Ep. 3 – Building Business Continuity & Resilience
Steve Rivera, CRO @ Logically
Max Alexander, VP @ JPMorgan Chase
October 30, 2023 | 53 mins
Business continuity and cyber resilience are terms many professionals know. But they don’t always understand what it takes for an organization to be resilient and maintain continuity. This week, Logically CRO Steve Rivera and JPMorgan Chase VP Max Alexander touch on threat actor TTPs hitting small and mid-size businesses, the recovery process after an attack, and everything in between.
Listen wherever you podcast and share with your networks.
Key Takeaways from the Episode
- Discover common tactics, techniques, and procedures used by big-name threat actors.
- Learn how to empower employees to make the best secure decisions to avoid unintentional insider threats.
- Understand why having an incident response and recovery plan in place (before an attack!) could save your company millions.
Building Business Continuity & Resilience with Max Alexander at JPMorgan Chase – Episode Transcript
Welcome to Logically Speaking, where we discuss the latest trends and challenges in cybersecurity with top experts in the field. Today, you’re going to learn how to keep your data safe, how to keep your operations sound, and how to keep your business ready for whatever comes next.
STEVE RIVERA
Today we have the incredible pleasure of being able to speak to Max Alexander. Max is currently Vice President of Cyber and Technology Emerging Threats Research at JPMorgan Chase, where he’s responsible for educating the firm and its clients on best practices when it comes to mitigating cyber threats and attacks.
Prior to joining the firm in 2019, Max was the lead of the Digital Forensics and Insider Threats team at the Pentagon. He’s also a director and a professor of digital forensics at the University of Maryland Global Campus, where he trains and mentors the future forensic investigators. And I’m very excited to talk to Max today. Max, I’ve got to be honest, when I read all of the degrees you have, I was a little intimidated.
MAX ALEXANDER
I wouldn’t even go into that. We can talk about that later. I have, I would say, a mental illness where I’m addicted to going to college. It could be a good or a bad thing. So I do consider myself a lifelong learner.
STEVE RIVERA
That’s fantastic. I mean, I was going to ask you, should I call you Dr. Alexander?
MAX ALEXANDER
No, my name is Max. Just call me Max. That’s fine.
STEVE RIVERA
So Max, you know, to start things off, if you could just share how you got into cybersecurity and a little bit more about your experience, more from like, you know, from a tactical sense, like how did you get into cyber? Was it something you were always interested in or did you kind of just stumble into it?
MAX ALEXANDER
Well, from a tactical sense, it was very tactical. And yes, I did. I stumbled into it. So you know, we’ll start back pre-9/11. Obviously, I was in the military, if you can’t tell by the haircut. It still has, it’s still a part of me. Yeah. So I joined the military before 9/11. I actually joined the National Guard, kind of like most people who join the National Guard. You should see the commercials on TV of, you know, join the Guard, serve your country, but it also pays for college. And you know, my family, we weren’t poor, but we weren’t rich either. We grew up in Kentucky and I went, okay, well, this makes sense. I’ve got to find a way to pay for college. I joined the National Guard. A lot of my close friends had joined the Guard. So I also kind of wanted to do something hard. So I’m like, well, let me enlist in the Kentucky National Guard, 20th Special Forces Group. So yeah, I did that. Went through all of the training and then 9/11 happened and I found myself overseas right at the beginning of the Afghan invasion. And you know, I was young then. I had just graduated high school, finished training for about a year and a half. I was a little over 21, 22 years old at the kickoff of the war. And what we were doing in the war was obviously we were going and finding a lot of Taliban and terrorist-related individuals. And we were getting a lot of digital media, computers and cell phones and things of that nature. And we were collecting those things up and then they kind of turned to me and were like, well, you’re the youngest person on the team. You should know all there is to know about digital devices and cell phones and computers. And I’m like, I’m from Kentucky. I don’t own a cell phone.
And I just, you know, I think I had just gotten a home computer when we left, you know, early 2000s. Like, I don’t know anything about this. So I learned when I was overseas. I actually was fortunate enough, I had linked up with some folks over at the National Security Agency, kind of a trial by fire at that time. When I got back, I’m like, well, you need to, you know, we’re going to keep doing this for the foreseeable future. You’ve got to train me on what it is you want me to do. So I had convinced them to send me to a lot of schools and, you know, some of those were colleges and universities, but some of it was like the Defense Cybercrime Training Center. I got to do a lot of training there and was probably one of the first forensic investigators in the DOD. So it was a really cool experience. So I am the accidental cyber person. It was not purposeful. It was not something like, yes, let’s go into cyber. So kind of, kind of a long story there.
STEVE RIVERA
That’s interesting, you know, that you would be viewed as the young person who’s tech savvy. So you had to know this stuff. That’s interesting. So I want to talk a little bit about your forensic investigating background. You’re in financial services now. Right. Traditionally, and I’ve been in cyber for 25 years and I’ve seen that traditionally financial services tends to be a leader in security since, you know, the times of, you know, the wild, wild west. They knew how to protect their assets. And so that’s, to me, it’s always been like that mindset that financial services is a leader. So in your experience, are there industries that need to invest further in cybersecurity? In other words, what industries outside of your own do you see need additional investment in cybersecurity?
MAX ALEXANDER
And investment, you know, that’s kind of an interesting word because we can invest in a lot of things. We can invest in people, process and technology. So what industries need more investment? Well, all of them. What industries need the most or more investment out of things that we’ve seen? You can read the news. Everybody reads the news.
So I talk to a lot of folks around the globe every day. And that’s kind of one of the questions that I get is, you know, how much money should I be investing? Where should I invest? What should I invest in? And I’ll caveat this whole thing and kind of one of my sayings if you ever heard me talk is that you can build your castle’s walls out of gold. It does not necessarily make it more secure. It just makes it more expensive.
When we talk about investing in things, okay, we have to do it smartly and all of the investments that we should make tend to go should go back to risk. Every organization should have some type of risk assessment. They should identify what they’re vulnerable to, what risk they might have, what threat actors may be posed against them. And then let’s start looking at the controls that we already have in place. And if the controls aren’t mitigating those risks down to that acceptable level, then okay, maybe we need to invest more in certain areas. Most people, most organizations don’t know what risk they face.
They don’t have a good risk assessment. So when they go about doing a lot of this, they do it blindly and they’re like, well, let me just go buy the latest and greatest. And not to say that the latest and greatest thing isn’t useful. You just have to figure out where this latest and greatest thing fits in. But to more specifically answer your question, what industry should we invest in or what industry should look at this more specifically? Well, I’ll say critical infrastructure, and that’s a very broad and nebulous term because when we look at critical infrastructure across the spectrum of the US, there are 16 critical infrastructure sectors, 80, 90% of it’s owned by private industry, and pretty much everything under the sun is critical infrastructure when you look at the definitions.
So to be even more specific to that, when I think of critical infrastructure, I’m thinking of, well, the things that make us function and live as a society, the energy, the electricity, the water, those things, the life health safety things. And oftentimes we see a lot of those things being hacked or hit. I was just reading the news the other day. We saw China might be targeting power companies around military bases. And historically, a lot of these critical infrastructure or electrical power sectors have been underfunded. A lot of these could be government owned, government partnerships, and a lot of the infrastructure they’re using is old. And to completely revamp a lot of that is a major, major investment, a major undertaking. And oftentimes too, we often see these critical infrastructure things hooked up to the open internet. There are actually search engines, Shodan. You can start Googling critical infrastructure appliances that may be out there and then start searching for vulnerabilities. So I would say if I were any organization, particularly in that sector, I would definitely look at maybe investing more, trying to figure out how to modernize, how to maybe better secure our infrastructure.
STEVE RIVERA
Yeah. And it’s a key point, right? Critical infrastructure tends to be the one using the legacy systems, the set-it-and-forget-it mindset for years and years and years. My teams have found servers that haven’t been rebooted in years or patched because they’re just afraid that if they bring those systems down, they won’t come back up.
So you bring a really good point. Can you speak to a little bit about the, when an organization, a company gets breached, the impact typically is viewed as downtime and then on a cursory level, maybe reputational damage. But can you speak some of the unknown impacts of these breaches that are happening and maybe educate some of our listeners that they don’t have to be a financial institution to have some of these countermeasures and as you mentioned, which is a great practice, identifying and quantifying the risk with an assessment so that you can then make sure that you’re appropriating the right amount of budget and funds in the areas that are going to have the best amount of impact to reducing that risk. But can you speak to the unknown impacts of being breached?
MAX ALEXANDER
Yeah. And I think those unknown impacts too, when it goes back to identifying things and looking at what might affect your organization, it’s a good marketing tool for cyber insurance because oftentimes with risk, we can accept it, we can mitigate it, we can ignore it, we can transfer it. Oftentimes we see a lot of companies, we’re going to transfer that risk to cyber insurers, but we’ve seen the cost of cyber insurance, it just skyrockets and it is because a lot of these unknown risks that organizations face. So obviously when we’re hit with any type of cyber attack, we’re down. I think the average time an organization is down from a ransomware attack is about seven to nine business days. And keep in mind that that’s an average. So that if you’re doing really good and you have your Doc Ops, you tested them, you might be down for a matter of minutes, hours. We see worst case scenarios, it could be a period of months.
So obviously downtime is probably your number one threat. But then there are also some residuals in that. Well, if an organization gets hit and they go down and they’re down for a period of weeks, well maybe I need to go find a new organization to do business with. So now I’m going to maybe lose some customers I have to competitors because they haven’t had a cyber attack or it’s just easier for my customers to go to a business that’s open. So there is some reputational damage there as well as a loss of customer base. In addition to that, intellectual property. So if I’m working on something, a lot of these ransomware attacks, they’re not just ransoming my data. They’re now taking it and holding it hostage, starting to put it on the dark web. If I’m Kentucky Fried Chicken (KFC) and I’ve got the secret to the 11 herbs and spices, and that’s what makes my business my business and someone goes and steals that, well then that could really put me in a jam. And now we see some other fried chicken restaurant come up and undercut me and maybe they have 12 herbs and spices now because they’re better, they know my secret. So we oftentimes see risk of that, particularly during COVID.
We actually saw a lot of attacks against healthcare entities that were investigating the COVID vaccine. And I think we saw a particular nation state try and create their own COVID vaccine based on some of the data that was stolen. So a lot of these are very much like an iceberg. I think there was some company out there that made an iceberg graphic of the known knowns, and then the unknown unknowns were actually deep down below the surface and vastly outnumbered the known knowns. So when looking at trying to protect your business, it’s those things under the wave tops that really could hem you up and bite you. Plus the cost of data breach notification, legal, all of those things come into play. And now we’re having to buy a lot of services for our clients and customers because their data was exposed, and we could be exposed to lawsuits. So we have to figure that out with outside counsel.
We now have to start paying for those things. So a lot of expenses that organizations don’t necessarily think of.
STEVE RIVERA
No, those are really great points. You mentioned cyber insurance and I had a couple questions around that that I wanted to touch on because I think that’s an interesting topic. I’ve spoken to some clients recently that have told me that their cyber insurance premiums are going up. I mean, you mentioned it. It’s exponentially two, three, four times the amount. I’m also finding that the cyber insurers are mandating just some baseline, especially with some of our listeners in that mid market mandating certain countermeasures like multifactor, some type of endpoint protection and ongoing monitoring and retention of logs, incident response and disaster recovery plans. These are things that if you had the ability to nail it down to two or three things that you think would allow the listeners to keep their premiums, what would those things be?
MAX ALEXANDER
I think Microsoft did a study a couple of years ago and they said if organizations implemented multifactor authentication, it would reduce cyber attacks by, I think, somewhere around the 90% range. I don’t know what they looked at or how they came up with that calculation, but what we tend to look at is that hackers, they’re getting passwords. I just read a study the other day that talked about critical infrastructure attacks. Hackers were essentially using legitimate credentials, I think, in over 75% of the attacks. One, knowing that your users are under attack, implementing that multifactor authentication, using strong multifactor authentication, something like the tokens instead of something like an SMS text password. The tokens are much stronger than obviously the text because your phone can be faked, forged, spoofed. That would be number one, but then also user monitoring. So if I know certain things about my users, they only log in maybe between the hours of nine to five. They log in from specific IP addresses. Having that monitoring capability, particularly on your administrators, and looking for deviations from the norm would probably pay dividends in a lot of the attacks that we’re seeing. Of course, any type of monitoring that you’re doing. Having logs, knowing what to collect, when to collect it. I think one of their sayings is, to find evil, you have to know normal. Yeah, that’s absolutely true. You have to know what right looks like, or you’re never going to find wrong. So that’s all part of a good cybersecurity program.
STEVE RIVERA
Perfect. No, great, great, great points there, Max. Thank you. I want to shift a little bit and talk a little bit more about threat actor tactics, techniques, procedures, TTPs that your team is seeing from threat actors. Not specifics, but what are you seeing from the threat actors and their TTPs and how has it changed over time?
MAX ALEXANDER
Yeah, and I’ll speak from a perspective of a lot of the research I do just in the private world from an educational institute perspective. A lot of what I’m seeing in that regard is that there is a war going on right now between Russia and Ukraine. And we’re actually seeing a lot of the tactics and techniques that are used in that wartime environment being now operationalized and used in a civilian context, or the lines are being blurred now. There is not really a difference between what we’re seeing in the war. Sometimes kind of commingled together. But we go back and I guess maybe at the start of the pandemic, we saw the rise of ransomware. And initially the ransomware tactics and techniques were, well, let’s just go in and hold the data hostage. And early on during the pandemic, we saw a lot of organizations for the first time have to exercise some resiliency in that my employees are no longer in the building. But in order to do that, a lot of them just had to go out and buy stuff overnight, virtual private networks, remote desktop protocols. And they stood them up almost immediately, did not test them, did not implement security. And the initial TTP was, well, let’s go after VPNs, let’s go after RDP connections. And we saw that that was the number one cause of ransomware attacks in organizations at the early stages of the pandemic. Since then, the price of Bitcoin has fallen from 60,000, I think it’s like 30,000 right now. We’ve seen a lot of folks no longer making these huge massive ransom payments. I think the biggest one I saw during the height of it was like $70 million. $50 million was, I think, an average ransomware payment just a couple of years ago. Now we’re seeing quite lower ransomware payments. And it’s more of the mindset of let’s just go out and get everyone.
And I think now what we’ve seen too is that Log4j, going back a couple of years, that was a big vulnerability that was exploited heavily. I think OWASP rated that as their number one, number two vulnerability for a while. And the patches have been out for that for at least a couple of years now. People still don’t patch for Log4j. But now we have something even worse. We’ve seen the threat actors now kind of pivot to this MOVEit vulnerability. And we’ve seen government organizations, private sectors, I think there are like 500 private sector entities now that have been hit with this MOVEit vulnerability. Some people still don’t know about it. Some people are just now looking to fix this. And this has been out since the 25th of May.
But to circle back, I mean, to completely answer your question. I think as a cyber person, you know, for the last decade, I’ve educated folks, hey, you need to really do a good job of taking care of your own organization, implementing those controls that we talked about earlier. Where cyber folks maybe have fallen down over the last couple of years is that we’ve maybe neglected to say, oh, and by the way, you have to look at your third parties, because third parties are now big sources of vulnerability. And to circle back to how this relates to the Russia-Ukraine crisis, when we go back to the first time, how Russia invaded the Crimea region in 2016. One of the things that we saw the threat actors do in that particular case was they said, well, let’s do a study of that country. And let’s figure out some software that is kind of ubiquitous throughout Ukraine. And they actually found something called M.E.Doc. It’s a financial accounting software, pretty much everybody uses it. I think it’s almost mandated by the government that everyone had to use M.E.Doc to report finances and taxes. Well, Russia said, let’s hack into that and all of the updates that M.E.Doc is providing to its clients and customers. Well, let’s put some malware in that. And let’s start shutting down these critical infrastructure sectors like we talked about earlier, the power, the banks, all of that stuff. And we saw that that is exactly what happened. And that has been a TTP, I think, we’ve seen since 2016. And there have been a number of attacks in that regard. I think SolarWinds is exactly how they used SolarWinds. But even before that, there was a company that makes clean-up-your-desktop software; it used to be known as Crap Cleaner, it’s called CCleaner.
Now, the same thing happened to that when they hacked into it: all of the updates it was providing to its clients and customers were essentially laced with malware. So the third party aspect, the threat actors now using those and leveraging those third parties to get into your organization. I think that’s an evolving technique that we have seen in that regard. And then just in the ransomware space, again, that has evolved where they’re just not content with taking and holding your data hostage. We’re actually seeing these folks now use more of an extortion technique. We’re going to take your proprietary data or your personal health information, your PII, and we’re going to hold that hostage and threaten to release that on the dark web if you don’t make some type of payment. So I think the attacks have evolved in that regard.
STEVE RIVERA
Yeah, I know you brought up the interesting thing about ransom payments. I’m interested in your opinion on whether or not collectively there would ever be a movement where organizations will stop paying the ransom and take other measures to recoup and to recover from a ransomware attack and stop kind of that money train that seems to be going. Because the more the industry pays, the hackers will continue. It’s a money game for them. But do you ever see that coming to fruition where we band together and say, no more payments, we’re just going to recover in another way? Or will this always be kind of where we stand and continue to pay these ransoms that will continue to impact industries?
MAX ALEXANDER
Yeah, I think for the most part, we still don’t see a large group of organizations making ransom payments. But the quantity of them is so heavy and vast right now. Even the 30, almost 40% that are paying, that does add up. So it is a very lucrative business. As far as being able to recover, I think we’ve preached for a long time that you have to have good backups of your system. You have to have a business continuity plan. You have to have a disaster recovery plan. You have to test those and make sure they work. I’ve spoken to a lot of organizations that have been hit and they’re like, oh, yeah, we have backups or we have a backup. And then I’ll talk to them three or four months later and they’re like, oh, gosh, we’ve been hit with ransomware. We don’t know what we’re going to do. I thought you had backups. Oh, yeah, well, we’ve never tested it, or the backup didn’t work, or the backup was only to a certain point in time and the ransomware was already there when we backed up the data. So we just restore it and we’re restoring back to ransomware. So I think not just having a plan is good, but testing that plan. You have to put it into some type of tabletop testing. You have to put in some type of actual, no crap, I’m going to make sure the backups work, and we’re going to test this maybe over a long weekend to see if this actually happens. So I think, yeah, that’s definitely needed.
There’s an old military expression, two is one and one is none. So one backup is probably good, but 500 backups are better. If you really want to be resilient, that may be overkill. But you definitely have to know when the threat actor got in your system and be able to restore to a known good point before that. So having these multiple iterations of backups is definitely going to help your organization when the time comes. And then knowing that your teams can restore from those backups when needed gives you the power to not have to negotiate with these ransomware takers. So just encrypting your data, using these basic cybersecurity protective measures, encrypt data at rest, encrypt data in transit, that would be very beneficial as well.
STEVE RIVERA
Yeah, I wanted to, those are great points. Thanks for sharing. I love that mindset of two is good, one is none. I wrote that down. I’m going to reuse that, maybe even put it on a t-shirt. But one of the things that I wanted to talk about was third party. You mentioned third party vulnerabilities or risks and that seems to be the threat vector that most people overlook in the mid-market. They think about shoring up their defenses, but they don’t think about the weakest link in their security as that vendor that they’ve given VPN access or remote access to support some kind of software or application or system in their environment. How have you seen companies do a good job of handling that third party risk?
MAX ALEXANDER
Yeah, so for ages and ages, organizations have had third party oversight. So when you get ready to do business with somebody, you bring in a team of folks, maybe somebody from cyber, somebody from legal, somebody from pretty much every department who’s going to have a say in this, and you go over the contract, the service level agreements that you’re going to have, what you expect that company to do for you. You may ask them certain cyber questions, and then you sign a contract and then you largely forget about that until something bad happens. And that’s where, with more successful organizations, we see that, okay, we’re not going to let this thing just kind of die on the vine or just wait for the relationship to deteriorate or for them to screw up. We have to at least annually go back and review: is this contract doing what we’ve asked it to do? Are they adhering to the terms of the contract? Have we conducted an exercise, a drill with them in the case of something bad occurring, and asked those questions? When vulnerabilities come out like Log4j or this MOVEit vulnerability, have we asked the vendor, what have you done to patch this? Also, do we know what data we’re sharing with them? So in the event that we think that there may be a compromise, do we know what information we’ve shared that could potentially be at risk? So it’s a whole-of-organization aspect, but it has to be something that’s continuous and ongoing. It can’t just be, well, let’s do it one and done and then wait and hope for the best.
STEVE RIVERA
No, it’s a really great point because last week I was with a customer in Georgia and specifically this came up, which was, have you put into practice your business continuity plan? Have you tested it? Have you gotten everybody in the room, tossed a scenario at them? Have you assessed on an annual basis your third parties? And the CISO looked at me and he was like, no, we don’t even know where to start. And that’s not a small organization. That’s a fairly large one, several thousand employees, hundreds of millions of dollars in revenue at risk. And I think about that and I think that the point you made, which is really, really good, is that annual attestation is super important, but then also practicing the business continuity, the incident response.
You mentioned previously about having those contacts with law enforcement or legal counsel, forensic investigators, those things, those relationships should never start when a ransomware has actually happened. It should be established. You should have practiced it. You should have that muscle memory. So really, really great points. I really appreciate that.
I’d like to shift a little bit toward the insider threat and maybe share a little bit about your thoughts on how companies can protect against the insider threat. You mentioned intellectual property. That seems to be the number one asset that gets compromised from the insider. But maybe you can share a little bit about that and maybe some of your thoughts on how to mitigate that risk of that insider threat.
MAX ALEXANDER
And it’s uncomfortable for a lot of organizations to talk about because we don’t like to think that somebody that we work with is potentially going to be that person that takes our organization down, that steals our data from us. And then looking at my government experience, from my government background, I mean, catching spies, the Robert Hanssens, the Edward Snowdens of the organizations, they were trusted with access to certain data. And then they essentially betrayed that trust. Rightfully or wrongly, it’s a political thing for some folks to look at. I don’t want to delve into that. But organizationally, you do have to look at, OK, well, we’ve entrusted people with some very high levels of access. And then they kind of walk away with that data, put that data out there, and we didn’t want that. Those are the intentional insider threats.
And those are the things that everybody probably thinks about when we hear the term insider threat. There’s also the unintentional insider threat, which is pretty much everybody in the organization who might do something stupid on the computer, and IT folks, I think, were probably some of the worst offenders at doing stupid things, but just anybody who gets a phishing email. That’s still a large portion of the cyber attacks that are out there. And it only takes one. And if your staff isn’t trained on recognizing the latest and greatest phishing attacks, which, as we talk about things that are evolving, we now see blended attacks where you’re getting emails that are directing you to pick up the phone and call the hackers, and talking to a person on the phone, they’re again letting that guard down a little bit more.
You might start divulging things that you necessarily wouldn’t. So the unintentional insider can be just as dangerous as that intentional insider. We have to go back and, again, we have to look at certain policies. What controls can I put in place? What policy controls can I put in place to maybe stave off some of this? So it could be maybe you’re not going to bring thumb drives or removable media into the building. My technical control might be that I’m going to monitor for the use of thumb drives. Then I might have a disciplinary program attached around that. And even for our unintentional insiders, we do now see a lot of folks using these third party services to conduct phishing attacks on their organizations.
Kevin Mitnick, great guy. Just lost him a couple weeks ago. He had a great company out there that was doing these phishing attacks. We see a lot of use and a lot of value in that. We’re training your organizations. A lot of the folks I talk to now, they’re kind of paranoid. Like, oh gosh, is this going to be a phishing test that my IT team is doing? And yeah, I’m glad to see people are now a little scared about that. We do see some disciplinary programs coming up through a lot of organizations. Maybe the first time that you click on a phishing email and it’s one of these tests that are coming from one of these third party companies that you’re seeing a little education, training and support coming your way. Like, okay, hey, you failed the phishing test. Let’s educate you.
Maybe the second time you do it, your manager provides you some education, training and support. Maybe the third or fourth time you do this, it may or may not be a resume-generating event, but HR gets involved in figuring out, hey, why do you keep clicking these phishing emails? Are you doing this on purpose or are you just not taking to the training? What’s going on? But again, there has to be, with all of the controls put in place, the policy, the technical, we have to be able to monitor and have some type of metric. I think Jack Welch said something like, if you can’t measure it, you can’t manage it. I know in the business world that may cause some consternation with some folks, but I think in the IT world it’s definitely good. With a science background, I want to have some measurements on what my network and my employees are doing. So if I start out doing my phishing test and we’ve got a 50, 70% click rate and now I’ve got my folks trained in paranoia and we’re down in the single digits, I think, you know, it’s not perfect, but I’m doing better and we’re not having as many attacks. Then I can focus maybe some more of my effort on triaging some of these phishing things that might get through, and it just allows me to better focus my efforts. Probably a longer answer than you wanted.
STEVE RIVERA
No, no, you gave some great topics here like, you know, the policy and the controls are super important. I think the education is key as well. But one of the things that I’ve seen is creating this culture where questioning is okay. What I mean by that is we’ve gotten, you know, we’ve seen internally an increase in kind of these SMS phishing, you know, the smishing where someone will get a text from our CEO saying, hey, this is me with a new cell phone. I need you to respond immediately. Yeah. And instead of simply responding, we developed this culture of, hmm, that sounds odd. Let me question it. I know his real cell number and this actually happened to me two weekends ago.
Another one that happened was on the last day of the month, we got to an email alias, a file that said signed PO for X hundred thousands of dollars. And you know, I immediately notified sales organizations that do not click on that. And I knew that they were questioning it when I contacted IT. Yes, several people already notified us. It’s that culture of question, right? Don’t trust everything that you get, even if it seems like a PO at the end of the month.
MAX ALEXANDER
It goes back to empowering your employees as well. So I think that’s a good point. We have to question, we have to empower employees. That purchase order you’re receiving in the financial world, we call that a business email compromise and that’s probably the number one external fraud threat that you’re going to face, but it’s enabled by these unintentional insiders in your company. So one, you have to train the staff, the accounts payable staff. What does this look like? But you have to have the authority to question that because oftentimes those are accompanied by, well, if you don’t make the payment, we’re going to assess you a late fee, a penalty. We’re going to cancel your contract. And you have that person who’s, they’re decently paid, but they’re not well off. They’re like, gosh, I don’t want to be responsible for ruining this relationship, incurring a late fee. I need my job. I don’t want to get fired. Let me go ahead and make this payment.
So not only questioning, but also reporting. And I think that’s one of the other aspects is that not only when you see these phishing emails should you look at this and question it, not just delete it, but your organization needs to have a mechanism to report this over to the IT staff, like you were talking about, so they can remove this from the inboxes of folks who may not have that questioning mindset. And going back again to my government days, another thing that we look at is not just questioning and reporting. All of the fraud contacts in your organization and all the insider threat folks in your organization will say that the number one way of catching insider threats in your organization is the reporting. And you have to have a culture of reporting in the organization.
Going back and looking at spies like Aldrich Ames, he did a lot of damage to the government. And he went undetected for a long time. And he was an instructor at the CIA’s farm and was training future spies, but was also selling them out. But it wasn’t until someone came and actually looked at his drapes and recognized that, gosh, these drapes are thousands of dollars. There’s no way that this guy who is just a 14 or 15 would be able to afford this. They actually reported him and were able to then catch that spy.
STEVE RIVERA
Interesting. I’d like to shift focus a little bit and talk about artificial intelligence and how you perceive AI having an impact on cybersecurity. There’s two aspects of it. There’s the threat actors use of AI, but then there’s also the countermeasures that are powered by AI. How do you see AI having an impact on cybersecurity?
MAX ALEXANDER
People in cybersecurity have been using AI longer than I think a lot of the population has known about artificial intelligence. So anybody who’s been in the cyber world for a decade, we’ve seen the emergence of AI, particularly as it relates to endpoint detection and response. There’s a host of companies out there that are using it. There’s a host of companies that are doing it at the perimeters and the firewall level as well. So that is a good use of that technology. And then AI is obviously a broad set.
You have AI in general and machine learning and then deep learning. So there’s a myriad of stuff that encompasses AI in and of itself. A lot of what we’re seeing, I think, is scaremongering. It’s people who’ve watched 2001: A Space Odyssey. I think HAL’s going to take over the nuclear weapons, or we’ve seen Terminator. Not that we shouldn’t necessarily question what it’s doing, but I think a lot of the hype curve of this is kind of overblown. I do think it is a good use of technology. We have to use it smartly. We have to understand what it’s doing. I think a lot of the issue with AI is that a lot of the outputs are black box.
They’re not necessarily Bayesian logarithms that you can follow along with some type of mathematical concept. It’s doing something. We kind of have an idea of what it’s doing, but we don’t know why it’s deriving certain conclusions, but we do see that it’s coming to a relatively good understanding of what we’ve asked it to do. But when we start reusing code and we start asking AI to do certain things that maybe it wasn’t initially intended to do, but now we’re asking it to do something different and it comes out with some crazy result, OK, well, yes, you should expect that because that’s not what it was intended to do and we’re using it for that purpose. So I do see AI as a good tool. Hackers, obviously there’s hack GPT now, they’re using it for some nefarious things. I have played around with it even just as far as early this year. ChatGPT, it didn’t code very well in Python. It’s gotten a little bit better. It didn’t do math very well. I’ve asked it to do some very simple math problems. I think it had problems doing subtraction and division. So yeah, it’s a decent tool, but it’s not going to be the end-all-be-all that I think some people make it out to be.
STEVE RIVERA
No, I appreciate that. I did want to end on a note and ask your opinion about that new SEC rule that is requiring companies to reveal cyber attacks within about four days. The stated purpose of this SEC rule is to protect investors. Right. But with the experience you’ve had in forensic investigations and that my teams have had in forensic investigations, four days seems like a very short amount of time to do root cause analysis to actually figure out what the attack impact is. Do you have any thoughts on that rule and how it’s going to be a game changer for how quickly companies have to report these attacks?
MAX ALEXANDER
Yeah. Well, first and foremost, I mean, it’s an SEC rule. So right now when it comes to fruition, you’re going to have to follow it. And essentially you need to get your legal counsel involved because it is a legal process first and foremost, but you also have to have your cyber folks. Looking at the SEC rule, it also says a material breach. Because that’s a legal word, you’re going to have to figure out what the word material means. So it’s not just a cyber process. So one, yes, go out, follow the law.
Two, get your cyber folks involved. Our job is the same thing we’ve always done. Let’s go investigate. Let’s find the cause of the breach. Let’s go through the incident response process. Let’s do all of those things. Let the legal folks worry about the legal things. I’m not a lawyer. I can’t give legal advice. That being said, when we look at maybe some of the material impacts, okay, now I’m having to notify the government about a potential breach that I’m still investigating. I may not have had time to patch or mitigate some of the things that I’m still trying to figure out. Is there a potential risk there? Yeah, there could be. Because now I’m notifying someone outside of my organization about a breach and I still don’t maybe know how, why, what happened. Other people could then say, ah, ACME widgets has been hit. Let’s start going after them because they’re just in the middle of recovery process. We know that something bad is happening.
So maybe from a tactical side of the house, it could be less than optimal for some cyber work. I understand why the government did it. So we’re trying to protect investors, but it may have some second and third order effects that we don’t know about yet. So it’s important again, if you find it’s not working, if companies are finding that it’s not working, it’s a legislative process. Let’s get in touch with our legislators and provide some input on that.
STEVE RIVERA
Great. Well, I appreciate the comment. One last thought, there seems to always be this shortage of resources, skilled resources in cybersecurity. The number varies depending upon what trade rags you read, from the hundreds of thousands to the millions. What are your thoughts on how you crack into cyber? And it’s always that catch-22. People want to hire folks with experience, but you don’t get experience until you actually get a job in the industry. So how do we make up that delta of resources that seems to be always lacking in cybersecurity?
MAX ALEXANDER
Experience comes from different things. So education first and foremost, you have to know what you’re doing. Does that mean everybody has to go to college? No. Does everybody have to have a CISSP? No. But some of those, those were the routes that I took just because I’m a glutton for punishment and I like doing some of those things. My daughter, she’s 16, almost 17 years old now. She absolutely hates and detests going to school. I have to be on her all the time. She likes cybersecurity, so I’ve enrolled her in as many cyber things in her high school now as we can. So she just finished the complete cyber curriculum they have. She’s doing coding this year. I think we’ve determined that she probably, the four-year university is just not going to be for her. There’s a great community college, Nova Community College. They have an Associate of Applied Science. She’s looking at doing that cyber curriculum, cyber program there to get that training. And then also maybe looking at internships and things along the way. So there is a path for her, even someone who doesn’t like college, that maybe it might be an option for her in the future. But I do think too that we can’t just look at college as a way like, oh, well, you don’t have a four-year degree. You’re not qualified to do cyber.
There are lots of folks out there that do not have any college, do not have any cybersecurity certifications whatsoever. And they still can pick up something and they’re still valuable in this process and could ultimately be a really good cyber person. So we can’t necessarily discount those folks either. Within, you know, if your companies are big enough that you can afford to have some of your own internal training, that might be a method to go to build your own. Okay. We, you know, the business that may be more important than knowing cyber, let’s grow our own and develop what we need along that process. And that could be skills. That could be maybe we’re going to pay for college for you. Maybe we do our own thing. So there’s a million ways to get there. You don’t have to have degrees and certs. It helps. But you know, just getting folks to that stage and companies identifying that need. And if the school system isn’t providing it to you, then you have to find it some other way.
STEVE RIVERA
Yeah, no, it’s a great point. I was just, you made me remember a conversation I was having two weeks ago with a retired admiral in the Navy who is helping this nonprofit organization with children on the spectrum of autism, you know, high functioning autism, and getting them trained in cybersecurity because of their proclivity toward being able to analyze data at rapid paces, you know, repetitive functions and focus, and getting them to have a career path as a SOC analyst or being able to train them in these cybersecurity areas so that they can have a career and be able to continue to prove themselves. And we were talking about this and I thought, here’s one way where we can introduce more individuals into this industry that seems to be lacking resources overall. I appreciate the comments that you just made. Max, thank you very much. I think we’ve come to the end of our time. And I appreciate all the comments and the conversation here.
That is all for this episode. Make sure you tune in next time to Logically Speaking, and stay cyber first and future ready.