“Security culture is very important”, With Jason Remillard and Russ Munisteri of MyComputerCareer


Security culture is very important. Regularly communicating to the enterprise of cyber-attacks, details of the attacks, how those attacks are threats to the business and ways to reduce that attack surface. Security awareness, training and simulations hold weight. Cybersecurity does not reside in the IT department anymore. It scales out to every department, each employee, and ultimately comes from senior management. I do stress on senior management because their buy-in is crucial. Without their support, cybersecurity will not be a priority until it is too late.

As part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Russ Munisteri.

With over a decade of experience in cybersecurity, Russ Munisteri, CASP+, CEH can easily speak to how to optimize a company’s approach to cybersecurity and privacy. An information technology professional, trainer and academic director, Russ has a proven success of planning and executing training programs based on CompTIA, Microsoft, Cisco, Linux, and cybersecurity certification requirements, organizing and presenting curriculum, training instructors, answering questions, providing feedback, and evaluating student and program effectiveness. He is committed to fostering positive interpersonal and intercultural communication within the classroom and IT business environments. He’s currently Assistant Director of Education at MyComputerCareer, an accredited online and in-campus technical college that provides hands-on Information Technology training, certifications and job placement in as little as seven months.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

I was born and raised on Long Island, NY. From a young age, I was attracted to technology. My first computer was a Commodore 64 and I eventually worked my way up to America Online (blast from the past!). That sparked great interest in technology. Directly after completing my bachelor’s degree, I pursued Information Technology by obtaining my CompTIA A+ and Microsoft’s MCSE certifications. From there, I had secured a Help Desk role which quickly turned into Systems Administration.

While spending time learning the industry, I had decided to pursue a Master of Arts degree in Education. Upon completing my degree, I had relocated to Georgia and invested seven years in public education. I did return to Information Technology for a couple of years which led me to MyComputerCareer as an Instructor for IT certifications.

Presently, I am an Assistant Director of Education for our Live Online division. I have achieved many cybersecurity IT certifications such as CompTIA CASP+, CySA+, Security+, EC-Council’s CEH, ITIL and Cisco’s CCNA in Cyber Ops.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

As a Systems Administrator, I had the opportunity to build physical and virtual servers, which was fun! But what caught my interest was securing them. Ranging from operating system hardening to physical security to high availability, I knew this was the career that I wanted to pursue. My experience also entails constructing, maintaining, and securing corporate networks based on best practice, as well as conducting security awareness/training sessions for end-users on various security-related topics.

Can you share the most interesting story that happened to you since you began this fascinating career?

As I had mentioned, my background consists of IT and education. I am a firm believer that everything happens for a reason. At the time, I had self-doubt about leaving IT and jumping into education and when an opportunity presented itself to return to IT, I had self-doubt again. But wait! I went back into education at MyComputerCareer and had self-doubt again. Are you still with me?! It all happened for a reason and fell into place.

When I began educating adults, I had a difficult time adjusting, as my teaching experience was with children. As time progressed, I found my niche and became comfortable with the curriculum and my teaching style. And…then it happened! My first student certification pass and my student said it was because of me. It does not get better than that!

Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?

My wife, Nadia, has been a great support with my career. When Nadia and I completed our master’s degrees, I was not able to secure a public education teaching position in New York, as the market was flooded. I have family in Atlanta, GA and we decided to relocate there upon securing teaching positions, which we did (same school). Nadia guided me throughout the time I had spent in public education and even when I returned to Information Technology.

When I found MyComputerCareer, to pursue the role of an Information Technology Instructor, Nadia was a tremendous support when we relocated to North Carolina by dealing with me! Presently, we have two beautiful children and Nadia continues to excel in molding the minds of children in the classroom. I have been with MyComputerCareer for four years and advanced to education management.

Are you working on any exciting new projects now? How do you think that will help people?

I have been working on two projects. One with MyComputerCareer and the other personally. With MyComputerCareer, I am working on a YouTube show titled Tech Out. Tech Out is a new project that is designed around cybersecurity, IT certifications and overall Information Technology for all technical levels. Tech Out includes cyber news, deep dives into specific topics and demonstrations (coming soon). MyComputerCareer YouTube Channel

As I am devoted to the cyber-world, on January 14th, 2018, I established Cybersecurity Lounge (CSL). CSL is a Facebook group that is designed to inform and educate at all levels of Information Technology. I focus on IT certifications, cybersecurity, motivation and advancing in the career. In a short period of time, CSL has grown to over 26,500 members world-wide and is growing daily. Cybersecurity Lounge (CSL)

What advice would you give to your colleagues to help them to thrive and not “burn out”?

  • Purpose: “A person with a clear purpose will make progress on even the roughest road. A person with no purpose will make no progress on even the smoothest road.” ~Thomas Carlyle
  • Goals: Thriving to achieve goals is an art and a science. To succeed, an end goal needs to be clearly established. Working towards your daily goals will motivate you to ultimately achieve your trophy.
  • Opportunity: Opportunity ties into goal-driven actions. If you are not working towards your daily goals and opportunity arrives, it is too late. Be prepared! Have a plan. Write it down. Do not procrastinate. Take action!
  • Reflect: Self-reflection is important. It aligns you with your goals and reduces burnout. Each night, I reflect on my actions of the day and tell myself what needs to be corrected and tweaked to keep moving forward. Currently, my goal is to achieve my CISSP certification. I tell myself (not listen to myself), what needs to be accomplished each day.
  • Rejuvenate: Passion gives you the energy to rebound from burnout. I am passionate about cybersecurity and education. Love what you do or make the necessary changes in your life to be passionate again.

I highly recommend The Energy Bus. You are the driver of your bus and it is your choice to drive in the right direction. If you keep the energy vampires off your bus, success is your destination.

The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?

Social Engineering was once just an art. It was a subjective topic, as many had different perspectives of what it is and how it is presented. Today, social engineering is a science, facts. Let us get a clear definition of social engineering. According to NIST SP 800–61 r2, social engineering is an attempt to trick someone into revealing information (e.g., a password) that can be used to attack systems or networks. For example, the Ukrainian power grid attack and Stuxnet.

Humans are the most vulnerable and attackers take full advantage of people and their situations. So, attackers thrive on human vulnerabilities for their malicious goals such as financial gain, physical entry to a datacenter/office, account login credentials, credit card numbers, SS#s and more.

Throughout my IT certification experience and studies, social engineering is usually a topic that I spend the most time on. Phishing, Vishing, Smishing, Whaling and Impersonation attacks are one side of SE, but what about the other side? Identity thieves, scam artists, governments, salespeople, disgruntled employees, and the list goes on. What about parents and children? I have you thinking…

Network security: Protecting your network, whether at work or at home is crucial. The process to implement safeguards to protect your assets is an ongoing process. Once you identify your assets (hardware, software, data, people), threats and the value those assets hold, that will determine how you will protect it. Everything surrounds the CIA Triad (confidentiality, integrity, and availability), of your assets.

Encryption technology: Encryption ties into network and cybersecurity, but I am very interested in the science and the history of encryption. For example, Julius Caesar developed an encryption mechanism that shifts alphabet letters. The Spartans used a scytale device to encrypt messages during the war. Did you know in WWII, Germany had the Enigma machine and Poland compromised the key, which shaved time off the war and saved endless amounts of lives?

Today’s encryption technology is far more advanced and extremely difficult to compromise. Advanced Encryption Standard (AES) is today’s encryption standard and is approved by the US government for classified information.

Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?

Ransomware attacks are occurring almost daily. These attacks can be detrimental to any organization if not properly prepared. Phishing attacks are the easiest and fastest way into a network, which ties into social engineering. In the past, attackers would encrypt your data (workstations/file servers) and leave a well-crafted ransom note (sarcasm) behind with payment information. Today’s advanced ransomware not only encrypts your data, but also exfiltrates enough data with the threats of selling it on the dark web. This puts an organization in a tight spot. Prior to exfiltrating your data, you can ignore the ransom and recover from backups and call it a day. Now, senior management must decide, pay the ransom with the hopes this issue disappears or roll the dice. Keep company reputation in mind.

Here is a fun fact! Darkside, a ransomware group, wanted to donate millions of stolen dollars to various charities. Darkside’s mission promised to “make the world a better place.” Of course, the various charity groups declined the money.

Even though ransomware is extremely unethical and illegal, it is very difficult to seek justice through the court system. Bottom line, an IT department can implement 100,000 dollars worth of equipment to protect their data, but it takes one person to be fooled to gain access.

Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?

While in the role as a Systems Administrator, our team was subjected to a ransomware attack twice in one month. Thousands of files became encrypted with many overnight hours to resolve. My role with one of the incidents was forensics. I had the opportunity to work closely with Microsoft’s cybersecurity division to dive into the situation and to analyze the virus. My journey with this issue started with working with the remote user to remove the workstation from the network to prevent further damage, but to also keep the waters calm. Probably one of the most important pieces to this puzzle is to remain calm.

While collaborating with Microsoft, retrieving the actual virus, and securely transferring it, turned on my cybersecurity lightbulb. I knew security was my passion. The question was, how do I pursue this path even more? Through experience and certifications.

Our team did recover with minimal damage. The most important part of this experience was the lessons learned meetings once the dust had settled. Here, we discussed what happened, how to better prepare, and what to do moving forward.

What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?

For risk management, utilizing a risk register or a Kanban application is beneficial. These tools simplify and categorize the priority of your risks from high to low (avoid sticky notes!).

On the technical side, there are many open-source and commercial products. Here are just a few:

  • Nmap is a popular free command-line tool that is for network discovery, inventory, network administration and auditing. Nmap is a great tool for gathering information about a network and obtaining a list of active hosts. This is part of a process called reconnaissance. Zenmap is the GUI version of Nmap.
  • Kali Linux is a distribution of Linux. Kali comes equipped with hundreds of tools. These tools are used for network scanning which includes vulnerabilities and auditing.
  • Wireshark is a network protocol analyzer which operates in real-time. Wireshark focuses on network protocols and reads (“sniffs”) the network for vulnerabilities and malicious traffic. IT Professionals are looking for ways to improve their network by capturing traffic and analyzing it. Of course, management needs to approve the use of Wireshark, as privacy is a factor.

How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?

My experience has been with both small and large IT departments. From my perspective, I prefer a small shop, due to collaboration purposes. Remember, we are here to support company objectives. Despite the size of your team, and I have mentioned this earlier, senior management support and buy-in is the key to your algorithm.

I am a bit old school! I like to have control of where services are and how data is processed and protected. However, if a third party needs to join your party, strong IT security policies (CASB), SLAs, and training are critical for data protection.

As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?

Unusual behavior with machines or personnel is a clear indication that something is wrong. For example, Phishing attacks are common with the overall goal to manipulate the end-user to provide confidential information. End-users can look for suspicious emails, too-good-to-be-true advertisements, URLs that do not align with the email and a questionable “from” email address. Work with your IT department immediately if there are any questions or concerns. Do not click away!

Insider threats, such as a disgruntled employee, can lead to a bad day. This category of a threat already has the knowledge to cause damage. So, what do you do? Be alert, notice unusual behavior/patterns and communicate with management.

After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?

Incidents and breaches will happen, and they are on the rise. How do we handle the situation? The National Institute of Standards and Technology (NIST) Special Publication (SP) 800–61, “Computer Security Incident Handling Guide,” defines a computer security incident as “a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.”

NIST outlines four steps for incident handling:

  • Preparation
  • Detection and analysis
  • Containment, eradication, and recovery
  • Post-incident recovery

In my perspective, preparation and the post-incident recovery are important (all stages are). During the preparation stage, your Incident Response Team should have a documented process when an event incident occurs. A lessons-learned meeting allows the team to learn what happened and decide what actions to put into place that will reduce the likelihood of future incidents.

How would I protect my customers? First, I recommend having a strong external team which includes legal, law enforcement and public relations. Second, avoid the CEO speaking with the media. Be honest with your customers. Explain and own the situation. From there, have a detailed plan moving forward which includes any compensation that may be owed and safeguards that will be implemented to reduce the likelihood of another occurrence.

How have recent privacy measures like The California Consumer Privacy Act (CCPA), CPRA, GDPR and other related laws affected your business? How do you think they might affect business in general?

I do not need to stress the importance of data protection, as this is what we do daily. I support the General Data Protection Regulation (GDPR) and The California Consumer Privacy Act (CCPA). Like I had mentioned before, the value of our data outweighs the facilities that store it. The European Union has done it right. The framework not only protects consumer data and provides consumer rights, but it has harsh consequences. If I were running a large organization doing business in Europe, I would not want to be fined a maximum of 20 million euros or 4% of my worldwide turnover for the previous financial year, whichever is the higher. Ouch! For example, a major airline, a hotel chain and an Internet search engine company. They were fined millions of euros for non-compliance.

California is also on board and has been since 2018. Much of the country has followed suit with their own version. Please keep in mind that consumers that fall under the CCPA do not automatically fall under the GDPR, they are separate frameworks.

Businesses may go through a painful change. With change, risk presents itself. Evaluate the risks and take the appropriate actions. How the risk is addressed will affect the overall numbers. The faster businesses adapt to this change and communicate the benefits to their customers, in the long run, businesses will continue to prosper.

What are the most common data security and cybersecurity mistakes you have seen companies make?

Everything that an IT professional does surrounds the CIA Triad (Confidentiality, Integrity, and Availability) to support company goals. From my perspective confidentiality is the most important leg of the triad, keep your secrets a secret! Common mistakes that I have seen are in the management of access control:

  • It is important that companies utilize role-based access control (MAC for the federal gov’t). Assign access to the job role/title, not the individual. This will prevent authorization creep.
  • Blacklisting vs whitelisting. I prefer to whitelist. Only provide the access or tools to employees to perform their job.
  • Weak password policies are an issue. Enforce a complex password policy. For example, \4y2}`BMG_ is complex. Bingo123 is not.
  • Security awareness and training is an ongoing project.
  • The use of external media, such as USB drives and non-approved cloud services.
      • Encrypt USB drives if they are needed.
      • Block non-approved cloud services.
  • Mobile devices are out of control!
      • Assure they are enrolled in a Mobile Device Management solution that aligns with IT security policy.
      • Encrypt all mobile devices.
  • Approved cloud services.
      • Have a cloud access security broker (CASB) in line with the cloud provider. A CASB is utilized to enforce security policy with the cloud provider.
  • Encrypt everything!
  • Secure IoT devices with network isolation and tight security.

Since the COVID19 Pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?

Since the pandemic, there has been an upward trend in privacy errors and incidents. For example, a popular video conferencing platform had vulnerabilities that were exploited, cell phone locations tracked by the government, ransomware attacks, etc.

From the perspective of the attacker, remote connections to a company’s primary network or a cloud service increase the attack surface. The question is, how can we, as IT professionals, reduce the attack surface?

Home networking and computer settings should be secured.

  • Is your firewall enabled?
  • Have you disabled unused services on your home network and computer (UPnP, FTP, etc.)?
  • Do you have reputable antivirus and antimalware applications installed?
      • cnet top 10 AV
  • Are you utilizing a wireless network? If so, WPA2 with AES encryption with a strong passphrase.
  • VPN connection to their corporate network.
  • Only use IT dept approved cloud services.
  • Avoid removable media unless it is encrypted and IT dept approved.

Teleconferencing can present risks. Such platforms have added features and improved security since the pandemic. There are ways to remain secure:

  • If recording a session, rename the recorded file, save the video recording in a secured location.
  • Session settings should be modified where the host only has control, not the attendees.
  • Send the meeting privately to participants. Never advertise on a public forum.
  • Professional background. Do not disclose too much about your personal environment.

Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)

Senior Management Support:

With support from senior management and strong IT security policies, implementing safeguards that align with company objectives will not be an upstream challenge. This will allow the budgets to properly secure your environment and have employee buy-in.

Risk Management Framework (RMF):

It is very important to have a Risk Management Framework. Risk management is an ongoing project that needs to be utilized with network changes (new applications, hardware, BYOD, access control, etc.). NIST SP 800–37 R2, Risk Management Framework for Information Systems and Organizations is a great place to start. Going through the motions will guide the IT department with safeguard implementation. Remember, risks can never be eliminated. Our role is to reduce risk to an acceptable level that is outlined by senior management.

Account protection:

Strong login credentials such as a complex password policy.

  • Utilize password vaults such as 1Password to avoid writing passwords down (under the keyboard, sticky note on the monitor)
  • Multi-factor authentication — another way to prove it is you!
      • Text message/email code in addition to username/password
  • Virtual private networks (VPN)
  • Cloud access. How secure are you?

Security culture is very important. Regularly communicating to the enterprise of cyber-attacks, details of the attacks, how those attacks are threats to the business and ways to reduce that attack surface. Security awareness, training and simulations hold weight. Cybersecurity does not reside in the IT department anymore. It scales out to every department, each employee, and ultimately comes from senior management. I do stress on senior management because their buy-in is crucial. Without their support, cybersecurity will not be a priority until it is too late.

Cloud Environments can present risks. You are now expanding your attack surface, so how will you secure that environment?

  • Look for misconfigurations and privileged accounts.
  • Pay attention to phishing attacks that can potentially hijack an account.
  • Those insider threats!
  • Automate where applicable.

If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? (Think, simple, fast, effective and something everyone can do!)

If I had the power to inspire a movement (maybe one day), I would bring cybersecurity awareness to public education for all states as a requirement for graduation. I would require cybersecurity, with an emphasis on social engineering, to be part of the elementary, middle, and high school curriculum. In addition, cybersecurity would be part of all staff professional development to maintain their teaching license.

How can our readers further follow your work online?

This was very inspiring and informative. Thank you so much for the time you spent with this interview!
