Joseph Carson:
Hello everyone. Welcome back to another episode of 401 Access Denied. I'm Joe Carson, your host, Chief Security Scientist and Advisory CISO at Thycotic. It's a pleasure to be here. I'm joined by a world-renowned, awesome guest who's with me today to discuss a very important topic. So, Quentyn, would you like to give the audience a bit of an introduction about who you are and what you do?
Quentyn Taylor:
Thanks, Joe. I mean, I don't know if I live up to all of that, but yes, I'm Quentyn Taylor. I look after information security at Canon. I've been there for quite a while. I do also have a YouTube channel where I do various RFID hacking and various other bits and pieces. I've been in information security virtually my entire career. I'm probably one of the youngest of the old guard, if that's actually the right way to say it.
Joseph Carson:
I would agree. We've been around for a long time. Actually, I miss having conversations with you. It's been so long. The pandemic has kept us apart, but on social, I highly recommend the audience subscribe to your YouTube channel because it is so much fun and educational. I even learned a lot from it. I've got a couple of Proxmarks, which I've bricked a few times, and yourself and Chris have really helped me get them back. So, very educational. I'll definitely recommend it.
Joseph Carson:
I'll let you explain. Give the audience a little bit of understanding of what you actually do on your YouTube channel and what things you share on there, because I think it's really important and very educational.
Quentyn Taylor:
Yeah, sure. My YouTube channel has got a few drone bits and pieces on there, but mainly it's a lot of RFID. And I've been doing a lot of collaborations with Timur Yunusov at the moment, and Leigh-Anne Galloway was on there as well just over the summer talking about everything from contactless credit card security. And this all came about, actually, because I did a video where I said confidently that card clash was all that you needed to prevent credit card fraud.
Quentyn Taylor:
And Tim emailed me and said, "Are you absolutely sure?" Which was his very Russian way of saying, "I think you're wrong. And actually, I'm quite an expert in this." So I said, "Well, why don't you come on the channel and show me?" And then he did, and I realized just how little I knew about certain aspects of security, and we've done several collaborations since. It's been absolutely awesome.
Joseph Carson:
Fantastic. I think it's really important. When we really start learning is when we get those experts in the field to come and help us really understand some of the things that happen in the background. The same for me. I was never into physical security until maybe about seven, eight years ago. And that really got me into looking at Proxmarks and RFID cloners and really getting into the details about how it really works.
Joseph Carson:
So, your videos and Iceman's, and all the people there, are fantastic, because it really helps educate and really can get into the understanding about it. I think one of the topics we're going to be talking about in the episode, and the main theme, is, of course, around the state of cybersecurity. And sometimes, for me, I always like to think of things in the physical world and draw those relations. And I think when I look at things like RFID or physical security and door locks and even padlocks, sometimes it is a really good way to teach and educate what it is like in a digital scenario. I think those really relate.
Joseph Carson:
You were talking about some of the reasons why you like to focus on physical security and door locks and RFID contactless stuff, but do you kind of use that as a basis for teaching and educating on the digital side?
Quentyn Taylor:
Yeah. Because if you can't get the physical stuff right, then all of the cyber controls ... I was talking to someone recently at a conference and he said, "Why is this important?" And I'm like, "That's a really good question." He's like, "Well, the access controls to your data center, how are they controlled?" "Oh, via RFID." "Right. So, if I can copy your data center access card, which probably has 24-hour access, I can get directly into your data center and probably past all of the doors in the middle of the night." Yes. He was like, "Exactly."
Quentyn Taylor:
And that's why this stuff is important, because with a lot of the software side, we are very much used to saying, "What crypto algorithm, what this, what that, what the other." Yet with RFID, people just take the RFID fob or token or plain white card, and they go, "Oh, it's an RFID card." And you say, "Well, do you know that that RFID card is breakable and that one is less breakable? They look identical. And if you don't actually ask which one's which, how are they all set up ..."
Quentyn Taylor:
I was doing a physical assessment of a building and it had an ancient Indala-based system in it. And we were looking at it and I said ... And I looked at the cards, and on Indala cards, the first four digits of the serial number on the card are the year of ... It can be the year of manufacture, depending on whether you bought the expensive cards, which they did.
Quentyn Taylor:
And I looked at it and I looked around the room and I said, "Do you realize that this card was made in 1980, which makes this card physically older than every single person in this room?" And it was like, "So, we're currently dealing with a system that was installed before all of us here were born." And somehow, anywhere else, we would never trust that. If you said, "Oh, I've got a web server and it's from 1982 and it's still running," you'd go, "Oh god, that's probably got security by total obsolescence, and no one knows how to hack it anymore." But you'd never do that. Whereas in physical security, you stick these locks in and they go, "Oh, it will last 20 years, last 30 years."
Joseph Carson:
Yeah. We've done a lot of topics and discussions around things like IoT and critical infrastructure, and what we see is systems that have been in place for ... I worked in a lot of maritime and shipping industries and power stations. Time and time again, you see this old equipment that's been around for 20, 30 years.
Joseph Carson:
I was fortunate enough to watch a satellite decommissioning project. The button that was designed to start decommissioning of that satellite had been designed 30 years ago. They were just going, "No one has pushed this button until now and we hope it works." So, sometimes, when you're sitting in those elements, the basis and foundation of everything could be really old. Do they ever get updated? Does anyone ever take a second look?
Joseph Carson:
So, my question to you, when we think about this: I'm always looking at, for example, the Verizon Data Breach Investigations Report. I look at a lot of the yearly reports that come out as a bit of a temperature gauge into whether we're improving or getting worse. And in certain areas, I do see improvements and I do see prioritization changing. I just want to get a measurement from you. What's the current state of cybersecurity in the industry? I mean, are we moving in the right direction? Are we getting better? Or is there cause for concern? What are your thoughts on the current state?
Quentyn Taylor:
So, it depends upon what you mean when you say what's the current state of the cybersecurity industry. The cybersecurity industry itself is doing very well. More money is being spent. And let's be very honest here, and no offense to any incident response companies. When I see incident response companies' soaring share prices, I worry a lot. It's not that I don't want to see them with soaring share prices. I might end up working for one of them at one point in time. It would be great to get some good stock options.
Quentyn Taylor:
But my point really is, when we see their soaring stock prices and see huge amounts of money being spent on cybersecurity, the cybersecurity industry is doing brilliantly. And that's what worries me. We, as an industry, forget that we're here to protect everybody else. And I think that a lot of the cybersecurity industry is so busy being buried in the cybersecurity industry.
Quentyn Taylor:
"Hey, look at this latest breach, isn't it great?" No, it's not great. A breach is never good. "Hey, look at this latest vulnerability. We can market that and stick it in our product." No, that's not good. But the industry is doing very well. As humanity, how are we doing with cybersecurity? We're improving dramatically, but the attackers and the attack surface and the dependency are also increasing at a far greater rate.
Quentyn Taylor:
So, we're going up, but we've got this far greater thing going on, and we're starting to see true trickle-down, in not a good way. Trickle-down normally means, "Oh, it gets used on the space program," and then you get really good pens and stuff. Trickle-down in cybersecurity is it gets used by one nation state against another nation state. And then the lower-end criminals start to use it and it becomes commoditized. And now, that attack that everyone thought, "Oh, that's really difficult. No one will ever do that," becomes a commoditized attack.
Quentyn Taylor:
I mean, what we were talking about with RFID earlier on. RFID is a great example: when we're doing anything to do with RFID, we're standing on the shoulders of giants. People have done amazing work before us to allow us to be able to play with RFID. But there are also criminals who are able to play with contactless credit card data. I mean, literally just behind me.
Quentyn Taylor:
Tim was doing the demonstration of how you stick in a credit card with a known PIN code, so a credit card you own, but then intercept the Bluetooth communications between the reader and the PC and rewrite the credit card number on the fly and the expiry date on the fly to one that you didn't put the PIN number in for, and suddenly you actually charge a different credit card, the second one you put in.
Quentyn Taylor:
So, the reader does a complete check to make sure that that card and that PIN code work. But the transaction is edited midstream to put a different credit card number in. Apparently, this is a very valid attack and people do this all the time for low amounts.
Joseph Carson:
That's one of the things. Really getting into the foundation, when we think about it from a ... Everything is moving to basically low-energy, near-proximity communications, especially for things like IoT and home smart devices.
Quentyn Taylor:
But if you look at some of the IoT locks ... Sorry, but Andrew Tierney did an awesome analysis. Cybergibbons on Twitter, who you should always follow.
Joseph Carson:
Yeah.
Quentyn Taylor:
He did a great one where he took a new IoT lock and he took a standard £6.95 Wickes (other locks are available) mortise lock, and went through the physical security features, pointing out that the £6.95 lock was far more resilient to drilling, general breaking, a blowtorch, any kind of picking and everything else than the £180 IoT cyber lock, which was not so good at cybery stuff either. But anyway, imagine it was. It was made of zinc, and you could just put a blowtorch on it until it just dripped off, and they go, "Oh, I'll ... Or I'll hit it with a hammer. Or I'll do any one of a number of physical attacks." Sorry, please.
Joseph Carson:
No, absolutely. This reminds me. I've watched a lot of the guys who are doing physical security. Even the air canister, basically, to open up the sensor doors.
Quentyn Taylor:
Oh, the sliding doors.
Joseph Carson:
The sliding doors. Some of the things in the creativity, and the simple thing is basically opening doors. I mean, I'm sitting here and always next to me I've got my handy RFID cloner as well. It's something like 10 euros, and you can basically clone most cards with it. Those are the things.
Quentyn Taylor:
Oh, if you want to do low frequency. Low frequency. I did a bit of a competition to find the cheapest RFID cloner I actually possibly could. Sorry. Ah, here it is. The cheapest RFID cloner I could find that worked reliably. In actual fact, I thought it was really good. It's one of these. £4.20 this cost me. And then, about a week after I bought it, I got an advert on Amazon going £2.80. I was like, "Damn, I wish I'd bought even cheaper." That thing, for most low-frequency stuff, just works. And you know what?
Joseph Carson:
It's fantastic.
Quentyn Taylor:
... Two buttons, read and write. You press one, it goes beep. You press it against the tag, press write, boom, done.
Joseph Carson:
The one thing I was just saying is, you can get a lot of cheap stuff out there, but there's also a lot of expensive things as well. That's the thing: it can be an expensive hobby as well. But going back to one of the things you said, and to expand on it a bit as well, you're absolutely right. The one that concerns me is that when we're looking at the cybersecurity industry as a whole, budgets are increasing, companies are becoming more profitable, revenues are increasing, but that is a concern because it means that companies that basically are needing to respond, they're needing to spend more. Incidents are increasing, attacks are increasing, the services are increasing.
Joseph Carson:
My concern is that we're still doing the same old approaches of reactive security. We're patching yesterday's incidents, yesterday's issues, yesterday's security. We're basically not thinking about how we can future-proof it. How can we get to the point where...
Quentyn Taylor:
We're taking yesterday's architecture and then putting it into tomorrow's vulnerabilities.
Joseph Carson:
Yep. Exactly. The challenge is how we start future-proofing security. The good thing is, at least in one area, when I'm looking at the Verizon Data Breach Investigations Report, there were indications of certain areas of improvement. There are certain areas where awareness is improving, phishing is down. But, of course, ransomware is up, which means that in some things we're getting better, but in other cases we're becoming more impacted. What areas of organizations, what would you think are the areas that organizations can really look at, that would be something they can invest in, that would get the most improvement in their security risk or posture? What would be the basis of somewhere...
Quentyn Taylor:
Yeah, I would say with things like business email compromise, you can spend all your time trying to educate your senior management and you can spend all your time trying to filter the email. And you know what, they'll still get through. But you could spend a very small amount of time putting the right financial controls in place and the right trust model in place with the finance community to make sure that one single person getting fooled by an email, which they will get fooled by an email ...
Quentyn Taylor:
And this is a fallacy I'll come on to in a second. You could put that in place, and that means that even if the person does get in, they can't transfer a material sum of money. Actually, that's the best bang for buck right there. You could spend millions on trying to prevent all the emails coming through. You could spend millions on educating and doing awareness movies. And you probably should. Maybe not spend millions, but you probably should anyway. But you know what, on that particular one? Just spend your time with the finance team and say, "Actually, how do I stop someone from making a material monetary transfer if they get fooled?"
Quentyn Taylor:
Because there was a great story that came up today, I believe, about a load of social media accounts, 4,000 social media accounts, that were stolen by some hackers. And they were trying to steal mainly YouTube and Instagram accounts. And the way they were doing it was reaching out to people and saying, "Hey, we would like to sponsor you, and we'd like to do a collab. Could you install this software and then review it?"
Quentyn Taylor:
Now, someone will go, "Oh, these stupid people installing this software." I replied quite negatively going, "Actually, this is the person who is hoping to make YouTube their career, their life. It's going to become their income source. They don't have the ability to be able to say, 'No, that sounds dodgy.' They have to say, 'You know what, I have to take a risk. Because if I don't, I can't ... I have to collaborate with people. I have to do these things.'"
Quentyn Taylor:
And that's the problem, and attackers know that. And they know where your weaknesses are. And in that case, you have to do it. Anyone who thinks that they will not be fooled by a sufficiently well-written phishing email hasn't met a sufficiently well-written phishing email, or hasn't realized they've already clicked on one.
Joseph Carson:
Yep. You're absolutely right. I mean, as security professionals as well, we have to be so diligent on everything that comes in. They are so authentic-looking, so difficult to detect today. The attackers know what we're looking for. They know how to obfuscate it. They know how to disguise it. They know how to make sure that it's something that we want, and it gets very difficult.
Joseph Carson:
And you're absolutely right. One of the things I want to hone in on and talk about, and I completely agree, is that we can't ... Basically, what's been a priority is, of course, cybersecurity awareness training. And I think it's important. I think it's important to a certain extent. But what we shouldn't be relying on is turning all of our employees into cybersecurity professionals. That's not going to work. It's not the way to reduce the risk. Because ultimately, attackers only need one success. They only need one person to click on something or just type something in.
Joseph Carson:
So, you're absolutely right that we need to start thinking about ... That shouldn't be my dependency. I shouldn't be dependent on all employees becoming cybersecurity professionals and not clicking on something. What we should be looking at, to your point, is how do we make sure that if somebody does click on something, it limits the impact.
Quentyn Taylor:
How do we improve resilience?
Joseph Carson:
Yes.
Quentyn Taylor:
It's like I was having a great conversation with someone a long, long, long time ago about children on the internet. And this person was taking a completely different approach, where they said, "Don't try and block your child from being able to access all the dodgy sites, because it will not work at all. Teach them resilience. Look, you're going to see horrendous stuff. You're going to see this. This is going to happen. Teach them that they have the right level of resilience so that, in actual fact, they go, 'Oh, you know what? That wasn't for me.'"
Joseph Carson:
Yep. No, you're absolutely right. It reminds me. Anyone who's had kids, the kids are going to put their hand on the stove, but you want to teach them ... you know...
Quentyn Taylor:
I've seen it more than once.
Joseph Carson:
I think you're absolutely right. What happens is, even with plugs in the house, we used to go around putting all of these little protectors on the sockets that didn't have anything plugged into them, in case the kids put their finger into one. I was one of those parents who actually went around and did all of those safety things, and we realized ... And we did that with our first child.
Quentyn Taylor:
Yes, but you didn't do it on your second, did you?
Joseph Carson:
We didn't do it with the second one.
Quentyn Taylor:
We're exactly the same here. We had all the corners masked off for our ... Sorry, my children, if you do watch this at some point in time, yes. For Ellie, we did everything. And for Annie, it was like, "You know what, probably not necessary." See, I was a third child, and someone described it like this.
Quentyn Taylor:
When you're making pizzas at home, when you make your first pizza at home, it's perfectly made with all the right ingredients. When you make your second pizza at home, well, maybe you run out of a bit of the sauce and a bit of the cheese, but you kind of make it okay. By the third one, it's just like, "I've got a bit of dough. I'll just get this in. I'll make something, maybe it will kind of go." And so, that's what being a third child is.
Joseph Carson:
The leftover toppings for the pizza. Whatever is remaining. But you're absolutely right. When I think about it, the second child comes along and you're thinking, "Okay." Rather than being that buffer for everything and trying to protect them from the bad world, what you do is you try to teach them and educate them about what's right and what's wrong. You teach them how to use the plug and socket rather than preventing them from learning. And I think that's really what we need to get into. The learning and awareness shouldn't be to prevent them from doing something. It should be to teach them how to do it with the least risk. And ultimately, so they don't harm themselves or they don't bring the company down.
Joseph Carson:
What we really want to do, as with children, is teach them how to use a socket. Teach them that there are bad things out there, that they need to be aware that not everything on the Internet is real. So, we should be teaching them. Rather than preventing them from getting to those places, we should be making sure that they can make educated decisions about how to make sure it doesn't harm them or impact them. So, absolutely right. What we should be doing is treating all our employees like our second child.
Quentyn Taylor:
Yeah. I mean, we need to be teaching our employees about resilience, and that's what we talk about. We talk about resilience and say, "Look, you are going to click on things. Bad things are going to happen. What we try and do is make it so that when these bad things happen, you can react, and recover, and recognize, and move on." For example, if you're selling things online, you are going to get ... Buying things online, you're going to get ripped off. It's going to happen. You try and make sure that if it does happen, because it's going to happen, it's not the end of your buying or selling career online.
Joseph Carson:
Absolutely. To your point, you talked about the credit card side of things. You want to make sure that you have the ability to make that limit flexible. That you can change that limit so that when you need it to be higher, you can increase it, but don't leave it at that amount. Reduce it back down to the amount that you use on a daily basis. So, make sure that your risk is dynamic. So, your credit card isn't open to whatever, 30,000 euros or whatever, and you leave it at that, but you actually put it down to the limit that you use more frequently and only increase and decrease it when you want to make those bigger purchases.
Quentyn Taylor:
And this is a good conversation to have internally. We were having a conversation, which I believe comes out of retail: ALE, annual loss expectancy. And it's interesting that in retail, they have the concept of shrinkage, and people understand that you will get a certain amount of stuff stolen every year. You can't prevent it.
Quentyn Taylor:
And then when you talk to people outside of retail and you go, "So, how many incidents are okay in a year?" they go, "Well, none." I had a great conversation with someone who was actually working for a three-letter agency, and we were having an argument about how many ... And we weren't going into the politics here, but whether it was acceptable for them to monitor everything, and whether the kind of breaches of privacy that they were being accused of at the time were acceptable.
Quentyn Taylor:
And he turned around and said, "So, how many major incidents, major terrorist incidents, are okay every year?" And I said, "Two." And he goes, "What?" I went, "Well, you asked for a number. Don't ask for a number and then be surprised. Yes, zero is a number." I said, "I don't think it's two." I said, "But I don't know." I said, "But you can't have it as zero." Because you can't prevent everything from happening. Bad stuff is going to happen.
Quentyn Taylor:
I mean, even when you look at your risk profile, you're saying, "Well, that's a once every 50 years, that's a once every 100 years, that's a once every five years." These things happen. And sometimes, we set ourselves up to go, "That must never happen." And that's often where the security industry fails, because we turn around, and what do we say?
Quentyn Taylor:
When a company has a major security breach, what's the first thing that gets screamed, mainly by armchair CISOs? "Fire the CISO." And I say, "Really?" You notice it's mainly armchair CISOs who say fire the CISO, rather than actual CISOs, who are going, "No, I've got a mortgage to pay. I would really like to continue paying that mortgage." But the point here is, if your first response to any security incident is to get rid of the very experience and the muscle memory in that organization, I'm not sure what organization you're trying to build, but I don't want to be part of it. And that's something in the industry we can change. And we can start to educate our own stakeholders and say, "Look, that stuff is probably likely to happen."
Quentyn Taylor:
A very good friend of mine, I won't mention his name because I'm not sure if he's ... This is Chatham House Rules. One of his people said to him, "Have you got enough money?" And he goes, "Well, I've never got enough money, but if you give me a large amount of money, I'll guarantee you that probably nothing will happen. If you give me an even larger amount of money, I'll try and guarantee that even less will happen." And that's the point. You can't prevent everything. So, you've got to set yourself up to fail.
Joseph Carson:
One thing I realized years ago: I did a pen test at a power station. It was really interesting, because what I learn from different events is what changes me, and that's what's significant. In this particular event, what I realized ... Up to that point in time, I thought my job was about enforcing cybersecurity. That's what I thought my job was. And that was a realization when I had a conversation with the CEO and CFO at the time. They changed my opinion forever.
Joseph Carson:
That day, basically, I tried ... Me and the CISO were doing a presentation to get more budget. And the CEO and CFO said, "Great presentation, but you need to show that what you're doing is helping the company. How is it making the employees' jobs better?" And that was a realization for me that my job isn't cybersecurity anymore. It may have been up to that point, but my job is to actually listen to and understand business risk. And this was a fundamental change, and you're absolutely right, we cannot limit all risks. We can't prevent all risks.
Quentyn Taylor:
And neither should you. Absolutely, neither should you try and eliminate all risk. Because if you remove all risk, then you'll remove all potential for profit. I mean, someone once said, Unix allows you to do really stupid things so you can do really intelligent things. And if you turned around and said, "I am going to pack every employee into this little bubble so that they cannot possibly make a mistake," even if you could do that, I'll show you a company that will wither and die within five years.
Joseph Carson:
Absolutely. And this was the thing. Actually, there's been a big conversation. I was doing an interview about Cybersecurity Awareness Month. And for me, I was actually a bit upset. The theme for the fourth week of October was all about cybersecurity first. And I completely disagree with it. I was thinking that that's the wrong approach, because it is not cybersecurity first. It's people first. It's business first. It's operational success, it's profit. Cybersecurity is a supporting element of all of those.
Quentyn Taylor:
There are lots of different risks, and we like to take cybersecurity and put it up on its pedestal and forget that if you're in a sales organization, there's sales risk, there's market risk, there's what's going on. I would think that I would like my CEO and senior management to be saying that cybersecurity risk is not the biggest risk on their minds at this moment in time.
Joseph Carson:
It's not. It shouldn't be. It almost goes back to that point where I had that conversation and I realized that my job was all about risk. The conversation was interesting, because the conversation with the CFO was one of the most interesting. And ultimately, basically, it made me realize that my job was to reduce the impact. You want to understand what the potential is, what the likelihood of that risk happening is. What is the potential impact if it does happen and when it does happen? And how can I reduce the impact? How can I make sure that I can actually ...
Joseph Carson:
The CFO, at the time, was willing to spend a certain percentage of that total risk to reduce it. That's where I got a better understanding of what the potential budget was. But actually, it made me realize that cybersecurity is not first. Cybersecurity is a supporting element across all other business functions and services. It's a supporting element. And it's one thing that we use. We use cybersecurity to reduce risk, but it's not first. It's not even potentially second. It's an element.
Joseph Carson:
And some of those things might be process. It might be technology, it might be people, it might even be insurance. They might look at different ways to reduce that risk, but cybersecurity is only one component. It's a method and technique for reducing risk and reducing the impact. That was a big realization for me. That was, for me, this whole theme of cybersecurity. Cybersecurity is not just one month, it's every month of the year. We should be practicing it, but it made me realize that, yeah, our job is all about risk and reducing that risk.
Quentyn Taylor:
It's about giving the C-level members of staff the confidence to be able to make the decisions, understanding or knowing that they've got all the information they need to have. So that they can take risk if they want to. And it should be completely logical and healthy to take risk.
Joseph Carson:
Absolutely. And this means that one of the things that you mentioned earlier, and I think this is probably one of the areas that businesses really need to think about as part of that risk reduction, is resiliency. It is really about, if something does happen, how do you recover and continue? And how do you make sure that that is more likely than less likely? So, meaning, when I've worked on incidents, I remember organizations facing that ... One organization had lost a complete year's worth of their digital data. I've seen individuals.
Joseph Carson:
I've had to help advise and consult individuals whose home PC and machine had a huge hard drive connected to it, with their entire 30 years of digital life, their baby pictures, family pictures, their educational, their university content, everything sitting on that hard disk encrypted with no backup. And you're also looking at businesses with that same scenario, where their backup strategy was actually protecting against hardware failure or data corruption, and it was online.
Quentyn Taylor:
And actually, you make a really, really good point. This is why ransomware is so damaging. If you talk to a lot of pure-play IT people and look at their business continuity plan, their entire business continuity plan is about natural incidents. It's about a data center fire. It's about a flood. It's about a tape unit falling over. It's about whatever these things are. It's the big difference between playing a computer game against bots versus playing against human players.
Quentyn Taylor:
If a data center is on fire, it burns in a mathematically predictable way. You got oxygen, you've got fuel, and heat, and this will basically create this triangle, and it will go through in a very predictable way. It doesn't suddenly start a fire in a totally different data center, because it sees you put all your resources into fixing that one. And that's the big difference that a lot of the IT people are then unused to dealing with an incident where someone is watching and they are trying to make the worst possible thing happen to you potentially.
Joseph Carson:
Absolutely. And a lot of the incidents as well, it used to be more opportunistic and automated. Where now, you're getting more people hands-on keyboard, and they're watching, and learning, and changing their techniques. They're modifying their attack path in order to get around your response to those, basically, techniques. So, it's getting more difficult for organizations.
Quentyn Taylor:
And you've got segmentation of the market as well. So, you got initial access brokers who are just getting in and then selling that bit. I was discussing it with one of our sales people and he looked at me and he goes, "But that's exactly what we do. As in, we segment the market and we do bits that are profitable and we let other people take the opportunity on bits that are less profitable. All that we don't want to take the risk on." I was like, "Exactly." It's exactly the same model.
Joseph Carson:
What was really interesting, and I remember doing an incident response in one organization as well, is that when you start doing digital transition, you start looking through logs. You start finding that actually there's multiple attackers on the network at some point in time. It's just the last one that you find because they're the most destructive. That's when you seriously start looking at the logs and start uncovering.
Joseph Carson:
But to your point, the organized crime, the cyber criminals are definitely ... They're focusing on skills. The crypto creators are no longer trying to deploy the crypto. What they're doing is they're creating affiliate programs and making this as a service and giving it to those who will then use and abuse it.
Joseph Carson:
And those who are using, abusing the crypto, they're actually buying the access from access brokers who are just specializing in getting the access. And then they don't want to talk to you when they deploy the ransomware. They'll hire a help desk team who will actually communicate with you to negotiate the ransom and actually help you recover the files. So, it's this whole, basically, production line of criminal networks who are getting more specialized and investing in those specializations. Feeling very difficult for organizations to ...
Quentyn Taylor:
And as we found out, there's also then cybersecurity organizations who allegedly then go to the cyber criminals and go, "How much do you want? Okay. That plus 10% is what we'll charge back to the client."
Joseph Carson:
Yeah.
Quentyn Taylor:
I heard that story as well, and you're going, "Oh, that was someone who stepped over a line somewhere."
Joseph Carson:
Insurance companies are taking that into their own hands as well, because they're faced with the double scenario into how do they make sure that they don't lose as much. And they're also hiring security and professionals who will communicate with the criminals to try and negotiate a lesser ransom.
Quentyn Taylor:
And I've also heard now that some of these cyber insurance companies are now doing their own security assessments to then inform their decisions for what risks they actually want to take, which I'm not surprised at really. But I think what's going to happen is going to be exactly the same as happened in the physical market, in that you're going to start to see the cybersecurity defense market being driven by the insurance companies.
Quentyn Taylor:
I have a five-lever mortise lock on the door. I've got another lock on the door. I have an alarm. I have all of these things and security lights. I have all of those things because my insurance company demands it. And I think exactly the same thing is going to start to be.
Quentyn Taylor:
We started to see that in the questionnaires, but I want to see them where they start saying, "If you do not have MFA on all of your admin accounts, we will not insure you." I think they need to start getting down to very prescriptive measures where they say, "These are a basic couple of things if you don't do, sorry, you can't get insurance unless you have those things."
Joseph Carson:
Absolutely. And you also need to prove it and demonstrate that you've got them in place. Because you're absolutely right. I grew up in Belfast. Getting my first car, it was almost impossible to get insurance. You couldn't get a car unless you had insurance. It was the most difficult thing, so therefore, you had to make sure that you had all the locks and had basically protection. You had locks and nuts in the wheels, so people couldn't steal the wheels. And then you had to have steering wheel locks, and you had to have chains around your steering wheel. You had to have all of those things in place. You had to have a car alarm. You have to have proper center locking.
Quentyn Taylor:
We have a real example from the car industry. I don't want to say the manufacturer, you can Google it. Where they had a major problem with what they called keyless entry theft. And the insurance companies just chucked certain models of high-end 4x4 into the uninsurable category. And suddenly, the manufacturer decided they could fix this issue.
Joseph Carson:
Yep. The wireless keys. Yeah.
Quentyn Taylor:
Yeah. And because they turned around and they said, "Well, we can't fix this." And then the customers said, "I can't insure your car, so I can't buy it." And, of course, in that market, it's really interesting, especially on the high end stuff, a lot of people had it on finance or PCP. So, it was very easy for the consumers, just like, "If I can't insure it, I can't have it, so I need to go elsewhere." And suddenly, the insurance companies got the car manufacturer to fix their problem.
Joseph Carson:
So, a question. I mean, we saw that with the car industry and it's fairly effective. Let's put that into the cybersecurity landscape side of things. Coming in the near future, let's say governments will require organizations that are providing digital solutions or whatever to have insurance, or some regulation. We got PCI, we got Cyber Essentials. One of those regulations, whether it be GDPR or CCPA, Cyber Essentials, that's going to say, "Okay, for you to get the certifications, you also have to have insurance." Basically, what's going to happen is that for their own, that will force organizations that in order to get cyber insurance, they have to have certain X, Y, and Z in place.
Quentyn Taylor:
No, I don't think that's going to occur in that way. I think it will be a case of if you want insurance, then the insurer will insist on certain things, but I don't think that any of the current legislations will force the insurance.
Joseph Carson:
Okay. Maybe in certain industries. Maybe in certain areas that industries that could be potential ...
Quentyn Taylor:
Maybe in certain industries, because I can't imagine that demanding that someone pay for insurance. Even car insurance, you don't have to insure your car. You can lodge a bond of money and essentially just say, "I've got enough money to pay out any claim. I don't need insurance." That's not legal advice. Please double check. I know in this country, at least, you can drive without insurance. Because essentially, you just lodge a ginormous chunk of cash, and I think it's what the MOD do and people like that, because they can't insure, so they just self ... You can self-insure. I don't think anyone is going to force you to insure via a third party. Now, maybe they might turn around and say, "You'd have to force self-insurance." But I think what's going to happen ...
Joseph Carson:
Yeah. You need to cover it yourself. Yeah.
Quentyn Taylor:
Yeah.
Joseph Carson:
It's mandatory for insurance to have for the driving roads, public roads. So here, you would have to have ...
Quentyn Taylor:
I'm sure that self-insurance is not possible.
Joseph Carson:
Not necessarily.
Quentyn Taylor:
It's rare in the UK, but it is possible.
Joseph Carson:
Yeah. Not in Estonia. Here, you have mandatory road insurance, but what you can do is then you are basically liable then to the damages to third-parties and everything else, but you have to have the minimum insurance to drive it on the road. I could go without insurance. I have a car at my country house that is uninsured, but we can only drive it around our field. We can't drive it in public roads. You get limited to what your usage would be. Maybe there's a potential of that might happen. I think it would be more industry specific that if you are going to be providing some type of service that might be regulated, that there might ultimately be some type of insurance that would come there.
Quentyn Taylor:
I think what they'll do is they'll make it morally responsible to have third-party insurance to cover certain risks. I think that's the cost go up and up and up and up. Obviously, with things like car insurance for large corporates, self-insurance becomes quite attractive, especially with huge companies with large car fleets because they know exactly what their annual loss expectancy is going to be. They know exactly what the cost of the premiums is going to be. And when you take the premiums and the premium tax and how much money they could spend out in the last 20 years, they instantly go, "It's so much cheaper for us to self-insure, easy for self-insure." Whereas with cyber attacks, I don't think that maths can be done at this moment in time, because let's be honest, they don't know.
Joseph Carson:
Yeah. Some companies are doing it, what's called cyber captives. Cyber captives is exactly, to your point, is that ... Well, they're basically saying, "Well, we can't get insurance. Whatever. But what we can do is we can basically take a certain amount of money as a captive and invest that and make money off that, but it's basically set aside for when incidents do happen."
Joseph Carson:
I think that's actually what Target had used. They had a cyber captive and several policies as well when they were attacked. So, somewhat large organizations who have that ability to offsite it themselves, insuring themselves, per se. If they have enough cash to put aside for that. And that is an investment. They will actually use that for gaining investments and profit, but it is there in case they do need to respond to it sometimes.
Quentyn Taylor:
I think people are forgetting on the whole cyber insurance. It's not just the money that you may need. It's also the fast access to services that you may need to have. So, you don't need to get that from your insurance company, you could just build up a large portfolio of companies that you have on retainer that you can call in and you can manage all of that. But sometimes, it's a lot easier and cheaper to actually let somebody else manage that retainer and portfolio. And that's also the other aspect of what you get from insurance.
Joseph Carson:
Yep. I sort of completely agree. We've had a guest on the show who specializes in, for example, incident response and they highly recommend that you do have a retainer, because when you have a major incident ... And several companies are hit at the same time. What happens is resources become almost unavailable. It's making sure you have access to expertise and resources who come in and know what they're doing to help you recover quickly, because recovering quickly, that's what's costing money.
Joseph Carson:
If you're delaying your recoverability ... The organization I mentioned about the ransomware case, their backup was encrypted, but they were fortunate enough to have a system that was one year old that was part of a migration, so hardware migration. That was still around, and they were able to use that as a baseline to recover, but it took them two months to get back to a state where, actually, services were basically providing the same services they were before the ransom.
Joseph Carson:
You think about that limited services for a two-month period. That's what organizations should be really looking at, that type of indicator. But what if your organization stopped providing your services for two months? What's that impact to your business?
Quentyn Taylor:
Revenue impact.
Joseph Carson:
Exactly.
Quentyn Taylor:
What's the long-term impact where customers ... And this is the point is if it's a cybersecurity incident, it will be different to, for example, like COVID or chip shortages like at the moment, because that impacts the entire industry or impacts entire sector. It's typically not affecting customer A or whatever, whereas a cyber attack is affecting probably just you. So, your customer can go to the side. You've then got the bottled water conundrum where the customer can just walk to the next person and buy the service from the next person, depending on what industry you're in, of course. And I think that makes them so worrying.
Joseph Carson:
Yep, absolutely. So, I want to wrap it up a little bit and get into summarization. I think one of the things I've got so far ...
Quentyn Taylor:
This is a positive note, because we've come across a bit of a downer. Let's come back up again.
Joseph Carson:
Let's come back up again. I do think one is that organizations are becoming more resilient. They are looking at these. They are going through the practices and they're taking that knowledge and making sure that they are becoming, not just incident response plans, but incident response ready, and they are investing in the right areas. What concerns me is when these response companies are doing really well. That's not a good indicator or a measurement of how the threat landscape is happening.
Quentyn Taylor:
A cybersecurity industry who is not servicing humanity particularly well in certain respects. I don't want to call out any bad behavior. We've all seen it where the industry is essentially eating the IT industry, and certain people are kind of forgetting on what side of the fence that they're on.
Quentyn Taylor:
When you see the red teamer who's overjoyed because there's a vulnerability that they can use to now break into companies and make lots of money. You've got to be really careful there, because in actual fact, yes, you can make lots of money, but you're making lots of money if ... You should be trying to do yourself out of a job. That's the old, old, old joke. A cybersecurity person, you should be trying to do yourself out of a job. And I think as an industry, there's a lot of people who are sitting there going, "Well, actually, how can I prolong this industry?"
Joseph Carson:
Yep. You're absolutely right.
Quentyn Taylor:
I don't want to fix the problem, I want to make money off this problem. And there's a very subtle line between doing good and prolonging the issue. If you're like the lawyer who could close the case, but is acquiescing to the client's demands. Yeah, you can sue for an extra 50 million. Yeah, you can do this. Whereas in actual fact, they should be saying, "Actually, no, just close it down. It's better for everyone if you close it down." But if you close it down, my revenue stream stops. I'll make a lot more money if you keep on suing these people. And that's the worry that I have in certain elements of our industry.
Joseph Carson:
Yeah. Years ago, remember, in the ... Actually, when you think about it, it just brought back something, a memory in the insurance industry. There's discussions around, for example, doing cyber insurance like a P&L as a collective. And the idea was that you would basically pay cyber insurance. That if you didn't use it, just like you have, for example, in the car no claims bonus, at the end of the year, if we didn't make a claim, you got a little bit back and you made money off basically that insurance.
Joseph Carson:
Actually, there was an idea several years ago into doing the same on insurance, that people would actually go into the economy of sharing. All organizations go together. We put this money into insurance. And all of us didn't actually have any claims in the year because by getting that insurance, you had to have some basis of best practices and controls in place. That was actually a profit. That actually became a profit stream, because that was being invested.
Joseph Carson:
But it was also that you might have some of the companies within that portfolio become victims, but it meant that there was enough money in that entire pot to help that company recover. Actually, there were discussions around treating it like that type of scenario where it actually became a lucrative investment. It wasn't just money that you put in and never saw again. It was actually something that if you didn't have claims and you didn't request the help from the insurance company, that you actually get a bonus back every year. So, maybe that's a look of the way ...
Quentyn Taylor:
That would be. Cyber insurance companies, if you are watching this, that's what we want.
Joseph Carson:
We want it to be profitable for everybody.
Quentyn Taylor:
Exactly. We want money back at the end of the year.
Joseph Carson:
Absolutely, for me, I think what we're getting away from this and discussions I'm having is really that it's all about making sure that it isn't cybersecurity first. And it isn't about making everyone in the frontline cybersecurity professionals. It's about helping, understand what the risk is and looking where possible to reduce the impact. To your point, making organizations more resilient. Being able to recover quick, have access to the expertise, resources, and make sure that, one, you don't have to be faced with paying a ransom. That you can recover in a much more efficient and operational manner. That you're not looking at losing your service for two months, and what would potentially that cost be. And potentially, cyber insurance might be an option to help you offset that risk.
Quentyn Taylor:
And this might worry people. What happens if paying the ransom is actually cheaper than fixing the security problem?
Joseph Carson:
That's where really ransomware becomes commoditized. Actually, there was one of ...
Quentyn Taylor:
That's when it becomes protection money. Is it cheaper to pay that one that protects your rate that one? And then when does the one that you're paying to protect you against all the rest of them actually just become a legitimate security company?
Joseph Carson:
I remember actually on a panel not long ago, I actually think it was with Rick Ferguson and we had the discussion. Ultimately, what happened was at the end, I thought, "Ultimately, what's going to happen is ransomware is going to turn into a subscription service. Is that you'll actually pay the ransomware criminals to not attack you and actually getting into that subscription. Ransomware is a subscription, so that they're actually protecting you and telling you that, 'Oh, you're vulnerable.'" This is how we're going to get access.
Quentyn Taylor:
I wonder, actually, if Terry Pratchett called it. You've read about Terry Pratchett. The Thieves' Guild. You'll have the ransomware guild that you will simply pay into and ransomware will be over. You heard it here first folks.
Joseph Carson:
Yeah. Let's come back to the old mafia protection money. Any final thoughts or any final comments for the audience?
Quentyn Taylor:
My focus would be focus on cyber hygiene, focus on making the organization resilient and focus on making the people resilient. And remember, you can't protect against everything and neither should you try. Don't set yourself up for failure. If you're in the cybersecurity industry, have a conversation with your senior leadership so that they understand that you're not godlike. You can't protect against everything and neither should you. You should be advising them on what risks they could and should take and bad things going to happen. And you know what, you'll be standing right next to them to help bring the company back when those things happen.
Joseph Carson:
Absolutely. That is the wisest advice I've ever heard and spot on. So, it's a great way to end. Quentyn, it's been a pleasure having you on. I'm really looking forward. I'd definitely recommend the audience do subscribe to Quentyn's ... What's your YouTube channel name?
Quentyn Taylor:
Just Quentyn Taylor. Just search for my name. If you search for RFID hacking, you'll probably find me as well, but I also ... My Twitter handle is going to be somewhere around here as well. My YouTube channel is in that bio.
Joseph Carson:
Yep. We'll make sure it's in the show notes, for sure, if it's okay to add them. And I do love when you're in the little man cave. It's always fun to watch. It's been a pleasure. So, thank you for having you on the show. It's been great discussion. Some things for improvement in the industry, but definitely some highlights of things that we can prioritize and focus. So, it's been awesome.
Joseph Carson:
For the audience, tune in every two weeks for the 401 Access Denied. Subscribe, go back and listen to previous episodes. Quentyn has been fantastic. Maybe we'll do one on RFID hacking. Maybe we also get Chris on the show as well. But thank you and awesome. Stay safe. Take care of everyone.