Carol Woodbury on Security Strategies and Best Practices
Charlie Guarino: Hi everybody. This is Charlie Guarino. Welcome to another edition of TechTalk SMB. I am so happy today to sit down and have a nice chat with the former IBM i security architect of IBM i and the current co-founder of DXR Security, a company that helps organizations change their IBM i security one step at a time. If you don’t know who that is by now, it is none other than Carol Woodbury. Carol, what a treat to have you in our discussion today.
Carol Woodbury: Thanks for having me Charlie, great pleasure.
Charlie: Always a pleasure to speak with you, Carol. I know, Carol, that we spoke a little bit before we started this podcast, but one thing that really struck me even just today, this morning, was I received yet another email just this morning from, I think it was, the king of some country telling me that I was the billion-dollar recipient of an entire empire, and that one I had—fortunately I had the smarts to not continue clicking on that one, but I’ll tell you, there are some that I’ve been getting more recently from seemingly very reputable companies, recognizable names, that, you know, if you didn’t look twice or didn’t look hard enough, I was convinced that I won gift cards or whatever the case is. Now I think I’m smart enough to not do that, but there are so many people who inadvertently or whatever get fooled and click on these things. What are you—is there a bigger rash of these going around right now?
Carol: Bigger—I don’t know if it’s a bigger rash or we’re just so hyper-focused on these these days, because it typically leads to, if you actually click on it, one of two things happening. Either you have given over your personal information like your social security number, or for the people up north, social insurance number, or they have somehow gained access to your system, like through credentials like your user ID and password, or worse—I guess this is three things—it downloads a payload and inserts malware onto your system. So I think a lot of it, there’s been phishing to try to get your personal information, but the whole experience of getting malware on your system is just exploding right now.
Charlie: And there’s such a very low cost of entry for them to do this. I mean I can’t imagine—you know, first of all, I don’t know how they get my name to begin with, but even beyond that, the cost of entry for them to do this seems very small, so they can send out very, very large swaths of these emails, probably, I mean I don’t even know, thousands, millions, I don’t even know what the number might be.
Carol: Yeah, they can do a very broad brush, and they’ve gotten your email from a variety of places. Either they know the naming convention of an organization, so if this came through your work email, they may have discovered or guessed, because everybody usually does a pretty easy naming convention for their users @whatever the organization name is, so it’s usually pretty easy to get valid names, or at some point in time that naming convention, that user ID, was stolen and put on the dark web for sale, so they’re just harvesting. They’ve purchased a mail—like a mailing list, you know, like the marketers do. They purchase a mailing list. They purchase an email list and they start going at it. You know the unfortunate thing? They are getting so sophisticated these days, and it’s really hard to know what’s legitimate and what isn’t. If you think of elderly people, this is why I am so adamant that people have to train their employees, and then those employees really need to train their family members, because think of your grandparents. You know, they get, oh, I’ve just been given an Amazon gift card, or oh yes, I will respond to the guy in Nigeria. He just needs $50 or $500 or whatever the price is, and I get that much back? Of course. And there’s a lot of people who fall for those scams, so it’s really unfortunate.
Charlie: So you mentioned educating your team members or your staff. I know that’s a big thing, but really, what comprises education? I do note there are some companies that actually will send out their own phishing emails to their own employees as a test once they’ve educated them, but what does education—what is that comprised of, typically?
Carol: Yeah, it really is kind of a three-pronged approach, so one is what you mentioned. There’s companies that will send out—you can either hire them to do it or you can actually purchase the software yourself, and they will send out those phishing emails to their employees, and when they do it, they typically start, and it’s like really obvious that it’s a phishing email, and then it will get harder and harder to detect. And so, you know, employees typically—the companies that sell the software encourage you to be encouraging to your employees and not, like, whack your employees or penalize them in some way, but what I’ve seen be effective is having contests between locations or divisions or departments to see who can get the lowest score, meaning the lowest click-through rates, right? So if you do click through, you typically get a link to some explanation of why this was a phishing email and point out the things that you need to look at to try to avoid it in the future. So there’s that, but as I was saying earlier, those emails are getting so sophisticated that it’s hard to detect. So there’s a couple of things you have to think about, and that’s if somebody does detect it, do they know what to do with that if it comes in their inbox? So I was just talking with a friend of mine, and she’s at a corporate level. She’s a very intelligent woman. She just got the recent email, and I’ve gotten it too, where they’re sending you a fax and it’s an attachment. Of course, if you open the attachment, then it’s probably going to download some sort of ransomware.
So she knew enough not to click on it, but she didn’t know what she was supposed to do about it or with it, so she, again, knew enough to contact their IT department, but they had actually put an email address in place that she should have just forwarded it to, but the organization hadn’t done a good enough job of educating not just their end users but even their executives to know what to do if they get some sort of suspicious email, right? So some organizations have hired an outside firm, and that outside firm has software that does a pretty good job of scanning the email to filter it to begin with, but of course all these new threats are coming through, so they desperately want you to forward it to this email address to have it be logged as a new concern. Sometimes they even add a button, a plug-in, into something like Outlook to be able to forward it directly to this place or to IT.
Charlie: All right, but even if I am super diligent and I have the best-trained employees in the world, that still is only part of the equation here, because what is to stop—I mean, I’m guilty as anybody else, guilty as charged. I will sometimes be at a coffee shop or in an airport or wherever like that, I might be in a public area is the point, and I guess you kind of forget and you drop your guard and you connect to the WiFi offered by the airline, for example. Now I’m attached, so now I’m sending out—even though I’m diligent about the emails which I’m going to click on, my emails—you tell me. Are my emails secure? Is my browsing history secure? How do I combat against that?
Carol: Right. The answer is no, they’re not secure. You’re connected to a public network and that public network is not encrypted, so the thing you have to do is make sure that you are connecting using a VPN. So I know this occurs because I had a client one time, and he was one of these very curious individuals, let’s say, and bought a remote antenna just to see if he could read the traffic outside of a well-known coffee shop, and the answer was yes, he could. So as you say, you let the guard down. I know that I’ve connected to a hotel WiFi before in all of my travels without connecting to my VPN right away, but that’s one of the things people look for. They’ll sit there—people. They are people, but they’re less than optimal people—will sit there and try to look for unsecured connections and then read your traffic. Now this individual that I talked about earlier, he did it for his jollies just to see if he could. There are people that literally will do this looking for unencrypted credentials and other things going by. So the message is: you need a VPN so that you can connect securely. So that’s another thing that employers should be educating their employees about, is to make sure, and especially in this work-from-home, you know, remote work. A lot of people get bored with staring at the four walls of their office. I don’t know about you, Charlie, but I’m kind of getting tired of these green walls surrounding me right now, and I might work part of the day at Starbucks. You know, if I go there and connect to the internet, then I need to be using a VPN to make sure my connections are secure, and people need to know that.
Charlie: That explains why, before you can connect in many of these public areas, you have to accept their terms, and who reads the terms? You just go right to the bottom, click the box, and now you’re online.
Carol: Exactly. Exactly. Yes for all to see.
Charlie: When you mentioned people can read your emails, what about my attachments? Those are equally at risk?
Carol: Sure, yeah. They may be able to intercept those emails, and actually what they’re really trying to do is be able to hack back into your email box, so, you know, most, Outlook for sure does, most email clients have a web version, right? It’s not just the one on your phone or your PC. They have a web version of that email client, and so if they can get your user ID and password, they will often then come in through your web browser or web client and start inserting themselves into your email. So one of the things that they will do is put a routing entry, a rule, in place to route all your email to somebody else. It’s not like it’s rerouted out of your inbox. It’s also routed to them. So that’s a form of something called business email compromise. You’ll see the acronym BEC, and that is again a huge business for hackers, because they will typically target somebody like in finance, and if they can find those people, they’ll look at email conversations that go by. And this is especially prevalent right as people were starting to work from home when the pandemic hit, because processes changed; everything was different, so people were used to having changes in their processes. So a lot of times they would insert themselves in, like, an accounts payable type situation, and at just the time that a payment was due, they would send a new invoice looking very much like a previous invoice, but they have a new routing number or a new account number. They’ll say, hey, we’ve had to change things due to the pandemic, so make your payment to this number instead of the old one. A lot of people just didn’t think twice about it. That’s again one of those education things, right? You must question all changes like this.
Charlie: Hmm. Listen, even with the best attempts and even with the highest degree of due diligence, you know, hacks occur obviously—
Carol: Yes.
Charlie: You know even to the most—you know the smartest people that we know—
Carol: Yup.
Charlie: So there have to be some additional methods to recover from this, and I know one thing I was reading about recently is cyber insurance.
Carol: Right.
Charlie: And there is—so there are some facilities to help you recover—either recover your lost data, or if you get hacked, for example, and now you’re paying in bitcoin or whatever.
Carol: Right.
Charlie: Ransomware or whatever. So is cyber insurance, is that something that is discussed that you’ve—do you find yourself discussing that more with customers now, as important as, let’s say, fire and theft insurance?
Carol: Right. Usually I am discussing that in the context of being prepared, so first of all, there are a shocking number of people who think that nothing is going to happen to them, and they don’t do anything to prepare themselves ahead of time. So they don’t have any kind of incident planning, or if this happens, these are the people we call, these are the first things we do, these are the first servers we shut down. So the first thing is that you have to have planning, and one of those things when you’re doing planning is to figure out if you are going to purchase cyber insurance or not. The problem with cyber insurance, it’s getting better, but it’s still actually kind of a new thing, so if you are trying to get insurance for your car, for example, you can go to five different insurance companies and you can compare the coverage from all five of those, and you’re comparing apples to apples. Cyber insurance, and again it’s getting better, but it’s hard to compare insurance policies, so you have to really examine what you’re going to get out of that cyber insurance. Like some of them will require their forensic team to be the one that investigates the incident, for example, or, you know, you will have to use their legal team, or you have to use their tools, or they will provide it as long as you purchase their software that will supposedly prevent it in the first place. So there’s—it’s really hard to compare what you’re going to get. I also have read fairly recently, because there have been so many attacks and so much ransomware out there, that one of the companies out of Europe is starting to refuse to pay the ransom, so if that becomes a trend, that will be interesting to see what happens.
I mean it was in the context of trying to stop the hackers from doing ransom, from inserting ransomware into somebody’s organization, because if the cyber insurance isn’t going to pay, then is the company going to pay, and maybe they won’t get paid, so maybe they’ll go find something else to do. But yeah, that whole bitcoin, you know, again, part of the discussion of being prepared is, if we get hacked and our data gets encrypted, are we going to pay the ransom? That’s a discussion that should be had before you get hacked, not after the fact.
Charlie: And it only takes one employee in your entire network to introduce this malware to lock down the entire company.
Carol: Absolutely. There was a hospital that got shut down because an employee was on vacation and read an email on her personal account, from her personal email account, on her work laptop and opened an attachment. Ransomware encrypted her laptop, and because she was connected, it went through the entire organization and shut down a hospital.
Charlie: You know, this conversation is making me more afraid even to open up any computer any day of the week. It’s so scary—but that brings up—I mean that’s the joke, but there’s an interesting discussion point here, and that is, you know, it’s trying to find that balance, whatever it happens to be. I’m sure this is something you have to deal with every single day. How many obstacles do you want to put in front of any one user to keep them in a secure silo, you know, be it MFA, you know, multifactor authentication, or whatever else—you know, whatever tools you have at your disposal to do that, but you also need to have them at some point do their job. This is something you must wrestle with, I’m sure.
Carol: Absolutely. Absolutely. You know, the security purist will not allow any kind of risk, but I work with people every day, real people, and there are varying skill levels and there are varying tolerances to what employees will tolerate, so from a security perspective, yes, it’s that how many layers of defense do you put in place. And so a lot of people are starting to use multifactor authentication. I think that that’s a great layer of defense to put in place, because if an organization’s user IDs and passwords are stolen and then they are hacked back, if that additional factor that you have to provide is there, then the stolen credentials aren’t as valuable to that thief. Just because I have the user ID and password, I wouldn’t have my RSA token or my Okta token that I can enter, so stolen credentials are thwarted with multifactor authentication.
Charlie: You know, it’s interesting, Carol. I—just while you began speaking to respond to my last question, I just had this immediate thought about how I used the word obstacle and you turned it around to say layer of defense, which is really quite interesting to me. So it’s just a clear indication of how the perspective of this depends on which side of the—you know, you’re trying to keep the company secure versus, you know, preventing me from doing my job. So anyway, I thought that was interesting. I know many users will call obstacles—call them obstacles.
Carol: Right, and most people, and I mean, OK, let’s be real, Charlie. You’re more in the developer programmer world, right?
Charlie: Yes.
Carol: It’s a rare programmer that considers security as a benefit, right? It’s usually that security is something to be tolerated at best and usually makes it so they can’t do their job, in their eyes. So again, depending on the user group that I’m working with, be it somebody in the security team or system administration, or if I’m working with the programmers, I have to approach my recommendations in a way that will be most readily accepted by whatever team I’m working with at the time.
Charlie: To any level of scrutiny.
Carol: To any level of scrutiny, you know, and with the programmers I really have to help them understand that it’s nothing personal. It’s not that the company doesn’t trust them. It’s that these are there to protect the organization at large, not to try to make their life miserable, even though I understand that the perception is that it’s making their life miserable.
Charlie: And frankly, given that discussion point right there, it also bolsters their defensible position, doesn’t it?
Carol: Yes.
Charlie: So from that view, it has a lot of merit.
Carol: Yes, so a lot of times things have to be put in place from a regulatory perspective, depending on, you know, whether they’re in healthcare or finance, you know, that type of thing, what type of data they’re dealing with, if it’s the PII, the personally identifiable information. There’s regulations surrounding that type of information, so you can then deflect it and say, look, this is—we have to abide by the laws or the regulations with that data. We have no choice. Again, it’s not personal. So you have to help people understand why. I have had the most success when I can help people understand the why of why we’re implementing versus just doing it randomly, because a lot of people, quite frankly, take extra steps from a security perspective as a personal affront. It’s like, I’ve worked here 20 years. I would never do anything. It’s like, I understand, but if your user ID and password is stolen, getting back to the MFA, you know, they can use it to break into the system and get access, so we’re going to put this other factor in place that they won’t have. You will have it, and that will protect our system. It has nothing to do with the fact that we trust you or don’t trust you.
Charlie: Yeah, the last word you want to hear in any bank of developers or any group of developers is the word “oops.”
Carol: Right. [Laughter] Exactly, exactly.
Charlie: When you hear that term it doesn’t generally end well.
Carol: No, right.
Charlie: So you mentioned, or I should say I mentioned—I introduced you as helping companies secure, you know, one step at a time, and let’s talk about that. So we have planning, security planning. Now surely in all your years of doing this you’ve entered some companies that have no plan, zero plan in place, nothing in place, to, I guess, some that have very sophisticated plans in place, and everything in between.
Carol: Right.
Charlie: If I’m one of those companies who seemingly has nothing in place, where do I start? I mean, I fully support the notion that any plan is better than no plan, but I think you need to qualify that, because a bad plan may be worse than no plan, perhaps. I don’t know. I mean, so give me some of the real low-hanging fruit here. What’s like the first thing, the most obvious thing, like, oh my gosh, you don’t even have this in place? What might that be?
Carol: Right. One of them is that plan, right? I mean, right after John Vanderwall and I started DXR Security, somebody found me on LinkedIn and they were in a panic. They even found my phone number somehow and they left me a voicemail and they said, Ms. Woodbury, we’ve just been hacked. Our systems are all encrypted and I just don’t know who to call. I don’t know what to do. I mean, they were literally clueless and they were reaching out to whomever they could find to try to help them.
Charlie: And with each passing hour by the way, it was getting more dire with each passing hour.
Carol: Right, right, so you really need to acknowledge that it could happen to you and have that plan in place first. Analyze things. Do you have the backups, right? So start with a plan, and then anything you do is going to make things better, like get rid of old profiles, people that no longer work with the organization, and again this is not just IBM i. This is Windows; this is firewall; this is any user account that’s out there. There’s a story at least once a month, if not longer, of people that have been let go that hack back into the organizations. There was one just last week where they hacked back in and deleted terabytes of data. So, you know, that’s an easy one to get started with, and it doesn’t affect any end users, right? You may be afraid of affecting your end users. Well, getting rid of profiles that no longer exist isn’t going to bother anybody; they’re not there anymore. So that’s one thing. Then you could start making people change their password on a regular basis, and again that one will affect your end users; you might have to explain to them why they’re doing this, why you’re requiring it, but you’d be surprised at how many people don’t require password changes, and in this day and age—so there’s this thing called credential stuffing where somebody will—a hacker will purchase passwords, user IDs and passwords on the deep web and then try to use that combination someplace else. So again you probably—if you’re not requiring password changes, you probably have a really easy naming convention for your user IDs, so you get a user ID and you get a password and you try that password combination. Likely they’ll get in someplace because somebody has used that same password everywhere they log into.
Charlie: Oh, so my IBM i user credentials might be at my bank, is what you’re saying?
Carol: Yes.
Charlie: OK got it.
Carol: And Yahoo and Netflix and Target, you know, everywhere, and I’ve seen that happen even in my own family. I’ve had to chastise my niece. Do not use the same user ID at the same, you know, your bank as you do Target, as you do Whole Foods, whatever, so they really need to be separate.
Charlie: So a password manager right there may or may not be—I mean, so because the user ID is more often than not your email address.
Carol: Exactly. Exactly, so I use the same email address, but I make vastly different passwords anywhere I log in to, so I have a password vault on my phone that I use, right, and it may not even be the most clever password for every place, but as long as it’s different than anything else that I’ve used, the only danger is going—they’re going to be able to hack into that one account, and if it’s Wayfair, who cares? I mean, I’d know if I got something ordered from Wayfair, but I’m not going to make that same password strength; like, my bank password is much longer.
Charlie: Or pass phrase.
Carol: Or pass phrase and it is a pass phrase.
Charlie: Right.
Carol: Yeah.
Charlie: There’s so—I mean, you know, security—you read every year. I mean, I see the subjects every single year, the surveys every single year, and security is always, always, and I don’t care what industry you’re in; I don’t care what platform you’re on. Security is always, you know, paramount. It’s the most important thing to everybody, and if it’s not, it should be, certainly.
Carol: Yes, yes.
Charlie: I mean, technology, sure we care about technology, and I mean I love technology, of course, but you can never not have the security conversation because, well, as you said, I mean there’s so many different ways that we can get into that data, either deliberately or inadvertently.
Carol: Yes. Well, part of the problem is if somebody hasn’t secured their data and everybody has access to it, the accidental errors can occur. You know, one thing that people don’t think of from a good security scheme is the prevention of accidental errors, so, you know, if everybody is running as root or admin or, in IBM i, QSECOFR authority, then they have access to everything on the system. It makes their life easy, they think, until they delete something that they didn’t mean to delete or they updated something, oops, that was the wrong file, right? And so if you can segment that and really give people appropriate authority for their job responsibilities, it really helps the accidental errors to not occur.
Charlie: So everything we’ve spoken about, Carol, is good advice for anybody, any platform, any time, it seems.
Carol: Yes.
Charlie: We barely got into the IBM i specific conversation here, but we didn’t really need to, because what you’re saying here is, I mean, common sense, I guess, but you’ve given us so many nuggets for people to listen to and to consider when they’re looking at a security plan or amending what they already have in place or updating, whatever the case happens to be.
Carol: True, agreed. Just a lot of common sense and just wanting to acknowledge that their data is worth something, right? And if their data is worth something, I mean, they have that data for a reason and they’re running their business off that data. They’re making business decisions off that data or they’re servicing their clients based on that data. They’re running a manufacturing line or pricing or inventory controls off this data, and if you’re going to run your business off that data, then it’s worth protecting it. Otherwise, why do you have that data?
Charlie: But then you hear the flippant—the flippant attitude sometimes. Well, what could somebody possibly do with my data? Well, I mean, again, I say this all the time. I’m sure there are several competitors who would love to get their hands on some of your data tables, for sure.
Carol: Exactly, but then you circle back around and say, okay, then are you not running your business off that data? So it’s valuable to you, so then what happens if you have a ransomware attack and your data isn’t available to you? Okay, the hacker may not have wanted it, or if they downloaded the data before they encrypted it, they might look at it and go, ahhh, I don’t care about that, but you do. So, you know, your business, your data, if it’s not important to somebody else, it’s sure important to your business, and so it’s worth protecting.
Charlie: And it’s got value for sure.
Carol: And it has value.
Charlie: Right. Carol, I think we’ll leave it there. What can I say? I think we’ve probably barely scratched the surface here.
Carol: Probably so.
Charlie: Right, but already, as I said, you know, while you’ve been speaking here, I’ve been making some notes, and it’s just fascinating stuff. It really is, truly is, and you know, just protect. Let’s be all careful out there. Let’s be careful out there, so they say, right?
Carol: Exactly. Be careful out there. Yes. [Laughter]
Charlie: This has been great. Carol, I would like—I just want to thank you so much. You are truly a wealth of information, a wealth of knowledge on this topic, and I think everybody will get some real value out of this discussion that we’ve had here, so thank you very much for your time today. It’s always a pleasure to speak with you, and hope to see you at some point down the road, of course, maybe at some conference. I hope that day does come at some point in our lives. Who knows?
Carol: Oh, you and me both. Thank you so much for the invitation. It’s truly my pleasure.
Charlie: Thank you, Carol. Well, this wraps up this month’s podcast. Thank you, everybody, for listening, joining us, and listening in. Be sure to check out other offerings by TechChannel. You’ll see a lot of other interesting podcasts out there, webinars, and a lot of good content, so it’s worth your while exploring. Until next time, thanks, everybody, for joining. See you soon. Bye now.