June 25, 2018 • Amanda McKeon
In this episode of the Recorded Future podcast, we explore the unique challenges associated with securing your C-Suite executives. Not only are they attractive targets for scammers and fraudsters, when it comes to security, they’re often afforded a level of flexibility and deference not given to other employees. What’s the most effective approach for educating executives on the critical role of security, and how do you extend that behavior beyond the office walls? In a world where business email compromise and phishing run rampant and attacks happen at the hardware DNA level, translating security strategy to the common language of risk management can be an effective approach.
Joining us once again to address these questions is Dr. Christopher Pierson, CEO at Binary Sun Cyber Risk Advisors.
For those of you who’d prefer to read, here’s the transcript:
This is Recorded Future, inside threat intelligence for cybersecurity.
Hello everyone, and thanks for joining us for episode 62 of the Recorded Future podcast. I’m Dave Bittner from the CyberWire.
In this episode of the Recorded Future podcast, we explore the unique challenges associated with securing your C-suite executives. Not only are they attractive targets for scammers and fraudsters, when it comes to security, they’re often afforded a level of flexibility and deference not given to other employees. What’s the most effective approach for educating executives on the critical role of security, and how do you extend that behavior beyond the office walls? In a world where business email compromise and phishing run rampant and attacks happen at the hardware-DNA level, translating security strategy to the common language of risk management can be an effective approach.
Joining us once again to address these questions is Dr. Christopher Pierson, CEO at Binary Sun Cyber Risk Advisors. Stay with us.
Dr. Christopher Pierson:
When you take a look at the risks of the company, it’s not just what is within the environment that matters. We do have this little bleed over of BYOD in devices that are personal devices. You’d have some controlled applications on them. But when we talk about the executive team and executives — you know, those 10, 20 people that are key to the company’s survival — those individuals are mixing their personal and work lives. They’re essentially working seven days a week, working every single day of the year on phone calls, and working from home offices. They sometimes have to print out documents at home and work on different computers as they’re traveling. And what we see there is a pattern of behavior where they need as little friction as possible, and with that comes some of the most common things — sharing of passwords, reuse of passwords, no password safes between personal life and corporate world, no VPN usage. So, after six days of working straight and wanting to go out for that Starbucks on Sunday morning, they’re pulling out a laptop or an iPad at the local Starbucks and not initiating a VPN, even on their personal device.
There’s just nothing these days that those executives are doing that isn’t related, in some form or fashion, to work. It could be a merchant acquisition, yet, they’re on their personal iPad just quickly searching a few different companies, looking at some of the people of the executive team that they’re willing and wanting to purchase and bring into the fold of their company. It could be any one of those things. So, those risks, those threats that exist there at the company also exist in their full personal lives, and with regard to their spouse or significant other, as well as the kids, and everyone that’s on the home network.
I mean, Dave, even if you take a look at, just recently, the announcement of Russian SBU compromising some 500,000 routers. They’re at home and they’re behind a home router, which might be any one of the most popular brand-name routers, but it has an integral deficiency in it and could be compromised. Once again, that can impact the company.
Now, how much of this vulnerability is disproportional in that if the boss says, “Yeah, that password is too hard for me. I’m just doing this.” The big bad boss at the very top of the chain. The IT people aren’t going to be able to necessarily say to that person, “Listen, you need to do this. You need to do that.” So, do we find that there are specific vulnerabilities that come with that — I guess, that deference — to those types of executives?
Dr. Christopher Pierson:
Absolutely. I mean, when you talk about the C-suite, when you talk about those 10 key executives, a lot of times it’s, “No, too much friction. Don’t want to be bothered with it. I just see this as an IT issue.” What I find there is that getting in with the general counsel, getting in with the chief financial officer, getting in with the head of HR ops, and getting in with folks that are actually going to serve as a test case for you in terms of how you approach this, how you tackle it, and what things you offer to them that makes their lives easier is a good way of lining up different resources around that executive table. That way, one, two, three people don’t want to be the odd man or woman out of the circle. I think that’s number one.
Number two, showing … In telling someone, “Hey, this password safe thing is very, very easy,” or, “This personal VPN is very, very easy. I would like you to take a look at it. I’d like you to think about it. I’d like you to harden your browser.” I mean, all that’s great, but all I see is frustration, fear, and anxiety, and we can’t do that. We have to go ahead and make sure we show them. That could be a simple video demonstration where you literally record a … It takes 20 seconds and you send them a video of it taking 20 seconds. Once again, we have to show, not tell, how easy it really is.
And third, we have to bring things back to the business of the company. How does this actually help the company? Sure, it might help IT. It might help security. It might help ops. But how does this actually help the company? And hitting home with some salient points there. I mean, publicly traded companies, it should be a no-brainer in terms of SEC, SEC rules, SEC disclosure laws, and all the rest. If you’re operating internationally — GDPR — we could go on for hours about that, but it’s more common sense in terms of the executive team. It’s reputational risk. You just can’t be operating the size of business that you are with that type of reputational risk and having it be your name or your position attached to the disclosure form regarding the risk that occurred. I think those are some good things to think about as we push out through the executive team.
So really, framing it in a way that they can understand. Speaking to them in that language of risk, rather than necessarily the tech side of things.
Dr. Christopher Pierson:
Absolutely. One of the things that we actually find there is … Let’s take for example, shredders. Showing someone that if they have a manual shredder as opposed to shred bins is like, “Look, you really do need those thin micro-cut shredders.” If you’re in the defense industrial base, the NSA-approved shredders — they really do make a difference. Show them. Bring a Ziploc bag of some document that was shredded on a crosscut versus a micro-cut shredder. Show it to them. Explain to them. And suggest that, “Hey, look. We can’t control you and what you do in your home, but for $99, for $200 — getting one of these shredders would substantially reduce the risk of the documents you bring home. Right? We don’t want you to throw them out. We’d love for you to bring them back, but if you can’t bring them back, shred them.” So, teaching someone how to improve their personal safety and their personal identity theft risks also translates into the corporate world, and vice versa.
There are several things that we can do there. At the end of the day, all of these executives are extremely busy. They want to maximize time that they have with their family, maximize free time that they have at home. And to the extent that we can simplify things for them, I think we’ll find that that benefits us a lot more.
You mentioned, at the home level, perhaps having a compromised router. How are organizations dealing with those sorts of things that are happening at that firmware level, but below, in the actual hardware? It strikes me that those sorts of things are hard to keep track of and hard to trace.
Dr. Christopher Pierson:
Yeah. I think we’re losing our audiences a lot here. When you talk about best-in-class protections, best-in-class controls, “We’d rather you not do this, we’d like you to take this behavior.” Those are all things that we want to instill in people and want them to be part of the solution and be an active participant in. When things like DNA-level attacks occur, where the end user can’t do anything about it, doesn’t know anything about it, doesn’t know how to solve it, and quite honestly, the tech community struggles at solving it, that’s where we really lose people. For example, processor chips with Spectre and Meltdown — what is someone supposed to do about that? In the Intel chip — an AMD chip — these chipsets are in everything. ARM chips, they’re in everything. No one’s going to go around their home and open up everything and confirm what type of chip they have, or go looking for it, or try to figure out how to go ahead and redo the firmware of those devices.
We’ve made it incredibly hard and difficult there for people to understand what they’re supposed to do about this massive, looming risk. It’s the same thing in terms of a router. Well, you don’t want me to just jack into the modem that the cable company brings over? You said go out and buy an Acme device, and I plugged it in and set it up, did all the password things, and set the SSID. I did all these things, and now you’re telling me that what I just did isn’t sufficient enough because there’s something that’s embedded within the device at a native level that I can’t change, can’t impact, and it could have compromised my entire home? I mean, what am I supposed to do? This is the frustration we see. And it’s quite honestly a frustration we have to solve. We have to come to the consumer population, to our executive population, with solutions to these attacks as opposed to, “Eh. We’re not really sure. Just unplug the router.” And lo and behold, we find that that’s not going to completely flush the vulnerability from the router.
To be clear, we need to find some way of communicating past these DNA-level, intrinsic, built-in vulnerabilities that are occurring.
How much of this do you suppose is a cultural thing, where … I always think of the example of medicine. For example, if I go get my flu shot every year, that’s a good best practice, but my doctor’s not going to say to me, “Hey, you’re absolutely guaranteed to not get the flu this year,” or, “You’re not going to catch a cold,” or anything like that. No matter what I do, I may be decreasing the odds of getting sick, but no one is realistically going to tell me, “You’re 100 percent safe.”
What I’m getting at is, how much of this is a culture of setting expectations realistically, rather than saying to that executive, “Hey, we’re good. There’s no way anybody’s going to get in here.” To say, “Well, these are the things we can do. This will reduce our risk this way. If we want to spend money here, we can, or if we want to save money here, we can.” Do you see where I’m getting at with this?
Dr. Christopher Pierson:
Absolutely. When you take a look at things, the amount of marketing dollars that we’ve spent on generating fear is crazy. You can’t keep on crying wolf every single time because people are going to tune it out. Take a look at data breach letters. Only a small percentage of the population, some five percent to eight percent — sometimes people go up as high as 10 percent and 13 percent — actually do all the things that are in those letters, yet, it’s blasted out every single night on the television. Data breach, data breach, follow-up letter, do this on your credit report, do that. Follow the link, don’t follow the link, don’t click on links. Well, now what are they supposed to do?
We’ve created this self-serving prophecy, where everyone is so attenuated to cyber risks that they’re fearful of doing anything. But also, in a certain regard, we’re not adequately telling them what really is of a high-level risk. It’s almost like what I call in the corporate world, the “helicopter risk.” At any point in time, yes, the helicopter could come crashing out of the sky, could fall on you, but when we take a look at things, we really explain it in a way that focuses on why this is important. What is really dangerous about it, and what is the reality of what’s actually going to happen, as opposed to totally theoretical things that are just not likely to happen? And focus users’ attention, consumers’ attention, on those things that actually matter. If we did that, I think we’d have a much more captive audience on those things that are truly, truly important.
Yeah, and that takes me to another area I want to explore with you. We get these big stories about big hacks and technical compromises and so on, but yet, we’re still seeing that the source of so many of these things is business email compromise and phishing.
Dr. Christopher Pierson:
Oh my gosh, yeah. I mean, you’re telling me. It is still … Every single report that comes out, 92 percent, 95 percent, 98 percent phishing, human intervention, someone clicking on a link, clicking on a download, or accepting an email that might have actually come from within the internal environment. There could be the compromise. But more often than not, it’s something that is just ghosted or masked. But yeah, we’re actually doing it to ourselves. No matter what, there’s no way to actually stop or prevent someone from clicking, so it does need to be some type of technological control and ramp up in controls there. We do need to substantially ramp up education. As a cybersecurity community, we need to have some better offerings here that don’t add a ton of friction. You have sandbox after sandbox after sandbox, and once you have one and two and three-second latency on things, right, users are just not going to use that technology.
And the same thing in terms of business email compromise. No matter what … I mean, we just had — I think it was just last week — 74 people indicted in business email compromise fraud. 42 of those folks from the United States. And IC3, which is an arm of the FBI, the Internet Crime Complaint Center, which tracks all of the self-reported claims, both from different law enforcement offices as well as from individuals — their numbers are definitely woefully underreported. But since they’ve been tracking, they’ve tracked about $3.7 billion in BEC fraud reported to them. Once again, woefully underreported, but it’s still happening. People are still voluntarily handing over money, voluntarily handing over the keys to the kingdom, and there really is no end in sight.
The bad guys have actually found some things that are really working, which is why they keep on doing it. And no matter what, whether they’re a 100-person company, 1,000-person company, or a 100,000-person company, there’s always one person that you can get to do something. Make them feel rushed, make them feel pressured, make them feel special that they’ve been chosen for the new secret program and to transfer the money now. So, we still see those things working within the environment. And quite honestly, until they stop working, we’re not going to see adversaries changing their attack vector and how they go about this.
Let’s bring it back home to threat intelligence and how that all ties this together. Where do we find ourselves today in terms of companies dialing it in and really prioritizing threat intelligence and making it useful?
Dr. Christopher Pierson:
Threat intelligence is not just about the tools, whether they be automated tools, manual tools, open source intelligence, or paid-for intelligence. There’s that aspect of things. Then there’s the aspect of having some way of dimensioning, analyzing, assessing those risks. How is this relevant to my sector, to my products and services, to my machines or my environment, and to our people who are actually here at the company, based off of not just who they are, but the culture around the company? So, there are always those elements to intelligence, but really making it a priority so that you could actually transfer this into being more strategic, I think, is really where we need to be heading.
Many companies don’t have a threat intelligence program whatsoever. For them, they should start out with that in terms of a part-time add-on, moving to a full-time FTE, and actually making it work within their security operations center, or DevSecOps centers, whatever they might have. Once again, that’s very manual and very tactical, based off of the sector product services, machines, the environment, all the rest. What applies to me? How does it apply? And how do I move about making some things automated and handling others in a more manual fashion? That’s great.
My bigger question is this. When we see the trends, and oftentimes it’s the third-party companies that analyze six months worth of data and then come out with a cybersecurity report saying, “Here are the last trends that we saw over the past six months or past year,” and they’re providing a strategic vision on where things need to move from a control perspective. I think it’s actually right about time that we shift. It’s gotten to be much more of a matured process here, but we shift the internal cybersecurity intelligence teams’ analysts into actually feeding out strategic information, strategic data back to the CIO, back to the CISO, and even to the CFO, as to what we’re seeing, why we’re seeing it, and how it impacts us.
Once again, not on a tactical level, but at a strategic level so that the company can actually say, “Huh. We’re seeing our sector threats increase here. Our control set there is a little less than in other areas. We need to make some funding changes, some funding differences. Maybe less controls in other areas, and ramp up controls in this area.” I would like to see the threat intelligence world and the analyst world plug more into the strategic direction of the company every three to six months in terms of controls, product services, and ways of actually tackling those items, and especially education, quite honestly.
Do you think we’re headed in that direction? Are people hearing that message?
Dr. Christopher Pierson:
I think there’s a disparity here. There’s definitely folks that are at larger companies that have entire service security intelligence teams, where they have lots of individuals that are actually tackling this and feeding up high-level recommendations into some type of risk management governing board — a CISO committee for more strategic-based items. But everyone can do this, and it’s actually at the smaller company level where they can benefit more from this.
What I mean by that is, if it’s in your sector, if it’s based on the threats you see, based off of those different risks you see coming through, whether it’s paid or free intel, it doesn’t matter. You’re able to make better purchasing decisions on controls, better purchasing decisions on people, and better education decisions. You’re going to greatly mitigate those risks that are coming into your company and that your company will be seeing in the future than if you just stay on the status quo. I think it’s going to save money long term for those smaller companies, but once again, it has to be assimilated into a strategic perspective.
That’s Dr. Christopher Pierson from Binary Sun Cyber Risk Advisors.
If you enjoyed this podcast, we hope you’ll take the time to rate it and leave a review on iTunes. It really does help people find the show.
Don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive the top results for trending technical indicators that are crossing the web. Cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.
We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast team includes Coordinating Producer Amanda McKeon, Executive Producer Greg Barrette. The show is produced by Pratt Street Media, with Editor John Petrik, Executive Producer Peter Kilpe, and I’m Dave Bittner.
Thanks for listening.