
This Week in Enterprise Tech 542 Transcript

Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.


Louis Maresca (00:00:00):
On This Week in Enterprise Tech, we have Mr. Brian Chee and Mr. Curtis Franklin back on the show today. Now FIDO standards are becoming the litmus test for secure logins. Passkeys are checking all the boxes there, especially the ones for phishing resistance. Google is now implementing passkeys across all of its properties. The question is, will it push that standard forward? We'll definitely talk about it. And do you wanna empower your users to take personal responsibility for protecting your information? Well, today we have Lise Lapointe, CEO of Terranova Security, and she's gonna help us navigate the ever-changing landscape of security awareness and what focus you need to have as an organization. So you definitely shouldn't miss it. TWiET on the set.

Announcer (00:00:41):
Podcasts you love from people you trust. This is TWiT.

Louis Maresca (00:00:54):
This is TWiT, This Week in Enterprise Tech, episode 542, recorded May 5th, 2023: Technology is easy. People are hard. This episode of This Week in Enterprise Tech is brought to you by ZipRecruiter. Did you know that hiring can take up to 11 weeks on average? Do you have the time to wait? Of course not. Stop waiting and start using ZipRecruiter. ZipRecruiter helps you find qualified candidates for all of your roles fast. Right now you can try it for free at ziprecruiter.com/TWiT. And by Decisions: don't let complexity block your company's growth. Decisions' no-code, rules-driven process automation software provides every tool needed to build custom workflows, empowering you to modernize legacy systems, ensure regulatory compliance, and renew customer experience. Visit decisions.com/TWiT to learn how automating anything can change everything. And by Bitwarden: get the password manager that offers a robust and cost-effective solution and can drastically increase your chances of staying safe online. Get started with a free trial of a Teams or Enterprise plan, or get started for free across all devices as an individual user at bitwarden.com/TWiT. Welcome to TWiT, This Week in Enterprise Tech, the show that is dedicated to you, the enterprise professional, the IT pro, and that geek who just wants to know how this world's connected. I'm Louis Maresca, your host, your guide through this big world of the enterprise, but I can't guide you by myself. I need to bring in the professionals and the experts, and we get to welcome back the happy traveler, Mr. Curtis Franklin, principal analyst at Omdia. Speaking of busy, you just came back from RSA. How was that trip?

Curtis Franklin (00:02:41):
It was good. I had a total of, I think, 35 meetings in four days, so it was a standard-issue RSA: lots of great conversations talking about AI. I counted, and there were two of those conversations that did not mention AI in some form or fashion. And then of course talking about a lot of training, in terms of awareness training and professional training, and also talking about risk quantification, which is the subject of my next big report. So lots to talk about, lots of interesting stuff, and some things that should keep us talking for some time to come.

Louis Maresca (00:03:28):
Sounds good to me. Sounds good to me. Well, thanks for being back, Curtis. Appreciate it. Well, speaking of busy, we also have our favorite network expert, Mr. Brian Chee, who's also been building his own private broadcasting network or something like that. How are you doing, Cheebert? How's that going for you?

Brian Chee (00:03:41):
I'm doing well. I'm being cheap because it's a 501 [inaudible] [inaudible] nonprofit charity, and we're trying to deploy digital signage around the Central Florida Fairgrounds. And so I bought some used BrightSigns, which I love. You know, they're great. However, unfortunately, they suffer from the same kind of issue as the original Raspberry Pis, and people seem to feel like just yanking the SD cards out instead of pushing and letting it click like a ballpoint pen. And so two out of the four that I just bought on eBay, I'm gonna have to unsolder and solder some new SD card holders in, which is going to be painful, but hey, at least I know how to do it right <laugh>.

Louis Maresca (00:04:26):
That's right, that's right. Hey, sometimes you do get hit for buying things on the cheap, but hey, once it's working, it's gonna be all worth it. So we'll see how it goes. Thanks, Cheebert, for being here. Well, FIDO standards have become a litmus test for login technology and security, and passkeys check all the boxes, especially the ones regarding phishing resistance. But will Google join the bandwagon, and when they do, will it push that standard forward? We'll definitely have some thoughts there. We'll get into that. Now, do you and your organization wanna lower your attack surface? I know a bunch do. Well, how about empowering your users to take personal responsibility for protecting your information? Well, today we have Lise Lapointe, CEO of Terranova Security and the author of The Human Fix to Human Risk: 5 Steps to Fostering a Culture of Cybersecurity Awareness.

(00:05:14):
And she's gonna take us through how to navigate the ever-changing landscape of security awareness and some really helpful information for you and your organization. So definitely stick around, lots of great information coming up. But first, like we always do, a ton of stuff happening this week in the enterprise. So let's go ahead and jump into this week's news blips. Now, one of the most valuable assets to organizations is definitely their data. Well, according to this Semiconductor Engineering article, chips are becoming so complex it's hard to step in and debug data scenarios. The problem is trending in complexity because of the fact that there's more and more need to store data as part of that compute package. Now, data leakage is a matter that can also be exploited, and in some circumstances it can't be fixed without a recall on hardware or a hardware upgrade. If you're interested, here are some of the unpredictable scenarios around data leakage: manufacturing defects, circuit aging, electromigration, time-dependent dielectric breakdown, and thermal-related damage, among other things.

(00:06:16):
Now, this can provide a side-channel attack without actually hacking the chip. Doesn't make you feel warm and fuzzy in that case. Well, another cause is actually knowledge repositories for designing chips that are actually aimed at keeping learning in-house. They don't allow the information to be shared externally because it's proprietary. In addition, there's also a continued talent shortage at all levels, from design through manufacturing, which often means that in-depth skills and competitive knowledge developed in one company will follow employees to jobs at new companies and then allow that information to get out. And these data leakage issues in hardware may not even be a flaw, but a weakness that's exploited in a very clever fashion. Now, if you've thought about security, and if you haven't thought about these scenarios, network hardware's also in there. How about tracing those hardware issues in the hardware bus?

(00:07:03):
It's maybe ensuring timings are right, or so on and so forth, to make sure there's no data leakage. Well, the question is, is there a solution to all this? Right? Well, some experts actually say decoupling single chips into what they call chiplets, thinking about the same scenario, maybe an analog to that is breaking down services and breaking them apart into microservices, they hope that that will make things better. Now, chiplet-based approaches or multi-chip packages will give the chips the ability to actually yield the security you need. Now, if you're not a hardware expert or you're not a hardware business, you might think, ah, this doesn't impact me. But think about all the network appliances that are processing, let's say, 800 gigabits per second of Ethernet traffic. Those chips have flaws that might not have been done right. Now, going forward, chip makers and IP developers will have to work harder to maintain a divide-and-conquer strategy for employees and stay vigilant in monitoring the flow of data whenever it's possible. The question is, without AI, will it be possible?

Curtis Franklin (00:07:59):
Well, if you haven't made plans for early August, you might want to keep a trip to Las Vegas in mind. There's gonna be a whole lot going on at a pair of conferences. Case in point: the White House has organized some of the nation's leading developers for an event at the AI Village at DEF CON 31 in August, where their algorithms will be exposed to close scrutiny and rigorous vetting from the public. Those participating include Google, Hugging Face, Microsoft, Nvidia, OpenAI and Stability AI. This public display is part of a series of announcements meant to address the spectrum of concerns around AI, including its economic impact and potential for discrimination. Now, this is just the latest in a series of announcements on artificial intelligence that have come from the White House. In October, we saw the Blueprint for an AI Bill of Rights and associated executive actions.

(00:08:57):
In January, the National Science Foundation mapped out a plan for a National Artificial Intelligence Research Resource, which is just now coming to light. In March, the National Institute of Standards and Technology, or NIST, released its AI Risk Management Framework. Taken as a whole, the new AI actions and policies make clear that among all the other risks, cybersecurity must be top of mind when thinking about AI. And that's not all: to mitigate the cyber risk in AI, the National Science Foundation will be funding seven new National AI Research Institutes that, among other things, will provide research in the field of AI cybersecurity. Criminals and threat actors have already begun to use AI, with auto-generated YouTube videos that spread malware, phishing attacks mimicking ChatGPT, malware developed through ChatGPT, and plenty more creative methods. But the real problem with AI is far larger and far more threatening to the future of a safe internet. According to experts, AI may one day enable hackers, even those without technical skills, to spread malware at scales we have not yet seen. According to an article at Dark Reading, the biggest threat from AI is misinformation. Depending on the data collected in training a model and how robust that model is, it can lead to serious use of misinformation in decision making and other incredibly dangerous outcomes that could have incredibly long-lasting results.

Brian Chee (00:10:38):
So a big thank-you to Dark Reading for this article, especially because it talks about two sides of the argument. So the article goes on to say the thousands of hotels and other entities in the hospitality industry worldwide using Oracle's OPERA property management system might want to quickly patch a flaw in the software that Oracle disclosed in its April 2023 security update. Oracle has described the vulnerability, CVE-2023-21932, as a complex bug in the Oracle Hospitality OPERA 5 Property Services product that only an authenticated attacker with highly privileged access could exploit. The vendor assigned it a moderate severity rating of 7.2 on the CVSS scale, based, among other things, on the apparent fact that an attacker could not exploit it remotely. Well, the researchers who actually discovered and reported the flaw to Oracle disagree with the company's characterization of the vulnerability and called it incorrect.

(00:11:44):
In a blog post, researchers from attack surface management firm Assetnote and two other organizations said they had achieved pre-authentication remote code execution using the bug when participating at a live hacking event last year. The researchers described the target in that event as one of the largest resorts in the US. "This vulnerability does not require any authentication to exploit, despite what Oracle claims," Shubham Shah, co-founder and CTO of Assetnote, said in a blog post this last week. "This vulnerability should have a CVSS score of 10.0." I'm gonna skip ahead a little bit in the article and talk about the order-of-operations bug. Shah, a bug hunter on the HackerOne platform, discovered the vulnerability while conducting a source code analysis of OPERA in collaboration with Sean Yeoh, engineering lead at Assetnote, Brendan Scarvell, a pen tester with PwC Australia, and Jason Haddix, CISO at adversary emulation company BuddoBot. Shah and the other researchers identified CVE-2023-21932 as having to do with an OPERA code segment sanitizing an encrypted payload for two specific variables and then decrypting it, instead of doing it the other way around.

(00:13:15):
This type of order-of-operations bug gives attackers a way to sneak in any payload via the variables without any sanitization happening, according to the researchers. Well, this kind of reminds me of another hotel management system, when the Tandem NonStop series had a glitch which cascaded through a large number of hotels around the world. My question is whether the almost monopolistic nature of hotel management systems has in itself become a vulnerability.

Louis Maresca (00:13:50):
GDPR has been a challenge for a number of global organizations, but it's provided a lot more control over your data when interacting with businesses. Now, if you're a serious global business, you've probably put in place processes to ensure you're meeting GDPR rules. Well, according to this Register article, a recent decision regarding GDPR compensation rates might have businesses rethinking the strategy of not taking GDPR seriously. Now, in the new ruling, there is no threshold that non-material damage needs to pass before data subjects can make a claim. Now, if you're wondering what non-material loss or damage is, it essentially means it didn't directly cost you any money, like a loss of income. Examples include pain, suffering, shame, affronts to dignity, trauma and anxiety, just to name a few. Now, the European Court of Justice was asked if it could give a threshold for how bad this needed to be before you had the right to claim compensation.

(00:14:42):
And it appears from this week's judgment that there's no minimum. That's right: you violate GDPR, defendants can come at you and take the game here. Now, that means you may have very little wiggle room in interpreting what GDPR means to your organization. You get it right or you get sued. Now, the court also offered some clarity around the assessment of damages more generally, saying it was for the legal system of each member state to decide, that each country could, quote, prescribe the detailed rules for actions intended to safeguard the rights which individuals derive from the GDPR and, in particular, the criteria for determining the extent of compensation payable in that context, provided that the principles of equivalence are complied with. If you haven't made sure you have processes in place to follow the rule of the land when it comes to GDPR, it might be time to get in gear.

(00:15:36):
Well, folks, that does it for the news blips, but next up we have the great news bites. Before we get there, though, we do have to thank a really great sponsor of This Week in Enterprise Tech, and that's ZipRecruiter. If you're looking to hire people, you know the market right now is flooded with potential candidates. It's a buyer's market out there right now. However, you need a way to weed through the forest to find the right candidate. Now, did you know it can take up to 11 weeks on average to hire for an open position? Well, that's almost two and a half months. So if you're thinking about hiring for your growing business, do you really have that kind of time? Well, I have a solution for you listening. Stop waiting and start using ZipRecruiter. ZipRecruiter can help you quickly find qualified candidates for all of your roles.

(00:16:23):
And right now you can try it for free at ziprecruiter.com/TWiT. Go ahead, go over there right now. We'll wait. Well, while I wait, I'll tell you just how ZipRecruiter is so efficient at helping you hire. ZipRecruiter uses powerful machine matching technology to quickly find and send you the most qualified people for your roles. You can check out the people that ZipRecruiter sends you, and if you really like one or two, you can personally invite them to apply with one click, which may make them apply even sooner. Plus, here's how quickly ZipRecruiter can work to help you hire: four out of five employers who post on ZipRecruiter get a quality candidate within the first day. So speed up your hiring process with ZipRecruiter. See why 3.8 million businesses have come to ZipRecruiter for their hiring needs. Just go to this exclusive web address to try ZipRecruiter for free.

(00:17:15):
ziprecruiter.com/TWiT. Again, that's ziprecruiter.com/twiet. ZipRecruiter, the smartest way to hire, and we thank ZipRecruiter for their support of This Week in Enterprise Tech. Well, folks, it's time for the news bites. Passkeys is a technology that was developed by Apple, Microsoft, and Google, but with any new security technology and implementation, it usually takes a long time to adopt, unless you find ways to actually migrate and get users to move to it quickly. Well, with passkeys, since it's a strong cryptographic security foundation that anchors your login privileges to your phone and your computer, adoption has actually been pretty quick, pretty fast. The question is, has it been fast enough? Well, Google has been part of developing passkeys, but they haven't really implemented it fully. In fact, they implemented it for Android phones and their Chrome browser. However, most of their services, including their websites, haven't implemented it yet.

(00:18:17):
Almost like kinda shipping really good bolts, but you don't actually use them for the construction of your own hardware. Well, now Google is making the move to actually finally integrate it and encourage people to move to it. That means with Google turning on passkey support, they will have support for almost 1.5 billion people around the world. Now, having the opportunity to actually adopt passkeys here now, that might be a question for all of us: is it enough to force users to passkeys, to get them to use it? We'll have to see. I wanna bring Curtis in here, and Brian, because Curtis, you know, passkeys, it's a great technology. Do you think it's the beginning of the end for passwords?

Curtis Franklin (00:18:59):
Yes, but I'm going to also say I think it's gonna be a long time before we put passwords in our rear-view mirror. We have seen over and over again just how resistant the enterprise can be to change. Most of that, I'll be honest, has to do with the resistance of rank-and-file employees to changes in the way they do things. The people who are listening to TWiET are unusual in the corporate sense, because the people who listen to TWiET are people who want to know how things are done, how the process works, why they're doing things. The majority of people employed by large corporations, and for that matter smaller businesses, tend to learn by rote. They go to a particular point on a menu, they make a click, they go to a different menu, they do things essentially by rote. And every time you change this, Lou, you're gonna know this exceptionally well because of the pushback you would get. Any time you suggest a change to, let's call it an Excel menu structure, the pushback is huge because the retraining costs will be huge for the enterprise. And so I think that this is a great step forward. It's a meaningful step forward. It is a necessary step forward, and it's one that's going to see foot-dragging for years to come.

Louis Maresca (00:20:50):
<Laugh> I like that. Well, right now I'm gonna throw this to you, because password reuse is a huge problem. We hear this a lot. The question to you is, though, does passkeys actually fix the problem?

Brian Chee (00:21:00):
It should. I hesitate only because of how the passkeys are implemented. In a lot of cases, I've seen passkey implementations look more like 2FA: something you have and something you know. Now keep in mind, even on things as secure as, say, hand biometrics that have been used in various military applications all over the world, those, even though they're great and require blood flowing through the hand, most high-security applications also require a PIN. So I'm gonna equate passkeys to some really good biometrics. It's going to be a way of getting forward and getting away from people always reusing passwords, which is, I think, the biggest vulnerability there is in the cybersecurity industry today. Passkeys, if properly implemented, should reroll long, nasty keys every single time, and breaking those keys should be very difficult. But then again, I saw some absolutely amazing things happening at DEF CON, and it's kind of scary, if you ask me, how talented some of these people are at finding ways around what looks like a really secure technology.

Louis Maresca (00:22:35):
Right, right. Well, we know that 2FA, multifactor, has been around for a while, and the question is, you know, we see things like SIM spoofing for SMS-based factors. The question here, though, is what makes passkeys better? What makes it more significant? Curtis, what do you think here?

Curtis Franklin (00:22:54):
Well, I think that the technology behind passkeys is more significant for a couple of reasons. One is that it does require something that you have, not something that's sent to you, not something to be intercepted, something that you have. The assumption is that that something that you have requires authentication in and of itself. If it's sitting on a smartphone, then the assumption is that you're going to use either a PIN or facial recognition, you know, some sort of authentication method to get into that device. And so it would make it very difficult for someone to steal the device and be able to get into your account. Plus there's still the something you know: you've got to know what your name is. So it is not perfect. There is no perfect security, but I think that this has a relatively low transactional friction. It has a relatively low initial cost, and it has a high degree of being something that many users are going to be familiar with, because they've had experience with banking applications and bill-paying applications and even social media networks that require some sort of sign-in using the smartphone. So this is gonna be something that has a lower organizational cost of entry than many other systems do. And I think for 95-plus percent of cases, the security they provide is good enough.

Louis Maresca (00:24:50):
Right. Speaking of good enough, it seems that actually some sites still require the old legacy passwords that are out there, but it seems like passkeys might even be a good method for maybe your favorite password manager out there to actually secure the password manager itself. In fact, I know password manager makers like Bitwarden, who's actually a sponsor, and also 1Password, are pretty active in the FIDO Alliance, and they're working on a technology that actually lets you export and import passkeys. So we'll see where that goes. But Brian, I wanna throw this to you, because that makes it almost seem like your legacy sites that are out there that still require passwords, you know, obviously if you could combine a password manager with it that's secured with a passkey, that leads to something better than still typing your password, or maybe securing or actually leaking your password in that case. Does it make it better, or is it not gonna really make it better?

Brian Chee (00:25:42):
I'm crossing my fingers and saying, yeah, it should make it better. Mostly because, having talked to a lot of folks, a grand total of password authentication systems, or any authentication system, has been a huge, huge thing for a lot of the industry. And at this moment, I don't think anyone in their right mind, unless they're really, really well funded, is gonna write their own authentication system. There are quite a few out there. OAuth happens to be one of the more famous and more common. So because it's so widely rolled out within the industry, especially in the world of open source, once the OAuth modules are vetted and have transitioned to passkeys, that's going to, in one fell swoop, change an awful lot of the industry. And I, for one, have actually been shopping. I've been browsing the Yubico site because I want to try and find some YubiKeys or some tokens so that I don't have to have like a dozen of them in order to handle all the different platforms that I use.

(00:27:08):
So I think it's gonna be a transition. My personal opinion is password managers such as Bitwarden, which is what I've gone to, with, say, something like a YubiKey, is going to be a really good answer as we make the migration, 'cause I don't think it's gonna happen all at once. It's just not gonna happen. There's going to be a lot of friction. There's, well, actually a lot of inertia, especially the higher you go in a company; the more inertia there is for abandoning what you have experience with and, you know, the comfort level. I certainly saw that when I tried to implement retina scanning on an international funds transfer system that I'd built for a bank. And almost universally everybody said, not only no, but heck no. And I had to go and change it to a PIN system because nobody wanted that light to go and shine in their eye. I think we're gonna have maybe less pushback, but we're still gonna have pushback, and it's gonna take a while for the coming generations to fully accept the change in the world.

Louis Maresca (00:28:23):
Right. Now, I've worked with a ton of organizations out there that wanna actually implement this. However, I want to go back to what Curtis is saying, which is the fact that sometimes you add some additional impedance in the pipeline around actually setting up things. I'll give you an example. I worked with an organization recently which set up this scenario of using hardware passkeys. And, you know, they started implementing zero trust, and accessing particular resources required users to use their device to log in. However, some users don't always have their device with them in order to access these things. They used to be able to still type in their password if they didn't have their device available to them. And so this organization ended up going backwards and allowing both, for the time being. Now, Curtis, how do you see this? A lot in the industry, organizations get almost bullied by their user base, from a productivity perspective, and that puts them in this bad case of kind of stepping backwards, or stepping in reverse, when they're trying to move forward with security.

Curtis Franklin (00:29:28):
Yeah, and I think a lot of companies fall victim to the "well, what if" argument. As you say, well, you know, we're gonna need you to do this. Well, what if I left my phone at home? When's the last time you did that? Well, I never have, but what if I did? Well, that would be a problem, wouldn't it? Well, what if I lost this? What if I didn't bring this? Well, what if you didn't wear pants to work? We would send you home, and the likelihood of you forgetting your phone is right up there with you forgetting to wear pants. So I think that in some cases this is a little bit of bullying on the part of the employees. In some cases, it's a way for an employee who feels out of control to try to wrestle a little bit of control back.

(00:30:18):
And some of it is the same resistance some employees are going to have to any change in the workplace. I mean, let's face it, we have all, in our careers, known people where if you got a new microwave in the break room it would require, you know, 10 days of retraining and, you know, taking to the fainting couch in order to deal with it, because it would just wreck their entire existence. These people exist, I recognize it, and sometimes the organization just has to find ways to work around them. And I think that's ultimately what will happen in this case. Now, again, I know that I am unusual for a variety of reasons. I am essentially never without my mobile smartphone. But the fact is that most adults, oh, let's be honest, most people in our society who are 12 years old or older have a smartphone on or around them all the time. And there's no reason not to take advantage of it for these purposes, especially when it really does make a significant difference in the overall security of the organization.

Louis Maresca (00:31:42):
I'd agree. One more thing too with that is that you're right about the trying to gain back a little bit of control. In fact, I worked with an organization where people complained and said, hey, if I have to use my smartphone, then the company actually needs to pay for my smartphone, because now I have to use it for business purposes. So that was an interesting case, but again, to go back to that point, you know, users, people, they want a little bit more control over what's going on. But we'll have to see just how well passkeys get adopted. Well, folks, that does it for the bites. Next up, we get to have our guest drop some knowledge on the TWiT riot. But before we do, we do thank another great sponsor of This Week in Enterprise Tech, and that's Decisions. Business process organization used to require developers.

(00:32:26):
They used to require programmers to be on staff, plus you had to hire domain experts in the area you wanted to actually automate. While low- and no-code solutions have changed the game, Decisions gives IT and business experts the tools to automate anything in your company, all within one no-code platform. They are proven to fix any business process and prepare you to withstand economic uncertainty. To be recession-resilient, you need to make deliberate management choices around resources and the flexibility to adapt. Decisions' no-code environment makes it easy for your team to collaborate to build and adjust workflows, dynamic forms and decision processes that fit your unique and ever-changing business needs. This is especially important with today's IT talent shortage. Decisions' process automation software is a complete toolkit that allows developers and business users alike to build applications and automations with no code required. Now, their no-code platform is powerful, pretty powerful, and it includes robust rules and workflow engines and a host of actually pre-built integrations that connect to any legacy system via an API, all within its simple drag-and-drop visual interface designer.

(00:33:38):
And it can be deployed on-prem or even in the cloud. Companies were caught flat-footed at the onset of the pandemic, but Decisions customers were fully equipped to respond. One of the country's largest private banks built an entire PPP loan application process for small businesses affected by COVID-19 in just two days, and they were the first to market, issuing 1 billion in loans before their competitors even got started. Decisions lets you customize workflows to automate the small decisions, producing faster results with even greater accuracy, while allowing your team to focus on the important decisions that are out there. Scale your business to better serve your customers, or reduce operational costs and save your team valuable time. Here's one great example of how Decisions automation software can actually help: Otis Elevators. You know 'em. They implemented Decisions to run daily pulse checks across their 2 million units operating globally.

(00:34:33):
By finding potential problems before they occur, they actually avoid downtime and manage service technicians super efficiently. Now, if you happen to be riding an Otis elevator, you can be assured you'll arrive safely at your destination. As a recession approaches, the durability of a business's foundation will directly impact its performance and its ability to survive. How strong is your foundation? Decisions' automation platform provides the solution to any business challenge, automating anything and changing everything to improve your company's speed to market, financial growth and operational success. They help industry leaders alleviate bottlenecks and automate pain points in their business so you can do what you do best and change the world. To learn more about Decisions' no-code automation platform and scope your free proof of concept, visit decisions.com/TWiT. That's decisions.com/TWiT. And we thank Decisions for their support of This Week in Enterprise Tech. Well, it's now time to bring the guest in to drop some knowledge on the TWiET, and today we have Lise Lapointe, CEO of Terranova Security, and the author of The Human Fix to Human Risk: Five Steps to Fostering a Culture of Cybersecurity Awareness, to help us actually navigate through the ever-changing landscape of security awareness.

(00:35:54):
Welcome to the show, Lise.

Lise Lapointe (00:35:56):
Oh, well thank you. Thank you for inviting me.

Louis Maresca (00:35:58):
Absolutely. Now we have a number of important topics that are coming up and I want to get to them, but first, our audience is a wide range of professionals, whether they're CISOs, CTOs, CEOs, IT professionals, programmers, whatever. Some of them love to hear people's origin stories. Can you take us through an abridged journey through tech and what brought you to Terranova Security?

Lise Lapointe (00:36:17):
Yes, I've been an entrepreneur all my life. So my, my third company is Terranova Security. I started in IT when I was 24 with my first company in software development and afterwards education. So I was always interested in both together <laugh>. So for me in 2000, I sold my first company and afterwards I wanted to go international and have products and not be a service company. So it brought me to security awareness and building some, it was really the, the beginning, right, 2001, starting to develop content, and there were no really laws and regulations regarding security at that time. So it all started very slowly. And 2015, Gartner came out with this Magic Quadrant and we, we figured like a leader in security awareness. So it, it helped us a lot to continue our journey with large enterprise. And after we went through medium enterprise and small businesses and we continued until today. Yep.

Louis Maresca (00:37:29):
Amazing, amazing. No, I, I work with a large, a large number of global businesses year in and year out, and all of them find, you know, securing their accesses really hard because of the fact, the human factor that goes into it. Now, I want to ask you about just common misconceptions that you hear organizations have when they're thinking about security and security assessment. Do, do they have, are they going about it the wrong way normally?

Lise Lapointe (00:37:55):
It depends a lot on the type of company that we're talking about, because some companies have been doing that, like banks or insurance, for many, many years <laugh> because of the type of business, right? So depending on what you have to protect, of course. And so some organizations have large teams of security awareness and do it very well. But they still need help because they don't have a lot of resources in security awareness a lot of the time. So we're there to help. And this is why people today, they don't really develop anymore their own content, which they would do 20 years ago, right? So they will customize it instead of redoing everything. It takes a whole lot of time. So yeah, so I would say that

Louis Maresca (00:38:44):
A lot of, a lot of organizations have pretty similar surfaces that are, you know, exploitable like for instance, email. They have you know, sites that they, you know, browse, let people have internet access, that kind of thing. Now are you seeing that most organizations, in order to solve some of their security problems and to help security assessment, do they just use, basically add additional services and solutions in the mix to make it better?

Lise Lapointe (00:39:09):
Oh yes, they do. Like I, like I just said, of course they, they use content a lot. Some companies use only content, but others complete platforms, like Terranova Security has a complete platform with the content where you do simulations on phishing, for example, or SMS and things like that. So you have a complete solution in security awareness. So, and also helping to plan a lot. One of the biggest problems is that people don't really plan. They think that just giving training is okay and enough, but if you just do training, the same thing for everybody, it's, it's not enough. You have to plan depending on the issues that you have internally, right? So you have also to target the right people, the right audience, teach them the right things, and use all the languages. If you're an international company and your people speak Spanish and you give the course only in English, there's a good chance that some people won't understand. So there's a lot of different things you have to think about when you build a security awareness plan. It's not just putting a course online and okay, everything's gonna be fine.

Louis Maresca (00:40:20):
Right? No, I, I would say a large majority of security issues that we see out there are usually due to human exploits. Social engineering techniques are one of those things that are super complex. How does, how does it add more complexity to, to help building these types of awareness?

Lise Lapointe (00:40:38):
We use a lot of simulations for that to teach all the different types of things that people could go for. And so I would say that usually in a security awareness plan, you will phish people once a month or, depending, could be more than that for people that are more targeted or that have more sensitive information, but you have to teach them. And when they, they do fall for the phish, then you have to train them more. And they have to understand what's the risk, what's the consequence of falling for that, and what will happen if, if it, if they do so. And they need to know what to do in, in that situation. So this is what we try to, to explain to the users, the importance of their, their, you know, being there and protecting the information. It's not just a security team. They have to participate and they're, they have to be aware that the information that they, they have, they need to protect it.

Louis Maresca (00:41:43):
Now, a lot of, you know, I've seen, I've worked with a lot of organizations where they've, they've put in place security awareness and they've gone through training their users. However, sometimes that's not enough. Sometimes the users are okay, I'm aware, and then they just kind of go through it and there's no, I would say, incentives for them to, to essentially really look into things that are happening. And so, have you seen this with organizations, where some organizations need a little bit of additional incentives in order for them to move forward with such a, such an awareness program kind of thing?

Lise Lapointe (00:42:11):
Yes. And it depends a lot also on the culture. We have clients in Europe, in the United States and Canada, all over the world, and it's quite different. So I think it depends on the type of motivation that they have. So we also need to measure that. So what's the motivation of our people learning new things, learning security information, knowing all that, that knowledge. So we, you, you touched that: when you wanna change a behavior, it takes time, you have to repeat it, and you have to understand also what the motivation level is of your people. So some companies that we have, like large companies, it's like marketing, right? Part of it is marketing security through the company to make people understand. And we have clients that have very, very good ideas to motivate their people to do that, and to understand and to measure it.

(00:43:06):
And others think that, you know, they, they're more conventional. When it's, you're more conventional, it, it gets boring. So some companies, they will do draws, they will win things, they will have all kinds of stuff. We have a company, for example, that has an, an online program where the more they do the training, the less they fall for phish, they, they built like an avatar. And so it, it gets interesting. So once he has all the pieces of the avatar, then they could win things, you know? So it's, there's a lot of things you can do to motivate your people, but it starts there. It's motivation.

Louis Maresca (00:43:47):
It is a full song and dance. I love that <laugh>, definitely helps. Yeah, no, we've been, we've been told by security experts that, you know, obviously we should never trust, we should always verify, or the concept of assume breach in the last, you know, especially the last several years. Has this changed the way people have gone through security awareness?

Lise Lapointe (00:44:05):
I think what changed the most in the past, I would say, years is the integration of security awareness with technology, with security technology, and also with the behavior analysis where you could target people. Instead of doing, I would, I would say like five years ago, you would do a training for everybody the same way, right? Even though you know what you're talking about and the other person doesn't know. So today it's different, where you target the people that are the most vulnerable, that have more information to protect, and then you, you target those people. So it's integrated a lot with technology today, which wasn't before. So having all this information on behavior, on motivation, on, on what they do over the web and everything. So you have all that information to be able to make programs that are more focused toward the user, not the one size fits all.

Louis Maresca (00:45:08):
Right? Right. So actually I, I can admit, I actually read your book before the show and I can, I definitely say it reads almost like a manual for organizations looking to design and implement their, you know, successful security assessment program. I think it's great. Now I want to ask you a question. Maybe you can give us a little tease. Can you tell us maybe just a few of the five steps that you put in that book?

Lise Lapointe (00:45:27):
Yes, of course. So the first step is to analyze <laugh>. So you want to analyze your information, what you wanna do. After, it's the plan, depending on this information, cuz there's, it's not the only program that's going on in the organization in that year, of course, and how you're gonna, how much time you'll have to do the program per month, per quarter, per year. And also after, you want to measure, so you measure the results and you measure the results with all the, the different reports that you'll get, of course. And you do the deployment and you also, at the end when you have all this information together, you'll, you'll go back and see, okay, how did I do? Is it better than it was? How can I improve it? So the last step is really like improving your program on a monthly, quarterly, or yearly basis, depending on the number of resources and the information that you have.

Louis Maresca (00:46:24):
Fantastic. Well, we have lots more to talk about here, especially about security assessment, and I wanna bring my co-hosts back in. But before we do, we do have to thank another great sponsor of This Week in Enterprise Tech, and that's Bitwarden. Now, you've heard us talking about it. Now more than ever, do you want your organization to be more secure? And the best way is to manage out the risk with passwords. Moving to Bitwarden for me is nothing short of a game changer. Bitwarden is the only open source cross-platform password manager that can be used at home, at work, or on the go, and it's trusted by millions. Even our very own Steve Gibson has switched over and given the thumbs up there. Now with Bitwarden, all of your data in your vault is end-to-end encrypted, not just your passwords.

(00:47:06):
Protect your data and privacy with Bitwarden by adding security to your passwords with strong, randomly generated passwords for each account. Go further, even with your username generator: create unique usernames for each account, or even use any of the five integrated email alias services. Now, Bitwarden also has new features to announce in their latest release, including there will now be an alert when Bitwarden's autofill detects a different URI than the saved vault item's, such as when an iframe is used for the login process. That's great. New users who create their accounts on mobile apps, browser extensions and desktop apps can now check known data breaches for their prospective master password via HIBP. Logging in with a new device is now available for additional clients. Login requests can also be initiated from browser extensions, mobile apps, and desktop apps starting later this month.

(00:48:01):
The Bitwarden application will begin alerting users if their KDF iterations are lower than the recommended default of 600,000 for PBKDF2. Argon2id is also an optional alternative KDF for users seeking specialized protection. A stronger master password has a higher impact on security than KDF iterations, so you should have a long, strong and unique master password for the best protection. Share private data securely with coworkers, across departments, or the entire company with fully customizable and adaptive plans. Bitwarden's Teams organization option is $3 a month per user, while their Enterprise organization plan is just $5 a month per user. Individuals can always use the basic free account for an unlimited number of passwords, upgrade any time to a premium account for less than a dollar a month, or bring the whole family with the family organization option to give up to six users premium features for only $3.33 a month.

(00:49:03):
At TWiT, we are fans of password managers. Bitwarden is the only open source cross-platform password manager that can be used at home, on the go, at work, and is trusted by millions of individuals, teams, and organizations worldwide. Get started with a free trial of a Teams or Enterprise plan, or get started for free across all devices as an individual user at Bitwarden.com/TWiT. That's Bitwarden.com/TWiT, and we thank Bitwarden for their support of This Week in Enterprise Tech. Well folks, we've been talking with Lise Lapointe, CEO of Terranova Security and the author of The Human Fix to Human Risk: Five Steps to Fostering a Culture of Cybersecurity Awareness. And we've been talking about cybersecurity awareness, lots of fun stuff, lots of good information here. But I do wanna bring my co-hosts back in, cuz they have lots of questions here and lots of experience in this area. Let's start with Curtis. Curtis.

Curtis Franklin (00:49:58):
Thank you Lou, I appreciate that. You know, one of the questions I have is, you know, you were talking about knowing where a company is starting. No way. So, because you want to know what kind of change you're making, can you tell me a little bit about the way you go in and assess a company's risk and really how the human factor is incorporated into that risk assessment? Is, is that all you look at or do you look at a broader risk assessment for the company?

Lise Lapointe (00:50:32):
So we don't really do risk assessment, we really do only security awareness, but we work with companies that do that. Usually our clients have their departments of risk assessment and we recommend in the analysis phase to use all this information to, to be able after to, to plan in a better way for their security awareness.

Curtis Franklin (00:50:56):
Now, when companies are using your firm, are they interested in knowing what kind of changes the training is having on their security posture and on their security situation? You know, is this part of what you end up talking with your clients about?

Lise Lapointe (00:51:18):
Yes, definitely. And now more and more on the platform to get a lot of information on the change of behavior, the change of culture. And you, you do measure that with different quizzes, with different training, with also having interviews knowing what's happening in your organization for certain users that are more at risk than the others. So all this information and some of our companies even, they will put some simulations on passwords to add some more information. So all this information together will give the administrators the information, but what we try to do today as another level is bring the information to the user. Also the user must know where he stands in the organization to give him the information and to motivate him to go further in learning security awareness.

Curtis Franklin (00:52:21):
Well, you know, you're talking about motivating employees, and I'm curious there, I have seen a variety of different methods for motivation. Everything from gamification, which so many people talk about to positive reinforcement to negative reinforcement. Do you have particular methods that you find work best? In most cases,

Lise Lapointe (00:52:47):
I would say it depends a lot on the people that you're teaching, right? Because for some people gamification is a lot of fun and they learn better that way, but for other people, they, they think they're losing their time by doing games, you know, so it depends a lot on your audience. So we recommend, we have all kinds of trainings with different approaches for different types of people. So you could choose, you know, that you could have, for example, training on passwords. You could have a game, but you could also have a regular training, and you, so there's a lot of different ways to train people depending on what their mo, how they like to learn.

Brian Chee (00:53:35):
Well, I'm gonna jump in. So I, I've been through several types of organizations, and what are some of the risky behaviors that we really ought to be taking a good hard look for all the time, not just when your, your people are on premise?

Lise Lapointe (00:53:55):
So a lot of, you know, it's, it's still the same for many years now. A lot of it comes from phishing. People get caught a lot still. And they seem, you know, not to understand how to really identify that it's a phish. So sometimes it, it, and we do every year with Microsoft as a sponsor, we do a phishing exercise and any company in the world could apply, and we give all the information on what's happening, and what we use is the, the example of phish that Microsoft sees that people fall for the most. So, you know, it's still, it's still the most important thing that, that we have to teach people on.

Brian Chee (00:54:46):
Well, let me ask the other side of the question. Every once in a while we're gonna have a particularly gullible employee <laugh>, but they're very high. They're, they're valuable to us. Do you have any suggestions on what organizations can do on dealing with that? You know, how do you, how do you break the news to a valued employee that, oh my goodness, you're really gullible. Could you do something about that?

Lise Lapointe (00:55:15):
<Laugh> being an entrepreneur, I, you know, I've seen that <laugh> so in, even in our company sometimes. So I, what I think is really, you have to make the employee aware of the consequences of a breach. They really need to understand the risk, what they have to do and feel responsible. But at the end of the day, you know, we always say we hire for competency, but we fire for values. So if the person doesn't wanna change or is not applying secure measures, sometimes you have to make difficult decisions.

Louis Maresca (00:55:51):
Well, folks, unfortunately, time flies when you're having fun. Lise, thank you so much for being here. We're running a little low on time. I want to give you a chance to tell the folks at home, our vast audience that's out there, more about Terranova Security, where they can learn more about it, where they can get started with security awareness.

Lise Lapointe (00:56:07):
Yes. So they could go of course on the website, on terranovasecurity.com, or on Terranova by Fortra today. And also the book. I think the book brings a lot of information on how to build the security awareness and to start, so the book is on Amazon also. So they could start with that, reading the book. There's all kinds of different, you could have the ebook or you have the printed book or, so it's depending on what, what you prefer, they can even read it for you <laugh>, if you wanna, the audiobook <laugh>.

Louis Maresca (00:56:46):
Well, folks, you've done it again, you've sat through another hour of the best enterprise and IT podcast in the universe. So definitely tune your podcatcher to TWiET. I wanna thank everyone who makes this show possible, especially my wonderful co-host, the very own Mr. Curtis Franklin. Curtis, what's going on for you in the coming weeks? Where can people find you?

Curtis Franklin (00:57:04):
Well, as always, people can find me online. I'm on Twitter at KG4GWA. I'm on LinkedIn, Curtis Franklin. I suggest that people follow me in both of those places. I'm also doing things like Mastodon, where I'm kg4gwa at mastodon.sdf.org. Who knows where I'll be next, but one place I know I'll be is right here in my office. I don't have any travel planned for the next few weeks. So I get to stick around here for a little while, get some writing done. I've got a number of reports to do from interviews that I, that took place out at RSA, and all kinds of stuff happening. So please look me up, follow me and let me know if you have any special interest.

Louis Maresca (00:58:04):
Thank you, Curtis. Well, we also thank you, everyone, Mr. Brian Chee. Brian, it's great seeing you. You can tell folks at home what's going on for you in the coming weeks. Where can people find you and get in touch with you?

Brian Chee (00:58:14):
I'm actually gonna be wandering around the Orlando area. There's a couple of conferences, vendor-specific conferences, coming in. I'm actually putting on my WISP hat and going to the WindCom convention over at the JW Marriott. That'll be fun. Anyway, hey, you know, I'd love to hear your comments. I'd love to hear your show suggestions. I would love to hear what threads you want me to try and weave through our schedule. And probably one easy way is throw it at me on Twitter. I am ADVNETLAB, advanced net lab, or you can drop me a line on my email, which is cheebert, spelled C-H-E-E-B-E-R-T, at TWiT.tv, or you can throw an email to twiet at TWiT.tv and that'll hit all the hosts. We'd love to hear your comments, your show suggestions. I have pretty thick skin, so if you didn't like something, I listen, or I'll try to listen. And even if you are listening in a country where English is not your first language, don't be afraid. The machine translators are not as horrible as they used to be. I've had several questions sent to me in French and German and in, in Spanish. I will use the machine translator and try and get you a reply as soon as possible. Y'all take care and be safe.

Louis Maresca (00:59:45):
Thank you, Brian. Well, we also have to thank you as well. You're the person who drops in each and every week to get your enterprise goodness. We wanna make it easy for you to watch and listen, to catch up on your enterprise and IT news, so go to our show page right now, TWiT.tv/twiet, and all the amazing back episodes, all of our notes, co-host information, all the guest information, but more importantly, next to those videos there, you'll get those helpful subscribe and download links. Support the show by getting your audio version or your video version of your choice. Listen on any one of your devices, any one of your podcast applications, cause we're on all of them. And if you subscribe, you definitely support the show. Plus, if you wanna also support the show, you can support the show by joining Club TWiT as well.

(01:00:26):
That's right, it's a members-only ad-free podcast service with a bonus TWiT Plus feed that you can't get anywhere else. And it's only $7 a month. And there's a lot of great things about Club TWiT; that TWiT Plus feed is one of them. But another one is also exclusive access to the members-only Discord server. You can chat with hosts, producers, there's a lot of discussion channels, a lot of fun ones in there. Plus they also have special events, right? They're on Discord. Lots of fun stuff. So definitely join Club TWiT, be part of that movement, at TWiT.tv/clubtwit. Club TWiT also offers corporate group plans as well. So make sure you check that out. If you wanna get it for your organization, it's a great way for you to give your team access to our ad-free tech podcasts.

(01:01:05):
The plans start with five members at a discounted rate of $6 each per month, and you can add as many seats as you like there. Plus it's really a great way for, whether it's your IT department, your developers, your sales team, your tech teams, to stay up to date with access to all of our podcasts. And just like regular members, they can join the TWiT Discord server as well as get that TWiT Plus bonus feed as well. So go ahead and jump over to TWiT.tv/clubtwit now. After you subscribe, you can impress your family members, your friends, your coworkers, whoever, give them the gift of TWiET, because we are on, we talk a lot of fun tech topics on this show. We guarantee that you'll find it fun and interesting as well. So definitely check that out. I'll have them subscribe. And if you've already subscribed and you're available at 1:30 PM Pacific time on Fridays, we do this show live.

(01:01:52):
That's right. If you wanna check it out live, TWiT.tv, we're on, we have a ton of streams out there. You can come see how the pizza's made, all the behind the scenes, all the fun and banter we do before and after this show. So come and watch the show live. And you can also be part of our chat room as well at irc.TWiT.tv, our wonderful and amazing IRC channels that are in there. And some great characters. In fact, they're giving us some good show titles right now. So thank you guys for all your support and all your help and some good creative stuff thinking in there. So thankfully, keep, keep that coming. Now, if you want to hit me up on Twitter, twitter.com/lu. I'm there, I post all my enterprise tidbits. I have lots of great conversations, direct message me show ideas, whatever, I'd love to hear from you.

(01:02:33):
Plus I'm also on, I'm luma at twit.social as well on Mastodon. So please check me out there and hit me up there if you, if you want, also on LinkedIn, Louis Maresca on LinkedIn. There I am. Thank you, thank you. And for that of course, you know, hit me up with direct messages, whatever, around show ideas, topics, getting into the industry. Whatever you need, please, please reach out to me. I, I wanna thank everyone who makes this show possible, especially Leo and Lisa. They continue to support This Week in Enterprise Tech each and every week, and we couldn't do the show without them. Thank you for all their support over the years. Thank you to Mr. Brian Chee one more time. He's not only our co-host, but he's also our titular producer. He does all the show bookings and the planning before the show and we really couldn't do this show without him.

(01:03:15):
So thank you, Cheeber, for all your support. Of course, before we sign out, I thank our editor for today because they make us look good after the fact, cut out all my mistakes. So thank you too very much for all your support. And of course our technical director for today as well, Mr. Ant Pruitt. He's not only our TD but he's also a very talented photographer and show host, and he does a great show called Hands-On Photography, which I check out each and every week. What am I gonna learn this week? Yeah?

Ant Pruitt (01:03:41):
Well, thank you, Mr. Lou. I appreciate that. This week we're back into the world of video editing and taking a look at a free tool in DaVinci Resolve, which is motion tracking and using video masks to create some very, very cool effects, such as changing the eye colors of a cat because we can, dadgum it. So check it out, TWiT.tv/hop.

Louis Maresca (01:04:07):
Love it. Thank you. And for, for giving us all the skills. I love the, love this photography skill that you hand out there. Thank you so much. Well, until next time, I'm Louis Maresca, just reminding you, if you wanna know what's going on in the enterprise, just TWiET.

Rod Pyle (01:04:22):
Hey, I'm Rod Pyle, Editor-in-Chief of Ad Astra Magazine, and each week I join with my co-host to bring you This Week in Space, the latest and greatest news from the final frontier. We talk to NASA chiefs, space scientists, engineers, educators and artists, and sometimes we just shoot the breeze over what's hot and what's not in space books and TV. And we do it all for you, our fellow true believers. So whether you're an armchair adventurer or waiting for your turn to grab a slot in Elon's Mars rocket, join us on This Week in Space and be part of the greatest adventure of all time.
