#LetsTalkSecurity: The New Digital Normal VP, Security Research
Transcript
Rik Ferguson: [00:00:00] Good morning. Good afternoon. Good evening. Good night. Good Thursday. Good week. Hello. We’re back. We’re live. Um, it’s all about you. Uh, we are here. Um, my guest and I are going to have a wide ranging and super interesting discussion. I’m tempting fate by sitting here with my legs crossed by the time this is over. When I stand up, I could fall straight down again. You never know what will happen in this roller coaster of a show. Um, we have a fantastic guest for you this week. You may have noticed that there was no episode last week. Um, I was taking advantage of the public holiday. Uh, so we had a holiday here and I know you had a short week in various other countries around the world. So we’re back with the third episode, uh, in the fourth week of Let’s Talk Security. Thank you very much for joining us. My guest today, uh, has been in the industry for many, many years. She is a former, US DIA, um, uh, chief, uh, deputy chief of cyber. She has worked in risk management at AT&T. She’s an author. She’s an authority. She’s founder and CEO of My Connected Health. She is Tyler Cohen Wood. Hiya. Hello.
Tyler Cohen Wood: [00:01:23] Hi, how are you? That was a great introduction.
Rik Ferguson: [00:01:28] I just made it up off the top of my head. Obviously not the facts. The facts are the facts, but I had no idea what I was going to say when we went live. Uh, that’s the way I roll. Um, thank you for joining us. You’re looking great.
Tyler Cohen Wood: [00:01:38] Thank you. Thank you so much for having me and you too are looking great in your Mötley Crüe shirt. I like it.
Rik Ferguson: [00:01:45] The bad boys of Hollywood. I’m trying to make sure it’s a different t-shirt for every broadcast. Thank you for noticing. So, yeah, we have around about an hour to have a wide-ranging chat about everything and anything. Um, let’s talk about you first. Let’s set the scene. And audience, don’t forget, I know, and I can see from the comments coming in, that you’re joining us from all around the world. So, thank you. First of all, for joining us again, um, hope you enjoy the conversation, but don’t forget if you have any questions that you want to ask or any answers that you really need. This show is as much about you as it is about Tyler. So, drop your questions in live, and we will do our best to get through those as they pop up. Um, so Tyler, let’s talk about the present before we go back in time, a little bit founder and CEO of My Connected Health, uh, and yet cybersecurity professional. So, what is My Connected Health? Um, and what is the security angle there?
Tyler Cohen Wood: [00:02:47] So My Connected Health is it’s a global healthcare system that uses a different methodology with AI, and there’s some other kind of secret sauce, um, to really help bring together healthcare professionals and help patients with difficult to diagnose cases, get a diagnosis, but also offer its collaborative model. So, doctors work in teams. There’s a lot of things that make this different and people will get diagnosed with this type, with this system.
Rik Ferguson: [00:03:21] And this is, this is an early stage startup right now, right?
Tyler Cohen Wood: [00:03:24] Yes we are pre-funding. Um, it is very, very early stage, but, um, you know, things are really looking good and there’s a huge need in the market for this. So I’m really excited about it.
Rik Ferguson: [00:03:38] So you have a, a long and storied professional history. Yeah. So maybe let’s talk a little bit about your journey. Um, I want to talk a lot about what’s going on now in cybersecurity. I want to, so we’re going to dive into that, but I think it’s important just to get a baseline, to set the scene, if you like. So what, what, what was your journey? How have you ended up here and why eventually when we get there? Why My Connected Health?
Tyler Cohen Wood: [00:04:09] Well, when I graduated, it was, it was the late nineties and, um, I, we just didn’t have cyber safety, cyber security back then. It wasn’t, it really wasn’t a thing. We didn’t even have DSL. Um, well, actually we were about to have DSL and I was way into music. I was, uh, I was a DJ. I worked for a record label for a nightclub. And I was very into music, but I started kind of learning how to fiddle around with computers and take things apart and put them back together. And I really thought it was fun. So I moved to San Francisco, which at that time was, you know, the big dot-com boom, and, um, got a job there and then started, uh, moving from, you know, sysadmin positions up to security. And eventually, um, I came to DC and I’ve worked for the government, um, for pretty much, most of the time that I’ve been here. And I remember the last time these were here. So I was, I was here 17 years ago. So it’s been a long time.
Rik Ferguson: [00:05:17] So you were at the Defense Intelligence Agency, right? And I’m of course I’m well aware that there’s probably lots of stuff, maybe most of the stuff that you can’t talk about or, or won’t talk about, or don’t want to talk about fully respect that, but as someone external, obviously I stand no chance of going to work for the DIA, mostly because of my nationality, probably because of my hair as well, who knows but mostly because of my nationality. But, so how do you end up in that kind of field? How do you go from being interested in being a tinkerer to being a sysadmin and then finding yourself at the DIA and working your way up there? Cause I think that’s the trajectory that a lot of people watching would be very interested in exploring for themselves.
Tyler Cohen Wood: [00:05:57] Well, so some of it was just, just, um, persistence. Um, when, when I first moved out to DC, I worked for the Department of Defense Cyber Crime Center, their forensic, their forensic lab, developing, um, coursework for, and scenario based training for how to teach DOD agents, how to respond to an incident and how to then do the forensic analysis of it.
Yeah, I will I’ll admit, I mean, it was kind of out of scope. I had been doing cybersecurity as a, kind of a sysadmin, but this was a little bit different. And, you know, fortunately I, I read everything that I could, I learned everything that I could and I watched, and it turned out to be something that I was really good at and I absolutely adored it. And, um, I mean, it was, it was, it was very rewarding and that sort of got me thinking that my mind works, and in interesting ways, um, I, I can think like a bad guy, but I’m not a bad guy. And I can think of like worst case scenarios. And that turned out to be really, really helpful because when I moved into the, the lab from the training facility into the forensic lab and I was actually doing forensics and incident response, um, it helped me to investigate these, these, uh, digital evidence and think about it in a, in a unique way. And, you know, I was one of the first people that, um, started talking about, uh, using iPods. We didn’t have iPhones yet, but iPods to, uh, store digital evidence, and I showed how you could take an MP3 and just add a little bit of text in there as a hidden message. And I could, you know, show that that’s actually, that can be evidence and went through all kinds of other crazy things, showing, you know, just what the possibilities are.
Rik Ferguson: [00:08:03] I remember back around the same time must have been a similar time. Um, I was, uh, an architect security, privacy architect. And I was doing a lot of, sort of three o’clock, four o’clock in the morning, work in data centers, actually deploying the stuff that I had been protecting. Um, and of course, you know, the, um, entrance to the data center, there’s a lot of physical security there’s man traps and there’s phone confiscation. And that was the thing that made me laugh is they would make sure they would take your cell phone away because they had a camera on it, even back then it had a camera and they don’t want you taking photos of configuration screens and patchbays and anything else that, that, that would be handy intelligence. But of course, the one thing that you really want in the data center with you at that time of the morning, when you’re working by yourself in that nicely chilled environment is an iPod. And I remember laughing so much to myself thinking, and they took my phone away, but I could basically steal the entire data center on my iPod is 160 gig of storage that I just need to plug in and start downloading stuff. It’s amazing. And for me, that was a very early illustration of how security policy and security thinking very often lags behind, um, changes in the technological landscape and then the associated changes in the criminal landscape. So on that, on that note, and that was a totally off the top of my head segue, but it works really well, so on that note. So when you’ve been, um, doing this for quite some time, uh, I don’t want to age you, but you’ve been doing it for quite some time and that’s fantastic. You must’ve seen, Hey, I’m older and now I know when you graduated, um, you must have seen a lot of changes in the threat landscape over that time. 
What has been the, the ones of most significance do you think for changing the game from a criminal perspective and changing the game more importantly from a defender’s perspective, what have been the biggest change.
Tyler Cohen Wood: [00:10:02] Well, obviously I think things have changed so rapidly. And I mean, I re I remember, um, I thought that I, when I first started kind of coming on the scene, I was very concerned about, you know, the potential for using it as a threat vector to get into a business. And I there’s been so many of these changes, social media obviously is, is one of the huge ones. But, um, I think that the, the Target attack that started in 2013, uh, when it was found in 14, did I get my dates right? I think I did, 14?
Rik Ferguson: [00:10:43] Exactly what are we talking about, I mean, for me the big one. Yeah. Sorry. I thought you were talking about targeted, like as in APT target. You mean these targets let’s be totally clear. Yeah, that that’s kind of asking for trouble, right. Making your logo a bullseye is kind of like, anyway, you were saying the Target attack.
Tyler Cohen Wood: [00:11:03] The Target attack, because it was, it changed the game because the attackers entered through an IoT device. They used third-party credentials and went in through an HVAC system and were able to, to conduct the attack that way. And to me, that was a huge game changer because it was shortly after that, that we started seeing more and more and more of those types of attacks.
Rik Ferguson: [00:11:32] Yeah. And supply chain attacks that become, become a really, a really big thing and a really big, um, part of the cybercriminal, um, modus operandi right now. Right. I mean, like I can obviously SolarWinds is the big one that everyone will say at the moment. Cause it’s the most recent. Um, but there are plenty of others in there. Plenty of, plenty of really interesting, uh, proofs of concept. Um, one of the areas that’s particularly interesting to me right now, because technologically it’s a big growth area. It’s a big adoption area within enterprises is cloud. What’s your view on a cloud threat and cloud security?
Tyler Cohen Wood: [00:12:10] Well, there’s, there’s pros and cons to anything. Um, you know, if, if, if you’re utilizing a public cloud and you’re sharing a machine, a physical machine with another entity, you remember a couple of years ago, there was the attack on the, there, there was a BIOS-level attack. Um, and so, you know, that’s a threat vector. Um, but I think one of the biggest threat vectors is when businesses are utilizing the cloud, they don’t actually look at, at, at the contract and that’s a mistake. They don’t necessarily know. And these are questions that have to be asked where if there is a security incident, where does my responsibility as a business begin and end, and where does the cloud provider’s begin and end? Because often, you know, there’s, there is there, there is written in that you are in charge of your own security. So, and that’s fine, but I just, I think that it’s a threat. If you don’t actually look at it, what your responsibilities are. And I think that’s, that’s, that’s a big threat.
Rik Ferguson: [00:13:22] Yeah. And you know, for me, the what’s really interesting is that the, if you look at threats that are currently successful in cloud environments right now, uh, by far the greatest culprit or the greatest weakness, uh, is misconfigurations. The huge majority of successful attacks against cloud infrastructure. Yep. Uh, because it was poorly configured when it was rolled out. Um, and that, and you were talking about responsibility, the shared responsibility model, you know, whether you move from, um, infrastructure as a service where you’ve got the, everything from the operating system up, or the further you kind of move to the right through a platform as a service, uh, to fully abstract, serverless or software as a service type infrastructure, the less control you have, the more responsibility you give away to your cloud provider. But the one constant, the one thing that you remain responsible for wherever you are on that, right, is the service configuration. Uh, and we’re seeing that massively taken advantage of now for, um, for cryptocurrency mining, obviously people trying to, you know, hijack your processing capability to mine cryptocurrency for themselves, but increasingly for theft of credentials, for theft of data. And I think that’s going to be a real growth area.
Tyler Cohen Wood: [00:14:39] That’s a huge growth area. Yeah, it is huge. You know, can I go back to a question you asked, you said, what, what, what are turning points? Uh, you know, what have been some of the changes in the turning points. We’re living in one of those right now and because the, the amount of attacks on critical infrastructure that we’re starting to see, um, that, uh, Colonial Pipeline, JBS, there was the New York, New York subway system, San Francisco, a ridiculous amount of attacks in the SolarWinds in a very short period of time. And, you know, they’re all ransomware and, you know, they’re targeted toward things that can be considered critical infrastructure, and it’s a really complicated situation. And, um, I think that there’s more, that needs to be done to really stop this situation. I mean, it, in terms of like, for example, in, in, in terms of the Colonial Pipeline hack, it was a compromised VPN password. There’s AI has got a long way to go, but it’s really good at what it does. And I would just make the assumption that it would be easy to make that determination of if a person is utilizing a device and they’re always using that device to VPN in there’s an identifier, there’s also a location affiliated with it. There’s a profile. And if suddenly that VPN is, um, being logged into, by a completely different device, um, in a completely different location, then that should be an alert.
Rik Ferguson: [00:16:39] Yep. Yep. For sure. And you know, and for me the Colonial one, um, directly that, I mean, that was even less complex to my mind. I mean, you’re absolutely right in that there is a great security architecture use case around, I mean that, you’re basically beginning to talk about zero trust as a, as an infrastructure, as an architecture concept. Right. Um, but for Colonial, that, for me, that was process failure and I think. While we, while we definitely need to be looking forwards and you know, the US government is heavily into zero trust as a, as an architecture to begin adopting right now. Uh, we also need to make sure that we, and this is the perennial problem with cybersecurity. We need to make sure that we have the basics covered, right? That account that was used in Colonial is to my understanding, and I’m not an insider, but from what’s been made public, that account that was used to attack Colonial is one that, um, was no longer in use no longer in use within the organization. Right. It should have been aged out. It should have been closed down. Uh, the account access should at least have been terminated if not the account deleted, you know, whatever was appropriate for that resource at the time. So that’s, for me, that’s a basic process failing. Um, and in the early days of ransomware against both individuals and organizations, a lot of the success of ransomware was built and established on failures of process, because we had neglected the basics in our scramble for the shiny and the new, I think, uh, across the industry. Right. And so I remember when was it maybe 2016, uh, when ransomware was kind of at its previous height. Yeah.
And you know, it was when we were seeing a whole lot of new, um, you know, ransomware variants, or the whole lot of new threat actors, um, and a lot of the education that was out there at the time to help people, uh, come back from ransomware attacks was around backups because people had neglected the basics of making sure you’ve got, you know, following the 3-2-1 rule, making sure you’ve got your backups, making sure they’re offline.
Uh, and, and, and people really learned from that. I think process improved, which is why ransomware threat actors have had to change their tactics and have had to change their tools and their capabilities and why we see a lot more, uh, living off the land type attacks, where we see, um, utilization of exploits, of vulnerabilities, where organizations may previously have looked at criticality and said, oh, this isn’t for example, remote exploitation, um, remote execution of code.
So, it’s less critical to get it patched than these ones that I really need to take care of right now. Now, because they’re actively looking for, oh, this is a nice escalation of privileges vulnerability. Once I am in, that’s exactly the kind of thing I’m going to target. I need to escalate my privileges to be able to run PsExec or anything, whatever you’re using, ransomware as a service. You know, the other growth area I’d be really interested in your insights on this. And let’s think a little bit about the future as well. Um, one of the big growth areas right now, I spoke about cloud from a practitioner perspective. Um, is the adoption of cloud within, uh, the cybercriminal world. So operating clouds of logs and charging per access for, um, uh, access to these clouds of logs to for intelligence gathering purposes. Um, but also the rise of the access as a service industry and the initial access, the vendors, the IAVs of the criminal world. Um, we know that that’s a source right now of information and access for current ransomware campaigns. Do you see that as a growth area for criminals? Where do you see that going?
Tyler Cohen Wood: [00:20:37] I do. I see, I see. Well, in, let’s also talk about phishing. I mean, we got to talk about phishing. I mean, the, the percentage of breaches that were caused by, by phishing, a successful phishing attack. I mean, it’s, it’s asked and I think what is it? 95%, 93% of breaches.
Rik Ferguson: [00:20:57] Yeah. It’s I mean, historically it’s been up there in the nineties. I wonder if we will see that number start to drop off. I think we will, um, as criminals move more towards this cloud of logs and initial access, um, per vendor.
Tyler Cohen Wood: [00:21:12] There is also a trend of utilizing, uh, utilizing AI to comb through open source information, uh, OSINT and to be able to piece together, uh, profiles on people to be able to guess their passwords and, you know, the amount of information that is available. Um, I’m not saying that that it’s it’s, it’s just openly available, well it is, but, but the amount of information is, is just astounding. On, on people. And, and I think that, um, you know, one of the target areas you had mentioned, you know, utilizing cloud and then the logs, but also using AI to really, uh, get a good profile and be able to really emulate that person as best as they can, or trick them into some kind of phishing, whaling, BEC whatever.
Rik Ferguson: [00:22:05] Yeah. Yeah. Um, so I, um, I want to talk to you about the future, but I want to just ask a couple more questions about the present. The future is a big thing with me and I’ve got loads of stuff and we’re, we’re going to go into that. Um, but I want your perspective on a couple of other things that relate more directly to the here and now. Uh, and the first is why do you think, uh, and certainly, you know, it sounds like a leading question, but it’s not because, you know, from, uh, people that I know practitioners that are in the trenches every day, This is not a loaded question. This is a reflection of reality. Why do you think ransomware is at such epidemic levels right now?
Tyler Cohen Wood: [00:22:50] Um, the eclipse. No, because the ransom is being paid and they’re, if they’re targeting things that are critical infrastructure that you kind of have to pay and, you know, it’s, it’s gonna, it’s difficult to, to go from backups. You can’t have the Colonial Pipeline shut down for, you know, months on end. Um, so in, in this is what was absolutely insane to me is there’s actually another business that that’s becoming a huge, and they’re re they’re called ransomware negotiators. And what they do is they’re paid by the business to negotiate a deal with, with the criminals.
Rik Ferguson: [00:23:38] And it’s a fully legitimate business, right? That isn’t even the criminal aspects of it. That’s that’s market economics and the capitalist system at work. Right. The free market.
Tyler Cohen Wood: [00:23:52] And what concerns me is isn’t necessarily, um, you know, the, that they got into the Colonial Pipeline. Obviously, that concerns me a lot. That wasn’t the best way of saying that. But I see that as, as other nation-state actors or hacking groups may see this and see what the reaction was and, you know, they’re going to go after something that could be much more disruptive, like a water supply, um, or power grids or it’s, it’s going to escalate.
And the problem with critical infrastructure is that, you, we, we need it, we need it. And I mean, if you’re attacking a hospital, you know, ransomware through the hospital, there’s got, there has to be a better way and we have to be better defenders. And I think that that better way is preventative measures. And, and I think that we need to really, um, think about how we’re delivering a cyber security awareness training, and maybe we need cybersecurity awareness training 0.3, and I’ve, I’ve done, I’ve done keynote presentations all over the world. Um, businesses, small, large, all, all over. And, uh, um, you know, one of the, one of the questions, you know, that, that, that they ask, well, they always want to talk about, about phishing, but what I noticed is that when I would do presentations from the business side of things saying, you know, if you get this, this type of email, um, or if you know, you see this on your social media account, don’t click because it could be an entrance into your business network.
Well, I noticed that when I changed it to something that was more personal that’s when I think people tend to be more invested because the techniques that you’re going to use are going to be the same, but there’s a very big difference, um, to people. If you say, um, yeah, you’ve got you don’t click on this because it could be an entrance into your business and you know, you could get in trouble and you gotta be cognizant of all this. If you click on this, this, this type of link, or if you’re posting all of this information and you’re not using privacy settings, you could be putting your, your, your children at risk, or you could be putting your personal livelihood, um your finances, um, at risk, and it’s the same techniques, but I think people are more engaged in and more invested and they want to be empowered. They want to have this, this, but it’s just gotta be delivered in a way that I think makes sense to, to, to people on an individual level.
Rik Ferguson: [00:26:53] Yeah. We had a similar observation at Trend a few years ago. One of the, one of the things that I do at Trend, which became an accidental part of my role, but I really enjoy it is making films. Uh, and we were talking about, you know, you can make a film about something. You can make a movie about something just for the sake of clarity. Uh, you can make it, you can make a film about something, um, and impart a whole lot of, um, information, but if your viewer isn’t engaged, uh, or if your viewer believes they already know it. Even if they don’t, um, then they’re not going to take much from that. So we kind of switched around and said, well, th th it’s like with insurance, right? People don’t take insurance because they believe something will never happen to them. So they let it slip. And then the house catches fire and then they go, oh, I wish I bought that insurance.
Um, people very often within security can have that misplaced sense of, uh, safety, uh, within the corporate environment. I’m the best CISO in the world. I hire the best people in the world. I’ve invested in the best technology in the world. It’s not going to happen to me. So we started to make interactive, um, videos. We made a couple of them, which actually put you, the, the person being educated, in the driver’s seat and you watch a bit of the action, the action stops. You make a choice. The action continues like those old choose your own adventure books that I used to read as a kid, because you, what you have to do is you have to let the viewer, let the person being educated, make all the decisions for them to be able to realize at the end that actually I messed up, I was in charge and I messed up. There is something that I need to reconsider or need. So with ransomware, what’s the, there’s been a lot of focus on it in the US very recently for very good reasons. Colonial was the big, the moment, but then, you know, there’ve been other ones as there have been previous ones and they continue to happen.
So now you have, you know, the US administration talking about ransomware. It’s a problem. And that great phrase, something must be done. Uh, using the passive tense, which is always a red flag for me. What and by whom those are my questions. What is the sea change in your view that is required? Or what is the change in approach that is required to make a difference? Is it something to do with cryptocurrency? Is it something to do with the way that data is managed? Is it something to do with the way that security is architected? Um, what, what is the sea change that’s required? It’s your chance to fix everything? Totally unfair question. A good one.
Tyler Cohen Wood: [00:29:36] Well, there’s a technology that, that we’re utilizing in, in My Connected Health and it’s, it’s, it’s, it’s a different way of, of, of using, um, using the internet. It’s kind of thinking, thinking like, uh, I don’t know some of my ideas, but they’re great. I mean, they work, they sound like a crazy person, but just using things in a very different manner. Um, which I wish I could say, next time you have me on, you know, we’ll be funded would be great. And we can, I can go into the yeah, but, but it’s, it’s, it’s out there, but it, it, it, it works. But, but for, for, for right now, I mean, I think zero trust is a very good policy to have. I think it’s, it’s a good thing. Um, I don’t know what the answer is. I co-host a Clubhouse chat, um, on Fridays and, um, we’ve, we’ve had this conversation numerous times and some people say you’ve got to hold the C-suite accountable. You have to have fines. I think someone mentioned jail. Um, we all laughed, but, and then all the way down to, should you hold the person who clicked the link responsible? And I actually don’t know what the answer is there. I don’t know if, if that would have an effect, it may, um, it may make the situation worse. But what I think is needed honestly, is, is a, uh, personal, um, cybersecurity assistant that is with you on your phone at all times, giving, giving you a quiet word in the ear. What about, what about if you’re walking street and, um, you don’t have your phone config, you have your phone configured to auto join wifi. And you walk by a coffee shop that has, you know, unsecured wifi. You’re going to go on that network. But if your helper app, your helper, cybersecurity app said, hold on, you’re about to enter into an unsecured network. Um, do you want to do this? Now this is why I would suggest you don’t. Would you like me to fix the setting in there for you? So that doesn’t happen again?
Rik Ferguson: [00:32:06] Yeah. Whereas right now we’re relying on people to understand what all the arcane settings that are hidden away within the interfaces of our devices, right?
Tyler Cohen Wood: [00:32:15] Cyber security people. And I mean, I’m one of them, but we see cyber security as, um, much more important than the rest of the world. And because to us, we live in this world. This is what we do. We see these threats. We’re constantly thinking about all the potential things that could happen to try to force them, but you know, a lot of people, and I I’ve actually asked, I asked about 40 friends, um, who work in completely different, um, arenas, various verticals. And I asked them, do you, do you get the cybersecurity awareness training? You know, do you think about cyber security? You know, when you’re working and the response that I got, um, from actually everyone was no cyber security just gets in the way it keeps me from getting my contracts out. It keeps me from getting my job done and it’s, it’s a problem.
Rik Ferguson: [00:33:18] Well, when it’s done well, it’s something that happens around me and keeps me safe. It’s not something to take an active part in.
Tyler Cohen Wood: [00:33:24] Yeah, yeah, yeah. So, so I think that that, that, that, that relationship has to change because I mean, we’re going to become more and more and more cyber. When COVID hit and we went to a work from home environment. I mean, we went to living, uh, I would say 99.9% cyber cyber life, relying on these, these, you know, digital devices and things to keep us safe. And, you know, that was a huge, that’s a huge adjustment.
Rik Ferguson: [00:33:55] So from, from just to close out on the ransomware thing, when we’re talking about what’s the big sea change, what do you think of the idea of, um, criminalizing ransom payments? Is that a great idea or is that a really dumb idea or somewhere in between? I tend to fall on one side or the other.
Tyler Cohen Wood: [00:34:13] I’ve heard this one too. And you know what, in a way. Yeah, sure. Criminalize it. That that would certainly stop it. But what if it’s a hospital? What if it’s, what if it’s, um, you know, uh, something else that’s critical infrastructure that, that we’re reliant on and that people’s lives are at stake.
Rik Ferguson: [00:34:35] Or what if it’s the only option you have anyway, right then you’re legal or not legal, you’re still going to pay the ransom. And actually what you do is you generate the, the fertile ground required for yet another, uh, cybercriminal infrastructure to spring up and ransomware brokers and, uh, and, uh, money, digital currency laundering services, and everything possible to hide the fact, uh, that you paid a ransom because you don’t want to go to jail. Uh, you don’t want to face the legal consequences of it. So yeah, obviously that exposes what my view on the subject is.
Tyler Cohen Wood: [00:35:06] Yeah. I don’t know.
Rik Ferguson: [00:35:10] There are a lot for me. There are a lot of things, uh, that are required. We have to keep up. As an industry, we have to keep banging on about the basics no matter. And I used to get this not, not frequently, but I’ve had it several times where people would come up to me after an event and say why are you still talking about basic stuff? I came here to hear about, you know, the next new, great big thing, or the most scary threat, or what criminals are doing today, why are you talking to me about backups. And the answer is well, because you’re still not doing your backups. So no matter how many times you’ve said a certain thing, um, if that is still one of the valid responses and one of the valid tactics to mitigate criminal enterprise or whatever that thing is, then we need to make sure that we keep talking about those things until they’re done right. Stop being magpies of the cyber world and focusing on the shiny thing in the distance.
Tyler Cohen Wood: [00:35:56] Yeah. Well, and there’s also, there’s also always the possibility that the ransomware is just a red herring and what, what actually was going on behind the scenes is the hackers went into the machine. It went in into a server and they changed the data. Because we think exfiltration of data or ransomware is like the worst, but it can be pretty scary when you think about manipulation of data. You know, changing levels of, of whatever chemicals in the water system or in a hospital, you know, changing medications or anything like that. It can be quite, quite frightening.
Rik Ferguson: [00:36:41] So that leads onto the future. I mean, let’s, let’s talk about what we know where we are right now. We know what the problems are. We may not have all the answers otherwise, I guess, you know, we’d all be out of jobs if all the questions were answerable immediately and in a definitive fashion. So, what about the future? We’ve moved as a society from a centralized workforce, in an office with data center centric usage that was difficult to say data center centric usage patterns. We’ve moved now because of the pandemic to a much more distributed workforce working from all kinds of different places. Obviously, during the pandemic that’s been working from home, post pandemic is going to be working from anywhere I guess. And why not? So it’s a much more distributed workforce when we’re much less data center centric, we are much more cloud centric in terms of how we access and use data. Um, what does that mean for near term? Uh, what is the, what is the new digital normal? That’s why I called this episode, the new digital normal. I remember now, what does that look like? And what, what do you think will be the areas of focus of the attacker and therefore, where should we as defenders be looking?
Tyler Cohen Wood: [00:37:58] Well, I think that a lot of businesses are gonna adopt a, you know, sometimes come in the office or, you know, a work from home policy. And because people are finding that it actually works. I mean, there’s pro obviously there’s pros and cons to everything, but, um, so I think that a lot of the, the, the, the threat vectors are still going to be targeted, you know, toward, toward the home system and the home network in any security measures that may or may not be in place. Um, but I do think that there is, we’re also, you know, going to be going back into the office. Um, some people, although, I mean, when I, when I think about the changes from COVID, it’s astronomical in so many, in so many ways to just think about and sorry, I’m going off on a tangent. There have been some kind of good things that have come out of this. And, and, and that’s really, um, collaboration. I have seen more collaboration in the cybersecurity arena than I, than I ever have before. Um, people are working together, um, on problems and they, they genuinely want to help. And, you know, one of the other things is just the tremendous amount of innovation. I mean, even, even the mRNA, I’m not a doctor, but this is the vaccine. The way that it works is just. It’s it’s groundbreaking. And when you look at a lot of the, um, the online, um, healthcare systems, and when you look at just how quickly we’ve, um, adapted and we’ve, we’ve, we’ve innovated with so much new technology that I really believe that, that we’re, we’re seeing we’re witnessing the next, what the next thing is, is going to be. And it’s, it’s going to be a lot more digital.
Rik Ferguson: [00:39:59] So if we’re saying that businesses effectively, correct me, if I’m wrong, I’m paraphrasing what you just said. Um, if we’re saying…
Tyler Cohen Wood: [00:40:08] I went on a long tangent.
Rik Ferguson: [00:40:10] Listening, that’s my job. Don’t tell my wife that. She accused me of never doing the above, um, which is true. Uh, see now I don’t know what I was going to say. No, uh, paraphrasing. Um, what you’re effectively saying is that businesses have been forced to innovate rapidly throughout, uh, the pandemic because of the changes in working practices. I guess what you’re saying is that cloud adoption has been accelerated, um, over the intervening 18 months of when we, you know, our working lives basically turned on their heads. So does that mean, does that mean we’ve created new criminal opportunity. Have businesses been forced to innovate and adopt technology at a faster pace than we can expect them to learn how to secure it?
Tyler Cohen Wood: [00:41:04] I, I, I don’t know. I mean, if I was looking at, at, at, if I was looking at the news and you know, just just this month, I would say that, you know, we’re not winning this, but I think the, the, the potential is definitely there. And, you know, when you think about attacks on the whole. You know, if, if I were a criminal and if, if I were going to, um, attack someone who’s working from home, I would see if their kids were doing school from home. And I would actually go in through that vector. That’s an easy one. It’s an easy target.
Rik Ferguson: [00:41:40] Yeah. So taking that whole supply chain attack methodology and what we’ve done effectively, I suppose it’s broadened the supply chain to include yeah, my kid’s school, any other device on my home network, and of course, things like the VPN gateway that is now seeing much heavier use than ever before. Although arguably, I suppose. Oh, I’m going to upset some people here. VPN is arguably a dying technology and VPN is arguably seeing, seeing the end of its potential use case, uh, as a, as a mechanism for securing access to the enterprise, let’s say, uh, because if we have moved and this is assuming something to do all the time, right. Exactly. If we’ve moved to a much more cloud centric, usage pattern and away from data centric, then VPN has far less of a role to play in that cloud centric world. Which is why zero trust becomes such a, uh, such a recommended and rapidly pursued, um, architecture. I see. So you said we had a conversation a couple of days ago and you said, uh, oh, and let’s talk about some real scary things. So, what are those scary things? You have my interest and my ear. And don’t forget, um, audience, you are, uh, at liberty to submit your questions about any of this stuff and anything that we haven’t spoken about. We are here for you. Tell me about the scary stuff.
Tyler Cohen Wood: [00:43:03] Well, I look, I see what’s happening and I, and I see, I see different patterns and I see potential. And one of, one of the big concerns that I have, and I, I don’t want to freak people out by this because, um, you know, there, there are measures that could be taken to really safeguard something like this. But, you know, you have a lot of, um, a lot of genetic databases that hold, um, the genetics. I don’t remember the names of all of them. You had mentioned. What w what was, you mean?
Rik Ferguson: [00:43:37] Like the, the genealogy type resource, the genealogical and the health based where you can get your own DNA test is spit in a bottle and send off.
Tyler Cohen Wood: [00:43:45] Yes, well, if, if that information and there’s also other methodologies for getting a genetic database, but if it packing into it, but if, if these, this information was compromised or if this information was sold to a third party that maybe didn’t have the best intentions, I mean, it, it, it, it wouldn’t would be the easiest thing in the world. And again, I am by no means a medical doctor, but I know cyber security and I know how threat actors work. And, you know, one of the things that keeps me up at night, well, aside from the cicadas, um, is, is thinking about if these databases are compromised by a nation state actor, you can easily create a bio weapon to target a very specific population. And you could either wipe out an entire population or worst case scenario, create a ransomware like situation. Where you need to have the key or some kind of, uh, you know, medical component that you don’t know to be able to unlock what’s happening to your body.
Rik Ferguson: [00:44:56] That sounds like an apocalyptic novel.
Tyler Cohen Wood: [00:45:01] It does. And, and, and these are things that, that concerned me because these are, these are things that are in the realm of possibility, and it’s, it’s quite frightening to think about.
Rik Ferguson: [00:45:16] So here’s an example, but my, my friend, actually, friend and fellow researcher, Vic Veins, uh, @cyberveins on Twitter, if you’re looking for someone new to follow, highly recommended. Uh, released a recent research paper, actually at RSA, we had a joint presentation RSA called Project 2030, which is trying to imagine the next 10 years of, uh, technological change and the associated societal change, uh, and what opportunities that might present for threat actors and therefore where the areas of focus should be for defenders. That’s kind of the, in a nutshell, the point of the report, one of them, the things that always stands out, jumps out to people. Uh, we spoke in the report about the possibility of digital immortality. So, uh, over the course of the next 10 years, we begin to have AI representations of ourselves. Who we feed throughout our lifetimes. Maybe we have a daily conversation or a weekly conversation. They monitor all of your online activity. They learn how to be you, how to act as you, and when you die, they become you. So you’re in the ground and they carry on online acting and interacting as you. For, I guess, an infinite period of time. So you end up and then obviously with advances in artificial intelligence, you’re talking about these digital entities, increasingly having agency, uh, being able to commit criminal acts or at least antisocial acts. Uh, if not criminal. So you end up with a situation where you have grieving relatives, uh, going to, uh, going to court to try to ensure that a dead relative is not switched off or maybe trying to ensure that they are switched off, but then what you have on the other side of that, think about the possibility for ransomware, right? You, you rely on having this, this digital representation of someone who’s no longer with you, uh, in your life still, what’s the, what’s the price that can be placed on access to that dead person.
Um, so yeah, digital representations of human, and ransomware associated activity. Uh, with that, of course, we’re also look at the kind of stuff that, that, uh, Elon Musk is involved with Neuralink, uh, with beginning to progressing directly wetware connected, uh, within the next decade or so.
Tyler Cohen Wood: [00:47:44] They’re already using implants, you know, that you put in the finger right there. They look the little point of rice for, for credentials and identity management and for payment as well, a little Bluetooth, um, implants.
Rik Ferguson: [00:47:59] Uh, and, and you know, the other thing to me is, think about what we’ve already seen, uh, over the past, even five years, not 10 with, um, GAN generated AI and GAN generated humans and, uh, the possibilities for animation and real-time animation of existing or never existed human representations, video and audio. Uh, think of a future when the whole population becomes desensitized to that because, uh, movie stars license out their likeness. So they can appear in seven films at the same time and get paid seven times for doing it.
Tyler Cohen Wood: [00:48:36] Can this walk the dog for me?
Rik Ferguson: [00:48:40] You know, wouldn’t it be cool, but still, uh, as a population we become desensitized to what’s real and what’s not real. We lose our, our ability to tell the difference, think of what that means. And with your, um, background in, in, uh, defense intelligence, I think of what that would mean for influence operations of the future. When you can’t tell if it’s a real person or not a real person, and you can have an interactive communication with that person, what would you know, the, the Facebook campaign of the future look like when we’re talking about these kinds of people. Sorry.
Tyler Cohen Wood: [00:49:15] No, I just, I, I just realized that that, that you, you have just as scary a mind, if not more so than mine, and it’s awesome, but it’s really scary. It’s disturbing. And, and, but, but I, you made me think of a question. How, how, um, how are these, these online, um, versions of yourself being created? Are they being created by information that, you know, an entity like, um, what what’s, uh, like Google or Facebook or whatever may have is, is that what they’re basing? Is that what they’re using to base it on?
Rik Ferguson: [00:49:58] Well let’s, I mean, it doesn’t exist, right? So it, it could be one of, one of many ways. If it’s your own representation of yourself, then arguably you would be in control of it. And you’d be using probably a cloud backend, right? You’d be feeding it with data and the cloud back end to be responsible for creating the digital entity from the data collected. But if that backend exists, if the technologies exist, then why would criminals not be doing the same and gathering open-source intelligence to create their own version of you for targeted attacks? We have a question that just came in on Twitter, uh, playing on the title of the episode. Are extortionist ransomware attacks expected to be the new normal? Do you think that’s going to continue into the foreseeable future or do you think we’re going to hit peak ransomware?
Tyler Cohen Wood: [00:50:47] Um, I’m trying, I’m going to try to be optimistic here. Um, I do think that just based on what I’ve seen in the past few months, that it will be the new normal for a while, but, um, I believe strongly enough in, in the security professionals that are out there and, and the businesses out there that are all that, that what they do is security. And even, you know, within, within the government that we will have, have, have to have some kind of resolution to this, because I think it’s very disturbing.
Like I said before that there is an entirely new business popping up that is extremely lucrative to be a ransomware negotiator. And just because of that, that scares me. That it’s that lucrative.
Rik Ferguson: [00:51:40] Yeah. Did it become fertile ground for, for other people to make money that then begin to rely on its existence? Its continued existence.
Tyler Cohen Wood: [00:51:47] But at some point there’s going to be something. An attack that, that I actually, I hope it doesn’t come to this, but it may come to an attack, a ransomware attack that is so horrifying that something is done about it. And that, um, you know, where people start really taking it seriously.
Rik Ferguson: [00:52:11] Yeah. Yeah. I mean, to me, it’s, I can think back through the history of ransomware, it bubbled under, I mean, the first ever ransomware was delivered on five and a quarter inch floppy disc it’s that old as a threat, right? Yeah, yeah, yeah. Um, it was called the AIDS Trojan because it masqueraded as, as a digital interactive quiz to assess your likelihood of having been exposed to, um, the HIV. Five and quarter inch floppy sent out. So it’s that whole, it has that kind of pedigree. And then it went through, you know, screen lockers and mobile, um, ransomware, mobile screen lockers, but it, it never really took off until cryptocurrency, um, and uh, really enabled the payment ecosystem. So to my mind, the answer doesn’t lie in. Oh, and I skipped a bit, we did hit peak ransomware in about 2016 and then it rapidly declined. But what was happening is that the threat actors were rethinking and reconfiguring and regrouping and coming up with new targets and new tactics, which they very successfully did. And that’s where we are today. So it is definitely possible to hit a peak and for it to go away, if you want it to go away forever to my mind, the only long-term potential answer is not criminalizing the payments themselves for the reasons that we already spoke about it’s removing or stripping the anonymity from, um, digital, uh, digital based currencies.
Tyler Cohen Wood: [00:53:46] Or are we just rebuild the internet, make it more secure.
Rik Ferguson: [00:53:50] What we’ve got to do is give law enforcement the possibility of following the money. Previously was a very successful investigative tactic.
Tyler Cohen Wood: [00:54:01] In the Colonial Pipeline hack, they did actually recover some of the money, which that, that is a, that’s a huge start if you’re on are profitable. I mean, some of these attacks, have you heard of virtual kidnapping? I mean, this is horrible on families and, and I know we’re running low on time, so I’ll be very quick, but, um, you know, what happens is, uh, someone calls like a parent’s phone, um, and say, Hey, I’ve got your, your kid. And, um, I kidnapped them. If you don’t send this amount of cryptocurrency by whatever I’m going to kill. And, um, you know, oftentimes those, they’re false and, you know, there’s things that, you know, parents or people can do, you know, keep the person on the line, ask if you can speak to the person while someone else is trying to reach your actual loved one, or like your, your child, you know, cause maybe in dance class and they answer say, Hey, no, I’m fine. And then you just know it wasn’t attack, but it’s the creativity is, is, is just, is quite astounding.
Rik Ferguson: [00:55:10] So like you said, it, we were close to there. So I, I want to, I want you to give you the chance to finish on something uplifting or something. It’s very easy to be dystopian and I’m equally guilty. Hey, I’m the digital humans guy. So we spoke about COVID and this is a question I’ve been asking everyone so far, and it it’s a, it’s a chance for you to be uplifting at the end, uh, as well as the transfer, all of us to learn. Um, we’ve all had very different experiences throughout all of our different lockdowns. We’re all in different countries. You’ve had different levels of exposure, different levels of lockdown, different levels of effect and so on and so on. But what we all have in common is that we have all had the potential to learn from this experience. Uh, and I don’t mean that stupid question of what have you been doing with, I learned three languages, but what I really do care about is what have you learned from this experience? Why is the world different for you now than it was at the beginning of last year?
Tyler Cohen Wood: [00:56:17] Well, uh, in 2018, I got sick and I got really sick. And, um, knowing what I know now, I realized I was actually sick before, but, um, I was, I was incredibly sick. I, you know, went from doctor to doctor. Um, you know, at first they said it’s infectious colitis. And I started going through the system and seeing these doctors silos. And, um, you know, we even went to one of the most reputable hospitals in the country. And, um, you know, it just was the same thing where the endocrinologist can’t talk to the GI or, you know, I would get the answer. Well, yeah. I don’t know what this is. I’ve never seen anything like this. You should go back to that doctor. And I continued to get sicker and sicker and sicker. And for people that, that are ill, um, not having a diagnosis is, is probably the worst thing in the world because you’re sick. You can’t tell people what’s wrong because you don’t know. There’s, there’s almost a sense that people don’t believe you, especially if you have, what’s called an invisible disease where people look okay, you don’t look sick. And, and, uh, I wanted to do my connected health in 2019. Obviously it was different then, but no one in the world wanted a system like that. Um, in 2019, they just didn’t. And then when COVID happened, I said, I’m doing this system because it’s going to save millions of lives. And you know, it, it may help me. It may not, I don’t know, but I knew that I had to prove that my, what I call my human, um, logic statements that that would go into the system that it would work. So I, um, I. Actually use my own case data. And I ended up diagnosing myself with something that only 300,000 people in this country are known to have later confirmed by doctors. And for me, that was huge. 
So I went from, from being very sick and not knowing why to having an answer and wanting to give other people that same, um, that, that same closure or this, that, that opportunity to, to know what’s going on, um, and know how to fix it. Because everyone deserves that everyone deserves healthcare.
Rik Ferguson: [00:58:50] Yeah. Without doubt. And we promised ourselves we weren’t going to go into politics. So let’s not go down that road, but I fully agree.
Tyler Cohen Wood: [00:58:58] This is just me having lived through a bad experience, but because, um, the work that I did at DIA, the work I did at DOD. I under, I, I look at things very differently and I have built these complex systems that work. And that’s, that’s really what this is. So whether it’s to it’s, it can help me. I don’t know, but I do know that it will be able to help like millions of other people that are in a similar situation. I think there’s one in 13 Americans that are, that are undiagnosed. Um, and, and, and that’s really, what I want to do is I want to make sure that I build this so that other people have that opportunity too.
Rik Ferguson: [00:59:45] Fantastic. Tyler. It’s been an absolute pleasure. Thank you so much for joining us on let’s talk security. Um, if you want to follow Tyler on Twitter, it’s @TylerCohenWood, am I right? Uh, so go find her there. Uh, mine, mine, Twitter thing. I never pointed in the right direction. One day, I’m going to get this right. My Twitter thing is just there. So you can follow me too. Um, Tyler, thanks so much for joining us. It’s been an absolute pleasure. Uh, and I hope that we can speak again.
Tyler Cohen Wood: [01:00:15] Thank you so much for having me. I had a great time.
Rik Ferguson: [01:00:19] See ya.
Tyler Cohen Wood: [01:00:20] Bye.
Rik Ferguson: [01:00:23] There you go. Another hour of your lives gone by, another I hope enthralling and interesting episode of let’s talk security. I’m not going to take up any more of your day, but I will be back next week. Uh, for the final two episodes of this season, I am focusing solely on practitioners. People just like you, people in the trenches on the front lines, doing the job. So don’t forget to tune in next week. Please come and join us. In the meantime, I’m Ron Burgundy, you stay classy. Ah, see you stay classy. And I had this really great smile. It was due for a really good ending. And then, you know, I did a press the wrong button anyway. See ya.