Cyber Crime Junkies
Translating Cyber into Plain Terms. Newest AI, Social Engineering, and Ransomware Attack Insight to Protect Businesses and Reduce Risk. Latest Cyber News from the Dark web, research, and insider info. Interviews of Global Technology Leaders, sharing True Cyber Crime stories and advice on how to manage cyber risk.
Find all content at www.CyberCrimeJunkies.com and videos on YouTube @CyberCrimeJunkiesPodcast
Zero Trust. Social Engineering. Ron Woerner.
Zero Trust. New Approaches to Social Engineering.
Video Episode: https://youtu.be/U-RiapHidco
We discuss new approaches to understanding zero trust and new approaches to understanding social engineering with Ron Woerner. Ron is a Keynote Speaker, TEDx Speaker, Author, Security Community Leader, CEO of Cyber-AAA, Professor of Cyber Studies, CISO, Hacker and Veteran, and also works with VetSec (https://veteransec.org/), a non-profit that helps military members build their cybersecurity careers.
We cover key topics:
New approaches to understanding zero trust, new approaches to understanding social engineering, best cybersecurity practices for business, best policies to limit cyber liability, best practices for identity protection, business benefits of having security assessments done, educating on security by podcasting, how intelligence gathering is critical to security, how to communicate effectively internally in business, the impact the new US security strategy has on AI, innovative ways for security education, latest security expert insight, lowering the risk of a data breach through security awareness training, new approaches to security awareness, new ways to limit cyber liability, newest ways to protect your identity online today, social engineering and the science behind it, top security tips we all want to know, understanding the hacker mindset, understanding the neuroscience of social engineering, ways to stop social engineering.
Audio Podcast: Available Everywhere.
Thanks for Listening and Watching. PLEASE CONSIDER SUBSCRIBING. It's FREE and it will help us to help others. Our Video Channel @Cybercrimejunkiespodcast https://www.youtube.com/channel/UCNrU8
Grow without Interruption. Stop Breaches. Leverage Advances in Technology with NetGain. Contact NetGain today at 844-777-6278 or reach out online at www.NETGAINIT.com
Have a Guest idea or Story for us to Cover? You can now text our Podcast Studio direct. Text direct (904) 867-4466
🎧 Subscribe now http://www.youtube.com/@cybercrimejunkiespodcast and never miss a video episode!
Follow Us:
🔗 Website: https://cybercrimejunkies.com
📱 X/Twitter: https://x.com/CybercrimeJunky
📸 Instagram: https://www.instagram.com/cybercrimejunkies/
Want to help us out? Leave us a 5-Star review on Apple Podcast Reviews.
Listen to Our Podcast:
🎙️ Apple Podcasts: https://podcasts.apple.com/us/podcast/cyber-crime-junkies/id1633932941
🎙️ Spotify: https://open.spotify.com/show/5y4U2v51gztlenr8TJ2LJs?si=537680ec262545b3
🎙️ YouTube (formerly Google) Podcasts: http://www.youtube.com/@cybercrimejunkiespodcast
Join the Conversation: 💬 Leave your comments and questions. TEXT THE LINK ABOVE. We'd love to hear your thoughts and suggestions for future episodes!
[00:00:00] It's always in the news. Cyber criminals attacking great organizations wreaking havoc on the trust of their brand. We socialized cybersecurity for you to raise awareness. Interviewing leaders who built and protect great brands. We help talented people enter into this incredible field and we share our research and blockbuster true cyber crime stories.
This is Cyber Crime junkies, and now the show.
Well, welcome everybody to Cybercrime Junkies. I'm your host, David Mauro and in the studio today I'm very honored to be joined by Ron Woerner, CISSP, CISM, with over two decades of IT and security experience. He's a noted international [00:01:00] consultant, keynote speaker, TEDx speaker, teacher, blogger, and absolute master in the data and cybersecurity industry.
Ron, welcome to the studio, my friend. Thank you for having me, David. Great to be here. Well, we're very excited. So you hold a lot of different positions. I know you do work with Forrester Research, Cyber-AAA, you're involved with VetSec. Why don't we just tell ladies and gentlemen kind of some of the aspects.
Let's start with Forrester Research. So walk us through just briefly kinda what all you're you're doing for them. So with Forrester Research, been there about a year almost exactly. I'm part of their security and risk consulting team, helping large organizations as they're maturing their cybersecurity programs and practices, establishing baselines and benchmarks with assessments through analysis and then helping them determine how to continually improve.
Also [00:02:00] focusing on, in on Zero Trust, because that's where Zero Trust started, over a decade ago, at Forrester. So it's a lot of organizations going beyond the buzzword of zero trust as they're trying to see how do we actually dive into the meat of how do we assume a breach? What does that mean for just in time access control?
Having that continuous monitoring in place so we always know what's happening on our network. So never a dull moment in cybersecurity. Absolutely. So let's touch base real quick. For those listeners that might be new to the segment or the topic we do have some business owners that listen in.
Mm-hmm. And they, they're interested in security or, or, or learning, but they don't know, always know all the terms. When we think about Zero Trust, how do we explain that in, in, in layman's terms? So let's go back 10, 15 years. If you look at an old network, there used to be exterior and interior. Once you got inside, you can go [00:03:00] anywhere, do anything, right?
So when John Kindervag came up with Zero Trust, you realized that there was this crunchy exterior, but soft, squishy interior. Well now as we webify most applications that is disappearing, particularly with the pandemic, where now we have any time applications, computing. Think about Microsoft 365.
Yep. Email and all the office stuff. You can do that from anywhere, almost any type of device that's that's not our trust and access and having access to everything. Right, right. But limiting access to just what you need to do your job. It's the idea or principle of least privilege. Too many people have access to way too much stuff and they get in trouble with it.
So keeping that as minimal as possible. Keeps everyone safer and saner. Yeah. That it's, it's really an important concept too, cuz we've seen in recent breaches, one user, one employee has been mm-hmm breached, but then they're [00:04:00] able to reach the source code of something and you're like, that user was not even supposed to have access to that, but they were able to socially engineer or do.
Multifactor authentication fatigue, whatever the, the tactic was to, to gain control. But really it's about mm-hmm. All of it. It's how things are configured in the access once they get in. Right. Once you can impersonate someone else's access. Yeah. Particularly if they're an administrator. We see this with the DoD top secret breaches.
Mm-hmm. Where system administrators have access to top secret documents. Yeah. Now I'm former Air Force, I had a TS clearance, et cetera. You stay away from that stuff. Right now, you don't go towards it. If you shouldn't see it, you don't want to see it, but Right. That self-inflicted least privilege, but a lot of people, they see power with it, so it's just.
We call it keep yourself off the suspect list. If you don't have access to something, you can't be blamed [00:05:00] if something happens to it. Right. That's exa and especially in, in, in the days of massive breaches, right? You don't want to have access to a lot of stuff. You don't want your name to be associated with the conduit in.
So yes. You know, it's a little bit more painful as a user not having access to something to help you do your job, but it, the idea of you have it when you need it, and then it goes away when you don't. Again for San Yeah. And then Cyber-AAA. Yes. Please explain what, what that is. Mm-hmm. And what some of the great work that you guys are doing there.
Certainly. So it's just my own consulting practice started up like five years ago when I had a lot of companies ask me for help. Actually, had a buddy of mine give me a lot of his business cause he wanted to retire. Go figure. So in cybersecurity assessments, advising and awareness. We go in performing assessments, working with them, focusing more on small medium businesses, those who don't always have [00:06:00] the funds to do the extent of cybersecurity.
Really analysis, really important. Right. Most businesses in the US are small business. Small dimens. Exactly. So, and then tying it back to the advising, acting as a trusted advisor. So, Being that person, you know, who will give you a pragmatic approach to solving problems. Yeah. Addressing business risks. And then a lot of what I do is just awareness.
So David, I'm a teacher at heart. Mm-hmm. I still teach for a university. A lot of what I do as a consultant is just try to teach others how to best use the resources they have at hand. Yeah. And, and, and to put it in practical. Terms business, operational terms, right? So, so often, especially in the cybersecurity field, they get lost in the technologies or in the acronyms and in the, the the confusing aspects of it.
But really what [00:07:00] executives and what business owners care about is what does this mean to production? What does this mean to revenue? What does this mean to operations? Right? Yes. How much will it cost me? So it's one of the things we recommend for those entering the cybersecurity career field is learn business.
Take an economics class, a finance type of class. Absolutely. Absolutely. Because, and, and, and the importance of making an internal business case. Yes. Right. Like being able to state your case to stakeholders to be able to, to, to, to say why, why a certain service or technology would, would have value. Let me share a quick story.
I was actually absolutely working with a defense contractor, and we were, this was all part of the controlled unclassified information, CMMC. Mm-hmm. Capability maturity model certification, now 800-171. Anyway, going into a small defense contractor subcontractor, and they're wondering why are we spending so much on our network?
And I could tell the network admin never talked to the [00:08:00] CFO. They happened to be in the room. CFO asked, so why am I spending all of this money? Well, let's look to see where everyone is going. Network admin showed, you know, YouTube, Facebook, Netflix. CFO had a minor little cow. Mm. But it caught the attention then because then realized, you know, for financial sake we can also add better cybersecurity practices.
Right. So it's, it's tying that licensing. Are you overpaying for licenses? Sure. You know, why do you want to have a standard version? Yeah. It makes patching easier, but also saves money for licensing. So more examples, more when we can tie the technical with the business operations. I see a lot more success.
Absolutely. Absolutely. And then one of the other organizations you were involved are, are involved in is VetSec. Yes. So veteransec.org, we'll have links to all of these in the, in the show notes. So please, we encourage all listeners and viewers to [00:09:00] please check those out. But walk us through the mission of VetSec and what all you're doing.
Sure. So Veterans of Cybersecurity is a nonprofit group and we're military active duty veterans, and. Worldwide too. It's not just those within the US, although that's the primary membership where people are trying to transition. You probably have heard, David, there's this large gap. We don't have enough people to fill all of the different cybersecurity positions.
Absolutely. We talk about it all the time. Yes. Well, being a veteran with a high clearance, I learned how to protect things at a very young age. Let me absolutely. Everybody just wanted to mention Cybercrime Junkies Prime. We now have a subscription available through our podcast and it offers exclusive content, bonus episodes, and even pre-releases of all of our standard shows.
We keep it simple, it's just the cost of one cup of coffee, one time a month, and you [00:10:00] can cancel anytime. You can subscribe by scanning the QR code next to me in the video or by clicking the link in the show notes. If you select not to subscribe to our Prime membership, please at least consider subscribing to our YouTube channel.
It's at Cybercrime Junkies podcast on YouTube, and it's absolutely free. It allows us to bring great guests on the show. Thank you for your support, and now let's get back to it.
At a young age, let me Absolutely. Can you tell my origin story real quick? Absolutely, please do. Because this, this is so, so important because so many people, The outside of cybersecurity, there's a lot of veterans that struggle to get employment and cybersecurity is a wonderful transition for military personnel.
It is for, for a couple reasons. One, the, the security clearance, the technical skills, the transferrable skills, but also people that I find that are drawn to cybersecurity are drawn by a, a bigger mission. Yes. One to serve [00:11:00] and protect. And so that is right in hand with why you were in the military in the first place.
I loved how you put that to serve and protect. Yeah, that is exactly it. You build the security mindset. Mm-hmm. We were talking earlier about Bruce Schneier wrote about this 15 years ago, you know, having in your mind about what can go wrong and what do I need to do to prevent it, detect it, and respond appropriately to it.
This is all ingrained, even if you're not. A technician by trade. It's how you think. So I had a, I went through ROTC at Michigan State Shaman's plot there go green. Yep. And my fifties. I had a computer science degree. I was an intelligence officer back in the nineties. You combined those two got me into the early days of information security.
Absolutely. Before it looked anything like it does today. Right. Well, I was a, a Unix sysadmin before Linux. Mm. Wow. I developed my own security checklist, mainly because I wanted to protect my own stuff. I didn't want anyone [00:12:00] messing with my servers. Mm-hmm. So I figured out how to secure it, how to share that information, and then organizations said, Hey, can you do this for networking for Windows infrastructure for applications?
So it just. Easily transferrable skills from the military. And that's the idea with VetSec. We are a group that is passionate about building other veterans, brothers and sisters of arms who are looking to transition or just keep developing their career within technology or cybersecurity. That's amazing.
That's amazing. And what a what a what a great cause too. Yes it is. And we do build each other. We help each other through multiple aspects, whether it's resume reviews, practice interviews, job leads, even mental health. Okay. So we were just talking about VetSec and you were talking about mental health.
Yes. And, and so let's continue on there. So even though mental health awareness month is may, it's something [00:13:00] we need to be always aware of. With ourselves and with others, you know, what are we doing to look after ourselves? If you can see it with others as well. You see signs where they're beginning to feel stress.
Yeah. You know, pulling them to the side saying, okay, we're gonna call it time out. You know, take time away from technology for a little while like you did, David, as you went on your break. Yeah. This way we come back, we're refreshed and we're energized. Yeah. Otherwise you just burn out, right? The yes, the same because stressors and things like that seem to be on how you absorb it, right?
Yes. Like it's you, you can handle the same scenario, and if you're in a good mental space, right, you're fine. Right? It rolls right off and if it, if life is overwhelming, you even a little thing can just overwhelm you. Yes. So exactly, so true. That's so true. Having common groups like VetSec, there's multiple others, you can do it within the security community, whether it's [00:14:00] ISACA, (ISC)², ISSA, I mean, these are all good communities to be a part of, to build your career and build yourself.
Absolutely. So, you know, being in the cybersecurity community, like all communities, there are events and there are conferences. Mm-hmm. And the cybersecurity conferences are always colorful. As a, as a good way of calling 'em like mm-hmm. You know, not, not just DEF CON. Right. But, but, but you know, even RSA and some of the others.
Mm-hmm. You recently had, you were at RSA, you had a, a presentation on influence. Yes. And address some new approaches in social engineering. So we would love to hear about that. So first of all, what is influence? And then let's talk about these new approaches in, in social engineering. So influence are the, the good and bad side of influence.
If you look at the quintessential leadership and. Books like How to Win [00:15:00] Friends and Influence People. Mm-hmm. You know, from the 1930s, people think, well, it's old still. The ideas are the same and are often repeated In modern, not that much has changed. This is kind of an electronic version of what's been going on for a while.
Right, exactly. It's how do you connect with others? Right. Particularly over this type of a medium, it's gotten to be a little more challenging. How do you read, you know, micro expressions if you read that? Mm-hmm. The little expressions people may use to, you can if they're confused or something. So my talk on influence goes through all of these different aspects on more of the interpersonal or soft side of cybersecurity.
And how we need to be leveraging that in order to influence decision making. So David, I, I did a study for the Economist magazine, partly sponsored by Oracle. It was like three or four years ago when I was full-time at the university, and we were talking to CISOs from that study. We realized that [00:16:00] there's two common challenges They have.
One, being able to prioritize risks, right? I mean, there's just so many. Cyber risk. Which one do we go after? Right. The other common challenge is how do we influence decision making within the business? Right. Going back to those business skills. Yeah. Internal business case, right? Yes. So it's. Using these different types of influence or the, the negative side being influence.
So influence is more of the manipulation of it. Influence is more of the positive reinforcement. How do we get people to arrive at decisions that we've already made, you know, but on their own. For example, right. A story I would go when I worked for a Fortune 200 company, go and just join different meetings.
Mm-hmm. I, I'd make sure you know, that some would apply, but I was being part of the cybersecurity team. They'd be general it meetings, I wouldn't have to say very much [00:17:00] because just being a presence in the room, get them thinking about security. And they, oh, really? So you, so there would be a, there'd be an IT meeting and they'd be talking about a server refresher, whatever it is.
And then you'd be there and then all of a sudden somebody would bring up, well, how are we gonna secure this down? What about access to the, to the data? Things that they start thinking about that because you're in the room. Yes. Wonderful word happens. Social experiment. That's a really cool social experiment.
Well, they then own the decision. So it's not security telling you what to do, you're doing it for compliance. They're doing it again to protect their so stuff. Re preventing their own headaches is a phrase I'll sometimes use. Yeah. Who owns the headache? So once you can determine who owns the headache, helping them derive ideas for how to solve it.
So it's simple techniques like that I share during my session that you know you can use, whether it's likability, approachability, Building a [00:18:00] rapport, finding something in common with people. It's the same techniques that the, the evil hackers, threat actors will use to try to social engineer their way into an organization can also be used very positively to build and sell what we're doing for security.
Absolutely. That's really interesting. So what, what are some of your findings or what are some of your recommendations? Do you have any specific ones for any particular industries or size? Size organizations? Mm-hmm. From, from, from the findings. Mm-hmm. That, that you have. So one is well keeping information, security, simple kiss always about.
Mm-hmm. Simplifying, for example, in this being the Cybercrime Junkies podcast, you know, how do we. Reduce fishing, social engineering. First of all, fishing will never go away. I'm right. Very convinced all of its forms we're gonna still see. We still get junk mail in snail mail. Yeah. So never go [00:19:00] away. What do you do about it as just as important?
So this is one I tell my 90 year old mom. If you see something, you say something. If your Spidey senses are going off, you ask. Mm-hmm. Hey, hey David. I just got an email from the IRS, right, saying that I didn't pay my '22 taxes. I know I did, but they said I have to click on this link. It took, it looks just like the IRS, right?
What do you think? Right. See something, say something. I mean, so to me it sounds simplistic, but to me there's great levels of sophistication in simplicity. Because it's very powerful. People try and, you know, they wanna answer something in mm-hmm. You know, 42 page dissertations and I'm like, if you can't say it in two sentences, we don't understand it.
Like Right. It's, it's gotta boil down to so, and you know, it's, it's, mm-hmm. Social engineering to me is, is often if someone's asking you to do something that could [00:20:00] potentially be against your interests. In a tight timeline, right? Mm-hmm. Don't do it like that's a red flag, right? Like go tell somebody about it.
Just get another set of eyes on there, and a lot of adverse things can be avoided. Exactly. And then to take from psychology Daniel Kahneman's Nobel Prize-winning book, Thinking, Fast and Slow, moving from the fast brain, the emotional brain mm-hmm. The amygdala to the slower brain to process. Just the act of asking the question.
Does that, it causes exactly just the pausing, just the pausing. Yes. A lot because, and, and, and we've had some neuroscientists on this show, and they've told us that exact same thing because they, because they've said just the po like when you're caught up in the moment, you like, mm-hmm. You can train somebody.
Here's what to look for. Here's a red flag. These are all the red flags of what a phishing email looks like. But when you're caught up in the moment, right, your brain [00:21:00] biologically can't process that. This is. A red flag. So always pausing. It allows your brain to catch up and allows the rational brain, the neocortex, to kind of take over and be able to, to, to then be, oh, this looks just like that one before.
But when you're rushing through that, you, you have that amygdala hijack. You can't even process that. That is what you're recognizing. Yes. So just call a self timeout. Nothing is that much of an emergency unless it's a life that's in jeopardy. I don't know of any lives in jeopardy where you have to click on a link to No, save life.
Sorry. Yeah. The IRS is not gonna do something normal. Will Microsoft within 24 hours? No. Or the No. No one's gonna shut off access within 24 hours, right? Yeah, no. And yeah, maybe if you're a first responder that, but even them, it's, they are. Physically there and they know what to do. Yeah. And if you watch, when they come onto a scene, they always [00:22:00] assess Yes.
You know, they'll, they'll go and they'll scope out, but they know how to do it first, right? Yeah. They perform recon. This is Hacking 101, by the way, what's the first step of hacking? Recon, right? Look around. What is around me? What do I need to know? What information do I need to know? Gives our brain a chance to process and then turn to somebody else and ask if you're not sure.
And this is for viewers. Yeah. Don't worry about, I, I'm asking the stupid question. There is no such thing. I fully believe that, you know, as a professor, I love it when students ask questions. I've done this with my daughter. She once had a question about a math class. I'm like, did you ask the teacher? I didn't want to appear stupid.
I'm like, Kat, you were born with my big mouth. Ask. If you have a question, someone else will. And that's true. So you were, were talking earlier about acronyms. So if someone says a TLA, you don't know, ask. Mm-hmm. Because there's so many [00:23:00] three letter acronyms out there. Absolutely. And that's also one of the techniques I use working with the business is explaining quickly, interpreting.
Do you watch comedians, David, like Fluffy? Always. Yes. So watch him, how he does translation between Spanish and English. Flawlessly. And, and who is this again? Who? Gabriel Iglesias. Oh, of course. Yes. Yeah. Hilarious. Lovable. Yeah, it's hilarious. He will, he tells you I'm gonna be speaking Spanish, but don't worry, I'll be translating.
And it's just very natural. You don't even realize it. Yes. We can do the same thing with our tech terms, you know, when we're talking about, I love that analogy. That's a really interesting analogy to say, you know, with a SIEM, security incident and event management, you know, logging system, and then you explain, then you just.
Continue your sentence. You just provide a quick five second translation. Right. We're looking for weird stuff. We're searching for anomalies. Right. That's all. It's right. Yes. You know, stuff that just like, it raises your spidey senses when you [00:24:00] see data moving from From, yes. From Omaha to Pakistan. In the middle of the night.
Something's up. We, we need an alert, right? Yes. It's some, yeah. Interesting. So interesting. So, yeah. And so keeping it very conversational as you're speaking. Yeah. It can be hard for more of the, the technical crowd to do, finding personal analogies, telling stories. So I did this again for a, a large company, bring your kid to Workday, gave a presentation on protecting kids online.
Oh yeah. Always a big challenge. I mean, especially in the day of In the days of TikTok and, and everything and it's really tough social a lot and well, yeah, I actually asked my son when he was 13, you know, do you have any friends online? You don't know, you know, and our age, of course, we knew all of our friends.
How many friends do you have now that you really don't know if they're really your friend or not? Anyway. Well, and with kids too. I mean, like, you know, the bullies used to just be on the playground. Well, now they're in their bedroom with them. [00:25:00] At at one o'clock in the morning if they have their phone in there.
Right. Like trolls. They can be, yeah. They could be cyber bullied while we're asleep. Right. And it's just learning how to step away from it. Mm-hmm. So quick tip, if you're feeling again, if you see something. See, see something I was just about to say, say something. Say something. Right? Yes. Don't feel we are not alone.
Mm-hmm. That can be daunting, but it's also very empowering, right? Knowing that. There's a lot of support available out there. But what I did in teaching child safety online, I was actually talking to the parents on how to protect the computers at work. I just didn't phrase it that way. Cause I knew they'd protect their kids.
Right. Same ideas apply. Mm-hmm. You know, in terms of if you see a weird link, double check it. Yeah. Making sure you're using strong credentials. Now, moving to multifactor authentication, you know, Because passwords are just such a weak form of proving identity. Staying up to date on patches, [00:26:00] you know, those simple, how many times do we keep saying these simple things, David, we're just Groundhog Day.
Everybody keeps saying like, I don't know why we need to be trained on how to spot a phishing email, et cetera, because we know that it's so basic. It's like, and yet statistically nobody's learning it. Right? Right. And yet there's still a major issue. Well, there's new mechanisms for it. It's not just through email anymore.
Right. It can be, you know, someone friends you on TikTok or your social media. Yeah. Sends you a link. You get a link through a text message. I, I have a term I call wishing, webinar phishing. Mm-hmm. You know, I hop on a, a Discord, Slack channel or some webinar and then, you know, build the trust through the beginning of the webinar and then submit my evil links.
Yeah. Could that be used as a conduit just to, I only need to trick one person, so if that works. Wow. Yeah. Wishing that's an interesting one too. Yeah. So it's just a, a new form of [00:27:00] the old technique is all It's Sure. And then, and then there's, there's jobs. A lot of people are out there looking for a lot of layoffs lately.
A lot of people are out there looking for work. There's a lot of. Resumes flying around with malicious links in 'em. And so HR is getting hit. Yes. There's there's a lot of that going on too. Oh. Most definitely. So it's just being aware who you're sharing your information with. I mean, yeah, you announce, or you put open for work on LinkedIn, all of a sudden you could be getting messages from all over the world.
Oh, and not all, some jobs are real. Sound really good to be true, right? Yes. But they could be money mules. Mm-hmm. A look up how, what the FBI says about being a money mule. Hey, do you wanna work? Do you wanna work remote? All you have to do is repackage. You can do it whatever time you want. Not. That was a whole warning that they issued.
Yes. Just, just a, just a few months back. There was also the warning about deepfake. [00:28:00] Yes. Right. People applying for remote jobs, using deepfake technologies to get those jobs. And then they don't even have to hack the company. They could just get right in. Right. Because during onboarding they give 'em access.
Mm-hmm. And as, as AI and as deepfake technologies develop it's gonna be more and more, more and more challenging. Yeah. We can create a whole persona based on a whole lot of fake information. So it's, yeah. Again, proving identity, cycling back to zero trust. I was just about to, I was just about to do that because it really gets into.
What are the rules, right? Because there's all these different standards out there and there's no concrete set. And I know the US government issued their, their US strategy recently and, and it was interesting cuz it was different than the last few that have been out there. Mm-hmm. And this one talked about offensive movements as well as, you know, like preemptive strikes.
And then also holding certain [00:29:00] product vendors or service vendors liable, which is interesting. It'll. It's, it's, it's interesting that they said it. Mm-hmm. Now. Mm-hmm. What'll be interesting is what legislation happens. Yes. Like what actually comes from this? How do you begin this First, what, what is your take on what, what do you think could come and what do you think might be likely to come?
Well, I think it's great. We're now seeing leadership and direction from US federal government. I know not everyone will agree with me, not as, and they do have the mandates for federal agencies. The rest of us can follow 'em as guidelines. For example, NIST, the National Institute of Standards and Technology, has all of their special publications required for federal agencies.
But you'll find organizations worldwide are now using them just as, Hey, this is a sound approach to follow. Exactly. Grace Hopper said a long time ago, if you remember Grace Hopper, one of the luminaries of computer science Oh yeah. The wonderful thing about standards is there are so [00:30:00] many of them. Exactly.
Yeah. I, I, I wanna do it this way. Well, this, it violates a standard. Well, let's find a different standard. Right? And, and so you really want to find one that has credibility that. That is also executable lot, right? You can still operate Exactly. And not being so beholden to it where you're stuck in compliance.
Right. Well, that gets to the whole debate. Let me ask you this, a very simple question. Mm-hmm. The difference between security and compliance. What is your take? So I once asked my boss this difference between security and audit, which I see being very similar, right? So security is more proactive, forward looking.
Compliance is more react. The backward looking, are we doing what we said we would do? Security tries to understand future risks. How do we prevent future issues? Yeah. And gets into that whole risk-based science where compliance is more of that checklist mentality. [00:31:00] Are you doing this and can we prove it?
So it's also the difference between an assessment and an audit. All I say, all auditors are from Missouri. Why do I say that? Missouri's the Show-Me State. So that's great. Right? Proof. Yeah. With an audit or compliance. Yeah. You can't just say, okay, yeah, we're doing zero trust. Okay, prove it. Yeah. Where's your evidence?
And that often can be the challenge too, is how do you show, you are reaching a particular level of maturity or you're. Have a control in place, or if you don't have a control in place, you have compensating actions. Mm-hmm. Let me share a quick story. I often share this one. Absolutely. This was an international hotel chain I worked with, and about six years ago, Windows 7 was still a thing, believe it or not.
Oh yeah, I know. I know. It was still a critical app on Windows 7, not even a service pack. Right. [00:32:00] And they said we can't update it. This app, you know, we need an, an exception that we don't have to update. Can you grant it to us? Long story short. Yes. And everyone's freaking, but it says thou shalt patch.
Okay, we, it comes down to what questions are you asking. So what is the app? It was like a U Room utilization rate. So there was no personally identifiable information. Okay. Nothing super sensitive or proprietary for the company, but it was used by numerous analysts, like five. How many analysts? Five internal people.
Well, when Windows 7 went end of life, they weren't able to. They weren't able to keep getting the, the patching and the security frameworks built into it. Right. But do you always need it? No, we were able, able to use zero trust at the time, segregate it, micro segmentation. Mm-hmm. On the network, but at multiple levels, not just at the network, at the access level, at the [00:33:00] application level.
So even if there was a compromise, it couldn't do any harm. Right. Yep. And would be sticky limited. Yep. Limited the blast radius. It would just have been that server. Right. You know, known risk. So it's just quantifying the risks, you know, and, and coming to that business decision point, coming back to how do we discuss those with the business owners.
I was just about to say, so, so that's an exception that is. That's a risky thing to do, right? Mm-hmm. Allow something that is gonna remain on systems that are outdated at the like mm-hmm. In, in, in light of the end of life of Windows 7, but so long as you can configure it, right? Yes. It makes perfect sense.
It makes perfect business operational sense. No harm, no foul, right? Like you're able to be like, look, worst case scenario, it's not gonna go anywhere. It's gonna blast down there. Mm-hmm. It'll be limited down there and that's it. Yeah. So that's a brilliant move. That's a great moment. Moments [00:34:00] I have that should be a story you share on a podcast.
Oh, you just, oh, yes, you just did. No, that's really good. Like, I love hearing stories like that because that's a, a great example of implementing security the right way. Compromising balance with security. Yeah. Yeah, being willing, because again, compliance tends to be, well, we say we have to do this, and I've done this with, during an IRS audit for a financial organization, you know, and they came back, no, you need to do this for IRS, you know, 1075.
And there was no compromise there. And if you actually follow all of the rules, you can brick a box. It looks like I just lost you. No, I'm, I'm here. Okay. Yep. One, one second. Sorry, my machine just went to sleep. I've been talking so much. Oh, it's okay. Anyway, so if you follow all of like the CIS Benchmarks or the DoD Security Technical Implementation Guides, you can [00:35:00] accidentally over-secure a system to where it's not operational, right.
Yeah. So it's, you can over-secure a business to where it's not operational, right? Right. Yes. And, and that's the whole thing that I keep searching. I keep searching for the holy grail in security. And to me it's, it's, it's a case by case basis because we can't be the mayors of the town of no. Right. We can't just say, no, we can't do this.
No, we can't do this. No. We have to find a way to make it happen. But it's part of the reason why I, I love the Zero Trust methodology. Mm-hmm. And, and the framework is because you're able to segment that like you did in that one with that one app for the, yeah, for the hotel chain. Or like you need FTP, the old protocol, right?
For file transfer? Yes. Yeah. Someone needs to transfer files. Well, first of all, that is an old, archaic way of doing it. Mm-hmm. But again, okay, fine. If you want to do something that's insecure, we're gonna treat you like the rest of the internet. Right? Yeah. And just assume that you [00:36:00] can be compromised, limiting what can happen.
It's like, Learning from other fields, and this is maybe one of the parting thoughts I wanna leave the cyber crime junkies, is that, let's stop thinking of cybersecurity as only cyber problems. You were asking earlier, like I'm looking cybersecurity, like the auto industry automobile industry of the 1950s and sixties, before all of the safety and security controls you asked about.
Mm-hmm. Federal government, you know, they now hold auto manufacturers liable if there's a known defect. Fact, right? We're just taking that model and moving it into the cyber realm, right about time. Yeah. Well, and, and, and that gets into one of the last questions I want to ask you, and that is, what role or where do you see the cyber insurance industry playing in this?
Mm-hmm. Because, you know, I, I, I saw a, let me tell you a quick story. I saw a video from a commercial. It was, it was actually a, a, an interview. When [00:37:00] they were starting to require people to wear seat belts. Mm-hmm. And they interviewed these people, I don't know if they were in Kansas or in the Midwest, but they had a beer in the car and they were like complaining.
I can't believe after a hard day's work, I, I have to start wearing a seatbelt now. Next they're gonna tell me I can't, like, have a cold one when I'm driving. It's like, oh my God. We've come a long way. Right? Yes. And, and the data supported, just like the data supports. Some modifications in security, right.
Links. Please reach out to Ron on LinkedIn. Yes. And check out all of his work. All of the links are in the show notes. Thank you very much, sir. Have a great evening. Thanks everybody for listening. Thank you all. Hey, well that's a wrap. Thank you for listening. Our next episode starts right now. Please be sure to subscribe to our YouTube channel.
It's free, and download the podcast episodes available everywhere you get podcasts. To support our show and get exclusive [00:38:00] pre-release episodes and bonus content, please subscribe to Cyber Crime Junkies Prime. Link in the description and show notes, and thanks for being a Cyber Crime Junkie.