Reimagining Cyber - real world perspectives on cybersecurity

Cybersecurity Review of the Year 2024 - Ep 130

Reimagining Cyber Season 1 Episode 130


Join Rob Aragao in this unique edition of Reimagining Cyber, as he takes you on a retrospective journey through the most impactful podcast moments of 2024. This episode features highlights from discussions on major topics, including the EU's Digital Operational Resilience Act with Dominic Brown, election defenses with Dr. Ben Adida, MasterCard's cyber defense efforts with John Brickey, global cybercrime insights with Craig Jones, NASA's cybersecurity approaches with Tiffany Snyder, and the advancements and challenges of AI in cybersecurity with Ashley Jess. Don't miss this comprehensive review and stay tuned for more exciting content in 2025!

00:00 Welcome to Reimagining Cyber
00:46 Inside DORA: EU's Cyber Resilience Path
04:12 Securing the Vote: Election Defenses
07:27 MasterCard's Cyber Defense Collaboration
09:52 Global Cybercrime Insights with Interpol
14:02 NASA's Cybersecurity in Orbit
17:38 AI and Deepfakes: New Cybersecurity Challenges
20:38 Conclusion and Future Episodes

As featured on Million Podcasts'
Best 100 Cybersecurity Podcasts
Top 50 Chief Information Security Officer CISO Podcasts
Top 70 Security Hacking Podcasts

This list is the most comprehensive ranking of Cyber Security Podcasts online and we are honoured to feature amongst the best!

Follow or subscribe to the show on your preferred podcast platform.
Share the show with others in the cybersecurity world.
Get in touch via reimaginingcyber@gmail.com

[00:00:00] Rob Aragao: Hello,

[00:00:04] I'm Rob Aragao and welcome to a unique edition of Reimagining Cyber. That's because this week's episode is not a podcast. It's a time machine. So why am I making such a bold claim? Well, I'm fairly sure that you will be listening to this in 2025. But where I am right now is what you would refer to as last year.

[00:00:25] And what I need you to do is take my hand and join me back in 2024. So let's go.

[00:00:35] We are now in the right place to start the Reimagining Cyber year in review. You're going to hear some of the podcast moments that made a big impact on me and you, the listener, over the past 12 months. Let's kick off with what was actually our most downloaded episode of the year. It was called Inside Dora, EU's Cyber Resilience Path.

[00:00:56] As I'm sure you are aware, DORA is the EU's Digital Operational Resiliency Act, and it addresses cyber threats to EU financial systems. The episode featured Dominic Brown. And he's the CEO of Gravelite Consulting, an authority on FinTech. Dominic compared DORA to U. S. regulations and also had advice for organizations trying to get everything in line before the January 2025 deadline.

[00:01:23] Dominic Brown: There's a, there's a third party risk element to DORA that we haven't talked about yet. What firms are going to need to do, we talked a little bit about it, but firms are going to need to oversee the risk with their cloud services providers. And they're also going to need to stipulate in the contracts SLAs around cybersecurity, contractual arrangements around cybersecurity that the regulators are going to stipulate, and they won't be able to partner with companies that don't meet these standards and adhere to these rules.

[00:02:01] So I think that is going to influence enterprise architectures. I think the responsibility is going to be on both the cloud service provider, and I mean, it calls it right out in the regulation that the financial services firm is responsible for the risk management at the third party, say, Amazon, for instance, right?

[00:02:24] And this is going to be complicated because Amazon is not going to let you do a security audit of their infrastructure, right? A smaller vendor might, right? But I do think it's going to result in less complicated architectures because I think the more third party applications that you're using, the more difficult

[00:02:47] it's going to be to manage the cyber security risk as well as just the complexity in the contracts, right? I mean, if you think about it, the, you know, the fewer security models, sets of audit trails, access controls you've got to deal with, the better off you're going to be, right? And I think for some business processes like M&A, investment banking, private equity, investment management software, things like that,

[00:03:20] I think vendors that can provide the entire stack, uh, are gonna be at an advantage because it's just going to simplify it on these lines of businesses, you know, they, they are not in the weeds when it comes to IT, right? So they're not, they're not looking necessarily at the Amazons of the world. They're looking for someone to solve a problem for a specific business process.

[00:03:45] So I think if you're a reasonably stable vendor that can provide the whole stack, I think, I think you'll be at an advantage. I think it's really going to be bad for partnerships where there's a fourth party solution that you can deal with. Right. I think, I think it's, it's going to tighten that all, that all up.

[00:04:05] Rob Aragao: Dominic Brown there on episode 84 called Inside Dora, EU's Cyber Resilience Path. Our next highlight focuses on voting. 2024 was a remarkable year for elections as voters in over 60 countries went to the polls. In episode 93 called Secure the Vote, Inside Election Defenses, we heard from Dr. Ben Adida, the co-founder and executive director of VotingWorks.

[00:04:32] Dr. Adida is renowned for his expertise in safeguarding our voting process.

[00:04:37] Dr Ben Adida: I'm not running around with my hair on fire worried about if Russia is going to hack voting equipment in the next couple of years. I don't think that is their most effective way to mess with our democracy. I think that this disinformation route, the confusion route, has been much more effective, but where it touches on voting systems, where I think it's really interesting, is when that disinformation causes confusion

[00:05:04] in the public's mind as to how voting works, and that confusion can lead to lower trust. And I was talking just earlier about the perception of trust. It can hit that. So my sense is nation states today, their biggest bang for the buck is going to be to attack the perception of voting system security much more than the reality of voting system security.

[00:05:25] And partly because attacking the reality of voting system security is hard. We don't have the same voting system for everybody in the U.S. So it's a pretty, it's not a monoculture of voting systems that we have, right? So you'd have, and then with paper ballots, you'd have to do a lot of retail attacks locally at precincts and whatnot.

[00:05:43] So it's not impossible, but it's harder. So the easier route for these attacks is on the perception of it. There's also some concerns that there may be real attacks, not just the disinformation attacks, on voter registration systems. Uh, that's one of the concerns that's been raised recently. And then that would probably look mostly like a denial of service attack, right?

[00:06:05] Where you're removing people from the polls or whatnot, if it were to happen. We know that in, uh, 2016 and 2020, there were attempts to attack voter registration systems. We don't know what, we're pretty certain that they didn't go too far, but there were certainly attempts to do that. Uh, so when I think about the concerns about nation state attackers, in the short term, I think about disinformation and attacks on the perception

[00:06:30] of how voting systems are secure. I think a little bit about attacks on voter registration systems. That's what I think about in the short term. I'm not deathly worried, but I do think we're reaching a point where, because we're talking about voting systems all the time, just as you mentioned at the, at the beginning of this, you have to keep in mind, we were not talking about voting systems 15, 16 years ago.

[00:06:54] And so what you had at the time is you had mostly election technology that was very niche, a very small group of people working on it, dedicated people working on it. The need for public transparency was basically zero because the public wasn't interested, right? It was, there was, there wasn't a lot of public scrutiny.

[00:07:11] We're in a completely different world in 2024. 

[00:07:15] Rob Aragao: That was Dr. Ben Adida, the co-founder and executive director of VotingWorks, and you can hear the full conversation in episode 93 called Secure the Vote, Inside Election Defenses. Another episode of the show that really stuck out for me was number 109, and it featured John Brickey, senior vice president at MasterCard.

[00:07:36] I'm a keen proponent of collaboration, and MasterCard have done a great job in the cyber defense collaboration efforts with other sectors within critical infrastructure. Here's John.

[00:07:46] John Brickey: Yeah. So, I mean, we, we have so many different partnerships. Ours fall into three main buckets. So one is what we call collective defense across our ecosystem.

[00:07:55] And a lot of that is working with public and private sectors. So there's a number of those that I can mention. The second one is when we promote consistent approaches globally, again, global organizations, nonprofits, as well as other companies. And then the last one is building a cyber workforce fit for tomorrow.

[00:08:13] So as you can imagine, everyone needs talent. So we're all working together. Um, we work with a number of organizations, not only in the U.S., but around the world. Matter of fact, we just stood up a European Cyber Resilience Center at MasterCard. And that came through a project where we started working with other companies across mainly the financial sector originally, but then we started to really expand beyond that.

[00:08:37] Uh, we just opened up that center two months ago, and that really came about because of partnerships within the U.S. Um, my, again, my, my previous boss, now our cybersecurity fellow, has had his hand in a lot of different partnerships with CISA, with the Secret Service, with the FBI. So, uh, through his personal interactions, we've, we've leveraged those partnerships to do a number of

[00:09:06] greater, uh, services. And so some of those, you know, we can talk about a little bit later, but there's just, uh, so many different partners, uh, really for us, it's not only other companies, but it's nonprofits, global nonprofits, it's government agencies. Um, I think we all work with a number of agencies just based out of a desire for

[00:09:29] everyone to make things better. Also, there's regulatory though. Sometimes regulators turn to companies and want to get our thoughts as they come out with new policies. And so it's not just a top down process.

[00:09:43] Rob Aragao: That was John Brickey, Senior Vice President at MasterCard, and Episode 109, MasterCard's take on cyber defense innovation and collaboration.

[00:09:52] We've had a number of eye opening discussions this year, none more so than with Craig Jones, former Director of the Global Cyber Crimes Directorate at Interpol. Craig actually spoke to me on a couple of occasions. What you're about to hear is taken from episode 114, Cyber Resiliency on a Global Scale.

[00:10:12] Craig Jones: I think you're more likely to be a victim of cybercrime in a country or an economy which is more digitally advanced effectively.

[00:10:21] So historically, we can look at the West in that. So this is the ransomware piece we have coming out time and time again, and the business email compromise. So the cyber criminals will look at that, that financial side of things. So that's probably more in the English speaking sort of West where you've got a combination of those sort of frauds as well as those technical attacks, serving the technical side to go off the vulnerabilities and the frauds.

[00:10:48] They go after, you know, the opportunities to engage on a one-to-one basis, so we do a volume and then narrow it down and do those sort of business email compromise. So we're seeing it more, and where you then look at where the infrastructure base, where the infrastructure is everywhere. So that's one of the big challenges we have is, you know, the infrastructure is used by the cyber criminals and used by everybody else as well.

[00:11:09] So how do you identify that infrastructure and then get that taken down? So I think there's, there's a technical aspect to this which we could be better at, but then you come into those, let's call them hard to reach jurisdictions. And I'd probably best for me to talk about some sort of examples here. We look at that, we see about the cyber attacks that are reported emanating from Iran or emanating from the African subcontinent or emanating from the Far East or emanating from Russian speaking countries as well.

[00:11:40] So you, you've got those same countries coming up time and time again, and you've got then that piece, whether it's a state act, whether it's a near state act, and these are sort of in the cybercrime space. And I should add here, you know, uh, North Korea is not a member of Interpol, so we don't have reach into or with North Korea effectively.

[00:12:04] And so some of the examples I'll give in that is the way law enforcement is trying to operate now. And we have seen some good examples where we've seen cooperation between the U.S. and Russia. Colonial Pipeline we've seen. Yeah. Okay. Sometimes there has been that cooperation and some arrests have been made, but I think if you looked, um, at where, if you look at a clear global graphic about where the main ransomware attacks are happening, there's not many happening in sort of Eastern Europe, Russia based sort of countries.

[00:12:36] So I think, you know, it doesn't take a particularly savvy analyst to work out, well, okay, well maybe quite a few of the attacks are coming, or we, you know, cyber crime is emanating from, from that region effectively. I think also I'd sort of mention Africa in that as well. What we're seeing is where you have economies that are growing really, really quickly, um, in Africa, you know, you've got a lot of people, it's more on the micro side, so using their mobile phones to conduct their businesses, sharing mobile phones between each other, swapping SIM cards in and out. Um, you know, that's potentially more vulnerable.

[00:13:12] But then you look at, you know, crime emanating, let's say, Nigeria, for example, you know, there is an organized crime network in sort of Africa, whether you call it Black Axe, which is a wider organized crime group, or whether you look at some of the smaller villages, and we've seen here where you've got extreme poverty in that country, you know, there is an opportunity for them to make money through committing cybercrime. If it works, you know, they're going to do it.

[00:13:40] So that's very similar to Eastern Europe, where we have the villages in Eastern Europe that were identified back, you know, in the nineties, early, early 2000s, where you had a whole community there committing cybercrime.

[00:13:54] Rob Aragao: Craig Jones there, former director of the Global Cyber Crimes Directorate at Interpol, who you can hear in both episodes 113 and 114.

[00:14:02] Okay, so I have taken you back in time, now to take you into space with Tiffany Snyder, the Deputy Chief of Cybersecurity Mission Integration at NASA. Tiffany joined us for episode 117, called Cybersecurity in Orbit, NASA's Digital Defense.

[00:14:19] Tiffany Snyder: I would say at NASA, it really all begins with understanding the goals of the mission and the constraints that our various missions operate under, you know, taking into account who the customers are, who the stakeholders are, who our partners are.

[00:14:32] NASA has such a diverse and large portfolio of missions, anywhere from maybe a 10,000, um, weather balloon, right? That's only going to operate for two months, to a multi billion dollar campaign like Artemis that we hope will operate for decades. And we oversee the cybersecurity, um, program for all of that.

[00:14:53] So that's really hard, to come up with like one overarching cybersecurity program that's going to, to work for all of those, um, types of missions. So fortunately for us, uh, NASA already has a robust risk management function baked into every step of the missions, right from the very beginning of the system development life cycle: our mission personnel, our engineers, our software engineers, safety.

[00:15:19] They're identifying, categorizing, cataloging risk. You know, when you're building the world's largest rocket and sending people to the moon, you really have to have a spot on understanding of risk. And you need to understand what systems and data are critical and what assets are critical, what absolutely cannot fail.

[00:15:39] So saying all that, you know, I think it's hard to think of anywhere else in the world that manages risk quite like NASA at launch control, mission control. I will say that cyber is the new kid on the block with risk management. As far as NASA goes, you know, if you talk to somebody in our field about risk management, we're obviously going to think about risk management from the risk management framework perspective.

[00:16:01] I know you've had Dr. Ron Ross on a bunch of times from the NIST, right? Very smart guy. And then this puts out some amazing publications on risk management. Honestly, NASA's risk management function predates a lot of those publications. So we've had to evolve our approach in cyber and as opposed to asking the mission, the missions to do our framework, we've had to think about how can we fit within what they're already doing so well, right?

[00:16:30] How do we bring that cyber critical information to our program managers, to our flight directors in actionable terms? Because they are managing so many other areas of risk. When you're talking about a launch day, launch control here is thinking about weather, thinking about bird strikes. They're thinking about metal fatigue.

[00:16:50] I can't come to them and say, you have a thousand unpatched systems on your network. That means nothing to them. From their perspective, they're thinking, what does that mean to the success of my mission? You know, tell me what, what do I do with that? So we've had to evolve our process so that we can jointly work towards protecting these critical assets.

[00:17:13] And it's a, it's a struggle when you're a federal agency and you have somewhere over 140 pieces of legislation telling us what we have to do from a cyber perspective. And then you have to communicate this in a way that is effective to our mission personnel.

[00:17:27] Rob Aragao: That was Tiffany Snyder, the Deputy Chief of Cybersecurity Mission Integration at NASA, who appeared in episode 117, Cybersecurity in Orbit, NASA's Digital Defense.

[00:17:38] And finally, it would be impossible to offer any kind of review of 2024 without mentioning AI. Of course. In episode 108, AI and Deepfakes, New Challenges in Cybersecurity, I spoke to Ashley Jess, a Senior Intelligence Analyst at Intel 471.

[00:17:56] Ashley Jess: Yeah, I mean, it's, it is really something to see how much this space has evolved since November 2022.

[00:18:02] I'm in this weird, I guess, privileged spot where I've been really watching it very closely, and so I know exactly the sort of pathway it's on, and, and it is exponential. I mean, back in November 2022, we assessed that AI capabilities weren't advanced enough to make a significant risk to organizations, right?

[00:18:20] I mean, in most instances, it was a supportive role, but that tide really continues to turn and, you know, the recent underground offers we're seeing really show that threat actors are still very, very focused on leveraging AI to innovate and sort of bolster their capabilities as opposed to using it for, you know, generic chatbot functionality.

[00:18:39] So as they continue to sort of explore and develop and advance in this space, things will almost certainly continue to evolve further still. And I think the main area that they're going to start really diving into is malware. And also, I would say also call centers and services, but it's also interesting in the, you know, the sort of mainstream space, right?

[00:19:00] Mainstream AI offerings are where that real explosion is also still continuing. So, you know, all of these products that people might integrate into their own business introduce new risks and increase attack surfaces for an organization. And this sort of massively, largely unquestioned, increased mainstream adoption of AI means that, you know, governments, organizations, individual users alike, they all need to really place a high priority on legislation, safety, and security, you know, both when using AI capabilities and defending against them.

[00:19:38] So, if that's in your own organization, folks really should critically examine the data policy of any AI tools they might want to integrate. And also, you know, ask yourself, as much as I hate to say it, if it's even worth it. It's been really interesting in the last couple of weeks, actually, because there's more and more reports that are coming out that are starting to say that AI might not even be worth the investment.

[00:20:01] And I'm talking from the likes of Goldman Sachs. They released a report last week, and it was just very interesting to see that on the financial side. Another company, I think it was Lucidworks, had a survey that said only one in four companies have successfully even launched an AI initiative. So, you know, the technology definitely has some notable issues even now, but regardless of what your organization decides to do with AI, criminals are using it.

[00:20:27] Rob Aragao: That was Ashley Jess, Senior Intelligence Analyst at Intel 471, who I spoke to in episode 108, AI and Deepfakes, New Challenges in Cybersecurity. Thanks so much for joining me in the Reimagining Cyber Year in Review 2024. We have plenty more great guests lined up to appear on the show over the next year, so please do subscribe to the podcast and make sure you don't miss any episodes going forward.

[00:20:52] That's all for me. I'll let you get back to 2025. Goodbye.