First, a note of thanks. The premiere episode of CYBER24 debuted to rave reviews and proved there is a desire among business leaders and policy makers to better understand cybersecurity issues.
Admittedly, we gave you your money’s worth in episode one. So this week we keep it nice and tight: 35 minutes with a breakdown of the Senate Banking Committee questioning the head of Equifax, the appearance of someone called Rich Uncle Pennybags, breaching the phone of the White House Chief of staff and a discussion with the State of Utah’s Chief Information Security Officer.
In the news
The hits just keep coming in the Equifax breach saga. The number of impacted Americans is now at 145 million – a modest uptick of 2.5 million persons. As with any public foul up, the head of Equifax was called before Congress to answer questions and take criticism from elected officials on the Senate Banking, Housing and Urban Affairs Committee.
In one exchange, Republican Senator John Kennedy (no, not of those Kennedys, this one from Louisiana) inquired about a $7 million contract the IRS just awarded to Equifax after the aforementioned breach became public. When now-former Equifax CEO Richard Smith, who, you may recall, abruptly retired shortly after the breach was announced, stated that he was not overly familiar with the details of the contract, Senator Kennedy replied: “You realize to many Americans right now that looks like we’re giving Lindsay Lohan the keys to the mini bar.”
Mr. Smith replied, “I understand your point.”
Mr. Monopoly (5:35)
If you caught any video clip of the proceedings, you would have been hard pressed to miss what appeared to be Rich Uncle Pennybags sitting just a few rows behind the former head of Equifax. You likely know Mr. Pennybags by his more common nickname, Mr. Monopoly. His appearance was actually part of a stunt to draw attention to a non-related issue, but it made for a pretty interesting visual.
Chief of Staff hack (7:37)
We also discuss the news this week that White House Chief of Staff John Kelly, who also served as Secretary of the Department of Homeland Security, noticed his personal cell phone was acting funny. He took it to the White House tech specialists, and it turns out the phone may have been compromised.
This brings up three main concerns:
- Eavesdropping: Camera and microphones on personal cell phones could be turned on without knowledge so what could they pick up from high level conversations Kelly was certainly having?
- Location: Knowing the physical location and movements of the Chief of Staff has potential impacts on the safety of the President of the United States as cell phones can be tracked.
- Blackmail: Hacking one’s private cell phone likely gives ne’er do wells access to photos, text messages, notes, etc. and potentially exposes a high level official to blackmail.
Culture of cybersecurity (10:47)
Our in-depth discussion this week was with Phil Bates, the chief information security officer for the State of Utah. Bates works in the Department of Technology Services, a presenting partner of our podcast. His job is to assess the state’s cybersecurity risks and coordinate with the executive branch agencies to secure that information.
“Basically, my job is to know what we have, what the risk is to what we have and then to properly protect it,” says Bates.
And just how big of a job is it to protect the state’s various databases and cyber operations? Very big.
“We’re blocking on average about 200 million attempts to talk to devices on our network per day,” says Bates. That number is significant but far less than the levels attempted attacks hit during the election season last autumn. “Through the elections we topped out at about 750 million a day.”
Testing vulnerabilities (21:41)
In the second segment of our discussion with Bates, we talk about how the state identifies its weakest link and how it makes that wink link stronger. One way they do that is by phishing their own employees – essentially trying to scam their own employees to see who falls for it.
“We will craft emails with some obvious things that should be red alerts to folks,” says Bates. “And then we send these to our users and see how they react to them – if they report them to us like they should or if they are responding to them inappropriately. That’s helped out a lot.”
Finding your weaknesses and fixing them before they are exposed is key to a smart cyber strategy.
5 steps to start (28:11)
The National Institute of Standards and Technology (NIST) lists over 800 steps to building a secure a network. That’s a bit overwhelming for, well, everyone. So Bates suggests focusing on the top five because they are the most important and they don’t change much – meaning they will be the most important in for the foreseeable future.
- Maintain an inventory of devices you have on your network
- Maintain an inventory of software used on your devices
- Secure configuration – passwords, encryption, firewalls
- Vulnerability assessments and remediation
- Controlled use of administrative privileges
You can hear Bates give his thoughts on each of these steps on the podcast.