, they were always air-gapped and separated and isolated.
So unless you had an insider that physically breached the perimeter of the organization, you weren't going to be able to get access to that data. But what a lot of organizations have done over the years is they're now starting to go and say, oh, it would be so much easier if our nuclear reactor had access to our production network; oh, it would be so much easier if the PLCs were connected. So they're starting to interconnect a lot of these systems that were never designed or built with security; they were meant to be air-gapped, so that's creating a huge number of exposures.
And then the second piece is cybercrime pays. As you alluded, we know who's committed these crimes. I can give you their name, their address, and where they're located. The problem is they're in countries where it's not illegal to hack outside the country and we don't have extradition treaties with those countries. So we know who they are, what they're doing, but we can't do anything about it from a law enforcement perspective. Which means yes, in 10 or 12 years, when I believe the UN or some other organization is going to have an international law enforcement agency for cybercrime, so all the countries are going to work together, that will start to solve this. But we're talking at least 10 or 12 years, which means organizations have to recognize the attacks will continue, they will increase, and those that ignore it are going to pay, and those that embrace it and start putting proper detection in place are going to be the ones that start winning.
Erik: I guess we have, maybe from my perspective, four different types of actors. You have the lone hacker who might be just out to prove that he can do something, he might be trying to make a little bit of money. And there's probably a lot of those, but low sophistication. Then you have the criminal syndicates, which are more sophisticated, you have nation states, and you also have probably, in some cases, corporates hacking each other. Has there been an evolution that you're monitoring around who is responsible? Because I suppose that will determine, to some extent, who you would identify as the targets, what type of data might be interesting to them. Are there waves or trends around who the attackers are? Or is this somewhat constant with the proportion among these different segments over time?
Eric: So the big trends we're seeing, and I'll put a caveat that it's biased data, and I'll explain what I mean by that in a minute. But what we're really seeing is that bottom tier that you mentioned, sort of those lone actors and that organized crime, those are the ones that are really increasing in attacks. And the reason is this. You see a lot of reports saying the attacks are getting a lot more sophisticated, they're getting a lot more advanced, and that's the reason why you're seeing the increase. I completely disagree with that.
Because if you go back 10 years ago, most of the attacks were actually very advanced, customized attacks, because organizations were patching, locking down and securing their systems. So we saw in 2010-2011 what we call zero day or 0-day attacks, which means these are brand new attacks that the vendor doesn't know about, there's no fix. They're very advanced, very sophisticated, and they're very hard to defend against.
However, in the last two or three years, if you look at all the major breaches, they all came down to this. There was a server visible from the internet that the company wasn't aware of, it was missing patches, which means it had known vulnerabilities, and it contained critical data that wasn't properly protected. Every single one of the major breaches that our company has worked on, and we worked on over 70 in the last three years, fell under that bucket.
So the problem today is organizations are getting sloppy. They're not doing proper asset inventory and protecting their systems, and therefore we're making it very, very easy for the attackers to break in and make money. And of course, the biggest one we see with the organized crime and the lone wolf actors is anything that's monetarily driven, so ransomware is one of their favorites. Because if your data is held ransom, you can't run your business. And for most businesses, if you pay the ransom, it's 2 million; if you don't pay the ransom, to recover the data is 8 million. So it's actually more cost effective, unfortunately, for organizations to pay the ransom, so we're seeing that increase tremendously.
Now, I said that we see that vector increasing and not as much the really advanced nation state threat actors, and I said there's a caveat. And the caveat is this: most organizations don't have advanced detection capabilities. And most nation state attacks are very advanced, so the problem is not that it's not happening, it's that we're not seeing it, because they're going below our radar and in stealth mode.
So I read a report three months ago that said, over the last 12 months, the number of nation state attacks has decreased by 30%. The number of nation state attacks over the last 12 months has not been detected. So companies are not detecting 30% of the attacks that they used to. It's not that it's not happening, it's that we're not catching it. And that's probably one of the biggest fallacies I see in cybersecurity, where I'll talk to executives, and they'll be like, Eric, we're good. We don't need your help. We haven't had any breaches in the last 18 months. We're doing good.
And I'm like, okay, let me get this straight. Every other company on the planet is getting attacked and compromised, and you're telling me for some reason you're not, which means one of two things. Either you have special, magical unicorn grade security that nobody else has, and you're magically protecting, or it's not that you haven't had a breach, it's that you're not catching or detecting it. And I could almost guarantee that it's number two.
So I would urge listeners that if you're in an organization where you haven't seen any attacks, and you haven't been breached in 12 or 18 months, you need to look harder. It's not that it's not happening. It's that it is happening, and you're not looking in the right place, and you're not catching it.
Erik: So then you have, on the one hand, the nation states and maybe state-backed companies that are becoming increasingly sophisticated in terms of masking their efforts and hiding out in the system safely over time. This makes sense as well with the adoption of IoT systems and also just complex IT systems at companies that really have no strong IT DNA over the past decade or so. It makes sense that there's a lot of easy targets now, new asset classes, new databases that are being opened up. Hospitals are, unfortunately, probably one of the key ones that comes to mind here as great targets for ransomware.
It sounds like these would be different problems to solve. On the one hand, you have relatively low sophistication attacks against targets that simply are not. I talk to a lot of IoT device manufacturers, and security solutions that are for IoT devices, and we're starting to turn the corner, maybe. But in a lot of these categories, we'll build security in once we prove that there's actually product market fit and we start scaling up. So you have a lot of asset classes where security is not being built in. Do you approach these as two fundamentally different challenges, this mass market versus the state-driven, sophisticated, under the radar attacks? What would be the difference in terms of how you might secure the targets of these two?
Eric: IoT presents a whole new challenge, because the whole premise of IoT is that you have smaller computing devices that can perform a very single-minded focus. So most of them don't have robust operating systems, and weren't built with security in mind. So to me, the big switch is, when you're talking about traditional Windows servers, or Unix, or Linux servers, or mainframes or large scale cloud computing, most of the security is operating system-based: patch the system, uninstall applications you don't need, lock down the system, have really strong, robust passwords. And if you do a lot of those things, it would be really hard to break into those systems and devices.
The problem with IoT is they're not really built to be these robust operating systems. A lot of the IoT devices are very simple, low cost, and they don't have security built in. And if you start building security in, it's going to either increase the computational size, drain the battery or power supplies, or negatively impact the system. So, to me, the big trick with IoT is you went from hardcore operating system security to now network based security, where you now have to design a network where you're placing the IoT devices in a secure network so they can do their thing, but you're limiting and controlling what information comes in and what information goes out, to be able to minimize or reduce the impact of those devices getting compromised.
So now it's a different mindset for a lot of security professionals: patching, hardening, removing software, and access control really aren't things that come into play. So it's much more about how do we design and set up a network that's air-gapped, or partially air-gapped, to minimize or reduce access to that information.
We were doing a pretty good job finishing up last year. So as we finished up 2019 and were heading into January 2020, I would say a lot of our clients that we were working with were starting to get it. We were building out proper security perimeters and zones. We were slicing up their network with VLANs and filtering mechanisms that were really doing a good job of protecting the devices with proper network configuration. And then in March or April, this thing happened that you might have heard about called COVID-19, and that changed everything, because now all of a sudden at hospitals, you had a lot more doctors working remotely, you had a lot more people that weren't coming in. Even in power plants, and utility companies and manufacturing, all of a sudden people that traditionally had to come into the office to do their job, now because of the epidemic, organizations are like, okay, this is too much of a risk, we need to allow remote access.
And pretty much within four to six weeks of companies “COVID-tizing” their organization, most of what we'd done over the last 12 months to protect and secure a lot of these IoT systems went away, because now they're allowing direct access from the internet, or indirect access, which now creates a whole new set of exposures. And that's why when the reports come out, you'll see the third quarter and fourth quarter of 2020 having massive attacks against IoT because of all of the changes that people had to make to support a remote workforce.
Erik: What are the steps that an organization needs to take? I think a lot of corporates are getting more flexible with IT requirements simply because factories are opening up to the cloud, so that management that's maybe stuck out of the country and not able to visit is able to access data and so forth. And I believe this is not going to be, in many cases, a situation that we walk back, because there are enough benefits to the ability, whether you're a factory or a hospital, to be able to operate remotely that there's going to be some stickiness to the situation even once COVID goes away. What is the path that you would walk through for one of these organizations that has recently opened up their IT system to devices outside of the control network?
Eric: The way you do this is what I call a hybrid cloud solution, where your data and information... With the epidemic, I don't think we're going back to anything that resembles normal in the next two or three years. I still think, from what I'm talking about with business owners, executives, and a lot of our clients, that we're probably, at least for another 12-18 months, going to have mainly a remote workforce. And then in 2022-23, maybe, we'll have 20 or 30% of the people in offices that used to be. But this is going to be the new solution.
So what you need to do is have all your critical data and information, whether it's hospitals, control systems, utility companies, in a private cloud, so it's on the back end, not directly accessible on the internet. Then you need to have an authentication zone. And I know initially this changes, it's a little bit of an inconvenience, but then you have to have users that have to authenticate based on their location. So if you're going from your home, you have to initially register that this is now your remote office, so they know that those IP addresses are valid. You then have to do two factor authentication, potentially with a certificate or other forms, so there's going to be some overhead setting it up. That's one part of the solution.
We need to do a much better job of authenticating, verifying and validating. This concept that in the year 2020 we're still allowing people to access critical information based on a password is insane. Passwords were meant for 1990 technology, not today. We need to get two-factor, we need to get certificates, we need to get better grade authentication, and get away from the old passwords. So that's option one.
The second is our endpoints, our exposure points. If you're letting people use personal computers, or even work computers at home, or what I call now the home office, those systems typically are built once every three to four years. So if they get compromised, if a user clicks on a link, opens an attachment, it gets infected, that system is infected for two to three years. And even if you're authenticating correctly to get access to the critical data, the adversary already controls the endpoint. So if they control the endpoint, then authentication doesn't matter.
So the other option that we're rolling out, and many of our clients started doing this two or three months ago when we realized COVID was the new reality, is you need to give your users at home that are working remotely thin clients. They don't have an operating system. They don't have a hard drive. Now, every time you start up your computer, you go out to a trusted server, you download an OS, you boot it in memory, and then when you turn your computer off at the end of the day, all of that goes away.
Now, even if you get infected, you're going to be infected for two or three hours, because every day you get a new clean build. So there's no long term access for the adversary and there's no data that they can compromise on that system. So now, by utilizing a thin client at the endpoint with robust authentication with a hybrid cloud model, all of a sudden you can allow people, in a smart, functionally rich, but secure way, to be able to access the information like they were in the office, but be able to do it remotely.
Erik: So is that deploying a virtual system on top of the personal computers my team uses? Would the corporate then be deploying a virtual system on top of that hardware, or would they actually be shipping out hardware that doesn't allow somebody to operate outside of the parameters they would set?
Eric: In an ideal manner, you would actually ship them all out thin clients. You would ship them out an $800 or $900 device that has a lot of memory, no hard drive space. Let the users get their own monitors and keyboard, but you would just send them the basic computer. That would be the ideal situation, because now you're controlling all vectors. If that's not possible, if that's not something you can do, then the second option, which is not ideal, but better than nothing, is you can go in and let them use their home computer, install a VM product, and then you just give them a virtual machine that they load every day to run on their system. And if that's configured correctly, you can at least do some isolation of the endpoint and the hard drive.
Erik: But if you can share a little bit about the types of people you're talking to at these companies, because this security issue is a little bit like wearing a seatbelt. And until you get in an accident, you don't necessarily take it seriously. Once you get in an accident, you're going to wear a seatbelt for the rest of your life. A lot of companies are in that position where they haven't been burned yet. Maybe they've seen other companies, but it hasn't happened to them, so it's hard to allocate the budget and the time to properly secure. Who, in an organization, or maybe a mid to large sized organization, would you be speaking with around these topics? And then maybe you can share a little bit about the argumentation. How do you get somebody who has not yet been burned to take this seriously as a preventative measure?
Eric: With clients, of course, obviously if they have an IT director or a CISO, we would go in and work with that. But the funny thing is, most of the clients that we get brought into are what I would call sort of mid-size; our sweet spot is between $1-4 billion companies, that's where we help them out. 80% of our clients are in that space, where IT is overworked and they don't have an actual CISO.
So, most of the folks that we're talking to, bringing us in: number one is chief legal counsel, the head attorney, because they are seeing breaches, they're looking at the ransomware, they're looking at the record, and they're getting concerned. Because cybersecurity, whether we realize it or not, is primarily a legal matter. And then the second ones that bring us in are auditors. Because with most of the clients we're dealing with, when you're dealing with utility companies, organizations in manufacturing that have a high amount of IoT devices, auditors are the ones that, when they start auditing, they go, wait a second, you did what? You connected what network to what network? So the auditors are the second group that brings us in.
And then the third group that brings us in is somebody who sits on the board of advisors or directors for the company. They're looking at everything the company is doing, they're getting all their updates and briefs, and they go, I sit on six different boards, and two of the other companies I work with have had breaches. So you need to go in and start thinking about cybersecurity. So it's actually the executives that bring us in that start asking questions to understand whether they have a proper cybersecurity strategy in place or not.
And you are spot on when you say that nobody thinks it's going to happen to them. The two biggest challenges when I deal with anyone with cybersecurity is, first, they don't think they're a target, and second, they don't think cybersecurity is their responsibility. They think that's somebody else's problem, that IT or security is supposed to deal with that.
And the interesting thing, and I'll share some real data with you, is prior to COVID, about 70% of our business was proactive security assessments. And 30% was what we call incident response or expert witness, where companies have breaches or are getting sued for having breaches and they bring us in.
The last quarter, I just looked at our numbers, and 20% was security assessments. We took a little hit on that because with COVID, and companies struggling in revenue and others, a lot of companies are like, Eric, we can't afford a security assessment. We're going to need to put it off, we can't do it. So we've seen those numbers drop. Companies might take a break from cybersecurity, but the cybercriminals don't; they're still breaking in and saying, you're ready for this.
In January, our business was 70% proactive assessments and 30% reactive incident response. The last four months was 20% proactive security assessments and 80% reactive incident response. So essentially, what's happened with COVID is for four or five months, companies ignored security. They put it on the back burner because they viewed it as an overhead function. And now they're seeing their incidents increase exponentially because they ignored the problem. And we haven't even tipped the iceberg yet. As we finish up this year and move into the first quarter of 2021, I think you're going to see a huge amount of compromises and incidents and breaches become publicized, because companies have been ignoring security because of the epidemic.
Erik: It could even be that cybercrime is counter-cyclical. A lot of people are being laid off from jobs, so even fairly high skilled developers are being laid off or just working from home and have a lot of time on their hands. And so now you have a kind of a talent base that has time, needs money, and of course you have opportunities. Obviously, healthcare strikes me as one of the areas that would see a lot of attacks now because of the sensitivity of their data. Are there particular sectors that you've seen bear the brunt of these attacks over the past year or so?
Eric: It's sort of funny, because we have to break it down pre-COVID, post-COVID. I would say pre-COVID, before COVID hit, it was a lot of health care, manufacturing, and utility companies. And now post-COVID, the number one sector we're seeing is financial organizations. And the reason is this. A lot of people right now are strapped for cash, they lost their income, they lost benefits. Which means whenever that happens, they're much more emotional, for phishing-based attacks. So we've seen the number of attacks that are compromising people's 401k, going after banks, going after mortgages, going after anything financially-driven, has definitely increased by about 20% since COVID. We're also seeing healthcare being hit, rightfully so.
But the other thing we're seeing is a large number of attacks in the pharmaceutical industry. We're starting to realize that the biggest monetary component today is not stocks, it's actually vaccines. So we're seeing various countries, like you've seen a lot from North Korea, China, actually trying to secure and break into the different vaccines. In Germany, where a lot of your pharmaceutical companies are actually based out of, they are doing similar things.
So there's this huge war going on with prescription drugs for COVID, vaccines for COVID, any treatments for COVID. Whoever can own or dominate that market, it's going to be a billion dollar market. So we're seeing huge amounts of attacks against all the different research firms and pharmaceuticals that are just being hit dramatically. And then of course, as we head into the holiday season, with most countries around the world, we're also seeing very few people going to physical stores, and a lot more people doing online shopping. My prediction is this month, we're going to see a huge amount of online retail organizations being hit with cyberattacks just because of the increased revenue that's going to flow through them.
Erik: I guess the pharma case is somewhat unique, very situational. It's a bit unfortunate, maybe billions are at stake. But right now, trillions are at stake in the greater economy. So it'd be nice if these organizations could find a way to pool resources and just bite the bullet, allocate funds for the greater good. But if we put them aside, because that's a unique situation, and we look at the ecommerce or finance, what is typically being stolen here? Is it personally identifiable information that's being stolen and sold? Is it attacks that are directly accessing funds? I mean, you mentioned ransomware earlier, where is the bulk of the structure of the attacks, or the assets that they're stealing?
Eric: In the last two or three years, almost all of the attacks we're seeing are heavily based off of monetary gain. So anything that can have a monetary value or benefit to the adversary is what they're targeting. So we talked about ransomware, that's in step because I encrypt all your data, you pay me money, or you don't get your data back. But what a lot of people don't realize is there's a whole underground of the Internet called the dark web. And I know a lot of people when they hear about it, they think it's SciFi, or fictional, but it actually does exist. It's a part of the internet where criminal elements reside, and they buy and sell bank accounts, social security numbers, identification, health records, anything that can have monetary gain for stealing or compromising data.
So with that backdrop, you're seeing healthcare information, social security numbers within the United States, identification information in other countries, passport information, bank accounts, anything that can have direct or indirect value for getting money for the cybercriminals, that's pretty much what they're going after and targeting today.
Erik: Maybe this is more FBI type work. But is there significant progress being done on preventing the sale because I guess this is very much a supply-demand situation? So if you're able to also reduce the demand side by making it more difficult to monetize stolen assets, whether it's cryptocurrency or more personal data, that would potentially reduce the incentive. Have you seen progress there, or are we moving in the opposite direction?
Eric: There is definitely progress. The problem is if you plot out the progress, it's sort of a small curve. And if you plot out the increase in the cybercrime, it's a much bigger curve. So while there is progress being made, it's not keeping up with the pace that's happening. And the two fundamental problems, the one that I sort of mentioned is a lot of this is being done internationally.
With traditional crime, if you're going to rob a traditional bank, if you're going to rob a traditional hospital that's in the United States, you have to come to the United States. I can't physically rob a bank at gunpoint from another country. So traditional crimes because they have to come to our country, we're very good at catching them and finding them. The problem now with cybercrime is you can go from anywhere in the world, and break into a bank, break into a hospital, and never leave that country.
And as I alluded to, because a lot of these countries don't have laws that make it illegal, and we don't have extradition treaties, there's not a lot we can do because there's not cooperation. So that's problem one.
Problem two, is a lot of these underground sites are actually run like gangs that make it very hard for law enforcement to get involved. For example, with the high end gangs, one of the things you have to do to get into the gang is you have to kill somebody. And the reason why they have that criteria is because an undercover police officer, even though they're undercover, they're not allowed to kill somebody in cold blood, even if it's for the greater good. So the criminals have figured out ways to weed out and make it hard for law enforcement to get involved.
With the dark web and the underground sites, it's the same thing. For you to get access to some of these really, really bad locations, you have to go in and break into a bank, you have to go in and steal 50,000 bank accounts. Once again, undercover cops can't do that because that's breaking the law to a point they're not allowed to. So the cyber criminals have figured out ways to make it very hard and very difficult for law enforcement to infiltrate these organizations. And they also segment that in such a way that even when law enforcement can, it's a very small group, and the number of new groups is increasing more exponentially than cybercrime can keep up with.
My hat goes off to all law enforcement. They are doing an amazing job. So I just want to be crystal clear, none of this is a negative on that. They are amazing people that are doing amazing jobs. It's just an unfortunate reality of what we live in. So organizations have to recognize that, at least for the near future, cyber security is their responsibility. They're going to get attacked, we're not going to be able to stop it. And they really need to focus a lot of energy and effort on detection.
Erik: I think we've touched on a lot of different aspects of this. But maybe we can now select an example, a case that you've worked on recently of a midsize company, and walk us through what steps you took, because I think a lot of our listeners are going to be in a similar position where they're on the one hand resource constrained, both in terms of financial resources and also internal domain know-how, but have legitimate concerns, whether it's around securing a product that they're bringing out to market or securing their internal operations. So I think it'd be quite useful to have just a step-by-step process for assessing where you are today, and then what do you do to, I guess, two things: one, secure your environment, and two, assess whether you've already been compromised and then, after that, deal with that situation?
Eric: There's two aspects to it, so I'll do one technical and then one executive level. So technically, we were brought into an organization that was getting compromised pretty significantly and they were getting hit with a large amount of cybercrime. So what it comes down to is hacking is not hard.
So if we just want to break hacking down to its fundamental components, you essentially need three things. You need a target, you need an access, and you need a vulnerability. So, most of the big attacks that we see are focused on servers that are internet facing. And the way those attacks work is you find a visible server that's accessible from the internet, it's missing patches, which means it has known vulnerabilities, and it contains critical data that is not properly protected or encrypted. So I know this sounds a little anticlimactic.
But if you want to protect your organization, whether you're a $10 million, $100 million, $1 billion, or $10, $20, or $30 billion organization, it's really quite simple. You need to go in and have visibility. You need to understand what are the IP addresses that are visible from the internet.
You need to know which ports are open, and what patches are applied to those systems.
Now, the way many organizations do this is they actually do a bottom-up approach. So they're going to go in, and the first problem is they don't have visibility. They don't know all their servers. In every one of the major breaches that we've seen in the news over the last couple of years, every single one of them, the server that was compromised, nobody knew was on the network. Nobody knew that it was out there.
Because let's face it, if you have an organization where they have a server that's missing patches, that contains critical data that's not properly protected and somebody openly knew about that and said, yeah, let's do that, that's a good idea, that's crazy. I mean, that's negligence. That's not what's happening. What's happening is they don't have that awareness of what their servers are. So you need to have a network visibility map that says, here are the visible IPs from the internet, here are the open ports, and here are the services that are running.
Now even with that, as I said, companies get it wrong, they do a bottom-up. So what most companies do is, like, okay, we've got to patch, patch, patch, we've got to lock down, we've got to harden, we've got to configure. What I recommend you do as a case study is do a top-down approach. So if you imagine this network visibility map, where you have an IP address range that's assigned to your company, you then have the 30 servers that are visible, you then have the ports, and you have the services.
What I want you to do is reduce the attack surface. I want you to start at the top and say, does every one of these servers need to be visible from the internet? No, let's remove them. Because let's face it, if you have 10 servers that don't need to be visible from the internet, isn't it better to remove them than to patch them? Why even have them visible if they're not needed? So now what we're doing is we're reducing the attack surface. Then we take the ports that are open, and we say, okay, do all seven of these ports need to be open on the system? No, let's reduce the attack surface.
So what we're now doing by doing a top-down, we're reducing that overall attack surface, minimizing the exposure, and now we only patch what's left. And now patching becomes much easier, because we have total visibility and control into our environment. So that would be the first case study I would definitely recommend: you've got to have visibility, you have to build that network visibility map, but you have to reduce the attack surface.
The second one is we're doing a lot of executive awareness, because let's face it. If you have vice presidents, directors, managers in an organization that they don't understand security, or they don't think about security, you're not going to be secure. They have to recognize that they are a target, and that cybersecurity is their responsibility. And the case study with this one is you just need to train all of your VPs and managers to ask two questions.
The problem now is when they make a decision, they're only asking one question. And that question is, what is the value or benefit? So let's set up a new server with customer data. What is the value or benefit? It can increase our revenue by 10%, let's do it. So they're only asking one question, which is very, very dangerous. What you want to do is train everyone in your organization to always ask two questions. What is the value and benefit? And then the second question, what is the risk and exposure by doing this? Then you get to decide is the value worth the risk of exposure? Is it worth that value now? If you say yes, then great, do it.
Like people always ask me, Eric, is this secure? Or, I bet you, if I asked you whether I can do this, you're going to tell me it's not secure, and I go no. Security is never binary. It's never yes or no. It's always what is your risk posture versus value or benefit? You might be in a situation where something is fairly risky, but the value and benefit is so great that you might be willing to do it. In other organizations, you might not. So the whole idea is you need to train executives on making full decisions with all the information: what is the value or benefit, what is the risk and exposure, and then can you live with that risk and exposure?
And if you can't, reduce the risk or don't do it, and if you can, then make that decision. But just by adding in that simple second question now gives those executives the visibility to make security-conscious decisions where they understand the value, they understand the risk, and they're properly balancing both sides of the equation.
Erik: Assessing the benefit is their core job. Assessing the risk is something that is outside of their domain of expertise. And it's, again, coming back to this car accident analogy. It's something that until it happens is not necessarily apparent. What level of proficiency would you expect these executives to reach so that they can make an informed risk-benefit decision? Do they need to develop a high level of proficiency? Or is it more gaining awareness of the issue, and then knowing who in their organization they can engage with to fill in the information gaps? Because I would imagine it's always challenging to bring senior executives to kind of have them devote the time to develop a new domain of expertise?
Eric: It's definitely the awareness. It's not something where I'm expecting your vice president of product and development or your vice president of marketing to take six months of cybersecurity classes and understand that, it's just an awareness to ask the question. Because here's the problem today. In most organizations, vice presidents, and managers and executives, they have all of the authority, but they have none of the responsibility when it comes to cybersecurity.
So we see this happen all the time, where the chief information security officer will go to a vice president and say, you can't do this; this is a huge security risk, you shouldn't be doing this. And they basically say, go away, I'm making money. As long as I'm making money, I can do whatever I want. You have no control over me. You deal with security I'm ignoring.
And even though the CISO went to everybody saying this is bad, this is bad, this is bad, nobody listened to them. And then what happens? A breach occurs. And what does the organization do? Fire the CISO. So now that Vice President had zero responsibility for cybersecurity, they are going to continue to make bad decisions because they don't have the responsibility, they have the authority, and you're going to just keep getting CISOs in and getting them fired. And this is why the problem persists.
What we need to do in organizations is shift the responsibility to that Vice President. So now when that Vice President makes a decision, security goes in and transfers the risk. We now go in and say, okay, Mr. or Mrs. Vice President, we're going to make you aware of the risk. And if you decide to accept that risk, we're going to tell the executives that you've accepted this risk.
Now, if a breach happens, not only is the Vice President responsible. But now, because they have that responsibility, and they're going to get in trouble, they're going to stop ignoring security and stop making bad decisions. So this whole concept of asking two questions is really breaking the fundamental problem, where Vice Presidents have all the authority and none of the responsibility. Because until we push responsibility with authority with security and raise awareness, these problems are not going to get fixed anytime soon.
Erik: Maybe this is a good place for us to end actually. I remember that Hannah Broadwell, who had introduced us mentioned that you're also running a virtual Chief Information Security Officer course. So I imagine that would at least be one avenue for non-IT. Is that a course specifically for CISOs who already have specific domain expertise and you're enhancing that? Or would there be a separate course for non-IT executives to gain this foundation of knowledge?
Eric: So I'm calling it a CISO course, a Chief Information Security Officer course. Because the problem I saw in organizations is there is no cybersecurity strategy. I know some technical people get mad at me. But the problem we have over the years is that people always view a CISO as a promotion for a really smart engineer. So a CISO was a technical advancement in the organization and that's the reason why it didn't work.
So this course is really how do you think strategically about cybersecurity, and while it's intended for somebody that wants to be invincible, it's also very applicable to non-technical executives that want to think strategically about security. They want to understand, okay, at a high non-technical level, I don't want to get a master's degree in this, but just 6, 7, 8 hours' worth of material that I could just listen to on my car ride or at the gym to just think about security strategically, that's really what that course is for.
So anybody that wants to understand security strategy, whether it's for a CISO, or as a more effective executive, this course would be very, very effective. And if you go to secure-anchor.com, you can definitely find out more information about it.
Erik: Eric, I think this is been a super useful podcast already. Is there anything that we're missing that we should cover?
Eric: I think we covered the key points. And I just want to sort of emphasize that no matter who you are, no matter what size organization you are, whether you're making $100,000 a year, or 10 billion a year, you are going to be a target, you are going to be compromised, and cybersecurity is your responsibility. And if you have not had a breach in over 12 months, it's not because it's not happening. It's because you're not looking in the way.
Erik: One of the things I'm doing on the side here is I'm one of the directors for Startup Grind, which is a nonprofit organization for entrepreneurs. And somebody, just two days ago, tried a phishing attack on me. And I'm thinking, what are you even trying to steal here? You know, I'm not sure of any resources that are interesting here. But even a little NGO for entrepreneurs is an attack target here. Eric, so you're doing super important work. Thank you for taking the time out of your schedule to share your expertise with us. What's the best way for people to reach out to you? Is it through the website? Or what do you prefer?
Eric: I'm very active on the internet because I'm on a mission to make cyberspace a safe place to live, work, and raise a family. So if you just want information, just on any social media platform, Dr. Eric Cole. I have a Life of a CISO show that I do, and I have a lot of content I put out every day. If you're interested from a business perspective, www.secure-anchor.com. And if I can help you in any way, shape, or form, firstname.lastname@example.org. And I'd love to hear from you and see how we can help you.
Erik: Great. Thank you, Eric.
Eric: My pleasure. Thank you, Erik.
Erik: Thanks for tuning in to another edition of the industrial IoT spotlight. Don't forget to follow us on Twitter at IotoneHQ, and to check out our database of case studies on IoTONE.com. If you have unique insight or a project deployment story to share, we'd love to feature you on a future edition. Write us at erik.walenza@IoTone.com.