https://cisoseries.com/i-pity-the-fool-who-builds-a-homogeneous-cyber-a-team/
If you want to build a successful cybersecurity team, you need to be diverse, mostly in thought. But that diversity in thought usually is the result of people with diverse backgrounds who have had different experiences and have solved problems differently. It’s actually really hard to hire a diverse team because what people want to do is simply hire people who look, talk, and sound like them. People who come from the same background as you. While that may work for building friends, it’s not necessarily the best solution when building a team to secure your company.
This week’s episode is hosted by David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is George Finney (@wellawaresecure), CISO, Southern Methodist University and author of “Well Aware: The Nine Cybersecurity Habits to Protect Your Future” and “Project Zero Trust.”
And here’s George’s cybersecurity personality test.
Full transcript
[Voiceover] 10-second security tip, go!
[George Finney] Well, you probably heard the advice that an ounce prevention is worth a pound of cure. And studies have shown that a cyber security strategy focused on prevention is actually five to ten times less expensive than one that’s focused on being reactive. Which is why I think zero trust is so important. Because it’s a strategy for how to put prevention into practice.
[Voiceover] It’s time to begin the CISO Series Podcast.
[David Spark] Welcome to the CISO Series Podcast. My name is David Spark. I am the producer of the CISO Series. Joining me for this very episode is none other than Andy Ellis, who is the operating partner at YL Ventures. Andy, most people know you by the following sound you make with your voice.
[Andy Ellis] [Speaks foreign language 00:00:54] and welcome to 5783.
[David Spark] There you go. We’re jumping into a brand new year. We’re also available at CISOseries.com. I want to mention our sponsor is Feroot. So thrilled that Feroot has joined us. Secure your JavaScript web applications and web pages with automated security scanning, monitoring, and controls to stop cyber threats and protect customer data. That is Feroot. And more about Feroot later in the show. But first, Andy… Now, I know it’s pompous to say this. I want to have this moment in my life at some point where I say, “Do you know who I am?” And somebody quivers in their shoes.
[Andy Ellis] Why?
[David Spark] Have you ever had that moment where you go, “Do you know who I am?” And have someone go, “Oh my God, it’s Andy Ellis.”
[Andy Ellis] I’ve had people have the like, “Oh my God, it’s Andy Ellis,” but I never want to have it be that I have thrown that around. With the exception… I will admit that I did throw it around at RSA, literally at RSA many years ago when I started to yell at vendors who had booth babes.
[David Spark] Well, and they put the kibosh on the booth babes at RSA.
[Andy Ellis] Yeah, but I basically went around to every vendor that had one, and I would ask to speak to their marketing manager. I’d tell them who I was, and I’d say, “Just so you know, I’m going to tell people not to use your product until you solve this problem.” That was the only time I’ve ever done it. I did because one of my staff members…when I said, “Look, there’s nothing I can do about the booth babe situation,” she said, “Do you have any idea how big your boots are? You can just go stomp with them.”
[David Spark] [Laughs] Well, first of all, I just think it’s funny that I could actually ever one day say, “Do you know who I am?” And somebody would actually react in the, “Oh, I’m scared. I must have done something wrong.” Because most people logically if they heard me say that, like, “Yeah, I know who you are. You’re a pompous jerk.”
[Laughter]
[Andy Ellis] Usually if anybody says, “Do you know who I am?” That is my answer is, “Oh, boy, you’re somebody who’s going to throw your weight around. I don’t care how much weight you’ve got. I’m just going to laugh at it now.”
[David Spark] The proper response if I ever were to say that is to truly laugh at me. But it would be fun if someone actually did react like, “God…” It’s never going to happen.
[Andy Ellis] Probably not.
[David Spark] Let me introduce our guest, who we’ve had on before. And it just dawned on me we had him on before. He came to promote his book. And guess what? He’s got a brand new book, and we’re going to promote it here as well.
[Andy Ellis] How many books is he going to publish before mine gets published?
[David Spark] Oh, that’s a good question. We can bring that up in the show. He is the CISO over at Southern Methodist University and also the author of the brand new book, “Project Zero Trust,” which will be physically available one week from this episode dropping. But you can go onto Amazon and you can preorder it. So, essentially they’ll start shipping it a week after you start ordering it if you order it the day this episode dropped.
[Andy Ellis] Which you should unless you’re at services, celebrating Rosh Hashanah. In which case, order it tomorrow.
[David Spark] There you go.
[Andy Ellis] Which I guess is today when you’re listening to it.
[David Spark] Good point. I should say this gentleman’s name so you can actually look up his name and make sure you’re getting the right book. His name is George Finney. George, thank you so much for joining us.
[George Finney] Thank you so much for having me. It’s a pleasure to be back.
Why is everyone talking about this now?
4:14.318
[David Spark] “Why are there so many vCISCOs who have never been a CISO? Isn’t it difficult to advise on a role you’ve never done?” asked Michael Meiss, who is an associate CISO at the University of Kansas Health System. This drove a huge debate. Justin P. of Rapid7 responded, “This is kind of like saying, ‘Why are there so many CISOs who have never been a CISO before?’ You got to start somewhere.” Okay, can you be a vCISO if you’re not a CISO first? And if you’re a vCISO without ever being a CISO, are you just a cyber security consultant? Andy?
[Andy Ellis] Well, I think all CISOs are functionally cyber security consultants, so we could just extend that. I think it helps to understand what a vCISO is, and I think there’s a lot of different descriptions of a vCISO. If you think that what a vCISO is is, “Oh my goodness, I got myself in too deep. I need a CISO, and I can’t afford the time to go get one. I need someone to come in right now and fill those shoes,” then yeah, that person ought to have a long history of doing the come in and transformational CISO role, which there are people who just specialize in doing that. they’ve never been long-term CISOs, and that’s okay. But if this is your first CISO gig, yeah, it’s kind of awkward to say, “Oh, I’m a vCISO,” when what I really am is I’m a cyber security consultant who comes in and recommends you do a few things and then punches out. If you don’t own the transformation, I don’t think you’re a CISO or a vCISO.
[David Spark] Own the transformation. Do you agree, George? And if so, what would you add to that?
[George Finney] I love that distinction. A vCISO role I think is different from a CISO role. Many of the folks that I’ve talked to that are vCISOs today, even if they’ve been CISOs in the past, they’re expected to upsell their clients on additional tools or services. Their compensation is at least based partly on commission. There are other differences. You may not actually be managing a team like you would as a CISO. You’re not necessarily building relationships inside the organization like you might otherwise be because you’re not there every day. That’s not to talk bad about vCISOs. I know a lot of great CISOs out there who have had years of experience, and they’ve chosen to take on the vCISO role just as a great way of getting experience in a lot of different industries. Myself, I’ve been in higher ed my whole career. I think about that. we all have imposter syndrome to some extent. I think it’s really a great learning opportunity for folks like me who are interested in moving around, but the reality is that there aren’t enough CISOs out there to meet the need. We’ve got to do more to prepare the next generation of CISOs to be able to accomplish more and hit the ground running.
[David Spark] Okay, so that brings up an interesting point because this was very much kind of a slamming the vCISO role. We have to welcome this role a little bit more. Agree or disagree, Andy?
[Andy Ellis] I think that, again, it comes down to what is the vCISO. So, to me, it’s a marketing term. But if you aren’t reporting to the executive management, probably you shouldn’t have CISO in your title. If what you’re doing is what George just described, “Oh, I’m coming in. I’m helping you build the security program, buy a bunch of tools. There’s somebody that I work for who’s doing all of the interesting executive management, and blocking and tackling,” I think you are. You’re a systems integrator. Fantastic work. Really respect folks doing that. But I can see why that creates tension when people say, “But you’re not doing any of the things that make the CISO role different than a consultant who’s filling in for a director of security.”
[George Finney] Well, I think if I were a vCISO out there, especially if I were a brand new vCISO, if there’s not a lot of mentoring, if there aren’t experienced CISOs at the helm of that organization, if they don’t have a development program for me, a green vCISO might just be running by trial and error. There’s a lot of risk there that you’re developing long-term bad habits that might actually hurt your clients long-term. So, I think it really depends on the organization that’s offering the services.
More bad security advice.
8:27.783
[David Spark] “Is it viable to set up an attacking honeypot that punishes the attempted intruder,” asked a Redditor on the cyber security subreddit. They were suggesting dropping malware on those attackers who come into the honeypot. The overwhelming response from the Reddit community was a big, fat no. It falls under hacking back. And often you’re attacking the innocent bystander whose computer has been compromised in the attack. But one person suggested a gray area – idea of leaving attractive files loaded with honey tokens. This would turn the attackers into beacons, always revealing their location even if they change their IP address. I’ll start with you, George, on this. Is this viable? And outside of just wasting attackers’ time, what are some of the creative uses of honeypots most users do not consider?
[George Finney] I am a huge proponent of deception technology just in general. I think this is the next big thing that can really help cyber teams out. Those tools are relatively inexpensive compared to some other tools that are out there that are not six-figure tools generally speaking, so you can get into them.
[David Spark] By the way, I should say this falls into the category of what you said in our opening tip under prevention.
[George Finney] Absolutely. So, I think most people out there, most security people anyway, are familiar with MITRE ATT&CK framework, but they’ve also just launched a new framework for defenders which they call the Engage Framework. The idea behind that is actually they want to have an active defense where we take the things we learn from the attack framework and then essentially create a storyboard for how we’re going to engage the attackers without actually hacking back. You don’t do that. But it turns out that there’s a lot we can do without actually dropping malware on systems. There’s this myth out there… I actually had an argument with a CIO at a large security vendor, and I think he reflected a lot of the myth out there that deception technologies attract unwanted attention to your organization.
But I came across a paper that was published I think in 2018 by the NSA where they hired red teamers to come into the network, and they actually deployed deception. When they told the attackers they were deploying deception, the bad guys spent less time in their environment when they used deception. So, similar to how putting up the home alarm sign on your house that you have an alarm system will actually have the criminal spend less time in your house. That effect was true even when they weren’t actually using deception, even when they just told the attacker that they had deception. Because they’re questioning whether their tools are working or set up right, they’re questioning their own ability. So, essentially you’re not necessarily hacking their systems, but you’re bringing that deception engagement to the attacker’s mind, which is really powerful. They spend less time on the network. Ultimately that’s a good thing. I think, gosh, we could deploy deception maybe much more comprehensively in the world and really reduce the effectiveness of our attackers.
[David Spark] Andy, are you as bullish on deception technology as George is, and what do you think of the concept of honey beacons?
[Andy Ellis] I think honey beacons or honey tokens is basically just tracking stuff that you put into software. Or not into software really. Into the documents. So, “Oh, look, I’ve got a Word doc that has an invisible tracking link inside it.” Fine, go ahead and do that. That’s not hacking, and you’re doing it to all of your things. So, everyone of your users is also using those callouts. So, just pay attention to the fact that for a beacon to be useful, everybody is going to be interacting with your beacon, which means you’ll be getting a lot of messages. I think when you think about deception, I think deception on its own is actually generally a bad idea. I see a lot of people who get enamored, and they’re like, “Oh, I’ll just use deception technology.” No, no, no, the deception technology is about hacking the adversary’s mindset. And so what you’re doing is you’re taking legitimate normal things, and you’re doing something slightly deceptive in them to cause the hacker to do something different. I’ll give an example. At one point we had a competitor who seemed to be really good at targeting our opportunities. We would get deep into a sales cycle, and then they would show up.
So, we were doing lots of things to try to figure out like where were they getting access to this. They couldn’t just be naturally showing up at all the right places. So, one of the many different things we did to try to figure out how they were getting access to our prospecting list is we put bogus prospect entries into our CRM system where there was no electronic trail of the decision to do so. It was all one verbally. Those phone numbers that were in there went to a private investigator who knew exactly what to say to pretend to be this company if that phone ever rang. If it did, we’d be like, “Okay, we know they’re in our CRM system somehow.” That phone never did. That wasn’t actually the way it played out. But literally I and the sales rep would get on a phone call every once in a while, and we’d be like, “Okay, let’s advance the opportunity to stage two.” And we had bogus domains set up so he could send invites to it just in case they’re watching our email system. All of this stuff. It’s a lot of work to do deception right, and so I don’t really recommend just saying, “Oh, I’m going to do that and be done.” You use it where you have a targeted reason to.
Sponsor – Feroot
14:00.908
[Steve Prentice] All companies want to provide a safe and secure environment for customer transactions. But in their efforts to safeguard the process, a significant component often gets overlooked. This is why Ivan Tsarynny created Feroot Security.
[Ivan Tsarynny] My name is Ivan Tsarynny, cofounder and CEO of Feroot Security. We help discover and secure the JavaScript supply chain and specifically the JavaScript supply chain that is executed on the client side of web applications or websites. Companies that operate their business through the website or web applications, they collect a lot of sensitive information through the user interfaces – passwords, social security numbers, financial health records, and so much more. Now most if not all of the security measures are targeted at the back end, not the front end of the web apps.
[Steve Prentice] Web apps, JavaScript libraries, CSS elements, they all have access to sensitive customer data.
[Ivan Tsarynny] App sec teams are trying to find now…they’re trying to proactively find those data leaks and incidents, and therefor they’re having a big problem because existing tools are always on the back end, not on the front end of web apps. We help app sec teams find and discover all the sensitive information, sensitive forms that exist throughout the user journeys. We help companies move into prevention mode.
[Steve Prentice] For more information, visit feroot.com.
It’s time to play, “What’s worse?”
15:31.004
[David Spark] All right, George, I know you’re familiar with this because you’ve played “what’s worse” before, but you haven’t played with Andy. I wanted to have two CISOs on for this one, so this will be appropriate, because it’s about vendor engagement. It comes from Jerich Beason, who’s the CISO of Commercial Bank at Capital One. He admits that both of these scenarios have happened to him. So, I want you to determine which one is worse. A new vendor that cold calls you at two in the morning, chasing a lead, or a new vendor that spoofs the number of someone you trust to cold call you but does it at a reasonable time of the day. Andy, which one is worse?
[Andy Ellis] Both of them are really bad for the vendor. I’m trying to decide on which level I want to answer this one. Because in the moment, what’s worse? Is them spoofing somebody who is a legitimate person that I trusted? Although that’s really easy. Because once I figure out who they are, I’m literally calling their CMO, and I’m saying, “Either fire this person because this is well beyond a breach of ethics or fire your entire marketing and lead generation team.” Because you have a problem somewhere, figure out where it is. Not my issue anymore.
[David Spark] By the way, this is the second time you’ve given…with the booth babes and this. So, have you done this multiple times? Like you’ve seen some vendor practice that was so offensive you contacted the sales director or CMO to say, “This has got to stop.”
[Andy Ellis] Oh, yeah. No, I actually had a company that decided that they would get me on Twitter where every lead gen, ADE, everybody starts tagging me on Twitter to get my attention.
[David Spark] It got your attention.
[Andy Ellis] It got my attention. It was like their sales kickoff, and it was social selling, when people started saying that. And they’re like, “Oh, let’s do this.” So, literally I would go, and I would look up the company. I’d find the CMO, the CEO, and I just start emailing and calling them. And I’m like, “I don’t know what the F is going on at your conference, but this has to stop right now.” So, in a sense I think crossing that ethical line is I think the what’s worse even though it gives me better remedy. You call me at two in the morning, I don’t feel like I can escalate. And so I just have to tell you to cut it out and go away. But I’m still going to go with it’s worse that I get the tool to go after your executives.
[David Spark] All right. So, George, where do you stand?
[George Finney] I know you hate this, but I’m going to have to agree with Andy. It’s actually happened to me before. I have a new CIO. My old CIO transitioned out a few years ago. And shortly after he left, I got a call from a spoof number. By the way, we gave the new CIO a new phone number so he wouldn’t get all these calls. They’re spoofing the old CIO… So, I see his name come up. I know it’s not a legit request. Absolutely I’ll never do business with that vendor again. Unfortunately I think for the vendor, it’s not necessarily even their sales staff. I assume from the way that the person calling…it’s just some telemarketing firm that they’ve outsourced these calls to that’s actually spoofing these numbers to get higher return rates. So, you’ve got to understand as a sales organization what your downstream partners are doing on your behalf that you may not know about. If all of their incentive is about the number of people they turn around or the number of people…
[David Spark] Because how much do they care about your brand?
[George Finney] Absolutely.
[Andy Ellis] And this is just in your own staff. I’ve talked to a lot of folks who do cold calling. One to three percent engagement rate is fantastic. They’re excited for that. And what I say to them is, “Hey, so that’s a 97 to 99% brand marketing opportunity that you’re not thinking about. Everybody who does not engage with you, you have nonetheless had a marketing experience with them. Was that a positive one or a negative one?” Because those totally outweigh the one to three percent who might have taken your call.
[David Spark] I should mention that the situation of the person calling you at two in the morning…given that everyone is literally all over the world and if you are cold calling, which people in general don’t like, it’s inevitable you’re going to get somebody at two in the morning.
[Andy Ellis] I’ve gotten that when I travel to Israel, and then people think I’m in the states. So, they call me at five PM, right as I’m about to be done, and it’s midnight. And I’m like, “Oh, come on. Don’t do this stuff to me.” Yeah. No, it absolutely happens.
[David Spark] Yeah, and there’s just no way to know.
[Andy Ellis] Right. Remember years ago they used to do this… It was Rapid7, I think, was calling people at like seven AM on their personal cell phones, and Jack Daniel threw a fit on Twitter about it.
[David Spark] Oh, I didn’t know this.
[Andy Ellis] Oh, yeah. No, it actually changed… So, Rapid7 reacted pretty well to it, I think. I seem to recall that everybody who chimed in and said, “Yeah, they did that to me, too,” the sales director at Rapid7 shipped them all a bottle of vodka as an apology.
[David Spark] [Laughs]
[Andy Ellis] Like, “I am so sorry. We’re going to fix this. Here, have a bottle of vodka.”
[David Spark] Well, that’s a good way of dealing with a little negative press.
Should you hire this person?
20:51.203
[David Spark] What are the personality types you need on your staff? We constantly talk about the need for diversity, but what we’re really talking about is the diversity of thought. When people have diverse backgrounds, they come to the table with diverse thinking. So, instead of having a discussion about diversity… I’ll start with you, George. Can you put labels on categories of different types of viewpoints that are valuable to you?
[George Finney] Funny you should ask. So, I think that there are a number of different personalities when it comes to cyber security, and I believe in this so much that I actually made an attempt to classify them using the nine cyber security habits I talked about in my last book, “Well Aware.” So, I’ve developed a free cyber security personality test that you can take on my website.
[David Spark] Aw, that’s cool.
[George Finney] It’s wellawaresecurity.com. Just click on the personality test. I’ve actually consulted with different groups, different teams, different companies on showing where their departments or where their teams can align their different cyber security habits with their objectives. So, when I created the test, I don’t ask a lot of technical questions about cyber security. It’s really all about your values when it comes to security, because people have different backgrounds. When I was a kid, my bike was stolen, and it really kind of affected the way I think about things. But I have a friend who was in a convenient store when it was being robbed. He has a very different perspective. I think as I’ve worked with some of my staff here at SMU, I’ll run into an obstacle. I’m thinking about how to overcome it, and it really helps me to understand that that person is approaching security from a different perspective. They still value security. They’ve just got other focuses that they’ve come to throughout their life. So, I think that’s really cool. But I’m not sure that I want people making hiring decisions based on my test. I just think that it can help teams collaborate better together when they know each other’s strengths.
[David Spark] Knowing strengths. All right, Andy, what are the cyber security personalities that you need?
[Andy Ellis] I don’t know. I’m only on question 13 of 22 on George’s website, so I don’t yet know where I am. I guess later in the episode I’ll come back and tell you if I’ve managed to finish it. So, I think it can be really dangerous to people labels on people. Those are great starting for conversations. Oh, yeah, you want to have a skeptic. But you don’t label somebody as being a skeptic. I’m a fan of “The Six Thinking Hats.” It’s a book. I forgot who actually wrote it, so I’ll apologize for not having that reference here. But at different times you’d have different roles. Like right now you’re supposed to be the cheerleader who says, “Oh, this is a great idea. Let’s figure out how we go do it.” But there’s somebody else in the room who has the deep analytical, “Hey, let’s just think through the consequences of this one.” So, I think when you’re talking about roles in that method then different people can fit into them.
I think what’s really important is when people bring sort of their inclinations for what they like to do as well as experience. Like, “I have been in this bad situation before. I understand it.” And when people do talk about diversity and they’re talking about diversity of skin or plumbing, a lot of times they are talking about, “Oh, it’s quite likely that you have different experiences which contributes to how you’re going to engage with something. Just because, yes, you came from a minority background, or you came from a poor background, or you’ve been stalked before so you’re more likely to pay attention to how this thing can be used for stalking.” And let’s just be very forthright. You’re more likely to have been stalked if you’re a woman than if you’re a man. Boom.
[David Spark] Yeah. Well, so is there a way that a candidate can express their thinking viewpoint to you so it could be an attractive seller? And should they bring that up? I would assume that’d be something in an interview. Like you ask someone like, “How would you address such a situation, or how would you think through this situation?” I’ll start with you, Andy, on this.
[Andy Ellis] Yeah. So, I think you have to be careful if you’re trying to come in and say, “Oh, I bring diversity of thought even though I don’t bring diversity of body.” Because that’s a landmine you’re going to step on. Depending who the interviewer is, either you get a pass, or you get an immediate fail. That said, I think you do want to talk about what you bring to an organization and more importantly how do you fit the existing team. So, if you’re a candidate who’s coming in and you think you bring a unique perspective, well, the first questions you should be asking are around what perspectives already exist. So, you can really riff off that and say, “Oh, hey, I’m talking to this person. Wow, you seem like you get really deeply analytical. One of the things that I’m really great at it is taking that analysis and putting it into language that we can communicate back to business partners in ways that they will understand.” That’s an experience that I bring to the table as being that translator. Or I can easily turn on the complete skeptic and tear design apart, but I don’t do that because I like tearing it apart. That’s just a capability that I can bring to the table. But I can also be the cheerleader, helping make it a better design.
[David Spark] George?
[George Finney] I think a lot about burnout when it comes to cyber security professionals.
[David Spark] We just recorded an episode on this very topic.
[George Finney] So, it’s been a hot topic lately, right? And I’m concerned, especially when we’re interviewing folks. We talk about their experiences with different technology or tools. When I talk to people who are coming in new to the cyber security industry or when I give advice to folks who are in the industry that want to make a decision, the first question I ask them is, “What do you like doing? What do you enjoy?” I think one of the things about my test where I’ll often have them take the free personality test… I want to help push them towards things that they enjoy doing, that they’re going to be able to last an entire career on.
Yeah, if you’re just making decisions about what makes the most money, what’s the next step in my career to increase the progression, you’re not going to be happy long-term. I think that’s really important when it comes to a career in cyber security. There’s so many interesting things that we do. I think you can have a rewarding career so long as it’s really aligning with your personality. A lot of college students are going around red teaming because it’s the sexy thing in cyber, but that might not be the best fit for everybody. And so helping guide people to places where they want to be I think is really important. And personality, we should embrace that. I think different people might have different roles that fit with them better based on who they are and what their values are.
Challenge accepted.
27:35.734
[David Spark] On the cyber security subreddit, a redditor asked, “For those of you who actually do pen testing or red teaming, what is the most interesting, novel, or otherwise memorable exploit or exploit chain you’ve used in the real world?” So, some of the answers from the redditors were, “External IP to remotely unlock doors in an office.” Another was highjacked camera had thermal imaging which allowed them to read pin codes and keyboard strokes. Another simulated deletion of a person’s entire hard drive, and payment terminal had a glitch that allowed them to approve the point of sales system to zero out orders. All right, I’ll start with you, Andy. What have you seen that’s been cool and novel?
[Andy Ellis] These are fun. I think some of my favorite ones were when you find somebody who’s not screen saved taking a screenshot of their desktop, making it into their background image, and then creating a folder, putting everything into that folder, and then hiding the folder so only the one by one pixel is visible in the very bottom right corner. So, they can’t click on anything on their desktop. That’s like a 30-year-old hack, but it was always fun. My favorite one for breaking is burning a piece of paper. For doors that have a PIR sensor that’s going to detect a human who’s sort of walking up, they’re looking for heat sources in motion. So, if you slide a piece of paper through the door, because it isn’t a tight seal… You have glass doors that sort of mostly close. But light it on fire, and slide it through the door, and wave it around, the door will open.
[David Spark] I don’t recommend lighting doors on fire though.
[Andy Ellis] You don’t light the door. You light the piece of paper on fire on the other side of the door.
[David Spark] But if the fire is inside, and it starts to catch something else, and you can’t get in…
[Andy Ellis] Well, it’s a good thing you’re already on the other side of the door, isn’t it?
[David Spark] But if you can’t get in, you’ve just committed arson, which is I think might be a bigger problem, Andy.
[Andy Ellis] It might be.
[Laughter]
[David Spark] George, what is the best, coolest exploits you’ve seen?
[George Finney] One of the fun things we do, we do password assessments. We’ll provide kind of caches of our passwords to an assessor, and we obfuscate them so the assessor doesn’t know the account that those passwords are associated with. Then they’ll run them through GPU crackers. And so they can help us find what the most commonly used passwords are specific to our environment to help us build the business case to increase password complexity, for example. It helps us better align our controls with what our users are actually doing. It helps us align our security awareness training to focus on common issues. But we’ve found when we did one of these that the assessors cracked like a 28-character long password. We were just blown away. Like how is this even possible. And what we realized is that they were able to crack the password because they customized the dictionary. But we’re a Methodist university, so they actually kind of took when they built their custom dictionary biblical quotes. And so someone had put a really long biblical quote as their password. Oh my gosh. So, yeah, that’s my fun story.
Closing
31:00.874
[David Spark] That’s a really interesting targeted attack. That’s pretty darn cool. Well, that brings us to the end of our show here, gentlemen. Thank you very much, George. Thank you very much, Andy. George, I’m going to let you have the last word here. I want you to plug away. But let me first plug away at your book. George is the author of a book called “Well Aware,” which is very available now, yes, George?
[George Finney] Yeah. So, your show came out before the book won the Book of the Year Award by Business Magazine for how kind of relatable it was for not just for security people but for business leaders. So, yeah, it did really well.
[David Spark] That is awesome. Hopefully this new book…the new book, which by the way, is entitled “Project Zero Trust…” If you haven’t heard it, security people, zero trust is kind of big in the news. Even Biden has heard about this, our president here in the United States. We will have a link to where you can get it over on Amazon and also a link to this personality assessor that you have, George, as well. The book is actually available on October 4th. This episode drops a few days beforehand, but you can preorder it beforehand. Now, before I get to you, Andy, I do want to mention our sponsor, Feroot. They are spelled Feroot.com. JavaScript web applications, which changes are you got them, you need some security around them. Check out Feroot.com for more on that. Thank you, Feroot, for being a brand new sponsor of the CISO Series. Andy, any last thoughts?
[Andy Ellis] I’m really excited to see a book that’s got “zero” because my book has a “one” in the number. So, I’m one above George. It’ll be “One Percent Leadership” in April, but you can’t preorder it yet.
[David Spark] Look at the way that you found the loosest thread to plug your own book. [Laughs]
[Andy Ellis] You should have zero trust in my ability not to find one.
[David Spark] My God. It really is. This is going to be the weakest transition we can…segue… There was a comedian by the name of John Hugashian [Phonetic 00:33:08] back in San Francisco, and he used to tell… He’d just tell jokes. And instead of doing segues from one joke to the other or finding a thread, he literally would say, “Segue,” and do the next joke. Always cracked me up.
[Andy Ellis] I love it. That’s a great little catchy… A nice way to just ride a little bit from one spot to another and try to keep your balance without having to worry too hard about it. So, just take your segue.
[David Spark] I love that. All right. George, go ahead. Tell us more about “Project Zero Trust.”
[George Finney] I wanted to write a book that was approachable to anyone in IT. And so I was kind of inspired by Gene Kim’s “The Phoenix Project” and the way that he tells a story.
[David Spark] Which is more focused on the dev ops culture.
[George Finney] Exactly. So, this “Project Zero Trust” tells the story of a fictional company that they’ve been ransomed. They’re digging themselves out of that ransom hole. But at the same time, their leadership creates a project for zero trust. And so the new guy coming in has to build a team that’s cross functional that involves help desk, sys admins, project managers, vendors, salespeople, all to come together to deliver on this mission of putting zero trust in place before their next big product release comes out. I got to collaborate… I’m good friends with John Kindervag. He lives here in Dallas. So, I use his methodology that he’s come up with and his zero trust security model along the way. So, it’s kind of integrated into the story itself. But it’s weird. A lot of the security people I talk to about zero trust actually get most of their information about zero trust from vendors or marketers. I think as an industry, we need to take back zero trust because it’s really the most affective strategy we have for protecting our organizations.
[David Spark] Excellent point. By the way, the last thing about getting it from vendors, vendors have become the educators now because we’re running a media site, and we’re trying to educate our community, but we can’t do everything. And we don’t have a mechanism to do sort of these deep dives in education that the media used to be able to do. I remember the early days of PC Magazine. I would love to read their sort of wrap ups on certain specific technologies. But actually vendors have stepped up to do just that. Now, obviously they’re going to be leaning more towards what their solution can handle, understandably. So, you have to kind of take all that with a grain of salt. George, thank you so much for joining us today. Andy, thank you so much as well. And thank you, audience. Please send in your questions. And also recommend… I’m always looking for good story based… It can be fiction or nonfiction. Not that many fiction based cyber security books out there. But I’m very interested in story based books in cyber security. Go ahead and recommend them. We’d love to hear them from you. Thank you very much for your contributions and listening to the CISO Series Podcast.
[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our virtual meet up, and Cyber Security Headline – Week in Review. This show thrives on your input. Go to the participate menu on our site for plenty of ways to get involved including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to the CISO Series podcast.