Evolution of Cybersecurity - Are Threats Getting More Advanced?

AR:
Was that back in the day when you could hack a phone by just dialing random digits?

RS:
That's phone freaking, yeah.

AR:
Freaking, that's right. Yeah, yeah.

RS:
That was part of the allure that also got me involved. Even prior to working in the bank, even at the age of, I'd say I was 16, 17 years old, I got my first Tandy 1000 SX computer from Radio Shack when they used to be around.

AR:
Wow. What kind of operating system did that have?

RS:
It was an IBM compatible.

AR:
Oh, wow.

RS:
DOS based.

AR:
DOS based, yeah.

RS:
DOS based, so it was a lot of fun trying to program.

AR:
What was the biggest threat back then relative to today?

RS:
Back then the systems pretty much had remote access through dial-in, so dial-up security was pretty challenging. Candidly, I think there wasn't a lot of focus and concerted interest on monitoring those type of systems. It came up as part of audits that were performed on the banking systems. So I think it has definitely evolved from that point.

AR:
Sure, yeah.

RS:
It's become more of a routine activity for many organizations to have IT security type representatives.

AR:
Yeah, I think back then it was more analog in terms of ...

RS:
It was definitely analog.

AR:
Yeah, I feel like there's more vectors for attack nowadays because there's so many layers, although I would say it's a little bit more secure nowadays too.

RS:
Well, yeah, some things are new and advanced and some things still remain the same. Yeah, so some of the common challenges that we face are basic blocking and tackling, what you call in the industry, is putting the right level of access controls, enabling a proper level of authentication. And then-

AR:
People still putting passwords on Post-it notes.

RS:
Putting it on Post-it notes. I remember the days we used to do routine audits within the bank and other firms that I worked for, where we would look for, do a clean desk review and see if there was any type of information, confidential passwords, credentials of that nature that would be stored. A lot of times everybody was looking under the stapler or under the keyboard or something of that nature where users would essentially hide their passwords.

AR:
Yeah, some things don't change, I guess.

RS:
Some things don't change.

AR:
So technology improves, but humans are humans.

RS:
That is the main culprit in many of the cases that we experience, is because it's not because of the hacking into a system, it's user error or just not having enough understanding and awareness of the actions that they're taking.

AR:
Yeah. So you were 16, 17 when you initially became interested, you wanted to be a hacker, is that what it is?

RS:
Yeah, yeah. I think you could call it that, but it was kind of an interesting experience for me, because the concept of a hacker really had different meanings to others. And some "hackers" were considered more of the professionals that really looked at it from the purest way of dealing with IT, versus those that had the more, I guess the bad kind of behavior that people think that hackers are actually doing. And in fact, when I worked at another bank we actually had consultation with outside counsel to even have discussions about, what is a white hat hacker, what's a black hat hacker? What's a gray hat hacker? And each one of those has a different type of meaning. And we even went through, as far as screening for employees, if they were known hackers, we wouldn't hire them.

AR:
But there's also a place for, really a lot of companies have bounty programs where they'll pay out if you find a vulnerability. And that's where I guess a white hat would work.

RS:
Yeah, that's exactly right. There are paid opportunities to uncover if there's errors in the coding. And there's been crowdsourcing of those type of arrangements too to help identify and ferret out or vet out applications. So yeah, there's some benefits there to help with improving the overall security for certain things like applications.

AR:
I don't know if you know this, but I actually was suspended from high school for hacking.

RS:
Oh, were you?

AR:
Yeah. Do you want to hear the story?

RS:
I would love to hear the story.

AR:
Man, it was a while ago, but this is back in the Windows 2000 days.

RS:
Yeah.

AR:
And both parents worked, so I was after school often and they blocked all the game sites. Back then it was like flash games.

RS:
Flash games, yeah.

AR:
So I was like, "I'll just crack the administrator password and I'll give myself access to miniclip.com," or whatever it was, if you remember those sites. So I think back then Ubuntu was the new thing. And I put it on a flash drive and I got a SAM file, it was called, and it had the hash of the admin password on it.

RS:
The hash, there you go.

AR:
And I found out about rainbow tables and I was able to brute force it. It took like a week, my computer was running for a straight week just testing passwords.

RS:
That's absolutely right. Used to be brute force in the password, utilizing these rainbow tables. I remember actually doing that against a lot of PC Anywhere hosts, you know, remote access hosts into systems. And I remember in particular I had a one instance where I was actually paid, I was working as a consultant, and contracted to test the environment for this one. Well, I'll say it this way, they're a well known publisher. And we actually went in, it was a team of us that went in, and I was the one focused on the remote access with PC Anywhere testing. We did brute force, and I was able to gain access into the environment through a connected system, which was obviously connected to the rest of the network. And so we used that, and it was just a single desktop within the HR division with PC Anywhere.

AR:
Wow.

RS:
And I remember actually getting on the system and the administrator, or the person that was the user, they thought, to start chatting with me, like, "Who is this?" They were chatting and I told them, "I'm the IT administrator and I need to do some maintenance." And said, "Okay, proceed." So I did, I proceeded. I kept on going.

AR:
Tell me about some of the more fascinating cases you may have worked with clients and the issues they've had.

RS:
Yeah. I know that I've dealt with insider threat, and insider threat to the point that it's those that are most trusted within the organization, within the administrative function.

AR:
So can you define that?

RS:
Yeah, so security administrators, those that have actual, so to speak, the crown jewels, the keys to the kingdom, we often affectionately say in the industry. But they have the actual administrative accounts to the systems.

AR:
And they pose potentially the biggest threat?

RS:
They do pose it.

AR:
Especially if they're disgruntled or something.

RS:
One instance where I worked at a bank in New York, well known bank to this day, and there was, at that time, this was in the early '90s, they had bulletin board systems. And I remember working-

AR:
What's a bulletin board system?

RS:
Yeah, so it's the early days of social media basically.

AR:
Right.

RS:
It was a way for groups in like in interests to connect.

AR:
Online, BBS?

RS:
Online, it was BBS. This is the early days of the Internet. I'm dating myself.

AR:
This is kind of like forums, right?

RS:
Yeah, forums that are out there and people are communicating and chatting and sharing of information and files. Well, this one administrator was accessing the BBS systems and essentially was sharing viruses and cobbled viruses together to basically breach systems or cause havoc on systems. And more importantly, they were using the bank systems to develop the code.

AR:
Oh, wow.

RS:
And they were then passing that out. So there was a big research investigation that had to go into that to prove that point that was going on. Later in my years I worked under contract for the FDIC, and I was involved with a lot of these things that we're hearing about with bank closures, bank resolutions, let me put it that way. And so in one of the instances where we were doing a review for the bank and doing some due diligence, we understood or uncovered that there was collusion that was occurring within the environment between the IT and the chief risk officer, if you will.

AR:
And when you say collusion, what were they trying to accomplish exactly?

RS:
Basically circumventing access controls, enabling them to have access to ...

AR:
Funds?

RS:
Funds, yeah. And that's typically what's the issue.

AR:
Right, but isn't that still traceable?

RS:
You would think, but then when you have an administrative privilege, there's ...

AR:
There are ways to obfuscate-

RS:
Obfuscate the way to get in. You can create some unique profiles that are seemingly trusted or authorized to have access. You can modify, at that time it was modification of logs.

AR:
Right, oh, I see.

RS:
You can taint the logs.

AR:
I see. So they wouldn't be able to trace it.

RS:
Yeah, so it'd make it more difficult. So it was pretty alarming to me that insider threat was that pervasive and that real.

AR:
That's interesting. So log tampering, is that still a potential issue?

RS:
It's much more difficult nowadays. In fact, I think there are techniques that are out there right now to have more non-repudiation and trust in the logs itself.

AR:
And that's partially why blockchain is so powerful.

RS:
Absolutely, blockchain is very powerful.

AR:
Because you can't.

RS:
You can't. There is a sense of integrity with that overall blockchain.

AR:
But it has to be decentralized, right?

RS:
It has to be decentralized.

AR:
Because a centralized blockchain can still be tampered with, technically.

RS:
That is correct, because that's the challenge with a lot of these systems. If you have it in a central location, then if you're able to manipulate, then there is no trust behind that.

AR:
I know this isn't necessarily security specific, but are you finding a lot more activity or usage of the blockchain technology with banking or other sectors?

RS:
There's other applications. Yeah, even just in farming, knowing where crops are coming from, blockchain is part.

AR:
Oh, so like supply chain?

RS:
Yeah, supply chain. In the overall brand scheme of things, if you want to understand where certain products are coming from. Again, agriculture or even in the meat processing, knowing where, cows, as an example.

AR:
So what is the incentive for these companies to implement the decentralized solution? Is it because the vendors they're working with require that level of transparency? What's the catalyst? Because they can just use their own internal databases, but there's always going to be that notion of trust, right?

RS:
Yeah. That's the whole concept behind blockchain, is to create this level of trust amongst all the parties that are involved in that overall supply chain. Well, that's the one thing I can say. I'm constantly learning about these type of technologies and advancements, and that's the appeal behind cybersecurity. It's not a static thing. It's always evolving.

AR:
It's always evolving.

RS:
It's always evolving.

AR:
Yeah. So speaking of which, can you walk us through the evolution of the threats themselves and also the mitigations? I don't think companies necessarily spent a whole lot back then. Nowadays a lot is being spent, but there's a lot of solutions that makes it easier for companies to implement cybersecurity without necessarily needing a whole department for it, right?

RS:
Yeah. Well, I think back when we were going, the days that I was working in the bank and dealing with security in that capacity, there were administrators, there were auditors, there were sometimes teams and armies of individuals that were involved in helping address security from all different angles. The days of virus protection has evolved to not just putting antivirus now, it's really looking at endpoint, the full endpoint capabilities of looking at it more dynamically, more routinely at the endpoint and understanding if there are any malware issues that are occurring there.

And also taking stock of what's on the network through understanding what endpoints are out there. That's been a big pain point for a lot of companies, knowing what are your assets, what you're trying to protect.

AR:
And that includes endpoints that sit between an email link, like I think ...

RS:
Yeah, like your desktop, or even ...

AR:
So endpoint management, Microsoft Intune, all of those things.

RS:
All those things are used in harmony to ...

AR:
To minimize.

RS:
Yeah, to minimize the landscape, if you will, from an attack surface perspective.

AR:
I think of, when Bitcoin came out, now all of a sudden you can blackmail people for their data. You know how they have the, what do you call them? When they basically encrypt your hard drive or your data and then there's a note that says, "If you want us to decrypt it ..."

RS:
Ransomware.

AR:
Ransomware, that's right.

RS:
Ransomware.

AR:
I was like, "That's insane," but it's actually really, really intelligent. It's like spy versus spy, you're always trying to be on top of it and think of what the next attack is going to look like.

RS:
Well, I think all of that is fascinating to me.

AR:
Yeah.

RS:
It also gets into the psyche of the people that are actually doing this type of thing.

AR:
You would think, if they're that smart, why don't they just get a job?

RS:
Well, they can. Why? Because they can get more money doing that.

AR:
That's actually...

RS:
To tell you the truth, it is, it's a multi-billion dollar, trillion dollar business. That's why there's a lot of these regulations that are in place right now that have really propped up, trying to put a little bit more control.

AR:
Similar to what they're trying to do with TikTok?

RS:
Similar with the CFIUSA, Committee for Foreign Investment in US Assets. Yeah, so they want to essentially restrict any of the Chinese, create a wall, if you will, between Chinese owned and US owned.

AR:
More or less the data going back and forth.

RS:
It's all about the data, quite honestly.

AR:
Right. And there's so much data now being captured everywhere.

RS:
Yes.

AR:
It's almost impossible to plug it or prevent it from going into the wrong hands.

RS:
Yeah. And the reality is, all of our data is already exposed.

AR:
It is. It's almost like we give it voluntarily. It's like, "Here you go."

RS:
And many times it is. That's the case. But I know that there's sites called, "I've been powned," or, "Have you been powned" or something like that.

AR:
Yeah, I've heard of that.

RS:
Yeah. And I think I remember putting in my own email accounts.

AR:
So can you explain to the audience what those websites are?

Raymond Soriano:
Yeah, those websites actually provide insight into known hacked sites or locations that-

AR:
So you can enter your password and it'll tell you ...

RS:
Enter your user ID or your email, is what I put in there.

AR:
Oh, okay.

RS:
And then it will tell you if it's been compromised on a certain site, if it's been already put onto some website like Wastebin, or if it's been disclosed as part of some kind of breach already, it will tell you.

AR:
And then you would go change your password.

RS:
Yeah, then you can go through the activities of changing your password, which is probably a good practice anyway to do that if you're still using passwords.

AR:
Right, yeah. Nowadays MFA multifactor authentication, that's super important.

RS:
It's absolutely important. I've read multiple studies, even Microsoft has put something out there, and I don't want to quote them, but I know that they indicate that a large portion, a percentage of a lot of the breaches that are out there could have been prevented if they had multifactor in place.

AR:
And even when it comes to multifactor, there is applications like Microsoft and Google Authenticator versus using text message, which is not secure, because now they're spoofing your SIM card.

RS:
Yeah, spoofing SIM cards. There are different applications. I've even used certain applications that have that multifactor with a texting feature and then I've had somebody try to contact me to indicate that they're an administrator or they're part of that application. I'm thinking like when you're trying to online sell goods, there are different applications that do that, I don't want to name them.

AR:
Where you get a spam email?

RS:
Yeah, you get a spam email or you may even get a phone call, which is kind of interesting.

AR:
They're trying everything.

RS:
Yeah, like I said earlier, by any means necessary.

AR:
Yeah. And a lot of people fall for it because they just don't know any better or they can't distinguish between the real email or the fake email, and it's really sad.

RS:
It's very challenging. And now there are tools that are out there that the adversaries, hackers, black hat hackers, if you will, they're using to essentially create these scripts and sending them out via email. And it's no longer just looking for errors, grammatical issues, or anything. It's really surpassed that. And now you're getting into artificial intelligence that actually is ...

AR:
It's a great topic.

RS:
Yeah, hopefully I'm teeing that up now.

AR:
Yeah.

RS:
Because that's a whole new evolution of security challenges that we need to think.

AR:
So it's both good and bad. Artificial intelligence greatly enhances our ability to be secure and identify risks. It also greatly enhances the ability to create viruses, vulnerabilities, malware, ransomware.

RS:
I think these type of pain points or challenges we're seeing are going to be pervasive. It's going to be something that we have to evolve as an industry, if you will. I think that the biggest thing that I see, though, is what's common across all of this is the education of this and just bringing awareness. And no matter whatever the issue is, the circumstances, putting that information out there and letting people be aware and understand that there are different ways and means that the attackers are always going to be looking at how to get in.

AR:
Reinforce training.

RS:
Vigilance, if you will, putting in training.

AR:
Because the layman is not going to know the latest threats.

RS:
They're not, they're not. Not everybody can, there's so much information out there.

AR:
So what do companies do, what do your clients do to keep their employees up to date?

RS:
Yeah, the common element that I'm seeing right now is phishing, a phishing test. You can do that and then they say, "Ah, gotcha."

AR:
Oh, so they'll send the employee an email?

RS:
Yeah, yeah. They'll have an outside help do that or they utilize a product to do that. And they'll configure it so that they can create these random campaigns, if you will, in an attempt to, I don't want to say fool the employee, but to try to lure them to see if they would expose information. In order for somebody to understand that they need to be mindful of this, it has to be part of the culture and it has to be indoctrinated as part of how you train and create that awareness within the organization. And by the way, that's the whole concept of doing it not only from the employee going up, the bottom up, it's the top down too, as they're just as suspect, and if not the likely candidates that are going to be phished, for example, or where there's going to be attempts to try to compromise.

So I think awareness has to be pervasive throughout the organization. It has to be exercised on a continuous basis. It has to do different types of techniques, not just a phishing technique. I think sometimes just going through even a TikTok exercise.

AR:
If someone gets your password and that's sufficient, then you have a different problem.

RS:
You've got a big bigger problem. You've got a different problem, but it's a bigger problem, because now they have that information and they can pivot.

AR:
I wanted to ask you, so there's this movement towards improving security, and that's always ongoing. How do companies balance that between innovation? Because I see security as almost an antithesis to some degree of innovation, because it slows down processes and the more you lock things down, for example, my work application, I can't even copy and paste something from one application to another.

RS:
Right.

AR:
I can't even copy anything, you know what I mean?

RS:
So you're trying to bypass now, right? You've got to figure out a way you can.

AR:
Yeah, you got me.

RS:
Yeah. No, I think with innovation obviously there's a lot of goodness, if you will, with that. It brings the opportunities, the efficiencies, growth for organizations, but obviously it introduces some additional level of risk in some cases. I think it's just understanding the technology, maybe putting measures, risk indicators, metrics in place to understand how the innovation is not only providing the value, but managing risk.

AR:
Have you seen any clients do, this is just something I thought of, a sandbox environment where it's a free for all, there's no security in place, but it's completely isolated from the main operation, from a research and development perspective? Is that something that is common at all?

RS:
No, it is common. You're going to have to do some R&D, I would think, and you can isolate. But what the problem is, and again, this has been through my own experience, I worked on another client, it was a cable box manufacturer. So as an example, they had their technology, their latest and greatest technology. It was more from a trying to market technology, but they claimed that it was isolated.

But what happened when we did the review, it wasn't isolated. What was seemingly, they applied certain controls, again, a human factor came into play. One of their developers, an administrator, actually enabled access into the production environment of the network. And seemingly this set top box, if you will, provided the gateway into the environment.

AR:
Oh, wow.

RS:
So I think it's important for people to understand the boundaries and what's part of the ecosystem, the IT ecosystem.

AR:
Take a high level view and then drill down.

RS:
Right, and be open-minded that it's not just what's in your capacity to control, it's what is also in the capacity of your providers and the third parties that you're working with. And that is another area.

AR:
Everyone has their own security risk. I guess that makes sense, given all of that, why a startup can outcompete a big company. Because the stakes are a lot lower when you don't have that much data and they're able to move a lot quicker.

RS:
Yeah, they're more agile, absolutely.

AR:
Yeah.

RS:
But as they evolve ...

AR:
As they grow, yeah, eventually they have to do the same.

RS:
Right. And depending on the industry, because I deal a lot with financial services, I deal with regulated industries, healthcare, I'll deal in certain respects retail, those that are governed by some type of state, local, or federal requirement. And generally those, even if they're a small firm, they still have to eventually evolve and be governed by those laws and stuff.

AR:
Right. But hopefully there's solutions that help them so that they're not spending all that time and resources as much.

RS:
Yeah. I think from my perspective, and what I do on a different routine basis is try to help organizations mature their thinking related to cybersecurity and just overall risk management. It's educating and going through that process with them. So we do a lot of handholding there, I'll say it that way. Because we have clients that are all size and scale. And you would think that the small mom and pop proprietorship don't have that many problems, but they do have just as many problems as the large enterprise.

AR:
What advice would you have for someone who's maybe still in school that's looking into cybersecurity? Is it a very promising field?

RS:
It is. I can say when I was going to school a couple of decades back I wasn't as exposed to the insurance, information assurance, and cybersecurity programs that they actually have as actual degrees.

AR:
Yeah, they've fleshed them out now.

RS:
Yeah, they've actually developed those. It's so enlightening to see that this profession has really evolved in that capacity. I would say if I were to give advice to those that are in this field, is never stop learning, for one thing. it's not an endgame. It's a journey that they have to go through.

AR:
Right, and that's the biggest thing. Everything relates to technology.

RS:
Yeah. It's an evolution of yourself and maturation of how you look at things and evolving in the field that way. There's the old adage, "It's not a matter of if, it's when." But now it's translated to, "When and how often." And so what I'm bringing up is that it's going to continuously evolve, and that's something as part of this field, it will be evolving. So again, tying it all back, let them them do the research, gain more knowledge.

AR:
We need pioneers.

RS:
Yeah, we need pioneers in that space. That's exactly right. Because I think there's a lot of things that are the same, but there are these new innovations and things that are going to be distinct, and we have to understand them.

AR:
What advice would you give your 20-year-old self if you could go back in time?

RS:
Oh, yeah.

AR:
It doesn't have to be career related, by the way.

RS:
No, no, no. But I could say that if I look at it from just an overall experience and what I've been involved, obviously not be naive. Because like I said, I talk-

AR:
Does that work though, just saying, "Hey, don't be naive"?

RS:
No, not necessarily.

AR:
Sometimes you've just got to stumble.

RS:
Yeah, you've got to stumble. But always think about it from the perspective that you can challenge. You have to challenge, you have to use professional scrutiny and skepticism and things. Sometimes what is seemingly supposed to be secure is not always secure. If I'm looking at translating from a career perspective, independent of that-

AR:
Basically don't take anything at face value.

RS:
Don't take anything at face value. What I hear a lot too, by the way, is there's a reliance on SOC reports, the service organization type reports that people put out.

AR:
That's the be all, end all.

RS:
Be all, end all. And while I can give them a lot of merit, I agree that there is an element that people have gone through the appropriate level of due diligence, but it's not all-encompassing.

AR:
It works until it doesn't.

RS:
It works until it doesn't. And it's only a state of point, in the review, and this is what they observed during this period. But again, it doesn't talk about the complete picture, what the organization, the provider, if you will, or the third party, the vendor that you're working with, that you're requesting the SOC reports. So my advice is, again, tying it back to the advice, trust but verify, the adage that Ronald Reagan put out there. I think you have to. And that helps evolve enhancement and better controls that are going to be applied. And like I said, from a cybersecurity it's never ending.

AR:
Yeah. Well, I appreciate this conversation. Where can people find you on social media?

RS:
Yeah, they can find me on social media, on LinkedIn. I have a Twitter account, @RaySoriano1, number one. They can also essentially reach me at EisnerAmper, my full name, raymond.soriano@eisneramper.com. I'm online, I'm pretty much social.

AR:
Plugged in.

RS:
I'm a social butterfly when it comes to that. So I am pretty plugged in, dialed in.

AR:
Great. Well, thanks again for being on the show.

RS:
Thank you very much. I appreciate it.

AR:
Hopefully we have another session sometime.

RS:
I'm looking forward to it, yeah.

AR:
Yeah.

RS:
More to talk about.

^{Transcribed by Rev.com}