Episode 55: Let’s Talk Security With Richard Maloley

Kiran Very cool. So today Richard and I are going to talk about all things security. Richard has 10 years of experience at OST as a Security Consultant, and I invited him onto the show to discuss three main topics: what’s new and noteworthy in the security space, cloud security and a few of OST’s key differentiators in this realm. So Richard, I wanted to ask you a little bit about some of the most common threats that are likely being faced by the businesses that we serve. Can you walk through what a few of those are? 

Richard: How much time do we have? I could probably talk all day on this. So first and foremost, the most common that we’re still seeing is something called business email compromise. That’s where you get that mysterious text from Meredith asking for you to get her a gift card or, simply put, malicious actors will just spray using some passwords and try to log in as you over and over again until they get in. That’s when they start to send out more phishing requests from there, right?

So that’s number one. Number two is simple misconfiguration or unpatched vulnerabilities. This is still a thing. So this is where I live, right? I’m scanning for vulnerabilities all day, every day at organizations. But not every organization does this and simply put to become a target, it’s not the value of your data. It’s how easy it is to get in at the end of the day. Malicious actors, they just want a nice, easy pay day, right? One of the newest ones I’m seeing though, is what we call multifactor fatigue. Malicious actor tries to log in, you get the allow or deny prompt on your authenticator, and you hit allow, even though you’re not the one that logged in, right? So we see this a lot. In fact, one firm found that 90% of the time they just get in. Because the user will just hit allow no matter what, which is crazy. But the most sinister one that we saw, supply chain attacks where a malicious actor inserts themselves into patches, for example, for common software and you don’t even know about it because you’re not the one packaging it and writing it. That’s when it keeps me up at night. 

Kiran: Yeah, and like you said, it almost only takes one successful attempt to be victorious, if I can use that word. Tell me a little bit about that. The fact that businesses have to prepare for any possible attack, but a malicious actor, again, only needs to be successful one time and still get what they’re after. How do you handle that contrast? 

Richard: We have to win every time. They only have to win once and they have bigger budgets than us at the end of the day. So part of that is reframing how we react to these breaches. Ransoms, we don’t recommend paying them, for example, because you’re just giving them what they want.

You’re just reinforcing the bad behaviors, just like training an animal, right? You don’t reinforce bad behavior, you don’t reward that. But also, it comes down to education. We just need to keep getting organizations educated. The workforce educated about what to do, what not to do, and how to respond to these appropriately.

And then part of that is also making sure that we have vendors and software in place to protect us. My end user clicking a malicious link should not result in my entire organization being breached. It should be mitigated right there. 

Kiran: So, can you tell me a little bit about best practices and some of the ideal tactics to try to wean off attacks in this area?

Richard: Absolutely. Education, first and foremost. Knowledge is power. Tell people, tell organizations what’s out there. Tell them the truth and give them ideas. It’s how to protect themselves. Just like this podcast is doing today. Multifactor authentication. You need it. You need to have an entire organization-wide strategy for it. Ideally, you pick two types: one physical, one on your phone. At the end of the day, that’s what it comes down to is making sure you’re doing the appropriate practices to protect yourself. Vulnerability scans, this is really not a very expensive thing to do. Organizations can do it themselves, but I highly recommend hiring a firm to do it that has expertise in that. But you need to look at both the inside and the outside. Ideally, if you can afford it, get a real pen test firm in place where they spend 2, 3, 4 weeks of recon, of trying to break in physically, of looking at every aspect, of your organization for vulnerabilities, especially the ones that you just don’t know about because of your technical debts. If you’ve got 10, 20, 30 years of technical debt, you know, that’s what brought down Equifax, originally. Beyond that, if you’re a really really mature organization, solve for billable materials, knowing what you’re using at all times. Which vendors went into it? Who packaged it? Who makes it? What it depends on? Besides that, the last two that I’d say, have a baseline of your organization in terms of your network, your applications, your users, what is normal for you? You can’t find the abnormal without knowing you’re normal. Then finally, the number one thing, get rid of local administrative rights. Get rid of administrative rights. The less people that have roots and god power in your organization, the better, the more protected you will be.

Kiran: That’s really really interesting. I’m sure that a lot of our clients listening are thinking about how this might impact cloud security with movement in that space. So can you talk a little bit about what is taking place in regards to cloud security?

Richard: Define cloud. At the end of the day, cloud is just someone else’s computer and storage and services that you lease time and energy on, right? When I talk about cloud security, again, it goes down to misconfigurations and why are you doing cloud for that? So I always like to have my clients ask just a few questions, things like, where’s my data stored? Because data storage could violate, say, the law or other compliance issues. If you wanna leave that cloud, can you take your data with you? Is that going to be a problem? Is it encrypted at rest and in transit? Is my data gonna be protected no matter what? Can the employees of that cloud service provider access my data without my consent or even with my consent? This is something I want, right? Multifactor. If that cloud does not support multifactor authentication, I say no. Take a timeout. That’s not the solution you want. And then finally, I kinda hate to say it sometimes, but you have to kinda ask the question, why cloud? Does it have to be in the cloud? Not everything has to go to the cloud, but of course it makes sense for a lot of things, say email. Take Microsoft Exchange. Guess what? Microsoft does that a lot better than we do. And I’m still getting customers that get hacked through Exchange these days.

Kiran: Sure. And I’m sure in your work, you’re seeing organizations in different maturity levels attempt to prepare themselves for threats. So are there any tips that you have for businesses? I know we talked a little bit about best practices, but any tips as organizations look to build and grow of things that they should be looking for as they work to secure themselves? Maybe even things that employees should be doing on their own individual front. Just to help ensure organizations are safe. 

Richard: I think the first thing for any organization is to just, again, goes back to education. Educate users as to why they need to care about security, first and foremost, right? You don’t wanna just go into a job and work your job. You want to know why you’re doing it and why you should care? Why should you care about having a good password or passphrase? Why do I need to have this multifactor authentication? Why should I be using this in both my personal life and for my official company life? It just comes down to explain the basics, understanding those basics and reinforcing them.

Kiran: That’s really good advice there. Are there things that you yourself do, Richard? I know there’s a lot of different methods that you can take, but are there tactics you employ yourself in this space that you think someone listening could potentially benefit from? 

Richard: Yeah, absolutely. So even here on my own work laptop, for example, I took myself out of the local administrator group. I can’t actually affect system-wide changes there. What else do I do? I use a password manager because they work. I remember 1Password. And it remembers the rest of them. I have multifactor on all my stuff, all my social media, my Gmail, Facebook, Twitter, Instagram if I had one. I also use a hardware-based multifactor authentication key called a YubiKey. It’s cheap, it’s effective. You can’t steal it. You can’t just hack into that, right? Unless you physically take it from me, in which case you still need to have my password. 

Kiran: That is great advice. That is very helpful. So let’s talk a little bit about OST. What are some of our key differentiators in this space?

Richard: I will tell you three. First and foremost, my team, we do over a hundred of these assessments a year. You name it, we’ve seen it. Everything from small mom-and-pop businesses to large healthcare and hospitals. It’s what we do. Number two, we understand how to do incident response. That is, you think something’s going on or you know something’s going on. We can help you contain, mitigate, remediate, and most importantly, at the very end, report what happened, why did it happen? If possible, what evidence do we have? Because that’s all important. On top of that, here at OST, I think we have the best cloud team and experts in place, especially after our acquisition of Stratum. I know enough about cloud to be dangerous. They’re the ones that I go to make sure I do it right. 

Kiran: Excellent. If someone has additional questions, what would be their best route as far as getting started in this space?

Richard: To get started in the IT information security space? 

Kiran: Yes. 

Richard: Oh my goodness. Honestly, the first way to get into this space is to just ask who already is in the space. Find a community on Twitter, Discord, Slack. Go to a hacker convention. They’re happening all the time. Again, even Grand Rapids has one every year now. Every major city has one. But just get in there, ask questions and listen. I get my best news and updates just in time before you see it on the Today Show kind of news from Twitter because I follow so many InfoSec professionals on Twitter.

Kiran: That’s really good to know too. And you’re probably keeping your finger on that pulse so you’re ready to respond as soon as you can. 

Richard: It’s funny, a lot of these things break on a Friday evening at eight o’clock. And you always have to make that choice as to, oh man, do I really want to get onto the work laptop and do the next hour or two for research and posting and have something ready to go for Saturday or Monday at work? But yeah, that’s exactly how it goes. 

Kiran: Excellent. In closing, Richard, any final thoughts, can you just reiterate the importance of being prepared as an organization against malicious actors and for having a security structure in place? 

Richard: Invest now or pay more later. And that’s the basic mantra. Most organizations will end up being breached in one form or another. Now that breach may be simple it may be, yeah, somebody gets my email password and they were able to then send out other phishing emails. That’s not really a bad breach. It’s still a breach, but not terrible.

Or you could have a nation-state threat actor in your system for six months. At the end of the day, it really doesn’t matter what the breach is, you still need to know how to respond to it appropriately. So an organization needs to invest in their people, get rid of insider threats that way by investing. They need to have proper systems in place. They need to know what they have in place so they can respond and protect it. And really they need to have a plan. That’s where the incident response plan comes in. So, every organization, if you are a leader in your organization and you don’t know anything about your IR plan, you need to call OST today.

Kiran: Excellent. I wanted to touch back just quickly on the security assessments that you and your team are conducting. Are there quick questions that an organization listening short of taking part in the whole assessment might ask themselves to determine their potential exposure to a threat? Anything that might be a red flag they could see right away that you’re able to speak to? 

Richard: Do you know all of your assets? If you don’t, do a security assessment. Have you ever seen a breakdown of how many vulnerabilities you have? If not, you need a security assessment. Do you know what your basic IT security policies are? If you don’t know, you need an assessment. Do you know how many administrators you have in your environment, both locally, within, say active directory or within usher? If you don’t, you need an assessment. Those are basic questions that should be answered. 

Kiran: Great questions there for listeners to keep in mind. And again, just summarizing some of the themes. It seems like education is critical. Educating employees, educating really all who come through the organization. So that’s certainly key. Anything else you wish to add, Richard, on this subject? 

Richard: If I won a million dollars tomorrow, I would still come to work the next day because I love what I do. I believe that if we all work together, if we all take security seriously, if we all just do a little bit extra in terms of effort, we can have a much better world. If we can remove the perverse reasons for criminals to do what they do, then we’ll have a better world. And if we all stop paying ransoms, we’ll have actual money for defense and not give the offense more ammunition. 

Kiran: Excellent. Thank you, Richard, for being on our show today. 

Richard: My pleasure. That was fun. 

Kiran: OST, changing how the world connects together. For more information, go to ostusa.com