So much of cybersecurity comes down to the human element. When large companies are breached, it’s often because a person made a poor decision or was duped by an internet scam. During Cybersecurity Awareness Month, it’s important to look at how scams impact individuals and societies.
For our Cybersecurity Awareness Month podcast series, we talked to Mike Nelson, director of strategy and consulting at CyberCX, about how to avoid cyber scams, why cybersecurity risk is really a business risk and how cyber defenses can be strengthened with artificial intelligence (AI). Listen to the complete podcast here.
The following has been edited for clarity.
Gary Cohen: Cybersecurity Awareness Month is obviously highlighting some key behaviors. They usually do multifactor authentication, strong passwords, recognizing phishing. What do you think people should be focusing on this month?
Mike Nelson: One of the things I like to look at during Cybersecurity Awareness Month is extending cybersecurity and the traditional definitions of cybersecurity a little bit more into everyday life, a little bit more into how the average layperson might come across and might see cybersecurity topics in just their day-to-day. For Cybersecurity Awareness Month, one of my favorite topics for this one is how do we translate what we are doing in the cybersecurity space to what everybody’s just seeing on a day-to-day basis? So my topic for this one is scams.
I’ve been working with a couple of CyberCX team members on a couple of recent projects and engagements with some public sector clients on how can we apply cybersecurity principles — the general “don’t respond to phishing emails, don’t give out too much information from a cybersecurity perspective” — also to that sort of scam perspective. Your grandma receiving the email that her granddaughter is in jail, and she’s got to bail her out. “Here, quick, send money to this account info right here!” I like that extension of cybersecurity awareness a little bit more into the public sphere on how people are dealing with these topics on a daily basis. Any chance that we get to translate cybersecurity into situations like that, that sort of adjacent space, that’s going to be one of my advocacy parts for this Cybersecurity Awareness Month.
Tyler Wall: A quick anecdote here on the topic of cell phone scams: I think it was last year, my mom actually got a call from someone pretending to be my brother saying he was drunk driving, got into an accident, broke his nose, and she started freaking out. So she called my dad, and she was like, “Ah, I need you to call the lawyer because Ryan, he just got in an accident. He’s drunk.” My dad stopped for a second. He was like, “Well, it’s the middle of the school day. I mean, I don’t know. Maybe check Life360 real quick.” So he checked and then everything kind of died down. But it can be very convincing with those kinds of attacks, especially as we start getting into those newer methods of social engineering attacks. It’ll probably get pretty wild out there.
Nelson: Very much so, and very topical, too. You’ve heard and maybe seen some scam watch alerts and that type of thing, people using AI to mimic voices to perpetuate these scams. It’s something that’s evolving and something that you’re going to see more of as these scams get more complex over time. So, absolutely, just that vigilant posture. It’s not just something for cybersecurity professionals. It’s something that it pays to adopt by the general public in a lot of cases, as well. It’s certainly topical. Extending our cybersecurity awareness space a little bit more into this public sphere here is an admirable goal.
Wall: What trends or developments in cybersecurity are you particularly excited about heading into 2024?
Nelson: I’ve got one that’s top of my list: Cybersecurity becoming more and more and more of a business risk rather than a technology risk. So it applies both for traditional IT (information technology) environments and OT (operational technology) environments, as you guys are focusing on here on the ICS Pulse Podcast. When you see cybersecurity being treated by the business as more of a business impediment — trying to prevent against business impediments is what I’m trying to say there — as opposed to just a technology-specific issue. How can we fix this with additional tech or with additional process to be put in place to defend against these threats? The rising prominence of cybersecurity as a business issue is a trend that I’m really looking forward to see continuing and getting even more important going into 2024.
Cohen: It also helps to speak to the business case because you need the C-suite, you need the board, you need all of these people to create that cybersecurity culture throughout an organization.
Nelson: Very much so. That’s it. You nailed it. Cybersecurity not only as a technology issue, but also as a culture and awareness issue. Again, good tie-in here to Cybersecurity Awareness Month. Cybersecurity is a business issue, behavioral issue, culture issue, and not just what technological sort of capabilities do you have in place. It’s a growing trend, and I like where this one is going.
Cohen: Can you share a memorable experience or a case from your career that really highlighted the importance of cybersecurity for you?
Nelson: Yeah, I’ll give you two, and they’re certainly ICS (industrial control system) related. I got into cybersecurity consulting right out of the university as a “Let’s see what it’s like. It sounds cool. It sounds sexy. It sounds interesting. Let’s explore what we can do here and what types of projects are available to us.” So I started my career in pen testing and a little bit more of application security reviews, kind of that technical lens. I had two really “A ha!” moments in my first year of pen testing that were good anecdotes as well as to illustrate the importance of doing this type of stuff.
One of them was back in 2013, pen testing a power company based in the Midwest here in the U.S., and understanding from what we were seeing that they actually had an exposure of their SCADA (supervisory control and data acquisition) systems facing the internet, which was set up and intentionally configured that way because the admin of those systems was looking to be able to remotely access them should they experience an issue after hours or while they were on vacation, something like that. Thinking that, “Hey, we need a backup plan here. We need a way to be able to access this stuff if we’re not able to get to it in the office or on the network.”
So just really seeing that, “Whoa, wait a minute.” Somebody here was really trying to do the right thing, but in doing so created a really big cybersecurity risk, or a really big potential vulnerability. That was one of the first experiences for me where I saw that there really needs to be this alignment between cybersecurity trying to secure the business and the business trying to enable effective operations. I’ve taken that forward with me in my career, that people aren’t circumventing cybersecurity rules just for the sense of, “I want to do the insecure thing.” It’s, “I want to be able to do something. I want to be able to enable the business,” but maybe needing to step back and review that from a security perspective before making a change like that.
The second one I’ll keep short. Another pen test-related one here: a pen test of a series of retirement homes. So this was a large retirement home company who operated retirement homes all over the U.S. We were reviewing — and this was an internal pen test — and one of the things that we found on this was that many of those super sensitive, lifesaving, life-preserving safety-type systems that were running on that company’s networks were actually pretty readily accessible to people that were administering the network.
This was before proper segmentation and proper zero-trust architectures were put in place here. But another “A ha!” or “Oh, wow” moment of seeing life support system one, life support system two, and right next to it, that little power off button, or do you want to restart? Heck no. Definitely not. Stay far away from that stuff while you’re pen testing those types of things. But I hope both of those examples just sort of serve to be illustrations of why this has really resonated with me and made cybersecurity rise to that level of prominence. There’s real stuff at stake here when needing to do this the right way.
Wall: On the topic of attacks, as an industry, what have we learned from major cyberattacks recently?
Nelson: The major takeaway that I’ve had from some of the big hacks recently is that there’s always going to be a new one. There’s always going to be another vulnerability. We’ve seen a shift for businesses over the last few years here of not just “How do we plug all the holes so that we don’t get compromised?” to “How do we build the muscle and the responsiveness capability to put the right practices into place when we inevitably get compromised?” Hopefully, that compromise is minor. Hopefully, that compromise is isolated or singular systems as opposed to a larger-scale ransomware or data theft extortion incident.
But companies shifting their mindsets and enterprises shifting their mindsets to, “What do we do when we inevitably have to deal with an incident?” Sort of treating it more so as, “What are we going to do when this happens?” versus, “We can’t let this happen” has gotten companies in a much better place. There’s always going to be another zero day, always going to be another exploitable vulnerability, but really training up that capability of, “Well, what do we do when it happens?” has been something that I think continuously has been stressed as a recent attack learning need to know in the wake of some of these most recent attacks.
Cohen: Absolutely. What emerging technologies do you see impacting the field of cybersecurity in the near future?
Nelson: One that I like and that I’m following pretty closely is AI, with a little bit more of a machine learning lens in terms of how a defensive cybersecurity posture can be augmented or strengthened from a machine learning capability. A machine is always going to be able to react faster than a human. When it sees a certain type of attack coming in, a certain type of anomalous behavior, a machine will have the ability to say, “OK, I’m going to quarantine,” or, “I’m going to segment,” or, “I’m going to auto scale. I’m going to do something here to deal with this unexpected surge or unexpected activity.”
I really am excited to continue to follow how SOP (standard operating procedure) seam arrangements and MD, managed detection response, next-gen detection and response capabilities, are being strengthened by that machine learning ability in terms of not waiting for an analyst to say, “Oh, yeah, I see that detection. Do this.” And, instead, maybe having lower-level actions taken and then presented to the analyst. “Hey, I have a machine that did this. I’m now ready for you to follow up to do that next level, deeper dive into those activities.”
Wall: Last question for you here. I mean, Gary and I pride ourselves in keeping these podcasts pretty fun. And what is a fun podcast without a fun question in there? So our fun question for you today is: What is your favorite movie or TV show that has something to do with cybersecurity?
Nelson: I’m going to give you a related media. It’s still media, still on screen, but I’m going to go with “Mr. Robot.” I’m not sure if you guys are fans or have previously watched, but “Mr. Robot” is a really cool story, really cool background on the hacking that’s in “Mr. Robot,” of which it is a pretty prominent part of the storyline.
There’s a blog associated with this — and no free advertising, but a small plug if you want to Google it. The guy that runs this blog, it’s pretty interesting, he actually goes through the hacking scenes in “Mr. Robot” and sort of explains, “Well, this is where it’s really representative of what actually takes place, and this is where we had to take a little bit of liberties and sort of simplify things a little bit.” But if you’re into a good depiction of what hacking really looks like in media, go check out “Mr. Robot,” and check out that associated blog that does a little bit of a deeper dive into how that hacking is reminiscent or sort of realistically comparing to what attackers actually do on a daily basis. So I’ll plug “Mr. Robot” for that answer.
Now, not necessarily from the story perspective. The show got a little bit wonky in its final seasons, but it’s OK. The depictions of hacking are what you’re going there for, and they’re probably the most on-point that I’ve seen in any form of media over the course of my career.