Season 1 Episode 38: National Security Expert Says: “Before Paying for the Complex, Figure Out the Basics”
We had the pleasure of sitting down this week with William Kimble, cofounder of Cyber Defense Technologies (CDT) in Northern Virginia.
William served in Iraq while an active Marine, where he worked as part of a radio reconnaissance team. These days, William and the other members on his team at CDT utilize their experience with the DoD and intelligence communities to safeguard organization and business data systems against attacks.
William started his company in 2010 and focuses much of his time on securing critical systems within government entities. This ranges from state-level governments securing voting machines up to industrial control systems within the DoD and intelligence communities, as well as military functions. His company serves organizations of all sizes, but mainly governments. This encompasses local governments, but also nuclear power plants, water treatment plants, etc.
Many of the machines and systems William’s company works with have needed to be, essentially, retrofitted to be actually secure, because the original systems weren’t built with a network connection in mind, and are therefore open to attack.
Similar to IoT (“Internet of Things”), many industries start out with functionality as the first thought, not security. That is actually looking at it backward, says William.
A good example of this? Doorbell cameras, which are not always designed to be secure enough to keep bad actors from reaching the networks they sit on.
Like Tim says, “The how should come after the what and the why.” As in, what are we trying to accomplish, what are we trying to do? After that’s decided, then comes the how.
What are some of the most significant security threats a typical organization can see?
According to William, it’s the people who work there. There’s a social engineering aspect to security, and many organizations are getting better at securing information leaving the company.
Yet the human element is often the biggest open door for bad actors to gain access to private networks. People are inherently trusting, and that can expose a company in ways it might not anticipate. Phishing attacks are the perfect example of this. Not only have they gotten more sophisticated and more relentless, but unfortunately they’re still working.
Most times, William says, the initial entry into a system is something easy, like phishing via email. But cyber defenses can also be breached through bad or nonexistent patching of network security holes.
Patching a system (often as simple as just updating the software) is something organizations can actually use as a defense against attacks, he says. A lot of the time, in the breaches you see on the news, someone who fell for a phishing campaign let the attack run right through an unpatched system.
What vulnerabilities do you see the most often in your line of work?
“You know what we see in a lot of our industry?” asks William, “and you’ll see this from guys that have been around to do a lot of talks, who have been around for a while. [Companies will spend money on] exploit chaining and vulnerability chaining, and getting complex, and a lot of organizations are spending their time trying to build safeguards in to defeat against the complex attacks. And you know, if you’re a major organization, that’s probably a good – good thing, but you need to start with the basics first.”
“We go into places all the time,” he says, “that aren’t even doing the basics, but they’ve spent millions of dollars trying to stop the complex.”
“You may be a target of the complex hacks, the complex malware variants. But it really depends on what your risk is, what your vulnerability is and how you’ve measured that, but most organizations need to start with the basics before they go into – to protect against that type of stuff.”
Tim says, “You know, a phrase we overuse here maybe some is the whole concept of the low-hanging fruit. And if you’re a bad actor, you’re going to tend to go to the low-hanging fruit first. And that’s going to be the people who’ve overlooked the basics. That’s the low-hanging fruit.
The complex stuff may have a bigger payoff, but it can take a long time to do and depending on what level of bad actor you are, that $20,000 or $100,000 or $50,000 that you might get from low-hanging fruit is a pretty nice payoff for not a lot of work.”
It’s the basic stuff you need to be on the lookout for. As Tim says, “You have to be at least willing to lock your car door and not leave the money bag on the front seat, and then act like we’re shocked when the bag gets stolen.”
What can small businesses do to protect themselves against more common types of data breaches?
“Larger organizations used to be the ones most targeted by the bad guys,” says William. “If you’re a super small organization, you’re not going to be the main target of concern for a bad guy. But, if he’s scanning a file of 2,000 known vulnerabilities, and you pop up with the most, you suddenly become the target. They’re taking swaths of IPs and looking for who is the most vulnerable.”
He continues, “We preach as security people to use a different name and password everywhere, but honestly, the people who might not think that it’s really that important are the ones who are setting themselves up for the best chance at getting hacked.” Many times, bad actors use automation to run lists of stolen credentials against a system, and they push their way in that way.
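The list-driven, automated login pattern William describes has a recognizable shape in authentication logs: one source trying many different accounts in a short window, with an occasional success where a password was reused. The following is an added example (not code from the episode or from CDT) that flags that pattern; the log line format, the sample entries, and the 5-accounts-in-60-seconds threshold are all constructed assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format, constructed for this example: "<ISO ts> ip=<addr> user=<name> result=<success|fail>"
LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(success|fail)$")

# Constructed sample: 203.0.113.7 walks a stolen list, one try per account, and one
# reused password lets it in; 198.51.100.2 is a user mistyping their own password.
SAMPLE_LOG = """\
2024-01-01T10:00:00 ip=203.0.113.7 user=alice result=fail
2024-01-01T10:00:01 ip=203.0.113.7 user=bob result=fail
2024-01-01T10:00:02 ip=203.0.113.7 user=carol result=fail
2024-01-01T10:00:03 ip=203.0.113.7 user=dave result=success
2024-01-01T10:00:04 ip=203.0.113.7 user=erin result=fail
2024-01-01T10:05:00 ip=198.51.100.2 user=alice result=fail
2024-01-01T10:05:30 ip=198.51.100.2 user=alice result=success
"""

def parse(log_text):
    """Return (timestamp, ip, user, result) tuples; lines not in the assumed format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ip, user, result = m.groups()
            events.append((datetime.fromisoformat(ts), ip, user, result))
    return events

def stuffing_sources(events, window=timedelta(seconds=60), min_users=5):
    """Map each source IP that tried >= min_users distinct accounts inside `window`
    to the set of accounts it tried. Distinct usernames, not failure counts, are the
    signal: a list-driven run makes one attempt per account, and some succeed."""
    by_ip = defaultdict(list)
    for ts, ip, user, _ in sorted(events):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):  # sliding window over this IP's attempts
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) >= min_users:
                flagged[ip] = users
                break
    return flagged

def compromised_accounts(events, flagged):
    """Accounts that logged in from a flagged source: reset these first; a second factor would have blocked them."""
    return {user for _, ip, user, result in events if ip in flagged and result == "success"}
```

On the sample, only 203.0.113.7 is flagged and `dave` is the account to reset; the legitimate user retrying their own password is not flagged because a single account never meets the distinct-user threshold.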
William says, “Making sure you’re having two-factor or multifactor authentication on your platform is going to help a lot. Most organizations that are small at this point are going to be using a cloud platform for their business, and most or all of the major providers at this point should have two-factor authentication at this point, and you should be nervous if they don’t!”
Training people, patching systems, and using two-factor authentication are some of the major things a small business can do to protect its data.
Remember, security and convenience are zero-sum: multi-factor authentication may be less convenient, but it is a lot more secure. Proper use of two-factor authentication protects not just a company’s internal data but its customers’ data as well.
What do you think a business should do first when they are attacked by a bad actor?
William says, “Isolate the issue first off.”
Ransomware is a different story, but when it comes to something like phishing, the affected machine can be isolated. That means actually unplugging the device from the wall and turning it off, so the bad actor can’t move laterally across the network.
“Isolation will cut down on the exposure to the rest of the network and possibly infecting other devices and systems. From there, you can look into what has happened and how to stop it going forward.”
For more information:
On Twitter: @CDTLLC or @WilliamJKimble