“LACK OF EDUCATION ABOUT IT SECURITY HARMS US THE MOST”
Two of the sharpest minds in the IT security industry in the USA are Bob Flores and Bob Gourley.
Both are speaking at the 11th Nordic IT Security conference, which will take place on the 15th of November in Stockholm.
- “I think the thing that harms us the most is just a lack of education about basic security awareness when it comes to using technology,” says Bob Flores, a 31-year CIA veteran.
“There is a lot of software, and other solutions, out and about today to help deal with IT security issues. But as the old saying goes, prevention is better than cure.”
Bob Flores is a former CTO of the CIA and now the CEO of Applicology Incorporated in Washington, DC. Bob Gourley is another IT security veteran, the CTO at Crucial Point LLC and publisher of the CTOvision.com blog, also in the Washington area. Flores and Gourley are also co-founders and directors of Cognitio Corporation in Washington.
Bob and Bob work mostly on helping companies, corporations and enterprises get their IT security act together.
- IoT is a big problem, because very little security is put in. And some of that is due to people wanting to “hit the market” quickly. They want to get their products out as fast as they can, so they have got to cut corners, and security is the first one in many cases, Mr Flores explains.
- And often the reason behind this is the lack of education among the people actually building these things. So, I think education is a bigger issue, all the way around.
Gourley agrees – and disagrees – with Flores.
- I absolutely agree with Bob regarding the big IoT problem and the dynamics there. These are very serious topics, but there are many other threats too, which means education and awareness among a broad range of people is needed.
The education aspect is only one of many, though, according to Mr Gourley.
- Since the financial threat of cyber attacks to individuals is still out there, and is still great, attacks will keep coming via multiple paths. Regarding financial attacks, it is interesting that if your credit card is stolen, your loss is limited and the bank will just give you a new credit card. So it’s not that big of a headache. If your bank account is attacked, in most cases the bank is going to cover the problem, since it’s their vulnerability. So you are protected in a lot of ways.
- If someone steals your personal information from your home computer, and commits fraud against you, that can really be disruptive, and causes a significant headache for you. And perhaps loss of money too. For example, if you are a business, and you fall for one of these business email compromises. Let’s say someone in your company, maybe the CEO, wires hundreds of thousands of dollars to a criminal organization, that hurts. That money is just gone. So, all in all, the financial threats are very serious. And the threats to critical infrastructure are also very serious.
Q: What about critical infrastructure? Can this be the new method of warfare used by the world’s superpowers?
- I don’t see countries like China or Russia going to war via cyber, unless they are really serious about getting put on an escalation ladder, where it could lead to a global war. I think we need to raise our defenses in our critical infrastructure, and we need to raise our defenses on the Internet of Things, of course. But we really need to protect people’s financial information, personal information where breaches are going on all the time, says Bob Gourley.
When it comes to financial fraud, Bob Flores is a firm believer in the “Follow the money” principle.
- In almost all cases dealing with hacking or fraud, if you can identify the source of the money, that will tell you who is behind the whole thing. With that said, it’s not that easy to do sometimes.
Bob Gourley agrees with Flores this time.
- Yes, I think that still remains true even in the changing world of technology around us. For example, one of the big changes in attacks over the last year or so is that sometimes malicious software gets on your computer not to steal your information but to do crypto-mining. Yet, still, in that case it is about the money. Follow the money: who wanted to do the crypto-mining? And then you can figure out why they are doing it. And perhaps that can help you navigate it.
Q: A very grave cybersecurity threat, facing the world at large, is the lack of protection for critical infrastructure and the Internet of Things. How then, to go about tackling all these things?
- I think that Bob Flores made a very good point about awareness. As you guys know, cyberspace is a human-created domain, and it’s hard to understand how it works, because it is all just invisible to the average user, and we need to raise awareness of what is really going on in there, and what people can do to defend their systems, says Bob Gourley.
According to Gourley, this is not rocket science.
- The defensive steps a lot of us know. We just need to share them, and get people paying attention by using the right anti-malware system, for example, to keep the malicious code off the device. Being up-to-date and protecting yourself and your network router and firewall is also extremely important. And using good password management techniques and Two Factor Authentication. All these are widely known principles that are so very important. We need more people doing those.
Bob Flores points out that even small businesses need to sharpen up.
- They need to insist on some of these practices. For example, some banks require that you use Two Factor Authentication to get access to your account information. That’s a great thing, because it teaches people, like my own mother, that these kinds of things are very important. They get to have a choice of either using Two Factor Authentication or just not accessing their stuff online. So, over time, people who understand these things will eventually teach their kids as they come along. And we will get out of some of this trouble that we are in.
Q: Getting back to your comments about education. Are there many large organizations and enterprises today that don’t take seriously enough that they need to educate not only the board and management, but also the so-called regular employees, about the cyber security threats?
- Yes, so when we do risk assessments for companies, one of the things that we often find is that there is a lack of education among the workforce and that is just an accident waiting to happen, says Bob Flores.
This is easy to discover, explains Mr Flores.
- As we talk to the CEO, we also talk to all the people responsible in the IT department. But we also just randomly walk up to people in the organization and start up a conversation with them about security practices and how often they are being updated on phishing and those sorts of things. It’s rare to find a company that has a program in place where the employees are told anything about cyber security, except when they are first hired.
There are certainly some exceptions to that, though.
- What these organizations need to understand is that every single employee, no matter what your job is, has a role to play in security. And the quicker we can get the workforce to understand this, the better off we are all going to be. Obviously, if you are the CISO of an organization, the role that you play in security is much higher than if you are working in a mailroom. But even the person in the mailroom or the person driving the truck, they all have a role to play as well, and they need to understand those roles.
Q: So, it’s like every other aspect of security – you are not stronger than your weakest link actually.
- Absolutely, says Bob Gourley.
- And you know, you raised another point when you say that, and that is that it takes a team. Having every employee educated on what their role is in that team is extremely important, and that could be providing them information when they see something unusual, or making sure they are protected at home also. But it takes a broader team too. No company today can do this on their own, so we encourage companies to reach out to peers in their industry, maybe to an information sharing organization or the CERT for their community, and to work with the right vendors in their community ahead of time to be ready to respond to a breach. So that mentality of the team preparing for a breach and building a broad support base is a key part of your strategy for defense and for response after a breach.
Q: Having said that, you are of course coming as guests to the Nordic IT Security Conference this year on November 15th, but if you go a year back, has anything taken place in the last 12 months that you could call a game changer within corporate security? Is there anything out there that we could talk about now but could not talk about last year?
What’s the trendy thing to talk about right now?
- I think one of the things is, and it’s not like this has suddenly happened within the last year, but there has been a realization amongst many folks that perhaps the way we are running our networks, and having applications on those networks, needs to be changed. And this has brought on what some say is a new technology. It’s called Software Defined Perimeter, or SDP. Mr. Gourley, from his days at the Defense Intelligence Agency, will tell you that it’s actually an old technology that has recently been put forth by the cloud alliance, which is an international organization. We think this, in fact, does change the game.
It doesn’t protect you 100 percent, nothing does except disconnecting. But it is a very different way of looking at how you use your network and applications and, most importantly, how the users interact with those applications. And I think, as this develops, we are going to see a lot better protection in a lot of places. For example, the Coca-Cola Corporation has been a leader in this, and a couple of other organizations are using this in a big way. We have a chain in the US that does office supplies, called Staples, and they are using this on their networks. In the case of Coca-Cola, they have all those other bottling companies, which they do not own, that need access to certain information within Coca-Cola’s network. They have no idea who these people are on the other end of the computer, if you will.
So, they have to go through great pain to protect their recipes and things like that, and Software Defined Perimeter is a great answer to that. So, in the last, let’s say, two or three years, this is the biggest game changer I have seen coming along, says Flores.
Bob Gourley adds:
- Cloud computing is becoming more secure. If you can configure your cloud capabilities correctly and use things like the Software Defined Perimeter and the right software and the right monitoring, cloud computing is actually the way to reduce your risks, because you can have cloud capabilities delivered from an organization that has thousands of engineers helping to keep that secure. So the Software Defined Perimeter is important for defending things inside your company and behind your firewall, but it is also fantastic for helping transition information into the cloud.
Q: Specifically, you will be coming to our conference to host a roundtable where you are going to discuss the scandal of the last US election. And the Russian influence. Could we just ask you bluntly and directly, do you personally believe that Russia helped Mr Donald Trump to get elected?
- I think, well, there is a lot of evidence out there that points to this. And the US Intelligence Community has come to the conclusion that, yes, that is the case, so that leads me to believe that, yes, it’s likely that it has happened, says Bob Flores.
- Did it help to get Trump elected? Yes, certainly to some degree. But if Putin had not done that, we would still have a President Trump today. I have no doubt: if Russia had taken no part whatsoever, we would still have President Trump. So, they are not the reason that Hillary Clinton lost. Still, I am not excusing them for what they did.
The Russian interference in the elections of democracies and open societies is wrong. And we need to stop this, comments Mr Gourley.
Q: Well, then we have to ask you, as we have an election coming in Sweden in September this year: How common will it be in the future in the western democracies to see, and let’s call them the “evil powers”, trying to disturb or disrupt or change the results of democratic elections?
- Well, I think it’s always going to be a problem, and for some countries it will be more of a problem. You are not going to see some small country trying to attack the election in the United States, but you might see them trying to attack the election in Sweden. Thinking that, well, “Sweden is a smaller country and perhaps isn’t able to defend its security”. “They don’t have the technology to protect their system, so let’s go after them”.
Bob Flores underlines that this is not a problem that should be underestimated.
- I would certainly be worried about it. And you should never let your guard down and say, ah well, you know what, nobody cares about us, so we are just going to have an electronic voting system that doesn’t have any security to it whatsoever.
That would be crazy. Bob Gourley concurs here:
- Yes, I have no doubt that Russia will attempt to disturb and disrupt and yes even hack the elections in Sweden in September. I cannot predict if they will influence the outcome, but odds are very high that their full spectrum cyber and media deception operations will cause some to wonder about how influential they were, and this means at a minimum their actions will weaken, at least a bit, what is a very good democratic institution.