[00:40] Cybersecurity Hot Topics Straight From Cabo, San Lucas

Eric: We're actually here together for the first time in a long time, in Cabo, San Lucas. And there are no cybersecurity issues in Cabo San Lucas. I don’t think there’s any, other than they have a lot of QR codes they want us to scan, which I'm not a fan of.

Rachael: That's a vulnerability pathway, I think, for a lot of things.

Eric: For all the good that a QR code can do, it can show you a menu, it can give you so much information. It can also give you malware and do things to your device. I am not a QR code fan, personally.

Rachael: But it's that or nothing here because they don't give you printed anything anymore. It's the wave of the future.

Eric: What do we have on the agenda for today?

Rachael: We're going to talk about some of the alerts that we're seeing out there. We're going to save some of that. We got RSA coming up. I know there have been some developments, Colonial Pipeline, and a really interesting impact of ransomware on a university in Illinois. Lincoln College is about 157-year-old. It's been through the Great Depression, the 1918 pandemic with the flu.

Eric: The Spanish Flu.

Rachael: They've been through World Wars. 157 years in existence then COVID comes. That was pretty bad. Then last fall, ransomware hit. Now, that impacted all of their recruiting.

Eric: They weren't prepared for ransomware. They didn't have the backups.

 

A Huge Hit

Rachael: It's a small school with about 800 students. It's in rural Illinois. They're like a small and medium business. I don't want to say they were unprepared. Obviously, this ransomware really impacted them because they couldn't do recruiting. They lost a lot of money. And now they have to close the school.

Eric: They paid the ransom, I believe?

Rachael: It was $100,000, yes. You could imagine the loss of the recruiting, the loss of the funding of students, that's a huge hit. 157 years in, COVID plus ransomware, and they no longer exist. That's heartbreaking.
Eric: It's historically a black college or university. There were 101, maybe a hundred now, black colleges and universities left in America. It’s down from about 130 as I remember, back in the 1930s, 1940s.

Rachael: These smaller schools, they're like SMBs. They're just not prepared for a lot of these cybersecurity incidents happening. 
We talked about this a little bit earlier in the week. If you back up, is that your get-out-of-jail-free card? Does it back up and we're done? I know that's a lot of the guidance that's being given.

Eric: I was at a dinner meeting where there was a deep debate. We're here for a work trip, by the way. Rachel and I aren't podcasting from around the world. Well, we are, but not just to fly around and podcast from Cabo, San Lucas.
I was talking to one of our technologists and his wife, who's also in the industry. The debate was back up. If you back everything up, are you protected from ransomware? One of the individuals worked at a non-cybersecurity company who happens to do backup.

 

The Debate on Cybersecurity Hot Topics

Eric: The debate was, if you're backed up, don't worry about that ransomware. Just restore from backup and continue going. I've got a pretty deep technology background, and in storage. I said, "I'm pretty sure it's not that easy." For instance, if you get hit with malware, especially if they linger before they actually activate anything, you might be backing up corrupted data.

Rachael: Which we know they like to do.

Eric: You might be backing up the malware. When you restore it, depending on what type of malware it is, we saw it with Saudi Aramco. It was tens of thousands. I want to say it was 30 to 50,000 endpoints that they scrapped and replaced because somebody brought malware into the business via USB drive.

Rachael: So what you're saying is, there's no silver bullet.

Eric: We know in cyber, there are no silver bullets. What I'm saying is that backup is important. 

You have to have timely backups. You've got to have good backups. You have to have off-site backups. In the business, you've got to have your backups in at least three locations with at least one remote place. You could have a hurricane, a tornado, a fire, a malicious intent, you name it. But you also have to be able to recover. You've got to practice.

Rachael: That's the big piece.

Eric: I think it’s the piece that a lot of businesses and organizations don't have time or money, they just don't pay attention to it. They don't practice recovery. Backups are critically important. We had this big debate. It was a three-and-a-half-hour dinner.

 

[06:27] Ransomware Victims Who Recovered from Backup

Eric: I think we all got exhausted. It was probably about 11:30 or so, as we were in the backup topic and malware and ransomware topic. So we moved on. I got back to the room about 12:30. It was literally a three-and-a-half-hour dinner because of the service. Not bad, just a long dinner, but I went back. I searched to try to find anything on what percentage of ransomware victims recover from backup successfully or unsuccessfully.

Rachael: What'd you find?

Eric: Very little, and I spent about an hour. I don't know that a study's ever been done or how you would do a study, an accurate study. You'd have to find some way of finding the entire population of ransomware victims or at least an accurate sample.

Rachael: Who are willing to be part of it, or admit that they've been victims of that.

Eric: A representative sample to see what they did and how they did it. I don't think a lot of people would be willing to talk about it.

Rachael: That's too bad.

Eric: I don't think a lot of people know. I'm going to keep searching, maybe we'll talk about this on a future show. My hunch is that it's not a high success rate, just having been in the business.

Rachael: It's not that straightforward. One idea I've been thinking about is a new one we haven't talked about yet. People want to talk about and share their experiences in cybersecurity. We all like to help others learn, but also just share, this is crazy what we're living through.

 

Anonymously Share Cybersecurity Hot Topics and Stories

Rachael: One of these ideas I was playing with was, could we give cybersecurity professionals an avenue to anonymously share their stories? Like when you're in the witness protection program, your voice is modulated. You're in the dark, no one can see you. You could share stories without giving away the company, or necessarily the industry, or yourself.

Eric: We could do that on the podcast. We could find a way to connect with people who want to share, obfuscate the details.

Rachael: So anyone interested to reach out, absolutely.

Eric: I think people do share openly to an extent. It's certainly becoming better. Remember the beginning of COVID, everybody was like, "We can't talk about who has COVID HIPAA?" I've run into so many people over the last weeks and months where they’re like, "I've had COVID three times."

Rachael: The first thing they say is, "Don't worry. I've had COVID."

Eric: "I just got over COVID." As prevalence increases, and I think this applies to cybersecurity attacks, I don't want to say you become numb, but you become more tolerant. You’re more willing to discuss. I think there is a component where we have to talk about what we're experiencing.

Rachael: Especially as quickly as it moves. So I'm calling it the Mask CISO series. If anyone wants to come participate, we'd love to share your story

Eric: We don't use video. We don't need the mask.

Rachael: We'll modulate your voice. You'll be completely anonymous and you can share your story because that's a lot to keep with you too. Some of these really significant stories.

 

To Listeners with a Really Good Story

Eric: For any listeners out there who have a really good story and they just can't talk about it publicly or they can, reach out to us. Leave us some feedback, reach us at [email protected] or [email protected]. We will get you on the show if you have a good story. We'll share it with all of our listeners and you don't have to wear a mask because it's a podcast.

Rachael: Totally protected, which I think is a really good entry point. We read that the cyber wire has launched a CISA Cybersecurity Alerts Audio Feed. So it's a public service audio feed for urgent cyber security advisories. You were just telling me there was something like 28 ICS advisories?

Eric: Yes. They characterize it as an unusually large number of industrial control system advisories. I think this will lead into our next topic. There were 28 advisories released on, I believe the 12th of May. It happened to be my birthday. That was the 28 advisories. 25 of them were related to Siemens. I don't know what happened. Somebody had to be focused on Siemens products, nothing bad about Siemens.

Everybody has issues and then Mitsubishi and Delta Electronics. I don't even know some of these products and organizations, but 28 advisories. The first thing that came to mind was, you think that's high? I think that's low. 

Hundreds of thousand, millions of vulnerabilities are out there. Many are disclosed every week. But the real question I had when I saw this was, who's actually looking at this and taking action? How many devices are out there at each organization? Are we updating them? I looked into a couple of the ICS advisories and it points back to patches and things to do.

 

IT Patching

Eric: It seems like a lot of work. We need to find a way to automate the updates and the patching. I mean, an IT patching is a mess. We've been at it for decades trying the systems out there, their programs, applications that just do patching people pay millions of dollars for. I don't know that that translates into the ICS world.

Rachael: I don't know, it does. The flip side is those organizations that are so far behind on patching sometimes avoid the pain of what's going around. They're not on the most current version or even the last 10 versions of something.

Eric: It’s similar to a cold ball application. But that's like saying, "Well, I don't want to ever run out of gas or I don't want to have engine failure. So I'm going to have a horse and a buggy." I'm protected from fuel cost increases and from an engine failing. You still have to feed the horse and you're not going as fast.

Rachael: The horses do live a long time though.

Eric: I think they're probably more expensive than vehicles over the long run. I think we still need to figure out more on the ICS front. Speaking of that, Colonial pipeline, we have some news this week.

Rachael: They're always in the news. They can't escape it.

Eric: What did they pay for ransomware?

Rachael: I think it was around 5 million. But they were able to, I think clawback, almost half of that.

Eric: The government pulled back, from what I researched. I'm assuming it's accurate, 2.3 million, almost half of their money.

Rachael: That's a lot to give back. It's unfortunate they lost the other half though.

 

 

[13:52] A List of Probable Violations

Eric: I don't think a lot of people know this, but pipelines are regulated by the Department of Transportation. So the Department of Transportation, specifically the Department of Transportation's pipeline and hazardous materials, safety administration, there's no cyber in there in any way, shape or form, has issued a list of probable violations and proposed compliance orders for them.

These are the largest pipeline organizations in the country, the United States. They're proposing a fine of $986,400 due to violations, including control room management, failure to follow procedures such as a point to point verification for documenting SCADA displays and failure to comply with field equipment for 87 safety related pressure transmitter alarms in 2019. They did not verify 17, 18 and all of 19. They didn't go through at all. I don't hear about cybersecurity anywhere in there. I'm betting other pipelines probably have similar concerns. They were in the press.

Rachael: They had a lot of heat.

Eric: When people were filling plastic bags with gasoline, remember those days? We’ve talked about it on the show a little bit. We have all these problems, the industrial control systems from everything that was reported were not part of the problem. The billing system, they couldn't bill.

Rachael: That was the problem. It backed everything up.

Eric: Nothing about cybersecurity. Do we not have the regulatory? Is the government saying, "This is how we're going to try to enforce better cybersecurity hygiene." I don't know how to read this.

 

A Million-Dollar Fine

Eric: I don’t know what the intent is here. But a million-dollar fine, just under a million bucks for all of the chaos that was created. Colonial Pipeline, we could say they were targeted. I think they were just tripped over, but it happened.
What if they were targeted and they had all of these challenges? Are pipelines and critical infrastructure organizations going to go out there and say, "I need to do something. I need to be better prepared in a cybersecurity world, or we'll just pay the million-dollar fine." It's a million bucks and we were going to pay five.

Rachael: It's the risk calculus.

Eric: I think it was Conti that attacked Colonial?

Rachael: I believe so. They've changed names so often. It’s been like 10 years.

Eric: But regardless, they were more than happy to pay 5 million. I'm going to assume they're going to be more than happy to get off with $986,400 for those fines.
Rachael: I want to see how they got to that number.

Eric: I don't think it makes an impact.

Rachael: It doesn't, but that's the thing. You're running through like the decision calculus of what's going to cost me more money near term, long term. You know your risk calculus and for a lot of them, it's just easier to say, "You know what? Let's just pay the fine and keep on keeping on because there's still a lot of that thinking. It's not going to happen to me." Then when it does, you get the spotlight shined on you. People start digging into your company, which is not always a good thing. Nobody's perfect.

 

A Catastrophic Event

Eric: It's an interesting one. I don't know where this goes, but I don't think this is the watershed event we've always talked about. There has to be some kind of catastrophic event in the industry to make things change. Clearly this is not a catastrophic event.

Rachael: No. Well, what is that going to take? There've been so many crazy, huge events, and we're still not at the bottom, which can be frightening if you think about it too long.

Eric: We've got some challenges out there. I don't know what's going to fix it, but we do have an event coming up.

Rachael: It’s where this could be discussed and great minds get together.

Eric: I'm sure Colonial Pipeline and the event that they dealt with will be coming up at the first RSA.

Rachael: Yes. In-person.

Eric: Which you're running again. We had you the first time, on the show. You were not a host, even. It was at RSA 2020.

Rachael: Yes. Just prior to COVID, with our former CTO, Nico Fischbach.

Eric: We surprised you. You didn't think you were on the show. What you thought was you were watching the show, and you became the main guest and now here is your show. Like everything in life, you take it over. What do you think, first, the RSA, in two years. It got moved because of Omicron.

Rachael: It was supposed to be in early February. Then they pushed it out to June. So it's like June 6th through 9th.
Eric: By the way, June 6th 1944 was D-Day, the invasion of Normandy Allied Forces going into occupied France. Hopefully there's nothing related there. It's a good show and it doesn't start with a bang.

 

[19:26] Cybersecurity Hot Topics and Predictions

Eric: We're back two years later. It's been moved. I know it's been a ton of pressure and stress on you moving an entire show. You put a ton of time and effort into this.

Rachael: It takes a village. This is a huge event.

Eric: What are your predictions? How many people go versus say, "I'm not going to a super spreader event." I don't even know if we call them or if it's safe. Or I don't feel like going to San Francisco right now, or I'm exhausted or I need to get out of the house. I'm going to RSA.

Rachael: I think it's all of the above. Interestingly, we've been talking to a lot of people and who's going. A lot of people are taking a wait and see approach.

Eric: Even now, we're in mid-May.

Rachael: It's for a number of reasons. The timing is not usually when RSA has their show.

Eric: It’s in the early spring, mid-winter.

Rachael: Is that March-ish timeframe a lot of the time? So now we're running into summer vacations, graduations. On top of that, people are still a little bit wary of going to in-person events.

Eric: My son's out of school this year, for some reason, before RSA kicks off. I think it's the 3rd of June or 2nd.

Rachael: We've got all of these cascading events on RSA this year. I think it's still going to be a great turnout, and I know there's tons of parties to be happening. I'm hearing really good feedback on a lot of people who want to get out.

 

Losing the Travel Mojo

Rachael: Some people haven't been out in a long time. It's like they've lost their travel mojo, but then once you get there, like Cabo. I think some people are like, "I'm not sure about traveling," but then you get here and it's amazing. You get to see all these people you haven't seen.

Eric: We haven't seen in two years who are in the industry.

Rachael: In-person,

Eric: 20,000 people. 30? What do you think?

Rachael: Was it AWS? I think they had about a 30% drop-off for the event in December if I remember correctly. So I think we could apply the same math here. If there's a 30% drop off from their usual.

Eric: What did we do in 2020 when it really wasn't impacted by COVID at the time?

Rachael: There was a drop off though, remember? Companies like IBM decided not to sponsor, they didn't want to go to the show. So you did see a drop-off. I think we could see 2020 numbers here at the 2022 show, which was around 20 K.

Eric: You're expecting about 20,000 people at the show?

Rachael: It's a great show and people are going to be there, what's going on? They haven't seen anything in person they want to get hands-on with whatever's new. There's some really significant things happening in the industry. As you know, security service, edge, sassy, it's a hot topic right now, platforms.

Eric: Well, there's a ton of hot topics. Cybersecurity does nothing but get more important and in front of you, and so I get it.

Rachael: You're going to be there with me.

 

A Catalyst Year for Cybersecurity

Eric: I think we'll do a show from there. If anybody wants to get on the show or watch the show, shoot us an email. We'll do our best to make that happen. We're in the same regions, I think.

Rachael: We are. We're back in the same station

Eric: Right off Moscone Center, right off north.

Rachael: We're close to the W, I know that, then the Moscone Center.

Eric: We'll be there. We'll record a show while we're out there.

Rachael: Anyone who wants to stop by, please do. That would be a lot of fun.

Eric: We'll get some great guests while we're out there. Maybe we'll mix it up a little bit. So you're a big fan of RSA.

Rachael: I am. This year's events are transformative which is wonderful.

Eric: That's the theme? Transform?

Rachael: It's a perfect theme.

Eric: What do they mean by that?

Rachael: Well, industry and transformation. I think this is going to be a really catalyst year for cyber security, coming out of COVID and all of the implications of that, of how we've changed.

Eric: We can work from anywhere.

Rachael: We are a changed society in how we work and live and security has to evolve with that. I think we're going to see some really interesting things come out of RSA this year. That's my prediction.

Eric: It's less than a month away. So we are on the final glide path right now.

Rachael: It's going to be here and we'll be on the shoe floor again. I think with a lot of the other companies that would be joining us. There is a really strong presence from the industry this year there. It's going to be good. I feel confident saying that.

 

Cybersecurity Hot Topics on the MBA Curriculum

Eric: So before I hit the pool, which I spent about seven hours in yesterday, I was pruned. Anything else of interest on the show?

Rachael: We love when we get listener feedback.
We've talked a lot about education and the importance of cyber as part of the MBA curriculum. You want to be a CEO or you want to help lead a company. Understanding cyber security today in business is critical. It's an enabler of business, but it's also the cost of doing business.

I want to thank, I think it's someone in your organization, Brett Buskey who has reached out and let us know that in Clemson, their MBA program includes an MIS course. They know if you're going to be leading a business or part of any financial implications for business, you really need to understand the security that goes with that. We love to hear about schools that are helping drive this forward.

Eric: Clemson University has an MBA program which includes like a single course.

Rachael: Like an MIS course.

Eric: It's part of the required curriculum.

Rachael: Exactly, which is wonderful. It's not an elective, which I think is so smart.

Eric: When I went to Maryland back in the day, they had essentially a diversity course you had to take, and I took women in. I'm trying to think of women in the arts, I believe, where I was first exposed to Frida Kahlo. It was something I would've never done except I had to do it. That really opened my eyes to something that I probably wouldn't have experienced or I would've experienced in a different way.

 

 

[25:56] Cybersecurity Hot Topics and Conversations

 

Eric: Don't get me wrong, I love it. It was interesting to me. I love women musicians and female vocalists are the best for me, but you know, Georgia O'Keeffe but it was really a great course. So I think this will open people's eyes on the cybersecurity conversation and you and I can revisit, should it be infused into the business, my perspective. Or do we need to have specific people, which I think is more your near-term perspective? The BSO and merging the business and the IT and the cyber, I think we both agree. The integration in the business unit isn't happening fast enough.

Rachael: But I think the key conversations are happening with you starting right in your MBA programs. Also, more senior executives are wanting to have conversations with the CISO versus just waiting for a report to hit their desk.

Eric: I think they need to also because members of the board are asking those hard questions.
Rachael: As well they should. We've talked about fiduciary responsibility that's going to hit them, should there be a data breach.

Eric: Or look at Colonial Pipeline. If they had asked some questions, maybe they would've been more prepared. Not to pick on Colonial Pipeline at all. It happens to any of us, or Lincoln college. There are a lot of other colleges that would be just as acceptable today. To wrap up the show, I think backups are critically important. I'm not sure they're enough.

Rachael: It's a starting place. At least it's something. If you're going to do one thing, at least do that.

 

Taking Cybersecurity Off the Table

Eric: As a data storage expert from early in his career, you can take cybersecurity totally off the table. You should still have multiple and offsite backups. At least three independent copies that you test and verify on a routine basis and you know how to restore because somebody could just make a mistake.

Rachael: It's very easy to do. Once again, a huge thank you to all of our listeners for joining us this week. We look forward to catching back up with you next week. In the meantime, as you know, don't forget to smash.

Eric: Smash that subscribe button and go listen. We've got 180-plus episodes since we've been doing this for a long time. Almost four years. Every Tuesday, a new release. So go listen to the old episodes too. There is really some durable content there. Thank you listeners for everything and we'll talk to you soon.

 

About Our Hosts