Unknown
I saw in The Guardian— The Guardian did a Q&A, and one of their questions was, question: was my personal data at risk? And The Guardian said, has been since 2010.
Yes, that's what they should have said. They said no more than when Facebook's up and running, but I agree with you, Carole. It's like, no, you're actually safer at the moment.
Facebook's down. It's when Facebook's up you've got to worry. Smashing Security, episode 247. 246, Facebook Has Fallen, with Carole Theriault and Graham Cluley.
Hello, hello, and welcome to Smashing Security episode 246. My name's Graham Cluley.
CAROLE THERIAULT
And I'm Carole Theriault.
GRAHAM CLULEY
And Carole, we're joined today by somebody who's brand new to the show, Chris Kirsch.
CAROLE THERIAULT
Welcome, Chris.
CHRIS KIRSCH
Thank you. It's a pleasure to be on.
GRAHAM CLULEY
How do you two know each other? What's going on?
CAROLE THERIAULT
From another podcast, a very celebrated podcast called Sticky Pickles. I don't know if you've heard of it.
GRAHAM CLULEY
Oh, Sticky Pickles.
CAROLE THERIAULT
He gave us an outrageous story. It was fantastic.
GRAHAM CLULEY
Right. Okay. So he's now graduated up to Smashing Security.
CAROLE THERIAULT
Well, or he's roughing it. We don't know.
GRAHAM CLULEY
Chris, what do you do when you're not appearing on Sticky Pickles or Smashing Security?
CHRIS KIRSCH
So I'm the co-founder of a company called Rumble. You can find it at rumble.run, bit of an unusual top-level domain. And I co-founded the company with H.D. Moore.
He is the creator of Metasploit and essentially what we're doing is helping people find things that are connected to their network.
GRAHAM CLULEY
Pretty important thing.
CAROLE THERIAULT
You see, Graham, some people have important jobs. Now let's say thanks to this week's sponsors, 1Password and Attivo Networks. Their support helps us give you this show for free.
Now coming up on today's show, Graham, what do you got?
GRAHAM CLULEY
Oh, it's complicated.
CAROLE THERIAULT
Is that really all you're gonna give us?
Okay, Chris, what about you? And please be more descriptive.
CHRIS KIRSCH
Okay. I've got a sad story with a lot of ethical problems. So let me put it that way.
CAROLE THERIAULT
And in my story, we learn whether collaboration and cooperation is the answer.
Plus, don't miss our featured interview with Carolyn Crandall, who is the chief security advocate at Attivo Networks.
And you'll hear me get a much-needed education in identity security. All this and much more coming up on this episode of Smashing Security.
GRAHAM CLULEY
Now, chums, chums, how's your week been?
GRAHAM CLULEY
Yeah, been all right. Yeah, it's not disastrous. Yeah. Well, I hope it has been good.
I hope it's been at least not as bad as Facebook's, because Facebook earlier this week, they went on a little holiday for some hours. They dropped off the internet entirely.
Did you hear about this? Hardly anyone mentioned it.
CAROLE THERIAULT
I did hear about it. It had absolutely no impact on my life other than people started messaging me more regularly saying I'm bored because Facebook's not there. So how are you?
GRAHAM CLULEY
I don't know what to do. My life has lost all meaning. Yeah. I can't like people on Instagram.
CHRIS KIRSCH
I thought they were just taking the week off, you know, wasn't it one of those relax, recharge weeks for Facebook or something like that?
GRAHAM CLULEY
Oh, wouldn't that be fantastic? Yeah. It felt like the good old days, didn't it?
CAROLE THERIAULT
A national holiday.
GRAHAM CLULEY
Yeah, it did. It felt like the days when we had to study medicine for years to become experts in vaccines rather than learn things on social media sites from postings instead.
It was a simpler time, it felt like.
And we've got really Facebook to thank for this throwback through time, because what they did was they made some configuration changes on their little bit of the internet backbone, and they goofed up.
They accidentally shot themselves in the foot. A catastrophic failure wiped them off the internet, effectively making it impossible for anybody to reach their servers.
CAROLE THERIAULT
And so did they not test before going live?
GRAHAM CLULEY
Well, it's a bit hard. I suppose you'd have to create another Facebook, wouldn't you, to sort of test it?
CAROLE THERIAULT
They must have a virtual Facebook times 1,000. Right, Chris? You're smart. Of course they must have a virtual network.
CHRIS KIRSCH
You'd think, right?
GRAHAM CLULEY
Yeah, but it's not possible to sort of imagine every dependency and everything which relies upon everything else, and you can still have a finger fumble or copy something into the wrong folder.
CAROLE THERIAULT
Mr. Graham Cluley, are you empathizing with Mr. Zuckerberg, who must not be very happy about this?
GRAHAM CLULEY
No, not really. I can't bring myself to. But Facebook went down, WhatsApp went down, Messenger went down, Instagram went down.
All these Facebook entities, and all because—
CAROLE THERIAULT
How will we live?
GRAHAM CLULEY
I know. Well, some people really did struggle, and some people, of course, their businesses depend upon these sites and services. Payments may come in through these things as well.
GRAHAM CLULEY
Yeah, lots of ads. Imagine the people who will be moaning right now that they paid for ads.
CAROLE THERIAULT
I don't get enough ads. I don't get enough ads in my life. I wouldn't mind a few thousand more, actually. Maybe that's why I should go to these things.
GRAHAM CLULEY
Yeah, yeah. Maybe you should install some of these things. Maybe you should sign up. So it was a problem with Facebook's configuration of BGP, the Border Gateway Protocol.
Which is like a sat nav system, really. It's sort of, you know, here you have DNS and IP addresses which tell you where something is.
Well, BGP, it's the kind of thing which tells you how to get where something is, how to navigate the internet to get to it.
And because they'd sort of shot themselves in the foot, everything had simply been wiped. It had just forgotten everything it needs to know about how to find Facebook.
And this had an impact on other sites as well. It wasn't just Facebook which wasn't online. One of the sites which went down is a site called isitdownrightnow.com.
CAROLE THERIAULT
Okay. Is that related in any way?
GRAHAM CLULEY
Well, isitdownrightnow.com isn't owned by Facebook and it doesn't run off a Facebook server.
It's one of these sites which tells you about popular internet sites and whether they're down. So when Facebook et al.
went down, lots of people went to isitdownrightnow.com to see—
CAROLE THERIAULT
Did they get DDoSed by accident?
CHRIS KIRSCH
Graham. Graham, I have a fantastic business proposal for you.
I want you to partner with me on this.
GRAHAM CLULEY
Oh, okay. Yeah, I'll do that.
CAROLE THERIAULT
Fuck you, Chris.
GRAHAM CLULEY
Let's hear the idea first, Carole. You might be pleased not to be involved.
CAROLE THERIAULT
Okay. Okay.
CHRIS KIRSCH
I think we should start a site.
That is called is, is it downrightnow.com, downrightnow.com. Oh, I think—
CAROLE THERIAULT
I would register that immediately.
GRAHAM CLULEY
And that would just see whether isitdownrightnow.com is down.
I love this idea. This is genius.
CAROLE THERIAULT
I'm not interested at all.
GRAHAM CLULEY
But anyway, yes, it'd be knocked over by all the traffic of people trying to find out if Facebook and other sites were still down.
And some people also experienced Twitter outage as well, though Twitter wasn't really connected with it. Lots of people suddenly using Twitter more.
Some of them experienced problems with the API. Signal said that it had seen an uptick in signups for its encrypted messaging service.
CAROLE THERIAULT
And this has happened what, this week, right?
GRAHAM CLULEY
Yeah, it happened on Monday night. Yeah.
CHRIS KIRSCH
I think, yeah, I mean, that's been part of a long trend, right?
Where so many people have moved over from WhatsApp to Signal because they didn't like WhatsApp being acquired by Facebook and changing some of the privacy policies, I think.
GRAHAM CLULEY
Yeah, I think a lot of people would like to use a different messaging service than WhatsApp because of the Facebook connection.
But of course, you have to get all your mates to switch over as well. And maybe this is a great opportunity to do that.
Now, sadly, Zuck, he reportedly lost $7 billion of his personal wealth.
CHRIS KIRSCH
Oh, now I have empathy with him.
CAROLE THERIAULT
Of his personal wealth? What do you mean? You mean the company's wealth, not his personal wealth.
GRAHAM CLULEY
Well, no, his shares. Because he obviously has quite a few Facebook shares.
$7 billion now. So it wasn't sort of taken from his pocket, obviously.
CAROLE THERIAULT
Yeah, I don't think it's sitting in his current account. No.
GRAHAM CLULEY
But the share price did fall. I'm sure it will return, however.
And the other odd thing was that there are people out there who only use their internet connection for accessing Facebook or WhatsApp. They don't do anything else. What a sad life.
And can you imagine? Yeah. That is the internet for them. The internet is Facebook.
And so when they couldn't access Facebook, what they did was they didn't report, oh, Facebook appears to be broken.
They went to their ISPs and cell providers and said, the internet appears to be broken. They reported that their cell providers were down and suffering an outage instead.
So there were all these people saying, well, the cell provider's got it. It's like, no, no, no, it's just Facebook. So conspiracy theories began to spread.
I know it's hard to believe, isn't it? Conspiracy theories spreading, especially when Facebook is down. Normally conspiracy stories spread when Facebook is up.
But this is— I don't even know how the conspiracy story spread about Facebook being up, but one did about Facebook being down.
Some people thought it was linked to the Facebook whistleblower. Did you hear about the Facebook whistleblower?
CHRIS KIRSCH
Yeah, we did.
GRAHAM CLULEY
Yeah, it's been big news. So she says the site's been misleading the public.
CHRIS KIRSCH
I think it was 60 Minutes.
CAROLE THERIAULT
Oh, yes.
GRAHAM CLULEY
Yeah, absolutely. It's been big news in all kinds of places. The theory was Facebook didn't want the news to spread to its users, so it thought, what should we do?
What should we do to stop the news getting to our users? We'll turn off Facebook.
Well, that wasn't true.
You can believe it though, because just last month, New York Times, they did a story about how Zuckerberg had personally signed off on an initiative, a program within the company to show users more pro-Facebook stories in their newsfeed.
Which obviously would push out some of the negative ones.
CAROLE THERIAULT
Inline content marketing.
CHRIS KIRSCH
So it's completely unreasonable that he would switch Facebook off because that's fewer positive stories for Facebook, right?
GRAHAM CLULEY
Yes, that's true. Although the negative story wouldn't have spread on Facebook because it gets very confusing.
CAROLE THERIAULT
How long was the outage for? I just don't know the basics yet.
GRAHAM CLULEY
Hours. Hours and hours. A number of hours, yes.
CAROLE THERIAULT
Did anyone eat their fingers?
GRAHAM CLULEY
Well, I don't know that food supplies were cut off as a result. Although I suppose if you were ordering food via WhatsApp, then— And some people make payments as well, don't they?
They rely on these messaging services to make payments too these days, I think.
I'm not a Facebook user, so I don't really— Anyway, there were also stories that maybe Facebook had suffered a data breach. Some people began to spread that story.
And this was Facebook's attempt to shut it down. So there's all kinds of bonkers stuff.
I saw in The Guardian, The Guardian did a Q&A and one of their questions was, question, was my personal data at risk? And The Guardian said, has been since 2010.
Yes, that's what they should have said. They said no more than when Facebook's up and running, but I agree with you, Carole, much better answer.
It's when Facebook's up you've got to worry. But all this doesn't really explain why it took Facebook so many hours to bring its systems back up and running.
And the reason for that, it turns out, is that Facebook is running everything to do with Facebook through Facebook systems.
So if you want to speak to a fellow staff member at Facebook, if you want to say to them, "Our server seems to be down." Did they resort to freaking pigeons? So they couldn't do it.
If you want to log in remotely to the server room to reboot it, that's going through a Facebook server you can't access.
If you've got a server room which is locked and you need a security badge to be like, bleep you through, the security badge system doesn't work because Facebook's— So they couldn't physically get inside the server rooms to manually fix them.
CAROLE THERIAULT
Sucks, sucks, sucks, sucks, sucks.
CHRIS KIRSCH
Yeah, maybe you should resort to buy over build, you know.
CAROLE THERIAULT
Just go back and sell skateboards or something. Walk away. That's what I say.
GRAHAM CLULEY
So everything to do with Facebook was down.
And also, of course, if you were using a third-party site which uses Facebook login, you know, sometimes sites say, of course, I need to know a username and password.
Use Facebook login.
CAROLE THERIAULT
Why did you suddenly change your voice? Loads of people. Apple have sign-ins. Google have sign-ins. Facebook have sign-ins.
GRAHAM CLULEY
So if you're using one of those, you're dependent on Facebook being up and running in order to let you in. And it didn't work. So you couldn't get in that way either.
A bad week for Facebook. But things have got worse since because now. Well, it's bad news for the rest of the world. Facebook is back up. Oh dear. And the holiday is over.
I can't, but I think there's a lesson here. There's a lesson, which is don't put all your eggs in one basket.
Don't just, you know, and I mean, that poor IT person who made that error. What do you think?
CAROLE THERIAULT
Don't put all your eggs in one basket. Doesn't that mean you're now a proponent of polyamory?
GRAHAM CLULEY
Well, I don't have eggs, Carole, to spread around. I think maybe you need to go back to biology class. Chris, what have you got for us?
CHRIS KIRSCH
So Graham, I'm going to try and be even more concise than you are with your stories. So this is a story by Kevin Poulsen in the Wall Street Journal. It's quite a sad story.
So just a trigger warning if the story involving the death of a small child is challenging to you, then you may want to skip the next 5 minutes and continue with Carole's story.
So let me set the scene a little bit. In July 2019, the staff at Springhill Medical Center in Alabama saw some vague notices kind of like taped across their computer screens.
And it said that the hospital's medical record system was down until further notice.
So the staff actually didn't know why, but the hospital had been attacked by ransomware by a Russian-based gang called Ryuk, and they declined to pay the ransomware gang, which, you know, I think you should because otherwise you're perpetuating the problem.
So the systems were down, and this put a lot of strain on the nurses and doctors.
You know, they were resorting to texting each other, and they printed out lab results and ran them across the hospital on foot and all of that stuff.
And many of the younger nurses who'd never worked without electronic medical records, you know, it was chaos.
GRAHAM CLULEY
They were probably a fair bit better at texting quickly though, weren't they, than the older medics?
CHRIS KIRSCH
Yeah, maybe they should have used Facebook, until that went down. Yeah. But the hospital denied to a local TV news station that it had any network event that affected patient care.
CAROLE THERIAULT
I'm just thinking, I wonder if the person who spoke didn't know at the time, but that seems to be impossible the way you're telling the story. So they did know and they lied.
CHRIS KIRSCH
Yeah. I think they were probably riding the line of, you know, we have a network event, but it doesn't affect patient care, you know, but they didn't express in that way.
So, you know, it's a political non-apology apology kind of thing where you're really taking a fine point on something.
GRAHAM CLULEY
I'm sorry, Kroll, if you, for some reason I didn't truly understand, took offense at my comments in the podcast the other week, which you clearly failed to properly comprehend.
CAROLE THERIAULT
It's basically the— I don't know why you're apologizing now, Graham. That's the best I've ever heard from you.
Carry on, Chris, please.
CHRIS KIRSCH
So 8 days later, the ransomware attack is still going on.
And that day, you know, finally the hospital actually admitted publicly on a local TV station that it had experienced a security event.
CAROLE THERIAULT
Wow. So they treaded water for 8 whole days.
CHRIS KIRSCH
8 days, right? That's a long time. And that same day, a woman by the name of Teiranni Kidd got to the hospital to give birth. And she was still unaware of the cyberattack.
So as part of the cyberattack, as part of the ransomware, the nurse's desk at the labor and delivery unit was cut off from the actual heartbeat monitors in the delivery rooms.
And so when—
CAROLE THERIAULT
Oh my God.
CHRIS KIRSCH
Right? So when her daughter was delivered, the heart rate monitors had actually signaled distress for over an hour before the birth, but the nurses didn't receive it.
GRAHAM CLULEY
Oh my goodness. Yeah.
CHRIS KIRSCH
So it's a hard story, right? It's a hard story. And, you know, the doctors texted later, hey, I need you to help me understand why I wasn't notified. This was preventable and so on.
So, you know, it showed that medically this would have been preventable if they'd gotten notified.
Yeah. So the baby was born with severe brain damage and died 9 months later. So this could be like the first confirmed death resulting from a ransomware attack.
Now, there are some really big questions to ask, right? No question that this is a super tragic story. And I think doctors or nurses, I assume did their best under the circumstances.
But there are some really big questions to ask. So the hospital said, hey, we did the best under the circumstances.
And they also said that the doctor should have informed the patient about the ransomware attack.
So they're throwing the doctor under the bus a little bit, which I think is a little harsh.
CAROLE THERIAULT
I imagine that doctor was probably being told for the whole 8 days, say nothing to the patients. We continue providing patient care at the same level.
CHRIS KIRSCH
And the doctor said that he believed he could still deliver the baby safely, which is why he didn't mention it.
And my understanding is that the legal argument that the mother put forward is that the hospital should have informed her that it was under a ransomware attack and that it had diminished services so that she could have chosen to go to a different hospital.
And so this makes the whole thing very interesting. Because the first question is obviously, is the hospital responsible for getting ransomwared or is it an act of God, right?
If it's an act of God, then okay, then you can't do anything. If you get hit by lightning and your hospital is out, there is very little you can do by that.
But the question is, is ransomware preventable? That's the first question, I think.
CAROLE THERIAULT
And who is the onus on? Is it on the hospital to provide enough defenses to ward off most ransomware attacks? And this one just snuck in because it was so clever.
CHRIS KIRSCH
Yeah, exactly. So did you exercise due care? And I think that's where those were the arguments up until now. And I think those are still valid.
But the other question arising from this is, does the hospital have a responsibility to inform patients that they've been ransomwared and may not be able to deliver the right care?
GRAHAM CLULEY
I think Carole's given her opinion on that.
CHRIS KIRSCH
So if we take this away from cybersecurity, the question is would a hospital have to notify you that it's almost out of ICU beds due to COVID, for example, and that you may not receive the right care, right?
If they don't inform you, does that open them up to a lawsuit? I think this is interesting, not just for hospitals, because obviously in hospitals any misstep can cause a death.
But let's say that you run some kind of business service or private service, maybe not Facebook, I'm not sure if Facebook is critical enough, right? Maybe it is, I don't know.
And you're under cyberattack and you do not notify your current or future customers that your service is impacted. Does that open you up to future lawsuits?
And I think that's really the interesting part of the story.
CAROLE THERIAULT
Oh, this is so hard. Because there's a death of a kid involved, right?
CHRIS KIRSCH
I know, I know.
CAROLE THERIAULT
That's the horror show. And people choose hospitals based on the level of care that they are touting, either in their marketing or all over their website.
And if they didn't put a big blazing sign on it saying, we have an event that we need to take care of and it may impact care while we do this, I think that they were in the wrong.
GRAHAM CLULEY
But they obviously felt that it wasn't influencing their level of care, don't you think? I think they thought that it wasn't causing—
CAROLE THERIAULT
But the nurses couldn't get access to the heart monitors.
GRAHAM CLULEY
Well, yeah, maybe their assessment as to whether it was impacting—
CAROLE THERIAULT
Wasn't very good. Yeah.
GRAHAM CLULEY
I think it's hard for the average layperson to— I mean, just being told some computers have been hit by ransomware isn't very meaningful, is it?
I mean, most people aren't computer security experts and they're not going to have enough information about exactly how many systems.
Yes, but if you shut the doors of the hospital to absolutely everyone, isn't that going to cause chaos as well and maybe have an impact, a domino effect on other hospitals in the area, which will all become—
CAROLE THERIAULT
Yes. Okay. Very fair. There's like emergency cases, which that's a whole different story. But if something that's planned, like a birth, you may have elected to go elsewhere.
I completely agree with that.
GRAHAM CLULEY
Do American hospitals not have— Carole loves her terms and conditions and, you know, all these things that you have to sign before you can use a website.
Do American hospitals not have a little form you need to sign before you undergo some sort of medical procedure?
Because I remember when I had a problem with my jaw and they thought, well, they took me into the hospital here in Oxford and they said, okay, what we're going to do is we're going to go inside your mouth and we're going to do a little bit of surgery inside your mouth.
But if it's a bit too tricky to do it inside your mouth, we're going to go in from the outside and we'll just have to wire up your mouth for about 3 or 4 months afterwards.
And they were saying this to me as they were giving me the anesthetic, asking me to sign this thing.
CAROLE THERIAULT
Thank God for deepfakes. That happened, right?
GRAHAM CLULEY
You'd have probably liked it, right?
CAROLE THERIAULT
Yeah, I could have put words in your mouth. Made you funnier.
GRAHAM CLULEY
Carole, what have you got for us?
CAROLE THERIAULT
Okay, so all these ransomware attacks have been putting a little bit of a fire under some national buttocks, so to speak, encouraging them to stand up and help staunch the flow of ransomware.
So there's a kind of seminal moment in July when Interpol urged industry partners and police agencies worldwide to work together to disrupt this international criminal industry.
So Interpol Secretary General Stock said the best tactic to disrupt a seemingly never-ending stream of ransomware is to adopt the same international collaboration strategy used when fighting organized crime and terrorism, which makes sense, right?
Because the issue, as we all know, is transnational threats. International, like, where are they?
CHRIS KIRSCH
Makes sense.
GRAHAM CLULEY
The problem historically has been that there are ransomware gangs based in some countries where the police turn a blind eye because they're not affecting companies in those countries, but companies overseas.
CAROLE THERIAULT
And it can be difficult to find them even because they're bouncing around across lots of different servers around the world. And it's complicated.
If I called my local coppers to complain about an online scam that I fell for, they'd probably tell me to call Action Fraud in the UK.
And then they would probably log it in a system and give me some advice on how I can recoup whatever I can or strengthen my security, but that would be that.
GRAHAM CLULEY
Well, they'd file it in the wastepaper basket, from what I've heard. Yeah, that would probably— You'd probably never hear anything ever again.
CAROLE THERIAULT
And see, Interpol have strong examples to show that collaboration works.
So last year, they published results of a year-long investigative clampdown on worldwide criminal networks in the kind of phone and online fraud biz.
So it was codenamed First Light, and the operation officially concluded in November with the following results. They were able to secure almost $154 million worth of illicit funds.
These were intercepted. There were 21,500 operators, fraudsters, and money launderers that were arrested and 10,000 locations raided.
And this marked the first time law enforcement had coordinated with Interpol on a global scale to combat telecom fraud, with operations taking place on every single continent.
Kind of interesting, right?
CHRIS KIRSCH
Yeah. Why didn't they do that before? I thought that's what they should have been doing all along, right?
CAROLE THERIAULT
Well, I agree. I do have it in big letters here, "About time." So I'm with you.
So we have Interpol in July saying, work together on ransomware, see it worked for us during the scams bit. So I wanted to see, well, did anyone listen, right?
Did anyone listen to Interpol? And I have two events to call attention to today. So the first one is on the 1st of October, President Joe Biden said that the U.S.
will bring together 30 countries to jointly crack down on ransomware behind a barrage of attacks impacting organizations worldwide.
CHRIS KIRSCH
So is Russia part of— Well, that's very interesting.
CAROLE THERIAULT
He didn't list the countries. He's obviously saying NATO, G7, but, you know, there are a few other countries in there, so it'll be interesting.
I think obviously they would love to have Russia on board just for the, you know, the muscle. That'd be great. You know, we could all be happy, happy together.
GRAHAM CLULEY
There might be some itsy-bitsy countries in there, might they?
CAROLE THERIAULT
Papua New Guinea, maybe the Isle of Man, you know, maybe, because they want to disrupt ransomware networks and they want to work to establish and promote clear rules of the road for all nations in cyberspace.
You can see this is— there's a lot of hot air here. There's nothing really actionable that I could see. But then, you know, the president doesn't have to put action in his speech.
GRAHAM CLULEY
Yeah, I'm sure underneath it all, law enforcement are talking to each other and trying to become more coordinated.
CAROLE THERIAULT
Yeah. Now, this followed— so in July, President Biden issued a US security memorandum to bolster the nation's critical infrastructure cybersecurity.
So he's already basically said, look, here's a baseline of performance goals for critical infrastructure owners and operators.
Which is kind of scary because you kind of think that would already be in place, right?
Scary. So this is good news. This is all good news. It is about time, but it's all good news that this is happening.
Now across the pond in old Blighty, we've also had a recent announcement, but in a little bit of a different tone.
So where Biden said, we are building a coalition of nations to advocate for and invest in trusted 5G tech and to better secure our supply chains.
The UK revealed plans to invest heavily in national cybersecurity, creating a, quote, cyber force, unquote, unit to perform retaliatory attacks.
CHRIS KIRSCH
What uniforms does the cybersecurity force have?
CAROLE THERIAULT
You hope it's made of latex or spandex.
CHRIS KIRSCH
I'm thinking of the Space Force in the US.
Unknown
Space Force, yes.
CHRIS KIRSCH
I think LED blinking lights.
CAROLE THERIAULT
That's right, that was so funny. So yeah, basically the news from this new National Cyber Force is that it's to perform retaliatory attacks.
And the government has earmarked £5 billion to be dribbled out to the cyber force in the next 10 years or so, by 2030.
GRAHAM CLULEY
Oh golly, nice uniforms.
CAROLE THERIAULT
Yeah, right. And they've now decided where it's going to be based, right. So you might assume London, maybe, you know, Edinburgh, Glasgow, Manchester, Birmingham, maybe.
CHRIS KIRSCH
Give it to the Dutch. Dutch police are doing a great job.
CAROLE THERIAULT
Well, this is a UK cyber force, right? It has to be the UK.
GRAHAM CLULEY
Yeah, we're not that close with Europe anymore.
CHRIS KIRSCH
Oh, okay. Okay. Yeah, there's that.
GRAHAM CLULEY
Oh, I forgot about that thing. We're doing our own.
CHRIS KIRSCH
Yeah, yeah, yeah.
GRAHAM CLULEY
It's going jolly, jolly well.
CAROLE THERIAULT
They're going to the land that I know to be land of cheese, hot pots and—
GRAHAM CLULEY
Lancashire.
CHRIS KIRSCH
I was thinking Switzerland and fondue.
CAROLE THERIAULT
They're going to a town called— I don't know how you say this name. It's S-A-M-L-E-S-B-U-R-Y. So I'm going to try Samlesbury.
It's a tiny village of about 1,000 people back in 2011 when the census happened. Okay, it's tiny.
CHRIS KIRSCH
Do they have internet?
GRAHAM CLULEY
What's their broadband?
CHRIS KIRSCH
Maybe they don't have internet, and that's why it's the safest place for cybersecurity?
GRAHAM CLULEY
Maybe.
Hang on, so there's this beautiful picturesque little town up in Lancashire full of men with flat caps and whippets, and they're going to completely ruin it by putting a cyberattack facility in?
CAROLE THERIAULT
One of the main attractions is Samlesbury Hall, right? A historic house in the village.
GRAHAM CLULEY
Well known for it.
CAROLE THERIAULT
The Lancashire local press are all "this is amazing for us, this is going to be amazing.
We're going to boost our economy, we're going to have loads of jobs." But I'm with you, I think the villagers must be up in arms.
And no one's hearing them because they're probably not saying 100% of people in the town hate us.
It's more "there's 1,000 people complaining, but we're fine." Anyway, the Foreign Secretary Liz Truss said it would, you know, this cyber force would confront aggressive behavior from malign actors and demonstrate that Britain is still investing in next generation defense capabilities.
GRAHAM CLULEY
How are they going to do that then? How are they going to do this? How are they going to—
CAROLE THERIAULT
Hire lots and lots of people.
GRAHAM CLULEY
Yeah, but what are these people going to do?
CAROLE THERIAULT
And then fight their adversaries with retaliatory action. Now that was really my question for you. How do you feel?
You know, we sit there all the time going, "Oh God, we really hate North Korea or Russia, China for doing all these attacks on us. You know what we do have to do?
We do exactly the same thing back to them." It kind of feels a bit— I'm happy with them investing in defenses, but retaliatory actions, what do we have to gain from that other than headaches?
GRAHAM CLULEY
So I think we're all agreed that there's a big problem with malware and hackers taking down critical infrastructure, right? If they're able to do that.
So the ransomware attack which forced Colonial Pipeline to shut down the pipeline on the East Coast of the States, big problem.
WannaCry ransomware, which hit the British NHS, big problem. But something like that, like WannaCry, it's not like you can attack a server and prevent the attack happening anymore.
It's just out there. One thing we know about malicious hackers is they don't use their own computers, so they will exploit other people's computers.
So we will then be launching an attack maybe against Belgium. We like them. We do, we love the Belgians. There's a lot of Belgian listeners.
CAROLE THERIAULT
Yeah, we do.
GRAHAM CLULEY
They've got delicious chocolates as well in Belgium and other things.
CAROLE THERIAULT
I saw my first chocolate boobs in Belgium.
CHRIS KIRSCH
So did they specify if the retaliatory action, I think you called it, is that a cyber response or a legal response or a kinetic response?
CAROLE THERIAULT
From what I'm reading, cyber response.
CHRIS KIRSCH
Cyber response. So hacking back.
CAROLE THERIAULT
So they are going to counter, you know, counter with cyber threats in some way.
And I just think you may, you know, as good as it sounds, you're just adding to the pile of shit we all have to deal with by doing this.
Now, if they mean we are going to be covert and pay attention to scams as they happen so that we can arrest them, right, that sounds good, you know.
But I think go back to Interpol, make sure you work internationally, you know, get some friends, because collaboration seems to work. That's what we need.
So anyway, yeah, there you go. That's what I think.
GRAHAM CLULEY
Who's going to want to live in Lancashire?
CAROLE THERIAULT
I don't know, anyone who wants a job in cyber, it seems. I think a few hundred will be going soon.
GRAHAM CLULEY
But all you've said is that there's a nice town hall or something to go to. It's like, you know, also Cyberforce. Do they have a multiplex?
CAROLE THERIAULT
Maybe they'll have a helipad.
Cyberforce.
CHRIS KIRSCH
Maybe they just have really good real estate rates compared to London.
CAROLE THERIAULT
Top real estate tip from Chris. Let's all get on the Salisbury real estate market.
GRAHAM CLULEY
For the last 15 years, the great team at 1Password have been helping folks stay protected, private, and productive, whether they use 1Password or not.
And now, with the launch of 1Password University, they've used their expertise to create fun, dynamic, and free learning resources for people of all skill levels.
Learn how to make the most of your 1Password account's features, find out how to build a culture of security in your workplace, or discover why reusing the same password across multiple accounts puts you at risk.
Broaden your knowledge, starting with the basic building blocks of security. Learn at your own pace and discover the tools and tactics that will help keep you safe on the internet.
Whether you're a business leader looking to create a culture of security in the workplace, or you're a user trying to understand why you need a unique password for each account, 1Password University's free courses have got something for you.
Go check them out right now. Try 1Password University for free at www.1password.university. That's www.1password.university.
CAROLE THERIAULT
Listeners, it is time to get serious about preventing and detecting credential abuse, privilege escalation, and entitlement exposures.
My friends over at Attivo Networks have tackled this challenge, and I want to share how it works.
The Attivo Identity Visibility Bundle finds exposed admin credentials from the endpoint, conducts over 200 continuous checks on Active Directory, and identifies risky entitlement and over-provisioning in cloud environments.
The Attivo Identity Detection Bundle cloaks production credentials and AD objects to hide and deny access, and deceives tools like BloodHound, steering the attacker into decoys for threat intelligence gathering.
If you want to learn more and kick credential attacks to the curb, go to attivonetworks.com. That's Attivo, A-T-T-I-V-O, networks.com.
And thanks to Attivo Networks for sponsoring the show.
GRAHAM CLULEY
And welcome back. Can you join us at our favorite part of the show? The part of the show that we like to call Pick of the Week.
CAROLE THERIAULT
Pick of the Week.
CHRIS KIRSCH
Pick of the Week. Is that my cue?
GRAHAM CLULEY
Pick of the Week is the part of the show where everyone chooses something they like.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish.
It doesn't have to be security-related necessarily.
CAROLE THERIAULT
Better not be.
GRAHAM CLULEY
Well, my Pick of the Week this week is not security-related. You'll be very pleased to hear.
I, like every other parent, am sick to the back teeth of children playing ruddy video games. Yes, they can do it for a little bit. But stop doing it quite so much.
Stop watching YouTube quite as much. It's all got out of control.
CAROLE THERIAULT
If you were a kid now, would you not be trying to play computer games 24/7? Of course.
GRAHAM CLULEY
Which is why I am going to propose an alternative.
Which is that you should be playing board games.
CAROLE THERIAULT
Yeah, yeah. We've done this for about four weeks, haven't we? Yeah, yeah, yeah.
GRAHAM CLULEY
We talk about board games, but now I'm going to give you the ultimate resource for finding the best board game for your horrible child to play.
CHRIS KIRSCH
That's awesome, Graham, because when your house gets hit by ransomware, you have something offline to do, right?
GRAHAM CLULEY
Exactly. We'll be doing it by candlelight as well.
CAROLE THERIAULT
Yeah. Take that, Facebook.
GRAHAM CLULEY
So I would recommend you go to the website boardgamegeek.com, which lists thousands and thousands of board games. You can search in all manner of ways.
The vast number of different types of board game which are out there, from strategy to adventure to kinetic games to everything imaginable for all ages.
You can filter it based upon how many people are likely to be playing, the age group. It's a tremendous resource.
It links to reviews, it links to videos where you can see a demo of the game in action, and I've used it in a number of ways.
I've both found brand new games and read people's recommendations of things I want to buy, but I've also found some games where I had played them in my childhood and forgotten them or forgotten their name.
I could just vaguely remember, oh, it had something to do with marbles and it sort of looked like this.
And then being able to find it via BoardGameGeek and then go and buy it on eBay, an old version of it, to try and entertain my son with it. So—
CAROLE THERIAULT
How's that working out?
GRAHAM CLULEY
Very, very well indeed. It's not as though he's been playing Red Dead Redemption 2 for the last 18 hours solid. But every now and then I say, let's play a board game.
He goes, oh yeah, let's do it. You know, he's quite excited by it. And I think kids actually enjoy this sort of thing.
So go to boardgamegeek.com and why not drop me a line with what you think are your favorite board games. And maybe I will check some of those out as well.
And that is my pick of the week. Board Game Geek.
CHRIS KIRSCH
Graham, I think there is a slight flaw in your plan. So if you've been ransomwared and you can't get online, how are you going to check out BoardGameGeek.com?
And how are you going to order that game online?
GRAHAM CLULEY
Yeah, Graham.
GRAHAM CLULEY
Damn! Chris, what's your pick of the week?
CHRIS KIRSCH
All right, Graham.
I Expect You to Die.
And Carole, I Expect You to Die Too.
GRAHAM CLULEY
Oh, you're not a very cheerful person, Chris, can I say? For the first time on your show, it's all been misery.
CHRIS KIRSCH
I get it. I'm off the show. I'm off the show.
CAROLE THERIAULT
You know, we do like to do a bit of comedy on this.
GRAHAM CLULEY
A little bit. You know.
CHRIS KIRSCH
So these are the names of the game and its sequel that I picked for you this week.
So I got the Oculus Quest 2 for my birthday. It's a fun little VR headset that's, you know, I understand quite affordable compared to some of the other VR headset options out there.
GRAHAM CLULEY
So this is a virtual reality thing which you wear like a pair of goggles?
CHRIS KIRSCH
Exactly. It looks completely ridiculous.
GRAHAM CLULEY
And you turn into the Lawnmower Man. You're in that movie with Pierce Brosnan, right?
CHRIS KIRSCH
Exactly. I look like the Lawnmower Man. My husband actually mows the lawn.
So yeah, and so I'm not a huge gamer normally because, you know, when I play ego shooters and especially if it's an online multiplayer game, my life expectancy is about 3.5 seconds when playing against, you know, teens.
And so I love the puzzle games, right? Not as in pieces of puzzles, but more like, you know, escape room kind of things, right?
CAROLE THERIAULT
Yes, me too. I like it.
CHRIS KIRSCH
And so this game is called I Expect You to Die and the sequel, which is I Expect You to Die 2.
The best way to describe it, I think, is a 007-style cartoonish tongue-in-cheek kind of escape room game that you play by yourself.
And so you find yourself on a mission and you're placed in a submarine or a spaceship or a plane, a train, a villain's lair, and you have to try and get out.
And you really have the two controllers of your VR headsets in your hands.
So you essentially reach for things with your hands and you see your hands in VR and have to open boxes and push buttons and flip things over and those kinds of things.
And you have to try and escape all of the lasers and poison gas and assassins and explosives and things that are trying to kill you. So it's really good fun.
And so each time you actually get out of one situation, you graduate up a level and you get to the next situation. And so on. So it's a ton of fun, really well made.
I think it's available on other platforms too, but that's just the one that I play it on. And it really kept me hooked until 2 AM, which I usually don't get hooked on games.
I play them for a little bit and then get bored and put them aside. But this one was a ton of fun.
GRAHAM CLULEY
Don't you, wouldn't you feel a bit nauseous, you know, wearing VR goggles and motion sickness?
CHRIS KIRSCH
Yeah, on this one, not so much. I think it depends a lot. I don't get motion sickness easily, and this game specifically, you play sitting down.
CAROLE THERIAULT
Okay, thank God. I was just thinking of Graham, right? Because, you know, he'd come back with a broken arm, a black eye. He'd have a war with the broom or something.
CHRIS KIRSCH
Yeah, it is a little bit challenging to take a sip of your beer or whiskey or something on the side because you've got the thing in your face, right? So maybe straws are in order.
But yeah, there are other games that you do play standing up.
So for those, I sometimes feel a little bit queasy, especially if you're walking up the stairs, because your body is — your brain says you're moving up the stairs, but your body doesn't.
And that's really strange. Moving around is okay, makes me a little bit queasy, but moving up and down stairs is really strange.
CAROLE THERIAULT
I suspect it's crazy for the body.
GRAHAM CLULEY
The fact that you're disconnecting what you see and what your brain's interpreting and what actions you take.
Chris, I really appreciate that you've basically completely undermined my pick of the week, where I was trying to get people away from video games by giving them an even more immersive video game, a virtual reality one.
That's just great.
CAROLE THERIAULT
Is it good for kids, Chris?
CHRIS KIRSCH
I think this game is actually very good for kids because it's cartoonish. It's not too brutal, right? I think it's—
CAROLE THERIAULT
I expect you to die.
GRAHAM CLULEY
No, Mr. Bond, I expect you to die. Yes, I do. Carole, what's your pick of the week?
CAROLE THERIAULT
So my pick of the week this week is a show on Netflix, a short series if you will, called Midnight Mass.
So this is an American supernatural horror miniseries, okay, created by Mike Flanagan and has a star that I had to mention, okay, Henry Thomas.
Do you know who that — we haven't seen him since, well, I haven't seen him since the '80s.
GRAHAM CLULEY
Oh, what was he?
CAROLE THERIAULT
He's of E.T. fame.
GRAHAM CLULEY
Oh, I thought I recognised him.
CAROLE THERIAULT
He was Elliott.
And he is the dad of our main protagonist in this series, Midnight Mass.
Now, the plot centres on an island, an isolated island, small community, and supernatural events start to happen after the arrival of a new and, I don't know, quite engaging priest.
Now, this was just released September 24th, 2021. Now, okay, I've got some good and bad, right? The good, the plot's really interesting.
It has a really fresh take on a known horror genre, so I thought, oh, that's clever, that's interesting.
And also it had some good surprises where you're, whoa, didn't see that coming. So there's a lot of that, which I quite enjoy.
The not so good is there's a lot of soliloquies, rather than sparky conversations. So a character will suddenly start rabbiting on for five minutes about something.
GRAHAM CLULEY
Well, they turn to the camera dramatically, Shakespearean style.
CAROLE THERIAULT
No, no, no, they're talking to their characters.
CHRIS KIRSCH
A little bit like Graham?
CAROLE THERIAULT
Yeah, a bit like Graham, but just go on and on and on, right? And I just—
GRAHAM CLULEY
So let me just make a note. Chris Kirsch never coming back again.
CHRIS KIRSCH
I thought that was already decided, so I can go all out.
CAROLE THERIAULT
Don't you worry, I've got your back, Mr. Chris. Now, I tuned out on these, but luckily my hubs didn't, so I got the gist in a much shorter, more interesting format.
CHRIS KIRSCH
So how much horror is it? How bad is it? Because I'm really cringy, you know, turning off the TV.
CAROLE THERIAULT
I think you've got eyelids, right? So that's what I always tell everybody. I think watch it.
And when it gets too gross, you either just close your eyes and just tell whoever's watching it with you going, what happened? What happened? What's happening?
CHRIS KIRSCH
Yeah, I don't have a problem with gore and gross. I have a problem with supernatural things. It's really strange because my rational brain says this is completely irrational.
It's not going to happen. Right. I can watch a movie about some robber coming in and killing everybody.
And it doesn't faze me because I have the feeling, you know, this is overconfidence bias. I think that at least I could have options there, right, of what I could do.
But the supernatural stuff, even though my brain says it's irrational, I don't know what I could do to protect myself, if that makes sense.
CAROLE THERIAULT
Yeah, maybe this one isn't for you. I think that's probably the central question is like—
GRAHAM CLULEY
Just brandish a carrot. Brandish a carrot or some other vegetable. Make— imagine that there's some supernatural way of warding off supernatural threats. Oh, that's clever, Graham.
An egg whisk. If you just tell yourself that works, think, oh, this isn't anything to worry about.
CAROLE THERIAULT
Explains the Daleks, right? With the whisks.
GRAHAM CLULEY
That's— well, yeah. Yeah, sink plunger.
CAROLE THERIAULT
So anyway, Chris aside, right, I think this might be a perfect thing for a Friday night, you know, date of pizza and Netflix. And I say you can chill during the soliloquies.
So there you go. That is Midnight Mass on Netflix. And it just came out. So it's brand new. So probably most of you haven't seen it. That's my pick of the week.
GRAHAM CLULEY
Tremendous. Now, Carole, before we wrap up, I believe we've got a featured interview this week, haven't we?
CAROLE THERIAULT
Yes, we are now going to listen to Carolyn Crandall from Attivo Networks, all about identity security. Take a listen. So welcome, Carolyn Crandall.
CAROLYN CRANDALL
Carolyn Crandall. It is awesome to be here. Thanks for having me on your show.
CAROLE THERIAULT
So listeners, Carolyn Crandall is the Chief Security Advocate at Attivo Networks. I would love actually to start with your background, if you wouldn't mind.
CAROLYN CRANDALL
Yeah, yeah. Well, it's been a journey. So for myself, I've been in the high-tech industry for a little over a mumble mumble 30 years or so now.
And it's been fascinating all the way back from when we were trying to figure out how to not have sneakernets to actually network-connected devices to now a world exploding with IoT devices and other things.
My entrée with this particular company and what I do here was really an opportunity to take a look at cybersecurity, how systems were being protected, and realizing that there was a massive gap for detecting in-network activity.
And this company had a really interesting approach by using deception, cyber deception technology to do it.
So I knew the CEO from before, and I thought this is a fantastic opportunity to kind of shake things up a little bit and do something different.
And so that's when I came on to the company. I've been here for about 6+ years now. So it's been a very fun ride.
Watching how things have even changed over the last few years in cyber. Attivo's been on the Deloitte Fast 500 the last 3 years that we submitted in, and it's been a fun ride.
CAROLE THERIAULT
Now, we want to get into the weeds a little bit. Maybe we can start with identity security. So say you had a typical business owner, right?
Maybe a CEO who doesn't mainline tech and cyber. How would you describe identity security to them?
CAROLYN CRANDALL
Right. Yeah, it's a great question. Actually, I was talking to a friend who was a CISO of mine yesterday.
We kind of boiled it down and it's like a lot of people are going, "Identity?" But it nets out to identities as far as me as an individual, my user ID, my password.
But when I start to talk about that, people think about consumer identities, right? It's my information, my account I bank with, my credit cards in.
What we wanted to do was to separate it.
So you start to pull apart this big word of identity and you go, "Okay, well, what is that?" Most people are familiar with it from the sense of identity and access management systems, and they may have heard of things like IAM or privileged access management or IGA, and those are the technologies that really focus on provisioning, connecting, and controlling identities.
But what's been left out in this is the whole aspect of identity security, which is, well, who protects the credentials? Who protects the systems that manage those things?
And so there's a whole new aspect of identity security that's emerging this year that's comprised of really two aspects of it. One is the visibility.
So how do you know when things are exposed and vulnerable that you need to go clean up? And then the second side of it is detection.
How do you detect when there's a live attack using misused credentials or attacks on an Active Directory system?
And now when you move into the cloud too, this whole thing of cloud entitlements with all the non-human identities, which has just exploded the amount of things that people have to understand and manage.
And so of that, you've started to come up with visibility and identity detection response solutions that even though we've talked about identities, we've never really talked about identity security and what can be done here.
And so that's a big initiative. I think it falls under the identity-first umbrella that the Gartner folks have been pushing.
And it makes a lot of sense because it's a gap that sat between EDR systems, right, on the endpoint. So they protect a bunch of things, but not the credentials and the privileges.
And the IAM systems that, you know, again, protect and making sure that you get access, but they don't actually secure the credentials and those systems that manage them.
So that's kind of the dynamic that we've seen in this last year and what Attivo as a company is really focused on so that we can help people address that pain point.
CAROLE THERIAULT
When a company approaches you, what typically are the main pain points that they would cite?
What are things that they are worried about and they say, look, we really need your help, Attivo Networks, this is a problem?
CAROLYN CRANDALL
Well, credentials always come up first. I want to know what credentials are exposed on my local endpoints. Like, so for example, do I have any administrator credentials?
Lots of problems, especially with transient workforces, of credentials that are being left out there, just orphaned out on the endpoints, and the ability to see those things.
Can anybody go from that endpoint and get access to my domain controllers, right?
So everybody knows you lose domain control and that becomes a big problem and a big mess to have to clean up.
And so the first thing we have is, hey, give me some visibility so that at least I can go clean up the credentials on the endpoint.
But then as you start to get into the folks that are a little bit more sophisticated with it, they're going, hey, well, where does the attacker want to go?
And they want to go straight into Active Directory and they want to gain that domain control. And it was really interesting. I was listening to a webinar the other day.
It was from Mandiant, and Nick Bennett, who's one of the VPs over there, was talking about it. And the question that I loved is, why does ransomware keep happening?
And the thing that they found is the most common issue was the misconfigurations and vulnerabilities related to Active Directory. And I thought, okay, major, massive problem.
It's the keys to the kingdom. You take it over, you can change security processes. You can download mass amounts of malware so you can lock up the systems and encrypt them.
You can do a lot of damage. And so I think, and a lot of people say, well, I can't really secure Active Directory because what it does is it gives me access.
But you have to figure out a way of being able to detect when somebody is doing things to Active Directory that they shouldn't, mass account changes or password spray attack or some of the other things that they may do in order to change things and give themselves access and control.
And quite honestly, before this year, there really wasn't good technology to be able to see that.
And so our conversations have shifted from, hey, let's look at the exposures on the endpoint, to let's look at the most valuable thing that they're going after for access and privileges, and that's AD.
And let's do that.
CAROLE THERIAULT
I bet people come and speak with you and then sometimes you might go, well, let's go take a look and let's get full visibility and see what's going on.
And then you can show them and they'll go, oh my God, I had no idea. So I bet they're not even aware of some of the things that they really ought to be aware of.
CAROLYN CRANDALL
Yeah, yeah. No, it's a great point because we actually run a free assessment for anybody. You can just go to our website and fill out the form and it'll get set up for you.
But we've had people that are, "We just did our audits last week, you're not going to find a thing." But because we can do over 200 checks and look for 70 different vulnerabilities, and we can look for these live attacks, we go so much further than a human can do in the time that they're generally given, that you're always going to find new things.
It's the new diagnostic equipment that you can hook up and test your cars.
You can have a mechanic walk around the car and look at a bunch of things, but there's only so far they can go.
This stuff goes really deep, and it's all automated, and it does the correlation.
So all of a sudden, not only do you have data, but you've got dots that are connected, and it becomes very powerful. So you are absolutely right.
There are a lot of surprises, and we've actually had meetings that have been stopped going, "We need to go take care of something right now" because they realize that that's a very vulnerable situation.
And it's hard. Everybody's running hard and working hard, but misconfigurations happen. And attackers are stealthy. They're going to change things to hide their tracks.
And we look for those activities and the techniques that they're using to go, "Uh-uh, we see what you're doing." And we're going to tell the defenders about that activity so they can go and drive the remediation.
As I mentioned before, you start to open that up in the cloud and you get people that are replicating their AD environments in the cloud and then turning on all those non-human entities, and you have a multifold of different relationships that are getting set up.
And because of the complexity, all these group policies are getting set up, and we all know what happens there, right?
Is you lose track of when one person gets in one group that gets connected to another and another, and you just can't keep up.
You can't see, and all of a sudden you have, I think the number is 95% of the entitlements that are given are not used, right?
So, you've got this massive overprovisioning, which equals a much bigger risk than you intended to take.
CAROLE THERIAULT
Do you find there's a lot of companies out there that aren't very good at spring cleaning all their permissions and they're lying around dust bunnies across the networks?
CAROLYN CRANDALL
Yeah, it's the fact that even if you do spring cleaning, the attackers are not waiting till, you know, that's a good point. You know, they're in there all the time.
And even if you did your spring cleaning, it's summer now, and now they're going to go and look for other things. So you really need that continuous and real-time visibility.
So I love periodic audits, I love pen tests.
I think those are all really valuable parts of your strategy.
But wouldn't it be great, you come in and you have your cup of coffee, you sit down, you get your dashboard up, and it tells you where your low, medium, and high exposures are.
It tells you if things are problems at your computer, your user, your domain level, and you've got it all in front of you in that morning.
So now you can also kind of dole it out and go, "Okay, I want my experts working on the high severity stuff."
At least now I've got a list too where I can give to other members of the team and say, "Hey, can you guys go work on this?" The tools are so sophisticated now that you also get all of the information that you'd normally send a researcher to go do, right?
You know, what is this? What do we know about it? How do we address it?
And the reporting is pretty slick on this stuff, right? You know, it tells you CVEs, MITRE mappings. It tells you what you need to do in order to write the scripts and fix things.
And, you know, a sneak peek into roadmap stuff is that automation, full automation with scripts, is coming, but right now most people still want to look at it, and it's all there to write them pretty quick.
CAROLE THERIAULT
Okay, so say we have some company owners out there from companies that are thinking, this is exactly what we need, but I don't have the language even to understand, to operate this myself.
I need to get someone to help me do that. What kind of skill set are they looking for? What kind of manager will be running this at an optimum level?
CAROLYN CRANDALL
It's really not hard. I always look at these things like an iPhone. There's a lot of sophistication inside of the phone, but you don't see it.
You don't have to know how all the apps and everything work in the background.
You just have to be able to use it.
I think from a user standpoint that any security professional that is involved in incident response and remediation of things will recognize everything that sits inside of this information and will be given information that they can follow and know what to do.
I can't replace security training, so you need some base security training to know what's going on.
But once you have that, to be able to make this very actionable, that comes in and makes it very easy for people to respond.
And again, different levels of dashboards, and so you can use many times, you know, a simple or an advanced dashboard for some of the findings.
And when we look at the sophistication of things, you know, if I'm looking at an Active Directory attack, depending upon what level I want to go to, maybe I just want to see if they're querying Active Directory and they shouldn't be, and maybe I'll feed them back some deceptive information that redirects them into a decoy.
Now, once you've decided if you want to watch that engagement, you might have a little bit more senior person get involved in tracking and analysis so you can pick up that counterintelligence about what the attacker is doing to you, to your company, you know, there.
But the other stuff is pretty simple.
I don't think we've ever had anybody add a person to operate any of the Attivo technology.
Generally, people say maybe 15 minutes, you know, once a week you might want to go in and look at it.
Some people look at it more often if there are bigger environments, but it's pretty simple and not terribly time-consuming.
CAROLE THERIAULT
I think it's a perfect analogy because I was thinking about my car. If I had to know everything about how my car worked in order to drive, I never would have driven.
I was going to say, if someone wants to learn more, what steps would they take? Can they go to the Attivo Networks website?
Or is there special places you'd advise them to take a look?
CAROLYN CRANDALL
Yeah, I mean, there's a bunch of information out, not only on the Attivo website, which I would highly recommend you go take a look at.
So you can go in and you can look at things either by solutions, like maybe you're concerned about ransomware and you want to look at our, not only visibility for how people could maybe take over and download that ransomware, but also, there's some cool cloaking technology.
So for the Trekkie fans that are out there, you can hide and deny access to the data they're looking for, the credentials they're looking for, the AD objects.
They can't see anything, and of course, you can decoy the environment so you're feeding back fake information so they think they're progressing, which we love because it totally messes with their tools.
It's so awesome because it looks real and they're just steered off the path.
CAROLE THERIAULT
Fabulous. Is there anything else that you'd like to add before we close this amazingly interesting interview?
CAROLYN CRANDALL
Yeah.
I think that identity security needs to be a priority for both small and large organizations because you've got to protect your credentials and you need to do that locally at your endpoints.
You need to protect your Active Directory and everybody's moving to the cloud in a multi-cloud way.
So you've got to get your arms wrapped around entitlement visibility before it takes you over. And it will, because it is very complex.
So the tools that are out there to do that make it super simple, make it integrated for complete viewing. So take a look.
It's new stuff that you probably have not seen before, so again, judge with your own eyes, but I would encourage you at least to understand what you can do that you weren't able to do before.
CAROLE THERIAULT
Absolutely brilliant. Carolyn Crandall, Chief Security Advocate at Attivo Networks, thank you so much for coming on the show.
GRAHAM CLULEY
Tremendous. Well, that really does wrap up the show for this week. Chris, thank you so much for coming on. I'm sure lots of our listeners would love to follow you online.
What's the best way for folks to do that?
CHRIS KIRSCH
So on Twitter, I'm Chris_Kirsch. That's K-I-R-S-C-H. And you can also find me on LinkedIn.
And the website of the company is rumble.run, where you can download a private version or a personal version of the Rumble asset inventory, and you can run it on your home network if you're geekily inclined.
That can be a ton of fun to see what you have connected that you are not expecting.
And it's completely free and unlimited in terms of time, just in terms of number of devices that you're likely to have on your network.
GRAHAM CLULEY
And you can follow us on Twitter @SmashinSecurity. Smashin, no G. Twitter won't allow us to have a G. And we've also got a Smashing Security subreddit.
And don't forget to ensure you never miss another episode. Follow Smashing Security in your favorite podcast apps such as Apple Podcasts, Spotify, and Google Podcasts.
CHRIS KIRSCH
We should all pitch in to get Graham a GoFundMe page to buy another G, I think.
CAROLE THERIAULT
And thanks to this episode's sponsors, 1Password and Attivo Networks, and to our wonderful Patreon community. It's thanks to them all that this show is free.
For episode show notes, sponsorship information, guest lists, and the entire back catalog of more than 245 episodes, check out smashingsecurity.com.
GRAHAM CLULEY
Until next time, cheerio. Bye-bye.
CAROLE THERIAULT
Bye. Goodbye. Thanks, Chris.
GRAHAM CLULEY
Thanks, Chris.
CHRIS KIRSCH
Okay, thank you. Too bad I'm off the next show.
CAROLE THERIAULT
You know what, I have to say, I think your segment was longer than Graham's.
CHRIS KIRSCH
Yes, I know. That's why I said I'm going to be more concise than Graham.
GRAHAM CLULEY
Never mind the length, feel the quality. That's what I say.