Cyber expert not happy with state of cybersecurity today
This week we talk with Eric Jeffery, a cybersecurity SE and host of the Cyber Security Grey Beard podcast, and he is just a little miffed about how organizations are responding to cyber attacks today. It's not so much about how they respond to the attack itself; it's how they communicate what happened to the public – if at all. He's submitting what happened at the LA Unified School District as his case in point. He's a bit fired up, so this will be a fun one.
Mentioned in this episode:
Interview ad
Boy, do we get an earful on this week's episode?
Speaker:Eric Jeffrey talks to us about his opinions about the
Speaker:state of cybersecurity today.
Speaker:We talk about a number of incidents, but the one that really got his
Speaker:blood boiling was what happened at the LA unified school district.
Speaker:And, uh, he's got some interesting opinions on what organizations should
Speaker:do to respond to such incidents.
Speaker:You might want to grab some popcorn for this one?
W. Curtis Preston:Hi, and welcome to Backup Central's Restore it All podcast.
W. Curtis Preston:I'm your host, w Curtis Preston, aka mr.
W. Curtis Preston:Backup, and have with me the guy who, according to my wife, is the only
W. Curtis Preston:reason that I want to get a Tesla Prasanna Malaiyandi, how's it going?
W. Curtis Preston:Persona.
Prasanna Malaiyandi:am good, Curtis.
Prasanna Malaiyandi:I don't.
W. Curtis Preston:You know, she's blaming you.
Prasanna Malaiyandi:It's not my fault.
Prasanna Malaiyandi:I was just telling my wife, I was like, she was like, oh, why don't
Prasanna Malaiyandi:you push Curtis to get a Tesla?
Prasanna Malaiyandi:Like, because I don't push people, I just give them facts.
Prasanna Malaiyandi:They can make their own decisions.
Prasanna Malaiyandi:They're all adults.
Prasanna Malaiyandi:You asked me a question, I give you your, the details.
W. Curtis Preston:Yeah.
W. Curtis Preston:And I, I think, I think I've definitely, I, I'm not sure
W. Curtis Preston:what pushed me over the edge.
W. Curtis Preston:Right.
Prasanna Malaiyandi:
Speaker:getting your car fixed.
W. Curtis Preston:No.
W. Curtis Preston:You know what?
W. Curtis Preston:It was the moment where I thought my car was dead, even though it turned
W. Curtis Preston:out to be a really minor, that's what it was, a really minor thing.
W. Curtis Preston:I, I realized that basically I'm one major repair away from, I've already
W. Curtis Preston:done the most major repair, right?
W. Curtis Preston:I mean, I, I'm at 200 and.
W. Curtis Preston:10,000 miles.
W. Curtis Preston:I've already done the most major repair I could do, which is to
W. Curtis Preston:replace the engine, but the battery's still hanging out back there and the
W. Curtis Preston:transmission's still hanging out.
W. Curtis Preston:So I, I'm, I'm, let's say I'm the value of the car away from
W. Curtis Preston:this car being worth nothing.
W. Curtis Preston:Right.
W. Curtis Preston:Um, I got the really scary warning of.
W. Curtis Preston:Check hybrid system, please pull over.
W. Curtis Preston:Uh, you know, and luckily, I, I was sitting in my garage or
W. Curtis Preston:sitting in my, um, driveway.
W. Curtis Preston:I had caused the problem by doing, um, by cleaning a fan that, uh, it was
W. Curtis Preston:the fan that cools the hybrid battery.
W. Curtis Preston:And by doing that, I had unplugged some stuff, which I, I did, you know, cause.
W. Curtis Preston:Right, because that's the thing to do and well, no, but you're not, you're not
W. Curtis Preston:gonna work on a fan that's plugged in.
W. Curtis Preston:So I unplugged it and I did all the right things, and then I
W. Curtis Preston:plugged it all back together and then it says, check hybrid system.
W. Curtis Preston:And I'm like, oh my right.
W. Curtis Preston:So I.
W. Curtis Preston:I was, and then I decided to go, you know, talk to Dr.
W. Curtis Preston:YouTube.
W. Curtis Preston:And, um, thankfully Dr.
W. Curtis Preston:YouTube had a very simple fix to this very scary error.
W. Curtis Preston:But I think that was the moment where I was like, you know, right now
W. Curtis Preston:my car, like I've had it tuned up.
W. Curtis Preston:I've got a new engine, I've got new tires, I've got a, a, a new paint job.
W. Curtis Preston:Like this car right now is worth the most it's ever going to be.
W. Curtis Preston:At its current life, and it can only go downhill from here.
W. Curtis Preston:And I would say drastically so, and that if I'm ever gonna
W. Curtis Preston:sell it and buy a new car,
Prasanna Malaiyandi:See, you should, but you should be
Prasanna Malaiyandi:like me, like my previous car.
Prasanna Malaiyandi:I just drove that thing into the ground.
W. Curtis Preston:Right.
W. Curtis Preston:But, but, but my point is it could be, I could, the ground
W. Curtis Preston:part could be a day away.
W. Curtis Preston:That's what I'm saying.
W. Curtis Preston:I'm, I'm at 210,000 miles.
W. Curtis Preston:Right.
Prasanna Malaiyandi:At that point you might as well just pour money
Prasanna Malaiyandi:into it, you know, just keep doing it.
Prasanna Malaiyandi:It'll be fine.
Prasanna Malaiyandi:Just kill.
W. Curtis Preston:Are, are you try, are you try, are you trying to
W. Curtis Preston:not be what my wife said You are.
W. Curtis Preston:That's what you're doing, aren't you?
W. Curtis Preston:You're going on record for not talking me into getting a, into getting a Tesla.
W. Curtis Preston:Uh, yeah.
W. Curtis Preston:It's not working.
W. Curtis Preston:Um, especially when I found out there, there's some other
W. Curtis Preston:incentives and stuff that I have.
W. Curtis Preston:Right.
Prasanna Malaiyandi:But, but I will warn you though, given the current, uh,
Prasanna Malaiyandi:political climate and news, it may not be in your best interest to be supporting
Prasanna Malaiyandi:someone with very controversial opinions.
W. Curtis Preston:That is, that is a different problem
W. Curtis Preston:right now with a Tesla for sure.
W. Curtis Preston:Um, just never know what that guy's gonna say these
Prasanna Malaiyandi:Or polarizing opinions I should say.
W. Curtis Preston:Luckily, I don't buy my cars based on my
W. Curtis Preston:political opinions, but, um, yeah.
W. Curtis Preston:Um, anyway,
Prasanna Malaiyandi:That's neither here nor there.
Prasanna Malaiyandi:I'm sure guests is like,
W. Curtis Preston:here nor there.
W. Curtis Preston:Yeah.
W. Curtis Preston:What?
W. Curtis Preston:Yeah.
W. Curtis Preston:Well, it often happens, our guests, they're like, what, what
W. Curtis Preston:podcast did I sign up for here?
W. Curtis Preston:Um, our guests today has been in the industry over 25 years working
W. Curtis Preston:for companies like hp, ibm, and XiO.
W. Curtis Preston:He is also the host of the Cybersecurity Gray Beard Podcast.
W. Curtis Preston:Welcome to the podcast Eric Jeffrey.
Eric Jeffrey:Hey, Curtis.
Eric Jeffrey:Hey Prasanna.
Eric Jeffrey:Thanks a lot for having me.
Eric Jeffrey:It's good to see you.
W. Curtis Preston:I, I see that you're, you're a, uh, a member,
W. Curtis Preston:uh, of a club to which I belong, which is the two first name.
W. Curtis Preston:A first name as the last name.
W. Curtis Preston:Right.
W. Curtis Preston:Um, I bet that's never a problem for you.
Eric Jeffrey:I don't mind it, but my wife and my ex-wife really mind it
Eric Jeffrey:when they, when they're called Jeff, they're like, do I look like a Jeff?
Eric Jeffrey:I, I'm like, it, so I'm cool with it.
Eric Jeffrey:And I'm called things much worse than Jeff.
Eric Jeffrey:But, uh, yeah, it, it, it does become a problem.
W. Curtis Preston:Yeah.
W. Curtis Preston:The, the, um, yeah, I've, I've had, I've had, I've had a number of friends
W. Curtis Preston:where it's like, with me, I think your, is it, does Eric work as a last name?
W. Curtis Preston:I don't, I don't.
Eric Jeffrey:Eric's son does.
Eric Jeffrey:Um,
W. Curtis Preston:Oh, right, right,
Eric Jeffrey:no,
W. Curtis Preston:right, right.
W. Curtis Preston:Because my name's, my name's William Curtis Preston, literally go in
W. Curtis Preston:any order that you want and they all work as first and last names.
W. Curtis Preston:Although generally it would be Williams, right?
W. Curtis Preston:Yeah.
W. Curtis Preston:It's a, it's a
Eric Jeffrey:So you got three and you make it.
Eric Jeffrey:You make it more confusing, so
W. Curtis Preston:Yeah.
W. Curtis Preston:And I go by my middle name just to make it even more confusing.
W. Curtis Preston:Right.
Eric Jeffrey:yeah, there you go.
Eric Jeffrey:Why make things easy for people?
W. Curtis Preston:why may?
W. Curtis Preston:Right.
W. Curtis Preston:Well, we have persona, Molly Yandy here.
W. Curtis Preston:Speaking of names,
Prasanna Malaiyandi:it's simple.
Prasanna Malaiyandi:Come on.
W. Curtis Preston:Yeah.
W. Curtis Preston:Simple for, simple for you.
W. Curtis Preston:Literally every time I'm typing it and I'm like M a l a I,
Prasanna Malaiyandi:I, I think it's the, I, I think it's the number of vowels in
Prasanna Malaiyandi:my name that throw people off, and the fact that there's like an I before the y.
W. Curtis Preston:Yeah, yeah.
W. Curtis Preston:Exactly.
W. Curtis Preston:Exactly.
Eric Jeffrey:Yeah,
W. Curtis Preston:Well, um, we're, we're glad, we're glad to have
W. Curtis Preston:yawn, Eric or Jeffrey, whatever, you know, whatever you want to go by.
W. Curtis Preston:Um,
Eric Jeffrey:I'll answer to either.
W. Curtis Preston:Yeah, exactly.
W. Curtis Preston:I I have the same, yeah, I have the same thing.
W. Curtis Preston:Um, when people call me Preston, it just seems weird though.
W. Curtis Preston:Um, it does seem weird.
W. Curtis Preston:I, I feel like I'm back in the Navy.
W. Curtis Preston:Right.
W. Curtis Preston:Hey, Preston, that, that was never good.
W. Curtis Preston:That was never good to, to hear your name called out like that.
Prasanna Malaiyandi:Does your wife do that too?
Prasanna Malaiyandi:When she gets mad?
W. Curtis Preston:does not, um, No, she just, my wife, I get the silent treatment.
W. Curtis Preston:She, she just doesn't call me at all.
W. Curtis Preston:She's like, she'll just go, she'll just go somewhere else and, and,
W. Curtis Preston:you know, not talk to me at all.
W. Curtis Preston:Um, So, you know, we, we, you know, when I hear about, you know, the cybersecurity
W. Curtis Preston:Gray Beard podcast, uh, which, which I was a guest on, which is very nice.
W. Curtis Preston:Um, you know, we, we don't, we, I don't think of ourselves
W. Curtis Preston:as cybersecurity specialists.
W. Curtis Preston:Definitely not, right?
W. Curtis Preston:But we're definitely cybersecurity enthusiasts, right?
Prasanna Malaiyandi:Anor.
W. Curtis Preston:we.
W. Curtis Preston:Focused?
W. Curtis Preston:No.
W. Curtis Preston:Anac.
W. Curtis Preston:No, we're not quite anex.
W. Curtis Preston:Yeah.
W. Curtis Preston:I think you'd have to actually know something about it to be, to be an
W. Curtis Preston:anac, but we we're focused mainly on like keeping the data, like
W. Curtis Preston:our focus is on the data, right?
W. Curtis Preston:Uh, keeping it safe.
W. Curtis Preston:Keeping it safe from anything that would do with damage, one of which
W. Curtis Preston:is, uh, cybersecurity, uh, breaches.
W. Curtis Preston:And, you know, during the pre-call, You know, we asked if there were some
W. Curtis Preston:interesting, you know, cybersecurity breaches, uh, you know, in ransomware
W. Curtis Preston:attacks that you had, um, you know, been interested in, and you, for some
W. Curtis Preston:reason, you know, I think you seemed to want to talk about the LA Unified
W. Curtis Preston:School District ransomware attack.
W. Curtis Preston:Is that, is that about right?
Eric Jeffrey:Yeah.
Eric Jeffrey:I'd say that's fair.
Eric Jeffrey:I also would say this, I mean, you guys are in data, and data is
Eric Jeffrey:security and data's why we exist.
Eric Jeffrey:If it wasn't for data, what the heck are we protecting?
Eric Jeffrey:So whether it's like identity, identity and access management.
Eric Jeffrey:So I do identity Well, when you're in security.
Eric Jeffrey:Well, I do asset management.
Eric Jeffrey:The funny thing is I think asset management is one of the most
Eric Jeffrey:important pieces of cyber because if you don't know what the assets
Eric Jeffrey:are, you don't know what to protect.
Eric Jeffrey:Nobody is an expert in all areas of cybersecurity.
Eric Jeffrey:I try and know.
Eric Jeffrey:I try to be broad, not deep, and you guys are deep when it comes to data and
Eric Jeffrey:I, I agree with you from the pre-call that the conversation about ransomware
Eric Jeffrey:is probably the most important piece from a data protection perspective
Eric Jeffrey:that, or mechanisms for exfiltration.
Eric Jeffrey:But that is, that's a different story.
Eric Jeffrey:But for you guys with the ransomware and with LA Unified School District, that
Eric Jeffrey:one sticks in my crowd because of who the victims were and the victims are children.
Eric Jeffrey:They're victims of government incompetence at the state level, at the
Eric Jeffrey:local level, and even at the federal level because of, in my opinion, when
Eric Jeffrey:the FBI told them to be quiet and not talk about it, that's a problem.
Eric Jeffrey:You know, somebody made a point when a plane crashes.
Eric Jeffrey:We do extensive investigation to find out what happened when the
Eric Jeffrey:SpaceX blew up the other day.
Eric Jeffrey:They blew it up on purpose because it was veering off course and they're gonna
Eric Jeffrey:do a darn big deep dive into finding out why was it veering off course?
Eric Jeffrey:Why don't we do that with cyber?
Eric Jeffrey:And then when we are way off course, like with what happened in la why
Eric Jeffrey:don't they talk about how it happened?
Eric Jeffrey:I would guess because there's no information on this cuz the FBI
Eric Jeffrey:told them not to say anything.
Eric Jeffrey:I would guess there was a ranch a um, A, uh, phishing attack.
Eric Jeffrey:Somebody sent an email, somebody clicked on something or opened up something
Eric Jeffrey:they shouldn't have, and that allowed a nefarious actor to gain access
Eric Jeffrey:to a system and a person's account.
Eric Jeffrey:And then from there,
Prasanna Malaiyandi:Uh, I was just gonna talk, Eric, just briefly, that
Prasanna Malaiyandi:normally when you watch TV or when you watch a movie and you see all
Prasanna Malaiyandi:these things about hacking, right?
Prasanna Malaiyandi:It's like, oh, they're breaking into the system.
Prasanna Malaiyandi:Right?
Prasanna Malaiyandi:They're attacking this system.
Prasanna Malaiyandi:They've exploited some weakness, but like you just mentioned, right?
Prasanna Malaiyandi:A lot of times it's just a human clicking on a link that they shouldn't have, right?
Prasanna Malaiyandi:That GA allows the bad actor to gain access.
Eric Jeffrey:Yeah, spot on.
Eric Jeffrey:That's it.
Eric Jeffrey:And the studies that I've read is 3% of the population will always click
Eric Jeffrey:on that link or open that attachment.
Eric Jeffrey:No matter what you do to that 3%, they're gonna click on it and I'm, I'm okay.
Eric Jeffrey:Three percent's
W. Curtis Preston:I have some friends in that 3%
Eric Jeffrey:Yeah.
Eric Jeffrey:You know, and, you know, if I were king of the world, those 3% would not be allowed
Eric Jeffrey:to turn on a computer, but I'm not.
Eric Jeffrey:And so they are.
Eric Jeffrey:And they do.
Eric Jeffrey:And we have, and I have a li you know, hell, I, I make a living out of this.
Eric Jeffrey:I make a good living doing cybersecurity.
Eric Jeffrey:But it's frustrating when you feel like you're plugging holes in a
Eric Jeffrey:dam and every time you stick your finger in a hole, two more pop up.
Eric Jeffrey:And then when you want to go find out, well, why are these holes popping up?
Eric Jeffrey:You're told, shh, don't talk about that.
Eric Jeffrey:Just put your finger in the hole.
Eric Jeffrey:I don't wanna put my finger in the hole.
Eric Jeffrey:I don't want the hole to exist.
Eric Jeffrey:And that's what happened with the LA Unified School District.
W. Curtis Preston:Yeah, it, it's, and I, I know that you, you know, you
W. Curtis Preston:mentioned, and, and I'd like you to talk a little bit more about that.
W. Curtis Preston:It, um, you mentioned that there was exfiltration and there was
W. Curtis Preston:really sensitive data that has been leaked of these students.
W. Curtis Preston:You wanna talk about that a little bit?
Eric Jeffrey:Yeah.
Eric Jeffrey:What happened was the outcome, how it occurred, we don't know, but the outcome
Eric Jeffrey:was student data and I believe also faculty and that there were teachers and,
Eric Jeffrey:and adults that were affected as well.
Eric Jeffrey:But I'm more concerned with the kids cuz they're victims
Eric Jeffrey:through no fault of their own.
Eric Jeffrey:And the data was everything I.
Eric Jeffrey:It included their grades, it included their nurse records, so their
Eric Jeffrey:medical, including their vaccinations and their vaccination statuses.
Eric Jeffrey:It included their therapist.
Eric Jeffrey:If they were going to the school counselors.
Eric Jeffrey:It was like everything, anything and everything at the school
Eric Jeffrey:district, the whole LA Unified School district, which I believe is
Eric Jeffrey:the second largest in the country.
Eric Jeffrey:I think there's something like 600,000 victims outta this with
Eric Jeffrey:the vast majority being children.
Eric Jeffrey:Under the age of 18, or certainly under the age of 19, six to
Eric Jeffrey:18 probably is the range.
Eric Jeffrey:And for their rest of their lives.
Eric Jeffrey:I mean, they're gonna have to be worried that their data was out there and
Eric Jeffrey:their grades and their mental health status and they, the recourses here,
Eric Jeffrey:we'll give you LifeLock or we'll give you Equifax for your credit rating.
Eric Jeffrey:What did care about his credit rating?
Eric Jeffrey:You know, God forbid some of these kids when they're 13 or 14, Start to
Eric Jeffrey:become a little more savvy and they go find the data and then they start
Eric Jeffrey:blackmailing their, their, the other students, their peers, I should say.
Eric Jeffrey:This is one of the things that people don't know or don't
Eric Jeffrey:talk about with ransomware.
Eric Jeffrey:It's not the initial hit that's the problem.
Eric Jeffrey:It's the secondary and the tertiary hits that become the problem.
Eric Jeffrey:A lot of these people will either wait years or they won't even
Eric Jeffrey:find the data for years, but it's still your social security number.
Eric Jeffrey:Your grades in the third grade are still there, and if people want to
Eric Jeffrey:come back and start to blackmail you from it, or even worse, they use
Eric Jeffrey:it as a secondary fishing attack.
Eric Jeffrey:In other words, Hey, didn't you go to this school and have this
Eric Jeffrey:teacher in the third grade?
Eric Jeffrey:Oh yeah, I was there too.
Eric Jeffrey:You want to get together?
Eric Jeffrey:Why don't you pay for my plane ticket?
Eric Jeffrey:And then this guy's getting scammed by somebody because it's something
Eric Jeffrey:that happened 5, 10, 15 years ago.
Eric Jeffrey:We still need to be on the lookout for the O P M breach.
Eric Jeffrey:That happened, I believe, in 2015.
Eric Jeffrey:People whose records were taken from that, people whose
Eric Jeffrey:fingerprints were taken from that.
Eric Jeffrey:Those people need to, you know, they need to be aware of it and
Eric Jeffrey:that's why for life these victims need the Equifax of LifeLock.
Eric Jeffrey:But that's just another field.
Eric Jeffrey:It, it's not stopping what's causing this.
Eric Jeffrey:And you know, that's what I do for a
Prasanna Malaiyandi:I think the one thing, going back to what you
Prasanna Malaiyandi:mentioned about sort of not being able to share what happened, right?
Prasanna Malaiyandi:How it occurred, I think Curtis, I know you and I, we've talked about
Prasanna Malaiyandi:this on the podcast, there's not a lot of transparency that goes on, right?
Prasanna Malaiyandi:In terms of a company gets hit by ransomware.
Prasanna Malaiyandi:It's almost taboo to say, oh, I got hit, right?
Prasanna Malaiyandi:And so what everyone does is they sort of sweep it under the rug.
Prasanna Malaiyandi:They silently cover it up.
Prasanna Malaiyandi:Just try to get.
Prasanna Malaiyandi:Things recovered without affecting too many things, and there are
Prasanna Malaiyandi:very, very few people who actually go out there and talk about it.
Prasanna Malaiyandi:Like Curtis, I think the first time I heard about an actual victim of
Prasanna Malaiyandi:ransomware was when we had Tony Mendoza from Spector Logic on the podcast
Prasanna Malaiyandi:talking about like the process as head of it, what they went through trying to
Prasanna Malaiyandi:recover after being hit by ransomware.
Prasanna Malaiyandi:And this is a data protection company recovering their internal systems
Prasanna Malaiyandi:after being hit by ransomware.
Eric Jeffrey:Yeah, and we are all told not to talk about it, and I'm very
Eric Jeffrey:sensitive when I discuss situations that I've been involved with.
Eric Jeffrey:I don't mention the client's name and.
Eric Jeffrey:You know, that's out of, you know, courtesy for them.
Eric Jeffrey:It's also about NDAs that I've signed and in certain instances, non-competes.
Eric Jeffrey:And I, I could understand not naming the company, that may or may not be necessary,
Eric Jeffrey:but we need to talk about how it happened and maybe we have a naked database.
Eric Jeffrey:It says school district one, school district to school district.
Eric Jeffrey:Three and what we need and what IBM had started to do, but I don't think anything
Eric Jeffrey:came of it was create a database of these attacks that's based on vertical markets.
Eric Jeffrey:So the financial services sector can work with each other and say, Hey, how are
Eric Jeffrey:other financial services being affected because that attack is coming my way.
Eric Jeffrey:Hospitals, how are you getting into hospital?
Eric Jeffrey:Hospitals and what are you taking over in those hospitals?
Eric Jeffrey:We need all these healthcare organizations communicating, and if you wanna scrub
Eric Jeffrey:the name from an attack, fine, but at least put the database together, have
Eric Jeffrey:an open conversation about the attacks.
Eric Jeffrey:Again, it goes back to what happened when the challenger shuttle blew up in 86.
Eric Jeffrey:It was because of a faulty O ring.
Eric Jeffrey:That was almost 30 years ago.
Eric Jeffrey:I know about the darn O ring.
Eric Jeffrey:How many other space shuttle manufacturers know about that O ring?
Eric Jeffrey:Well, why don't we know about the O ring that caused L A U S D to get hacked?
Eric Jeffrey:What was their O ring?
Eric Jeffrey:I want to see that and I want to see it documented, and I want
Eric Jeffrey:it to be a searchable database.
Eric Jeffrey:And the reason that they don't, and I'll be very fair to the other side, we don't
Eric Jeffrey:want to tell the hackers what's working.
Eric Jeffrey:Sorry guys.
Eric Jeffrey:The hackers already know what's working.
Eric Jeffrey:So how about we stop shooting ourselves in the foot to protect
Prasanna Malaiyandi:feel though that maybe some of these things
Prasanna Malaiyandi:in terms of uh, not publishing how it happened is potentially
Prasanna Malaiyandi:because they don't actually know?
Prasanna Malaiyandi:Cause either logs were lost or other things were compromised and
Prasanna Malaiyandi:that's kind of a reason why they don't want to talk about it as well.
W. Curtis Preston:I do understand the other side of the argument, right?
W. Curtis Preston:That.
W. Curtis Preston:It's, it's, it's two things.
W. Curtis Preston:It's, we don't want to tell the, the bad guys what works.
W. Curtis Preston:We also really don't want to tell them what worked here.
W. Curtis Preston:Right.
W. Curtis Preston:How did I get hacked because maybe I haven't fixed the reason I got hacked.
W. Curtis Preston:Whatever, whatever that was.
W. Curtis Preston:Right?
W. Curtis Preston:Um, so I understand, you know, it's, it's, it, it a lot, even when,
W. Curtis Preston:when I've listened to or talked to.
W. Curtis Preston:People that give details about, they do seem to keep that
W. Curtis Preston:one piece, uh, to themselves.
W. Curtis Preston:They don't tend to give the, the,
Prasanna Malaiyandi:like, it's like a police, right?
Prasanna Malaiyandi:When you're investigating a case, you always keep that one piece out
Prasanna Malaiyandi:from public, right from the news, just so you could figure out, did
Prasanna Malaiyandi:someone actually do something or not?
Eric Jeffrey:There's, I agree with you both, and there's two schools of thought.
Eric Jeffrey:I'm fine holding back that one secret piece of the sauce.
Eric Jeffrey:Twitter did a great job, and I'm not a Twitter fan at all, but I've
Eric Jeffrey:spoken about this at conferences.
Eric Jeffrey:I've written about this, and the way that Twitter handled their
Eric Jeffrey:hack was fantastic because they did two very important things.
Eric Jeffrey:They told us exactly what happened.
Eric Jeffrey:And then they apologized.
Eric Jeffrey:I, it was stunning.
Eric Jeffrey:I mean, Twitter said, and above all else, we're sorry.
Eric Jeffrey:Thank you.
Eric Jeffrey:Twitter.
Eric Jeffrey:I'd like for the LA Unified School District to step up and well one fire
Eric Jeffrey:people because what happened there was criminal by far criminal, the negligence
Eric Jeffrey:of what they do there and what they did.
Eric Jeffrey:It's just no matter what side of it is to share, nothing.
Eric Jeffrey:Not even to say it was a Phish attack and somebody got a link with an attachment and
Eric Jeffrey:blah, and it was this group that did it.
Eric Jeffrey:Come on, man.
Eric Jeffrey:I think they may have finally came out and said Who did it?
Eric Jeffrey:I might have been North Korea, but don't, don't quote me on that.
Eric Jeffrey:It was last year and I am getting old and forgetting things, but
Eric Jeffrey:my, my view on it is you still need to tell us what's going on.
Eric Jeffrey:I want to know what type of lateral
Eric Jeffrey:movement.
Eric Jeffrey:You don't need to tell me the name of the employee that got hacked.
Eric Jeffrey:That's
Eric Jeffrey:not important.
Eric Jeffrey:But knowing that a, a, a secretary or whomever it was that clicked on something
Eric Jeffrey:that they shouldn't, we need to know so other people know not to click on that
Eric Jeffrey:link.
Eric Jeffrey:It's important because I say 3% of the people always click on
Eric Jeffrey:it.
Eric Jeffrey:I've seen phishing surveys coming
Eric Jeffrey:back with 27% of the company.
Eric Jeffrey:So if you have a hundred thousand people, 27,000 people clicked on a link.
Eric Jeffrey:And it only takes one.
Eric Jeffrey:Okay.
Eric Jeffrey:So if you can get it down to 3%, you're still dealing with 3000 people
Eric Jeffrey:you know, knowb4
Eric Jeffrey:and, and that organization, they do these studies, they do these surveys.
Eric Jeffrey:I'm a very big fan of that company.
Eric Jeffrey:They do important work training people, but when even they say
Eric Jeffrey:there's 3% we can't reach, I.
Eric Jeffrey:That's where some of the technology needs to come in.
Eric Jeffrey:But in the end, the human is the weakest link in the chain of cybersecurity.
Eric Jeffrey:And the reason that I do my podcast and the reason that I join and talk
Eric Jeffrey:with you guys is to help people understand we all are cyber defenders.
Eric Jeffrey:We all need to.
Eric Jeffrey:Affect change.
Eric Jeffrey:We all need to do something, uh, different and, and make and, and
Eric Jeffrey:protect ourselves, our loved ones, our families, our kids, and students.
Eric Jeffrey:And that's why, you know, when I was at b m we did a, a wonderful thing for the
Eric Jeffrey:Denver School District and that was to go do an evaluation to help them know where
Eric Jeffrey:they need to strengthen their themselves.
Eric Jeffrey:And I b m gave out six grants like that, and everybody needs to act
W. Curtis Preston:What I worry about when I think about the aftermath of
W. Curtis Preston:this particular attack, do you remember the Ashley Madison hack, right?
W. Curtis Preston:Right.
W. Curtis Preston:Do you remember, do you remember the aftermath of that?
W. Curtis Preston:There were suicides right now.
W. Curtis Preston:Now these were not innocent victims, right?
W. Curtis Preston:These were, you know, by design.
W. Curtis Preston:These were people looking to cheat on their, their spouses.
W. Curtis Preston:But, um, I can see that happening here, right?
W. Curtis Preston:So if, if children were discussing very sensitive things with their, um, you know,
W. Curtis Preston:their counselor cuz that's what you do, uh, and then that information was leaked.
W. Curtis Preston:I can see.
W. Curtis Preston:Um, you know, I can see kids that were, that.
W. Curtis Preston:are not out, that are gay, that talked about that with the counselor.
W. Curtis Preston:I can see all kinds of
Prasanna Malaiyandi:
Speaker:And kids are mean too.
W. Curtis Preston:their counselor that is now, and kids are, kids are horrible.
W. Curtis Preston:So I can, I can see suicides.
W. Curtis Preston:Yeah.
W. Curtis Preston:So I do, I do think that the, um, you know, we focus mainly
W. Curtis Preston:on the, the making sure that the data doesn't disappear forever.
W. Curtis Preston:Um, but I do think that the, the double extortion attack where there,
W. Curtis Preston:you know, is the absolute worst, and that that's perhaps where the front
W. Curtis Preston:end defense money should be spent.
W. Curtis Preston:Right?
W. Curtis Preston:In detecting exfiltration, it is possible to detect exfiltration, but I don't
W. Curtis Preston:think that, I think that too much money is being spent on stopping the attack.
W. Curtis Preston:And not enough on stopping what happens after the attack.
W. Curtis Preston:Right.
W. Curtis Preston:Basically a a, a stronger assumed breach sort of setup Right.
W. Curtis Preston:Mentality.
W. Curtis Preston:Yeah.
Eric Jeffrey:I heard something recently, and I wanna say that this came from
Eric Jeffrey:Microsoft, from a friend of mine.
Eric Jeffrey:She told me about making.
Eric Jeffrey:It impossible to encrypt encryption.
Eric Jeffrey:In other words, if you have already been encrypted with one format,
Eric Jeffrey:you can't encrypt it in another.
Eric Jeffrey:And based off of that concept, you could not have ransomware because you
Eric Jeffrey:can't encrypt what's already encrypted.
Eric Jeffrey:You said something, Curtis, it's important about double extortion, and
Eric Jeffrey:I don't think a lot of people know what that is, but what you're talking
Eric Jeffrey:about is the first extortion is give us the money, or we're not gonna
Eric Jeffrey:give you the key to unlock the data.
Eric Jeffrey:And the second piece is, okay, we're not, you're not gonna, now we're gonna
Eric Jeffrey:extort you by leaking the data anyway.
Eric Jeffrey:So that's the double extortion.
Eric Jeffrey:And I will tell you for an absolute fact, I've been doing
Eric Jeffrey:this for 25 years at least.
Eric Jeffrey:Where do you spend your money on the front end?
Eric Jeffrey:On the back end?
Eric Jeffrey:Is it on encryption?
Eric Jeffrey:Is it on data protection?
Eric Jeffrey:Is it on backups?
Eric Jeffrey:That is a huge debate and I have not found an organization where I believe.
Eric Jeffrey:That they do it really correctly.
Eric Jeffrey:They're, they're not looking at the proper use cases and
Eric Jeffrey:use cases on data protection.
Eric Jeffrey:And data exfiltration is really where you should focus you.
Eric Jeffrey:You hit on something really powerful, but it's not just about the kids.
Eric Jeffrey:Imagine a kid's talking about parent abuse.
Eric Jeffrey:Their caregiver is abusing them.
Eric Jeffrey:Now the caregiver finds out that the kid told that that puts the
Eric Jeffrey:kid and the counselor at risk.
Eric Jeffrey:If this abuser finds it.
Eric Jeffrey:Where is the data?
Eric Jeffrey:How do people find the data?
Eric Jeffrey:And who's gonna go looking for it As time passes and people learn more about
Eric Jeffrey:this, and as they get older, they're gonna go look for it and they're gonna
Eric Jeffrey:find it and it, and there is, you know, forget the double extortion.
Eric Jeffrey:Now you've got what I would say are kinetic threats,
Eric Jeffrey:losing some money that's bad.
Eric Jeffrey:Kinetic threats.
Eric Jeffrey:That can be a hell of a lot worse.
W. Curtis Preston:Yeah.
W. Curtis Preston:In this case, there could be multiple.
W. Curtis Preston:Uh, extortions, Right.
W. Curtis Preston:The, the initial extortion was against the, the l e ost, but the, you know,
W. Curtis Preston:you're talking about kids be kids that become adults and they're, you know, it's
W. Curtis Preston:like, because this information threatens their future employment status, depending
W. Curtis Preston:on what we're talking about, um, that they could be, they could be extort.
W. Curtis Preston:And the, the thing about that kind of thing is, It's not the same as, you know,
W. Curtis Preston:we call this ransomware, but the, the big difference between this, the, the idea of
W. Curtis Preston:ransom and the, the, the, the OG ransom.
W. Curtis Preston:Give us your money and we'll give you your kid back.
W. Curtis Preston:Uh, in this case, no matter what they pay, they can't put that
Prasanna Malaiyandi:
Speaker:Jeanie back on the bottle.
W. Curtis Preston:in the barn.
W. Curtis Preston:Right?
W. Curtis Preston:Yeah.
W. Curtis Preston:The genie back in the bottle, whatever, whatever you, whatever, uh,
W. Curtis Preston:uh, analogy you want to use there, their data will forever be out there.
W. Curtis Preston:Um,
Prasanna Malaiyandi:you think though, and just going back to Eric, what you
Prasanna Malaiyandi:had mentioned, that no organization you've worked with has done it right.
Prasanna Malaiyandi:Do you feel that it's because organizations don't understand the
Prasanna Malaiyandi:data that they have, the importance of the data, the classification of
Prasanna Malaiyandi:that data, how to protect it, because different data, for instance, like.
Prasanna Malaiyandi:The school counselor records, right?
Prasanna Malaiyandi:Or therapist records.
Prasanna Malaiyandi:That's probably very sensitive data that you probably want to protect a lot more
Prasanna Malaiyandi:than say just the kid's name, right?
Prasanna Malaiyandi:Or an email address, potentially, right?
Prasanna Malaiyandi:Or something that's more benign.
Prasanna Malaiyandi:And so is that part of the problem you
Eric Jeffrey:So you, you're.
Eric Jeffrey:You, you're asking me straight up, why have I not run into an
Eric Jeffrey:organization that does it correctly?
Eric Jeffrey:Why is it that people don't seem to protect their data, and why do
Eric Jeffrey:these things keep happening and why do they keep getting worse?
Eric Jeffrey:And no matter how much money we spend, it just gets worse.
Eric Jeffrey:Is that what you're asking?
Eric Jeffrey:My professional opinion.
Eric Jeffrey:Is that the people that care the most about the data don't have the
Eric Jeffrey:authority to protect it, nor do they have the budget to protect it, and
Eric Jeffrey:the people that have the budget and the authority have bigger fish to fry.
Eric Jeffrey:I'll give you a very good example.
Eric Jeffrey:I worked in healthcare for about eight and a half years, healthcare
Eric Jeffrey:it, and you have a revenue generating machine called an mri.
Eric Jeffrey:Let's say it costs a million dollars, whether you buy a revenue generating
Eric Jeffrey:MRI for a million dollars or do you spend half that on cybersecurity?
Eric Jeffrey:The people that are running the hospital say, we're gonna spend the million dollars
Eric Jeffrey:on the MRI because we need to make money.
Eric Jeffrey:And cybersecurity.
Eric Jeffrey:Yeah.
Eric Jeffrey:If we get hacked, we get hacked.
Eric Jeffrey:And what's the worst thing that can happen?
Eric Jeffrey:The worst thing that happens to these organizations is not bad enough.
Eric Jeffrey:And here's a perfect example.
Eric Jeffrey:I believe it was the Pinto.
Eric Jeffrey:It was a a Ford car.
Eric Jeffrey:And this was a major lawsuit where they calculated what
Eric Jeffrey:is the value of a human life.
Eric Jeffrey:And you can quantify that.
Eric Jeffrey:I have a degree in economics and people hate the story, but you can
Eric Jeffrey:quantify the value of a human life.
Eric Jeffrey:I'm sorry, but you can put a dollar figure on it.
Eric Jeffrey:And the people that, I think it was Ford.
Eric Jeffrey:Don't sue me for it.
Eric Jeffrey:I'm just thinking it was the Ford Pinto that was this story and they
Eric Jeffrey:said, we are not gonna fix this car.
Eric Jeffrey:That blows up when you hit it from the rear because it's more expensive
Eric Jeffrey:to recall all the cars than it is to pay for the people that end up dying.
Eric Jeffrey:Well, when this all came out, Ford was hilled just d the, the, the um, settlement
Eric Jeffrey:was way more than it would've been to recall all the cars, to punish them.
Eric Jeffrey:And we now have that story.
Eric Jeffrey:And now car dealerships, I'm sorry, car manufacturers will recall the cars no
Eric Jeffrey:matter how much it costs because they know what happened in that Pinto story.
W. Curtis Preston:Yeah, I as a, as an owner, as a former owner of
W. Curtis Preston:a Ford Pinto, um, the, the, the, it was actually my first car.
W. Curtis Preston:Uh, it was like a dollar 57 part.
W. Curtis Preston:Right was to think like it was literally, the part was like a buck And, a half,
W. Curtis Preston:but it was the cost of bringing everybody back in to replace that dollar and,
W. Curtis Preston:a half part, um, that caused them to Yeah, that I, I do believe your story is
W. Curtis Preston:right, but again, don't sue me either.
W. Curtis Preston:Um.
Eric Jeffrey:but that's my point is we need a Ford or the cigarette companies.
Eric Jeffrey:They got sued into oblivion because they were false marketing
Eric Jeffrey:and saying, oh, these are great.
Eric Jeffrey:And then the whole thing, and I, it was the eighties and nineties
Eric Jeffrey:that just decimated the cigarette industry with that lawsuit.
Eric Jeffrey:I, I don't know if that's what it takes to fix cybersecurity, but we,
Eric Jeffrey:we have a, a, a broken industry.
Eric Jeffrey:Where it's just getting worse and worse.
Eric Jeffrey:And, and real quick, I'll, I'll just say this and then I'll, I'll shush
Eric Jeffrey:for a moment and let you guys jump in.
Eric Jeffrey:When I speak, I tell a story about a graph, and it shows that we
Eric Jeffrey:spend more and more money every year on cybersecurity, and we get
Eric Jeffrey:more and more attacks every year.
Eric Jeffrey:So one would draw a corollary that if you're attacked more because
Eric Jeffrey:you spend more money, spend less, and you'll be attacked less.
Eric Jeffrey:Obviously that's not the case, but why is it?
Eric Jeffrey:That we're spending more and more money and we're getting attacked more and more.
Eric Jeffrey:And not only are we getting attacked more, but the attacks are worse.
Eric Jeffrey:What happened at LA Unified School District was pretty darn egregious.
Eric Jeffrey:It's similar to the O P M breach from seven or eight years ago.
Eric Jeffrey:And the Equifax, the Equifax breach in 2017 was just horribly disgusting.
Eric Jeffrey:And that goes to something you were saying earlier, persona about.
Eric Jeffrey:It sits around for a while and they know it, and why aren't you fixing it?
Eric Jeffrey:Equifax knew about that weakness in their, um, web server for months
Eric Jeffrey:and they never patched it, and then they got hacked in 150 million
Eric Jeffrey:peoples in a financial data leaks.
Eric Jeffrey:It's just, it's broken and it's broken for a number of reasons, and we are
Eric Jeffrey:not doing anything as a society, in my opinion, that's gonna remedy it.
Eric Jeffrey:And coming out with more regulations and coming out with, you know, government
Eric Jeffrey:involvement and interference, it, it, it creates certain roadblocks
Eric Jeffrey:that are limiting the remedy.
Eric Jeffrey:But the real remedy is, is being elusive because the, the people
Eric Jeffrey:that are knowledgeable are not in charge and they don't have the money.
Eric Jeffrey:And one perfect example of that is when a ciso, chief information security
Eric Jeffrey:officer reports to a c o I've written about this, you, you can't have that.
Eric Jeffrey:And when we have organizations that are doing that, or the CIO reports to the cfo,
Prasanna Malaiyandi:Yep.
Eric Jeffrey:okay, so the guidance responsible for all of your information
Eric Jeffrey:technology is reporting to the guy responsible for the money, and they're
Eric Jeffrey:both bonused on different things.
Eric Jeffrey:You're gonna have a conflict and the conflict is not gonna go into the
Eric Jeffrey:direction of stronger cybersecurity.
W. Curtis Preston:Yeah.
W. Curtis Preston:This is a problem.
W. Curtis Preston:This is a problem that we have in, in the, in the backup space, right?
W. Curtis Preston:No one, no one ever, no one ever became a customer of a company because they
W. Curtis Preston:used a really good backup system, right?
W. Curtis Preston:So, uh, we have the same problem and sounds like the same.
W. Curtis Preston:Uh, Um, similar problem because what's happened in the backup space, we didn't
W. Curtis Preston:have cyber attacks in the backup space.
W. Curtis Preston:They just, they just didn't exist 20 years ago.
W. Curtis Preston:No one was attacking the backup system.
W. Curtis Preston:We just had to make sure that it was safe from fire and floods
W. Curtis Preston:and, you know, things like that.
W. Curtis Preston:We, we didn't have to also make sure that, that, that, that a cyber attacker can't.
W. Curtis Preston:You know, basically obliterate the backup system.
W. Curtis Preston:Now we're having to spend more money and more design money.
W. Curtis Preston:Right.
W. Curtis Preston:You know, I, um, actually, I forgot to throw out our disclaimer.
W. Curtis Preston:This is an independent podcast and these opinions are ours and don't necessarily
W. Curtis Preston:reflect any companies we work with.
W. Curtis Preston:So one of the problems that we have is that people don't back
W. Curtis Preston:up Microsoft 365 and things like backup things like Microsoft 365.
W. Curtis Preston:They say, oh, it's the cloud, it's magic, it's pfm, right?
W. Curtis Preston:And if you know, you Google that, if you don't know what that means,
W. Curtis Preston:um, and, and, and, and, and so not enough major things have happened
W. Curtis Preston:to companies that don't back up.
W. Curtis Preston:365 and similar products.
W. Curtis Preston:Right.
W. Curtis Preston:Um, not enough companies have basically ceased to exist due to cyber attacks.
W. Curtis Preston:Um, I, I can name them.
W. Curtis Preston:I can name them on like, literally a few fingers and they're not public
Prasanna Malaiyandi:Code spaces.
W. Curtis Preston:And, and, and I'll submit.
W. Curtis Preston:But yeah, coast Spaces is, is, you know, is the big one right from
W. Curtis Preston:the very beginning of all of this.
W. Curtis Preston:But like, for example, This is one that I just found out, uh, just a few days ago.
W. Curtis Preston:There's, there's a great podcast, by the way, called the ransomware files.
W. Curtis Preston:And it's, um, just a guy that's interviewing and he, he basically
W. Curtis Preston:does stories and then he actually talks to the people who were
W. Curtis Preston:involved in their ransomware attack.
W. Curtis Preston:It's a fascinating, um, you know, podcast.
W. Curtis Preston:And he talked about this, this hack last year where, uh,
W. Curtis Preston:Conti had basically taken down.
W. Curtis Preston:All of Costa Rica's government, that, that, that they lost their revenue
W. Curtis Preston:system, their, their, you know, um, the, the, basically their, the payroll, they
W. Curtis Preston:lost all these huge, just a huge portion of the Costa Rica government and to.
W. Curtis Preston:To my knowledge and to that guy's knowledge, like it's the first time
W. Curtis Preston:that like an entire country has been held ransom by a ransomware group.
W. Curtis Preston:The weirdest part of the story is that Conti.
W. Curtis Preston:Apparently didn't do it for money because, um, and this is a way too
W. Curtis Preston:brief explanation, but Costa Rica actually has laws that prevented the
W. Curtis Preston:government from paying their ransom.
W. Curtis Preston:And So, and, and, and any, and a group size Conti would've known that.
W. Curtis Preston:It appears that they did this hack just to, um, of a way to,
W. Curtis Preston:of a basically providing cover while they made Conti disappear.
W. Curtis Preston:Um, right.
W. Curtis Preston:Cuz that's what happened right at this time.
W. Curtis Preston:This was April of last year.
W. Curtis Preston:Uh, this was CTI's last attack before they spread everybody out
W. Curtis Preston:to a bunch of other organizations.
W. Curtis Preston:I agree with you Eric.
W. Curtis Preston:I almost called Jeff.
W. Curtis Preston:I agree with you, Eric, that, um, that not enough like of these public.
W. Curtis Preston:Um, things where basically where, like in the case of Costa Rica, they have had to
W. Curtis Preston:completely rebuild their IT infrastructure from scratch with no backup, no nothing.
W. Curtis Preston:They're starting like from scratch, and I know of companies that basically
W. Curtis Preston:have been wiped off the planet.
W. Curtis Preston:Not enough of those have been public.
W. Curtis Preston:And, and again, with the Costa Rica story, I didn't even realize
W. Curtis Preston:that that happened, right?
W. Curtis Preston:That, that, that event was not public enough.
W. Curtis Preston:Um, and so, Yeah.
W. Curtis Preston:I,
Prasanna Malaiyandi:I, I wanna take the other perspective though, Curtis,
Prasanna Malaiyandi:on that, so I totally, no, no, no.
Prasanna Malaiyandi:So, so the one country though, that I think did a phenomenal job
Prasanna Malaiyandi:right, is during the Ukraine War.
Prasanna Malaiyandi:Right where they were hit multiple times, right?
Prasanna Malaiyandi:By cyber attacks, and because they had gotten so good at rebuilding
Prasanna Malaiyandi:their infrastructure, right?
Prasanna Malaiyandi:They had backups.
Prasanna Malaiyandi:They knew how to recover, right?
Prasanna Malaiyandi:They get attacked, they'd spin up everything, right?
Prasanna Malaiyandi:Within a couple days, everything was recovered back to normal, right?
Prasanna Malaiyandi:And so,
W. Curtis Preston:Yeah.
Eric Jeffrey:Well.
Eric Jeffrey:I'm not sure which attack you're talking about, but the reason that the Ukraine
Eric Jeffrey:is able to recover is because they get hit so often that they have a mechanism.
Eric Jeffrey:And also I read about this in, I wanna say it was Hacker
Eric Jeffrey:in the State by Ben Buchanan.
Eric Jeffrey:And it, it talked about, it was either that or in a another.
Eric Jeffrey:One of those books, but I think it was Ben's book, it, it talked about
Eric Jeffrey:their infrastructure is so basic that it's not that difficult to rebuild.
Eric Jeffrey:And if we took the hits that they're taking, we wouldn't be
Eric Jeffrey:able to recover like that because ours are so sophisticated.
Eric Jeffrey:So the Ukraine, it, it, it's kind of like saying somebody that gets sacked
Eric Jeffrey:in the end zone four times in a row starts to learn, Hey, how about I
Eric Jeffrey:stop throwing the ball when I'm on the two, you know, twined, then they,
Eric Jeffrey:they learn to run it out a little bit.
Eric Jeffrey:But they took a lot of major blows before they became competent, and
Eric Jeffrey:Costa Rica hadn't had that opportunity.
Eric Jeffrey:This is the first time they got sacked as far as we know.
Eric Jeffrey:But you talk about companies failing and business failing.
Eric Jeffrey:Let's talk about a multi-billion dollar global company.
Eric Jeffrey:I think, believe it was Maersk, they almost went down.
Eric Jeffrey:They had a server that happened to be offline in Africa, and one guy
Eric Jeffrey:was able to get that backup and they could get it up to England.
Eric Jeffrey:I think it's in the Netherlands.
Eric Jeffrey:I'm sorry.
Eric Jeffrey:It's, uh, Copenhagen.
Eric Jeffrey:It's a, it's a, a Danish company.
Eric Jeffrey:Um.
Eric Jeffrey:They had to get it from Africa.
Eric Jeffrey:And the funny thing is, they could, they had export control, so somebody had to go
Eric Jeffrey:and drive it from one African country to another so they could put it on a plane.
Eric Jeffrey:And this person is flying with the entire backup for the domain.
Eric Jeffrey:The only domain controller that was up when Mayor Scott hit, I
Eric Jeffrey:believe it was with not Petya.
Eric Jeffrey:Um, so there are, you know, saved by the skin of their teeth, if you
Eric Jeffrey:will, but, Ukraine, they're just kind of like, some people believe that
Eric Jeffrey:they're the testing bed for Russia, and when Russia is attacking, uh, the
Eric Jeffrey:infrastructure, they're doing that as a test run for hitting the west.
Eric Jeffrey:And maybe we'll see more of that in the coming year or two, depending on what
Eric Jeffrey:goes on between Russia and Ukraine.
Eric Jeffrey:That is a whole nother ballgame, you know, after talking about LA Unified
Eric Jeffrey:School District and half a million kids having their data leaked versus
Eric Jeffrey:Russia taking down the power grid in the eastern United States, which
Eric Jeffrey:they've been testing in Ukraine since 13 or 14, is what the belief is.
Eric Jeffrey:Um, But I, I mean, I, I still stand by looking at normal cybersecurity
Eric Jeffrey:and normal, uh, vertical markets.
Eric Jeffrey:Finserve Healthcare Sled, which is state and local education.
Eric Jeffrey:Uh, these organizations do not have the desire or the need.
Eric Jeffrey:To put the resources where they have to, they do enough to check a box and move on.
Eric Jeffrey:So if they get hit and then they're audited, well, we did A, B, C, and D.
Eric Jeffrey:Okay, fine.
Eric Jeffrey:You, you meet all the regulations and the government's not coming after you.
Eric Jeffrey:What about the other people that were affected by it though?
Eric Jeffrey:And persona and I were talking a little bit ago, Curtis, about, I talked
Eric Jeffrey:about the aftermath of L A U S D, but what about the week or the three days
Eric Jeffrey:that the kids couldn't go to school?
Eric Jeffrey:What kinda impact did that have on those students, on those parents, on the economy
Eric Jeffrey:of LA Because gig workers couldn't drive cuz they're at home with their kids.
Eric Jeffrey:There's so many other ancillary components to a hack that we never hear about.
Eric Jeffrey:It's kind of like a headline.
Eric Jeffrey:You know, if, uh, if a Hollywood star's getting divorced, you hear
Eric Jeffrey:about it for two or three days, but then you don't know anything about it.
Eric Jeffrey:Well, if there's a hack, you hear about it for two or three days
Eric Jeffrey:and then you don't hear about it.
Eric Jeffrey:That's where, you know, Ben Buchanan's book and other books are very
Eric Jeffrey:helpful, but, Unless you're really into this, you don't hear about it.
W. Curtis Preston:Yeah, I, I know, um, that there's, there's a, there's a,
W. Curtis Preston:there's a, the one attitude and cuz cuz I wanna talk a little bit about, um,
W. Curtis Preston:sort of, but I'm not gonna say anything.
W. Curtis Preston:I wanna talk a little bit about what you could do, but I'm not
W. Curtis Preston:gonna say anything new, right?
W. Curtis Preston:Because, um, what we know from all of the attacks that happened is that,
W. Curtis Preston:Roughly 90% of them, as I'm hearing, 90% of them could have been stopped by
W. Curtis Preston:a handful of basic security practices.
W. Curtis Preston:Right.
W. Curtis Preston:Um, things like patch management, things like mfa, things like lease
W. Curtis Preston:privilege and separation of powers.
W. Curtis Preston:Um, you know, what else would you add to that list, Eric?
Eric Jeffrey:Uh, educating your staff.
Eric Jeffrey:I mean, number one, don't click on the link.
Eric Jeffrey:Uh, you know, think before you click as they say.
Eric Jeffrey:I think that you're spot on, and it's something that I've said, I've published
Eric Jeffrey:on this that we are where we have been.
Eric Jeffrey:Uh, For 30 years, we have the same problems.
Eric Jeffrey:And Kevin Minnick will talk about this.
Eric Jeffrey:He's the the chief hacking officer of Knowbe4, the same things that he was
Eric Jeffrey:doing 30 years ago you could still do today, such as social engineering and
Eric Jeffrey:tricking your way into environment.
Eric Jeffrey:Tailgating is holding the door for somebody.
Eric Jeffrey:You know, we don't do enough about educating people and we
Eric Jeffrey:don't hold people accountable.
Eric Jeffrey:You gotta fire 'em.
Eric Jeffrey:When school districts are hacked and the, the, the, uh, the, the head of
Eric Jeffrey:the school board didn't do anything.
Eric Jeffrey:It doesn't know anything.
Eric Jeffrey:Gone, man.
Eric Jeffrey:If you're not cyber aware, gone.
Eric Jeffrey:What we don't see enough of this.
Eric Jeffrey:So you are a hundred percent correct.
Eric Jeffrey:Basics of multifactor authentication, you gotta do it.
Eric Jeffrey:Everybody listening to this, all of your bank accounts should be mfa.
Eric Jeffrey:And when I say MFA, I don't mean getting a text cuz that's easy to get around.
Eric Jeffrey:You want to use Google Authenticator or v i P by Symantec, something like that.
Eric Jeffrey:Basic things.
Eric Jeffrey:Um, you know, your password should be a passphrase.
Eric Jeffrey:You should change it regularly.
Eric Jeffrey:All in your bank accounts.
Eric Jeffrey:Do not use the same ones.
Eric Jeffrey:These are just basic things we've talked about for decades and you know, we,
W. Curtis Preston:the damn link.
Eric Jeffrey:yeah, but we keep doing the same thing.
Eric Jeffrey:I mean, people think you need to be a rocket scientist not to get hacked.
Eric Jeffrey:No.
Eric Jeffrey:You just need to be aware.
Eric Jeffrey:You need to pay attention
Prasanna Malaiyandi:do you think it's sort of gotten to the point where it's
Prasanna Malaiyandi:sort of overload and people have gotten sort of desensitized to a certain extent?
Eric Jeffrey:Possibly.
Eric Jeffrey:Possibly.
Eric Jeffrey:And I think that people are afraid to be rude.
Eric Jeffrey:And I, I, I see guys that they're getting a possible hack coming in
Eric Jeffrey:on your phone or possible spam.
Eric Jeffrey:Hi, how are you?
Eric Jeffrey:I'm to Todd.
Eric Jeffrey:Why are you answering the phone?
Eric Jeffrey:Todd, why?
Eric Jeffrey:Don't wanna be rude.
Eric Jeffrey:He's interrupting you, man.
Eric Jeffrey:Don't swipe left.
Eric Jeffrey:Swipe left.
Eric Jeffrey:Don't pick up the phone.
Eric Jeffrey:if you, and if you swipe right.
Eric Jeffrey:Hi, who are you?
Eric Jeffrey:Hi.
Eric Jeffrey:I'm calling about some auto insurance that we want to get you.
Eric Jeffrey:Just hang the phone up.
Eric Jeffrey:Don't say goodbye.
Eric Jeffrey:Don't say I'm that interested.
Eric Jeffrey:Bing hang up.
Eric Jeffrey:They're interrupting you.
Eric Jeffrey:Just hang up the phone.
W. Curtis Preston:I whoop,
Eric Jeffrey:Just do that when they call.
W. Curtis Preston:You hung up the phone.
W. Curtis Preston:Yeah.
W. Curtis Preston:I, I think, I do think that there is a certain amount, there is a,
W. Curtis Preston:Again, you know, the 3%, but there's, there's another percent that basically
W. Curtis Preston:they have the belief of like, well, everybody knows that, you know, the
W. Curtis Preston:only unhackable computer is one that's completely disconnected from everything.
W. Curtis Preston:So why, why even, why even Try.
W. Curtis Preston:But I, I don't know.
W. Curtis Preston:It is just basic, you know, for companies, if you, for a co, if, you know, we could
W. Curtis Preston:argue on, you know, with, with a person.
W. Curtis Preston:I, I can't.
W. Curtis Preston:If there's a person, an individual, That doesn't value their personal information,
W. Curtis Preston:whatever enough to take care of the stuff.
W. Curtis Preston:That's not my concern.
W. Curtis Preston:Right.
W. Curtis Preston:Just like I, I like, it's like when, when I'm talking to somebody who says RAID is
W. Curtis Preston:backup, and they don't need backup because they have raid or because they're in the
W. Curtis Preston:cloud and I just, I just, I just move on.
W. Curtis Preston:I don't need waste any time.
W. Curtis Preston:But we're talking about companies and governmental organizations that have.
W. Curtis Preston:People's, you know, livelihoods and people's lives in their hand.
W. Curtis Preston:Um, if the, I agree with you, Eric, that if, if they don't want to do
W. Curtis Preston:their job, um, you know, to, uh, to quote, uh, Taylor Swift, uh, thank you.
W. Curtis Preston:Next, um, right.
Eric Jeffrey:Well, your point about people saying, It's not that important
Eric Jeffrey:or somebody else will protect me.
Eric Jeffrey:Do you wear a seatbelt?
Eric Jeffrey:I mean, not clicking on a link is the same thing as wearing a
Eric Jeffrey:seatbelt, as far as I'm concerned.
Eric Jeffrey:An individual, you know, I, I don't want my father who's 80 clicking on the link,
Eric Jeffrey:so I, I help him and I teach him and my stepmom and my, you know, my kids have
Eric Jeffrey:been raised and the next generation are coming up and much more security minded.
Eric Jeffrey:But we need people to know that if you click on it, then you could
Eric Jeffrey:put a key logger on your machine.
Eric Jeffrey:And if you don't care about that, well, when you start typing in
Eric Jeffrey:your banking password and somebody key logs and has that, your bank
Eric Jeffrey:account will be empty tomorrow.
Eric Jeffrey:Now yeah.
Eric Jeffrey:That may only affect you and your heirs.
Eric Jeffrey:If you're my father, that affects me.
Eric Jeffrey:Uh, you know, so I, I'm, I'm protecting him, uh, and, and protecting me and
Eric Jeffrey:my kids in that, but, I think a lot of times, and, and this is very important,
Eric Jeffrey:I think a lot of times people at work think, oh, you know what, if I click
Eric Jeffrey:on the link, there's another security safeguard down the road that will fix
Eric Jeffrey:it, that I may screw up, but I'm not the only, you know, ah, I installed it.
Eric Jeffrey:Some no people.
Eric Jeffrey:There is not something else downriver.
Eric Jeffrey:Okay?
Eric Jeffrey:I'm here to tell you, in most cases, if you click that link,
Eric Jeffrey:there is nothing else to save your
Prasanna Malaiyandi:Was thinking about the three CX supply chain
Prasanna Malaiyandi:hack that happened last week.
Prasanna Malaiyandi:Right.
Prasanna Malaiyandi:And someone had installed some software that they had found online that had
Prasanna Malaiyandi:been discontinued since like 2021.
Prasanna Malaiyandi:And that package had been infected.
Prasanna Malaiyandi:Right.
Prasanna Malaiyandi:And that then led to.
Prasanna Malaiyandi:That now being able to get into three CX and attack their systems
Prasanna Malaiyandi:and all sorts of other chaos.
Prasanna Malaiyandi:But it's those sort of things.
Prasanna Malaiyandi:It's like someone downloaded a piece of software that they shouldn't
Prasanna Malaiyandi:have or that they probably didn't need, didn't realize those obsolete.
Prasanna Malaiyandi:Right.
Prasanna Malaiyandi:And led to all of these issues for three CX or I think I was reading about a
Prasanna Malaiyandi:security researcher who was looking for a.
Prasanna Malaiyandi:O b s right?
Prasanna Malaiyandi:The software for, uh, video, uh, presentations and all the rest, right?
Prasanna Malaiyandi:And they Google searched, saw click, the first link turned
Prasanna Malaiyandi:out to be malware, right?
Prasanna Malaiyandi:And they're like, this is what Google's SEO returned to me
Prasanna Malaiyandi:and it now infected my system.
Prasanna Malaiyandi:Right?
Prasanna Malaiyandi:And even experts get tricked by this, right?
Prasanna Malaiyandi:And so everyone just has to be really, really careful.
Eric Jeffrey:I have been conned and I have a paper that I wrote
Eric Jeffrey:out years ago about a mule scam.
Eric Jeffrey:When I was unemployed, I got tricked and I do this for a living.
Eric Jeffrey:A year and a half or so ago, I also started, they started
Eric Jeffrey:to scam me about a timeshare I own, and I knew it from get-go.
Eric Jeffrey:So I actually played it all the way through and I did a podcast on it
Eric Jeffrey:to show people how it really works from the first phone call until
Eric Jeffrey:me telling them to go to hell.
Eric Jeffrey:Um, but I mean, I do this for a living and I can get tricked, so I, I get it.
Eric Jeffrey:I made the comment before, people don't want to be rude.
Eric Jeffrey:Be rude.
Eric Jeffrey:Delete the email, hang up the phone.
Eric Jeffrey:Don't talk to, no, you're not getting a text because your
Eric Jeffrey:Amazon account is locked.
Eric Jeffrey:Don't click on that link in your text.
Eric Jeffrey:It is everywhere.
Eric Jeffrey:And are you gonna possibly delete an important email?
Eric Jeffrey:Yeah.
Eric Jeffrey:Have I deleted an email that my boss sent me that I thought was a phishing attack?
Eric Jeffrey:Yeah.
Eric Jeffrey:And you know what?
Eric Jeffrey:He'll resend it.
Eric Jeffrey:If it's that important, he'll call me on the phone or send me a teams message,
Eric Jeffrey:but delete the email, hang up the phone.
Eric Jeffrey:If you even answer it, they're, these people are con artists.
Eric Jeffrey:And now with AI and with deep fakes, it's just gonna get worse and worse.
Eric Jeffrey:We need to be skeptical of everything, question everything, and you know, get.
W. Curtis Preston:go ahead.
Eric Jeffrey:I say get second and third opinions on something.
Eric Jeffrey:My wife is fantastic in protecting me for myself.
Eric Jeffrey:I've done some stupid things on Craigslist.
Eric Jeffrey:She goes, no, Eric, they're not gonna give you more money
Eric Jeffrey:for that couch than it's worth.
Eric Jeffrey:And send their cousin to pick it up just to get a little
Eric Jeffrey:bit of money on the back end.
Eric Jeffrey:Oh, you know what?
Eric Jeffrey:You're right, honey.
Eric Jeffrey:I'm sorry.
Eric Jeffrey:So ha, run it by your family and your friends if you're not sure.
Eric Jeffrey:But be cautious.
Eric Jeffrey:Be skeptical.
W. Curtis Preston:and I, and I would add to this, um, have an a, have a, uh, an
W. Curtis Preston:environment that, uh, you know, when, when we're talking about organizations, right?
W. Curtis Preston:Have an environment where it is encouraged.
W. Curtis Preston:To report when you think you might have made a mistake.
W. Curtis Preston:Right, right.
W. Curtis Preston:When you think, when you think you've clicked on an email, so this happened to
W. Curtis Preston:me a couple of weeks ago where I thought,
Prasanna Malaiyandi:No.
W. Curtis Preston:I what, what was funny was um, was after mentioning on
W. Curtis Preston:a podcast, I don't know how anybody falls for MFA exhaustion, right?
W. Curtis Preston:Like, send me 37 MFA requests, and eventually I say yes just to make it stop.
W. Curtis Preston:And I'm like, how does that work?
W. Curtis Preston:Because that just seems wrong.
W. Curtis Preston:And then the very next day, I thought I had done it.
W. Curtis Preston:Not that MFA exhaustion, but I thought that I had just
W. Curtis Preston:absentmindedly said yes when I didn't remember actually going to Okta.
W. Curtis Preston:Um, you know, to, to, to generate that request.
W. Curtis Preston:And, um, and I immediately reported it, uh, because I, because we have that,
W. Curtis Preston:uh, that culture, I immediately reported it and I immediately got a response.
W. Curtis Preston:No.
W. Curtis Preston:dude, that was you.
W. Curtis Preston:Uh, you know, we've, you just, what it.
W. Curtis Preston:was was there was just a tab in my browser that I had accidentally
W. Curtis Preston:refreshed, and it was Okta and it had, it had logged me again.
W. Curtis Preston:But you need that.
W. Curtis Preston:That's the other thing that you can do for your employees is.
W. Curtis Preston:If they do something stupid, um, have a culture that allows them to
W. Curtis Preston:notify that and you reward them for that rather than yelling at them
W. Curtis Preston:for clicking on the wrong link.
W. Curtis Preston:Um,
Eric Jeffrey:Yeah.
Eric Jeffrey:And.
Eric Jeffrey:Uh, the, the problem is there's not, even if there's no punishment, the feeling
Eric Jeffrey:of being, feeling stupid, and I, I think that people, it is one of the reasons
Eric Jeffrey:why internal phishing attacks cause a lot of problems because of that 3%.
Eric Jeffrey:But really it's more like 10% that click on it.
Eric Jeffrey:Employees think that their employer is trying to trick them, and we,
Eric Jeffrey:as the employees need to learn.
Eric Jeffrey:They're not trying to trick me.
Eric Jeffrey:They're trying to train me.
Eric Jeffrey:It's not a gotcha game.
Eric Jeffrey:And until organizations help people realize it's not a gotcha
Eric Jeffrey:game, it's a training game.
Eric Jeffrey:And just like you have to take training in healthcare on hipaa, I've
Eric Jeffrey:worked in the hos in a healthcare it.
Eric Jeffrey:I didn't work in a hospital and year after year I have to take HIPAA training.
Eric Jeffrey:If you work in the financial services industry, you have
Eric Jeffrey:to take certain trainings.
Eric Jeffrey:I think everybody should take cyber training and everybody should be getting
Eric Jeffrey:a phishing attack email once a quarter.
Eric Jeffrey:Regularly clockwork.
Eric Jeffrey:Let's muscle memory people, let's train you and don't punish them per se.
Eric Jeffrey:I mean, if you're gonna click on it five times, five quarters in a
Eric Jeffrey:row every single time, maybe you need to, you know, get the boot.
Eric Jeffrey:Um, but you know, that's a small minority.
Eric Jeffrey:Um, but I, I think that there needs to be training, there needs to be
Eric Jeffrey:ongoing, uh, support for cyber.
Eric Jeffrey:And at the top, top down, and this is something else I've spoken about,
Eric Jeffrey:presented, about, written, about cybersecurity, stop starts at the
Eric Jeffrey:top, at the board of directors and the ceo, and it flows down.
Eric Jeffrey:And if they're not aware and they don't care, the organization's not going
Eric Jeffrey:to, the budget's not gonna be there.
Eric Jeffrey:This is not something that you can fix, like it was in the old days, oh,
Eric Jeffrey:put up a firewall and you'll be fine.
Eric Jeffrey:No, it is so much more sophisticated now.
Eric Jeffrey:It is all about psychology.
Eric Jeffrey:I'm of the mind that maybe we need to start teaching psychology classes to
Eric Jeffrey:go and work with a computer because our enemies are, most enemies are
Eric Jeffrey:doing social engineering and they go after you and you're desperate,
Eric Jeffrey:and they go after you with urgency.
Eric Jeffrey:Do it now.
Eric Jeffrey:Do it now.
Eric Jeffrey:And, uh, I mean, it's, it's a problem.
Eric Jeffrey:And I agree with you, Curtis, that we need to not punish.
Eric Jeffrey:We need to educate and we need to not humiliate, and people
Eric Jeffrey:need to also have a thicker skin.
Eric Jeffrey:If you screw up, you admit it and you do better.
Eric Jeffrey:You don't just sit there and say, you're attacking me cause
Eric Jeffrey:I keep clicking the link.
Eric Jeffrey:It it, it's not about you, it's about the organization.
Eric Jeffrey:It's about your customers and it's about your business partners and
Eric Jeffrey:people need to understand that one mistake could end the world.
Eric Jeffrey:Go watch war games people.
Eric Jeffrey:1983, I believe Matthew Broderick.
Eric Jeffrey:One mistake tic-tac toe.
W. Curtis Preston:I'd piss on a spark plug if I thought it'd do any good.
Eric Jeffrey:Yeah.
W. Curtis Preston:favorite, that's my favorite line from that movie.
W. Curtis Preston:Um, alright.
W. Curtis Preston:Well, Eric has been great.
W. Curtis Preston:Um, I, I love talking about this stuff.
W. Curtis Preston:I love how, uh, clearly how animated you are about this topic.
W. Curtis Preston:Uh, we're, we're, we're people of like mind.
W. Curtis Preston:I, I like that.
W. Curtis Preston:So thanks for coming on.
Eric Jeffrey:Thank you.
Eric Jeffrey:I appreciate it.
Eric Jeffrey:Thank you very much.
W. Curtis Preston:And persona, uh, you know, uh, as always, you know, great
Prasanna Malaiyandi:I try.
Prasanna Malaiyandi:I try.
Prasanna Malaiyandi:It was nice to meet you Eric.
Prasanna Malaiyandi:Thanks for being on the podcast.
Eric Jeffrey:as well, Prashant.
Eric Jeffrey:Hopefully you'll see you again.
W. Curtis Preston:and, uh, thanks again to our listeners.
W. Curtis Preston:Uh, be sure to subscribe so that, uh, you can restore it all.
Listen On
