The Catalyst by Softchoice

The hack that changed everything

April 14, 2021 David Kennedy Season 2 Episode 3

The year 2020 was one of many turning points in the IT industry, so when it comes to cybersecurity, you’d hope there were some silver linings, right? Well, we might have some bad news. 

In the year since the global pandemic hit, hackers have gotten more sophisticated and dangerous. In this episode, David Kennedy, renowned cybersecurity leader and best-selling author, returns to the podcast to take a look at the major SolarWinds attack, the new obstacles for IT and best practices for securing your people, data and customer relationships. 

Featuring:   

David Kennedy, co-founder at Binary Defense and TrustedSec

Special appearances by:   

Rebecca Martinez, Senior Enterprise Account Leader, Softchoice  

Ryan Demelo, Solutions Marketing Manager, Cloud Portfolio at Softchoice  

Christopher Payne, Territory Sales Leader, Softchoice  

The Catalyst by Softchoice is the podcast shining a light on the human side of IT leaders and reframing our relationship with technology.   

Are you a leader in the IT space? Read more on Softchoice’s Innovation Executive Forum, an exclusive, members-only community of over 400 senior IT leaders across North America.  


Erika  

From Softchoice, this is The Catalyst, the podcast that is shining a light on the human side of IT and reframing our relationship to technology. I'm your host, Erika Van Noort. Working in the IT industry, you hear all the time about how humans are the weakest link when it comes to cybersecurity. So, I got to thinking just how good are my peers here at Softchoice at keeping up with their own cybersecurity hygiene? Okay, so now it's time for the quiz. All right, the security quiz. I'm looking for a show of hands here, folks. So how many of you are using a different password for every app and every service that you use? Okay, we've got two hands from one. Okay, so what about using MFA? So multi-factor authentication to access personal apps like your Gmail, Facebook, or your banking? Okay, we got three out of four on that one. Alright, that's looking better. One was, like, holding their hands above their eyes as if we couldn't quite make out who that was. [chuckling] We won't release any names at this point. What about setting up a non-default admin password on your Wi-Fi home router? Okay, embarrassed one is now, like, two hands, roaring-- like, I'm talking a Tom Brady touchdown kind of look here, going on. Okay, fantastic. Okay, that might sound bad, especially since we at Softchoice pride ourselves on being ahead of the curve. But trust me, we are far from unique. In fact, studies show 95% of cybersecurity breaches are due to human error. The truth is when it comes to IT and cybersecurity people really are the weakest link. So that leads to my next question: why can't we get our act together?

 

Rebecca  

It's funny, because when we were doing the-- when we were doing the quiz, I was thinking...I mean, there's a reason I had kind of shame face, I'll own that that was me. And a lot of it is because there's a strong understanding that my reasons are not good. [chuckles] Like, they're very part convenience based. Honestly, that is why, it's-- it is inconvenient to remember a different password for every application. It is, you know, inconvenient to go and have to download multi-factor authentication. It's a change, and sometimes change can be uncomfortable. So, but it-- I mean, I hate to say it, but I'm probably the voice of the norm in, you know, general at-home worker population, and that businesses will need to make it easier for the average man to adopt a stronger security posture. They need to understand how to bring this into their regular life without their business, their companies dictating for them what that needs to look like. 

 

Erika  

The year 2020 was one of many turning points in the IT industry with major moves to remote work, huge CX evolutions, and digital acceleration in the cloud. So, when it comes to security, you'd hope it wasn't all bad news-- that we made some amazing leaps and bounds, right? To figure that out, I'm happy to be joined once again by David Kennedy, the co-founder of two large scale cybersecurity firms, Binary Defense, and TrustedSec. David's mission to advance the cybersecurity industry on a global scale has scored him some unique credentials, including serving as technical consultant for the critically acclaimed TV show Mr. Robot, and being named one of the top IT security influencers in the world. He has served on the United States Marine Corps and saw two tours in Iraq, focusing on cyber warfare. He has also testified before Congress on issues of national security, and is a regular contributor on CNN, BBC, and other high profile media outlets. David, welcome to the show.

 

David  

Thanks so much for having me today. It's a true-- truly a pleasure.

 

Erika  

So, David, we've been looking at 2020 in this podcast as a turning point for IT leaders and businesses. So, I wanted to start by asking you with 2020 in the rearview mirror, did anything actually change for security? Or was it just more of the same?

 

David  

You know, what's interesting is that, you know, organizations have been trying to adopt a more work-from-home type of strategy for a number of years. And with the whole COVID pandemic, it really thrusted everybody to make that change, you know, right away and instantaneously, regardless if they were ready for it or not. What we saw is that, you know, technology progressed at such a rapid rate. So, we had organizations that were literally redesigning their architecture and infrastructure on the fly, because they had to make these changes because of the pandemic. And so, we did see a lot of drastic changes for organizations around the security front both for good and for worse, for better and for worse, that had a lot of impact, I think, on security in the future. Innovation-wise, we also saw ransomware groups and other adversaries and attacks become more sophisticated, as well. So, it's always a continual game of, you know, trying to protect against the hackers, as well as you know, what the adversaries and attackers are doing against their infrastructures, to try to stay ahead of that, as well.

 

Erika  

So as 2020 ended up being all about the remote worker, as you state, what is the level of risk and responsibility for end users now?

 

David  

What's really changed is that, you know, if you think about how we viewed our security programs prior to 2020 and the pandemic happening, you know, we would consider our networks to be like these castles, right, with heavily fortified walls, and archers, and moats, and knights, and things like that protecting our walls. Kind of that castle-like mentality. And what happened is, you know, we had to essentially remove those walls, open up the drawbridges, and allow all of our folks that are inside our castles out into the, you know, general city to conduct their operations and businesses. The landscape changed very drastically, very quickly. And we actually saw-- right when the pandemic was happening, we actually saw a drastic dip in attacks happening, because, you know, attackers had to figure out, well, if I compromise one person now how can I still get access to corporate resources and their infrastructure when they're working from home? So, it required attackers to have to think differently, and how they go after, and how they approach going after folks. But then we started to see a major, large increase, because now that you don't have the same exact security controls at home as you did while you're on premise, there's now an opportunity there for attackers because now you have home networks, which, you know, traditionally don't have intrusion prevention systems, or firewalls, or web application firewalls, or those types of things that we traditionally had in our on-premise side. So, you know, I think a lot more cloud adoption occurred, which, you know, made things-- made resources a lot easier for folks. At the same time, we kind of went back a step when it came to how we secure our devices, especially from a work-from-home perspective. So, all of those had some pretty big ramifications, I think, on our security levels, and we're still trying to adjust and accommodate that to try to have the same level of security both on-prem as we do off-premises, as well.

 

Erika  

So, when you think about 2020, it was also a year of bad news. And it was capped off with what looks like a historically bad hack with the SolarWinds breach that many of us read about. What did you feel when you heard about that, and what does it say about the current state of security?

 

David  

This is gonna sound bad when I say it but let me explain it here in a second. 

 

Erika  

Okay...

 

David  

When I first found out, you know, my initial reaction was, "Wow, this is amazing," right? And amazing from the perspective of the amount of sophistication and attack that went into this. You know, you think about nation states that have unlimited resources and capabilities and can direct 100 people, or 500 people, you know, to an organization. Those are, those are bad odds, unfortunately, that we have when it comes to, you know-- when we have maybe 5 people defending our infrastructure versus 100 that are attacking us. So, when it comes to nation states, it really highlighted the problem that we have from a national defense perspective, and our ability to respond, you know, in proportionate measures to countries that do this to us. You know, what happened with SolarWinds specifically is that, you know, beginning late in 2019, the Russians hacked into SolarWinds, and it looks like it was from a weak password. They apparently blamed it on an intern that set a weak password. I think it was "SolarWinds123", or something to that effect. And they were able to guess that and get access to SolarWinds' internal systems. And when an attacker that's sophisticated enough, they start to spread around the network to look for things that would be useful for them. Now, SolarWinds is obviously a large company, has hundreds of thousands of customers, federal, state, and local. And so, the Russians looked at how can we leverage this compromise from SolarWinds to maximize our benefits from an espionage perspective, or going after, you know, military intelligence facilities, or extract information? And they hacked into the components that control the source code of their product, which was called Orion, SolarWinds Orion. And SolarWinds Orion, you know, has hundreds of thousands of customers-- well, I'll rephrase that, they have 30,000 customers. Their overall organization has over hundreds of thousands of customers. 
And then they targeted basically around 1000 customers or so from what we can identify today. They hijacked the update mechanism that pushes updates out to customers. You know, think of this very similarly to what you have from an iOS update when you're updating your iPhone, or your Android, or you have a Windows Update. And around, you know, mid of last year, 2020, they pushed an update out, even though they had hacked them in 2019, pushed an actual malicious update out that established connections to these Russian-- what we call command and control infrastructures that allow them to hack further into a lot of these different companies. Mimecast was hit hard with source code stealing and source code disclosure. Microsoft was hit hard; they hacked into Microsoft and stole source code. They got into Cisco, Intel, you know, you name it. There's a lot of companies, a lot of medical research facilities from a COVID vaccination perspective. And what ended up turning this case around, which was really interesting, is that, you know, it wasn't a specific system that detected this. There wasn't an intrusion prevention system. It wasn't a piece of detection, monitoring detection that was in place, you know, to stop this. It was actually one employee over at FireEye, which is a third-party security company. They-- one of the adversaries in Russia tried resetting what's called multi-factor or two-factor authentication, which sent a notice to an individual user, and that user then reported it, which blew this whole case open. They're like, woah, so this person got hacked, how did they get hacked? And they traced it all the way back, you know, to this specific compromise, and ultimately originating from the SolarWinds server compromise. So, you know, this was a fascinating hack. It's one of the most brazen, large scale hacks that we've seen in a very, very long time. 
And it's one of those ones that really made history because you know, now we know these types of attacks are absolutely possible. And every person that is a managed service provider, you know, a software development company that provides technology for organizations, or a third-party trusted provider, you really all are on notice right now, from a security perspective, because you have unprecedented access to a lot of these different organizations. And believe me, these attackers are coming from here. We're seeing ransomware groups talk about how they can maximize on this now. This is going to be the new wave of the future that we're going to be experiencing both short-, mid- and long-term that we really don't have a lot of solutions for because our models are based off of trust.

 

Erika

Wow. It's just-- it's mind blowing, sometimes, when I think about just how far and how wide this is from, you know, how it prevails. So, I was reading something about, you know, industry leaders at a recent IDC conference said that coming out of last year IT decision makers would be holding their tech partners and suppliers to higher standards, across three main areas. Security, as you're sharing, privacy, diversity, and inclusion. And it sounds from what you've shared that the SolarWinds and the others that you've referenced here are really what's propelling a lot of that, you know, holding people to higher standards.

 

David  

That's right. When you look at how an organization, you know, tries to protect itself, you know, most organizations have what we call, you know, third party vendor management, right? And third-party vendor management includes risk as part of that. So usually, you know, a company that's looking at buying a product or, you know, purchasing a piece of web application software technology, or software as a service platform, you typically do a, you know, some sort of risk assessment against that company to determine what's the impact going to be, you know, if they were to become breached in some way, shape, or form? But what we realized very quickly with something like SolarWinds is that those types of assessments don't go far enough, because we don't typically look at how damaging a trusted third party's update mechanism could be. You look at something like SolarWinds, you know, Orion, you know, its recommended install is to have, you know, unprecedented access to your environment with domain administrative right-- level rights, you know, having access to your networking equipment. I mean, you talk about a system, or piece of software that you want to hack, I mean, this is it, this gives you keys to your entire kingdom. But we also have to think not just about the outside-in anymore. And that's primarily what organizations look at is, how is an attacker going to hack me from the outside? How are they going to hack me through phishing? How are they going to hack me through my web applications? How are they going to hack me from, you know, my software as a service platform? But they don't think about how I can be hacked from the inside. But one of the key things that seems like a very basic security principle is not allowing your servers to communicate with the Internet in the first place. You know, having your servers, having direct access to communicate to systems that it never has before is a pretty direct threat towards your organization. 
And, you know, big corporations like Microsoft, as mentioned before, VMware, Cisco, et cetera, all allowed their servers to communicate directly out with the Internet, which ultimately allowed for what we call a command and control to be established with the Russian adversaries. And then from there, the Russians were able to further hack into their organization. So, by taking simple measures, by just disallowing your servers from having regular Internet connections to non-known, you know, addresses would have substantially reduced the risk that you have from this. So, it's a combination of looking at your vendors, ensuring that they're doing a much better job at security, and being much more rigorous, especially for high-risk vendors that have a large amount of access to your infrastructure or environment, as well as the security controls you can put in place to try to minimize these types of attacks from happening. And believe me, these two things, these two concepts, are two of the key things that we really need to focus on right now. Because these types of attacks are not going to be going away anytime soon. And they're only gonna get more damaging.

 

Erika  

My heart's racing, David, as you share all of these things, because I'm thinking, you know, our listeners out there, they're sort of going, "Okay, check, check. Oh, haven't done that. What do I do here?" So, some pretty interesting things. 

 

[music plays] 

 

Erika  

Clearly, the level of sophistication of modern hacks is off the charts. I think we thought of hackers being the non-threatening, bored person in their mom's basement for so long that maybe we just let our guards down. Off the top of the show, you heard a number of my colleagues addressing their cybersecurity hygiene, and it wasn't pretty. So how much do regular people really know about how security hacks are affecting our world today?

 

Christopher  

You know, I start to think about next order implications. And I think about a world of automation, and 5G, and IoT, and this becomes insanely frightening. I mean, you know, we're just kind of coming off of a natural disaster in Texas, where cities were without power. And that was just for a natural disaster, and that took days. I mean, really imagine a world where a cyber-attack on a utility company would take out power in a city, or cities, or hijacking an airplane is a cyber-attack. So, I think that these are the birth pains of what we are going to see start to impact nations and cities and countries across the world. And I think that we have to become cognizant as a community of individuals, in tandem with government agencies, as well as companies and entities.

 

Erika  

It's a great point, Chris. I think you're teeing us up for season three of our podcast series, when we get into dark scenarios. 

 

[laughing]

 

Christopher  

Dystopian societies, right?

 

Erika  

That's it, how bad can it really get? That's it. 

 

[music plays]

 

Erika  

Now, you've written extensively about social engineering and popularized the phrase long before it was even in our lexicon. What role do you see people, end users, consumers playing in keeping us secure in a post-pandemic era?

      

Christopher  

You know, think about the SolarWinds breach as an example. One employee was literally the entire downfall of this entire campaign from Russia. Education and awareness is such a foundational piece to any organization. And time and time again, we see a lot of these attacks thwarted. When you look at an organization that has a successful security program it's because they have a solid education awareness program that continuously teaches the risks around leveraging the Internet and technology, and the risk that technology introduces to that environment in a corporation. You know, for me, one of the most fundamental pieces to a security program is the education awareness pieces, because social engineering and phishing is so prominent within these organizations. And the reason why it's so big, and I don't think a lot of people really recognize it, is let's just say you have 1000 employees. You have 1000 employees, and that's on the you know, smaller side, right? You have companies that have hundreds of thousands of employees. You know, that's 1000 different vulnerabilities that you have in your organization, because, you know, me as an attacker, I can go after one employee and if I fail, I move on to the next one. I move on to the next one, I move on to the next one, I move on to the next one, until I get somebody that is willing to do what I need them to do. And having a good education awareness program to ensure that users feel comfortable being able to report unusual activity, even if it's legitimate, being able to report that in an easy fashion, it actually being investigated and analyzed, and then blocked as appropriate. Those are the types of things that really make or break these types of breaches that we see in the future. 
And there was a CSO online article that interviewed a number of different companies that went to a work-from-home perspective, and not one of them out of all the companies that interviewed did any type of additional education awareness around security when it came to work from home. So, you know, we have to continuously work on teaching our users what's expected behavior for them. Testing, you know, going through simulations to see whether or not people will fall for it so they can correct behavior. You know, unfortunately, that's the world we live in today. And again, time and time again, when we see these types of attacks prevented it's usually not from, you know, whatever it ends up being. It's through the user population, that really makes a huge impact and difference on that.

 

Erika  

So, what's that secret sauce? Like, how do you drive home the education? Because, you know, there's courses, there's all of these sorts of things. But, you know, we know people aren't educated at the level they should be. But what's something, or what's a tip that you have for you know, our leader-- our leaders and our listeners on this podcast for how to actually drive and make that education more successful?

 

David  

Think of it this way-- how would you want to learn as an individual, right? Do you want to learn from, like, a boring point-and-click, you know, a presentation slide? The answer to that is typically no. I mean, when I was the Chief Security Officer for Diebold for a number of years, what resonated for us was a few different things. Whenever we would get phishing campaigns that were targeted towards our users, we'd actually share those with the entire company saying, "This was an actual attack. This is what it was doing, here's what to look for." And people loved that. We also would do once a month-- we'd have quarterly newsletters. And in those newsletters, there'd be, like, puzzles that were security themed, or crossword puzzles, or things to that effect. And people that-- the first 10 people or 50 people that would complete it, you know, would get, you know, like $50 bucks Amazon gift cards. So, trying to keep people engaged with fun things that they can be rewarded for. One thing that we also did as well is that we did continual testing, where we would phish our user population. And we would let people know that we're doing it at first, especially, you know, in the early stages, because we don't want people to think that, you know, we're doing this negatively to hurt them, right? We're not trying to find who's a bad employee or not. We're trying to keep you aware of what real phishing campaigns look like, and what you fell for. And then from there, we start to go more blind testing. You know, it's a combination of continual reinforcement, showing what's really out there, and education. Everybody wants to do the right thing, typically, when it comes to their work in their office. It's just how do you relate to them so that they can change those patterns of behavior? And that really comes through continual reinforcement and going through testing to actually go and do it. 
And you also want to have things in place, too, that, you know, if a user does fall for it, having the ability to detect when a user falls short, as well. So, you know, monitoring detection becomes really important so that if your education awareness controls fail, you have the ability to detect, and respond, and to move much more effectively to reduce the damage that a company has to an organization. So, you look at that, and you say, "Okay, well, if an attacker has access to my environment for five minutes, it's probably not a big deal. But if they have access to my environment for six months, well, that's a major problem, they probably have access to all of my data." So how do we, you know, couple education awareness training with monitoring detection so that we can remove or reduce the dwell time and the overall amount of damage that an attacker can have in our environment? So, they both go hand in hand.

 

Erika  

So, when we talked-- you've talked a lot about, you know, where IT leaders should be focusing their energy from some of the examples that you've given. So, are there things that we should be doing differently in 2021, that we may not have done in 2020? You mentioned about, like, the security and following at home as we sent people home to work, is there anything else and have any of the solutions changed to support that?

 

David  

There's a few things that we need to take a look at, right? We need to look at zero trust mentality. And when I say, by zero trust mentality, it's not a zero trust piece of technology. Zero trust at its core principle is reducing your attack surface. And what I mean by reducing your attack surface is minimizing what a user has access to. You know, when we designed our architecture and infrastructures, you know, 20 years ago, 30 years ago, it was with the mindset of keeping information open so that we can conduct business on a regular basis. With cloud service providers, with our ability to, you know, be able to kind of carve out our on-premise solutions there's things like OKTA StoreFront, or Citrix, you know. There are ways for us to kind of contain our users in this small box to be able to still do their work, but minimize, you know, exposing everything in our organization. So, I think, you know, having that mindset of coming up with an architecture that continuously reduces the footprint that you give to your users, as well as what you expose on the outside, that's ultimately a winning practice, because there's not as much attack surface for hackers to go after. And even if a user, let's just say, gets compromised, they may only-- you know, the attacker would only have access to the type of access-- to the type of data and resources that you see today. You know, a big concern for folks right now is ransomware. And rightfully so, right? Because ransomware, you know, what attackers do is they typically, you know, hack into one system, and then they try to entrench themselves into all the other systems. And you're now working on multiple users, your server infrastructure, your backup infrastructure, and then they hit you all at once. You know, we saw in 2020 Universal Health Systems was shut down. They couldn't even take patients in their emergency rooms because ransomware completely encrypted their entire environment. 
So, you know, ransomware right now is an alarming threat because, you know, we see these ransomware groups developing in sophistication. So, any way that we can slow that progress down, require them to go more active as far as how they attack systems, they become more noisy, allows us to respond much more effectively to these. So, it's a combination of architecture, and it's a mindset. And it's also the ability to understand that we are going to have exposures, right? We are going to have vulnerabilities in our environment that we missed, that we didn't know that system was there. It's legacy, we never thought it would get hit in the first place. And we have to look at that and say, "That's not the ultimate thing that we're going to stop against." We know that our program is going to have holes in it. We know that we're going to have vulnerabilities. We have to think conceptually just past the initial exploitation phase and all the other phases that attackers do. So, you know, ransomware, great example, or even nation states, great example. Hack one person and try to do privilege escalation and try to go from privilege escalation to information gathering. Try to go from information gathering to post-exploitation scenarios around lateral movement. To move from one system to the next system, the next system until they get access to objectives. All of those things are key phases in an attack that are abnormal behavior in our environment that we should be looking at across our entire organization, and really focusing our efforts on so that we can again reduce the amount of time that an attacker has. If I can stop them when one system is compromised, that's not the downfall of entire organization. When they have access to 100 systems, or 500 systems, or 10,000 systems, that's when we have a really big problem. And I think the shift in 2021 and beyond is really going to be around vendor risk management, around the stuff that we saw from SolarWinds. 
It's going to be around, you know, how do we shore up our architecture to ensure that we can withstand those types of attacks, and others? And third, how do we have the visibility into our environment that if we experience a breach like we have, that we can respond effectively to it, knowing that we're going to have vulnerabilities. And those key three things there, I think, are some of the main areas for an organization to think about. Now again, there, there are basics here that we need to be focusing on, too. Like, multi-factor authentication is an absolute must today. And you really need to be moving off of SMS as a form of authentication. You need to be moving more towards the authenticator apps, or YubiKeys, or things of that effect as a method for verification. SMS has a number of problems in it that I don't recommend it anymore. But, you know, there are a number of basics that we should still have in place. But those three key concepts are what I think is going to drive the industry forward for the next several years.

 

Erika  

I do just want to ask you, you know, sort of you know, yourself, when you look to the future, we spent a lot of time looking at the past. You know, what's one change you really want to see in the industry over the next year?

 

David  

It's a tough question because there's so many priorities. You know, I think the problem that we have today is that we rely too heavily on technology to secure our organizations. And a lot of times the technology is what lets us down. Or, you know, going into 2021, our focus really should be on education, awareness of our users. It should be going back to the basics. So, focusing on things like architecture, vulnerability management, patch management. And I'm not saying the basics are easy, by the way, the basics are hard. If the basics were easy, everybody would be doing them. But I think relying less on kind of the buzzwords in the industry around machine learning and artificial intelligence. There's still not fully vetted or applied principles around machine learning, artificial intelligence that we can directly say have a direct correlation to reduction in exposures or vulnerabilities in our environment. You know, focusing on the tough stuff is what we do-- we need to do. There's no shortcuts in information security, it requires understanding the business, it understands where your data is at, and it requires a lot of investment and changing patterns of behavior of people to actually go and address. So, my biggest thing, and my biggest hope for 2021 is that we focus back on the basics. And we start to really shore up a lot of the historical legacy debt that we have in our infrastructure to really make it much harder for attackers to gain access.

 

Erika  

I always remember somebody years ago telling me at a dinner with other IT leaders, and they talked about you know, their biggest-- their weakest link was the carbon that sat between the keyboard and the chair. [David laughs] And said, you know, that education piece is probably one of the biggest hurdles. That sounds easy enough to do, because you do have control, and you do have influence, and you do have the tools available. But it does require both the organization and the user to take equal investment in that. So...

 

David  

Most recently, there was a hack that hit a water treatment facility, I believe it was in Florida. And we don't know who did it but hacked in this water treatment facility actually changed the chemical compounds to be poisonous for the water supply to the actual town, which could have impacted thousands of people. Luckily, they caught it from secondary systems as it was about to leave the water treatment facility. But literally, a poison hack against-- through the Internet. These are all things that are possible now. And so, one of the biggest things that keeps me up at night is how big these types of attacks can actually be. And every country in the world is always toying with that type of response. Cyber warfare is a direct way to inflict damage back at home in every capacity. China does it, Russia does it, the United States does it, the UK does it, Israel does it, North Korea does it, Iran, everybody does it. And they're continuously hacking our energy sector, our financial sector, our SCADA infrastructure, our protected infrastructure around the grid, around how we do water treatment. You know, it only takes an escalation of a certain caliber tune when they start to inflict damage here at home. And our next war isn't going to directly be with bombs, and missiles, and boots on ground, it's going to be here back at home, as well, and we're going to feel the pain equally. And that's the terrifying part. And that's the part that I really have a tough time with. Because we are grossly unprepared to handle those types of caliber of attacks against our infrastructure. And nobody unfortunately, from a legislation perspective is talking about what we need to do from a defense standpoint. That's the only way that it's going to be fixed is that if we have proportional responses that we launch directly because of cyber-attacks, both on private and public sector, we're not going to see a decrease in this. So, it's definitely a major problem that keeps me up at night.

 

Erika  

See, and I thought my heart was racing before, and now...okay. 

 

[laughing] 

 

This has been great. I want to thank you so much for joining me here today. It's been a great conversation. And as always, I come away learning that much more from you. So, thank you.

 

David  

Oh, thanks so much for having me, such a pleasure. And there's been so many things that have happened in 2019, and 2020, and 2021 that we can talk about. Good news is that I think a lot of these high-profile attacks are really bringing a lot of visibility to what we need to accomplish. And I think we are moving in the right direction in positivity. I'm a glass is-- I'm a glass is half full, not empty type of person. So, I really do think that we're progressing forward very quickly in the cybersecurity front. And it's really encouraging to see a lot of these companies take hold of it.

 

Erika  

And you're sort of, you know, even characterizing the "never waste a crisis," right? So--

 

[laughter] 

 

From a learning perspective. 

 

[music plays]

 

Christopher  

There are demons in density. When you think about working from home, you think the most dense population is in your house. So that means that everybody's working over a Wi-Fi connection, an unprotected network, an unprotected device, and with the demons in the density, that's an Internet villain's dream. So, I think that we need to understand that we are prey to the predators. And then we need to say these are the things that we can do to put ourselves in a good position, because it's not just a workplace type of threat. Once these individuals start to compromise devices, you probably have done some personal things on your devices. So, you're compromised as an individual from a professional and a personal standpoint.

 

Erika  

I think that's code for Chris is going to update all his passwords when we get off this podcast today. 

 

[laughing]

 

Christopher  

You see right through me. 

 

[laughing]

 

Erika  

Here's the thing about us humans-- we're exactly that. Living, breathing, mistake-making, naive yet well-intentioned humans. But this isn't anything to dwell on. Like David said, exposures and mistakes are inevitable when you have people behind the wheel and the keyboard. And before I sound too much like an alien overlord, puny humans, don't worry. Though people are and likely always will be a major factor in security failures, the solution to successful cybersecurity for organizations isn't automation--it's education. The late great Nelson Mandela once said, "Education is the most powerful weapon which you can use to change the world." So now it's up to you. It's time to work with your people to find the best way to drive education in a way that's engaging and adopted. Class is in session. 

 

[bell rings] 

 

[music plays]

 

Erika  

Thanks for listening. If this conversation freaked you out a little-- I mean, it certainly did for me-- please share this episode with a friend or colleague. Coming up in two weeks, my conversation with Microsoft's Ricardo Wagner. We take a hard look at why building accessibility in the organization is more important than ever and connected to your bottom line. Not only is it the right thing to do, but stats show it's also great for business. I'm Erika Van Noort, and this is The Catalyst.

 

[music plays]