All posts by Cindy Ng

[Podcast] Our Post WannaCry World

After WannaCry, US lawmakers introduced the Protecting Our Ability to Counter Hacking Act of 2017, or PATCH Act. If the bill gets passed, it would create a Vulnerabilities Equities Process Review Board where they would decide if a vulnerability, known by the government, would be disclosed to a non-government entity. It won’t be an easy law to iron out as they’ll need to find the right balance between vulnerability disclosure and national security.

Meanwhile Shadow Brokers, the hacking group that leaked the SMBv1 exploit that led to WannaCry, announced that they would create a subscription-based business that would give paying members a monthly data dump of zero-days and exploits.

Grounded in our post WannaCry world, the Inside Out Security Show panelists – Mike Thompson and Kilian Englert – mulled over a popular philosophical keynote by Cory Doctorow, The Coming War on General Purpose Computing.

We closed out the show by discussing another potentially deadly attack, Adylkuzz, and whether or not the panelists would prefer an attack like ransomware that notifies them or a cryptocurrency miner that silently consumes their system’s resources without their knowledge.


Subscribe Now

- Leave a review for our podcast & we'll put you in the running for a pack of cards

- Follow the Inside Out Security Show panel on Twitter @infosec_podcast

- Add us to your favorite podcasting app:

[Podcast] Pick Up Music, Pick Up Technology

Last week, when the world experienced the largest ransomware outbreak in history, it also reminded me of our cybersecurity workforce shortage. When events like WannaCry happen, we can never have too many security heroes!

There was an idea floating around that suggested individuals with a music background might have a promising future in security. The thinking is: if you can pick up music, you can also pick up technology.

The Inside Out Security panelists – Mike Thompson, Forrest Template and Mike Buckbee – agree. They extended the sentiment to all artists, adding that creative thinking along with attention to detail can go a long way.

Other articles discussed:

  • Intel Warns of Active Management Technology Vulnerability
  • Besides Netflix’s Orange is the New Black threat, hackers also helped themselves to copies of titles from other companies
  • IoT companies keep building devices with security flaws
  • What nuclear security officers (and infosec pros) can learn from casino managers
  • IBM sends USBs with malware to customers

Tool of the week: Pi-hole


Planet Ransomware

If you were expecting a quiet Friday in terms of cyberattacks, this ain’t it. There are reports of a massive ransomware attack affecting computers on a global scale: in the UK, Spain, Russia, Ukraine, Japan, and Taiwan.

The ransomware variant that’s doing the damage is called WCry, also known as WannaCry or WanaCrypt0r. It has so far claimed some high-profile targets, including NHS hospitals in the UK, and telecom and banking companies in Spain.

Be calm and carry on, of course.

In the blog, we’ve been writing about ransomware over the last two years, and we have great educational resources to help you prevent or reduce the damage of an attack.

Here’s a quick overview of our content.

What is it?

Our ransomware guide: https://blog.varonis.com/the-complete-ransomware-guide/

Learning more

The Troy Hunt course: https://blog.varonis.com/introduction-to-ransomware-course/

How it spreads

Yes, it can have worm-like features: https://blog.varonis.com/next-gen-ransomware-ransomworm-gets-deadlier/

Can I make my own (for research purposes)?

Yes, but only under adult supervision:

https://blog.varonis.com/malware-coding-lessons-for-it-people-part-ii-more-fun-with-fud-ransomware/

https://blog.varonis.com/malware-coding-lessons-people-part-learning-write-custom-fud-fully-undetected-malware/

Reducing the risk

Limiting file access really, really helps: https://blog.varonis.com/the-best-ransomware-defense-dont-have-files/

Legal and Regulatory Implications

For US companies, this is what you need to know: https://blog.varonis.com/ransomware-the-legal-cheat-sheet-for-breach-notification/

Should you pay?

It depends:

https://blog.varonis.com/should-the-website-that-infected-a-pc-with-ransomware-pay/

https://blog.varonis.com/hospital-paid-ransom-didnt-get-all-files-back/

Is a decryption solution available?

Check here: https://www.varonis.com/ransomware-identifier/

The ultimate answer to ransomware

User Behavior Analytics (UBA): https://blog.varonis.com/why-uba-will-catch-the-zero-day-ransomware-attacks-that-endpoint-protection-cant/

And here’s proof: https://www.varonis.com/ransomware-solutions

[Podcast] John P. Carlin: Lessons Learned from the DOJ (Part 1)

Last week, John P. Carlin, former Assistant Attorney General for the U.S. Department of Justice’s (DOJ) National Security Division, spent an afternoon sharing lessons learned from the DOJ.

And because the lessons have been so insightful, we’ll be rebroadcasting his talk as a series of podcasts.

In part one of our series, John weaves in lessons learned from Ardit Ferizi, Hacktivists/Wikileaks, Russia, and the Syrian Electronic Army. He reminds us that the current threat landscape is undeniably complicated, requiring blended defenses, and stresses the significance of collaboration between businesses and law enforcement.

John Carlin currently chairs Morrison & Foerster’s global risk and crisis management team.


Transcript

Cindy Ng: John Carlin, Chair of Morrison and Foerster’s Global Risk and Crisis Management Group says the secret to effective crisis management is that you’ve thought about it before the crisis. We thought we’d put his expertise to good use by having him share with us his experience as Assistant Attorney General for National Security on a wide range of topics. He described the current threat landscape, economic espionage, weaponized information, and what organizations can do to manage their risk. We are re-broadcasting his talk in a series that was held last week by starting with describing what a blended threat looks like, the particular challenges of insider threats, and the significance of the government working collaboratively with the private sector.

John Carlin: The threat when it comes to what’s facing our private companies has reached a level we haven’t seen before. That’s true for two reasons really. Some of what we’re seeing on the threats are things that in the national security community that we’ve been monitoring for years, but we’ve had a change of approach. So in the past, while we were monitoring it, it would stay in classified systems. We would watch what nation states were doing or terrorist groups were doing and we didn’t have any method to make it public. So one trend has been governments are starting to make public what they see in cyberspace. The second is that the actual threat itself has increased both in volume and complexity. That’s been quite noticeable. In the past year alone, and really the past two years, we’ve seen cyber incidents that have gotten people’s attention from every level. That has caused in government a shift in terms of the regulatory attention that’s focused on cyber security breaches.

When I recently left government, there was almost an unholy rush across every regulatory and law enforcement agency as they realized what the scope of the threat was and how their existing regulatory or law enforcement authorities were not covering it. That caused them to do two things. One, to try to come up with creative ways to interpret existing regulatory standards so that they can impose liability in the event of a cyber breach, and second, for those who realize that no matter how creative you got, there just was no way to bring it within existing regulations, more countries around the world are adopting data breach laws than ever before, most notably, Europe coming onboard in 2018, but really it’s a global phenomenon. And as part of the focus on data breach, they’re also having laws that are starting to impose certain standards of care or specific security obligations. I think it’s that combination of increased awareness of the threat plus an increasingly complex and potentially punitive regulatory and law enforcement environment that’s made this a top-of-mind issue for C-suites in poll after poll, not just here in the United States but in countries throughout the world. It’s new and they’re not quite sure what the legal regulatory landscape looks like, and accordingly, it’s the type of thing that keeps them up at night.

For those of you in the information technology space, that could be good news and bad news. It means more scrutiny on what you’re doing but then hopefully, as we explain what it is and what can be done, it will also mean more resources. There’s the old description of traditional cyber threats, and it’s not like any of these have stopped, which would be crooks, nation states, activists, terrorists, everyone who wants to do something bad in the real world moving to cyberspace as we move everything that we value from analog to digital space, and the type of activity that they did ranged from economic espionage type activity to destruction of information, alteration of information, which I think is a trend that we need to watch, this is the idea of the integrity of your data may be at stake. I know, it’s top-of-mind for those of us responsible for protecting against criminal and national security threats in government and fraud.

I’m not going to spend too much on those traditional buckets. I wanted to highlight two new areas of cyber threat that are here, now. One is the, what I’ll call the blended threat and the second is insider threats. Let’s start with the blended threat. Imagine you’re back at your office, you’re in your company, and you spot what looks like a relatively low-level, unsophisticated criminal hack of your system. For many of you, it wouldn’t even warrant, as you handle it yourself, informing anyone in the C-suite. It would never reach that high in the company. Now imagine that as a result of that relatively unsophisticated hack, you’re a trusted brand name retail company, that the bad guy has managed to steal a relatively small amount of personally identifiable information: some names, some addresses. As you know, happens as we speak to hundreds and thousands of companies across the world. So the vast majority of those companies faced with an unsophisticated hack where it looked like the IT folks had a good control over what had occurred, it would stop there, to the extent it gets reported up to the C-suite, looks like a simple criminal act and will go unreported.

The case I’m going through with you now though is a real case and what happened next was several weeks later, this company then received, through email, it was Gmail, so a commercial provider, a notice that said, “Hey, unless you wanna be embarrassed by the release of these names and addresses, you need to pay us $500 through Bitcoin.” As these things go, you know, you can’t really think of a dollar figure much lower than $500, asking for something through Bitcoin on a Gmail threat also does not look particularly sophisticated, you combine that with great confidence that you’ve been able to find them on your system and kick them off your system, again, the vast majority of companies, this does not go down as a high risk event and would not be reported. In the case that I’m discussing, which was a real case, the company did work with law enforcement and what they found out that they never would have been able to find out on their own was that what looked like a criminal act, and don’t get me wrong, it was criminal, these guys wanted the $500, but it also was something else. And what it also was was it turned out that on the other end of that hack, on the other end of that keyboard was an extremist from Kosovo who had moved from Kosovo to Malaysia and located in Malaysia in a conspiracy with a partner who is still in Kosovo, he’d hacked into this U.S.-based trusted retail company, stolen these names and addresses, and in addition to the $500, he had managed, through Twitter, to befriend one of the most notorious cyber terrorists in the world at the time, a man named Junaid Hussain, who’s from the United Kingdom. Junaid Hussain had moved from the United Kingdom to Raqqa, Syria where he was located at the very heart of the Islamic State of the Levant.

In my old job, I was the top national security lawyer at the Justice Department responsible for protecting against terrorists and cyber threat, and on the terror side of the arena, this guy, Junaid Hussain along with his cohort in the Islamic State of the Levant, had mastered a new way of trying to commit terrorist acts. Unlike Al Qaeda where they had trained and vetted operatives, what they were doing was crowdsourcing terror. They were using social media against us and consistent with that approach, what Junaid Hussain did is he befriended this individual who moved to Malaysia named Ferizi, he communicated with him through U.S. provided technology, Twitter, he got a copy of the stolen names and addresses and then he culled those names and addresses into a kill list. He distributed that kill list through Twitter back to the United States and said, totally consistent with their new approach of crowdsourcing terror, “Hey, if you believe in the Islamic State, if you’re following me, kill these people,” by name, by address, where they live.

That’s the face of the new threat in a version of the blended threat. I think for any of you, any company, if you knew when you were dealing with the incident, where you’d seen someone breach your system, that the person who breached your system was looking to kill people with the information that they stole, that would immediately be a C-suite event, your crisis risk plans would go into place, you would certainly be contacting law enforcement. The problem with the blended threat, these guys who are both crooks on the one hand and working on behalf of a terrorist or a nation state is you don’t.

Because they did work together, in this case, Ferizi, the guy responsible in Malaysia, was arrested pursuant to U.S. charges, extradited after cooperation from Malaysia, pled guilty and was sentenced this past July to 20 years in Federal prison. And Junaid Hussain, who was operating in ungoverned space in Raqqa, Syria, was killed in a military strike acknowledged by Central Command. This issue that’s putting your companies on the frontlines of national security threats in a way that simply never happened before, there’s not another area of threat which has the same effect, requires new approaches in terms of security and in the ways that the Federal government interacts with private companies.

Let me go through a little bit of some other examples of this blended threat phenomenon. If you think about what happened with the Wikileaks, you have Wikileaks which acts as a distributor of information but what they do is they end up, it’s not necessarily the hacktivist that steals the information. So you see the breach into your system, you’re not quite sure how it’s gonna be used. Is it gonna be used by someone who wants to make money? Is it gonna be used by someone who has very specific intelligence purposes? It used to be the case, certainly the assumption for those of us in government working with the private sector that if you had information stolen by a nation state, unless you had some economic espionage type issue, you really didn’t need to worry about the nation-state using it against you and that’s clearly no longer the case. What you see here with something like Russia and the DNC is information that is taken in one sphere then gets leveraged and used to be put out through another. So a nation state steals it and then they have this shield of Wikileaks for the distribution of the information.

You also have with Russia, we tried in terms of the blended threat, you have what look like nation state actors and let’s use the most recent Justice case against the Russian actors who attacked Yahoo. What you had there were crooks, I mean, straight up crooks who were Russian who were out to make a profit, and there was an attempt at law enforcement to law enforcement cooperation and U.S. law enforcement authorities passed information to the Russians to try to hold those crooks responsible. What you get instead of cooperation, this is all laid out in the complaint, is that the Russians then signed up the crooks as intelligence assets and used them to continue to steal information and to take some of the information they’d stolen so that the guy was both making a profit on one hand but also was providing it for state purposes.

That version of the blended threat has a slight variation on it where his day job is Russian State Security Service Hacker or Chinese State Security Service hacker but there’s a lot of corruption in both countries. You wanna make a buck on the side, same actor, same system, daytime working on behalf of the state, night time, looking to line their pockets with profits, what you’re trying to figure out on the back end of that attack, “Hey, what type of risk am I dealing with?” It can be incredibly complicated to figure out. Am I in a national security situation or a criminal situation? And that’s combined then with the deliberate blending. As we’ve moved toward doing attribution, you’ll see state actors, whether Russian, Chinese or others, they will not use the same sophisticated tools that they used to use in the past to breach your system that were identifiable. So you can tell by the tactics, the TTP, the tactics, the techniques, the procedures that you were dealing with a state actor from Russia or China or another sophisticated state actor. Now they’re using the same easily available tools that low-level crooks are using in the first instance looking to see if they can get in through human error or weaknesses in the defenses and that makes it much harder to do the attribution.

Final version of the blended threat would be Syrian Electronic Army. Now many of you may be familiar with this group. This was the group who, and, you know, it’s in vogue now, everyone’s talking about fake news. Well, they’re the original fake news case that we did. When we prosecuted the Syrian Electronic Army, what they had done was they spoofed a terrorist attack on the White House by defacing the White House, public facing site. That was very successful and caused the loss of billions of dollars in the stock market until people realized that it was a hoax. That same group though was regularly committing ransomware type offenses, they just weren’t calling themselves the Syrian Electronic Army. And so for many of your companies, you would have a policy in place that would again spot it at a high area of risk and say, “We’re not gonna make a payment if we knew we were paying off the Syrian Electronic Army,” or in the case of Ferizi, if we knew we were paying off a terrorist, but the problem is you don’t know. And as it was laid out in that complaint when we arrested one of those individuals in Germany, I don’t think even their, the people operating them, running them from the Syrian Electronic Army knew that they were using the same tools on the side to make a buck.

So what lessons can you learn or how can we help protect our systems recognizing this change in threat? Well, one is as the criminal groups, as the sophisticated type of programs and vulnerabilities that you can sell on the dark web become more and more blended with nation states and terrorist groups taking advantage of them, we need to ask ourselves, “Are our defenses as blended as the threat?” And inside the company, that means making sure that we crosscut those who are responsible for preventing and minimizing the risk from a threat where it doesn’t stop and say, “Hey, maybe we could build a wall that’s high enough or deep enough to keep someone out,” because that doesn’t exist, but once they’re inside and we’re dealing with the actual threat, who do I have in my company who has evolved? Is there a way to make easily available to the business side so we can get their informed views as to what and how information should be protected to mitigate risk on the front end and then how to respond? And similarly, are we working together as companies and as a government with companies as the bad guys are with nation states who are sponsoring them or a terrorist group and that’s where there’s focus now, on figuring out a better way to do cooperation between business and law enforcement is vital.

The division I used to head, the National Security Division, we were created as one of the reforms post-September 11th and the idea was post-September 11th, we gotta get better at sharing information across law enforcement and intelligence divide. The failure to share that type of information led to the death of thousands of people on September 11th. This challenge of how to share information in terms of what the government is seeing on the threat and how to receive information is exponentially more complicated because it’s not just about sharing information better within government or within your company, it’s how to share information across government to the private sector and back again.

[Podcast] Security Learn-It-Alls

Rather than referring to our weekly podcast panelists as security experts, we’re now introducing them as security practitioners. Why? A popular business article on mindset brought to our attention the perils of having self-proclaimed titles, such as experts and gurus. It signals our “thirst for knowledge in a particular subject has been quenched.” That is far from reality! Security is a constantly evolving field, with new threats and vulnerabilities. To have a fighting chance, it would behoove us to start by cultivating a curious learner mindset by asking, “Why?” and “How does this work?”

As reformed security know-it-alls, here are some of the stories we covered:

Tool of the week: Account Lockout Status


[Podcast] Presenting Cybersecurity Ideas to the Board

There’s been a long held stigma amongst our infosec cohort and it’s getting in the way of doing business. What’s the stigma, you ask? “Know-it-all” techies who are unable to communicate. Unfortunately, this shortcoming also puts our jobs at stake.

According to a recent cybersecurity survey, the board of directors polled said that IT and security executives will lose their jobs because of their failure to provide the board with useful, actionable information. It gets worse. More than half of board members say that the data presented is too technical.

In an effort to redeem ourselves and to understand the problem, I suggested role playing with the Inside Out Security panel – Kilian Englert, Mike Buckbee, and Kris Keyser – and to also practice speaking with executives about cybersecurity.

I presented two practical scenarios. The first prompt: explain why you might need UBA, even if you already have a SIEM tool. The other: explain the importance of keeping the health data generated from a wearable safe and secure.

Articles discussed in our podcast:

  • How to derive a profit from the data deluge
  • Headphones that spy on listeners
  • New phone sign-in feature that skips the password
  • Microchip implanted in between one’s thumb and index finger
  • Microsoft fixed critical vulnerabilities in an uncredited update released in March

Tool of the week: PowerSploit


[Podcast] When Security is a Status Symbol

As sleep and busyness gain prominence as status symbols, I wondered when or if good security would ever achieve the same notoriety. Investing in promising security technology is a good start. We’ve also seen an upsurge in biometrics as a form of authentication. And let’s not forget our high school cybersecurity champs!

However, as we celebrate new technologies, sometimes we remain at a loss for vulnerabilities in existing technologies, such as one’s ability to guess a user’s PIN with the phone’s sensors. I’m also alarmed with how easily you can order an attack!

Tool of the week: CaptureBox


[Podcast] Christina Morillo, Enterprise Information Security Expert

If you want to be an infosec guru, there are no shortcuts to the top. And enterprise information security expert Christina Morillo knows exactly what that means.

When she worked at the help desk, she explained technical jargon to non-technical users. As a system administrator, Christina organized and managed AD, met compliance regulations, and completed entitlement reviews. Also, as a security architect, she developed a comprehensive enterprise information security program. And if you need someone to successfully manage an organization’s risk, Christina can do that as well.

In our interview, Christina Morillo revealed the technical certificates that helped jumpstart her infosec career, described work highlights, and shared her efforts in bringing a more accurate representation of women of color in tech through stock images.


Transcript

Cindy Ng: Christina Morillo has been in the security space long before automation and actual data became the industry’s “it” word. She has been helping organizations advance their infosec and insider threat programs through her deep technical expertise in centralizing disparate systems, strengthening and automating tasks, as well as translating complex issues between the business and IT stakeholders. In our interview, Christina highlights hallmarks in her career, turning points in the industry, and how she worked her way to the top.

Cindy Ng: So, you’ve been in the security space for almost 20 years, and you’ve seen the field transform into something that people didn’t really know about. Into something that people see almost regularly on the front page news. And I wanted to go back in time and for you to tell us how you got started in the security business.

Christina Morillo: So, I actually got started in the technology industry about 18 years ago, and out of that, in security, I’ve been like 11 to 12 years. But I pretty much got started from the ground up while I was attending university. I actually got a job doing technical support for, at the time, Compaq computers. So that’s like I’m aging myself right there. But back when Compaq computers were really popular, I worked for a call center, and we did 24-hour technical support. And that’s where I kind of learned all of my troubleshooting skills, and being able to kind of walk someone through restarting their computer, installing an update, installing a patch, being able to articulate technical jargon, in a nontechnical format. Then from there, I moved on to doing more desktop support. I wanted to get away from the call center environment, I wanted to get away from that, and be in, like, an enterprise environment where I was the support person, so I could get that user interaction. So that’s where my journey started. It feels like yesterday, but it’s been a long time.

Cindy Ng: It goes by quickly, and how did you get started at Swiss Re?

Christina Morillo: When I came back home from university, I am originally from New York City, I was looking for work. And I wanted to really get into financial services, doing IT within the financial services industry because I knew that would be a good strategic move for my professional career. I bumped into this recruiter, and he told me about a position at Swiss Re within their capital management investment division. And so I gave it a go even though I didn’t have the experience. You know, I took a shot. And they really liked the fact that I had prior experience with Active Directory and networking. And since I was very much hands-on and I had just taken some Microsoft certifications, so I was like really into it. So I was able to answer the questions really efficiently, and they liked me, so they gave me the shot. That’s what started me into the world of information security, and identity, and access management, and access control. I learned all my “manual foundation” I’ll call it, manual fundamentals, at Swiss Re.

Cindy Ng: Would you say that your deep understanding of AD was an important part of your career?

Christina Morillo: Oh, absolutely. Absolutely.

Cindy Ng: And what do most sysadmins get wrong when it comes to their understanding of AD?

Christina Morillo: There is a lot to do with the whole permissioning and file structure. A lot of times people don’t really go into the differences between share permissions and NTFS permissions. And it can get really complex really fast. Especially when you’re learning in school, you create your environment, right? So it’s very clean. But when you start at a company, you’re looking at years of buildup. So you go into these environments where it’s nowhere near what you learned at school. So you’re just like, oh my goodness. And it becomes really overwhelming very quickly. I think it’s, like, not having that deep understanding and deep knowledge, and just kind of taking short routes. Because we’re very busy during the day, and there’s a lot to do, right? Especially for sysadmins. They have a lot on their plates. So I think a lot of times it’s like, okay, use your own backlist. Just throw them in whatever group, we’ll fix it later. And later never comes. I don’t fault them, but I just think that we need to be a little bit more diligent with understanding structures and fundamentals.

Cindy Ng: How did you spend time figuring out how to restructure a certain group, if that was an important part in your job? In your team?

Christina Morillo: Yeah. Of course, absolutely. I always want to because it makes my life easier. But, you know, you’re not always able to. And that’s because, like I said, it’s so complex, and there’s so many layers that peeling these layers back will cause chaos. So sometimes you have to prioritize. And just from like a business perspective you have to prioritize. You know, is this something that we can do gradually or look at setting up as a project and completing it in phases, or is it high-priority, right?

And so, the first thing I do is I talk to whoever owns the group or let’s say whatever specific department, like finance. So who approved access to this group? So I like to kind of determine that. And then work my way backwards. So, okay, if this is the owner of the group, then I like to say, “Who should get access to this group?” What kind of access do they need to this group? Do they need read-only access, or do they need modify access?” And then go from there. And who should be the initial members of the group? And a lot of times it’s a matter of having to recreate the group. So create a fresh group, add the individual users, read-write or modify, or read-only, and then migrate them into the group, and then delete the old group. Which that part can take time because you don’t know what you’re touching.

A lot of times people like to permission groups at different levels where they don’t belong. The worst thing that can happen is you can cause an outage and you never really want that. Kind of investigating and using tools like DatAdvantage to help with the investigations to better understand what you’re doing before you do it. So it’s a process. I mean, I wouldn’t say it’s something easy. That’s why, a lot of times, it’s put on the back burner. But, you know, I feel like it’s something that has to be done.

Cindy Ng: Your next role, which was at Alliance Bernstein?

Christina Morillo: So at Alliance Bernstein, that was a short-term contract. That was part of their incident response & security team. 50% of the time I was handling tickets, and, you know, approving out FTP access, and approving firewall access, and checking out scans or anti-virus scans, and making sure that our AV was up to date, and doing all that stuff.

And then the other 50% was working on identity management and, like, onboarding applications into the system and testing. And then training the team that would handle day to day support. So it’s like a level two, level three. And then defining the processes. You know, onboarding the applications, defining the processes, writing the documentation, and then handing over to the support team to take over from there. So it was a lot of conversation with stakeholders, application owners, and I really appreciated being able to be a part of those processes.

That’s why I started seeing more of the automation. I mean, at Swiss Re, we were very much manual for the first couple of years. Which was fantastic because, you know, although it was a pain, it was fantastic because I got to understand how to do things if the system was down. It gave me that understanding of like ‘Oh, I know how to generate a manual report.’ So when it came time to automate, I was like, ‘Oh. Okay, this is nothing. I understand the workflow,’ right? I can create a workflow quickly, or I can… I understand what we need, right? And it also helps when people are just like, “That’s gonna take four days.” I’m like, “Absolutely not. That’s going to take you 45 minutes.” So it was a great experience.

Cindy Ng: Would you ever buffer in time if systems went down? I’m thinking about something like ransomware.

Christina Morillo: Thankfully, that never happened while I was at these companies. That never happened. And since it didn’t hit my team, I think I’ve always been more on the preventative rather than being on the reactive side. A lot of times you did have to react to different situations or work in tandem with other teams, but I’m really into, like, preventative. Like, how can we minimize risk? How can we prevent this from happening? Kind of thinking out of the box that way. You have to not be an optimistic person. Like, you have to be like, well, this can happen if we leave that open. Right? And it’s not even meant to sound negative, but it’s almost like you have to have that approach because you have to understand what adversaries and hackers, how do they think? What would I want to do? Right? Like, if I see a door unlocked. It’s almost like you’re on the edge and you have to think that way, and you have to look at problems a little bit differently because, in business, you don’t rank, you just want to do their work.

Cindy Ng: Did you develop that skill naturally, or was it innate, or did you realize, ‘Oh my God, I need to start thinking a certain way’? The business isn’t gonna care about it. That’s why you’re responsible for it.

Christina Morillo: I think I’ve always had that skill set, but I think that I developed it more throughout my career. Like, added strength in that skill throughout my career. Because when you’re starting, especially with network administration and sysadmin stuff, you have to be the problem solver. So you have to be on the lookout for problems. Because that’s, like, your job, right? So there’s a problem, you fix it. There’s a problem, you fix it. So, a lot of times, just to make your job a little bit easier, you almost have to anticipate a problem. You have to say, ‘Oh, if that window’s open and if it rains, the water’s gonna get in. So let’s close the window before it rains!’ It sounds intuitive, but a lot of times people just don’t think that far ahead.

I think it’s just a matter of the longer I remain in the industry, the more I see things changing. And then you just have to evolve. So you always have to think about being one or two steps ahead, when you can. And I think that skill set comes with time. You just have to prepare. And also, like, the more you know… Like, I’m very big on education and training and learning even if it’s not specific to my job. I feel like it helps broaden my perspective. And it helps me with whatever work I’m doing. I’m always taking either, like, a Javascript class or some class, or just like a fun in web development class. I’ve been looking for a Python class. Like, I did a technical cert, like boot camp. Like, I’m preparing for a cert. But it’s a lot. But I also take ad-hoc stuff. Like I’ll take a calligraphy class, just to kind of balance it out. You know I’ll go to different talks at the 92nd Street Y. Whether it’s technology related or just, like, futurism related, or just innovation related. Or something completely different.

Cindy Ng: I’ve read your harrowing story about taking a class at General Assembly while having kids and a husband. Oh my God, you are so amazing. It’s so inspiring.

Christina Morillo: Definitely hard. But, you know, you gotta do what you gotta do. And it’s a problem because when you become a parent, it doesn’t mean that you lose your ambition. It just kind of goes on a temporary hold. But then when you remember, you’re like ‘Oh, wait a minute. No. I have to get back to it.’

Cindy Ng: So let’s talk about Fitch Ratings. That role is really interesting.

Christina Morillo: Yeah, yeah. Thus far, it’s been one of my favorites. Because, at Fitch, I was actually able to deploy an identity and access management platform. So, from nothing, to create something completely new and just deploy it globally, right? So what that means is that I changed the HR onboarding process and offboarding process. So, like, how new hires are added to the system. How people that are terminated are removed from the system. How employees request access to different applications. How managers approve. How authorizers approve the entire workflow. So that was amazing.

Basically, when I started, they wanted to go from pretty decentralized to a centralized model to purchase this out of the box application. They had a lot of transitions, so they needed someone to come in and own the application and say, like, “Okay, but let me implement it.” It was just on a like a development server, not fully configured. So, my job was to come in, look at the use-cases, look at what they needed. At least initially. What needed to happen? How did they need to use this application? Then I needed to understand the business processes. Current things, or how do they perform this work today? Like, does the help desk do it? Does a developer give access to a specific application that they manage? What are they developed for? What happens now?

So I took time to understand all of the processes. Right? Like, I spoke to everyone. I spoke to HR. I spoke to finance. I spoke to legal. I spoke to compliance. I spoke to the help desk. I spoke to network administration. I spoke to application developers. To compile all of that information in order to better create the use-cases and the workflows, and to kind of flesh them out. Then what I did is I started building and automating these processes in that tool, on that platform.

My boss gave me… He said, “Oh, I’ll give you like a year.” And I was like, “Okay. Fine.” But, I guess, once I got into like the thick of things, I got like really aggressive, and I really was hard with the vendor. Because I was a team of one. You know, I had support from our internal app team, and network administration team, and the sysadmins. But I completely owned the process, and owned the applications, and owned building it out. So I rode the vendor like crazy just to get this done, and understand, and just to look at it from top-to-bottom, bottom-to-top. And we were able to deploy it in five months.

You know, I got them from sending emails and creating help desk tickets, to a fully automated system, onboarding, offboarding, and requesting entitlements. But more importantly, I was able to get people on board. Because that’s one of the other big things that you don’t really discuss. A lot of times we got a lot of pushback. While what we do is extremely important, especially in security, sometimes we’re not the ones that are the most liked. People are afraid, right? So it’s also about developing new relationships with your constituents, with the users, right? And helping them understand that you’re not trying to make their lives miserable, you’re just getting them on board. I think that also takes skill. It takes finesse. It takes being able to speak to people, relate to people. And also, it takes being able to listen at scale. Right? So you have to listen to understand.

You know, I think if a lot of us did more listening and less talking, we would definitely understand where people are coming from and be able to kind of come up with solutions. I mean, you’re not always gonna make people happy. Maybe some of the time. Not all of the time. But at least you’ve communicated, and they can respect you for that. Right? So I was able to get pretty much the entire company on board. And to welcome this tool that they had heard about for so long. And they weren’t hesitant. To the point where I couldn’t get them to leave me alone about it.

Cindy Ng: You were able to help them realize that you’re still able to do your work, but to do it securely.

Christina Morillo: And better.

Cindy Ng: When you say scared and concerned, what were they worried about?

Christina Morillo: When you say the word “automation,” the main worry is that people are gonna lose their jobs. When someone says, “Oh, I heard that the tool will allow you to onboard a user,” people won’t need to call the help desk anymore for that or won’t need help with that. Then you’re taking away like a piece or a portion of their work that may affect their productivity. And if it affects their productivity, it will affect the money that the team or the department gets. If that happens, then, obviously, we don’t need ten help desk people. We only need five. Right?

So, pretty much, it’s like fear of losing their jobs or fear that they’re becoming obsolete. So that’s usually the biggest one. And also when there’s, like, a new person coming in asking you how do you do your work, what is the process, that’s kind of scary. “Why do you want to know? Are you taking over? Are you trying to take away my work?” You’re always going to get pushback. I think that’s part of the job, especially when you’re in security. You’re just always going to. And, you know, people fear what they don’t understand. So that’s part of it too.

Cindy Ng: Let’s talk about Morgan Stanley now. So at this point, you’re at a really more strategic level where you’re really helping entire teams manage risk?

Christina Morillo: Yeah. So while I was at Fitch and, you know, while I loved it, it became more of a sysadmin type of role. So I decided to begin looking for my next opportunity. And Morgan Stanley came up that summer. And I looked at it as, well, this is a great opportunity for me to be at a more strategic level and understand, become a middleman, right? Almost like a business analyst where I’m understanding what the business needs and then kind of liaising on the technology side. So I thought it would be a good opportunity for me to hone that skill set on the business side and look at value proposition. But also because of my technical background, I’ll be able to communicate with and get things done on the tech side.

So that was amazing. I mean, I learned a lot about how the business and IT engage. What’s important, and how to present certain, I guess, calls for action. Like, if you need something done, like, oh, you implement a new DLP solution. Are you solving a problem for the business or are you solving a problem for technology? Understanding the goal. Understanding your approach. And looking at things two ways. Looking at how to resolve a problem tactically. How can we resolve this issue today? And then what is the strategic or long-term solution? So a lot of business-speak, a lot of how to present.

I think I would almost equate it to… My time at Morgan Stanley… And I’m no longer at Morgan Stanley, actually. But my time at Morgan Stanley I equated to getting a mini-MBA because it really prepared me and allowed me to think differently. I think, you know, when you’re in technology you tend to stay in your tech cocoon. And that’s all you want to do and talk about. But understanding how others think about it, even how project managers engage with a business. The business is just thinking about risk, and how to minimize risk, and how they can do their jobs and make money. Because, at the end of the day, that’s what the goal is, right? Yeah, it allowed me to understand that. Whereas normally, on the tech side, I never really had to deal with that or face it. So I didn’t think about it. But at Morgan, you have to think about it, and you have to create solutions around it.

Cindy Ng: Also, IT’s often seen as, like, a call center rather than a money generator.

Christina Morillo: I’ve always had an issue with that. Even though IT, like, we’re seen as a call center, without us… And I’m biased, obviously… But I feel like without us, you wouldn’t be able to function. At the end of the day, are we generating money? I think so. But then it goes into that whole chicken or the egg thing. But that’s my argument, and I guess I’m biased. I’ve always been in IT, right?

Cindy Ng: What’s most important to business? Is it always about the bottom line? For IT people, it’s always about security and minimizing risk.

Christina Morillo: It is about the bottom line. There are many avenues to get there more efficiently, or just a little bit smarter. It’s like working smarter. But I think one of the ways is by listening at scale. Just like if you’re starting a company, you’re providing a service, you need to understand who your target market is, right? You need to understand what they want and why they want it. And that’s how you know what service you can provide or how you can tailor your needs to them. Why? Because then they will buy it from you, or they will seek services from you. And what does that mean? That means you get to collect that money.

And sometimes you need, like, a neutral group. You know? Like a working group. I realized they have a lot of working groups. So a lot of discussion. Sometimes that can be good and bad, but I see it as more of a positive thing. And the reason why is because you need to be able to hear from both sides, right? Both sides need to be able to express themselves, and everyone needs to be on the same page or get to that same page somehow. You need to understand what I need as a business user. I need to be able to book a trade, or I need to be able to do this, and I need to do it in this amount of time. Now how can you help me? And then the IT person, or the security person, whoever, needs to be able to say, “Okay. Well, this is what I can do, this is what I cannot do right now. But maybe this is what I can do in the future.”

Again, it goes back to that we are problem solvers. So we’re all about solutions and how to keep the business afloat and keep the business running and operating. That’s our job. We’re not there to say we have to do it this way. That’s not what we’re there for. So I think it’s also understanding what role everyone plays, and understanding that we all have to kind of like work together to get to that common goal.

Let’s say we have a working group about implementing Varonis DataPrivilege globally, right? So then you have stakeholders from every department, or every department that it would touch. So if that means that the security team is going to be involved, we have a representative from the security team. If that means that the project management who’s managing the project is gonna be involved, we have someone from that team. So you pretty much have a representative from each team that it will affect. Including the business, at times, so that they’re aware of what’s going on. And then you have status updates on what’s going on. What do we need? Where are the blocks and the blockers? And people get to speak, and people get to brainstorm, and you get to bring up problems, and what you need from the other team, what they need from you. And it just helps with getting projects moving and getting things going quickly and just more efficiently without anyone feeling like they weren’t represented in the decision-making process. It also speaks to that as well.

Cindy Ng: Before our initial conversation, I had no idea that you used DatAdvantage.

Christina Morillo: My last employer, they used DatAdvantage, and were also implementing portions of DataPrivilege. The company before that, Fitch, we used DatAdvantage heavily. So, like, reporting. You know, it’s been a couple of years, so I don’t know if they still use the tool. But I know when I was there, I actually used it for reporting purposes, and to help me generate reports, and just do, like, investigations, and other rule-based stuff.

Cindy Ng: Was it helpful for, like, SOX compliance?

Christina Morillo: Yeah. Yeah, especially whether it was internal or external audits, we always got the call. Like, “Can you come and give me access to this group on such and such date?” or, “Can you come and get this removed?” or, “Can you tell me this?” Just weird ad-hoc requests. That makes sense, right? But at the time, you’re like, ‘Why did you need this?’ Being able to kinda quickly generate the report was, like, super helpful.

Cindy Ng: And finally, I love what you do with the Women of Color in Tech chat.

Christina Morillo: Yeah, yeah. A friend of mine, Stephanie Morillo…no relation, just same last name…but we both work in tech. And in 2015, we decided to co-found a grassroots initiative to help other women of color, and non-binary folks and just under-represented people in technology to have a voice, a community. We started off as Twitter chats. So we would have weekly, bi-weekly Twitter chats. Just have conversations, conversations with the community.

And then we started getting contacted by different organizations. So they wanted to sponsor some of our community members to attend conferences, and just different discussions and meetups and events. So we started to do that. We also did, like, a monthly job newsletter, where companies, like Twitter and Google, they contacted us. Then we worked with them. We kind of posted different positions they were recruiting for and shared it directly with our community.

And then, the thing we’re most known for is the Women of Color in Tech stock photos, which basically is a collection of open-source stock photos featuring women and non-binary folks of color who work in technology. So those photos, the goal was to give them out for free, open-source them, so people can have better imagery, right? Because we felt that that representation mattered. The way that that came about was when I was building the landing page for the initiative, I realized that I couldn’t find any photos of women who look like me who work in technology. And it made me really upset. Right? And so that activated… I feel like that anger activated something within me, and maybe it came as a rant. Like, I was just, like, “Okay, Getty, don’t you have photos of women in tech who look like me?” Why is every… Whether white or Asian or whoever… Why is any… And I see a woman with a computer or an iPad, it looks like she’s playing around with it. Those are the pictures that I was seeing. This is not what I do. This is not what I’ve done. So I just felt like I wasn’t represented. And then if I wasn’t represented, countless other folks weren’t as well.

I spoke to a photographer friend of mine who also works in tech. And he started like his side passion stuff. So he agreed, and we just kind of started out. I mean, we went with the flow. It turned out amazing. And we released the photos. We open sourced them, and we got a lot of interest, a lot of feedback, a lot of features, a lot of reporting on it. And we decided to go for another two rounds. You know, a lot of companies we talked to were like, “We want to be a part of this. This is amazing. How can we support you?” So a lot of great organizations. If you look at the site, you see those organizations that sponsored the last two photo shoots.

We released the collection of over 500 photos. And we’ve seen them everywhere, from Forbes, Wall Street Journal. It’s like I’ve seen them everywhere. They’re just, like, all over the web. Some of our tech models have gotten jobs because they started conversations. Like, “Wait, weren’t you in the Women of Color in Tech photos?” “Yeah, that’s me!” Whatever. Some people have gotten stopped, like, “Wait a minute, you’re in this photo.” Or they get tags. They’ve been used at conferences. Some organizations are now using them as part of their landing pages. They’re like all over the place. And that was the goal.

But it really, you know, makes us really happy. But just seeing photos all over the place, and the fact that people recognize that those are our photos, it was just amazing. We actually open sourced our process as well. We released an article that spoke about how we got sponsors, what we did, in hopes that other people, other organizations would also get inspired and replicate the stock photos. But we also get inquiries about, you know, “Are you gonna have another one? Can you guys have another one?” So it’s up in the air. I’m debating it. Maybe.

[Podcast] Evolving Bank Security Threats

It was only last week that we applauded banks for introducing cardless ATMs in an effort to curb financial fraud. But with the latest bank heists, it may help to turn up the offense and defense. Why? Hackers were able to drill a hole, connect a wire, cover it up with a sticker and the ATM will automatically and obediently dispense thousands. Another group of enterprising hackers changed a bank’s DNS, taking over their website and mobile sites, redirecting customers to phishing sites.

But let’s be honest and realistic. Bank security is no easy feat. Banks run complicated systems with a large attack surface to defend, whereas an attacker only needs to find one vulnerability, apply some technical expertise, and gets to decide when and how the attack happens. Moreover, attackers don’t have to worry about bureaucracy, meeting compliance requirements or following laws. The bottom line is that attackers have more flexibility and are more agile.

In addition to evolving bank security threats, we also covered the following:

Tool of the week: ngrok, secure introspected tunnels to localhost


[Podcast] Americans’ Cyber Hygiene

Recently, the Pew Research Center released a report highlighting what Americans know about cybersecurity. The intent of the survey and quiz was to understand how closely Americans are following best practices recommended by cybersecurity experts.

One question on the quiz reminded us that we’re entitled to one free copy of our credit report every 12 months from each of the three nationwide credit reporting companies. The reason behind this offering is that there is so much financial fraud.

And in an effort to curb banking scams, Wells Fargo introduced cardless ATMs, where customers log into their app to request an eight-digit code, which they enter along with their PIN to retrieve cash.

Outside the US, the £1 coin gets a new look and line of defense. It uses an Integrated Secure Identification System, which can be authenticated at high speed. Plus, it’s harder to counterfeit, and that’s exactly what we want!

Other themes and ideas we covered that weren’t part of the quiz:

Did the Inside Out Security panel – Mike Thompson, Kilian Englert, and Mike Buckbee – pass Pew’s cybersecurity quiz? Listen to find out!


[Podcast] What CISOs are Making, Reading and Sharing

Besides talking to my fav security experts on the podcast, I’ve also been curious about what CISOs have been up to lately. After all, they have the difficult job of keeping an organization’s network and data safe and secure. Plus, they tend to always be a few steps ahead in their thinking and planning.

After a few clicks on Twitter, I found a CISO at a predictive analytics SaaS platform who published a security manifesto. His goal was to build security awareness into every job, every role, and to give people a reason to choose the more secure path.

Another CSO, at a team communication and collaboration tool company, stressed the importance of transparency. This means communicating with customers as much as possible about what he’s working on and how their bug bounty and features work.

As for what CISOs are reading and sharing, here are a few links to keep you on your toes and us talkin’:
