Talking About Cybersecurity Risk Assessment With Steve | 2Secure Corp


In this podcast episode of The Cybersecurity Insider podcast, host Yigal Behar introduces his new guest on the show, Steve Magnani. 

They covered a lot of ground, from patching issues to backing up data, dealing with service interruptions, explaining the difference between a cybersecurity audit and a risk assessment, and much more.

Introducing Steve Magnani

Steve shares that he spent 33 years at Citigroup, where he oversaw various security programs, including multi-factor authentication and vulnerability assessment management. Currently, he consults for a corporation on the East Coast, focusing on their vendor management program. 

Steve expresses his excitement about joining forces with Yigal and 2Secure to educate and raise awareness among small and medium-sized businesses about the importance of cybersecurity assessments. Every business, regardless of its size or industry, is vulnerable to cyberattacks, particularly ransomware. 

According to Steve, the cost of preventing cyberattacks is far smaller than the cost of dealing with the financial and reputational harm caused by a breach.

Sky Routers Patched

Yigal discusses a news story about a critical DNS rebinding vulnerability affecting Sky routers in the UK. The flaw could allow attackers to access the router’s home network, change router configuration, and access other devices. The flaw was first disclosed in May 2020 and was initially said to be mitigated by November 2020. However, Sky says that as of October 22, 2021, 99% of affected routers have received the update. 

Steve expresses skepticism about the reported patch statistics and recommends that users of this type of networking capability verify that their routers are patched. He notes, “I would take that with a grain of salt, and if you have or operate in this particular type of networking capability, I would certainly look into it and make sure that you have the appropriate patching completed. Well, typically in big networks and enterprises…” and adds that patching in such environments may require service disruption.

Service Disruption

Yigal discusses the challenges enterprises face when installing patches, especially in large networks. He explains that it often takes a considerable amount of time to implement patches due to potential dependencies and the risk of service disruption. 

Yigal argues that while service disruption is undesirable, it is preferable to leaving a system vulnerable to cyberattacks or data leaks. 

He then poses a question to Steve, asking for his opinion on whether it’s better to risk service disruption by patching or to leave a system unpatched and exposed to cyber threats. 

Steve points out that this question perfectly encapsulates the dilemma faced by small and medium business owners who need to decide whether to invest in cybersecurity measures. He further clarifies that the issue isn’t about not wanting to spend money but rather about the decision of how to spend it wisely.

Spending The Money

Yigal and Steve discuss the mindset and challenges faced by companies when deciding whether to apply patches that might cause service disruptions. 

Steve uses the example of a hypothetical $200 million revenue company where the CTO advises against installing a patch due to a potential 15% hit on revenue. This dilemma illustrates the trade-off between ensuring security and maintaining uninterrupted operations. 

Steve explains that companies must know how their systems connect, especially big companies that have grown by buying other companies. Without knowing how systems are interconnected, applying patches can be risky, as it might cause unexpected issues.

He also says that companies often test patches in safe environments before deploying them to avoid problems. In the end, the choice to patch or not depends on how much risk a company can accept. If they don’t know how a patch will behave, they might choose to risk service disruption in order to prioritize security. 

To Patch Or Not

Yigal and Steve return to the topic of patching and the dilemma it poses for businesses. Yigal says that the decision to patch or not is a separate issue from budget constraints. 

He describes the potential consequences of patching, such as service disruption if software conflicts arise. While service disruption is a security concern, it’s not as severe as being breached. 

Yigal often advises his clients that it’s better to be safe and experience temporary downtime due to patching than to be exposed to the risks of a cyberattack. He admits that this advice might seem counterintuitive, as it involves prioritizing downtime over uninterrupted service. 

Steve agrees with Yigal but acknowledges the challenges businesses face: many operate with thin profit margins, and any disruption to revenue can hurt the business. Ultimately, it’s a matter of weighing the risks and making informed decisions about patching and security measures.

Service Availability

Yigal connects the same point to service availability. He shares an incident where Tesla owners were unable to access their vehicles due to a problem with the Tesla app. 

According to the news, Elon Musk explained that the issue was caused by increased network traffic visibility during troubleshooting, which inadvertently led to a denial of service. 

Yigal voices his concerns about the reliance on apps and software in modern cars, stating a preference for physical keys as a backup in case of technical issues. He adds, “You need to have some sort of a backup here in case something goes wrong.”

Backup

Yigal and Steve discuss the increasing reliance on apps and smartphones for daily tasks, including unlocking cars. 

Yigal points out the lack of backup options in these new technologies. He questions what would happen if a smartphone malfunctions or runs out of battery, leaving the owner without a way to access the vehicle. 

Steve expands on this concern, emphasizing that many digital systems, both in cars and homes, lack backup options. If these systems fail or are compromised, users are left without alternatives. He points out that even major organizations like Tesla, which rely on a centralized network for their cars, need to consider the impact of disruptions and ensure service integrity. They agree that companies must have backup plans in place to maintain functionality in case their primary systems fail.

FBI Flash Alert

Yigal reads an FBI flash alert regarding an actively exploited zero-day vulnerability in FatPipe software. This software is used to combine multiple Internet connections into a “fat pipe.” 

The vulnerability has been exploited by an unknown threat actor since May 2021, allowing them to gain access and maintain a persistent presence on targeted systems. The attackers can upload a web shell, granting them full access and the ability to install malware or expand their foothold in the network. 

Yigal relates this to the previous discussion about patching, suggesting that it might be better to patch systems than to risk being exploited. 

Steve agrees that it’s important to patch, but he knows it’s not always possible to be 100% patched. Sometimes, patching things might cause other problems with the system or affect how customers use it. He says that while it’s best to be fully patched, businesses need to think about what might happen if they do and compare that to the risks of not patching. “Can you actually get there without significantly impacting your business?” he asks. 

Problems With Patching

Yigal declares that both patching and not patching can lead to operational problems. If a company is breached, it can’t serve customers or perform internal activities. 

Conversely, if a company patches its systems but experiences service disruptions, it still faces problems with customers due to unavailability. In the worst-case scenario, a breach results in data leaks, leading to customer loss and possible legal issues with authorities. 

Steve suggests that while patching might cause temporary performance issues and customer complaints, it’s preferable to the risk of a breach, which can be far more costly and damaging in the long run. He says businesses should prioritize patching and deal with any small issues that come up, instead of risking a big security problem later on.

Alternatives

Yigal suggests that there’s an alternative to choosing between patching and risking a breach: having a duplicate production environment. 

He shares an example of a conversation he had with a development company he hosts. He advised them to have three separate networks: development, testing, and production. 

While starting with one environment is common for small companies, separating them becomes necessary as security concerns grow. However, Yigal proposes that having two identical production environments might be even better. By switching between the two systems during patching, businesses can maintain service availability while ensuring a good level of security. 

Steve points out that even major organizations lack proper testing platforms, especially for complex systems like those involving APIs and services. 

He shares his experience with next-generation architectures, where testing environments were not unique or sufficient for thorough evaluation. Steve mentions that even his own programs, like suspicious activity detection and multi-factor authentication, couldn’t be fully tested in a true test environment due to the reliance on real-world data and credentials. 

The discussion then shifts to proxy environments, which were often not tested for vulnerabilities. Steve explains that this is because people thought proxies were just part of the main system, so if the main system was safe, the proxy was too. But he admits this might not have been ideal as vulnerabilities in the proxy could still pose risks.

GoDaddy Breach

Yigal discusses a GoDaddy data breach, where unauthorized access to their managed WordPress hosting environment exposed customer data. 

The breach, which occurred in early September, was discovered in November. Up to 1.2 million users had their email addresses, subscriber numbers, SSL private keys and passwords exposed. GoDaddy has taken steps to mitigate the damage, such as resetting passwords and reissuing SSL certificates. 

But Yigal points out that the root cause of the issue was likely the use of default passwords that were never changed. This points to a broader problem: when settings are misconfigured or left at their defaults, attackers can easily take advantage of them.

Configuration Issues

Yigal asks Steve if he has encountered configuration issues in his previous roles. Steve confirms that misconfigurations were common in his experience, stating that they are a major problem in cybersecurity, especially in cloud environments, where security depends heavily on configuration settings. 

While Steve wasn’t directly involved in network configurations, he was exposed to breaches caused by coding issues in applications. 

He cites NIST and other frameworks and recommends including configuration scripts in backup procedures. He also points to the shortage of skilled technical professionals capable of managing these configurations effectively. 

Steve shares an example of a small manufacturing company struggling to meet NIST 853 requirements due to their limited resources. He also says to pay attention to the “technology tree” and ensure proper controls. 

Yigal notes that with the Internet, even companies with one physical location can be considered global, as anyone can access their services. He also discusses the challenges of data management, as the amount of data is constantly growing and being accessed from multiple locations. 

This makes it difficult to track and protect data without proper visibility. Yigal uses GoDaddy as an example, suggesting they could have prevented their recent breach by forcing customers to change passwords and use two-factor authentication (2FA) upon initial login. He praises Microsoft for rolling out this practice and predicts it will become more common over time.

Cybersecurity Awareness For Business Owners

Steve believes that many small and medium-sized business owners don’t prioritize security. He suggests that even when these businesses have CTOs who recognize security issues, the message isn’t effectively communicated to the owners. 

Steve thinks that owners need to understand the severity of a security breach to appreciate the importance of cybersecurity controls. He compares these controls to insurance, saying they can minimize the damage caused by a cyber attack.

Yigal then shares a story about a retail business owner he spoke to recently. The owner had previously declined a cybersecurity audit due to cost concerns but is now reconsidering due to a recent issue. 

But the owner seems to have a limited understanding of cybersecurity, relying on basic measures like backups and employee training. Business owners don’t always grasp how complicated cybersecurity is and how the dangers are constantly changing. They often worry about the cost and assume that a few simple checks are enough to keep everything safe.

Yigal then poses a question to Steve: What would be your recommendation to them? How to get started? What would be the first step for them?

How To Get Started 

According to Steve, his recommendations for small businesses with no prior cybersecurity measures include the following: 

1. Documentation

  • Includes a statement about their business operations, the environment they operate in, and the technology they use. 
  • If formal documentation is unavailable, even a list of equipment, software versions, and infrastructure details can serve as a baseline for assessment. 

2. Scanning Their Code

  • Especially if customer-facing, scan for vulnerabilities in the code.
  • Determine who has access to what data and how they access it.
  • Evaluate VPN setups and other external access controls.
  • Scan for vulnerabilities in servers and any DMZ (demilitarized zone).

This approach helps assessors see a company’s current security status, identify weaknesses, and recommend proper measures to improve cybersecurity.

What Is A Risk Assessment

Yigal asks Steve to define what he understands a cybersecurity audit to mean. Steve explains that a cybersecurity audit involves assessing the technology, the human interaction with that technology, and any third parties involved that could potentially be breached. 

Yigal then asks Steve to clarify what a risk assessment is and how it is different from a cybersecurity audit. Steve defines risk assessment as a statement based on findings, identifying potential future risks or attacks. Yigal suggests that it can also include current risks, leading to a discussion about the confusion surrounding the terminology.

Yigal then shares his experience with the confusion surrounding the terms “penetration testing,” “vulnerability assessment,” and “risk assessment.” He clarifies that while many people request penetration testing, they often mean vulnerability assessment. 

Vulnerability assessment (external and internal) involves identifying weak points in a system, while penetration testing focuses on actively exploiting those vulnerabilities. 

Yigal maintains that risk assessment encompasses a broader scope, including not only technical vulnerabilities but also an evaluation of processes, data location, access controls, and other factors. He sees a risk assessment as a comprehensive checklist that goes beyond a simple audit. 

Yigal points out that the distinction between these terms is often misunderstood, even by professionals in the field. He says it’s important to be clear about what you want to achieve when talking about cybersecurity assessments.

Outcomes Of A Risk Assessment

Steve clarifies that risk assessment and threat assessment are distinct yet connected concepts. He describes risk assessment as a two-stage process. First, it identifies existing vulnerabilities within a system. Then, it uses threat assessment techniques to simulate how malicious actors might exploit those vulnerabilities. 

Yigal says there’s a lot of technical jargon used in cybersecurity and people need to understand it better so they don’t get confused. He then asks Steve to elaborate on threat assessment, questioning whether it focuses on current or future threats and its relationship with risk assessment. 

Threat Assessment

Steve confirms that threat assessment is a subset of risk assessment. He explains that it involves evaluating identified vulnerabilities (such as CVEs) to determine their potential severity and prioritize them based on factors like criticality, priority, and impact.

Steve says, “Obviously, you’re not going to waste your time on low-risk vulnerabilities, but you’re going to take medium and higher, right? And then, you’re going to look at how the human element interfaces with your technology.”

He clarifies that threat assessment isn’t about predicting actual breaches, but rather about identifying potential attack paths, even if the goal is as simple as harvesting usernames and passwords.

To conduct a thorough threat assessment, companies might bring in fraud specialists or other experts who can help identify how malicious actors might attack. This means running simulated attacks to see whether the vulnerabilities found can actually be used to cause real damage.

Steve mentions independent researchers often find and share information about vulnerabilities in systems, including major banks and companies like Microsoft. He particularly references the recent impact on Managed Service Providers (MSPs), who suffered due to vulnerabilities exploited in the past year.

Yigal offers his own definition of risk assessment: assigning a score to a business’s vulnerability to threats, aiming to rate both the potential for penetration and the impact of a breach. He adds that risk assessment involves understanding the relevant threats and knowing what could go wrong and how bad it could be, such as data being misused or stolen for further attacks.
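As an added example (not code from the podcast, from 2Secure, or from either speaker), the script below turns Steve’s triage rule for the threat assessment step (drop low-risk CVEs, work through medium and higher) and Yigal’s definition of a risk score (potential for penetration times impact of a breach) into a small ranking function. The asset names, CVE identifiers, and scoring weights are constructed placeholders, not real findings.

```python
"""Rank scanner findings by a likelihood-times-impact risk score.

Constructed illustration: assets, CVE ids and weights below are placeholders.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    asset: str
    cve: str                  # placeholder id, not a real CVE
    cvss: float               # CVSS base score, 0.0 to 10.0
    internet_facing: bool     # exposed through the DMZ or directly to the Internet
    holds_customer_data: bool # breach would leak customer records
    patch_available: bool     # vendor fix exists (the patch-or-not decision)


def severity(cvss: float) -> str:
    """Map a CVSS base score to the usual qualitative bands."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def likelihood(f: Finding) -> int:
    """Potential for penetration on a 1-5 scale (assumed weights)."""
    base = {"critical": 4, "high": 3, "medium": 2, "low": 1}[severity(f.cvss)]
    if f.internet_facing:   # reachable by anyone, so far more likely to be hit
        base += 1
    return min(base, 5)


def impact(f: Finding) -> int:
    """Impact of a breach on a 1-5 scale (assumed weights)."""
    score = 2                     # any compromised host costs availability
    if f.holds_customer_data:     # data leak: customer loss, legal exposure
        score += 2
    if f.internet_facing:         # customer-facing outage is visible immediately
        score += 1
    return min(score, 5)


def risk_score(f: Finding) -> int:
    """Risk = likelihood x impact, so the range is 1-25."""
    return likelihood(f) * impact(f)


def triage(findings: list[Finding]) -> list[tuple[str, str, int, str]]:
    """Drop low-severity CVEs, rank the rest by risk, attach a recommended action."""
    ranked = []
    for f in findings:
        if severity(f.cvss) == "low":
            continue  # Steve: don't spend time on low-risk items
        action = "patch now" if f.patch_available else "mitigate: no patch, restrict access and monitor"
        ranked.append((f.asset, f.cve, risk_score(f), action))
    ranked.sort(key=lambda row: row[2], reverse=True)
    return ranked


# Constructed sample findings (placeholder CVE ids).
SAMPLE_FINDINGS = [
    Finding("edge-router", "CVE-0000-0001", 8.8, True, False, True),
    Finding("wp-host", "CVE-0000-0002", 9.8, True, True, True),
    Finding("hr-db", "CVE-0000-0003", 6.5, False, True, False),
    Finding("print-server", "CVE-0000-0004", 3.1, False, False, True),
]

if __name__ == "__main__":
    for asset, cve, score, action in triage(SAMPLE_FINDINGS):
        print(f"{score:>2}  {asset:<13} {cve}  {action}")
```

The output lists the Internet-facing host with customer data first and leaves the low-severity print server off the list entirely, matching the conversation’s advice to prioritize by criticality and impact.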

Clear Communication In Cybersecurity

Yigal explains the concept of a threat by providing examples like using stolen data for further attacks, phishing emails, or malicious links sent through social media. Even cybersecurity professionals may struggle with clearly defining and communicating these concepts, especially to business owners who may not have a technical background. 

Yigal opts to focus on outcomes when discussing cybersecurity with business owners. He suggests that instead of using technical jargon, it’s better to understand their specific concerns and goals. 

This involves asking questions like whether they have a major security gap they need to address or if they are looking for minor improvements. Knowing what they want to achieve will help make the cybersecurity plan and communication more effective.

Yigal says it’s important for cybersecurity experts to talk clearly with business owners when they share the risk assessment results. He points out that experts might see every vulnerability as important, but business owners might have different priorities. “Because, at the end of the day, they are the ones with all the information, and they need to make this kind of decision.”

This difference in how they see things means it’s important to talk to business owners in a way that makes sense to them and focuses on what matters most to their business.

If you enjoyed this episode of The Cybersecurity Insider, check out our library of insightful discussions and expert interviews. You can find our entire collection on YouTube, Apple Podcasts, and Spotify. Don’t miss out on staying informed and up-to-date on the latest cybersecurity trends and threats. Subscribe to our channels and never miss an episode!
