New episodes every two weeks
June 26, 2022

S01E05 - Cybersecurity's Curious Inability to Share


Does Cybersecurity hold things a little too close to the chest? Ever wish you could know more about attackers and their methods - besides what we get via CNN or the FBI? How great would it be if your neighbors shared with you how their house was broken into - so you can better protect your house? Or should we not put at risk our reputations and be potentially liable for over-sharing? Join Paul and Jason as they have their biggest constructive debate of the season. From Oscar Wilde to Prince, to the meaning of "F-Sides" - like how we got the name... this episode is all over like an ice cream cone on a four-year-old - good stuff. Oh, and before you listen - just sign our NDA. 

Transcript

S01E05 Cybersecurity’s Curious Inability to Share

Paul Love [00:00:12] Hello and welcome to outsiders.

Jason Loomis [00:00:14] That was Paul.

Paul Love [00:00:15] And that was Jason.

Jason Loomis [00:00:18] And this is offsides. This is the Cyber Humanity podcast. We're going to focus on the human side of cybersecurity.

Paul Love [00:00:26] Yeah. Thanks for joining us today. For our tens and tens of listeners out there, which, by the way, is why I'm warning collared shirt, because once we hit double digits, I decided to dress up for all of you. We have a great show for you today. Shh.

Jason Loomis [00:00:39] Shh. I don't think you should be sharing the agenda for the show.

Paul Love [00:00:42] Oh. What? What? What do you mean?

Jason Loomis [00:00:45] Well, if you're if you share the agenda, hackers might know what we're intending to do, and they could use that information to attack us. So, you know, don't share too much, man.

Paul Love [00:00:53] That's a great idea. We should not be sharing ahead of time. It should almost be.

Jason Loomis [00:00:57] Oh, my God. You took the bait. I messing with you, Paul. And total investors.

Paul Love [00:01:00] Should be like this. Networks that we're like. You get to discover the flavor after you, after you bite into it.

Jason Loomis [00:01:08] I love you, man. We're going to dig into this very topic today.

Paul Love [00:01:12] Well, so, you know, for for those of you playing at home who may not know, share a little bit about why why we chose f sides. Because I think for the random person like F sides, what does that mean? Can you share a little bit about that, Jason?

Jason Loomis [00:01:29] Yeah, absolutely. So f sides, it's a bit of a double entendre with, you know, without the risque or indecent part of normal double entendres, maybe something more clean like the from Jack Wilde's importance of being earnest if you get that double entendre a very famous joke. So a clean double entendre.

Paul Love [00:01:45] That was a dry line. That was tough. You're going to have to work on that delivery. Go ahead.

Jason Loomis [00:01:49] Was my drum beat roll. But it's really it's a play on B-sides. Paul, you're familiar with B-sides, right?

Paul Love [00:01:56] Yeah. So, you know, that's a great point out, Jason, because the B-sides are a alternative cyber security conference. So, you know, the some practitioners, some security practitioners out there got together, you know, they saw the standard security conferences were becoming very corporate and, you know, the standard type of vendor presentations and, you know, things that were very focused on commercial side. Well, this group got together and made B-sides, which is the alternative to the corporate conference, and some of them aligned directly to the big, very, very large security conferences. And they have their own. It's usually, in fact, not not usually. It always is user generated content. You get experts who share. It's not always as polished, which is good, right. Because you're really having it feels very conversational. So it's it's an alternative to the corporate security conferences that have been exactly on.

Jason Loomis [00:02:54] Right. Thanks, Paul. So so that's one entendre. Hold, please. We have one of our ten of ten callers in there asking what is an entendre? Well, for for those playing at home, an entendre is actually French for understanding or hearing. So double entendre means a double understanding or a double meaning. So case closed on. That's Goldie. Thank you caller for calling in. You've been great. The second part of that entendre is not only is it like the B side, which the entendre to that is that it's the B-side of a record. By the way, did you know that Erotic Cities by Prince was a B-side?

Paul Love [00:03:28] I did not know that. And plus, by the way, I learned some French today, so I feel like I'm almost filled up with learning. So just that.

Jason Loomis [00:03:36] This is a walking encyclopedia of a show. And did you know you can always get what you want by the Rolling Stones was also a B-side Crazy did not.

Paul Love [00:03:44] We should go through together one day and pick out like all of our favorite songs that turned out to be B-sides. I bet you there's a lot of them, those hidden gems, which feels like kind of what we are. I don't know.

Jason Loomis [00:03:54] So you noticed it's B-sides? Yeah.

Paul Love [00:03:56] So what is the F stand for?

Jason Loomis [00:03:59] Great. Another. Maybe there should be triple entendre. So maybe much like, you know, the number 42 from the computer deep thought is response to the ultimate question. This is a Hitchhiker's Guide to the Galaxy reference. It can mean whatever you want it to mean. Paul I hate that answer. That's actually the worst sales answer ever.

Paul Love [00:04:16] Yeah.

 

Jason Loomis [00:04:18] Well, what do you want it to do? You know, tell us what that product. Yeah. F is meant to represent fun. You might be thinking, wait, isn't it the cyber humanity podcast? Like H H sides just did not sound great but funded and F can be whatever you want it to be. So H they just didn't have a good ring to it. We want this to be kind of more of a fun podcast. Plus I tend to cost a little bit. You might catch on to this to make sure we got good. No, bleep that out. I do. I'm telling you, a well-placed F bomb is a key leadership tool.

Paul Love [00:04:51] Yeah. So let's go to this topic, because I have a feeling you're going to start sharing all the words that you believe are good leadership tools. So this week's conversation is a little bit of a serious one, but we're going to you're going to hear two different views and are in fact, some of our views may be similar, but, you know, it's different perspectives on sharing within the cybersecurity community.

Jason Loomis [00:05:16] Sharing is caring.

Paul Love [00:05:17] Sharing is caring. And that, you know, for those of you that grew up during the Care Bears area, you'll remember sharing is caring. I don't remember which care bear that was. I should look that up because. Or was it the whole.

Jason Loomis [00:05:28] When are the care bears coming back? My Little Pony just hit it big through the stratosphere of pop culture. The care bears need to make a resurgence.

Paul Love [00:05:34] The cameras are actually kind of fun. I mean, I never had one, but at least, you know, I like. Sure, you know, I really did. But I thought they were cool. So, you know, the. Sharing is caring is is interesting. But, you know, let's we're going to talk a little bit about, you know, our perspectives on sharing within the cyber security community. And you know what? Sharing. Yeah. Sharing information, sharing attacks and so forth. So this it should be interesting. And just, again, two different perspectives. And, you know, we we we're we're going to have different views. But in the end, it's all for a common goal of securing our organizations. And, you know, eventually we going to have to come to a conclusion because there is a.

Jason Loomis [00:06:17] Certain disclaimer that you're playing nice ball because I want to make.

 

Paul Love [00:06:20] Sure I Jason's always calling me out for putting to Buddy.

Jason Loomis [00:06:22]  I, I love that you were that you said there's, there's the sharing that goes on in cybersecurity. My hypothesis thesis argument debate topic is that there is nowhere near enough sharing and I get frustrated that there isn't enough sharing. And here's the analogy I want to use. My neighbor's house gets broken into the company next to me as a small to medium sized business. My neighbor's house gets broken into, but they're not going to tell me how they got broken into because it's under NDA and it's confidential and oh, if I tell you, you might go tell a threat actor or another hacker out there that someone else, someone is going to break in. And I just call B.S. on that. And I think that's a problem with cybersecurity today, is that we're not sharing TTPs with each other close to the event or even after the fact. So many attacks happened out there that just aren't shared.

Paul Love [00:07:11] Share what ETPs are for like explain that a little bit for our Jason likes to use big fancy words. So let's go ahead and I'm going to have you.

Jason Loomis [00:07:19] Those are called acronyms.

Paul Love [00:07:20] Yes, big fancy.

Jason Loomis [00:07:21] And they're just as bad.

Paul Love [00:07:22] Yeah.

Jason Loomis [00:07:23] They're just as bad. When we use acronyms, you understand what TPTB stand for, tactics, techniques and processes. So it's it's like how that burglar it's basically how that burglar broke into that house. What did they use? Oh, they used a crowbar. They case the joint. That could be a tactic. A technique is they wear all black and a process is that they have a common crowbar that breaks off the lock because they know the brand of the lock. So tpz or and often a way to classify the bad guys or hackers out there of how they get into our stuff. And if you're trying to protect your home, you want to know what they're going to do to break in. Oh, they're going to break glass. I should get a glass alarm sensor to detect that. Or if they're going to come into the roof Santa Clause style, you're going to want a defense that blocks your chimney from access from Bad Santa Clauses.

Paul Love [00:08:08] So thanks for sharing all the techniques that burglars use. We appreciate that in the podcast. Do not try that at home. But you know, from a security perspective, though, you know, for those of us that have been in the field for a long time, especially starting in the government sector, you know, sharing.

Jason Loomis [00:08:25] An ex-military.

Paul Love [00:08:26] I was a former I'm a marine. Right. And not a non active duty Marine. You know, I spent eight years in the start of my career. And, you know, you're not sharing, especially outside of the organization is not something you do. Right. You're you're taught to keep the information closed because the the enemy could use it to exploit it. So, you know, with your analogy, you just used if a similar sized company were to have a a breach and they share that information, I would contend, and I still believe in this, that it has to be controlled information sharing with a known group of people. Right. And I think I don't know if you disagree with that, you know, because you don't want the bad people to get, you know, access to that information and re exploit. Right.

Jason Loomis [00:09:17] Yeah. And I hear that argument often out there. I hear that that's the primary reason why. Well, you can't share those because somebody could use that information. That's what. Legal teams or internal risk teams will always say enterprise risk to say no, you can't share that because it could make us vulnerable. I'll give my to be honest. My personal opinion is that it has nothing to do with threat actors. It's because they don't want the company to look like they made a mistake. And that's why it's not shared.

Paul Love [00:09:43] Well, it may be.

Jason Loomis [00:09:44] Because external threat actor might get their way.

Paul Love [00:09:47] And it may be a bit of both. And that's why you see legislation coming through on protecting organizations that share information. And, you know, these groups, like I say, the information sharing and analysis centers that are put out for different industries that are a controlled method of sharing information with a known, authenticated group of individuals so that you can do exactly what you're saying but not make it potentially available to external entities.

Jason Loomis [00:10:16] Yeah. And in is that for the federal government, the ISAC.

Paul Love [00:10:19] I know there's a.

Jason Loomis [00:10:20] Lot of great another great acronym.

Paul Love [00:10:22] Really. And I still Isaid what the acronym was. So you can't get beyond that. It is the information sharing.

Jason Loomis [00:10:26] And I had to go and edit myself out so that I can call you on something. Yeah, you can't.

Paul Love [00:10:30] Call me out. I pre I prefaced, I made sure so. No, but these are groups. There's like the FCC, the financial services, there's multiple different ones for different industries now.

Jason Loomis [00:10:41] Yeah. And it's not fast moving enough for me I think to get down to SMB and SMB. A small to medium size business will never share their information, even under ISAC because they feel it puts the company at risk from financial, from lawsuit, from stakeholders. And it's this over protection that is actually causing more harm to cybersecurity, in my opinion, than sharing those TPS and sharing information with each other. It's frustrating that I, for example, if I want to go look at another person, soc, another C, so hey, I want to come in and check out your soc. Oh, I've asked so many CISOs in my career and it's if I can even get it. It's mountains of paperwork, it's mountains of days of note. Well, we don't really want to share that. We don't want to show it. And I'm telling you, it's it's not because of a threat actor or worried about a hacker getting in because they're sharing that information. It's because they don't want to show, you know, people I think it's because they want to show how bad of cybersecurity they are, how underfunded they are.

Paul Love [00:11:43] Interesting, because I would actually the way I would see it is in highly regulated industries. There are certain criteria, depending on how you interpret it, on people accessing sensitive areas like your data center, which the SOC may be part of. Right. I don't know the specifics, but there are some there can be background reasons why. But no, you know what I think? I think you and I agree that there should be sharing. I think you and I, the part that we're discussing are focusing on is who should you share with? Right. And I'm contending that you share it with people who have background checks, who are, you know, how to handle the information you're sharing so that somebody can't be exploited or.

Jason Loomis [00:12:27] Yeah. And, you know, I think that works great for your small subset of the world of highly regulated industry. And to be honest, I think the majority of cybersecurity practitioners out there are for SMB and not highly regulated industries, let's say even 5 to 10% out there or working in a highly regulated industry like that where you can have those mechanisms in place. But for the large majority of employees, small to medium sized business is the backbone of America and is the backbone of GDP for this country. That's really what represents most of cybersecurity hacks and most of cybersecurity work. So for that portion of the population, there is nothing. And it's this over protection that I just you know, I get frustrated.

Paul Love [00:13:06] I actually.

Jason Loomis [00:13:06] I don't have a solution, but I want to be able to go next door to my neighbor and tell them how my house got broken.

Paul Love [00:13:11] Into. Well, and its entry, by the way, that was very, very well said. Thank you. I feel like you should have had an American flag behind you because it felt very patriotic and very you should be running for office, maybe the governor of some state. But I do a little bit. But, you know, you.

Jason Loomis [00:13:26] Bring up the state of disarray.

Paul Love [00:13:29] Yeah. You know, I think we you know, in concept, it sounds very good right now, is actually going to ask us that. And Jason, I didn't talk about this beforehand, so I'm going to put you on the spot. You did you did caveat. So you don't have a solution. But, you know, for the actionable part of our our our podcast, I'm going to ask you, what options would you suggest right now?

Jason Loomis [00:13:53] I, I, I do have a solution that that's a great call it. I don't have a solution. I should have said that I do because there is no regulation on what we share or don't share with us with private companies. It's not I there is no law that says I can or can not share this. I can't share personal identifiable information or that's about it. But I can absolutely share https with the company next to me or another company in my vertical or another. C so that I have a personal relationship with what's stopping me. There is no law. It's. It's. Misconception and and what I believe is a misperception of risk.

Paul Love [00:14:30] Good that we're.

 

Jason Loomis [00:14:30] Actually going to be we're going to decrease risk by sharing that information with that, see, so that I know and tell them, hey, let me show you how they got in and what they did once they were in.

 

Paul Love [00:14:40] Yes. I think we actually really shockingly agree, because you just the solution that you had is very similar to what I what I was saying in that you should.

 

Jason Loomis [00:14:49] Without the background check.

 

Paul Love [00:14:50] Yeah. Well okay. Not the background checks. No. Without the background check. See I use French by the way because I learned a French word earlier today. So now you're saying share with double Tuesday. Okay. So you're saying share with individuals that, you know, see, so as you know or see CEOs of organizations that work in your similar vertical. Right. So you're basically saying what I do it just based off of your personal knowledge and relationships. Is that.

Jason Loomis [00:15:18] True? Yes. So a blocker for that is my are typically not mine. My team is great, but blockers for that in the industries are typically mostly legal teams, legal departments that have an overabundance of caution and overabundance of risk and they actually tend to legal teams, in my experience, can easily override any cybersecurity risk assessment. When a cybersecurity CEO comes up and says, Look, I think this information needs to be shared with them, I want to share this out. Legal typically will say no because they feel puts the business at risk.

Paul Love [00:15:51] It depends on the organization, right. If they've had high this risk in the past, like I've I've worked with some but.

Jason Loomis [00:15:58] I'm arguing that that's a majority of organizations out there.

Paul Love [00:16:00] I've worked with some attorneys who are incredibly supportive of security and get it right. I really work with some who would actually suggest, yeah, let's share it. Let's just sanitize the information that we need to sanitize to protect our customers. Right. Like PII, like you said, PCI data, card information, so forth. And in organizations that have faced a lot of lawsuits, I've seen the opposite where it's, you know, over, you know, to the point of you don't want to share anything because in the past that's been used against them. So, you know, I think it depends on the culture of the organization. But, you know, I agree CISOs should have the ability to share the information with peers, you know, known peers. Right. I just you know, I didn't from what I heard from the first part of your solution is it sound like you're saying let's publish it on a website? And I would absolutely argue against that. Right. Well, that's to me is oversharing, because you can.

Jason Loomis [00:16:56] We can Paul, we can create this can this conversation up a level? Let's do that. Let's crank up to the level to ratification. Absolutely. I would love to see publication now. Yeah. With the caveat that let's say I was as CEO of company Acme, we were breached. But as soon as I have sealed that hole and I've got and I'm good and I've my incident response is done and protected, I, I want to publish that information.

 

Paul Love [00:17:24] It's like no disagreement because you put in a very important.

 

Jason Loomis [00:17:27] But nobody knows nobody is doing that upgrade.

Paul Love [00:17:31] Well, maybe. Hmm. Interesting.

Jason Loomis [00:17:35] They need to. I don't know. This is my God.

Paul Love [00:17:37] But maybe that's you and me going to a conference and sharing that, like, sharing like opinions on that. I don't know. I mean, because you put in a very important caveat that I think was probably the most important portion is once it's once the vulnerability or whatever was used to attack is sealed and contained, then at that point, it's historical information and it's good for others to know. So I'm I agree with that. Okay.

Jason Loomis [00:18:04] That sounds like we're coming up with with our next framework, private information sharing between small to medium sized businesses, you know, audit.

Paul Love [00:18:11] Yep.

Jason Loomis [00:18:12] Awesome. Well, for for anybody else out there, call in. Actually, we don't even have a call in number. By the way, I did make up that whole thing about a call and there was nobody on the phone. I probably fooled everybody that's watching. I know crazy. I was actually surprised to.

 

Paul Love [00:18:25] I wanted to hear it.

 

Jason Loomis [00:18:27] Yeah it for anybody who's listening who has any kind of say in cybersecurity sharing. Share, share, share, share, share, share, share. Because it's only going to help us out. That's that's my takeaway from this share as much as you can about what happens with attackers and how you're running your cybersecurity program with other CISOs, because it's only going to get all of us to be better now.

Paul Love [00:18:47] And I would say, if you if you have the ability to join an ISAC, an information security analysis center, do it right. They it's it's a subscription. So you do have to pay for it. But it is a great way to share information with a known group of people. And that's a good start, in my opinion. Good.

Jason Loomis [00:19:04] I fell asleep again there with that acronym. Why are we so acronym happy today? I'm on LinkedIn so you can share with me on LinkedIn and chat me up. I love it. I love to hear how you got hacked out. You know, I can't share my stuff. Yeah, no, I can. I can say.

 

Paul Love [00:19:17] Yeah, and I, you know, I would love to hear people's opinions too, while you they can't call in Jason. That's a feature you need to add, by the way, because I think we might get a random. Accidental sales call.

Jason Loomis [00:19:25] Your co-host waking.

Paul Love [00:19:27] Skills. But I say I get an AT&T call like, Hey, would you like to subscribe or something? Or, you know, I remember them spam calls, but now this is this would be good to hear from others. Please share your experiences and your thoughts.

Jason Loomis [00:19:40] Absolutely. Thanks. Everybody hopes the other next episode is the.

Paul Love [00:19:43] Elephant in the room.