It has been said that the currency of the modern world is not gold, but information. If that is true, then nearly every business is storing financial information, emails, and other private information that can be invaluable to cybercriminals or other nefarious actors. What is every business required to do to protect its customers’ and clients’ private information?
As a part of our series about “Five Things Every Business Needs To Know About Storing and Protecting Their Customers’ Information”, I had the pleasure of interviewing Nate Cash.
Nate Cash has been tinkering with computers since a young age. His path to information security started when he and his friends would find vulnerabilities in computer programs and play tricks on each other. After high school, Nate joined the United States Marine Corps, where he provided voice, internet, and secure internet using microwave equipment. After the Marines, he received his A.A.S. in computer information science. He worked as a network engineer, where he implemented everything from Cisco voice to routing and switching, before finding his way back to his true passion, cyber security. Nate went on to pursue a B.A.S. in cyber security followed by earning an MBA. Nate has been designing, installing, and testing security solutions as a consultant for critical infrastructure, financial institutions, manufacturing, industrial systems, academic institutions, and within government environments. He has consulted with everyone from small partnerships up to Fortune 50 organizations. Nate has over 20 years of experience in cyber security and holds industry-leading certifications.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I grew up in a small midwestern college town, during the time the internet was becoming mainstream within households. My friends and I would play outside, ride bikes, or play games on computers. We even got to the point where we would mess with each other’s games by setting up code to sabotage the other’s games or give us extra resources when the game started.
Is there a particular story that inspired you to pursue your particular career path? We’d love to hear it.
When I installed network equipment, our single security person quit, and I volunteered to take over. I was at a customer site when the customer asked me how this equipment was supposed to stop the Code Red computer worm. The Code Red worm was a big deal; it would copy itself and try to spread to other machines. To answer my customer’s question, I labbed up a vulnerable environment and figured out how the worm propagated and how the equipment would prevent the spread of the worm. At that point I was hooked on cyber security.
Can you share the most interesting story that happened to you since you began your career?
I would say this has to be during my pentesting days. Pentesting is where you take the tactics of a bad guy and try to break into a network, like an attacker would. It shows an organization where their weak points are, and they can beef up their defenses to prevent those attacks from working in the future. It’s wargaming: attackers breach the defenses, the defenders learn and upgrade their defenses and the cycle repeats itself. Anyway, I was doing a pentest on an organization and the VP of Security told me I would never break in. Four days later I was sitting at his desk with his favorite cup of coffee from the coffee shop downstairs, and a report on how I learned his special coffee along with how I got in. I used a combination of social engineering and pentesting techniques.
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
There are too many to list. The security community is open to sharing and supportive. My parents gave me the freedom to explore things on my own accord but if I have to choose just one person, it would be the first person who set me up for success. I had a teacher in high school who took a chance on me. I just didn’t care to do homework, it never helped me learn anything and I saw it as busy work and a waste of time. I would take the tests and score high on them; I was failing because I didn’t want to do the homework. Like a lot of teens at that age, I was dealing with a lot of changes, and that was compounded when my mom died my freshman year. I didn’t have the discipline or the money to go to college, so I decided to join the military, then I narrowed down that decision to the Marines because I needed to prove something to myself.
The problem was by the time my senior year came around I was failing all of my classes. I told the recruiter I was going to drop out of high school, take the GED test then go into the Marines, I scored a 1200 on my SATs so the GED would have been an easy sit in, take it, and ship out to bootcamp that same week. The recruiter told me I needed a high school diploma, and the GED wouldn’t do. At the bare minimum I needed a passing grade in a math class, an English class, and science class to get my diploma. When I went to all of my teachers to explain how I wanted to complete all of my homework for the entire school year, Chuck Herber was the first to say yes, and when the other teachers refused, he went and talked to them. It’s because of him, that they reluctantly agreed. I was able to complete all of the homework in 3 days, and barely scrape by with a high school diploma so I could join the Marines.
Are you working on any exciting new projects now? How do you think that will help people?
Vertical farming & 3d printing. Specifically designing and printing 3d parts to put together a low-cost vertical farming and hydroponics system for growing food.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
You have to balance your priorities. Be healthy by working out, get plenty of sleep, and drink plenty of water. Disconnect from your technology periodically and have a hobby that brings you a lot of joy. Recognize your symptoms of burnout and take a break before you get there. Everyone’s symptoms are different.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. Privacy regulation and rights have been changing across the world in recent years. Nearly every business collects some financial information, emails, etc, about their clients and customers. For the benefit of our readers, can you help articulate what the legal requirements are for a business to protect its customers’ and clients’ private information?
Beyond the legal requirements, is there a prudent ‘best practice’? Should customer information be destroyed at a certain point?
A lot of organizations hoard vast amounts of data which they will never use. If you send out an email newsletter, do you really need to keep more than the person’s name and email address? An organization that accepts credit card payments will need to keep detailed records to send to the payment companies. Some organizations are keeping data and analyzing that data for advertising purposes or to gain some kind of competitive advantage.
A small organization should pay close attention to the data they are collecting. They don’t have the resources to protect the data and have increased risk if that data is stolen. I recommend that small organizations store the minimum amount of data they need to offer their services to their customers. The more data, or the more sensitive the data, an organization collects, the more due diligence that organization needs to provide to protect the data. They should aggregate the data and delete the original. Aggregating the data allows organizations to keep an accurate count while purging the personal data behind it, lowering the risk to an organization. They should also purge the data periodically. To put a cost to this, one user record is worth 39 dollars to 220 dollars depending on the data that is compromised. PCI and health data are worth more than just an email address.
So adhering to a minimal data collection policy and purging old records will limit your financial risk in the event of a breach.
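The aggregate-then-purge approach described above, as an added example that is not part of the interview: a newsletter signup list is reduced to per-country monthly counts (no identifying fields survive in the aggregate), records older than the retention window are purged, and what remains is trimmed to the fields needed to actually send the newsletter. The subscriber records, names, addresses and the 365-day retention window are all constructed for the example.

```python
"""Data minimisation for a newsletter list: aggregate, purge, keep the minimum.

Added example, not code from the interview. All records below are constructed
sample data; the names and email addresses are invented.
"""
from __future__ import annotations

from collections import Counter
from datetime import date, timedelta

# Constructed raw signup records. The business only ever needs the counts per
# country and month for reporting, and name + email for sending the newsletter.
SIGNUPS = [
    {"name": "Ada Example", "email": "ada@example.com", "country": "US", "signed_up": date(2023, 1, 14)},
    {"name": "Ben Muster", "email": "ben@example.de", "country": "DE", "signed_up": date(2022, 11, 3)},
    {"name": "Cy Sample", "email": "cy@example.com", "country": "US", "signed_up": date(2023, 6, 20)},
    {"name": "Dee Test", "email": "dee@example.com", "country": "US", "signed_up": date(2022, 12, 31)},
    {"name": "Eva Muster", "email": "eva@example.de", "country": "DE", "signed_up": date(2023, 6, 2)},
]

# Fields that are genuinely required to deliver the service (send the mail).
REQUIRED_FIELDS = ("name", "email")


def aggregate(records: list[dict]) -> dict[tuple[str, str], int]:
    """Count signups per (country, YYYY-MM).

    The result carries no name, address or date of signup for any individual,
    so it can be retained indefinitely without retaining personal data.
    """
    counts: Counter = Counter()
    for rec in records:
        counts[(rec["country"], rec["signed_up"].strftime("%Y-%m"))] += 1
    return dict(counts)


def purge_expired(records: list[dict], today: date, retention_days: int) -> list[dict]:
    """Drop every record that signed up before the retention cutoff."""
    cutoff = today - timedelta(days=retention_days)
    return [rec for rec in records if rec["signed_up"] >= cutoff]


def minimise(records: list[dict]) -> list[dict]:
    """Strip each surviving record down to the fields the service needs."""
    return [{field: rec[field] for field in REQUIRED_FIELDS} for rec in records]


def process(records: list[dict], today: date, retention_days: int) -> tuple[dict, list[dict]]:
    """Take the aggregate first, then purge and minimise the raw records.

    Returns (aggregate_counts, records_to_keep). Everything else is deleted.
    """
    stats = aggregate(records)
    kept = minimise(purge_expired(records, today, retention_days))
    return stats, kept


if __name__ == "__main__":
    stats, kept = process(SIGNUPS, today=date(2024, 1, 1), retention_days=365)
    for (country, month), n in sorted(stats.items()):
        print(f"{country} {month}: {n} signups")
    print(f"{len(kept)} records retained, fields: {sorted(kept[0]) if kept else []}")
```

The order matters: the aggregate is taken from the full list before the purge, so reporting stays accurate while the personal data behind old entries is deleted.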
In the face of this changing landscape, how has your data retention policy evolved over the years?
I used to think we should keep ‘all of the data’ because hard drive space is cheap, to help enable the business. Now I look at data as risk, so we need to change our risk profile on data to help the business make money while mitigating risk.
Are you able to tell our readers a bit about your specific policies about data retention? How do you store data? What type of data is stored or is not? Is there a length to how long data is stored?
Some organizations need to keep data for a specific period of time for operational or regulatory compliance. Those organizations should rotate the stored data to offline storage as soon as they are done actively working with it. Organizations should classify the data and limit access to individuals who need to use that data as part of their day-to-day operations. Data should be stored and transferred securely, i.e. full disk encryption and transfer via secure protocols like HTTPS, using strong encryption methods. If the data is no longer used, delete it, unless there is a regulatory requirement to save it, then rotate the data to offline, secure storage. Once the data is beyond the retention policy, dispose of it in a secure manner.
Limit access to the data by ensuring you use strong and unique usernames and passphrases (passwords) for each separate online account you create. Hackers are using credential stuffing techniques. If data is compromised in a breach, they will retry those usernames and passwords on other services. If you reuse the same username and password across your accounts, the bad guys can hop between accounts successfully. Using a password manager allows you to memorize one password, but to create unique credentials for each online service you have.
Has any particular legislation related to data privacy, data retention or the like, affected you in recent years? Is there any new or pending legislation that has you worrying about the future?
GDPR is the newest legislation which is turning heads in the industry. GDPR is an updated protection directive. It requires organizations to protect data and privacy for EU citizens. It’s a high standard for all 28 EU member states and was derived due to public outcry for updated privacy standards. Shortly after the EU passed GDPR, California passed their own called the CCPA. States and Federal entities will be close behind GDPR and CCPA in passing their own consumer privacy regulations.
In your opinion have tools matured to help manage data retention practices? Are there any that you’d recommend?
Tools have matured over the past few years. There are leading market data retention and archiving systems whose purpose is to automate your retention policies. The tool you choose is based around your budget, the amount and type of data, and which regulatory compliance framework you need to follow. The goal is to perform a reasonable amount of due diligence. You don’t want to spend millions of dollars on a solution when you have names and email addresses for 100 people on an email list. Try to figure out what the data is worth, then develop a solution that is reasonable.
There have been some recent well publicized cloud outages and major breaches. Have any of these tempered or affected the way you go about your operations or store information?
The cloud is an amazing place, and it is not going anywhere. Security practitioners need to understand and learn how to protect the data in the cloud. It’s a cost-effective solution and it has empowered small organizations to compete with Fortune 50 companies. It’s purely a David and Goliath story, if you will. Any data retention policy for an organization who uses the cloud will need to be updated. The security team will need to run checks and balances against the settings to verify that the data is compliant with the policy. No company goes out of their way to set the data storage to be accessible by anyone, yet it happens. Security organizations need to set up templates so that services are turned up securely, and they need to audit to verify that settings have not changed.
Ok, thank you for all of that. Now let’s talk about how to put all of these ideas into practice. Can you please share “Five Things Every Business Needs To Know In Order to Properly Store and Protect Their Customers’ Information?” (Please share a story or example for each.)
Strong & unique passphrases for all accounts — In the early days I had a handful of passwords I used. When I noticed one of them was compromised in a breach, the attacker was only able to log into my accounts with the same username and password. They only had access to my social media accounts, but this attack is now known as a credential stuffing attack. Using a service like haveibeenpwned to change usernames/passwords for confirmed breaches and a password manager are crucial steps to protecting data.
Encrypting data in motion and at rest with strong encryption mechanisms — Full hard drive encryption and projects like Let’s Encrypt are the cornerstone to keeping sensitive data safe. These mechanisms will ensure that if data is going across the wire it’s encrypted, and if someone walks off with your computer the data can’t be taken. In my pentesting days I plugged my laptop into a financial institution’s network while their systems were performing a backup. It wasn’t encrypted and I was able to pull down everything including account numbers, addresses, and dates of birth. Needless to say, this was a major finding.
Keeping your software up to date — Security practitioners will state this until they are blue in the face. Keeping firmware and software up to date are important for organizations. Updates include security fixes and patches to vulnerabilities. You would be surprised at how many organizations have devices with 5+ year old vulnerabilities on them.
Asset inventory — Asset inventory is a way to track everything that your organization uses. It’s an up-to-date list of what devices, software, and versions are used in the day-to-day operations. Keeping this list up to date is important because if there is a security event that is publicized, it’s easier to look at the list to determine if you have an affected device and how you can best protect it from the impact.
Implement the accountability principle — Leadership has to be able to prove they are taking the appropriate measures in protecting data. Policies and procedures need to be written and adhered to, training given to all employees, and plans need to be written up around impact assessments, records management, and finally breach responses. In all of the organizations I have worked with, the organizations where leadership took this responsibility scored better in pentests and assessments.
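The asset inventory point above (a list of devices, software and versions that you can check the moment an advisory is published), as an added example that is not part of the interview: a small inventory is cross-referenced against an advisory that names a product and the version it was fixed in, and the affected hosts are returned grouped by owner. The inventory rows, the product name “ExampleVPN”, the version numbers and the owners are all constructed placeholders, not a real advisory.

```python
"""Cross-reference an asset inventory against a published advisory.

Added example, not code from the interview. The inventory and the advisory are
constructed sample data; "ExampleVPN" and every version number are placeholders.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    hostname: str
    product: str
    version: str
    owner: str


@dataclass(frozen=True)
class Advisory:
    """Affected range is [min_affected, fixed_in); fixed_in is the patched release."""
    product: str
    fixed_in: str
    min_affected: str = "0"


# Constructed inventory: the kind of list the interview recommends keeping current.
INVENTORY = [
    Asset("fw-edge-01", "ExampleVPN", "4.1.7", "netops"),
    Asset("fw-edge-02", "ExampleVPN", "4.2.1", "netops"),
    Asset("fw-branch-03", "ExampleVPN", "3.9.2", "branch-it"),
    Asset("legacy-vpn", "ExampleVPN", "2.0.0", "branch-it"),
    Asset("mail-01", "ExampleMail", "2.0", "msgops"),
]

# Constructed advisory: versions 3.0.0 up to (not including) 4.2.1 are affected.
ADVISORY = Advisory(product="ExampleVPN", fixed_in="4.2.1", min_affected="3.0.0")


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '4.2.1-rc2' into (4, 2, 1) using the leading digits of each dotted part.

    Missing trailing components compare as lower, so (4, 2) < (4, 2, 1).
    """
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def is_affected(asset: Asset, advisory: Advisory) -> bool:
    """True when the asset runs the advisory's product inside the affected range."""
    if asset.product.lower() != advisory.product.lower():
        return False
    installed = parse_version(asset.version)
    return parse_version(advisory.min_affected) <= installed < parse_version(advisory.fixed_in)


def affected_assets(inventory: list[Asset], advisory: Advisory) -> list[Asset]:
    """All affected assets, sorted by hostname for a stable report."""
    return sorted((a for a in inventory if is_affected(a, advisory)), key=lambda a: a.hostname)


def affected_by_owner(inventory: list[Asset], advisory: Advisory) -> dict[str, list[str]]:
    """Group affected hostnames by the team that owns them, so each gets a work item."""
    report: dict[str, list[str]] = defaultdict(list)
    for asset in affected_assets(inventory, advisory):
        report[asset.owner].append(asset.hostname)
    return dict(report)


if __name__ == "__main__":
    for owner, hosts in affected_by_owner(INVENTORY, ADVISORY).items():
        print(f"{owner}: upgrade {', '.join(hosts)} to {ADVISORY.product} {ADVISORY.fixed_in}")
```

Without the inventory, answering “are we affected?” means logging into every device to read its version; with it, the question is a lookup, and the ownership column turns the answer straight into assigned patching work.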
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)
Vertical Farming — More food with less space, less land, and less water. Also means more food sources are closer to consumption, so less logistics.
How can our readers further follow your work online?
Twitter — @vipergts46
This was very inspiring and informative. Thank you so much for the time you spent with this interview!