The Get Cyber Resilient Show Episode #28
This week our hosts are LIVE online to celebrate the 1st birthday of Get Cyber Resilient! Dan, Gar and Brad take a look back over the biggest cyber security news in 2020, and the insights that the past 18 incredible guests have brought to the show. Our hosts then answer questions from our live audience on a range of cyber security hot topics.
The Get Cyber Resilient Show Episode #28 Transcript
Garrett O'Hara: [00:00:00] We're live. Well, welcome to The Get Cyber Resilient podcasts, the live birthday edition. Uh, I'm Garr O'Hara, and this week is obviously very different. We're throwing caution to the wind and going live. So, no do-overs when we flub a line, uh, which is normally me, no ability to edit out the mistakes, also normally me.
So, we're on a- a tightrope here and the clowns just stole our safety net. So, here we go, we have, uh, co-host Dan McDermott and regular guest Bradley Sing joining today to celebrate Get Cyber Resilient's first birthday. They grow up so fast.
Dan McDermott: [00:00:39] Oh God, they certainly do. It's, uh, it's amazing that, uh, we've hit the first birthday, uh, anniversary, so it was, uh, August 21, uh, this time last year that we went, uh, live with Get Cyber Resilient. Um, and as we do our podcasts on Tuesday, and known as podcast Tuesday, um, I thought we'd, uh, we'd do a special live version today. So today as Garr mentioned is a bit different.
Um, and we'll have an opportunity to reflect back over the year, the key trends in cyber, what's been happening, um, and what a great time we've had to be able to talk about it and share it with this community of, uh, of great cyber professionals. Um, we'll reflect back on, sort of, some of the 26 episodes and 18 guests that we've had over the time, which has, uh, which has been fantastic.
But really the main thing that's different about today, and what, uh, does make it, I guess, a little bit special from our side, is it's a chance to hear from you, um, our audience. Uh, this is the first time that we're throwing it live, and- and open, um, to get questions. So please participate and, uh, and ask your questions.
We'll basically run the- the Q&A session, uh, for the last sort of 15 minutes from sort of 2:30 to 2:45, and there's a couple of ways that you can interact and become part of the session. Um, the first is, uh, down the bottom of your screen, you should be able to see a Q&A box. Um, if you click on that and ask your questions in there, we'll be able to, uh, hopefully do our best to respond to them, um, at the end, um, as we'll get into that session.
Um, there also should be a, um, a button there that says, "Raise your hand." Um, so from 2:30, um, if you do that, um, we'll take you off mute, and you can, uh, join in the conversation with us and, um, ask your questions live. And again, uh, we'll do our best to see how we go in answering them. So that is, uh, pretty much, the, uh, I guess the key aspect of today is- is to try and make it a bit more interactive, um, reflect back on the year that's been and, uh, have a bit of fun along the way as well.
So Garr, Brad, I think, uh, Brad, welcome b- back to the show, fantastic, to, uh, have you join us. Uh, we sort of normally do this on a monthly basis look at the- the month that's been in security and what's been happening, uh, this time we sort of get a chance to look back a little bit further, look at the year that's been, and what's been happening. Um, and, uh, and I think that that's a- a great opportunity for us to, uh, to start with the conversation and then what we're looking to, uh, to cover today.
Um, the first, I guess, key thing that we wanna, uh, do talk about, is the biggest impact that we've seen in- on society, and then also then, uh, with, um, [inaudible 00:03:08] cyber community, is COVID. Um, and, there's no doubting that that has been, you know, the number one topic on everyone's mind for, uh, for the last six months or so. Um, and so I was interested in your take on, I guess, the impact of- of COVID, on- on cybersecurity. Um, and then also the complicating factor, I guess, of sort of, you know, moving to this work from home, or work from anywhere environment, that we see now.
Um, and the role of the things like new technologies that, well, not so new, but certainly the importance of technologies, like web conferencing and that type of thing as well. So what's been your take from a cyber perspective, um, from COVID?
Bradley Sing: [00:03:44] Yeah, no, well, first off, thanks again, Dan, for having me. It's, look it's my absolute pleasure to join the show once a month, and hello to all of our live listeners out there, or anyone who's tuning in on the podcast. Um, yeah, I don't think you could mention this year in cybersecurity, without talking about COVID. Um, look, it's changed the way, [laughs], we- we- we work, we live, we, uh, interact with technology, in so many different ways. But with any type of geopolitical event, we see, uh, a huge increase of- of noise, or hackers or- or, um, communications related to what that event may be. And it comes at a time where there's a lot of misinformation out there as well, in terms of, uh, the information we consume, the information we read.
Um, so it can be very hard sometimes, I think, for individuals to even, kind of, dissect what's another terms and condition email from your provider that's changed their COVID policy, versus, you know, an actual threat, uh, which is in the mailbox.
Dan McDermott: [00:04:38] Absolutely, and- and I think the, you know, the unscrupulous nature of, uh, cyber criminals is always looking for the weakest link, right? And I think we saw a massive spike in- in email-borne attacks, you know, sort of from late February, early March into, a- across sort of the Mimecast grid and- and what's happened there because, you know, they're looking to- to attack people at their most vulnerable and the weakest points right? And, uh, and- and we see that happening all the time from, you know, when the government tries to release things like JobKeeper and that sort of stuff, um, to actually support the community during this time, um, yet again we get another wave of, you know, attacks or if face masks become compul- compulsory as they are for us here in Melbourne, um, you know, like... and the amount of fake sites selling face masks and stuff it's- it's- it's quite incredible the- that they capitalize on every, sort of- of, moment of opportunity.
Bradley Sing: [00:05:29] It's definitely I think, um... the amount of technology we use and- and the- the intersection of risk from this event is... to your point, is absolutely crazy. Um, my bike got stolen the other day, right, from- from my backyard. So, I was looking online for, um, IP cameras and, like, I was gonna get this cool setup, and obviously I probably should have locked the bike, which is the first step of security securing, [laughs], your perimeter.
Um, but to be resilient, you know, at least if I had a- had a, you know, a webcam or- or a camera could at least see- saw what happened. Um, when I was looking online, I noticed that you had your kind of entry level cameras, but you've also got, like, these $30,000 video cameras, which do thermal imaging, and facial recognition. And it puts all this information into, like, a little database. Um, definitely overkill for my backyard, but that's the type of world we're moving into, where we've got an IoT in every single corner of the room, where it's collecting this information. As we start to return, uh, to the workplace, like, there'll probably be screening processes in place, there already is in different industries.
Um, that's a lot of information which has been collected in a lot of different data points which, as we all know, haven't had security in- in mind in the past. And on top of that, to your points around, I think, um, like, you know, just people accessing JobKeeper, essential services. Um, we're seeing, you know, people desperate in some situations to access stuff they need. And at the same time getting all this noise in- in the form of, um, fake websites, um, SMS messages, you... there's just so much noise, and the only way to communicate is- is- is via technology at the moment.
Dan McDermott: [00:06:55] That's right, I mean- I mean, we're all remote, right? And we all, [laughs], at the moment we're all in our, um, homes, doing this, uh, as we speak in that, and that has, uh, you know, I guess, invited a new sort of vulnerability as well around, sort of, web conferencing and what's happened there, um, you know, we've all sort of, uh, seen... either seen or been seen on the news, sort of, the notion of, sort of, uh, what is it, uh... [inaudible 00:07:15], what's the Zoom-
Bradley Sing: [00:07:17] Zoombombing?
Dan McDermott: [00:07:18] ... is it Zoombombing? That's the one.
Bradley Sing: [00:07:20] Yeah, I think, uh, Zoom gets a little bit of a bad rap, and like, I guess we're on the Zoom platform now for all the, [laughs], attendees, so, uh, like I- I stand by Zoom. Um, Zoom, [laughs], if you have any type of conference online, and you don't have passwords protecting it, anybody can effectively join it, that's- that's not the provider's fault. Um, if we look at video conferencing s- software and- and the history of breaches behind it, pretty much every major platform has had a breach at some point in their past. I think what it- what it forces us to do is that we still need to have the good security practices around it. So two-factor auth, um, waiting rooms before meeting, as- as an example.
I was in a meeting the other day with 17 attendees and someone did a really good thing, they said, "Who's that person? Who's that unknown person?" And I hadn't seen that before, uh, uh, in a- in a Zoom meeting, but I thought that was- that was good behavior. So I think we just need to be a bit more, uh, uh, [laughs], we have to watch who is in our rooms, [laughs], a little bit- be a little bit more aware of it.
Garrett O'Hara: [00:08:14] I think, uh, to jump in there, one of the things that I think... the good things that's come out of this, is the- the focus on security. And Zoom's a really good example where, you're taking something that was really, uh, like for want of a better expression, was a kind of hip version of VC. But it was never really designed for security, it was designed for ease of use, and then, you know, transition to a work from home at scale environment. And all of a sudden, all these, you know, air quotes, security flaws get shown up, but really, it's often configuration issues, rather than, you know, true security problems.
The one thing I would say about Zoom is, their, uh, their interpretation of end-to-end encryption, um, you know, is- is questionable, and I know there's a couple of lawsuits happening around that, but, you know, it's- it's one of those things that I think the attention they got from just a mass adoption, is actually going to drive some really good outcomes in terms of a security platform. And, um, yeah, having Alex Stamos gone, [laughs], to lead security there, I mean, that's, uh, it's, like, it signals everything you need to know about where they'll be, you know, six months or a year from now, in terms of security.
Dan McDermott: [00:09:17] Definitely, yeah. And I think that, uh, one of the key aspects that we've seen over the last year pre COVID, and certainly since, and that is- is the rise of cyber security as a- as an issue on the national consciousness, right. Um, uh, and- and in particular, the focus around the impact on critical infrastructure, and what that means, and- and how vulnerable, um, that becomes and- and how that becomes sort of, you know, something that is, can be systemic across society and have, you know, major impacts outside of just, you know, one company at a time as well. And we've seen the government, sort of, you know, play a heavy role in- in- in driving this as well. You know, we saw from the PM's press conference, sort of, in June, uh, the follow up with the IAP report and- and the release by Andrew [Darton 00:10:01] of the, uh, and the cyber security 2020 strategy.
Um, but all, you know, all of these things have risen the consciousness, but what is it that, you know? What is it that we can do to really help protect our critical infrastructure? And what do you think the role of- of government in doing that is?
Garrett O'Hara: [00:10:16] So there... that is such a huge question, uh, [laughs], in terms of scope, and- and, you know, breadth and depth of, like, there is so, so much involved there. Um, I think, like most critical infrastructure, um, in- in most countries, they're- they're often, kind of, built organically over you know, X number of decades, and you're often relying on, sort of, ICT systems and, um, you know, security things like air gap, um, air gapping, and- and then that kind of stuff. And it depends on what you consider critical infrastructure, but that's pretty, I would say, broad and probably needs to be redefined beyond just things like energy, and health.
There's things, like, I would say, these days is internet, you know, part of critical infrastructure, you know, it- it probably could easily be considered, yes it is. And so many things operate in using it. Um, wh- what I would say is, it feels like there's a bit of a shift in the zeitgeist around how vulnerable we actually are, and that's obviously reflected in, you know, the PM's announcement. There- there seems to be a chatter and, uh, like a dialing up of the- the voices in cybersecurity, around how important this stuff is, because of how damaging it could be, if something like our, you know, energy grid, or, uh, hospitals. Which we, you know, we saw last year, we saw the impact of something like ransomware, uh, hitting, uh, you know, the Gippsland, um, you know, health, uh, organization.
So, the reality is, I think we need to have a very honest and frank conversation around where we are right now as a nation. We need to be ready to spend some serious coin, to- to protect ourselves, and I mean, really, really serious amounts of money. Um, if we- if we think of a number that is scary, double that, and then, you know, take that number and triple it, and that's probably where you're kind of starting to get to how much money we need to spend. Um, and it's- it's going to be a national program, I would say, like, for- for all of us. Um, we all have to buy into it, we probably have to accept the fact that some of our tax dollars might go away from things that we deem to be really important now. Um, but, you know, they- they rely on cybersecurity to remain functional, and certainly in existence.
Um, yeah, it's a huge question. Um, honestly, I think we've got a long road, as most nations in the world do, I think Australia's actually pretty good, um, for the most part, but, you know, lots of work to- to still do, I would say.
Dan McDermott: [00:12:34] Yeah, definitely, and- and you mentioned, like, I think, you know, one of the- the key, sort of, critical industries that has, has been under attack, you know, for- for a long time, is health care.
Garrett O'Hara: [00:12:44] Mm-hmm [affirmative].
Dan McDermott: [00:12:44] But we also see that in terms of, uh, you know, in- in particular higher education as well. Education as a sector has been a, is- is always under attack, um, in this country. Um, you know, wh- why do you guys, sort of, see, you know, these continuing to happen, um, and, you know, what sort of advice can we, sort of, have to- to, sort of, you know, help, you know, I guess, upgrade, uh, the protection of these en- environments as well?
Bradley Sing: [00:13:10] Well I think there's-
Garrett O'Hara: [00:13:11] You- you go Brad, [laughs].
Bradley Sing: [00:13:13] Well, I think there's, like, there's- there's- there's a number of different reasons there, I think yo- you hit on a, uh, quite a few good points there, Garr, in terms of, I guess, just, like, infrastructure as a- as a risk in some of these key industries. It's also important to note that a lot of these industries have effectively been privatized over the past 20 to 30 years. So, what the... there's arguments for both sides, but from a security perspective, you've got government standards in terms of how they have security, and then you've got private organizations and their own governance rules as well.
Obviously, everybody has to abide by law, but it'll be interesting to see how government supports a lot of the private industry, which now, effectively, manages what we would deem as critical infrastructure; whether it be energy or roads as well.
Um, and I think what we... that translates to is- is things like, potentially, the Victorian health breach, where you've got, um, different services, um, a lot of different talking parts, but, no cohesion in terms of patching or consistency. Um, we're seeing health as- as an area which has unfortunately been targeted fairly consistent- consistently over the past 10 years. Um, now with COVID, it's obviously even worse, but the amount of confidential information, or disruption, or- or real, um, danger it can cause to people's lives, is huge.
I think we all woke up to it years ago when we saw WannaCry, and it was the NHS in- in the UK, and dashboards, uh, like just, hospitals, uh, critical, um, procedures being delayed, because people couldn't access patient records; that pretty much happened in Australia as well. So, I think when we... we hear a lot on the news about risks of attacks by foreign nations, and disruption, but the actual effect of it is- is kind of there in plain sight.
Garrett O'Hara: [00:14:45] And I think what's scary here is, like, this massive downward pressure in terms of budgets for both health care, and I would say at the moment, for education, like, they're in a really scary position, because of the international students, and- and, [laughs], the lack thereof. So the real worry then is, you've got something that, like, as a nation I think, you know, we should be proud of our healthcare. Um, we should definitely be proud of our education system, and- and certainly the university space is, you know, much sought after.
We've got incredible institutions here, but they're really, I would say, under a lot of pressure now financially so, you know, when it comes to things like spend on cybersecurity, uh, you know, is that one of the things that is, you know, potentially something you can, you know, you can see yourself saving some money on? But actually, you're increasing the risk for- for the university, or the healthcare organization, and, like, you know, unis, we- we talk to them all the time, they're incredibly complex environments, with hugely heterogeneous kind of network traffic, and applications, and systems. And, um, for attackers, they're- they're just so appealing. You know, it's so- so much easier to hide in that, kind of, um, complex network traffic, versus a corporate environment where you kind of have a known, you know, set of applications.
You might throw in some sort of CASB, or, you know, web security, and you can, sort of, light up what should and shouldn't be used; unis don't have that, um, I would say, don't have that ease to, kind of, lock that stuff down. And then healthcare, I mean, it's got its own set of- of challenges, um, there as well. But, like, again, very, um, heterogeneous environments. Often, you know, heavily staffed by people who are incredible at healthcare but, you know, not cyber experts. Um, just, yeah, rich pickings. And- and given the value of health records on the, uh, the black market and the dark web, you know, this... it's- it's- it's an obvious target. Um, but, you know, I think something that we need to pay more attention to.
Bradley Sing: [00:16:37] There's probably been a lack of investment in those areas, like, even before, I think, the focus on cyber. Like, I just- I remember going to the education conferences, and the big things there were these exciting white boards, LMS systems, and all these cool services you can offer to your, you know, to your university, or to your- to your school or whatever it may be.
And I think these things are all great, but the cybersecurity vendors were sitting in the corner, and no one was talking to them. Um, it... which is basically a... uh, have a bit of an appreciation of the fact that there might not have been much focus on this in the past, and now there's ongoing disruption. And a lot of it, those industries haven't had the skills or expertise in the past to deal with it, but suddenly now they're having to deal with it, with, you know, with arguably one of the hardest times ever for the industry.
Dan McDermott: [00:17:19] Yeah, definitely. And now, um... so just a- a shout out to our audience, if you do have questions come up here in, uh, during any of this, feel free to put them in the Q&A box, and, um, like I say, we'll try to address them at half past. Um, but, Garr, just bringing together some of the things that you said there.
Like, you- you've mentioned that, you know, we need to increase spending in this- in this- in this space. Um, we've built technologies over a long period of time, and so there might be, uh, flaws in- in- in our tech stacks, and from a, sort of, a vulnerability point of view, and I think of, sort of, WA Health being breached via- via their pager system, right. So an old technology set.
Um, and yet, the pr- the economic pressure that, you know, these industries, of all industries, they're gonna be facing, you know, post COVID. How do you bring all, and reconcile all those things together, when we need to spend more? Um, we've got old and antiquated technologies that may have risk associated with them, yet you're in a, you know, a- a basically going to be in a recession environment.
Garrett O'Hara: [00:18:21] You're spot on. So, you know, one of the- the things people talk about often is, how, you know, if you're poor, you probably have a, or you know, in a lower, uh, socioeconomic, uh, bracket, you probably have a car that actually is more expensive to run than a, you know, uh, somebody who's rich and has a, I don't know, what's a big car? Like a Mercedes or something like that, um, don't know that much about car brands obviously. But, you know, the- the cost of, um, of maintaining those legacy systems actually, in some ways, from a business perspective, um, is more expensive.
Because, like a car that's, you know, 30, 40 years old, you're paying for services, it keeps breaking down, you're kind of using chewing gum and band-aids to try and keep a business, um, going. I think we need to reshape what the conversation is, Dan, and I think that might be one of the- the things that's fundamentally wrong, uh, in the cybersecurity industry is that, the value to a business is still not understood, in my opinion. And that's reflected in nearly every conversation that I have with, uh, cybersecurity leaders, CISOs, uh, you know, constantly we hear this thing of, the business doesn't get it, doesn't buy into the associated risk mitigation strategy. And I think that's probably the biggest thing.
Um, I said at the start, you know, the zeitgeist is changing, and- and having the PM come out and say, "Australia's under a sustained attack," I think it's helpful, right? It's starting to move the conversation into boardrooms, into the, I don't know, the golf course, where, you know, the- the- people who, you know, whether it's rightly or wrongly, are often, kind of, you know, middle aged white men, and hopefully that changes. But, you know, it's- it's getting the conversation happening with those people, um, and making that change so that this...
You know, and one of the things we've heard during this year, or at least I have, is- is- is cybersecurity starting to be seen as a competitive advantage? Like, can you get to the point where WA Health, and those organizations, instead of having to fight tooth and nail for every penny, can actually have an- an adult conversation about the value that a good cyber resilience strategy has in place?
Um, Jacqui from... Jacqui Nelson from Dekko Secure said this a- a couple of weeks ago on the podcast. Um, and used the analogy in one of her... in one of the pieces that she wrote around the reason, um, r- race cars have good brakes, is so they can go faster. It's not that they- they can slow down faster, it's that you can go faster if you know you've got good brakes, and cybersecurity; same deal. You know, we need to reshape the conversation, as you said, Dan, it's not just, um, government, it's private enterprise. You- you know, "Here's less funding, go do more."
You know, the- this math kicks in there that you just, [laugh], like, you- you get to the point where that just starts to be ridiculous, um, and, look, I'm suspecting the people on the, uh, the audience today, they get it. You know, but it's- it's the day where that becomes a broader conversation, and we start to see that buy in from the business, and from non-technical, non-cyber, who understand the business implications of not doing cyber resilience well.
Dan McDermott: [00:21:20] And I think that, you know, Garr, you hit on one of, I guess, the key aspects I think of, uh, one of the tactics that we're seeing, you know, and the increase, and- and a new way of looking at it is ransomware, right? And- and, sort of, the large scale, sort of attacks in terms of, like, money values, and- and what you... I think you might have termed as blackwhaling, [laughs], um, and the sort of, the large, you know, attack method that, uh, that is ransomware.
But also, sort of, that individual threat that it now represents, which is not only, you know, um, holding them to ransom, but threatening to publish the files and then making money again of publishing, um, any of the information on the dark web as well.
Um, what can people do to, you know, to help in terms of protecting themselves to ransomware, but also, like, you know, wh- what do you... do you negotiate with- with- with cyber terrorists?
Garrett O'Hara: [00:22:09] And so, I don't think so, and actually, I think it's illegal. Um, you know, and depending on where you are, you know, you've probably heard the- the stuff around Garmin, where there was, uh, call... I don't know if allegations is the right word? But there was a conversation around did they pay the ransom, which potentially could be illegal, depending on who the attackers are. And then you get into, [laughs], you get into, like, attribution and the value of that, and the accuracy of attribution and, you know, it's a- it's a quagmire of, uh, complexity.
Um, and this is an interesting turn in my opinion, the- the change from pure ransomware into the, well, I think they're calling it leakware? So, hey, not- not only are we going to lock your data, but we're going to leak it if you don't pay us. It- it's a horror show, like, an absolute horror show. Um, 'cause, you know, we talk about for the longest time, if you've got the backup then it gives you more leverage with the attackers, because you- you can restore in our case, like, your email. But if it's a case of, "Hey, we've- we've, you know, we've popped your data, we've exfilled your data, but we've also encrypted it." Like, your backups don't really help with the- the leakware, um, argument, so then you get into, "Okay, we've just got to do better security." And- and you're into things like awareness training and the value of- of, kind of, what I think is more and more determined, or described as, um, security behavior change rather than, you know, pure education.
Dan McDermott: [00:23:33] Mm-hmm [affirmative].
Garrett O'Hara: [00:23:34] Um, yeah, and I'm really hoping that the term blackwhaling just takes off, it'll be amazing if we- we got, [laughs], that- that one to stick.
Dan McDermott: [00:23:43] [Laughs]. Well, thank you. I think that sorta concludes our sort of year in review if you like, and some of the key topics that we've seen in security and stuff. Um, but, and hold on the line with us, Brad, for the Q&A session.
But, Garr, it's an opportunity for us to also just reflect on- on the show itself, and the actual, uh, I guess, you know, a year in, 26 episodes, 18 guests in, um, is a fair [inaudible 00:24:07]. Um, so, sort of, I guess, what was the idea behind, you know, the show? And then why we sort of think that, you know, it's something of relevance and importance in- in the local market.
Garrett O'Hara: [00:24:17] Yeah, like, I- I remember the initial conversations, I mean it does, I mean, as- as quickly as the time has gone, it does seem like so long ago, given how much has happened, and how many episodes have happened, [laughs], in between.
Dan McDermott: [00:24:28] [Laughs].
Garrett O'Hara: [00:24:28] Um, like, I remember having the conversations with you, and Gregor also, around, like, what- what is it? And, I think the three of us were absolutely agreed that what it can be is, like product pitch, or, you know, Mimecasting stuff. Like the- the- the opportunity to start doing something that can add value back to the community, which I think is important to, you know, God, it sounds so cheesy saying this stuff, but, like, at a personal level and, you know, the reason you turn up to do a job every day. Um, you know, there's- there's the job, and then there's the stuff that actually, um, makes you feel good as a human.
Um. I think that was, like, for me anyway, that was kind of a core part of it. Having good conversations on the broad topic of cyber resilience, that would add value back to a community of people here in Australia. And, um, and look, I f- you know, I- I know we kind of co-host it, but I feel like we've done pretty well, you know, in one year. Actually, you've got the- the list of people who have, you know, who've been on. Like, incredibly generous of their... to spend their time with us, incredibly generous with the insights that they've had. Um, and what I particularly like is that we achieved one of the big things for us, which was going broad. You know, lots of different, um, technology, uh, guests, and as I'm looking at them there, [laughs], academics, we've got a few of those.
Um, I'm impressed with the fact that we've had two doctors on. You know, like that's particularly nice, [laughs].
Dan McDermott: [00:25:49] [Laughs].
Garrett O'Hara: [00:25:49] We've had an- an actor, um, in Drew Freed, who's the Human Error guy. You know, people from cyber insurance, CEOs, um, just such a broad range of, uh, interesting conversations and, look, at a personal level, you know, I've, you know, said this and made the joke, I'm Irish, you know, stick me with a pint of Guinness and a person, and I'm happy to talk for hours about anything. But cyber security is just one of those topics that I've, you know, it just keeps giving, you know, so I think, I feel very lucky and, um, not to sound cheesy, but quite honored by the- the fact that these people have taken time to- to come and talk to us.
Dan McDermott: [00:26:24] Yeah, definitely a huge shout out, and thank you to all of our amazing guests. It's, uh, and you know, it's people who have written books on the- on these topics, and that ride, and, like you say, have done extreme research, or leading, you know, vendors or CISOs in their own right. So it's, uh, it's been an incredible group and, um, I think, you know, I've certainly learnt a lot along the journey as well, in terms of, you know, being... having the privilege to sort of meet these people, and have these conversations, obviously they know what's happening, has been- has been pretty amazing.
And, um, but I think there's one thing that has, sort of, I guess, underpinned everything, um, is- is that, you know, as much technology as there is, and as much of, you know, what we try to look at from a tech point of view, it does come down to being about people, so often, Garr. And I think that many of the conversations that you've had, um, are around, you know, the challenges of skill shortage, of burn out, of the stress of the role. Um, knowing that, you know, you're under attack all the time. Um, it's not an easy thing to [inaudible 00:27:21] when you wake up every day.
So, it's a... the role of- of the incredible sort of people across our cyber resilience community is, um, I think, one of the key aspects as well.
Garrett O'Hara: [00:27:31] Look, I- I cannot agree, uh, with you more. Like, as I think back over the interviews, so often, um, you know, when- when you think about successful CISOs these days, one of the key, kind of, characteristics you're going to see there, is that they're people focused, and by that I mean that they care about their teams. They care about themselves, because, it's like the old thing of, um, you have to put your own mask, uh, your mask on before you can help other people. And it's, you know, probably a little bit similar there.
Um, but they're incredibly good at navigating the human side of their organizations. They understand the power of allies, they understand getting buy in, and actually Phil Zongo, and, like, a- a few people have talked about this. Um, Chirag, um, talked about this, Dr. K Jerome, like, that thing of getting buy in from your organization for any program for cyber resilience. And to get buy in, it's like anything, you have to be able to- to, uh, influence. And to influence, you have to be some version of good with people, you can't, um, show up with the- the statistics and the information and expect change, we know that just doesn't work.
So, I think you're, uh, you're spot on Dan. Um, and one of the things I think is important to talk about, and- and you just mentioned it, is the, uh, the- the burn out, the, um, the incredible stress that we know from conversations the security leaders out there face on a day to day basis. And, um, how often, um, lit- sometimes literally, they, you know, the continuing operations of the company depend on them making the right decisions in challenging circumstances.
Um, yeah, in, like, the... it is all about the people, I don't think that's going to change, the, you know, the- the regards to what amazing technology gets produced in the next 12 months or two years, like, how do we get away from people? I- I don't think we can, or would want to, you know?
Dan McDermott: [00:29:19] Absolutely, and I do think it is, um, I guess we all need to be- be a bit vulnerable as well, right, that, um, uh, one of the articles that we did publish, was around the emotional toll of cyber resilience. And, um, uh, I- I put up a post, um, with that, uh, just regarding some of my own struggles, um, e- earlier this year. And, just sort... with the team that I lead, and some of the things that we've gone through, and then some of the- the challenges, and- and feeling under pressure. And, uh, um, and it was... it's by far the most, sort of, reacted to LinkedIn post that I've had.
Um, you know, thousands of views and hundreds of, you know, sort of, people engaging with that and commenting on it, and that type of thing. It was real- just really, um, sort of, humbling to- to see, you know. But, um, I think it, sort of, showed that it struck a chord as well, right, that it is, like, this is something that we're all faced with and, um, you know, you put on a brave face and- and try to, you know, do all the right things. But, uh, you know, the stress does take its toll as well, and everybody does need to look after ourselves, and each other, I think, in this as well, it's really important.
Garrett O'Hara: [00:30:18] Yeah, absolutely. I think, you know, one observation, if there's a positive with COVID, it's actually that in some way we've all become much more human. Because, I know, you know, I get to see people in their home environments, I get to see their kids jumping on their lap or, you know, the dog barking in the background. Or, you know, the fact that, um, I think in some way it's forced us to drop the- the pretense of who we are when we show up to an office. And, you know, not- but not that we become completely different people, but the idea of, um, putting on a brave face, work face, versus then, you know, going home and, uh, you know, hitting the turps because you've had a hard day. [Laughs], and do, you know, doing that to end a day out.
But, um, I think there's an honesty that's come with COVID that is pleasant, and I think it's helpful and hopefully, you know, if- if there's a good thing that comes from COVID, it's the fact that we- we all realize that, you know, we- we're human, you know, there's no robots out there.
Dan McDermott: [00:31:11] Indeed. I think that's a- a good way to finish the first bit of our [inaudible 00:31:15] and start to open it up to, uh, to- to questions. Um. We have had the first one, sort of, come through from one of our, uh, honored guests, uh, who was on the show not so long ago, Prescott Pym, from, uh, Verizon. Um, Prescott, as I said, he may have to drop off, uh, 'cause he's got other meetings as well. But just want to- want to think about the future of identity around cyber security.
"Are we too fragmented in various identity management platforms? Do we need one ring to rule them all?" So, excuse the, uh, Lord of The Rings reference there. So, particularly thinking about, sort of, you know, the average person on the street. So, how do you, sort of, how you look at id- identity? And it- its role, and how do we, sort of, you know, like, make the most of that going forward?
Garrett O'Hara: [00:31:57] Yeah, that- that is an excellent question. And, uh, and again, [laughs], one of those ones with no simple answer. Um, so- so where my head goes with that stuff is, as soon as you get to, like, one- one ring to rule them all, that's a single point of failure, and if that gets popped in some way then you've got, sort of, big issues. So I don't know if there's a way to do one ring to rule them all but, like, in some distributed way?
Dan McDermott: [00:32:20] [Laughs].
Garrett O'Hara: [00:32:20] Um, I think it's almost like, for me, it's a thought experiment more than anything else. Because you get into the politics of identity and, you know, if it becomes mandatory. Like, you know, that they... wasn't it Australia where they tried to bring in the identity card? The government identity card? And-
Dan McDermott: [00:32:36] Yeah, don't mention that, yes.
Garrett O'Hara: [00:32:38] [Laughs]. Okay, yeah.
Dan McDermott: [00:32:40] [Laughs], that's failed at least twice or three times if I can remember, so.
Garrett O'Hara: [00:32:44] Yeah, and, like, it feels like there's a natural, like, re- reluctance to- to many of those kind of things, despite the efficiencies that, uh, it would give.
Dan McDermott: [00:32:51] Mm-hmm [affirmative].
Garrett O'Hara: [00:32:51] Um, so I can see, like, there's lots of pluses or, you know, potential pros to something like that, if it was done really well. The simplicity would be incredible. Um. But, I'm just a big believer in there's no such thing as perfect security, unless you want to talk about one time pads which are, you know, they- they... yes, they work, but they're not really practical. And, you know, th- this sort of stuff, um, yeah, I don't know if there's a simple answer.
You know, we're starting to edge towards that with the, um, the ubiquity of things like, uh, Facebook and Google, and being able to use those for logins to other places. But that's not really the same as, kind of, ID management so, yeah. I- it... yeah, I don't have a... I wish I had a really insightful answer to that one-
Dan McDermott: [00:33:34] [Laughs].
Garrett O'Hara: [00:33:34] ... but it's, um, you know, a bit stumped.
Dan McDermott: [00:33:36] Does multi factor authentication help in this as well? Like, if you, you know, does that add to that extra layer of- of security to, you know, more of a singular, sort of, identity platform?
Garrett O'Hara: [00:33:48] Yeah. Um, it definitely does. And then it's into, like, do you use... I, so I have a YubiKey, which, um, I absolutely adore, um, I just think they're the best things that have ever happened. Um, actually, Lucy, who was on the call, and still is, uh, kindly gave it to me. Um, so Lucy's a Mimecaster, but I saw it on her desk while I was in Melbourne, and I said, "Hey, this thing is unopened, and, uh, I don't know if you're the kind of person that's into YubiKeys, can I have it?" And she said yes, and it's on my keyring still. Um, those kind of things are- are incredible, you know, as a way to, kind of, validate as a second factor.
Probably really good for account resets, rather than day to day, for me personally. Um, things bi-, uh, like biometrics, um, you know, that's an interesting one. Uh, you can't change your, you know, your fingerprints and your face so, I don't know if you're going to use those for ID? Uh, or your blood group, um, you know, like, what happens there? Uh, it all feels a bit Minority Report, if I'm honest. Um, I'm probably somebody who wants to, you know, deep down in my heart, run away into the hills and live in a wooden cabin with, you know, a vinyl record player, and their guitar, and not, [laughs], you know, not have technology. But, um, I definitely appreciate the- the value that it brings. So, yeah.
Two factor, yes, not SMS though. [Laughs].
Dan McDermott: [00:35:06] [Laughs]. Yeah, well, maybe, uh, the work from anywhere will give... might give you that, uh, opportunity to- to go to that, uh, that country cabin as well, no, I didn't do that. You will need technology and connectivity though, to- to continue from there.
Um, are there any other questions that they, uh, have, before people who, like we said, to, uh, sort of raise your hand and, uh, and we'll get to take you off mute, or, uh, use the- the Q&A or chat function to, uh, to ask questions as well.
Certainly, uh, keen to- to get your thoughts, and I think, uh, it looks like you still have to do some training with Lucy on the YubiKey as well, um, so she's not quite sure how it works, but definitely a part of it.
Got a, uh, a question come in from Matt as well, uh. It's a s- it's a sort of, a generic sort of overview one, right, like, "What's the most worrying thing then for security risk for employees working from home?" Um, I think that's- that's something that is on everybody's mind at the moment. Brad, did you wanna, uh, kick off that one?
Bradley Sing: [00:36:06] Yeah, I think it's, uh, [laughs], it's a, look, it's a very broad question, so what is the most worrying security risk for employees from home? I think the biggest thing I've heard is visibility. Um, before you had everyone effectively accessing your corporate systems via your network. And we talk about things like VPNs, and if anyone here has ever tried to enforce VPN usage for their organization, they might have struggled in the past. Um, people just don't like doing it, and the problem is, is then you've got all this traffic which is suddenly going through, well, their home internet connection, not going through your- your file or anything to that effect.
So you've got no login, and absolutely no visibility. I'm not saying every organization or every company's in this spot, but the number one thing I keep hearing is, "We've moved everyone, they're working from home, we have absolutely no idea what they're doing." Um, and I think that's- that's the big risk.
Dan McDermott: [00:36:56] Okay.
Garrett O'Hara: [00:36:56] [Laughs].
Dan McDermott: [00:36:57] [Laughs].
Garrett O'Hara: [00:36:57] But you always have Zoom, you know, you'd think, uh, this- this far into COVID and how much remote stuff we- we've done, that there'd be some body language signal that we would all know to- to, um, that we're going to speak. So, um, yeah, I think Brad is- is spot on there. Um, I just literally this morning, was reading stats from, um, who's the IT News distributor, we did with him, actually, Dan. Where they, one of the stats, and hopefully- hopefully I'm not, like, stealing your thunder from this stuff. But, um, it was 5% of the respondents had, uh, called out that they had seen a breach related to work from home.
Um, but the follow-on stat which was more worrying, was that 31% of the respondents didn't know, and I think there's something in that, you know, it's not the same as having your traffic flow through a, you know, perimeter, where you can do some sort of analysis. Uh, well, depending on how you're set up. But often, um, and the fact that, you know, laptops are sitting at home behind home grade ADSL routers, probably with out of date firmware, that's probably already been popped by some, [laughs], state nation.
Um, you know, like, there's- there's so many things that, um, I think is a bit of a worry from the security perspective. Including, and one of the things that, um, has come up on a few panels is; a lot of the Australia population, certainly the younger population, are in share houses. So the physical security side of that, when you've got, I don't know, I mean, I- I certainly did it, and, [laughs], you know, way back in the day, there was 14 of us living in a three bedroom apartment in Coogee, um, so, like, I- I know how that goes.
Um, you know, life- life has moved on luckily, but, you know-
Dan McDermott: [00:38:34] [Laughs].
Garrett O'Hara: [00:38:34] ... the reality is if I was doing this gig back then, that is not a safe environment, uh, for me to be working in, and, um. You know, the- there's a lot of things I think to- to consider when it comes to the- the big risks for people working from home. Um, yeah, and- and awareness training is another one that's come up consistently, is the- the risk of distraction, anxiety, um, the quality of the lures that are happening at the moment. They're incredible, like, they're so, so spot on in terms of brand-jackings. So, um, you know, combine the perfect storm of anxiety, distraction, kids, dogs, you know, neighbors, uh, turning their washing machine on at weird times, whatever it is. Um, combine that with the huge volume increase in attacks, but the sophistication and the- the perfection of the attacks these days, and, ooh, yeah, like, it's... not to get all negative, but it's- it's definitely a bit of a worry.
Dan McDermott: [00:39:28] Sure. Yeah. Got some final questions, thank you Matt for, uh, for- for putting some questions into the Q&A as well. So, um, one is around the $1.3 billion from the government, is that enough to solve the Australian cyber security problems? And, uh, do they need to provide more?
I think, my guess, my take to start this one off is- is a little bit around what, uh, what is it that they're focused on? And I guess the government in particular is just focused on that, um, that deterrent side, so to try to stop things in the first place. So, looking at things like legislation, and protection mechanisms, and then also, I think, the notion of, um, deterrents in that in terms of, like, you know, actually catching the bad guys and stuff.
So, a lot of the investment, you know, and from a government perspective, is looking at things like, you know, employing hundreds of people at the ASD to be able to stop cyber criminals, track them down. Um, be able to stop them, and have legislation that's in place to allow them to be prosecuted effectively as well. To, sort of, go with that deterrents factor. Um, but they also talk about, um, the need for, you know, uh, cyber security for- for all. And for, you know, for SMBs and available to everybody to be able to access, you know, the best technology that's possible, in order to protect them.
Um, but there's no detail on that, sort of, from a funding point of view, or how people will get that. And Garr, I think it sort of comes back to what you were talking about earlier regarding the, you know, the fact that, you know, people- people all want access to the best technology, they wanna be as secure as possible. Um, but they don't necessarily feel like they care, either through sort of cost or complexity, right? And, um, so I do think that there's a role, um, I guess, there, and- and the government has flagged it, but haven't actually, I guess, detailed a, you know, particular, sort of funding, uh, mechanisms or policies around how to enable, sort of, in particular, SMBs, to get access to- to best of breed technology.
I think the other area though, that- that hasn't been addressed, and is one that is something that's worth exploring is, I- I think it's time now that we could look at something, like, akin to a slip-slop-slap campaign, or a- a life be in it campaign, for that co- that awareness training. And- and behavioral change that needs to happen at every level.
Um, and, you know, raise it on... the national conscience is raised, but how do we capitalize on that at this time? And, sort of, you know, look at, sort of, you know, a broad based, sort of, neo-media campaign, with a technology platform to deliver this behavioral change to really get everybody across what that change looks like, and it relates to work from home as well. Like, I think you could have the best corporate systems but, you know, you log onto your personal email at- at lunchtime to do the online shopping and, bang, you're- you're compromised, right? If you're not aware and looking out for the things that are only attack factors that are out there.
So, I think that there's, you know, there is certainly work to be done, and like you said, Garr, whatever number you take... what was it? Double it, triple it, and you might get close to it. [Laughs].
Garrett O'Hara: [00:42:26] Yeah. Yeah. And- and don't we... well, like, I- I think it's a very human thing to underestimate the cost of... the cost and the complexity sometimes, and, uh, you know, I think there might be something in that. Um, I just want to ref what you said about the SMB space, Dan, 'cause I think you're 1,000% right in terms of the importance of that, and spend. Um, because I think there needs to be, call it a leveling of the playing fields, or, you know, whatever the term is. But they... given that they are sometimes the way into larger organization, I think being smart about how we fund, I don't know what the expression would be, but those- those organizations that, like, from a budget perspective don't have access to good tech, or whatever it might be for cyber resilience.
Like, they need to be funded, um, unless we're all going to stop doing business with them because digital inter- interdependence, means that if they get popped, they're a pretty good way in to a larger organization, and you can just do the stepping stones from a really small, you know, mom and pop organization, get them, you know, jump to, you know, larger org- larger org and that. So, that's a way in. So I think your comments around the... you know, being smart about, yes it's a $1.3 billion, cool, like, where does that go?
And let's not just... let's not fund the organizations that are already in a pretty good place. I think there's something around looking at organizations that, yeah, don't have access to good tech, to bring them up to a level that helps everybody, you know?
Dan McDermott: [00:43:55] Yeah. And spend it to raise-
Garrett O'Hara: [00:43:57] It's... I mean this-
Dan McDermott: [00:43:57] ... the benchmark for all, right?
Garrett O'Hara: [00:43:59] Yeah, absolutely, I- I feel like I just, uh, sounded like I was left of Lenin there for a minute, but, um, you know, it's- it's purely from the perspective of, uh, [laughs], [inaudible 00:44:08], everyone with cyber resilience being better, you know, I think it just makes- makes sense.
Dan McDermott: [00:44:14] Cool. Um, we're heading towards time, but I think we've got, uh, time for one more, uh, question. Matt has written in that bottom, uh, "Do organizations get too caught up in- in the notion of state sponsored attacks? Um, and perhaps use it as an excuse for not improving their security posture?" There's a- a nice political one to, uh, to end on there, Garr, for you.
Garrett O'Hara: [00:44:34] I feel like I wanna run away to that cabin now, and- and sort of-
Dan McDermott: [00:44:39] [Laughs].
Garrett O'Hara: [00:44:39] ... yeah, [laughs], state sponsored attacks don't happen. Um, uh, look, interesting question from Matt. Um, so attribution is an interesting one, actually, this conversation with, uh, Dr. Francis Gaffney, two weeks ago? Maybe three weeks ago. Um, and we actually got into this whole thing of- of attribution and its value. And it's, um, and it's accuracy, if I'm honest, sometimes. And I know most, uh, threat intel teams will have some version of, you know, their level of confidence, you know, high, medium or low level of confidence for attribution.
Um, I think Francis's comments made sense to me in- in many ways, which is, the- the value, if you're doing cyber security, of knowing sometimes who the attacker is, isn't as useful as knowing what their methods are. So, the idea that... I mean, it doesn't really matter if I know, uh, I don't know, like where I live, if there was a local, um, [laughs], like car, uh, car theft gang, for example. And does that help me to- to know that, like exactly who they are? Or the- the existence of them is helpful for sure, 'cause I know I need to spend money on an alarm.
But if I find out that they're, I don't know, they use a, um, I don't know, I've never robbed a car, [laughs], it's hopefully pretty evident from my ability to not go too far with the analogy. But, I don't know, using a coat rack, I've seen that on TV, to, you know, pop the lock and do that old school thing. Cool, so maybe I, you know, once I know that, then I can do something with the door to stop that as an attack vector. But, the important thing is, to know they're using a, you know, a wire hanger, not that it's, um, you know, John Smith and- and Jane, um, Smith from around the corner.
Um, state sponsored is an interesting one though, what I would say on that is, it tends to point to a large spend on the attackers' side. So, it can be useful as a... call it a proxy, for the level of sophistication. Um, because if- if it looks like something is state sponsored, you're probably going to want to pay more attention to it than if it is, um, you know, a 12 year old sitting in Dublin, who's just running a script and happens to get lucky. Um, they're- they need different levels of attention, um, I would say.
Um, but as an excuse for not improving cyber- cyger- um, cyber security posture, I don't think so. Um, because I think most organizations want to do the best that they possibly can. I think we, um, we've had this conversation.
The- the problem tends to not be that CISOs don't nee- don't know that they need to spend more money, or do- do a, you know, a certain set of things. That's never the problem. The problem is, they- they know, they just can't get the budget, and they can't get the buy in from organizations to do it. So, um, but yeah, great question.
Bradley Sing: [00:47:26] Just to jump in there as well.
Garrett O'Hara: [00:47:27] Yeah.
Bradley Sing: [00:47:28] It, uh, for the record, you use a, um, shoestring, they use this quite a lot on the car door.
Garrett O'Hara: [00:47:32] [Laughs].
Bradley Sing: [00:47:32] [Laughs]. Um, might have locked myself out of my car once. Um, but you make a very good point Garr, like, I think, the one thing to- to remember though is, I think, we hear a lot about state sponsored stuff in the media, and you might think, "Oh, my organization's too small," or, "It doesn't affect me." But, if you're a customer of Toll, technically you're potentially part of... a victim of a state sponsored attack. Like, the cause and effect your business infrastructure, no matter how small you are, because of the focus on infrastructure, it affects you guys as well.
So, I think it's imp- too important to highlight a lot of the stuff, um, to our boards, and to our businesses.
Dan McDermott: [00:48:02] Yeah, very true, and, uh, that interdependence is- is critical, right? And it is one of those- those factors that we're, um, we're- we're... that's the world we live in, and we've got to make sure that we're all, uh, like we say, doing our part and being a cy- as cyber resilient as possible.
Um, on that note, I think we'll, uh, we can... we'll close out today's session. Um, a huge thank you to, uh, to our audience, and for everybody participating, and the great questions.
Um, if you haven't, uh, subscribed to our- our monthly newsletter, uh, please feel free to do so at GetCyberResilient.com. Um, you can also get a- a free copy of our- of our book, um, Cyber Resilience for Dummies Guide. Um, so feel free to, uh, to be able to request that as well. Um, you can get it electronic, or a hard copy version as well. So, uh, but thank you very much to, uh, to my co-host today, uh, Garr, appreciate it as always. Brad, thank you very much for your insights. And again, thanks to everybody, and thanks for participating, um, and, uh, please, you know, do subscribe, and we look forward to, uh, to being able to have a conversation with you again shortly. Thank you all, have a good afternoon.
Garrett O'Hara: [00:49:04] Can I- can I just add, before we jump off, thanks to you, Dan, um, like, this thing wouldn't happen, uh, without your support, and I know I say it in every LinkedIn pod, uh, post, but, uh, genuinely appreciate it, um, the support, for what it is, and the, uh, I suppose, the support for the vision.
Um, so thanks to- to both you and to Bradley, like, it's- it's, uh, it's, uh, an absolute pleasure to be able to get to do this every month with you guys. And, um, yeah, massive thanks to all the guests as well.
A huge, not a huge, but we've got a pretty decent size back catalog, is the other thing I would say.
Dan McDermott: [00:49:34] [Laughs].
Garrett O'Hara: [00:49:34] So, um, worth dipping into those and going back to all those guests that you saw on the, uh, the screen before. So, yeah, thanks from- from my side too.
Dan McDermott: [00:49:43] Yeah, no, appreciate it, and definitely, yeah, do check out past- past episodes, and pick out some of your- your favorite, uh, sort of people that you wanna hear from, there are lots of great insights. So again, thank you, and, um, we'll see you all again soon, cheers all.
Garrett O'Hara: [00:49:55] Thanks all.
Bradley Sing: [00:49:56] Thank you.