June 12, 2023

Cyber expert not happy with state of cybersecurity today

This week we talk with Eric Jeffery, a cybersecurity SE and host of the Cyber Security Grey Beard podcast, and he is just a little miffed about how organizations are responding to cyber attacks today. It's not so much about how they respond to the attack itself; it's how they communicate what happened to the public – if at all. He's submitting what happened at the LA Unified School District as his case in point. He's a bit fired up, so this will be a fun one.

Speaker:

Boy, do we get an earful on this week's episode!

Speaker:

Eric Jeffrey talks to us about his opinions about the

Speaker:

state of cybersecurity today.

Speaker:

We talk about a number of incidents, but the one that really got his

Speaker:

blood boiling was what happened at the LA Unified School District.

Speaker:

And, uh, he's got some interesting opinions on what organizations should

Speaker:

do to respond to such incidents.

Speaker:

You might want to grab some popcorn for this one.

W. Curtis Preston:

Hi, and welcome to Backup Central's Restore it All podcast.

W. Curtis Preston:

I'm your host, W. Curtis Preston, aka Mr.

W. Curtis Preston:

Backup, and have with me the guy who, according to my wife, is the only

W. Curtis Preston:

reason that I want to get a Tesla Prasanna Malaiyandi, how's it going?

W. Curtis Preston:

Prasanna.

Prasanna Malaiyandi:

am good, Curtis.

Prasanna Malaiyandi:

I don't.

W. Curtis Preston:

You know, she's blaming you.

Prasanna Malaiyandi:

It's not my fault.

Prasanna Malaiyandi:

I was just telling my wife, I was like, she was like, oh, why don't

Prasanna Malaiyandi:

you push Curtis to get a Tesla?

Prasanna Malaiyandi:

Like, because I don't push people, I just give them facts.

Prasanna Malaiyandi:

They can make their own decisions.

Prasanna Malaiyandi:

They're all adults.

Prasanna Malaiyandi:

You asked me a question, I give you your, the details.

W. Curtis Preston:

Yeah.

W. Curtis Preston:

And I, I think, I think I've definitely, I, I'm not sure

W. Curtis Preston:

what pushed me over the edge.

W. Curtis Preston:

Right.

Prasanna Malaiyandi:

getting your car fixed.

W. Curtis Preston:

No.

W. Curtis Preston:

You know what?

W. Curtis Preston:

It was the moment where I thought my car was dead, even though it turned

W. Curtis Preston:

out to be a really minor, that's what it was, a really minor thing.

W. Curtis Preston:

I, I realized that basically I'm one major repair away from, I've already

W. Curtis Preston:

done the most major repair, right?

W. Curtis Preston:

I mean, I, I'm at 200 and.

W. Curtis Preston:

10,000 miles.

W. Curtis Preston:

I've already done the most major repair I could do, which is to

W. Curtis Preston:

replace the engine, but the battery's still hanging out back there and the

W. Curtis Preston:

transmission's still hanging out.

W. Curtis Preston:

So I, I'm, I'm, let's say I'm the value of the car away from

W. Curtis Preston:

this car being worth nothing.

W. Curtis Preston:

Right.

W. Curtis Preston:

Um, I got the really scary warning of.

W. Curtis Preston:

Check hybrid system, please pull over.

W. Curtis Preston:

Uh, you know, and luckily, I, I was sitting in my garage or

W. Curtis Preston:

sitting in my, um, driveway.

W. Curtis Preston:

I had caused the problem by doing, um, by cleaning a fan that, uh, it was

W. Curtis Preston:

the fan that cools the hybrid battery.

W. Curtis Preston:

And by doing that, I had unplugged some stuff, which I, I did, you know, cause.

W. Curtis Preston:

Right, because that's the thing to do and well, no, but you're not, you're not

W. Curtis Preston:

gonna work on a fan that's plugged in.

W. Curtis Preston:

So I unplugged it and I did all the right things, and then I

W. Curtis Preston:

plugged it all back together and then it says, check hybrid system.

W. Curtis Preston:

And I'm like, oh my right.

W. Curtis Preston:

So I.

W. Curtis Preston:

I was, and then I decided to go, you know, talk to Dr.

W. Curtis Preston:

YouTube.

W. Curtis Preston:

And, um, thankfully Dr.

W. Curtis Preston:

YouTube had a very simple fix to this very scary error.

W. Curtis Preston:

But I think that was the moment where I was like, you know, right now

W. Curtis Preston:

my car, like I've had it tuned up.

W. Curtis Preston:

I've got a new engine, I've got new tires, I've got a, a, a new paint job.

W. Curtis Preston:

Like this car right now is worth the most it's ever going to be.

W. Curtis Preston:

At its current life, and it can only go downhill from here.

W. Curtis Preston:

And I would say drastically so, and that if I'm ever gonna

W. Curtis Preston:

sell it and buy a new car,

Prasanna Malaiyandi:

See, you should, but you should be

Prasanna Malaiyandi:

like me, like my previous car.

Prasanna Malaiyandi:

I just drove that thing into the ground.

W. Curtis Preston:

Right.

W. Curtis Preston:

But, but, but my point is it could be, I could, the ground

W. Curtis Preston:

part could be a day away.

W. Curtis Preston:

That's what I'm saying.

W. Curtis Preston:

I'm, I'm at 210,000 miles.

W. Curtis Preston:

Right.

Prasanna Malaiyandi:

At that point you might as well just pour money

Prasanna Malaiyandi:

into it, you know, just keep doing it.

Prasanna Malaiyandi:

It'll be fine.

Prasanna Malaiyandi:

Just kill.

W. Curtis Preston:

Are, are you try, are you try, are you trying to

W. Curtis Preston:

not be what my wife said You are.

W. Curtis Preston:

That's what you're doing, aren't you?

W. Curtis Preston:

You're going on record for not talking me into getting a, into getting a Tesla.

W. Curtis Preston:

Uh, yeah.

W. Curtis Preston:

It's not working.

W. Curtis Preston:

Um, especially when I found out there, there's some other

W. Curtis Preston:

incentives and stuff that I have.

W. Curtis Preston:

Right.

Prasanna Malaiyandi:

But, but I will warn you though, given the current, uh,

Prasanna Malaiyandi:

political climate and news, it may not be in your best interest to be supporting

Prasanna Malaiyandi:

someone with very controversial opinions.

W. Curtis Preston:

That is, that is a different problem

W. Curtis Preston:

right now with a Tesla for sure.

W. Curtis Preston:

Um, just never know what that guy's gonna say these

Prasanna Malaiyandi:

Or polarizing opinions I should say.

W. Curtis Preston:

Luckily, I don't buy my cars based on my

W. Curtis Preston:

political opinions, but, um, yeah.

W. Curtis Preston:

Um, anyway,

Prasanna Malaiyandi:

That's neither here nor there.

Prasanna Malaiyandi:

I'm sure guests is like,

W. Curtis Preston:

here nor there.

W. Curtis Preston:

Yeah.

W. Curtis Preston:

What?

W. Curtis Preston:

Yeah.

W. Curtis Preston:

Well, it often happens, our guests, they're like, what, what

W. Curtis Preston:

podcast did I sign up for here?

W. Curtis Preston:

Um, our guest today has been in the industry over 25 years working

W. Curtis Preston:

for companies like HP, IBM, and XiO.

W. Curtis Preston:

He is also the host of the Cybersecurity Gray Beard Podcast.

W. Curtis Preston:

Welcome to the podcast Eric Jeffrey.

Eric Jeffrey:

Hey, Curtis.

Eric Jeffrey:

Hey Prasanna.

Eric Jeffrey:

Thanks a lot for having me.

Eric Jeffrey:

It's good to see you.

W. Curtis Preston:

I, I see that you're, you're a, uh, a member,

W. Curtis Preston:

uh, of a club to which I belong, which is the two first name.

W. Curtis Preston:

A first name as the last name.

W. Curtis Preston:

Right.

W. Curtis Preston:

Um, I bet that's never a problem for you.

Eric Jeffrey:

I don't mind it, but my wife and my ex-wife really mind it

Eric Jeffrey:

when they, when they're called Jeff, they're like, do I look like a Jeff?

Eric Jeffrey:

I, I'm like, it, so I'm cool with it.

Eric Jeffrey:

And I'm called things much worse than Jeff.

Eric Jeffrey:

But, uh, yeah, it, it, it does become a problem.

W. Curtis Preston:

Yeah.

W. Curtis Preston:

The, the, um, yeah, I've, I've had, I've had, I've had a number of friends

W. Curtis Preston:

where it's like, with me, I think your, is it, does Eric work as a last name?

W. Curtis Preston:

I don't, I don't.

Eric Jeffrey:

Eric's son does.

Eric Jeffrey:

Um,

W. Curtis Preston:

Oh, right, right,

Eric Jeffrey:

no,

W. Curtis Preston:

right, right.

W. Curtis Preston:

Because my name's, my name's William Curtis Preston, literally go in

W. Curtis Preston:

any order that you want and they all work as first and last names.

W. Curtis Preston:

Although generally it would be Williams, right?

W. Curtis Preston:

Yeah.

W. Curtis Preston:

It's a, it's a

Eric Jeffrey:

So you got three and you make it.

Eric Jeffrey:

You make it more confusing, so

W. Curtis Preston:

Yeah.

W. Curtis Preston:

And I go by my middle name just to make it even more confusing.

W. Curtis Preston:

Right.

Eric Jeffrey:

yeah, there you go.

Eric Jeffrey:

Why make things easy for people?

W. Curtis Preston:

why may?

W. Curtis Preston:

Right.

W. Curtis Preston:

Well, we have Prasanna Malaiyandi here.

W. Curtis Preston:

Speaking of names,

Prasanna Malaiyandi:

it's simple.

Prasanna Malaiyandi:

Come on.

W. Curtis Preston:

Yeah.

W. Curtis Preston:

Simple for, simple for you.

W. Curtis Preston:

Literally every time I'm typing it and I'm like M a l a I,

Prasanna Malaiyandi:

I, I think it's the, I, I think it's the number of vowels in

Prasanna Malaiyandi:

my name that throw people off, and the fact that there's like an I before the y.

W. Curtis Preston:

Yeah, yeah.

W. Curtis Preston:

Exactly.

W. Curtis Preston:

Exactly.

Eric Jeffrey:

Yeah,

W. Curtis Preston:

Well, um, we're, we're glad, we're glad to have

W. Curtis Preston:

you on, Eric or Jeffrey, whatever, you know, whatever you want to go by.

W. Curtis Preston:

Um,

Eric Jeffrey:

I'll answer to either.

W. Curtis Preston:

Yeah, exactly.

W. Curtis Preston:

I I have the same, yeah, I have the same thing.

W. Curtis Preston:

Um, when people call me Preston, it just seems weird though.

W. Curtis Preston:

Um, it does seem weird.

W. Curtis Preston:

I, I feel like I'm back in the Navy.

W. Curtis Preston:

Right.

W. Curtis Preston:

Hey, Preston, that, that was never good.

W. Curtis Preston:

That was never good to, to hear your name called out like that.

Prasanna Malaiyandi:

Does your wife do that too?

Prasanna Malaiyandi:

When she gets mad?

W. Curtis Preston:

does not, um, No, she just, my wife, I get the silent treatment.

W. Curtis Preston:

She, she just doesn't call me at all.

W. Curtis Preston:

She's like, she'll just go, she'll just go somewhere else and, and,

W. Curtis Preston:

you know, not talk to me at all.

W. Curtis Preston:

Um, So, you know, we, we, you know, when I hear about, you know, the cybersecurity

W. Curtis Preston:

Gray Beard podcast, uh, which, which I was a guest on, which is very nice.

W. Curtis Preston:

Um, you know, we, we don't, we, I don't think of ourselves

W. Curtis Preston:

as cybersecurity specialists.

W. Curtis Preston:

Definitely not, right?

W. Curtis Preston:

But we're definitely cybersecurity enthusiasts, right?

Prasanna Malaiyandi:

Anor.

W. Curtis Preston:

we.

W. Curtis Preston:

Focused?

W. Curtis Preston:

No.

W. Curtis Preston:

Anac.

W. Curtis Preston:

No, we're not quite anex.

W. Curtis Preston:

Yeah.

W. Curtis Preston:

I think you'd have to actually know something about it to be, to be an

W. Curtis Preston:

anac, but we we're focused mainly on like keeping the data, like

W. Curtis Preston:

our focus is on the data, right?

W. Curtis Preston:

Uh, keeping it safe.

W. Curtis Preston:

Keeping it safe from anything that would do with damage, one of which

W. Curtis Preston:

is, uh, cybersecurity, uh, breaches.

W. Curtis Preston:

And, you know, during the pre-call, You know, we asked if there were some

W. Curtis Preston:

interesting, you know, cybersecurity breaches, uh, you know, in ransomware

W. Curtis Preston:

attacks that you had, um, you know, been interested in, and you, for some

W. Curtis Preston:

reason, you know, I think you seemed to want to talk about the LA Unified

W. Curtis Preston:

School District ransomware attack.

W. Curtis Preston:

Is that, is that about right?

Eric Jeffrey:

Yeah.

Eric Jeffrey:

I'd say that's fair.

Eric Jeffrey:

I also would say this, I mean, you guys are in data, and data is

Eric Jeffrey:

security and data's why we exist.

Eric Jeffrey:

If it wasn't for data, what the heck are we protecting?

Eric Jeffrey:

So whether it's like identity, identity and access management.

Eric Jeffrey:

So I do identity Well, when you're in security.

Eric Jeffrey:

Well, I do asset management.

Eric Jeffrey:

The funny thing is I think asset management is one of the most

Eric Jeffrey:

important pieces of cyber because if you don't know what the assets

Eric Jeffrey:

are, you don't know what to protect.

Eric Jeffrey:

Nobody is an expert in all areas of cybersecurity.

Eric Jeffrey:

I try and know.

Eric Jeffrey:

I try to be broad, not deep, and you guys are deep when it comes to data and

Eric Jeffrey:

I, I agree with you from the pre-call that the conversation about ransomware

Eric Jeffrey:

is probably the most important piece from a data protection perspective

Eric Jeffrey:

that, or mechanisms for exfiltration.

Eric Jeffrey:

But that is, that's a different story.

Eric Jeffrey:

But for you guys with the ransomware and with LA Unified School District, that

Eric Jeffrey:

one sticks in my craw because of who the victims were and the victims are children.

Eric Jeffrey:

They're victims of government incompetence at the state level, at the

Eric Jeffrey:

local level, and even at the federal level because of, in my opinion, when

Eric Jeffrey:

the FBI told them to be quiet and not talk about it, that's a problem.

Eric Jeffrey:

You know, somebody made a point when a plane crashes.

Eric Jeffrey:

We do extensive investigation to find out what happened when the

Eric Jeffrey:

SpaceX blew up the other day.

Eric Jeffrey:

They blew it up on purpose because it was veering off course and they're gonna

Eric Jeffrey:

do a darn big deep dive into finding out why was it veering off course?

Eric Jeffrey:

Why don't we do that with cyber?

Eric Jeffrey:

And then when we are way off course, like with what happened in LA, why

Eric Jeffrey:

don't they talk about how it happened?

Eric Jeffrey:

I would guess because there's no information on this cuz the FBI

Eric Jeffrey:

told them not to say anything.

Eric Jeffrey:

I would guess there was a ranch a um, A, uh, phishing attack.

Eric Jeffrey:

Somebody sent an email, somebody clicked on something or opened up something

Eric Jeffrey:

they shouldn't have, and that allowed a nefarious actor to gain access

Eric Jeffrey:

to a system and a person's account.

Eric Jeffrey:

And then from there,

Prasanna Malaiyandi:

Uh, I was just gonna talk, Eric, just briefly, that

Prasanna Malaiyandi:

normally when you watch TV or when you watch a movie and you see all

Prasanna Malaiyandi:

these things about hacking, right?

Prasanna Malaiyandi:

It's like, oh, they're breaking into the system.

Prasanna Malaiyandi:

Right?

Prasanna Malaiyandi:

They're attacking this system.

Prasanna Malaiyandi:

They've exploited some weakness, but like you just mentioned, right?

Prasanna Malaiyandi:

A lot of times it's just a human clicking on a link that they shouldn't have, right?

Prasanna Malaiyandi:

That GA allows the bad actor to gain access.

Eric Jeffrey:

Yeah, spot on.

Eric Jeffrey:

That's it.

Eric Jeffrey:

And the studies that I've read is 3% of the population will always click

Eric Jeffrey:

on that link or open that attachment.

Eric Jeffrey:

No matter what you do to that 3%, they're gonna click on it and I'm, I'm okay.

Eric Jeffrey:

Three percent's

W. Curtis Preston:

I have some friends in that 3%

Eric Jeffrey:

Yeah.

Eric Jeffrey:

You know, and, you know, if I were king of the world, those 3% would not be allowed

Eric Jeffrey:

to turn on a computer, but I'm not.

Eric Jeffrey:

And so they are.

Eric Jeffrey:

And they do.

Eric Jeffrey:

And we have, and I have a li you know, hell, I, I make a living out of this.

Eric Jeffrey:

I make a good living doing cybersecurity.

Eric Jeffrey:

But it's frustrating when you feel like you're plugging holes in a

Eric Jeffrey:

dam and every time you stick your finger in a hole, two more pop up.

Eric Jeffrey:

And then when you want to go find out, well, why are these holes popping up?

Eric Jeffrey:

You're told, shh, don't talk about that.

Eric Jeffrey:

Just put your finger in the hole.

Eric Jeffrey:

I don't wanna put my finger in the hole.

Eric Jeffrey:

I don't want the hole to exist.

Eric Jeffrey:

And that's what happened with the LA Unified School District.

W. Curtis Preston:

Yeah, it, it's, and I, I know that you, you know, you

W. Curtis Preston:

mentioned, and, and I'd like you to talk a little bit more about that.

W. Curtis Preston:

It, um, you mentioned that there was exfiltration and there was

W. Curtis Preston:

really sensitive data that has been leaked of these students.

W. Curtis Preston:

You wanna talk about that a little bit?

Eric Jeffrey:

Yeah.

Eric Jeffrey:

What happened was the outcome, how it occurred, we don't know, but the outcome

Eric Jeffrey:

was student data and I believe also faculty and that there were teachers and,

Eric Jeffrey:

and adults that were affected as well.

Eric Jeffrey:

But I'm more concerned with the kids cuz they're victims

Eric Jeffrey:

through no fault of their own.

Eric Jeffrey:

And the data was everything I.

Eric Jeffrey:

It included their grades, it included their nurse records, so their

Eric Jeffrey:

medical, including their vaccinations and their vaccination statuses.

Eric Jeffrey:

It included their therapist.

Eric Jeffrey:

If they were going to the school counselors.

Eric Jeffrey:

It was like everything, anything and everything at the school

Eric Jeffrey:

district, the whole LA Unified School district, which I believe is

Eric Jeffrey:

the second largest in the country.

Eric Jeffrey:

I think there's something like 600,000 victims outta this with

Eric Jeffrey:

the vast majority being children.

Eric Jeffrey:

Under the age of 18, or certainly under the age of 19, six to

Eric Jeffrey:

18 probably is the range.

Eric Jeffrey:

And for their rest of their lives.

Eric Jeffrey:

I mean, they're gonna have to be worried that their data was out there and

Eric Jeffrey:

their grades and their mental health status and they, the recourses here,

Eric Jeffrey:

we'll give you LifeLock or we'll give you Equifax for your credit rating.

Eric Jeffrey:

What did care about his credit rating?

Eric Jeffrey:

You know, God forbid some of these kids when they're 13 or 14, Start to

Eric Jeffrey:

become a little more savvy and they go find the data and then they start

Eric Jeffrey:

blackmailing their, their, the other students, their peers, I should say.

Eric Jeffrey:

This is one of the things that people don't know or don't

Eric Jeffrey:

talk about with ransomware.

Eric Jeffrey:

It's not the initial hit that's the problem.

Eric Jeffrey:

It's the secondary and the tertiary hits that become the problem.

Eric Jeffrey:

A lot of these people will either wait years or they won't even

Eric Jeffrey:

find the data for years, but it's still your social security number.

Eric Jeffrey:

Your grades in the third grade are still there, and if people want to

Eric Jeffrey:

come back and start to blackmail you from it, or even worse, they use

Eric Jeffrey:

it as a secondary phishing attack.

Eric Jeffrey:

In other words, Hey, didn't you go to this school and have this

Eric Jeffrey:

teacher in the third grade?

Eric Jeffrey:

Oh yeah, I was there too.

Eric Jeffrey:

You want to get together?

Eric Jeffrey:

Why don't you pay for my plane ticket?

Eric Jeffrey:

And then this guy's getting scammed by somebody because it's something

Eric Jeffrey:

that happened 5, 10, 15 years ago.

Eric Jeffrey:

We still need to be on the lookout for the OPM breach.

Eric Jeffrey:

That happened, I believe, in 2015.

Eric Jeffrey:

People whose records were taken from that, people whose

Eric Jeffrey:

fingerprints were taken from that.

Eric Jeffrey:

Those people need to, you know, they need to be aware of it and

Eric Jeffrey:

that's why for life these victims need the Equifax or LifeLock.

Eric Jeffrey:

But that's just another field.

Eric Jeffrey:

It, it's not stopping what's causing this.

Eric Jeffrey:

And you know, that's what I do for a

Prasanna Malaiyandi:

I think the one thing, going back to what you

Prasanna Malaiyandi:

mentioned about sort of not being able to share what happened, right?

Prasanna Malaiyandi:

How it occurred, I think Curtis, I know you and I, we've talked about

Prasanna Malaiyandi:

this on the podcast, there's not a lot of transparency that goes on, right?

Prasanna Malaiyandi:

In terms of a company gets hit by ransomware.

Prasanna Malaiyandi:

It's almost taboo to say, oh, I got hit, right?

Prasanna Malaiyandi:

And so what everyone does is they sort of sweep it under the rug.

Prasanna Malaiyandi:

They silently cover it up.

Prasanna Malaiyandi:

Just try to get.

Prasanna Malaiyandi:

Things recovered without affecting too many things, and there are

Prasanna Malaiyandi:

very, very few people who actually go out there and talk about it.

Prasanna Malaiyandi:

Like Curtis, I think the first time I heard about an actual victim of

Prasanna Malaiyandi:

ransomware was when we had Tony Mendoza from Spectra Logic on the podcast

Prasanna Malaiyandi:

talking about like the process as head of IT, what they went through trying to

Prasanna Malaiyandi:

recover after being hit by ransomware.

Prasanna Malaiyandi:

And this is a data protection company recovering their internal systems

Prasanna Malaiyandi:

after being hit by ransomware.

Eric Jeffrey:

Yeah, and we are all told not to talk about it, and I'm very

Eric Jeffrey:

sensitive when I discuss situations that I've been involved with.

Eric Jeffrey:

I don't mention the client's name and.

Eric Jeffrey:

You know, that's out of, you know, courtesy for them.

Eric Jeffrey:

It's also about NDAs that I've signed and in certain instances, non-competes.

Eric Jeffrey:

And I, I could understand not naming the company, that may or may not be necessary,

Eric Jeffrey:

but we need to talk about how it happened and maybe we have a naked database.

Eric Jeffrey:

It says school district one, school district two, school district

Eric Jeffrey:

three. And what we need and what IBM had started to do, but I don't think anything

Eric Jeffrey:

came of it was create a database of these attacks that's based on vertical markets.

Eric Jeffrey:

So the financial services sector can work with each other and say, Hey, how are

Eric Jeffrey:

other financial services being affected because that attack is coming my way.

Eric Jeffrey:

Hospitals, how are you getting into hospital?

Eric Jeffrey:

Hospitals and what are you taking over in those hospitals?

Eric Jeffrey:

We need all these healthcare organizations communicating, and if you wanna scrub

Eric Jeffrey:

the name from an attack, fine, but at least put the database together, have

Eric Jeffrey:

an open conversation about the attacks.

Eric Jeffrey:

Again, it goes back to what happened when the Challenger shuttle blew up in 86.

Eric Jeffrey:

It was because of a faulty O ring.

Eric Jeffrey:

That was almost 30 years ago.

Eric Jeffrey:

I know about the darn O ring.

Eric Jeffrey:

How many other space shuttle manufacturers know about that O ring?

Eric Jeffrey:

Well, why don't we know about the O ring that caused LAUSD to get hacked?

Eric Jeffrey:

What was their O ring?

Eric Jeffrey:

I want to see that and I want to see it documented, and I want

Eric Jeffrey:

it to be a searchable database.

Eric Jeffrey:

And the reason that they don't, and I'll be very fair to the other side, we don't

Eric Jeffrey:

want to tell the hackers what's working.

Eric Jeffrey:

Sorry guys.

Eric Jeffrey:

The hackers already know what's working.

Eric Jeffrey:

So how about we stop shooting ourselves in the foot to protect

Prasanna Malaiyandi:

feel though that maybe some of these things

Prasanna Malaiyandi:

in terms of uh, not publishing how it happened is potentially

Prasanna Malaiyandi:

because they don't actually know?

Prasanna Malaiyandi:

Cause either logs were lost or other things were compromised and

Prasanna Malaiyandi:

that's kind of a reason why they don't want to talk about it as well.

W. Curtis Preston:

I do understand the other side of the argument, right?

W. Curtis Preston:

That.

W. Curtis Preston:

It's, it's, it's two things.

W. Curtis Preston:

It's, we don't want to tell the, the bad guys what works.

W. Curtis Preston:

We also really don't want to tell them what worked here.

W. Curtis Preston:

Right.

W. Curtis Preston:

How did I get hacked because maybe I haven't fixed the reason I got hacked.

W. Curtis Preston:

Whatever, whatever that was.

W. Curtis Preston:

Right?

W. Curtis Preston:

Um, so I understand, you know, it's, it's, it, it a lot, even when,

W. Curtis Preston:

when I've listened to or talked to.

W. Curtis Preston:

People that give details about, they do seem to keep that

W. Curtis Preston:

one piece, uh, to themselves.

W. Curtis Preston:

They don't tend to give the, the,

Prasanna Malaiyandi:

like, it's like a police, right?

Prasanna Malaiyandi:

When you're investigating a case, you always keep that one piece out

Prasanna Malaiyandi:

from public, right from the news, just so you could figure out, did

Prasanna Malaiyandi:

someone actually do something or not?

Eric Jeffrey:

There's, I agree with you both, and there's two schools of thought.

Eric Jeffrey:

I'm fine holding back that one secret piece of the sauce.

Eric Jeffrey:

Twitter did a great job, and I'm not a Twitter fan at all, but I've

Eric Jeffrey:

spoken about this at conferences.

Eric Jeffrey:

I've written about this, and the way that Twitter handled their

Eric Jeffrey:

hack was fantastic because they did two very important things.

Eric Jeffrey:

They told us exactly what happened.

Eric Jeffrey:

And then they apologized.

Eric Jeffrey:

I, it was stunning.

Eric Jeffrey:

I mean, Twitter said, and above all else, we're sorry.

Eric Jeffrey:

Thank you.

Eric Jeffrey:

Twitter.

Eric Jeffrey:

I'd like for the LA Unified School District to step up and well one fire

Eric Jeffrey:

people because what happened there was criminal by far criminal, the negligence

Eric Jeffrey:

of what they do there and what they did.

Eric Jeffrey:

It's just no matter what side of it is to share, nothing.

Eric Jeffrey:

Not even to say it was a Phish attack and somebody got a link with an attachment and

Eric Jeffrey:

blah, and it was this group that did it.

Eric Jeffrey:

Come on, man.

Eric Jeffrey:

I think they may have finally came out and said Who did it?

Eric Jeffrey:

It might have been North Korea, but don't, don't quote me on that.

Eric Jeffrey:

It was last year and I am getting old and forgetting things, but

Eric Jeffrey:

my, my view on it is you still need to tell us what's going on.

Eric Jeffrey:

I want to know what type of lateral

Eric Jeffrey:

movement.

Eric Jeffrey:

You don't need to tell me the name of the employee that got hacked.

Eric Jeffrey:

That's

Eric Jeffrey:

not important.

Eric Jeffrey:

But knowing that a, a, a secretary or whomever it was that clicked on something

Eric Jeffrey:

that they shouldn't, we need to know so other people know not to click on that

Eric Jeffrey:

link.

Eric Jeffrey:

It's important because I say 3% of the people always click on

Eric Jeffrey:

it.

Eric Jeffrey:

I've seen phishing surveys coming

Eric Jeffrey:

back with 27% of the company.

Eric Jeffrey:

So if you have a hundred thousand people, 27,000 people clicked on a link.

Eric Jeffrey:

And it only takes one.

Eric Jeffrey:

Okay.

Eric Jeffrey:

So if you can get it down to 3%, you're still dealing with 3000 people

Eric Jeffrey:

you know, KnowBe4

Eric Jeffrey:

and, and that organization, they do these studies, they do these surveys.

Eric Jeffrey:

I'm a very big fan of that company.

Eric Jeffrey:

They do important work training people, but when even they say

Eric Jeffrey:

there's 3% we can't reach, I.

Eric Jeffrey:

That's where some of the technology needs to come in.

Eric Jeffrey:

But in the end, the human is the weakest link in the chain of cybersecurity.

Eric Jeffrey:

And the reason that I do my podcast and the reason that I join and talk

Eric Jeffrey:

with you guys is to help people understand we all are cyber defenders.

Eric Jeffrey:

We all need to.

Eric Jeffrey:

Effect change.

Eric Jeffrey:

We all need to do something, uh, different and, and make and, and

Eric Jeffrey:

protect ourselves, our loved ones, our families, our kids, and students.

Eric Jeffrey:

And that's why, you know, when I was at IBM we did a, a wonderful thing for the

Eric Jeffrey:

Denver School District and that was to go do an evaluation to help them know where

Eric Jeffrey:

they need to strengthen their themselves.

Eric Jeffrey:

And IBM gave out six grants like that, and everybody needs to act

W. Curtis Preston:

What I worry about when I think about the aftermath of

W. Curtis Preston:

this particular attack, do you remember the Ashley Madison hack, right?

W. Curtis Preston:

Right.

W. Curtis Preston:

Do you remember, do you remember the aftermath of that?

W. Curtis Preston:

There were suicides right now.

W. Curtis Preston:

Now these were not innocent victims, right?

W. Curtis Preston:

These were, you know, by design.

W. Curtis Preston:

These were people looking to cheat on their, their spouses.

W. Curtis Preston:

But, um, I can see that happening here, right?

W. Curtis Preston:

So if, if children were discussing very sensitive things with their, um, you know,

W. Curtis Preston:

their counselor cuz that's what you do, uh, and then that information was leaked.

W. Curtis Preston:

I can see.

W. Curtis Preston:

Um, you know, I can see kids that were, that.

W. Curtis Preston:

are not out, that are gay, that talked about that with the counselor.

W. Curtis Preston:

I can see all kinds of

Prasanna Malaiyandi:

And kids are mean too.

W. Curtis Preston:

their counselor that is now, and kids are, kids are horrible.

W. Curtis Preston:

So I can, I can see suicides.

W. Curtis Preston:

Yeah.

W. Curtis Preston:

So I do, I do think that the, um, you know, we focus mainly

W. Curtis Preston:

on the, the making sure that the data doesn't disappear forever.

W. Curtis Preston:

Um, but I do think that the, the double extortion attack where there,

W. Curtis Preston:

you know, is the absolute worst, and that that's perhaps where the front

W. Curtis Preston:

end defense money should be spent.

W. Curtis Preston:

Right?

W. Curtis Preston:

In detecting exfiltration, it is possible to detect exfiltration, but I don't

W. Curtis Preston:

think that, I think that too much money is being spent on stopping the attack.

W. Curtis Preston:

And not enough on stopping what happens after the attack.

W. Curtis Preston:

Right.

W. Curtis Preston:

Basically a a, a stronger assumed breach sort of setup Right.

W. Curtis Preston:

Mentality.

W. Curtis Preston:

Yeah.

Eric Jeffrey:

I heard something recently, and I wanna say that this came from

Eric Jeffrey:

Microsoft, from a friend of mine.

Eric Jeffrey:

She told me about making.

Eric Jeffrey:

It impossible to encrypt encryption.

Eric Jeffrey:

In other words, if you have already been encrypted with one format,

Eric Jeffrey:

you can't encrypt it in another.

Eric Jeffrey:

And based off of that concept, you could not have ransomware because you

Eric Jeffrey:

can't encrypt what's already encrypted.

Eric Jeffrey:

You said something, Curtis, it's important about double extortion, and

Eric Jeffrey:

I don't think a lot of people know what that is, but what you're talking

Eric Jeffrey:

about is the first extortion is give us the money, or we're not gonna

Eric Jeffrey:

give you the key to unlock the data.

Eric Jeffrey:

And the second piece is, okay, we're not, you're not gonna, now we're gonna

Eric Jeffrey:

extort you by leaking the data anyway.

Eric Jeffrey:

So that's the double extortion.

Eric Jeffrey:

And I will tell you for an absolute fact, I've been doing

Eric Jeffrey:

this for 25 years at least.

Eric Jeffrey:

Where do you spend your money on the front end?

Eric Jeffrey:

On the back end?

Eric Jeffrey:

Is it on encryption?

Eric Jeffrey:

Is it on data protection?

Eric Jeffrey:

Is it on backups?

Eric Jeffrey:

That is a huge debate and I have not found an organization where I believe.

Eric Jeffrey:

That they do it really correctly.

Eric Jeffrey:

They're, they're not looking at the proper use cases and

Eric Jeffrey:

use cases on data protection.

Eric Jeffrey:

And data exfiltration is really where you should focus you.

Eric Jeffrey:

You hit on something really powerful, but it's not just about the kids.

Eric Jeffrey:

Imagine a kid's talking about parent abuse.

Eric Jeffrey:

Their caregiver is abusing them.

Eric Jeffrey:

Now the caregiver finds out that the kid told that that puts the

Eric Jeffrey:

kid and the counselor at risk.

Eric Jeffrey:

If this abuser finds it.

Eric Jeffrey:

Where is the data?

Eric Jeffrey:

How do people find the data?

Eric Jeffrey:

And who's gonna go looking for it As time passes and people learn more about

Eric Jeffrey:

this, and as they get older, they're gonna go look for it and they're gonna

Eric Jeffrey:

find it and it, and there is, you know, forget the double extortion.

Eric Jeffrey:

Now you've got what I would say are kinetic threats,

Eric Jeffrey:

losing some money that's bad.

Eric Jeffrey:

Kinetic threats.

Eric Jeffrey:

That can be a hell of a lot worse.

W. Curtis Preston:

Yeah.

W. Curtis Preston:

In this case, there could be multiple.

W. Curtis Preston:

Uh, extortions, Right.

W. Curtis Preston:

The, the initial extortion was against the, the LAUSD, but the, you know,

W. Curtis Preston:

you're talking about kids be kids that become adults and they're, you know, it's

W. Curtis Preston:

like, because this information threatens their future employment status, depending

W. Curtis Preston:

on what we're talking about, um, that they could be, they could be extort.

W. Curtis Preston:

And the, the thing about that kind of thing is, It's not the same as, you know,

W. Curtis Preston:

we call this ransomware, but the, the big difference between this, the, the idea of

W. Curtis Preston:

ransom and the, the, the, the OG ransom.

W. Curtis Preston:

Give us your money and we'll give you your kid back.

W. Curtis Preston:

Uh, in this case, no matter what they pay, they can't put that

Prasanna Malaiyandi:

Genie back on the bottle.

W. Curtis Preston:

in the barn.

W. Curtis Preston:

Right?

W. Curtis Preston:

Yeah.

W. Curtis Preston:

The genie back in the bottle, whatever, whatever you, whatever, uh,

W. Curtis Preston:

uh, analogy you want to use there, their data will forever be out there.

W. Curtis Preston:

Um,

Prasanna Malaiyandi:

you think though, and just going back to Eric, what you

Prasanna Malaiyandi:

had mentioned, that no organization you've worked with has done it right.

Prasanna Malaiyandi:

Do you feel that it's because organizations don't understand the

Prasanna Malaiyandi:

data that they have, the importance of the data, the classification of

Prasanna Malaiyandi:

that data, how to protect it, because different data, for instance, like.

Prasanna Malaiyandi:

The school counselor records, right?

Prasanna Malaiyandi:

Or therapist records.

Prasanna Malaiyandi:

That's probably very sensitive data that you probably want to protect a lot more

Prasanna Malaiyandi:

than say just the kid's name, right?

Prasanna Malaiyandi:

Or an email address, potentially, right?

Prasanna Malaiyandi:

Or something that's more benign.

Prasanna Malaiyandi:

And so is that part of the problem you

Eric Jeffrey:

So you, you're.

Eric Jeffrey:

You, you're asking me straight up, why have I not run into an

Eric Jeffrey:

organization that does it correctly?

Eric Jeffrey:

Why is it that people don't seem to protect their data, and why do

Eric Jeffrey:

these things keep happening and why do they keep getting worse?

Eric Jeffrey:

And no matter how much money we spend, it just gets worse.

Eric Jeffrey:

Is that what you're asking?

Eric Jeffrey:

My professional opinion.

Eric Jeffrey:

Is that the people that care the most about the data don't have the

Eric Jeffrey:

authority to protect it, nor do they have the budget to protect it, and

Eric Jeffrey:

the people that have the budget and the authority have bigger fish to fry.

Eric Jeffrey:

I'll give you a very good example.

Eric Jeffrey:

I worked in healthcare for about eight and a half years, healthcare

Eric Jeffrey:

IT, and you have a revenue generating machine called an MRI.

Eric Jeffrey:

Let's say it costs a million dollars, whether you buy a revenue generating

Eric Jeffrey:

MRI for a million dollars or do you spend half that on cybersecurity?

Eric Jeffrey:

The people that are running the hospital say, we're gonna spend the million dollars

Eric Jeffrey:

on the MRI because we need to make money.

Eric Jeffrey:

And cybersecurity.

Eric Jeffrey:

Yeah.

Eric Jeffrey:

If we get hacked, we get hacked.

Eric Jeffrey:

And what's the worst thing that can happen?

Eric Jeffrey:

The worst thing that happens to these organizations is not bad enough.

Eric Jeffrey:

And here's a perfect example.

Eric Jeffrey:

I believe it was the Pinto.

Eric Jeffrey:

It was a a Ford car.

Eric Jeffrey:

And this was a major lawsuit where they calculated what

Eric Jeffrey:

is the value of a human life.

Eric Jeffrey:

And you can quantify that.

Eric Jeffrey:

I have a degree in economics and people hate the story, but you can

Eric Jeffrey:

quantify the value of a human life.

Eric Jeffrey:

I'm sorry, but you can put a dollar figure on it.

Eric Jeffrey:

And the people that, I think it was Ford.

Eric Jeffrey:

Don't sue me for it.

Eric Jeffrey:

I'm just thinking it was the Ford Pinto that was this story and they

Eric Jeffrey:

said, we are not gonna fix this car.

Eric Jeffrey:

That blows up when you hit it from the rear because it's more expensive

Eric Jeffrey:

to recall all the cars than it is to pay for the people that end up dying.

Eric Jeffrey:

Well, when this all came out, Ford was hilled just d the, the, the um, settlement

Eric Jeffrey:

was way more than it would've been to recall all the cars, to punish them.

Eric Jeffrey:

And we now have that story.

Eric Jeffrey:

And now car dealerships, I'm sorry, car manufacturers will recall the cars no

Eric Jeffrey:

matter how much it costs because they know what happened in that Pinto story.

W. Curtis Preston:

Yeah, I as a, as an owner, as a former owner of

W. Curtis Preston:

a Ford Pinto, um, the, the, the, it was actually my first car.

W. Curtis Preston:

Uh, it was like a dollar 57 part.

W. Curtis Preston:

Right was to think like it was literally, the part was like a buck and a half,

W. Curtis Preston:

but it was the cost of bringing everybody back in to replace that dollar and

W. Curtis Preston:

a half part, um, that caused them to Yeah, that I, I do believe your story is

W. Curtis Preston:

right, but again, don't sue me either.

W. Curtis Preston:

Um.

Eric Jeffrey:

but that's my point is we need a Ford or the cigarette companies.

Eric Jeffrey:

They got sued into oblivion because they were false marketing

Eric Jeffrey:

and saying, oh, these are great.

Eric Jeffrey:

And then the whole thing, and I, it was the eighties and nineties

Eric Jeffrey:

that just decimated the cigarette industry with that lawsuit.

Eric Jeffrey:

I, I don't know if that's what it takes to fix cybersecurity, but we,

Eric Jeffrey:

we have a, a, a broken industry.

Eric Jeffrey:

Where it's just getting worse and worse.

Eric Jeffrey:

And, and real quick, I'll, I'll just say this and then I'll, I'll shush

Eric Jeffrey:

for a moment and let you guys jump in.

Eric Jeffrey:

When I speak, I tell a story about a graph, and it shows that we

Eric Jeffrey:

spend more and more money every year on cybersecurity, and we get

Eric Jeffrey:

more and more attacks every year.

Eric Jeffrey:

So one would draw a corollary that if you're attacked more because

Eric Jeffrey:

you spend more money, spend less, and you'll be attacked less.

Eric Jeffrey:

Obviously that's not the case, but why is it?

Eric Jeffrey:

That we're spending more and more money and we're getting attacked more and more.

Eric Jeffrey:

And not only are we getting attacked more, but the attacks are worse.

Eric Jeffrey:

What happened at LA Unified School District was pretty darn egregious.

Eric Jeffrey:

It's similar to the OPM breach from seven or eight years ago.

Eric Jeffrey:

And the Equifax, the Equifax breach in 2017 was just horribly disgusting.

Eric Jeffrey:

And that goes to something you were saying earlier, Prasanna, about.

Eric Jeffrey:

It sits around for a while and they know it, and why aren't you fixing it?

Eric Jeffrey:

Equifax knew about that weakness in their, um, web server for months

Eric Jeffrey:

and they never patched it, and then they got hacked and 150 million

Eric Jeffrey:

people's financial data leaks.

Eric Jeffrey:

It's just, it's broken and it's broken for a number of reasons, and we are

Eric Jeffrey:

not doing anything as a society, in my opinion, that's gonna remedy it.

Eric Jeffrey:

And coming out with more regulations and coming out with, you know, government

Eric Jeffrey:

involvement and interference, it, it, it creates certain roadblocks

Eric Jeffrey:

that are limiting the remedy.

Eric Jeffrey:

But the real remedy is, is being elusive because the, the people

Eric Jeffrey:

that are knowledgeable are not in charge and they don't have the money.

Eric Jeffrey:

And one perfect example of that is when a CISO, chief information security

Eric Jeffrey:

officer reports to a c o I've written about this, you, you can't have that.

Eric Jeffrey:

And when we have organizations that are doing that, or the CIO reports to the CFO,

Prasanna Malaiyandi:

Yep.

Eric Jeffrey:

okay, so the guy that's responsible for all of your information

Eric Jeffrey:

technology is reporting to the guy responsible for the money, and they're

Eric Jeffrey:

both bonused on different things.

Eric Jeffrey:

You're gonna have a conflict and the conflict is not gonna go into the

Eric Jeffrey:

direction of stronger cybersecurity.

W. Curtis Preston:

Yeah.

W. Curtis Preston:

This is a problem.

W. Curtis Preston:

This is a problem that we have in, in the, in the backup space, right?

W. Curtis Preston:

No one, no one ever, no one ever became a customer of a company because they

W. Curtis Preston:

used a really good backup system, right?

W. Curtis Preston:

So, uh, we have the same problem and sounds like the same.

W. Curtis Preston:

Uh, Um, similar problem because what's happened in the backup space, we didn't

W. Curtis Preston:

have cyber attacks in the backup space.

W. Curtis Preston:

They just, they just didn't exist 20 years ago.

W. Curtis Preston:

No one was attacking the backup system.

W. Curtis Preston:

We just had to make sure that it was safe from fire and floods

W. Curtis Preston:

and, you know, things like that.

W. Curtis Preston:

We, we didn't have to also make sure that, that, that, that a cyber attacker can't.

W. Curtis Preston:

You know, basically obliterate the backup system.

W. Curtis Preston:

Now we're having to spend more money and more design money.

W. Curtis Preston:

Right.

W. Curtis Preston:

You know, I, um, actually, I forgot to throw out our disclaimer.

W. Curtis Preston:

This is an independent podcast and these opinions are ours and don't necessarily

W. Curtis Preston:

reflect any companies we work with.

W. Curtis Preston:

So one of the problems that we have is that people don't back

W. Curtis Preston:

up Microsoft 365 and things like backup things like Microsoft 365.

W. Curtis Preston:

They say, oh, it's the cloud, it's magic, it's PFM, right?

W. Curtis Preston:

And if you know, you Google that, if you don't know what that means,

W. Curtis Preston:

um, and, and, and, and, and so not enough major things have happened

W. Curtis Preston:

to companies that don't back up.

W. Curtis Preston:

365 and similar products.

W. Curtis Preston:

Right.

W. Curtis Preston:

Um, not enough companies have basically ceased to exist due to cyber attacks.

W. Curtis Preston:

Um, I, I can name them.

W. Curtis Preston:

I can name them on like, literally a few fingers and they're not public

Prasanna Malaiyandi:

Code spaces.

W. Curtis Preston:

And, and, and I'll submit.

W. Curtis Preston:

But yeah, Code Spaces is, is, you know, is the big one right from

W. Curtis Preston:

the very beginning of all of this.

W. Curtis Preston:

But like, for example, This is one that I just found out, uh, just a few days ago.

W. Curtis Preston:

There's, there's a great podcast, by the way, called The Ransomware Files.

W. Curtis Preston:

And it's, um, just a guy that's interviewing and he, he basically

W. Curtis Preston:

does stories and then he actually talks to the people who were

W. Curtis Preston:

involved in their ransomware attack.

W. Curtis Preston:

It's a fascinating, um, you know, podcast.

W. Curtis Preston:

And he talked about this, this hack last year where, uh,

W. Curtis Preston:

Conti had basically taken down.

W. Curtis Preston:

All of Costa Rica's government, that, that, that they lost their revenue

W. Curtis Preston:

system, their, their, you know, um, the, the, basically their, the payroll, they

W. Curtis Preston:

lost all these huge, just a huge portion of the Costa Rica government and to.

W. Curtis Preston:

To my knowledge and to that guy's knowledge, like it's the first time

W. Curtis Preston:

that like an entire country has been held ransom by a ransomware group.

W. Curtis Preston:

The weirdest part of the story is that Conti.

W. Curtis Preston:

Apparently didn't do it for money because, um, and this is a way too

W. Curtis Preston:

brief explanation, but Costa Rica actually has laws that prevented the

W. Curtis Preston:

government from paying their ransom.

W. Curtis Preston:

And so, and, and, and any, and a group the size of Conti would've known that.

W. Curtis Preston:

It appears that they did this hack just to, um, of a way to,

W. Curtis Preston:

of a basically providing cover while they made Conti disappear.

W. Curtis Preston:

Um, right.

W. Curtis Preston:

Cuz that's what happened right at this time.

W. Curtis Preston:

This was April of last year.

W. Curtis Preston:

Uh, this was Conti's last attack before they spread everybody out

W. Curtis Preston:

to a bunch of other organizations.

W. Curtis Preston:

I agree with you Eric.

W. Curtis Preston:

I almost called Jeff.

W. Curtis Preston:

I agree with you, Eric, that, um, that not enough like of these public.

W. Curtis Preston:

Um, things where basically where, like in the case of Costa Rica, they have had to

W. Curtis Preston:

completely rebuild their IT infrastructure from scratch with no backup, no nothing.

W. Curtis Preston:

They're starting like from scratch, and I know of companies that basically

W. Curtis Preston:

have been wiped off the planet.

W. Curtis Preston:

Not enough of those have been public.

W. Curtis Preston:

And, and again, with the Costa Rica story, I didn't even realize

W. Curtis Preston:

that that happened, right?

W. Curtis Preston:

That, that, that event was not public enough.

W. Curtis Preston:

Um, and so, Yeah.

W. Curtis Preston:

I,

Prasanna Malaiyandi:

I, I wanna take the other perspective though, Curtis,

Prasanna Malaiyandi:

on that, so I totally, no, no, no.

Prasanna Malaiyandi:

So, so the one country though, that I think did a phenomenal job

Prasanna Malaiyandi:

right, is during the Ukraine War.

Prasanna Malaiyandi:

Right where they were hit multiple times, right?

Prasanna Malaiyandi:

By cyber attacks, and because they had gotten so good at rebuilding

Prasanna Malaiyandi:

their infrastructure, right?

Prasanna Malaiyandi:

They had backups.

Prasanna Malaiyandi:

They knew how to recover, right?

Prasanna Malaiyandi:

They get attacked, they'd spin up everything, right?

Prasanna Malaiyandi:

Within a couple days, everything was recovered back to normal, right?

Prasanna Malaiyandi:

And so,

W. Curtis Preston:

Yeah.

Eric Jeffrey:

Well.

Eric Jeffrey:

I'm not sure which attack you're talking about, but the reason that the Ukraine

Eric Jeffrey:

is able to recover is because they get hit so often that they have a mechanism.

Eric Jeffrey:

And also I read about this in, I wanna say it was The Hacker

Eric Jeffrey:

and the State by Ben Buchanan.

Eric Jeffrey:

And it, it talked about, it was either that or in a another.

Eric Jeffrey:

One of those books, but I think it was Ben's book, it, it talked about

Eric Jeffrey:

their infrastructure is so basic that it's not that difficult to rebuild.

Eric Jeffrey:

And if we took the hits that they're taking, we wouldn't be

Eric Jeffrey:

able to recover like that because ours are so sophisticated.

Eric Jeffrey:

So the Ukraine, it, it, it's kind of like saying somebody that gets sacked

Eric Jeffrey:

in the end zone four times in a row starts to learn, Hey, how about I

Eric Jeffrey:

stop throwing the ball when I'm on the two, you know, twined, then they,

Eric Jeffrey:

they learn to run it out a little bit.

Eric Jeffrey:

But they took a lot of major blows before they became competent, and

Eric Jeffrey:

Costa Rica hadn't had that opportunity.

Eric Jeffrey:

This is the first time they got sacked as far as we know.

Eric Jeffrey:

But you talk about companies failing and business failing.

Eric Jeffrey:

Let's talk about a multi-billion dollar global company.

Eric Jeffrey:

I think, believe it was Maersk, they almost went down.

Eric Jeffrey:

They had a server that happened to be offline in Africa, and one guy

Eric Jeffrey:

was able to get that backup and they could get it up to England.

Eric Jeffrey:

I think it's in the Netherlands.

Eric Jeffrey:

I'm sorry.

Eric Jeffrey:

It's, uh, Copenhagen.

Eric Jeffrey:

It's a, it's a, a Danish company.

Eric Jeffrey:

Um.

Eric Jeffrey:

They had to get it from Africa.

Eric Jeffrey:

And the funny thing is, they could, they had export control, so somebody had to go

Eric Jeffrey:

and drive it from one African country to another so they could put it on a plane.

Eric Jeffrey:

And this person is flying with the entire backup for the domain.

Eric Jeffrey:

The only domain controller that was up when Maersk got hit, I

Eric Jeffrey:

believe it was with NotPetya.

Eric Jeffrey:

Um, so there are, you know, saved by the skin of their teeth, if you

Eric Jeffrey:

will, but, Ukraine, they're just kind of like, some people believe that

Eric Jeffrey:

they're the testing bed for Russia, and when Russia is attacking, uh, the

Eric Jeffrey:

infrastructure, they're doing that as a test run for hitting the west.

Eric Jeffrey:

And maybe we'll see more of that in the coming year or two, depending on what

Eric Jeffrey:

goes on between Russia and Ukraine.

Eric Jeffrey:

That is a whole nother ballgame, you know, after talking about LA Unified

Eric Jeffrey:

School District and half a million kids having their data leaked versus

Eric Jeffrey:

Russia taking down the power grid in the eastern United States, which

Eric Jeffrey:

they've been testing in Ukraine since 13 or 14, is what the belief is.

Eric Jeffrey:

Um, But I, I mean, I, I still stand by looking at normal cybersecurity

Eric Jeffrey:

and normal, uh, vertical markets.

Eric Jeffrey:

FinServ, healthcare, SLED, which is state and local education.

Eric Jeffrey:

Uh, these organizations do not have the desire or the need.

Eric Jeffrey:

To put the resources where they have to, they do enough to check a box and move on.

Eric Jeffrey:

So if they get hit and then they're audited, well, we did A, B, C, and D.

Eric Jeffrey:

Okay, fine.

Eric Jeffrey:

You, you meet all the regulations and the government's not coming after you.

Eric Jeffrey:

What about the other people that were affected by it though?

Eric Jeffrey:

And Prasanna and I were talking a little bit ago, Curtis, about, I talked

Eric Jeffrey:

about the aftermath of LAUSD, but what about the week or the three days

Eric Jeffrey:

that the kids couldn't go to school?

Eric Jeffrey:

What kinda impact did that have on those students, on those parents, on the economy

Eric Jeffrey:

of LA Because gig workers couldn't drive cuz they're at home with their kids.

Eric Jeffrey:

There's so many other ancillary components to a hack that we never hear about.

Eric Jeffrey:

It's kind of like a headline.

Eric Jeffrey:

You know, if, uh, if a Hollywood star's getting divorced, you hear

Eric Jeffrey:

about it for two or three days, but then you don't know anything about it.

Eric Jeffrey:

Well, if there's a hack, you hear about it for two or three days

Eric Jeffrey:

and then you don't hear about it.

Eric Jeffrey:

That's where, you know, Ben Buchanan's book and other books are very

Eric Jeffrey:

helpful, but, Unless you're really into this, you don't hear about it.

W. Curtis Preston:

Yeah, I, I know, um, that there's, there's a, there's a,

W. Curtis Preston:

there's a, the one attitude and cuz cuz I wanna talk a little bit about, um,

W. Curtis Preston:

sort of, but I'm not gonna say anything.

W. Curtis Preston:

I wanna talk a little bit about what you could do, but I'm not

W. Curtis Preston:

gonna say anything new, right?

W. Curtis Preston:

Because, um, what we know from all of the attacks that happened is that,

W. Curtis Preston:

Roughly 90% of them, as I'm hearing, 90% of them could have been stopped by

W. Curtis Preston:

a handful of basic security practices.

W. Curtis Preston:

Right.

W. Curtis Preston:

Um, things like patch management, things like MFA, things like least

W. Curtis Preston:

privilege and separation of powers.

W. Curtis Preston:

Um, you know, what else would you add to that list, Eric?

Eric Jeffrey:

Uh, educating your staff.

Eric Jeffrey:

I mean, number one, don't click on the link.

Eric Jeffrey:

Uh, you know, think before you click as they say.

Eric Jeffrey:

I think that you're spot on, and it's something that I've said, I've published

Eric Jeffrey:

on this that we are where we have been.

Eric Jeffrey:

Uh, For 30 years, we have the same problems.

Eric Jeffrey:

And Kevin Mitnick will talk about this.

Eric Jeffrey:

He's the chief hacking officer of KnowBe4, the same things that he was

Eric Jeffrey:

doing 30 years ago you could still do today, such as social engineering and

Eric Jeffrey:

tricking your way into environment.

Eric Jeffrey:

Tailgating is holding the door for somebody.

Eric Jeffrey:

You know, we don't do enough about educating people and we

Eric Jeffrey:

don't hold people accountable.

Eric Jeffrey:

You gotta fire 'em.

Eric Jeffrey:

When school districts are hacked and the, the, the, uh, the, the head of

Eric Jeffrey:

the school board didn't do anything.

Eric Jeffrey:

It doesn't know anything.

Eric Jeffrey:

Gone, man.

Eric Jeffrey:

If you're not cyber aware, gone.

Eric Jeffrey:

What we don't see enough of this.

Eric Jeffrey:

So you are a hundred percent correct.

Eric Jeffrey:

Basics of multifactor authentication, you gotta do it.

Eric Jeffrey:

Everybody listening to this, all of your bank accounts should be MFA.

Eric Jeffrey:

And when I say MFA, I don't mean getting a text cuz that's easy to get around.

Eric Jeffrey:

You want to use Google Authenticator or VIP by Symantec, something like that.

Eric Jeffrey:

Basic things.

Eric Jeffrey:

Um, you know, your password should be a passphrase.

Eric Jeffrey:

You should change it regularly.

Eric Jeffrey:

All in your bank accounts.

Eric Jeffrey:

Do not use the same ones.

Eric Jeffrey:

These are just basic things we've talked about for decades and you know, we,

W. Curtis Preston:

the damn link.

Eric Jeffrey:

yeah, but we keep doing the same thing.

Eric Jeffrey:

I mean, people think you need to be a rocket scientist not to get hacked.

Eric Jeffrey:

No.

Eric Jeffrey:

You just need to be aware.

Eric Jeffrey:

You need to pay attention

Prasanna Malaiyandi:

do you think it's sort of gotten to the point where it's

Prasanna Malaiyandi:

sort of overload and people have gotten sort of desensitized to a certain extent?

Eric Jeffrey:

Possibly.

Eric Jeffrey:

Possibly.

Eric Jeffrey:

And I think that people are afraid to be rude.

Eric Jeffrey:

And I, I, I see guys that they're getting a possible hack coming in

Eric Jeffrey:

on your phone or possible spam.

Eric Jeffrey:

Hi, how are you?

Eric Jeffrey:

I'm to Todd.

Eric Jeffrey:

Why are you answering the phone?

Eric Jeffrey:

Todd, why?

Eric Jeffrey:

Don't wanna be rude.

Eric Jeffrey:

He's interrupting you, man.

Eric Jeffrey:

Don't swipe left.

Eric Jeffrey:

Swipe left.

Eric Jeffrey:

Don't pick up the phone.

Eric Jeffrey:

if you, and if you swipe right.

Eric Jeffrey:

Hi, who are you?

Eric Jeffrey:

Hi.

Eric Jeffrey:

I'm calling about some auto insurance that we want to get you.

Eric Jeffrey:

Just hang the phone up.

Eric Jeffrey:

Don't say goodbye.

Eric Jeffrey:

Don't say I'm that interested.

Eric Jeffrey:

Bing hang up.

Eric Jeffrey:

They're interrupting you.

Eric Jeffrey:

Just hang up the phone.

W. Curtis Preston:

I whoop,

Eric Jeffrey:

Just do that when they call.

W. Curtis Preston:

You hung up the phone.

W. Curtis Preston:

Yeah.

W. Curtis Preston:

I, I think, I do think that there is a certain amount, there is a,

W. Curtis Preston:

Again, you know, the 3%, but there's, there's another percent that basically

W. Curtis Preston:

they have the belief of like, well, everybody knows that, you know, the

W. Curtis Preston:

only unhackable computer is one that's completely disconnected from everything.

W. Curtis Preston:

So why, why even, why even Try.

W. Curtis Preston:

But I, I don't know.

W. Curtis Preston:

It is just basic, you know, for companies, if you, for a co, if, you know, we could

W. Curtis Preston:

argue on, you know, with, with a person.

W. Curtis Preston:

I, I can't.

W. Curtis Preston:

If there's a person, an individual, That doesn't value their personal information,

W. Curtis Preston:

whatever enough to take care of the stuff.

W. Curtis Preston:

That's not my concern.

W. Curtis Preston:

Right.

W. Curtis Preston:

Just like I, I like, it's like when, when I'm talking to somebody who says RAID is

W. Curtis Preston:

backup, and they don't need backup because they have raid or because they're in the

W. Curtis Preston:

cloud and I just, I just, I just move on.

W. Curtis Preston:

I don't need waste any time.

W. Curtis Preston:

But we're talking about companies and governmental organizations that have.

W. Curtis Preston:

People's, you know, livelihoods and people's lives in their hand.

W. Curtis Preston:

Um, if the, I agree with you, Eric, that if, if they don't want to do

W. Curtis Preston:

their job, um, you know, to, uh, to quote, uh, Taylor Swift, uh, thank you.

W. Curtis Preston:

Next, um, right.

Eric Jeffrey:

Well, your point about people saying, It's not that important

Eric Jeffrey:

or somebody else will protect me.

Eric Jeffrey:

Do you wear a seatbelt?

Eric Jeffrey:

I mean, not clicking on a link is the same thing as wearing a

Eric Jeffrey:

seatbelt, as far as I'm concerned.

Eric Jeffrey:

An individual, you know, I, I don't want my father who's 80 clicking on the link,

Eric Jeffrey:

so I, I help him and I teach him and my stepmom and my, you know, my kids have

Eric Jeffrey:

been raised and the next generation are coming up and much more security minded.

Eric Jeffrey:

But we need people to know that if you click on it, then you could

Eric Jeffrey:

put a key logger on your machine.

Eric Jeffrey:

And if you don't care about that, well, when you start typing in

Eric Jeffrey:

your banking password and somebody key logs and has that, your bank

Eric Jeffrey:

account will be empty tomorrow.

Eric Jeffrey:

Now yeah.

Eric Jeffrey:

That may only affect you and your heirs.

Eric Jeffrey:

If you're my father, that affects me.

Eric Jeffrey:

Uh, you know, so I, I'm, I'm protecting him, uh, and, and protecting me and

Eric Jeffrey:

my kids in that, but, I think a lot of times, and, and this is very important,

Eric Jeffrey:

I think a lot of times people at work think, oh, you know what, if I click

Eric Jeffrey:

on the link, there's another security safeguard down the road that will fix

Eric Jeffrey:

it, that I may screw up, but I'm not the only, you know, ah, I installed it.

Eric Jeffrey:

Some no people.

Eric Jeffrey:

There is not something else downriver.

Eric Jeffrey:

Okay?

Eric Jeffrey:

I'm here to tell you, in most cases, if you click that link,

Eric Jeffrey:

there is nothing else to save your

Prasanna Malaiyandi:

Was thinking about the 3CX supply chain

Prasanna Malaiyandi:

hack that happened last week.

Prasanna Malaiyandi:

Right.

Prasanna Malaiyandi:

And someone had installed some software that they had found online that had

Prasanna Malaiyandi:

been discontinued since like 2021.

Prasanna Malaiyandi:

And that package had been infected.

Prasanna Malaiyandi:

Right.

Prasanna Malaiyandi:

And that then led to.

Prasanna Malaiyandi:

That now being able to get into 3CX and attack their systems

Prasanna Malaiyandi:

and all sorts of other chaos.

Prasanna Malaiyandi:

But it's those sort of things.

Prasanna Malaiyandi:

It's like someone downloaded a piece of software that they shouldn't

Prasanna Malaiyandi:

have or that they probably didn't need, didn't realize those obsolete.

Prasanna Malaiyandi:

Right.

Prasanna Malaiyandi:

And led to all of these issues for 3CX or I think I was reading about a

Prasanna Malaiyandi:

security researcher who was looking for a.

Prasanna Malaiyandi:

OBS, right?

Prasanna Malaiyandi:

The software for, uh, video, uh, presentations and all the rest, right?

Prasanna Malaiyandi:

And they Google searched, saw click, the first link turned

Prasanna Malaiyandi:

out to be malware, right?

Prasanna Malaiyandi:

And they're like, this is what Google's SEO returned to me

Prasanna Malaiyandi:

and it now infected my system.

Prasanna Malaiyandi:

Right?

Prasanna Malaiyandi:

And even experts get tricked by this, right?

Prasanna Malaiyandi:

And so everyone just has to be really, really careful.

Eric Jeffrey:

I have been conned and I have a paper that I wrote

Eric Jeffrey:

out years ago about a mule scam.

Eric Jeffrey:

When I was unemployed, I got tricked and I do this for a living.

Eric Jeffrey:

A year and a half or so ago, I also started, they started

Eric Jeffrey:

to scam me about a timeshare I own, and I knew it from get-go.

Eric Jeffrey:

So I actually played it all the way through and I did a podcast on it

Eric Jeffrey:

to show people how it really works from the first phone call until

Eric Jeffrey:

me telling them to go to hell.

Eric Jeffrey:

Um, but I mean, I do this for a living and I can get tricked, so I, I get it.

Eric Jeffrey:

I made the comment before, people don't want to be rude.

Eric Jeffrey:

Be rude.

Eric Jeffrey:

Delete the email, hang up the phone.

Eric Jeffrey:

Don't talk to, no, you're not getting a text because your

Eric Jeffrey:

Amazon account is locked.

Eric Jeffrey:

Don't click on that link in your text.

Eric Jeffrey:

It is everywhere.

Eric Jeffrey:

And are you gonna possibly delete an important email?

Eric Jeffrey:

Yeah.

Eric Jeffrey:

Have I deleted an email that my boss sent me that I thought was a phishing attack?

Eric Jeffrey:

Yeah.

Eric Jeffrey:

And you know what?

Eric Jeffrey:

He'll resend it.

Eric Jeffrey:

If it's that important, he'll call me on the phone or send me a teams message,

Eric Jeffrey:

but delete the email, hang up the phone.

Eric Jeffrey:

If you even answer it, they're, these people are con artists.

Eric Jeffrey:

And now with AI and with deep fakes, it's just gonna get worse and worse.

Eric Jeffrey:

We need to be skeptical of everything, question everything, and you know, get.

W. Curtis Preston:

Go ahead.

Eric Jeffrey:

I say get second and third opinions on something.

Eric Jeffrey:

My wife is fantastic in protecting me from myself.

Eric Jeffrey:

I've done some stupid things on Craigslist.

Eric Jeffrey:

She goes, no, Eric, they're not gonna give you more money

Eric Jeffrey:

for that couch than it's worth.

Eric Jeffrey:

And send their cousin to pick it up just to get a little

Eric Jeffrey:

bit of money on the back end.

Eric Jeffrey:

Oh, you know what?

Eric Jeffrey:

You're right, honey.

Eric Jeffrey:

I'm sorry.

Eric Jeffrey:

So ha, run it by your family and your friends if you're not sure.

Eric Jeffrey:

But be cautious.

Eric Jeffrey:

Be skeptical.

W. Curtis Preston:

and I, and I would add to this, um, have an a, have a, uh, an

W. Curtis Preston:

environment that, uh, you know, when, when we're talking about organizations, right?

W. Curtis Preston:

Have an environment where it is encouraged.

W. Curtis Preston:

To report when you think you might have made a mistake.

W. Curtis Preston:

Right, right.

W. Curtis Preston:

When you think, when you think you've clicked on an email, so this happened to

W. Curtis Preston:

me a couple of weeks ago where I thought,

Prasanna Malaiyandi:

No.

W. Curtis Preston:

I what, what was funny was um, was after mentioning on

W. Curtis Preston:

a podcast, I don't know how anybody falls for MFA exhaustion, right?

W. Curtis Preston:

Like, send me 37 MFA requests, and eventually I say yes just to make it stop.

W. Curtis Preston:

And I'm like, how does that work?

W. Curtis Preston:

Because that just seems wrong.

W. Curtis Preston:

And then the very next day, I thought I had done it.

W. Curtis Preston:

Not that MFA exhaustion, but I thought that I had just

W. Curtis Preston:

absentmindedly said yes when I didn't remember actually going to Okta.

W. Curtis Preston:

Um, you know, to, to, to generate that request.

W. Curtis Preston:

And, um, and I immediately reported it, uh, because I, because we have that,

W. Curtis Preston:

uh, that culture, I immediately reported it and I immediately got a response.

W. Curtis Preston:

No.

W. Curtis Preston:

Dude, that was you.

W. Curtis Preston:

Uh, you know, we've, you just, what it.

W. Curtis Preston:

was was there was just a tab in my browser that I had accidentally

W. Curtis Preston:

refreshed, and it was Okta and it had, it had logged me again.

W. Curtis Preston:

But you need that.

W. Curtis Preston:

That's the other thing that you can do for your employees is.

W. Curtis Preston:

If they do something stupid, um, have a culture that allows them to

W. Curtis Preston:

notify that and you reward them for that rather than yelling at them

W. Curtis Preston:

for clicking on the wrong link.

W. Curtis Preston:

Um,

Eric Jeffrey:

Yeah.

Eric Jeffrey:

And.

Eric Jeffrey:

Uh, the, the problem is there's not, even if there's no punishment, the feeling

Eric Jeffrey:

of being, feeling stupid, and I, I think that people, it is one of the reasons

Eric Jeffrey:

why internal phishing attacks cause a lot of problems because of that 3%.

Eric Jeffrey:

But really it's more like 10% that click on it.

Eric Jeffrey:

Employees think that their employer is trying to trick them, and we,

Eric Jeffrey:

as the employees need to learn.

Eric Jeffrey:

They're not trying to trick me.

Eric Jeffrey:

They're trying to train me.

Eric Jeffrey:

It's not a gotcha game.

Eric Jeffrey:

And until organizations help people realize it's not a gotcha

Eric Jeffrey:

game, it's a training game.

Eric Jeffrey:

And just like you have to take training in healthcare on HIPAA, I've

Eric Jeffrey:

worked in the hos-, in healthcare IT.

Eric Jeffrey:

I didn't work in a hospital and year after year I have to take HIPAA training.

Eric Jeffrey:

If you work in the financial services industry, you have

Eric Jeffrey:

to take certain trainings.

Eric Jeffrey:

I think everybody should take cyber training and everybody should be getting

Eric Jeffrey:

a phishing attack email once a quarter.

Eric Jeffrey:

Regularly clockwork.

Eric Jeffrey:

Let's muscle memory people, let's train you and don't punish them per se.

Eric Jeffrey:

I mean, if you're gonna click on it five times, five quarters in a

Eric Jeffrey:

row every single time, maybe you need to, you know, get the boot.

Eric Jeffrey:

Um, but you know, that's a small minority.

Eric Jeffrey:

Um, but I, I think that there needs to be training, there needs to be

Eric Jeffrey:

ongoing, uh, support for cyber.

Eric Jeffrey:

And at the top, top down, and this is something else I've spoken about,

Eric Jeffrey:

presented about, written about: cybersecurity starts at the

Eric Jeffrey:

top, at the board of directors and the CEO, and it flows down.

Eric Jeffrey:

And if they're not aware and they don't care, the organization's not going

Eric Jeffrey:

to, the budget's not gonna be there.

Eric Jeffrey:

This is not something that you can fix, like it was in the old days, oh,

Eric Jeffrey:

put up a firewall and you'll be fine.

Eric Jeffrey:

No, it is so much more sophisticated now.

Eric Jeffrey:

It is all about psychology.

Eric Jeffrey:

I'm of the mind that maybe we need to start teaching psychology classes to

Eric Jeffrey:

go and work with a computer because our enemies are, most enemies are

Eric Jeffrey:

doing social engineering and they go after you and you're desperate,

Eric Jeffrey:

and they go after you with urgency.

Eric Jeffrey:

Do it now.

Eric Jeffrey:

Do it now.

Eric Jeffrey:

And, uh, I mean, it's, it's a problem.

Eric Jeffrey:

And I agree with you, Curtis, that we need to not punish.

Eric Jeffrey:

We need to educate and we need to not humiliate, and people

Eric Jeffrey:

need to also have a thicker skin.

Eric Jeffrey:

If you screw up, you admit it and you do better.

Eric Jeffrey:

You don't just sit there and say, you're attacking me 'cause

Eric Jeffrey:

I keep clicking the link.

Eric Jeffrey:

It it, it's not about you, it's about the organization.

Eric Jeffrey:

It's about your customers and it's about your business partners and

Eric Jeffrey:

people need to understand that one mistake could end the world.

Eric Jeffrey:

Go watch WarGames, people.

Eric Jeffrey:

1983, I believe Matthew Broderick.

Eric Jeffrey:

One mistake, tic-tac-toe.

W. Curtis Preston:

I'd piss on a spark plug if I thought it'd do any good.

Eric Jeffrey:

Yeah.

W. Curtis Preston:

favorite, that's my favorite line from that movie.

W. Curtis Preston:

Um, alright.

W. Curtis Preston:

Well, Eric has been great.

W. Curtis Preston:

Um, I, I love talking about this stuff.

W. Curtis Preston:

I love how, uh, clearly how animated you are about this topic.

W. Curtis Preston:

Uh, we're, we're, we're people of like mind.

W. Curtis Preston:

I, I like that.

W. Curtis Preston:

So thanks for coming on.

Eric Jeffrey:

Thank you.

Eric Jeffrey:

I appreciate it.

Eric Jeffrey:

Thank you very much.

W. Curtis Preston:

And Prasanna, uh, you know, uh, as always, you know, great

Prasanna Malaiyandi:

I try.

Prasanna Malaiyandi:

I try.

Prasanna Malaiyandi:

It was nice to meet you Eric.

Prasanna Malaiyandi:

Thanks for being on the podcast.

Eric Jeffrey:

as well, Prashant.

Eric Jeffrey:

Hopefully you'll see you again.

W. Curtis Preston:

and, uh, thanks again to our listeners.

W. Curtis Preston:

Uh, be sure to subscribe so that, uh, you can restore it all.