The Get Cyber Resilient Show Episode #7
As COVID-19 continues to have a huge impact on businesses and people across the globe, hosts Dan and Gar discuss the implications the virus has on cyber security and the many ways that attackers are using this opportunity to pray upon the vulnerable. What do you stay vigilant about and how do you do this? #getcyberresilient #cyberresilience
The Get Cyber Resilient Show Episode #7 Transcript
Dan McDermott: [00:00:00] Welcome to, uh, the latest episode of the Get Cyber Resilient show. Um, I'm Dan McDermott, and joined by my co-host Garrett O'Hara. Yeah, it's certainly... the world has changed a lot since the last time we sat down and, uh, recorded an episode. Only in a- a few short weeks, uh, normally we sit across the table from each other and have this conversation. Uh, today we're both at home, uh, separate homes obviously, [laughs], um, uh, one in Melbourne and one in Sydney, um, using Zoom as our, uh, as our mechanism to, uh, to have this discussion and record the episode. It's crazy how much has changed in a short period of time.
Garrett O'Hara: [00:00:43] It's... it blows my mind to think that sitting, uh, I think about, uh, four weeks ago, how never would have seen this. Um. The severity of the restrictions and just how everyone has, kind of, adopted that work from home, uh, attitude. Um, I think it's- it's good. I mean I have to... if there's a positive to it, I think it's the- the spirit that I've seen and people that we talk to, like, you know, the other organizations that we work with, uh, internal conversations. I think everyone has certainly kept their chin up, and there's lots of very interesting backgrounds that I'm seeing on Zoom sessions; whether there's people's living rooms, and then some of the weird stuff that people have at home, [laughing], and that interesting stuff. And some of the- the funny backgrounds.
One of our colleagues, John McKellar, who'll you'll know Dan, he came on one of our meetings, uh, two days ago, and his background in Zoom he had changed to a supermarket aisle, fully stocked-
Dan McDermott: [00:01:35] [Laughs].
Garrett O'Hara: [00:01:35] ... with Scott toilet papers, and so it's, yeah, just getting a lot of- a lot of laughs. You know, it's, uh, strange circumstances.
Dan McDermott: [00:01:45] No doubt, and the impact is- is on everybody. I mean they're- they're consuming everything in terms of our thoughts, uh, and our news feeds, um, everything that's going on in daily, you know, people are adjusting to- to what's needing to happen. And, um, whether that's, you know, potential school closures, whether it's, uh, obviously, working from home, which many of us are now, uh, uh, doing. Um. The cancellation of events. It's certainly something that, uh, it feels like, uh, we- we're getting somewhere with it, but it, uh, it's hard to know wh- when the end is in sight at the moment, [inaudible 00:02:19].
Garrett O'Hara: [00:02:20] It's... the end feels so far away, right? It's- it's one of those things that has me unsettled personally, it's just the uncertainty of it all. Um, not just what's happening today, but to your points, like, what does this mean six months from now? Or a year, five years from now? Um, I think this is going to be a... it's one of those seismic events that, you know, even I have talked about before. Um, normally that was cyber-security stuff, but actually this is... it's bigger than that. Um, it's in- it's incredible. You know, I've never... obviously never felt or experienced anything like it in my lifetime.
Dan McDermott: [00:02:51] No, no, certainly, uh, not something that we ever foresaw, that's for sure. And it, uh, what's interesting is you spoke about the different, sort of, Zoom, uh, environments and meetings that people have. I think we had somebody in a dressing gown on a call the other day.
Garrett O'Hara: [00:03:03] [Laughs].
Dan McDermott: [00:03:04] So that was, uh, [laughing], that was interesting as well. It's, uh, it- it's it is interesting how, uh, you know, we've had, I've had people in suits on one, um, think they're, like, they go to work, they're all dressed up, um, and, uh, another's just still in their jammies. So it's, uh, it's... that's the way everybody's responding, uh, to this and in different ways, and then trying to find their own way through it, that's for sure. I guess what we have also seen is- is- is, that there is an impact on- on cyber-security as part of it though.
Um, you know, I think we mentioned last time that, you know, that cyber criminals will use anything that they can to- to try to exploit people. Um, and it's been amazing, again, the rise in attacks that have happened. Uh, you know, over this period of time, I think we're seeing, you know, a massive escalation in, sort of, phishing and smishing, fake domains. Um, you know, everything from face mask sales, to, um, hand sanitizer, um, you know, buying toilet rolls on line. Everything else is, uh, is sort of being used as a- as a way to sort of try to, um, I guess, exploit, uh, people during this time.
How are you seeing, sort of, I guess, the challenges from a cyber-security front, uh, during this period?
Garrett O'Hara: [00:04:20] Um, it scares me, is probably the first thing, just given how much of this stuff is going on that, um, people then also have to deal with the cyber-security side of this. Um, there was a really good post this morning on LinkedIn, um, somebody who I'm connected with, and the- the sort of image that a company that posted was, um, you know, no hacker or attacker has ever said, "Not in scope." And I think that's the- the horrible thing about what's happening at the moment is that, you'd think just purely from a moral perspective, not that attackers really, you know, feel that way. But, that something like this would just be that one time where they'd say, "Actually, you know what, we'll leave this one alone." And actually, it's gone completely the opposite way.
And talking to, um, so [Andrew Gosney 00:05:04], who runs our [MSOT 00:05:05] team here locally, and, um, he's seen just this- this huge spike in COVIDS and corona related phishing attacks, as you said. Um, so seeing those, exactly what you said, the social engineering type stuff, it's a CDC release, it's an email from, you know, potentially something that looks like your company with a PDF on guide lines for how to deal with COVIDS, or work from home guidelines, or any of those sort of social engineering lures. Um, just lots and lots of them out there. And then linked, um, LinkedIn for me, has just lit up, uh, with people in our industry commenting on this, sharing, uh, what they're seeing, sharing some of the domains that are out there and used, being used for, um, phishing attacks.
So they're kind of, you know, I think I was reading The Recorded Future produced a report, and there's, like, hundreds of these domains being registered every single day. You know, COVID-19, herbal cures for COVID-19, and- and every combination mentioning, uh, COVID-19. So, um, yes, I suppose it's just... it's definitely time to be super, super cautious. Because I think the last thing we need on top of everything that people are dealing with, is the ramifications of a, either a personal breach on, you know, on a laptop as people work from home and don't necessarily have access to their IT people. Which is another problem. Um, you know, you don't have the ability to just walk over to the desk and- and say, "Hey, this thing looks like it's locked up, can you help?"
Like what- what do we do in a situation, um, where, you know, if there's self isolation, or if we get to the point where it's forced isolation, and that's being policed as it is in other parts of the world. If somebody's laptop gets encrypted, or something catastrophic happens through a breach, um, yeah, I mean, it completely changes the game. The- the playing field is completely different.
Dan McDermott: [00:06:48] Yeah, and- and a lot of those- those emails, I mean, we'd s- sort of say, you know, don't click on things, you know, be cautious and that. Um, but some of the examples that we're seeing, uh, look very real. Um, and at a time, you know, like you say, the notion of it feeling like it's from your own organization giving you tips and guidance on what to do, is something that feels very compelling at the moment. And that- that's, you know, you were like, "Yeah, I need to know this, I want to know what my organization's stance is, where we're coming from. What is our policies, how are we managing this? What is it going to look like, working from home?"
Um, yeah, I think, you know, every person is- is very vulnerable to that at the moment, because it is so top of mind, and so evolving and changing that you do feel like you need to... if you get something like that, you feel like you need to keep up to date. Um, otherwise you fall behind quickly in terms of the response and what is happening. So, there's no doubting that, um, I feel like that... unfortunately, you feel like something's going to be successful, right? And, um, and that, you know, a breach, uh, will occur, and, you know, and that, you know, the ramifications, and how do people manage from that, is going to have to kick into place. And like you say, and it's not, you know, just- just the notion of how it would normally be done in the office either, um, how to do that from a remote perspective. Uh, is something that, I don't know, I feel like it's- it's... it feels inevitable, right, it feels like it's just going to happen.
Garrett O'Hara: [00:08:19] Mm-hmm [affirmative]. It- it's scary. I think about, you know, the stuff that's happening in Victoria. Um, some hospitals there, uh, last year. And- and if you, you know, if you think about that happening now, and the impact that that would have, and- and how that changes the stakes in terms of, like, what we've described as blackmailing. You know, those kind of larger, um, large organizations where it's just not necessarily just plain old [inaudible 00:08:43], but actually it's a hospital and more-
Dan McDermott: [00:08:46] Mm-hmm [affirmative].
Garrett O'Hara: [00:08:46] ... kind of medical facility in today's environments. You know, it again changes the, "Don't pay, or don't negotiate with terrorists," when it's probably all ready an overwhelmed health system, that the last thing they need to deal with is- is that sort of stuff. Um, it's definitely a... it- it has me very, very scared personally, I'll be honest with you. Like, it's quite unsettling. Um, just the-
Dan McDermott: [00:09:06] Mm-hmm [affirmative].
Garrett O'Hara: [00:09:07] ... how, um, how vulnerable we all are. Um.
Dan McDermott: [00:09:13] Definitely so. And- and I think that, you know, one of the other things that, uh... we, sort of, put an article up around it at the start of the month, is- is around, I guess, the emotional tole of, um, cyber resilience in general. And that was before this, right? Before this time. But one of the things that I'd reflected on, as- as I'm sort of doing the research and pulling that together, is just it- it is unrelenting. You know, a lot of CICOs and cyber professionals are- are trying to, you know, stop that attack, protect their organization. Um, and- and it's tiring, right? It feels like, you know, that at some point, "They're going to fail." That, uh, you know, something will get through and, you know, there will be a breach and something will happen.
Um, I think that how, you know, I guess, cyber professionals can actually feel good in this environment, I think is a difficult thing as well. And, um, I don't know if you've got any, sort of, thoughts and tips on, you know, how do, how do we sort of prepare for this, and how do we sort of, you know, allow for the notion that- that, you know, sometimes, you know, things will get through? But it's like, it's also how we respond and what we do from there that will actually help define the success, and help actually, you know, stop the- the rate of burn out that we're seeing with, uh, this constant pressure for, uh, for the perfect, you know, protection of your organization.
Garrett O'Hara: [00:10:38] Yeah, which, I mean, we all kind of know. Unfortunately it doesn't exist yet. And I think that, maybe, is part of the stress that, uh, CISOs... and also it's security leaders, people in our industry in general, probably feel some sense of, um, the task is impossible, but [inaudible 00:10:52], you know, everybody knows that. But the expectation is that you achieve the impossible somehow. You know, perfect protection, no breaches, um. One of the- the lovely things, I would say, I've seen in our industry is the, um, the spirit that's evolved over the last, kind of, four or five years, where, um... and we see this between vendors, where there's a spirit of collaboration and- and sort of working together.
Um, but I also know that that exists within the CISO world, where, within a particular, uh, vertical or industry, I know that the CISOs are generally well connected and will meet up for, kind of, dinners on a regular basis, and have their WhatsApp groups, and, um, I think that's what I, kind of, will go back to, is the- the idea that there's support there, there's people in the same situation. Um, it sounds cheesy, but, like, nobody is into it alone.
Dan McDermott: [00:11:38] Mm-hmm [affirmative].
Garrett O'Hara: [00:11:38] And the challenges that any security leader's facing right now, are broad, and they're- they're common with their colleagues, their peers in the industry, um, and- and for me, I don't think there's a technical or a process solution to this stress. I feel like it has to come back to, um, just fundamentally how people in general deal with stress, regardless, you know, whether it's CISO or somebody-
Dan McDermott: [00:12:02] Mm-hmm [affirmative]. Mm-hmm [affirmative].
Garrett O'Hara: [00:12:02] ... you know, in another high pressure job. Um, that, I- I think it's the, you know, facing the reality of, you have an impossible task and that is understood. Um, and, you know, I suppose the [laughing], the expe- the expectation is that, you know, you do that to the best of your abilities, um, and then know that there's- there's a bunch of people around, um, in the industry who are experiencing the same thing. And I think, uh, you know, I don't want to sound cheesy, but I think sharing that, um, that stress on line is not a bad thing. Um, you know, if you've got trusted peers in your, you know, your LinkedIn groups, or WhatsApp, I mean, I think it's okay to talk about that stuff these days.
Dan McDermott: [00:12:38] Yeah, it's, um, I guess, I put up a post sharing my, um, you know, I guess my, sort of, vulnerability and experience of the moment, and just with things in the team, and feeling quite, sort of, behind and, you know, under resourced, and over worked, and all of those type of things. And, um, um, just as a, I guess, a personal share, it... as a link into the notion of, sort of- of the burnout that other professionals are facing. Um, and the response was- was quite amazing. Um, was unexpected honestly. Uh, just, you know, heard from a lot of people, um, near and far and people that I haven't heard from in a long time as well, um, and that, you know, sort of, reaching out and providing support as well.
And it was, uh, it was quite humbling definitely, and but it does show that there is that community spirit I think. I think, you know, once upon a time, security was seen as- as nobody would talk to each other. That, you know, it's... you can't share, you know, what's happening from a security perspective. I think that's all changed, and so much, in that, um... but like you say that, there's definitely this notion of, uh, of a community that, um, are there to support each other and have each other's backs. And it's not a, it's not a competitive dog eat world at all. It's a, how we're all in this together, and- and how do we do our best to- to support each other, because nobody wants to see anybody go through a breach in those difficult times and that.
I don't think anybody, you know, feels good about seeing, you know, a- a colleague that's going through that, a peer going through that. So, it's definitely, uh the case. And I think it's- it's... I think to me, it also is around that notion of the impossible task. I think the narratives need to change.
Garrett O'Hara: [00:14:18] Mm-hmm [affirmative].
Dan McDermott: [00:14:19] It needs to start with, actually what are we trying to do? And what is a cyber resilient strategy really about? And- and a lot of it is, we spend all our time talking about stopping everything, protecting, doing the impossible. Yet it's really about the response, right? When something happens and it goes wrong, how do we... how are we prepared to respond to that? Um, you know, systems process, but communication, how do we ensure that we keep all stakeholders in- informed, up to date? Uh, and I think that that response is so critical and will actually end up defining the success of many cyber resilience programs. Right?
And I think the... hopefully, while being a very stressful time, will help alleviate some of the stress, because it's not the impossible that's trying to be achieved, it's the management and the reality of the situation that is trying to be dealt with. But I definitely think that a change in the way that cyber and security professionals need to talk to management, to the broader organization, to executives, the board, does need to, you know, change and- and have a big holistic view. And I think many CISOs are trying to do that. Um, but I think sometimes it's- it's not necessarily heard or- or seen as the, uh, the impossible is still expected.
Garrett O'Hara: [00:15:40] And- and to your, uh, points there Dan, I mean, I wonder is part of it why it's not heard or understood, it's, uh, not heard, is because it's not really understood? You know, the importance of the CISO role, for example.
Dan McDermott: [00:15:53] Mm-hmm [affirmative].
Garrett O'Hara: [00:15:53] And, um, I think you and I have probably both talked to CISOs who do things like reporting to finance teams, rather than directly to, you know, the- the, um, CEO for example. Um, and I think that- that changed and we should see that, in my opinion, kind of, uh, um, expedite. I think the change is going to start happening much more quickly with things like this current environment-
Dan McDermott: [00:16:16] Mm-hmm [affirmative].
Garrett O'Hara: [00:16:17] ... where COVID-19 is just so ubiquitous. And, um, you know, to- to your point, the outcome is based on understanding what a CISO role is, would be so much more useful, um, and stop some of that burnout. You know, as you look at them, I mean, that- that survey was quite shocking, the one from, um, from Nominate, the, um-
Dan McDermott: [00:16:33] Mm-hmm [affirmative].
Garrett O'Hara: [00:16:34] ... you know, the folks who look after the .com domain. Um, but, you know, there are 88% reporting high levels of stress, but they're linked to physical and mental health issues then. Um, and- and things like using alcohol to kind of get through the day, I'm definitely partial to, like, a fairly regular negroni, but, you know, so far I feel like, [laughing], it's not become a- a crutch. Um, but yeah, you know, not- not to take it too lightly but, um, like it's worrying; that level of stress in an industry, I find that shocking.
It... you know, I almost feel like you could swap the word CISO, like, for your doctor, and- and would expect similar kind of stats. You know, it actually seems like that- that kind of level and- and related stress. It- it's quite shocking.
Dan McDermott: [00:17:19] It is, and- and I think you're right in terms of, like, that is it, is the role and the challenge understood, you know, by executive? Probably not. Um, and- and how do cyber professionals take the lead on- on taking control of that narrative, changing that conversation? Um, making it a, you know, a... bring it in the language that I do think that they understand, which is- is risk. And risk mitigation, and risk management-
Garrett O'Hara: [00:17:45] Mm-hmm [affirmative].
Dan McDermott: [00:17:45] Um, you know, I think is sort of the bridge in many ways, that if we can start to use that and frame what we're doing from a, from a cyber protection, or an awareness training, or a, you know, a remediation point of view, or whatever, you know. From that- that stance, and put that in the frame of risk mitigation, risk management, and, I think then executives who understand that world, understand that language, and can be a bridge to, um, having a better view of what- what the role is there to do. And how it actually manages through a difficult time, whether that be, just where we're at at the moment, or just be a breach itself as well.
Garrett O'Hara: [00:18:24] And do you... here's a question for you; do you think with what's happening right now, um, that the "She'll be right," attitude may start to change in Australian society? Because, I mean, I love it in a ways, it- it's lovely, it's relaxed, and then, when things like this happen, it's- it's the part of me that goes, you know what? Sometimes she won't be right, and I think there's nothing wrong with planning for that, um, you know, that eventuality and being realistic to your points around the risk- risk to businesses with, you know, with breaches, with this kind of stuff that's happening at the moment. It's so significant, and just, it- it all seems so strange to me, how, I don't know, it- it- it is literally, like, "She'll be right," sometimes from senior management.
And then, you know, when we talk to cyber leaders, trying to get budget for programs of works across lots of different areas, the- the value's just I think, quite often not really understood. And- and as you said, in terms of risk managements, forget about the, you know, the bells and whistles and the- the shiny brochures, but just purely from the perspective of managing risk for business. It's just, it's astonishing to me sometimes how people will skimp on that. It's like, it's sort of... a friend who years ago, um, boasted to me about buying tires for his car, um, for a ridiculously low price, I think it was-
Dan McDermott: [00:19:42] [Laughs].
Garrett O'Hara: [00:19:42] ... like, 50 bucks a tire, and I'm thinking like, "Of all the things to save money on, is that really," like, "Is that a smart choice?" You know, and it's- it's fine. The vast majority of the time you're driving your car, that makes no difference. But then, you know, something hor-, you know, horrible is happening, you actually wish you'll have spent more than $50 on the tires that you put on your car.
Dan McDermott: [00:20:05] You, look, I mean... I think- I think at the top end of enterprises in Australia, there is a- a strong risk culture, and lot of things are put in place, and- and they'd look at things, you know, I think a more conservative view. But I think when you move beyond that throughout, um, sort of, the economy and society, um, "She'll be right," is- is a thing, there's no doubting that. Um, I think we've seen it with COVID-19, uh, and you know how re, our response sometimes has been a bit slow in the many ways. And many people are, "Oh, she'll be right," and just continue on, and almost boasting that they can, you know, that they're bullet proof, or immune from this.
Um, I think we have seen that change very quickly though as well, right? I think, you know, just go to the supermarket and, um, we see the- the- the change in attitude very quickly, that, uh, um, people aren't thinking that because the shelves are empty. [Laughs]. So people are stocking up and, um, and- and trying to prepare now in- in a response to the mechanism. So I definitely... I've always thought that the greatest risk in this country to our cyber security is, "She'll be right." It actually is the number one, uh, issue-
Garrett O'Hara: [00:21:16] Mm-hmm [affirmative].
Dan McDermott: [00:21:16] ... that I think we have, um, and it's, and it's very hard to overcome, because it's not, uh, it's not a cyber thing, it's not a-
Garrett O'Hara: [00:21:23] No.
Dan McDermott: [00:21:23] ... security thing, it- it... you know, it's societal. So, it is definitely, uh, something that I think this time, might actually bring that to the fore, to realize that planning ahead, being prepared, and having that worse case scenario thought through and in the back pocket, and understood, is probably an important thing to do. Um, yeah, I think that could be, could be a positive out of this, uh, this whole situation.
Garrett O'Hara: [00:21:49] Mm-hmm [affirmative]. Got to, [laughing], got to look for the positives. I think the other thing I will take from it is, um, that you- you just kind of stare, around the people almost being boastful about their behaviors during this time. And, um, because you drive round there's certainly some cafes that are still full of people, and, um, you know, there- there is sometimes a bit of a, uh, "I'm going to do my thing anyway." And I think one of the things that I've been heartened by, is that there we're actually seeing a lot of people understanding the importance of how dependent we all are on each other, uh, at the moment.
Um, and you and I, like, [laughing], we're working from home. I'm pretty sure both of us would be, you know, not fine, but, you know, we'd probably come out okay from getting, um, you know, corona virus, and, you know, we'd recover, but we're doing this not for us, we're doing this-
Dan McDermott: [00:22:35] Mm-hmm [affirmative].
Garrett O'Hara: [00:22:35] ... for older people, and for all the vunr-, uh, vulnerable people in society. And, you know, if there's a tenuous analogy to the service industry world, I think sometimes what we have to do, is yes, protect ourselves, but also by protecting ourselves we're protecting our vendors, our supply chain, our end users.
Dan McDermott: [00:22:52] Mm-hmm [affirmative].
Garrett O'Hara: [00:22:53] And- and so much more than just the organization in and of itself, so. Um, you know, hopefully this, oh, I don't know. Hopefully there's some good lessons and, you know, some things we take out of all of this at the end, and, um, we will become a, become a better country.
Dan McDermott: [00:23:03] Mm-hmm [affirmative]. Well I think, uh, I think on that very positive note, and- and more altruistic view of, uh, of what we can be- become and do, and I guess, improve upon, I think is a... is probably a good way to, uh, uh, end today's sort of conversation. And, sort of, look forward to, you know, what positives we can take out of this. But really I think, most critically and importantly at the moment, is- is continuing, for everybody to- to stay safe. Um, both in terms of the health risk itself, obviously, first and foremost, um, but certainly the cyber risk that this is presenting.
Um, and, you know, and if you think, "She'll be right," and- and haven't prepared, um, I guess, take our- our words of, uh, to heart hopefully. And, uh, you know, I think everybody is responding quickly and reacting to that. And then hopefully we can get ahead of it, um, before anything, um, more significant occurs as well.
Yeah, I thank you again for your time, really appreciate it. Hope everybody listening enjoyed, uh, our conversation around, uh, the current state of affairs, uh, with COVID-19, um, and the implications that it's having on all of us, and on the cyber world.
With that we'll, uh, we'll speak again soon.