Date: 2021-10-14

Fascinated with science fiction as a child, in 1969 an extremely upset JohnE Upgrade wrote a very angry letter to NBC when they cancelled the original Star Trek series. His IT career began in 1983, and he became the 2nd network director of the 41.8-billion-dollar project for the C-17 cargo plane in 1988. You may have seen the interior of a C-17 when it was used to airlift thousands of refugees as they fled from Afghanistan during the 2021 Taliban takeover.

After a 35-year career, he retired as a cybersecurity subject matter expert from IBM’s Cloud Division to write his cybersecurity book entitled “Don’t Hack”. He recently founded CyberD TV, the first streaming service dedicated to cybersecurity training for the general public, which will launch on Vimeo in October of 2021.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

Absolutely, and thanks for having me! I grew up in a middle-class household, and played a lot of sports, like baseball, basketball, bowling, football and pool. I also became interested in hacking before it was called hacking, after reading an article about “phone phreaking” in 1971.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

Sure. As a teenager, I started off on the wrong side of the law, manipulating the AT&T telephone network. I’d been phone phreaking for two years, and one day FBI agents came to my grandmother’s house. They wanted to know the name of the person who’d made dozens of out of state long-distance calls to her number, calls that the phone company couldn’t charge for.

Across the country, more FBI agents went door to door questioning my neighbors to find out who was behind it; each violation was a federal crime, and came with up to a 10-year prison term per charge. Since I was a dumb kid, I thought it was just goofing around, and no one had been hurt. Officially, I’d committed a felony called “interstate theft of services”, and let’s just say, AT&T was not happy.

Since I’d made over 50 separate calls, I was very worried. The FBI probably had a backlog of more important things to do, and nothing ever came of it, but for years I was sure I was going to prison for a long, long time. Sometimes people catch a break, and that was mine.

I decided I’d be much better off putting my skills to use on the side of law and order. That was 45 years ago, and it was the best decision I’ve ever made!

Can you share the most interesting story that happened to you since you began this fascinating career?

Yes, and this was an internal cybersecurity error, the equivalent of shooting yourself in the foot. It was my most “touch and go” moment, and actually lasted for three days. It happened when my team hardened a server a bit too much, one with roughly 2,000 programmers on it, all racing to beat a release deadline for enterprise software that customers paid millions of dollars to purchase.

My solution would be a roadmap for hackers to follow, so I won’t go into detail on it, but there was no impact on the release date.

None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?

There were many people who helped me during my career, so I’ll go back to the very beginning. I was working as a motel clerk while going to college, and saw a computer operator job posted on the college’s job assistance bulletin board. My first wonderful mentor hired me, and then brought me with her in 1984 to McDonnell Douglas, a massive corporation with 250,000 employees. I was given the chance to break into IT by her, and she changed my life.

Are you working on any exciting new projects now? How do you think that will help people?

Well, at the very least, they’re exciting to me! Lol!

After I retired, I said to myself, “Myself, it would be really cool, and give me a great sense of satisfaction, if I wrote a book to help people defend themselves against online scams, and even get into cybersecurity if they’re interested”.

The cybersecurity industry currently has 4 million vacant positions that corporations can’t fill, so the need is there.

As hacking got worse, I also decided to launch the first streaming service dedicated to cybersecurity, and share my knowledge that way too. It’s called CyberD TV, and it’s like Netflix for Cybersecurity.

What advice would you give to your colleagues to help them to thrive and not “burn out”?

Self-care is numero uno.

One major tip is, don’t eat at your desk every day. It’s just not good for you, physically or mentally.

Meditation is the most important thing for me. I didn’t know how to meditate until I was 56 years old, and wish I’d learned it sooner. Exercise is another method to help relieve stress, and is critical for your health.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?

First and foremost is my passion to teach people and companies how to protect themselves online. The next step is for people to join the cybersecurity industry. We desperately need those four million vacant positions filled!

Second, it’s exciting to see that corporations are budgeting adequate money for cybersecurity now. I think every company realizes the financial threat a potential data breach can pose to them. In the past, cybersecurity was considered a non-revenue generating cost, called overhead, but corporations have really changed their attitudes.

Lastly, I feel the same way about the cybersecurity industry today that I did about Apple, Amazon and Facebook before they took off; our industry is about to explode! For employees, the career opportunities are unbelievable. For investors, I won’t be surprised if the world’s first trillionaire comes from a cybersecurity related business.

Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?

Unfortunately, I see too many dangers looming for our society, and it’s really upsetting to me. I hope companies can prepare in time. Here’s a list of “The Dirty Dozen Critical Cybersecurity Threats on the Horizon” for your readers:

Food distribution chain disruptions — Starvation is the scenario I dislike the most, because I really love to eat. Most Americans don’t stockpile food; a distribution chain disruption will create mass chaos.

Air traffic control jamming — If air traffic control operations for major airports are rendered inoperable, pilots would have to fly blind, avoid mid-air crashes, then land their planes without the control tower.

Nuclear weapons — At least 10 countries in the world are known to possess nuclear weapons. Some might not have the best controls in place, and if terrorists can hack into them from remote…scary.

Nuclear power plants — Seeking a ransom, hackers could accidentally cause a meltdown at a nuclear plant. There are currently 55 nuclear power plants in America, located in 28 different states, totaling 93 nuclear reactors. I live near one of them, and it makes me break into a sweat just thinking about it.

Dam sabotage — Dams release pressure by opening their spillways to allow the controlled flow of water, but if hackers blocked their spillways, the enormous buildup of water pressure could cause a dam to fail. There are 84,000 dams in America, and most have people living close to them.

Reservoirs — We need reservoirs for drinking water, irrigation, and to flush our toilets. Without water, fires could rage out of control, and destroy entire sections of a city.

Hospitals and emergency medical care — In 2020, at least 235 American hospitals paid hackers over 100 million dollars in ransom money. Hospitals have already turned away ambulances carrying sick or dying patients, because they had no way to provide them with medical care.

Power — A non-hacker related internal operations power failure in Texas created an electrical blackout. It killed at least 210 people, who froze to death. Hackers could attempt something similar for ransom.

Economic chaos — What if hackers shut down the New York Stock Exchange in an extortion attempt? The value of shares trading hands daily on the NYSE is 5 trillion dollars, per the Bank of International Settlements. An extended outage due to a data breach could cause a global economic collapse.

Oil and gasoline — Months later, the effect of the Colonial Pipeline breach is still being felt nation-wide.

Mass transportation — If they got in, hackers could stop trains, or mess with the street lights in a city. This could cause crashes like the ones we’ve seen in the movies.

Identity theft — ID theft occurs to thousands of people every day, and I’ve been one of the victims. I now subscribe to three different credit monitoring services.

Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?

Definitely. I call this lame social engineering technique “The Phony Company Heavyweight”. One day I got a call from a slacker hacker pretending to be a VP, who wanted access to the corporate network. He began screaming he was giving a sales presentation to our biggest customer, and if he wasn’t immediately granted access, I’d be out of a job.

Granting someone network access over the phone was against company policy, as well as common sense. I said I’d immediately send out a technician to take care of the problem, and help him open a ticket with the Help Desk. After a few more threats about my job, he hung up. I sent out a company-wide email warning my fellow employees to be on guard for phone calls like this one, because he wouldn’t stop with me. This happens a lot.

What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?

I’d be glad to. Firewalls and Intrusion Detection Systems are familiar ones, but a very important cybersecurity tool that many people aren’t aware of is an endpoint management server.

We used endpoint management software extensively, because it can simultaneously deploy emergency security patches to over 10,000 PCs and servers at a time. Large corporations may have 100,000 employees or more, and without an endpoint management server patching the hosts on their network, it would be a logistical impossibility to patch security vulnerabilities on every PC or server on the network.

This next cybersecurity tool doesn’t get much respect, probably because it’s been around for so long people take it for granted, like electricity. It’s a vastly under-appreciated corporate defensive tool: antivirus software. It’s any company’s first line of defense against malicious software attacks for PCs and servers, such as viruses, trojan horses, ransomware, etc.

Though it’s still called antivirus software, it’s more of a complete package suite, and provides protection against any kind of malicious software that can cause damage to a computer or network. Without a doubt, AV software should be installed on every PC and server in the company, to detect and clean malware threats. That’s a given; it’s Cybersecurity Defense 101.

How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?

That’s a tough series of questions. Antivirus software is over the counter, but endpoint management software generally isn’t. This doesn’t take into account everything else a company needs to protect against a data breach.

If I was in charge at a small company, the first thing I’d do is hire an experienced agency to do an initial cybersecurity assessment. Many cybersecurity companies are so new, the best thing about them is their marketing ability. Companies like this are going to learn on your dime, and to me, that’s not acceptable.

Even the best third-party security companies will try and sell expensive software, or services, which are out of reach for a small company on a tight budget. Good negotiation skills come in handy here. I don’t think most small companies know how much blanket coverage they’ll need to minimize their cybersecurity exposure; bundling software and services into a discount package definitely helps with this.

Before I started a search outside my company to hire a CIO, I’d take a look at the people already there. An internal CIO hire will have a shorter learning curve, as they already know the company. My top candidate would most likely be an Infrastructure Director who’s managed multiple teams, and has IT managers already reporting to them. I’ve seen every combination of CIO hire there is, and an internal hire has the best chance to enable a smooth transition.

As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?

Yes, there are definitely signs individuals can look for in their personal lives to indicate they’ve been hacked.

This is the worst way a person will discover they’ve been hacked, and it might not be until months, or years, after the actual event occurred. If an individual gets a ransom note, and personal photos are included, ones that nobody else has ever seen, they were either hacked, or the victim of what’s called “revenge porn” by an ex-partner. It happens to ordinary people, not just celebrities. The best advice I can give people is don’t let anyone take pictures of you with their phone, or with your own phone, that you wouldn’t post online yourself. Once it’s on the Internet, it’s there forever.

Something is certainly amiss if a person is turned down when applying for credit that should easily be within their range. This is a byproduct of a hacker using their identity.

People can look to see if purchases appear on their credit card statement, ones they know they didn’t make. There can also be non-digital “organic” hacks that occur in our physical world. I left Hawaii once after a very fun vacation, and I still had possession of my credit card. Sad to say someone, like an unethical cashier, must’ve taken down my number. They tried charging things after I left, but the credit card company prevented it.

This is hard to quantify, but if a person feels uneasy, and vaguely remembers having clicked on a link in their email, that’s a sign something may be wrong. They should trust their instinct, because they may have been a phishing victim without realizing it.

Overall, the best remedy is to subscribe to a credit monitoring service which will keep track of suspicious activity, like big dollar amount charges that are out of character, and weird credit applications.

After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?

This is a tricky question; it literally covers a lot of territory, because it varies from state to state, based on what services were provided, and the type of information that was stolen.

The Federal Trade Commission has pages of guidance on what to do at their website:

https://www.ftc.gov/tips-advice/business-center/guidance/data-breach-response-guide-business

I’ve summarized some of the highest priority responses below:

Seal the breach ASAP.

Don’t hide the breach. That’s the best thing a company can do to protect their customers, employees, investors, shareholders, and the company itself. As the old saying goes, many times the coverup is worse than the crime, and that’s definitely true after a data breach.

The company must call their local police department immediately. When local law enforcement doesn’t know what to do, notify the FBI.

Personal health records are in a special category. A company must notify the FTC and, in some cases, the media. Checking the FTC’s Health Breach Notification Rule explains who they must notify, and when. In addition, the company needs to know if they’re covered by the HIPAA Breach Notification Rule. If so, they must notify the Secretary of the U.S. Department of Health and Human Services (HHS) and, in some cases, the media. HHS’s Breach Notification Rule explains who they must notify, and when.

Inform all affected parties immediately. That would be their customers, employees, investors and shareholders. To speed things up, and so there’s no confusion, the FTC has put a data breach notification template on their website for companies to use.

Hire a third-party cybersecurity forensics company that specializes in determining how the breach happened, and when.

Bring in another company to evaluate overall cybersecurity defense fitness, because there might be other exposures than the one which was exploited. This company could also assist with tightening up their cybersecurity defense, or a third agency would have to be hired.

Enact an employee cybersecurity training program. Again, an outside firm would be best, because whatever training methods the company tried had failed, as proven by the data breach.

How have recent privacy measures like The California Consumer Privacy Act (CCPA), CPRA, GDPR and other related laws affected your business? How do you think they might affect business in general?

This is a tremendous concern for me. Privacy is a critical issue, and I’m not sure every company realizes it. When I signed the Privacy Policy Agreement for CyberD TV with our video hosting platform, I pledged that as long as I ran the company, we’d never sell subscriber information to a third party.

That pretty much took care of the CCPA and the CPRA, as I clearly stated in my privacy agreement, I’ve got no intention to share the information of my subscribers with outside companies. I take in no advertising revenue, and there’s no tracking of my customers’ buying habits.

Outside of the United States is another story. I’m not a lawyer, but I personally looked into the articles of the GDPR very intensely, because that covers the European Union. The laws for privacy, slander and libel appear much stronger in the EU than what we have in the United States. CyberD TV is dependent on the cybersecurity measures of the company who provides the streaming platform we run on, and I have no control over their defensive capabilities.

In essence, the effect it has on my business is that I’ve made the decision to block the European Union from my subscriber base for the time being. That hurts, because there are over 440 million people who live in the EU region.

Once we’ve been active for a while, my plan is to hire a top lawyer in the EU whose specialty is the ins and outs of the GDPR, and then figure out what the next steps for CyberD TV will be for the EU. I’m not going to wait for a data breach to happen; instead, I plan to be proactive. At the very least I want to show the people behind the GDPR I’m very willing to work with them to satisfy any and all of their requirements.

What are the most common data security and cybersecurity mistakes you have seen companies make?

The company didn’t put enough funding into cybersecurity, and now they have to play catch up.

Poor cybersecurity training. I don’t think companies emphasize to their employees the financial cost to the company bottom line when a breach occurs. After a breach, many employees can lose their jobs.

Cybersecurity positions are the hottest jobs right now, and if companies try to pay under market value, their employees will leave, and potential candidates will go elsewhere. There are 4 million open cybersecurity jobs, so good people have plenty of choices.

Since the COVID-19 pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?

No question about it, the uptick in hacking, data breaches, and privacy errors has been on a massive upward trend. There are daily headlines about scammers, hackers, and very costly data breaches. When employees work from home, many are less security conscious, while at the same time they lack the security protection provided when they’re at the office.

The number of attackers has increased many-fold. People stuck inside due to Covid-19 had the free time to try their hand at hacking. Many were desperate because they’d lost their jobs, and their only source of income. People who would never consider such a thing may turn to crime, when they feel they have no other choice. They don’t even need much coding knowledge themselves; hacking software is available on the Dark Web that probes for security vulnerabilities to exploit, creating data breaches, while other software packages will lock up company records, until the hackers are paid a ransom.

Desperation is the Mother of Necessity, and Necessity is the Mother of Invention.

Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)

I was inspired by this question, because today, I feel 5 things are not enough. There are just too many sensitive areas that need to be covered. With that being said, I’ve put together an A-Z list to help companies tighten their data privacy measures, as they strive to optimize their cybersecurity defense, and avoid being breached:

Standardization. I can’t stress standardization enough. Attacking employee PCs is the preferred way hackers breach a company, so let’s start there. An example of a company policy standard is that all employee laptop hard drives must be encrypted, without exception. Another is that no USB drives may be inserted into a company device. A third would be not allowing a PC access to the network when its software needs to be updated.

Employee Training. Cybersecurity training is critical. Most employees dread online training, because they find it boring, or feel it takes too much time away from their normal work. I’ve seen many PCs become infected, due to “free” software employees downloaded from the Internet. I’ve managed both Deskside Support, and the Help Desk. These employees are the first staff members to see a breached PC, and will recognize if an employee PC has been compromised. They’re very important pieces in the cybersecurity defense chain.

Physical Security. Many companies use a badge system, or one based on biometrics. Social engineers will definitely try to work around them. They’ll sneak in behind an employee with legitimate access to the facility, using a technique called tailgating. When I’ve caught a tailgater in action, they inevitably keep their head down, mumble that they forgot their badge, and never come back.

Physical locks given to company employees to lock down their laptops. A 20-dollar lock is the best way for an employee to physically secure their laptop to their desk when they’re at lunch. I’ve also known of employees who’ve had their car windows broken, and their laptop stolen, because it was left on the seat, and they didn’t lock it in the trunk.

Limit the ability of employees to disable BIOS settings, BIOS passwords, hard drive passwords, power on passwords, VPN passwords, and Windows passwords. Passwords annoy employees, but they slow down hackers quite well. With a little extra time, we can block hackers from getting in at the network level.

Force Software Updates at login. Employees will put off updates if given the choice, but I knew my company was safer because we were forced to do software updates before we could access the network.

Block employees’ ability to install apps. “Free” software is used by hackers as a trap, so don’t allow employees to let them into your environment. In the 1990s-2000s, my staff had to rebuild many PCs damaged after being infected by costly free software employees got from the Internet.

Hardware standardization. Smart companies buy their PCs from one manufacturer. I’ve ordered identical model laptops in big quantities, and always asked for consecutive serial numbers. Why? Like a car maker, hardware manufacturers have multiple vendors, and buy the most economical part available at the time. Requesting consecutive serial numbers is a good way to avoid cybersecurity exposures, such as vulnerable hard drive firmware, because they had different parts than the other laptops I’d purchased.

Backups. Company servers must be backed up every day. When a hacker gains access to a server, and erases a data volume before they’re discovered, that’s a major issue, but most of the data will be recovered from the last backup. If daily backups aren’t done, a company loses valuable info they must painfully recreate, and it’s no longer an issue; it’s a nightmare.

Server standards. It’s not realistic to build identical server images, but my team put together a manual for server builds that was so good, the server manufacturer was very impressed. A company must have policies to define server standards. When a server is finally put into production, it means the operating system is fully patched, all the applications have been thoroughly tested, and it’s ready to be used from that point forward.

Endpoint management, patches and updates. An internal endpoint manager is great for any company, because it can concurrently update thousands of PCs. That’s completely different from an external update, like the one that delivered malware to 18,000 customers of SolarWinds, which was one of the most infamous cyberattacks in history.

Maintenance Windows. Servers may only be patched or updated during a specified window of time, a period called the Maintenance Window, and the cybersecurity team must be well aware of them. Security patches take precedence over the Maintenance Window, and are applied as soon as they’re available. I’ve had development managers argue with me about this, but I followed company policy, and they always lost.

Change Control. With Change Control, every change is requested, approved, progress is tracked, and after the work is successfully done, it’s closed. Then the Change Control Request becomes a read only record, and is archived for future reference. Change Control Records are extremely important as evidence following a data breach, and cybersecurity forensics teams will study them closely.

Problem Management. The cybersecurity team sometimes must make judgement calls on the spot, and then get manager approval later. The Problem Management process allows it, and it’s invaluable in emergency situations. I’ve used the process when security patches had to be applied quickly to prevent vulnerabilities from being exploited by hackers, or in cases of hardware failure.

Network Architecture. A small to medium business usually can’t justify the cost of a full-time architect, and will hire an established firm to work with their network team on the design. Our network architecture was excellent, and the result was a smooth running, and very solidly protected, corporate network.

Penetration Testing. This is the scanning of a company’s network to test the strength of its security, and discover if the network can be penetrated. Scans are run against the network, searching for security vulnerabilities. I always hired external third parties to run the penetration tests, due to their objectivity, expertise, and specialized tools our network engineers didn’t possess.

Network Firewalls, and Intrusion Detection Systems (IDS). I’ve bought them since the earliest versions, and they pay off big. A NIDS will monitor the data traffic on your network, and report any suspicious behavior. A HIDS will monitor the hosts, like company PCs, for changes that conflict with cybersecurity policies, and suspicious activity. An IDPS is next level; not only will it monitor for intruders, but can take action against them to defend a company from a major data breach.

Network Engineers. They must be vetted carefully before being brought on board, and a company should hire only the best ones they can find. I’ve been lucky to have worked with some outstanding network engineers. You can have the best network design, awesome hardware, and great monitoring software tools, but without solid network engineers, your company will still be vulnerable to cyberattacks, and data breaches.

Redundant Hardware. These devices don’t get updated immediately from the primary device; there is a short time delay built in. If a hacker gets on your network and damages a server OS file system, or tries to erase a storage device, sometimes the only way to stop them is to momentarily take the server down, kick the hackers off the network, and bring the redundant device online with read-only operating system files. If a hacker is caught quickly enough, this can prevent a massive loss of data.

Failover Hardware. For major online retailers, like Amazon, a few minutes of downtime can cost a million dollars, or more. We designed our business model to include failover hardware that replicates with the primary instantly, because if hardware does fail, the failover device will take over immediately, and business will go on as usual. In some cases, a website outage from hardware failure can cost a company as much as a data breach.

Proper Server Security Classification. When a website server is incorrectly classified at a lower security level than it should be, that gives hackers a better chance to take down your website. I’ve inherited servers incorrectly given a lower security classification, and it’s difficult to remedy without a disruption.

Obsolete Operating Systems, and Contained Environments. Sometimes a company will use apps that will only run on an obsolete OS. As a workaround, a company will put these servers into a Contained Environment, where it’s boxed in behind so many layers of network protection that only a very restricted group of employees can access it. I’ve had to work with these types of servers for years at a time.

Implementation. After a server has been built, tested, and put into production, implementation of the cybersecurity policies laid out by the company must continue to be strictly followed. Our team had to work hard, and work smart, to ensure we knew every cybersecurity policy as we managed production servers, and kept hackers at bay.

Compliance. A company with strong cybersecurity policies in place, and a team who correctly implements them, will amass a large amount of good compliance data about their servers. Each server will have its own data collection in a repository, and when it’s examined, will reveal if they’re compliant; if not, a close investigation will also reveal when, where, why and how deviations occurred. This is critically important, and I studied our compliance data like a hawk.

Internal Auditing. How can a company know if their servers have been kept compliant, without regular internal audits? Auditors will request compliance evidence, known as proofs, that the cybersecurity team must present to them in a timely fashion. Auditors will closely examine the compliance history of the server. An audit will reveal if the cybersecurity team has followed company policy. For each data point a server could fail on, and there are hundreds of them, that’s an exposure hackers could exploit if they were able to penetrate the network. There were times I had to defend fifteen servers in one month to prove they were compliant, and that’s very difficult.

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)

Thanks! It always makes me feel so proud, and humbled, when people tell me I’ve influenced their career.

I’ve always wanted to do something great for society, but in my 60s, thought the opportunity had passed me by. Maybe cybersecurity training is my chance to inspire a movement. My idea was to start CyberD TV, the first streaming service dedicated to teaching the general public what I’ve learned over my 35-year cybersecurity career.

I’ll train seniors how to avoid being scammed, teach parents ways to keep their kids safe online, give tips on how to stop identity theft, and help people who are interested to pursue one of those 4 million open cybersecurity jobs.

