“Your company’s password policy may be driving bad behaviors”, With Jason Remilard and Sam Humphries



Your company’s password policy may be driving bad behaviors. The 3-month cycle of password change, combined with <1 uppercase letter, 1 lowercase, 1 number, 1 non-alphanumeric character> and a minimum of at least 8 characters that a lot of organizations use actually caused a phenomenon seen by penetration testers and attackers alike. A lot of users were choosing this exact format <Season><year><!>, so Fall2020! as an example. If you just read your password, it’s not just you, but you need to change your password please, right now. Organizations should literally block people from choosing this and ideally implement both a password manager AND two-factor authentication.

As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Sam Humphries, security strategist, Exabeam.

Samantha has 20 years of experience in cyber security, and during this time has held a plethora of roles, one of her favourite titles being Global Threat Response Manager, which definitely sounds more glamorous than it was in reality. She has defined strategy for multiple security products and technologies, helped hundreds of organisations of all shapes, sizes, and geographies recover and learn from cyberattacks, and trained many people on security concepts and solutions.

In her current role on the global product marketing team at Exabeam, she has responsibility for EMEA, Data Lake, compliance, and all things related to cloud.

Samantha authors articles for various security publications, and is a regular speaker and volunteer at industry events, including BSides, IPExpo, CyberSecurityX, The Diana Initiative, and Blue Team Village (DEFCON).

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

When I was four years old, my mum bought into the idea of computers, as she was working at a very hi-tech floppy disk copying company. So one day a ZX Spectrum arrived at home, followed a year later by a BBC Master. However, for as long as I can remember, I loved writing, which spawned an ambition to be a journalist, specifically, a war correspondent. I went to school in West London until I was 11, before moving to a little town in North Yorkshire where there wasn’t very much going on and everyone knew each other’s business. I craved more excitement and missed the city life, so by the time I was 18, I was back in West London.

Whilst trying to fund college, I got a job at a business travel agency, where I may have been a tad liberal with the truth about my knowledge of the booking system they were using. I’d panicked when they asked me which one I’d used previously and said the wrong one. I got the job, and learned how to use the aforementioned booking system on my first day, through reading the help section in the software. I’m not at all advocating lying in a job interview, but there’s definitely a lot to be said for reading the manual.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

For me, it has been more about important experiences than a story. I always had a computer at home and constantly tinkered with it to improve my skills. I credit my mom with this passion, as she decided when I was so young that computing knowledge might be valuable in the future.

A few years into working in business travel, I was the consultant for Network Associates. I learned about what they did, and landed a reception role there that proved to be a foot in the door for my cybersecurity career. After that, I moved up the ranks, including a role in sales focused on encryption products and firewalls in a market that didn’t know it needed them. Next, I moved to work in technical support, which marked the beginning of my technical career that spanned incident response product management, then product marketing and security strategy.

Can you share the most interesting story that happened to you since you began this fascinating career?

The toughest, most exciting experience was working as part of the incident response team dealing with the ARAMCO breach in 2012. I remember exactly where I was when the phone call came in. I had to run into the office and worked on it for weeks — it was an exciting experience despite being the most catastrophic thing I’ve worked on from a business impact standpoint.

None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?

Raj Samani — he is super awesome. We worked together at McAfee, where he offered to mentor me. He is such an inspiration, not just because he decided what his career was going to be, went out and built such a body of knowledge and experience that he now advises Interpol, amongst other things, but because he took time with me to understand my niche and help me decide what I wanted to do. Among the many things he taught me, one of the most important is that the benefit of giving back to others in your industry is huge.

Are you working on any exciting new projects now? How do you think that will help people?

One I’m working on at the moment is helping security practitioners to reach goals of being more proactive in their organizations. A lot of security is reactive, and they never have time to think proactively and do the work they want to do. If they are doing work they don’t get credit for, in short, it should be automated. This is not only good on an individual level for practitioners, but good for organizations because they’ll have smart people being more creative and proactively protecting their systems, rather than waiting for something to go wrong.

What advice would you give to your colleagues to help them to thrive and not “burn out”?

It’s hard. We do this job because we enjoy it, and we don’t switch off. But, the obvious things remain important. Self care is vital — something as simple as nutrition can make a big difference to wellbeing, even ahead of other popular activities such as yoga/meditation. Also, taking time off is critical, so beware of a culture where it’s the norm to work or be available all the time — it’s not good for the employer or for you.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?

  1. It’s always changing. New research, from both the white and black hat perspectives, along with innovative technology, present opportunities to find security holes and make the technology industry better.
  2. The hacker community is fascinating because they spend hours upon hours researching and working with device manufacturers and major enterprises to identify flaws and prevent major breaches.
  3. The collaboration between vendors, researchers and government is impressive compared to other industries — individuals from all walks of life come together to protect the world’s data.

Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?

In today’s distributed environments, where there is always pressure to get businesses, branches or teams up and running quickly, we’ll see breaches utilizing flaws and errors that weren’t addressed when infrastructure and services originally went live. If security didn’t have a full chance to review it because of earlier urgency, retrospective action should be considered. That is perhaps my biggest worry at the moment. Mistakes and risky choices are inevitable, but they shouldn’t be left to become serious vulnerabilities.

Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?

Yes, many. Perhaps the most harrowing was working on a particularly serious virus outbreak at a group of five hospitals. Sometimes you’re almost disconnected from what you do — you think: it’s just computers — but that made it very human. The impact was so serious that they couldn’t do a lot of critical life or death tasks, and were on the verge of moving people out of intensive care. We got them back on their feet, but it was touch and go for a while. While many organizations have plans in place for some form of disaster response, it’s vital to test them regularly to make sure processes and business continuity work even in dire situations like that.

What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?

There are really good reporting tools focused on what’s happening around the world — Shodan.io and Censys are great resources for understanding what the internet landscape looks like and what the risks are.

My current favorite tidbit to share with non-security people is https everywhere, which is a browser plugin from the EFF that helps reduce the risk of visiting and transacting with unencrypted websites.

Password management is really valuable too and helps you use complex passwords across different websites without losing or forgetting your logins.

How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?

I don’t believe any organization can use OTC software anymore. Yes, they need AV and firewall, but contemporary cybersecurity requires so much more. There are plenty of MSPs and MDR providers who can do most of that for you, but if you’re at the point you don’t have the budget to do that, there needs to be a conversation.

Compliance is another huge issue. Organizations owe it to their customers and employees to secure their data, which should include visibility to understand the data and implement controls to protect it. Lack of visibility isn’t an excuse. There are enough services out there to take some of that pain from you, but no matter what, you need that knowledge of your data and activity. Smaller companies likely don’t need a CISO, but they can get a virtual CISO who can advise them a few times a month. This will help them keep up with the latest security innovations and threats.

As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?

There is a huge variety of potential issues, but among those to keep a regular eye on is system resource drain, which can be an indication that someone may be cryptomining on your service. Pop ups are another really good indicator that something might be amiss, while redirection could also be a sign. Ransomware will be obvious…your screen will have a message on it telling you that you have been attacked. The list goes on, and it’s worth educating everyone on the team to be aware of the most common threats and indicators of potential trouble.

After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?

Ideally, businesses will quickly be able to understand the end to end timeline of what happened. It’s vital to get a picture of how an attacker got in, which machines and data they touched, etc. I’ve worked on more root cause analyses with organizations than I like to think about, and unfortunately, all too often, details are sketchy. If you don’t understand the full picture, you can’t do something to prevent something similar happening. This is particularly important, as it’s not uncommon for an attacker to try and get back in at a later date, resulting in companies being hit multiple times.

How have recent privacy measures like The California Consumer Privacy Act (CCPA), CPRA, GDPR and other related laws affected your business? How do you think they might affect business in general?

Though these regulations may be pain points for many organizations, I’m glad they’re in place because they’re raising awareness of and action toward data privacy. But I understand compliance can be tough to understand, and even tougher to fully implement.

In a business context, the CCPA and GDPR lay out administrative rules that must be followed to ensure compliance. Relevant companies must ensure they’re offering customers and staff information on what data is being collected, options around which personal details are being gathered, the right to say no and opt out of data collection, the right to request deletion of their information and equal pricing despite their privacy selections.

With so many remote, it is a good time to update privacy policies and notices, check on the company’s consumer-rights protocols and data-gathering processes/inventories, as well as ensure the right cybersecurity measures are in place. Compliance officers will also need to be more assertive and proactive about their check-ins to ensure all departments involved in contact tracing follow these guidelines.

What are the most common data security and cybersecurity mistakes you have seen companies make?

Organizations thinking it won’t happen to them, that it’s someone else’s problem, or it’s only big companies that get hit is perhaps the most worrying pattern of behavior.

Similarly, failing to apply least privilege and giving too many rights to users for tools/systems is a serious failing in many businesses. Access control must be in place.

Since the COVID19 Pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?

Yes, without doubt. People let their guard down, and the combination of using their own devices and the distractions of home environments enabled cybercriminals to move quickly and exploit the situation. For the larger businesses, it’s harder for leaders to talk to their security team while they are at home, but their visibility can be vital to a quick and effective decision-making process. All businesses should ensure ecosystem visibility and have a rapid communication process in place for if anything goes wrong — and test it before it’s actually needed.

Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)

  1. Visibility is still the hardest to accomplish today — but it’s the most important part of security. If you can’t see something, you can’t protect it, and you cannot calculate the risk it generates in your environment. Incalculable risk is infinite risk. There has been a wealth of breaches that have occurred because IT security teams didn’t know about an asset.
  2. Understanding your threat model is key to everything that you do around security. If you don’t know who or what you are protecting your environment from, you are likely not making the best choices on how to protect it.
  3. Your company’s password policy may be driving bad behaviors. The 3-month cycle of password change, combined with <1 uppercase letter, 1 lowercase, 1 number, 1 non-alphanumeric character> and a minimum of at least 8 characters that a lot of organizations use actually caused a phenomenon seen by penetration testers and attackers alike. A lot of users were choosing this exact format <Season><year><!>, so Fall2020! as an example. If you just read your password, it’s not just you, but you need to change your password please, right now. Organizations should literally block people from choosing this and ideally implement both a password manager AND two-factor authentication.
  4. Please please please practice the principle of least privilege — whether you’re setting up user access or coding new applications. “Need-to-know-basis” has been around as a concept for a long time, and it works. It will make things harder for attackers when they get into your environment.
  5. Security awareness training should be interesting for your users and a positive experience utilizing different mediums. If you’re rolling out the same old computer-based training every year and not seeing improvements then you’ve literally become Einstein’s definition of madness. Think short, fun videos, lunch and learns, tips and tricks of the week, rewarding people who consistently do well at phishing simulation tests — and most of all get creative!
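A policy check for the pattern described in point 3, as an added example that is not from the interview or from Exabeam: the function names `meets_naive_complexity`, `is_season_year_pattern` and `check_password` are assumed, and the check generalizes the Fall2020! case to any season word, a two- or four-digit year, and any trailing symbols.

```python
import re
from typing import Tuple

# Constructed example: a password-policy check that blocks the predictable
# <Season><year><!> pattern even though it satisfies the usual complexity rule.

SEASONS = ("spring", "summer", "autumn", "fall", "winter")

# Season word, then a 2- or 4-digit year, then any run of non-alphanumerics
# (the "!" in Fall2020!). Matched case-insensitively so "FALL2020!" is caught too.
SEASON_YEAR_RE = re.compile(
    r"^(?:" + "|".join(SEASONS) + r")(?:19|20)?\d{2}[^a-z0-9]*$",
    re.IGNORECASE,
)


def meets_naive_complexity(password: str) -> bool:
    """The 8-char / upper / lower / digit / symbol rule the interview describes."""
    return (
        len(password) >= 8
        and re.search(r"[A-Z]", password) is not None
        and re.search(r"[a-z]", password) is not None
        and re.search(r"\d", password) is not None
        and re.search(r"[^A-Za-z0-9]", password) is not None
    )


def is_season_year_pattern(password: str) -> bool:
    """True when the whole password is just season + year + trailing symbols."""
    return SEASON_YEAR_RE.match(password) is not None


def check_password(password: str) -> Tuple[bool, str]:
    """Apply the complexity rule, then block the season+year pattern.

    Returns (accepted, reason) so a sign-up form can explain the rejection.
    """
    if not meets_naive_complexity(password):
        return False, "fails complexity rule"
    if is_season_year_pattern(password):
        return False, "predictable season+year pattern"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs: the interview's example plus a few variants.
    for pw in ("Fall2020!", "Winter21#", "Summer2019", "correct horse Battery 9!"):
        print(pw, check_password(pw))
```

Note that "Fall2020!" passes the complexity rule and is rejected only by the pattern check, which is the point the interview makes about complexity rules alone.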

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)

Whilst this won’t solve world peace, nor fix all the security issues on the planet I’d like everyone reading this to go and install the https everywhere browser plugin today. You can find the right version here: https://www.eff.org/https-everywhere — and then share it on all your social media accounts; tell your friends, neighbours, and family. It will help you and them be more secure when online.

I would also like to shout out a nonprofit I work with. It’s a microfinance lending initiative called Lend With Care, lendwithcare.org, and their mission is to “help people in low income countries work their way out of poverty with dignity.” If you have time, I’d appreciate you checking it out, spreading the word, and possibly donating!

How can our readers further follow your work online?

I’m very active on Twitter (@safesecs), although I’m not always talking about cybersecurity, and hands up, am not always 100% safe for work. For a more professional / safe for work experience, I blog pretty regularly for Exabeam here: https://www.exabeam.com/author/sam-humphries/. I’m also always happy to connect with folks on LinkedIn: https://www.linkedin.com/in/safesecs/.
