Episode 49

Smart Security Awareness Training with Paula Januszkiewicz

EPISODE SUMMARY

We're joined by acclaimed cybersecurity leader, pen tester, and CQURE CEO, Paula Januszkiewicz, who offers guidance on the best approaches to security awareness training. Some industries have seen a 1,318% increase in ransomware attacks, so we discuss the best ways to handle employee training, credential protection, privilege access, and incident response plans.


Joseph Carson:
Hello, everyone. Welcome back to another episode of the 401 Access Denied podcast. And it's a pleasure to be here. I am your host of the episode, Joseph Carson, chief security scientist and advisory CSO at Delinea. It's a pleasure to be here. And I'm really excited about a special guest, someone who I've been waiting for a long time to get onto the podcast. And it's a pleasure to have Paula joining us today. So, Paula, welcome to the Access Denied podcast. Do you want to give us a bit of background about yourself, what you do and some of the things you do in the industry?

Paula Januszkiewicz:
Yeah, absolutely. Thank you so much, Joseph, for your invitation. Absolutely pleasure. And it's a great name and I'm pretty sure that everybody says this. So I'm going to be yet another person that's going to say it's a great name for the podcast, for sure. And a couple of things.

Paula Januszkiewicz:
So as you know, Paula Januszkiewicz. What I'm doing for a living is purely cybersecurity, which means that I've been engaged in the cybersecurity industry for over 17 years now. Sounds like a long time. And I'm also the CEO of CQURE. This is the company that I established 13 years ago. So we celebrated the 13th anniversary at the end of the year. And technically I've been doing pen testing, incident response and forensics for my whole life. And I have access to the source code of Windows. And even though I have this business role within the company, I am engaged in projects all the time and I don't plan to give that part up.

Joseph Carson:
Absolutely. That's a lot. One of the things that I've always enjoyed is getting to meet you at some of the events, because that's where we started meeting, at the events several years ago. I've always enjoyed watching you doing the actual very technical demonstrations during the Arsenal events. I think it was Black Hat and even RSA. So do you want to give an overview of what you demonstrate and some of the tool sets that you typically cover there?

Paula Januszkiewicz:
Yeah, absolutely. So Black Hat Arsenal, of course, it's a great opportunity to share tools. Yeah. So every year we release some new tools and we've got the privilege to demonstrate them at Black Hat. So one of the major tools that we have, or major toolkits that we have created, are the ones that we use for the Data Protection API, so the cryptographic platform in Windows. And not bragging about it or anything like this, but as far as we know, we are the only and the first team in the world that fully reverse engineered the Data Protection API.

Paula Januszkiewicz:
So we've got over 40 tools that are supporting the process of decrypting data from Windows in various ways, from extracting keys to extracting the private key from the domain controller that allows you to decrypt every user's secrets in a whole enterprise. So it is important to know how your data is stored, and that's why we basically share these tools and we made them public. But, of course, there are also other tools. Yes. So for pen testing, for forensics. And RSA as well, it's a great opportunity to present some case studies, to talk not only about the tools, but also about how we are able to deal with certain situations that are inconvenient, for example, we are under attack or anything similar, and what steps you can take to recover. Because we've got, I think I can say, quite a lot of experience as a team participating in various incident response projects as well. So I'm always super happy to share these stories and to be completely open about what things happened and what someone did to recover, because someone might find it useful.

Joseph Carson:
Absolutely. That one, for me, is important. I always like to do those use cases as well, because from incident responses, the real-world scenarios, I think there are a lot of people who can learn from the lessons and experience that other organizations have had. And it's really important, because the lessons you learn from there really help you understand what the risk is, what the common techniques are and how you can reduce them. And what I see, from some of the things that you've been doing, is I really think you've taken the flag from Mark, who's been doing the Sysinternals tools for a long time, because that's one thing that I started off with many, many years ago, using Sysinternals to troubleshoot and find out what's really happening under the covers.

Joseph Carson:
And I do see you as having taken the flag from Mark and continuing on, even though Mark's still involved at Microsoft and still does the Sysinternals updates. And, of course, they just did the Windows Internals update to the books, which has been fantastic as well, and which has been written for a long time. But I think what you're doing is really continuing that great work that Mark did, but from a different angle. So fantastic.

Joseph Carson:
The main theme of today's episode is all about what's been happening over the past few years. What's the landscape? What types of incidents have you seen? What are the trends? Can you share a little bit about what you've been seeing in the industry in the past few years that should be important, that we should be looking at?

Paula Januszkiewicz:
Yeah, absolutely. So I can tell you one thing for sure: during the pandemic we have seen, and we are still seeing, a huge increase in various attacks. And that is completely crazy, because there are lots of different projects coming in and there is yet another company that's getting affected in some way, mainly by ransomware, because ransomware is definitely on the rise. And if we look into statistics, maybe let's first mention those, because they create a really nice platform to start this conversation. For example, when we look at the summaries of 2021 from companies like Trend Micro, IBM and so on, we can read that ransomware attacks on financial organizations have increased by 1,318%. So looking at that stat, it's like, hey, since when do we see something in the statistics increasing by 1,000%? 100 is already a lot. But normally we are like, oh, a 50% increase. And then we feel like, okay, that's a lot. But 1,300, that's a lot too.

Joseph Carson:
Absolutely. It's a big number. And I'll tell you, with those figures, we'd be considered to be doing extremely well.

Paula Januszkiewicz:
Yeah. So it's like, okay. So the question is why? Because, well, the answer will be pretty straightforward: because it's a very lucrative business. You can illegally earn lots of money running various ransomware campaigns. And unfortunately the other side looks at these points of entry that we are thinking about. So simple user passwords, no multifactor authentication, the possibility to run the macro from the attachment from the email, something that gets through the phishing filter. This is not even stopped on the Windows platform, but it can be. Yeah.

Paula Januszkiewicz:
So here is the problem. These points of entry are not only predictable, but they're also easy to manage and they are still there. And that's why lots of people decided to step into the ransomware business. And according to some other stats, if ransomware was a country, it would be the third richest country in the world. So this cybercrime part.

Joseph Carson:
It does pay.

Paula Januszkiewicz:
It definitely does pay. Yes. And also the cost of getting a lead, so getting to a target, is also very low. So it's very encouraging to actually step into some illegal actions. And that's what we see. So we've got ransomware brought to the field. But another angle is that we can also see attacks that are coming through vendors. And that's maybe not a new reality, but we see that one happening quite often, so that there is an IT company supporting a bigger organization, these guys are attacked. Of course, they store credentials for the other company somehow. Yeah. If it's not safe, then, or whatever the way would be, how do they connect? Yes. Is it like logins, cached passwords somewhere, maybe in the remote desktop files? These simple things. And then they manage to get access.

Paula Januszkiewicz:
And, for example, we got a case of a customer, it's a series of factories placed all around the world, where their data had been encrypted. Unfortunately, they did not have backups that were up to date. They had to pay the ransom. Of course, we don't know whether that would work or not. But luckily for them, there was a hackers' help desk that answered with the decryptor, and the decryptor unfortunately was not working. So they paid half a million euros for something that didn't work. And our job was to verify whether this decryptor was indeed not working because it's just nothing, or maybe there was something wrong in it. And then it appeared that when the data was encrypted, it was encrypted a couple of times, because the encryptor, so the ransomware, was just crashing because the data was in use. So therefore the decryptor could not deal with that. Okay. So we decompiled it, we analyzed it, we tried to figure out what was going on. And then basically we managed to decrypt their data. But I'll call it luck, actually.

Joseph Carson:
That is quite lucky, to be able to identify the problem at the beginning, because in a lot of cases I do find, when I've looked at a lot of different variants of ransomware, that the encryption process is pretty impressive in how fast they work, by just doing even the headers and dealing with large files, even doing only specific directory paths in order to really make it painful for the customer. But ultimately what I look at, when I see the encryption process, is that it's an area that the ransomware creators don't really invest much time into. And I see in many cases it fails a lot. For very few organizations, when they get the encryption key and encryption utility, is the time it takes to restore the data short; it's very lengthy as well and can sometimes take days and weeks to do.

Joseph Carson:
So I think there's one area that the actual ransomware gangs are going to improve on, and that is the decryption capability, because ultimately they want to show that it's a service and get paid for it. And, of course, my view is to not pay, but ultimately when it does come down to it, it is a business decision. I can only make my recommendations to victims, but ultimately it's a business decision to determine what's the right way forward.

Paula Januszkiewicz:
That's absolutely true.

Joseph Carson:
It's always a challenge in that case. But one of the things you mentioned, about a lot of those entry points: I've seen, even on the service provider side, a lot of organizations where third-party accountants have access simply to an RDP desktop. So they're basically public-facing RDP, simply protected with a username and password.

Joseph Carson:
And ultimately then, when we get into the system, one thing that really annoys me is that today what's happening is the browsers really want to capture all of the credentials. So when you log into something using any browser, it will say, would you like to store the credentials in the browser to make it easier for you in the future? But by default, the browser's security is turned off. And it means that, for me, in many cases, the browser itself is no better than simply storing them in clear text on the desktop. It's just in a different location.

Joseph Carson:
And I think one of the things that I've had discussions about in the past is that we really need to move away, not just to... Because the browsers do have security by design, but we need to start moving to more security by default, with it being on. You actually have to go and purposely switch it all.

Joseph Carson:
So if you are using the security feature, you want to make sure that the security parts of it are actually enabled. Because in that situation, this organization did become a victim of a ransomware attack, and in that case it was the CryLock version, the updated version of Cryakl. And yeah, they were saving all of the passwords, usernames, credentials and all of the URLs that they go to, SaaS applications, all saved in the browser, all easy access for the attackers to get to. Any thoughts? Is that something similar that you're seeing as well?

Paula Januszkiewicz:
Yeah, absolutely. So, first of all, what we need to know is that storing passwords in a browser, like you mentioned, is not a good idea. And there are many reasons, of course, for that. First of all, especially from the end user perspective, how do we know what technology is really used behind it to store these passwords? That's one thing. Second, within the DPAPI that we mentioned, you've got the possibility to extract these passwords very easily. And it's basically the case for every app that you run on your computer; that's the case with a cryptographic platform within Windows. And I'm not saying it's bad. That's just basically how it works. Then basically we are able to access any other passwords that are stored by any other app.

Paula Januszkiewicz:
So if I, for example, run application ABC, this application potentially might have access to passwords used by Outlook, Chrome and so on. Yeah. So different apps. That's the point. Now, of course, we live in a world right now where we doubt, and we have lots of trust that's lost in applications being signed. Yeah. So there are many examples that show this. For example, let's say it loudly, we had the case of SolarWinds. So we all trusted the vendor. It's a popular solution. But on the other hand, something went wrong in the process. Let's just shorten this story. And then everybody received signed software which contained malware. So this can happen to the best, as we can see.

Paula Januszkiewicz:
So, of course, we are running these applications, but do we really know whether we are experiencing this attack right now? We don't. Therefore, storing passwords in a manager, so KeePass and so on, is the greatest idea of what we've got. Plus we can secure it with solutions like YubiKeys and so on, in order to make sure that everything is well protected with good industry standards. So yeah. And these points of entry, so the simple passwords as well, that's another problem, of course. And if the user is an unmanaged user, if the user doesn't have MFA, same story here, then, of course, we are just asking for trouble.

Joseph Carson:
Yeah. And we're leaving the door open wide enough for the attackers to be able to easily see it, especially when things are public facing. One of the things you mentioned as well, talking about when users are misconfiguring or deciding which passwords to choose. One of the things that we look at, and a practice that I do all the time, is the principle of least privilege, having the least privilege that I'm operating with. So on all my Windows machines, I'm actually operating under a standard user and having the most limited privilege possible. So even if I do click on something, it's going to either prompt me for UAC or prompt me to elevate privileges. What are your thoughts around operating under the principle of least privilege, or making sure that people aren't over-privileged, so as to reduce the potential impact when they do click on something?

Paula Januszkiewicz:
Yeah. So this is definitely a trend that we were not really talking about, let's say, five, six years ago. Now, of course, we are talking about strict role separation, and there are also various third-party solutions that allow us to implement that in a little bit smoother way and to restrict the possibility to jump into the servers' area if you're managing workstations and so on. So we've got this clear role separation and also separation into tiers, into various layers of components in the infrastructure.

Paula Januszkiewicz:
So my perspective on that, it's very simple. That's what we all should have, and that's what we should have had in our minds years back. Yeah. But, of course, the attacks were not so popular. Yeah. The ransomware was just starting to grow. So we were just experiencing fewer attacks, or different kinds. So these ones that we've got right now are leveraging simple points of entry. And then, just because we do not have Privileged Access Management, they are able to escalate further in the infrastructure, and it's better for them, because they will be able to destroy more things. So one thing is, of course, encrypting data. But the second one is just to stay there in the infrastructure and monitor it for a couple of months. And that's what we are observing in our customers' infrastructures too.

Paula Januszkiewicz:
So we were dealing last year with a really huge project at, let's say, a semi-governmental organization, where hackers were sitting in the infrastructure for over nine months. So what can you do? Saying it in another, very engineering way, we could do everything. So everything means what? Literally everything. So you could be domain admin, spy on people, literally set up everything that would allow you to infiltrate this particular organization. Plus, of course, another aspect comes into place, which is GDPR. And that could also introduce some trouble for this organization, because the organization is responsible for protecting that type of information. And when it leaks, whose problem is this? Yes, the hacker is not taking responsibility for that.

Paula Januszkiewicz:
So there are lots of aspects, not only business continuity related, but also legal, that are impacted by that escalation. So Privileged Access Management definitely goes together with the possibility to have whitelisting in the organization. Why are we running the code that we don't know? Why do we even allow that? That was always the question that I was asking. And I'm still asking that question. Even though it's 2022, companies still don't have that.

Joseph Carson:
Yeah, absolutely. I think for me, the concern, of course, when we look at SolarWinds, is that we're always looking to patch and update things as quickly as possible. And it was always about signed libraries being the way, that root of trust, being able to determine whether that was something that you could trust from a third-party source. And we've seen over the last couple of years keys being compromised. And that root of trust has basically been broken. And it means that when you need to update and patch, when is fast enough, or when do you need to run it in a sandbox in order to observe and see if it's doing something malicious? So those are some of the challenges that we have.

Joseph Carson:
One of the things that you brought to my mind was around doing a lot of incident response, when you're actually going in and dealing with something like a ransomware case. And, of course, cryptocurrencies have also made it much easier on the money payment side of things. So it can be much more anonymized and can be laundered and filtered and so forth. So it's made it much easier, of course, for the money trail to pass through to the criminals.

Joseph Carson:
But one thing that you brought to mind, absolutely, tends to be that when I'm responding to certain incidents, and you're going in and you're doing the digital forensics side of things, you tend to find evidence of other criminals having access for long periods of time, for months in some cases. So sometimes you're dealing with one incident, and you tend to uncover maybe two or three others, evidence of other criminals being on the networks. And one thing that I found as well, a few years ago, I've seen a few cases where, of course, some criminals were not actually doing anything malicious within the organization, but what they were doing was actually insider trading. They were actually using the information they were gathering from internal knowledge of the organization about how well it was performing, and actually going on the public stock market and making bets based on its performance, because that's insider information that no one publicly has.

Joseph Carson:
And that type of money trail is much more difficult to find, because basically it's public domain. So it's using the stock market in order to make money. And how do we actually make that connection back to insider trading? So that's another thing that many organizations need to be worried about: internal information being available to external attackers, who are able to make public financial bets based on the organization, whether it be acquisition information or legal cases being resolved, and attackers can manipulate to make bets depending on that information becoming public. So those are other challenges that many organizations have to face as well.

Joseph Carson:
Going back to the user side of things, I think it's always important that we make sure that we educate and make users much more aware. But one trend that I get worried about is that we can't expect all users to become cybersecurity professionals. It's not their job, it's not what they get measured on. Where is the balance between the cybersecurity awareness side of things, making sure that people are aware enough, but not, let's say, depending on them to make the right decisions when it comes to security? What are your views around security awareness training and what we can do better in that area?

Paula Januszkiewicz:
Yeah. That's a great question. And I'm glad to see that we are also on the same page, because users definitely are not trained to be cybersecurity professionals, and it's not their job to identify every threat that they might potentially step into. Therefore, the role of technology comes into place and the role of awareness comes into place. So these two things, they have to cooperate with each other very well, because the fact that we are going to make all users aware, of course, does not solve all of our problems.

Paula Januszkiewicz:
So one thing is to introduce technology, if we can, that will allow us to sleep well, meaning that users can click potentially anything they want to and nothing's going to happen. Yeah. All these points of entry, they have a certain characteristic that is not new for us. So, for example, we've got an email, there's a macro. A macro most probably has a child process that's going to be running from Excel, let's say, or it might be, for example, running inside Excel. Then, of course, we've got Exploit Guard, for example, addressing this problem, or we've got attack surface reduction rules addressing this problem. So there are solutions that allow us to sleep well. We just need to implement them.

Paula Januszkiewicz:
But, of course, there are some technological, let's call them exceptions. So there are certain situations where, with so many people in this world, someone's going to figure out something that's going to allow them to bypass these solutions. Obviously, that's what cybersecurity is about. So let's say it's going to be a user, and therefore awareness comes in as a very important factor backing us up, which should be introduced well in the organization. And awareness should be brought to the point where it's becoming useful for a user. So it's my personal account on Facebook, it's my personal account on LinkedIn, it works in a similar way as what we've got in the organization. We need to make sure that we are not losing our identity.

Paula Januszkiewicz:
The problem is that people nowadays, I think in our companies may not be, of course, generally saying yes. But there's one point missing: what does it mean to have that identity stolen? It sounds like a very romantic title for a movie, but when it happens to someone, it's a real nightmare, because we are losing access to all of our friends, to all of our resources, pictures, whatever that'll be. Plus our account is becoming a feeder for hackers to get access to the other accounts. Yeah. And that might also impact our friends' relationships. Who knows? Yeah. So it's a lot of mess.

Paula Januszkiewicz:
So people need to be aware of why this is happening, how this is happening. So awareness nowadays should have examples brought to the field so that people see, hey, this is how hackers act. That's the video where we demonstrate what's going to happen exactly. And we connect the dots, we explain it from three different angles, so that people are like, uh, so there is something to protect. And we do it in the same way, both for personal life and also company life. So the role of awareness, especially for personal life, is crucial nowadays. So the better the security training we are able to deliver, and with more examples, the better.

Joseph Carson:
Absolutely. You're so right on that point: when I look at security for myself, I'm almost thinking I can secure myself to a certain point, but it's my social sphere around me. And one of the things that I really realize is that I'm only as secure as the people I'm connected to in my social network and the people that I interact with daily. And one of the things I found, and this came back years ago doing a security audit for a large transportation company, was that we realized we were failing on our security awareness and enforcement side of things, because we were the security team saying, no, you must do this, and enforcing everything.

Joseph Carson:
And ultimately what happened was really interesting, because when we revised it and we did basically a review of what we were doing, the organization realized that actually anything we do in security awareness has to also improve the employees' external home life, personal life, the people around them. And that was one of the things that they ended up doing, even giving free security solutions, antivirus and password managers, for their home machines, not just the corporate machines. Because if we fast forward to today, everyone's using their personal devices for work as well. And for me, that was about 11, 12 years ago. And that was almost a forward-thinking idea.

Joseph Carson:
But in today's reality, it's so critical that anything we do in security awareness needs to also make an impact on people's personal lives and improve the security of their social sphere. And that's one of the things that for me is so critical. And to your point as well, definitely making sure that we make their lives better when it comes down to the impact side of things and raising awareness. And at that time as well, we found during the analysis that the best people at becoming cyber mentors or cyber ambassadors were victims. Because if you lose your identity... Let's say most people were worried about losing, let's say, credit card payments or debit card payments when they do internet shopping. And all of a sudden, they pay for something fraudulent and lose some money on their credit card.

Joseph Carson:
When you look at it, it's so much easier to get your money back if there's financial fraud on your credit card, versus if you have an identity theft. It's so much more difficult to get your identity back online. And the process that you have to go through can be... Actually, for some people it can take years before you get your identity back. And also, when we think about it, everyone's identity revolves around their email account, unfortunately. And if your email account is ever compromised, you end up with them being able to go and reset all the passwords of all your accounts and take over those accounts as well. So if you lose your email access from an identity theft, that can be devastating.

Joseph Carson:
Are there any best practices you recommend that people can follow to reduce that risk? Because for me, I think identity theft can be very devastating for many people.

Paula Januszkiewicz:
Absolutely. So therefore, anything like multifactor authentication with a complex password is something that we definitely need to have. Regularly changing passwords, that's another classic tip for everybody. And also, if it's a business email, then, of course, we've got various solutions that allow us to identify where someone is logging on from, to allow logins only from a certain location, for example, in the world, at a certain time, in a certain way and so on. So these are the logics that we have access to right now. And they're clickable through the portal which we, for example, use to manage our whole corporate email. And it's very easy to implement those. So multifactor authentication is clearly a must, because how else, if not this way, are we able to protect ourselves from, for example, even a known password being used? Because, okay, that might happen, but we don't want to be that person that gets that guessed. So that's one of the things.

Paula Januszkiewicz:
But I completely agree with you on one thing here as well: in terms of security awareness, one thing is also needed, and I think this is slowly but surely happening, so that's good news, which is that cybersecurity, being the responsibility of all of us, should be introduced also to the other spheres rather than just cybersecurity. For example, other trainings that people take, so that people are aware about cyber at any moment, whatever they step into. So, for example, they do training on marketing solutions. There is a module on cybersecurity. They participate in financial training somewhere. There's a module about cybersecurity and threats related to finance. Yes. So there is this small conversation about it, but it still shows that this is an important subject, so that people understand that protection more. And if they get a chance at the end to turn on multifactor authentication on, for example, a LinkedIn account, Facebook account, whatever that will be, then they will just do it. And that would be good.

Joseph Carson:
Absolutely, it makes a big difference. Going to one of your points as well: one of the things that, historically and unfortunately I know, has probably caused a lot of challenges for many organizations is that cybersecurity has always been put into the IT technology bucket, and that's where the accountability and responsibility were left. But it's so much more than that today. And you're right that it's no longer an IT responsibility, it's actually a business responsibility. And cybersecurity needs to move out of the IT realm and actually be a supporting part of the entire business function, whether that be HR, finance, marketing, sales and so forth. It needs to move out of the IT silo and become an integrated part across all of those. Just like you have health and safety or first aid training and so forth, there needs to be much more thought around it actually being a supporting part of the business itself.

Joseph Carson:
And actually, one of the things that I remember from last year, when we had cybersecurity awareness month, is that I was a bit upset that we had this cybersecurity-first approach. And I always thought that cybersecurity shouldn't be first; it's always business first, and cybersecurity is a supporting part of the business, because at the end of the day, cybersecurity is all about making the business resilient, reducing the risk to the business and helping the business be successful. We don't do cybersecurity just for the sake of cybersecurity. So that's something that really got to me when we did that cybersecurity awareness month.

Joseph Carson:
One question I've got for you though is that you mentioned a lot about macros, and macros have definitely been a big pain for many organizations because, of course, we've seen a lot of exploits of Macro 4.0 in Excel and so forth. And Microsoft made the announcement to have it disabled by default. What are your thoughts around that, about turning off macros by default?

Paula Januszkiewicz:
It's a bit of a dream of every cybersecurity specialist. But I can also imagine the business side being in pain because of that, because there are many macros that are used, especially in financial organizations, to update this little thing from the database over there and so on. And it appears that it's a very crucial thing, crucial tool as they would call it, or even application as they call it, that is supporting, for example, dealing room operations and the dealing room in a bank. Yeah. So yeah, it's a great change to be for time to get rid of that. But on the other hand, the question is, okay, we can disable macros, but maybe we should think first why macros and in which way macros are being a threat for us? Because the way how they behave, it's very patronized.

Paula Januszkiewicz:
So we've got, as we mentioned before, child processes, or we can run things within, for example, Excel itself, so Win32 API and so on. So that's where the problem is. And macros, of course, might be legit. There might be signs. We might maybe do some whitelisting for the macros, which would be also a great setting, that we are allowing this and that macro, because sometimes these macros are really advanced and rewriting them to the other functionality is lots of money and mainly time. Yeah.

Joseph Carson:
I agree. I was happy to see it, but I then thought in the same process as that, when I put my business hat on, how is the business going to deal with this, because it is very... Especially influential, it's a very critical part of the business. And it got me thinking, why don't they move it to much more role based, so that it's more of a policy that you assign to a user rather than actually having something that's part of the configuration of a computer or system or the application itself. So it becomes more role based.

Joseph Carson:
And also getting into, we do a lot of virtualization and containers today, why can't it actually run in a container or sandbox? But the good point is that it's disabled by default, because the large forces of population do not need it and will never need it. So as long as they do make it easy to turn on for those business departments that do have dependencies on it, the good thing is at least it reduces the potential scope of the targets from macro-based attacks. It at least makes it more difficult for the criminals to be successful.

Paula Januszkiewicz:
Definitely. But see, I would like to hear that about passwords, for example. Like from now on, we are disabling passwords. Everybody's going to be like, no. But at the end, everybody's going to be like, yay, because nobody likes to manage them anyway. So then we've got authenticator apps and so on. And, of course, different problems arise, but I think passwords, and that's not very rocket science what I'm saying now, it is a bit of an old way of authenticating into things. Right?

Joseph Carson:
Absolutely. Well, one of the things I'm hoping is that it's sometimes a bit of confusion. And this is one of the things that me and some of my peers have always had as I run passwords is that we hear a lot about passwordless and we hear about biometrics and single sign on. And I think they're all great, but sometimes a misconception into the biometrics is that it doesn't really replace the password, it's actually an improved identifier as part of authentication, which means that it has better security attributes. And what it has, yes, it's more difficult to replicate, but it replaces the username portion of the authentication. So you always want to get into either combining it. If it is something sensitive you're accessing, then you want to combine it with multifactor authentication.

Joseph Carson:
So doing biometric for some type of push notification or multifactor authentication that will replace the username and password. But we do need to stop having people managing the passwords, deciding what's the next great password. And we have to start moving it much more into the background, into an automated process. So when I talk about passwordless, for me, it's not, people assume that like Cortana or facial recognition on Apple devices is going to replace passwords. What it's doing is just really replacing where the mechanism for authentication is happening. So absolutely moving them into the background so that it can be much more managed in an automated, systematic way so that we're not relying on humans choosing the next great fantastic password. Because we know that after 10 fingers and five passwords, we start reusing combinations of variations with the same thing. And that makes them weak and easily guessable.

Joseph Carson:
So absolutely passwords for many organizations, the more we move to alternative authentication and authorization mechanisms, the more difficult we make it for attackers to be successful. Because one of my sayings is that there's no 100% protection, there's no golden bullet in security. What I do in my job every day is about making the attackers, making it more of a risk, making it more of a challenge and forcing them to make more noise. And the more noise they make in my network, the more visibility I can get to stopping them from laterally moving or elevating or getting further into sensitive areas.

Joseph Carson:
So we want to make it as difficult as possible. Being from Belfast originally, one of the things that I always compare it to when I think about it in a real world scenario, it's like me parking my car next to a nicer car that has less security so that my car will not be stolen. And that was always a method. When you drive around, you're like, okay, where's the nicer looking car, so no one will be interested in stealing my car, looking from a security perspective?

Joseph Carson:
So, hey, what are your thoughts on the direction of the future that we're going in? What are your forecasts or predictions that you have for the near future when it comes to cyber security?

Paula Januszkiewicz:
Sure. So that's a question that I really love, because every year the answer is going to be slightly different because we are having certain trends that we are observing that are increasing. For example, this absolutely crazy increase of ransomware attacks in 2021. But I always say the same thing, that what the future should be is that we should revise the incident response plans for the organizations, because experience during the pandemic shows that for lots of organizations, it's not that they have wrong incident response plans, they just don't have any.

Paula Januszkiewicz:
And the part of that, and it's also quite funny, is that also according to some stats, we've got approximately 70% of organizations that basically did not even approach incident response planning professionally. So they did not construct the team, they did not plan the process. So when we get an incident, what do we do? Yeah. Okay. They might have a backup, but they do not have this procedure that allows them at least to gather the evidence.

Paula Januszkiewicz:
And I'm always laughing, even though it's maybe not really funny, but kind of funny, is that when we get an incident, one of the things that I ask for first, of course, amongst many other steps, is to collect the evidence if we can. So we collect the memory dump first, we do the disk dump so that maybe we are going to need it in future. Who knows? Maybe that's going to be helpful for the analysis. It's good to know more for sure. And one of the questions is like, okay, so how do we do that? And I'm like, okay, so we need guidance. Great. It means that incident response isn't in place. Okay. We explain.

Paula Januszkiewicz:
And then the second question is how much space do we need on these external drives? And, oh, no. So that's telling me one thing, that obviously they have an empty drive maybe somewhere next to their hands. And another part is, okay, so how much memory have you got? 64 gigs. Okay. So this plus drive. Okay. That means four terabytes. Oh, but we don't have a drive like that. Oh, that's a problem, because we will have to figure it out. So then they order it on Amazon or something. Same day delivery if it's possible. They go to the market store immediately. But immediately means two hours plus.

Paula Januszkiewicz:
So time is absolutely crucial in these incidents. Lots of things can happen in two hours. We know that. And it'll be great to know more again. So when we do the memory dump earlier, this dump earlier, we're going to get things in a better condition. Yeah. Maybe nothing's going to be destroyed, maybe something, we don't want it. We don't want any loss over there. So yeah, an incident response plan should start with preparing ourselves a good pile of drives that addresses our current average configuration of the servers. And let's start with that one.

Joseph Carson:
Absolutely. It's not just about even having an incident response plan, it's also being incident response ready and actually practicing. Because when you're not using those techniques on a daily basis, they become a bit dated. And so you do need to practice when you're taking images of machines, whether being in raw format or DD format or whether using something like EnCase or something that's going to basically do the imaging for you. And what I always come to is the same thing, is that one of the questions I've got is that when I'm going into an incident and they do have a plan, but they have no idea how to act upon it or what to do first. And time's ticking and you're going, okay, where are the log files? Well, we don't archive them. And the attackers deleted all of the event logs, so they're all gone. Okay. So this one thing. Okay.

Joseph Carson:
Now, which accounts do I have that I can actually use in order to do the forensics? Well, we actually had to disable all the accounts in the system, because they've been compromised by the attackers. So therefore they have to go and create new ones. And you're going, well, you mean they own the domain and you're going to create the accounts in the same network, or they're going to give you the same accounts that you end up contaminating the evidence with. Because then how do you differentiate between my work that I'm doing and the attackers'? So you're in that situation.

Joseph Carson:
And then absolutely you're right about the end you're getting into. We need to take images of all of these systems now, the impacted systems, where are you going to store the data, and they don't have that size of space. And for me, when I get into the incident response, it ends up coming out of my disks that I've got in my archive that are clean and ready and you end up exchanging that way. But it really shows that organizations think they have it when they go through this checkbox approach, but when they actually don't practice it, they don't have the reality into what it really means to actually respond to an incident.

Paula Januszkiewicz:
Whether it's good to do something or not. And yeah, exactly, what steps should I take?

Joseph Carson:
How do you find patient zero? How do you do the attack path? How did they get in? How do you make sure you've closed the door? And you get into the questions well about backups, the backup scenario, every single time it's been an online backup where the same credentials for Active Directory are the same credentials for the backup system. So the attackers have simply encrypted the backup. I've seen cases where the backup has actually backed up the ransomware so that when they restored, they actually restored the ransomware. And it triggered again at a later stage, because basically it was actually already backed up in the system. So yeah, absolutely better incident response planning and preparation and readiness is something I would like to see organizations really prioritize going forward.

Paula Januszkiewicz:
See, what comes to my mind, maybe a bit of an offline comment here, is when I was doing the pen test once in an organization and when I managed to get in, I've seen the administrator literally crying, because he was so sad about the fact that I managed to get in and that's his infrastructure that he really cared about. And that was a very inconvenient situation for him, for sure. So I wonder what emotions they get when the incident happens and they're not prepared.

Joseph Carson:
Yeah. I think from an emotional perspective, that's when a lot of people burn out actually, is when you're dealing with those types of incidents. And it's more of a blame rather than people realizing that when you're responding to an incident, you're... One thing I've got in my bag is chocolate bars and earmuffs and something warm and a pillow sometimes, because you never know where you're going to be sleeping. And you end up getting into that these people are working under severe stress, typically no sleep or around the clock, because you have to respond and anything that you leave uncovered is another potential risk that you could be dealing with again very quickly after that.

Joseph Carson:
So it is a very stressful scenario and it does take good leadership and good incident response project managers to make sure that the team has everything they need to be able to do what they need to get done, because I've seen a lot of people leave their jobs after incidents.

Paula Januszkiewicz:
Or if they're fired.

Joseph Carson:
Or they're fired ultimately, but more leaving on their own will because they just didn't want to deal with the stress again. The burnout was too much for them.

Paula Januszkiewicz:
Yeah. Good point.

Joseph Carson:
So to that point, I think that was important. I think one of the things I'd like to then get at is what's a good measurement? How do you know you're good at cyber security? What are the indicators that you're doing the right thing? I think that's one of the important topics.

Paula Januszkiewicz:
Yeah, that's a very cool topic, because we all see that in cyber security. Even though there are some recommendations, there are some probes for standards and so on, there's nobody that's going to say, "Hey, you're good because you got this, this and that." Usually we say, you're good because you've got lots of experience. So how to be good without having that experience yet and how to get this experience. These are the most important questions we are hearing in the education part of cyber security. And one of the features, let me put it this way, that I really like to see in people that are starting and in general in everybody, but especially the ones that are starting, when they're not having even any knowledge around cyber security, it's huge curiosity to the bones and also the willingness to share with the team.

Paula Januszkiewicz:
So it's really hard to be there in the cyber security field by yourself, because you may lose the picture of certain solutions, the scene, whatever that will be. And you might think something and then it's going to come out well within your measurements, but then in the whole infrastructure, your little research might mean something completely else. So we always have to verify our knowledge, whether the thinking patterns that we got are good, whether the other people are agreeing with us.

Paula Januszkiewicz:
That's why I really always appreciate the power of the team. And especially cybersecurity, it's a busy job as well. You travel somewhere, for example, even to the customer site, the zero day happens, you really want to know what's going on, but you have no time to check. Who's going to do that? The team's going to do it. They're going to help you or you're going to do this for them. So what it means to be good is definitely to be curious, to be willing to research more, to be not afraid to say I don't know, because in cyber security, lots of things are unknown and we are used to not knowing things. And also finding yourself in some community and definitely saying maybe brutally use of it, but at the same time giving. So that's basically what it means to be good. And time is going to bring the rest.

Joseph Carson:
Absolutely. Now, you remind me of a few important points. Absolutely. For me, it's the networking community around which is so critical. I know that I haven't got the knowledge for everything, but when something bad happens, I know who to go to that will help me get that answer. And it's the people I know that are more valuable than me doing a Google search, because, of course, we still revert to Google searches on occasion. But if I know someone who has in depth knowledge, that's the person I go to.

Joseph Carson:
And for me, that's what the likes of RSA and Black Hat have become. They are not just conferences, they're community events for us all to get together and share our knowledge. And you are so right, one of the things I always remember, one of my problems many years, more than 20 years ago, was I was a perfectionist and I wouldn't share anything until I knew it was 100% correct. So when I was working on a script or some project or some system or automation, I would basically be perfecting it so that there would be no errors or that it would work perfectly in every scenario. And my manager back then at the time was Brian Honan. And he said to me that, with criticism, it's one of my good things, but it's also one of my bad things, that perfectionism. And when I realized that, yes, the important thing was sharing early and getting more feedback early will help me make sure that I'm sharing the knowledge, that other people are getting value from it, that I can get feedback into making it even better as I go along.

Joseph Carson:
So communicating, being part of a team, that's what's really critical. And that's what definitely helps organizations become much more resilient, because we have access to that community. The attackers are doing the same thing. They're doing the same process. They're sharing and they're communicating and they're collaborating on different forums, but we also need to make that our strength as well. So you're absolutely right. Being part of a team and being in the organization is not just about being a team in the organization, but being a team in the community will definitely make a big difference.

Joseph Carson:
Paula, it's been fantastic having you on the podcast and it's been great catching up. It's been too long.

Paula Januszkiewicz:
Thank you so much.

Joseph Carson:
And the pandemic itself has kept us far apart for a long time, but hopefully events like these will enable us to communicate and chat. And as things start to go back to normality again, I'll look forward to catching up in the future. Any final words that you have for the audience that would make a difference?

Paula Januszkiewicz:
Yeah. I think that what I would have for the audience is to rethink the goal of the pen tests, because pen tests have been there for so many years. And, of course, it's our method of verifying whether a hacker gets access to our infrastructure from many different angles. But, well, I was thinking, and that is also the feeling that we are getting from our customers, is that pen tests should maybe sometimes be looking towards a direction of reviewing or focusing on the identity. Identity has become more important than ever, which means that, in general, if the identity is stolen, as we discussed, we've got a problem. But identity is also a part of the attack.

Paula Januszkiewicz:
So what we have to rethink is where do we use what kind of identity? Where do we obviously use privileged access? That's a must have to review. But also, if the hacker manages to get into some user account, what does the whole environment look like? So if this password leaks, if the VPN access leaks, what are these identities? What applications are we using? So that's a different angle for the pen test.

Paula Januszkiewicz:
And pen tests in general should be reviewed also from the perspective of usefulness, because it's great to have one or two weeks or three weeks to have a look at the potential points of entry within that period of time. But maybe the pen test could transform into a continuous service, where we are verifying all the time what things potentially are changing, of course, in the infrastructure, but also what are the other points of entry? Because usually, and I bet you would agree with me, pen test projects, they obviously last a certain time and then we write a report. And then maybe there is a retest and maybe another one. Who knows? And maybe in one year another pen test. Okay. But this is still a three week period, for example. Do hackers have more time? Sure.

Joseph Carson:
Unlimited time.

Paula Januszkiewicz:
Unlimited time. That's the problem. So maybe we should think about rethinking the idea of that service and implementing it in a little bit different way. And maybe for customers, it's going to be cheaper to do it this way. And for us, it's going to be also more convenient, because we will be able to use all our skills on that infrastructure, not just limit ourselves to the most important one within the period of time that we got. Just a thought.

Joseph Carson:
Absolutely, very wise words. For me, I think, the term purple teaming is really evolving into, really, it's about collaborating with the defenders and the attackers, the red and blue team together. And that's where you get that collaboration, education, knowledge. And it's also about measuring. It's about, is it creating the noise so that you can get that visibility? And is it about creating the defense? Is it measuring your security tools and solutions you've got in place? It has to become much more than what it has been, which is that yearly check box where you've done it to meet some auditing compliance. It needs to evolve into something that's a bit more active and continuously active within the business itself. So absolutely wise words.

Joseph Carson:
So, Paula, it's been fantastic having you on the podcast. It's been great catching up. And I'm looking forward to some of your talks in the future. I think the next time people get to see you will be at RSA. I think it will be in June.

Paula Januszkiewicz:
Yes, exactly. We're going to be there. Yeah.

Joseph Carson:
Fantastic. So for anyone, definitely go and look and connect with Paula. She's amazing. She creates amazing work and it's been a pleasure. So for the audience, this is 401 Access Denied, your biweekly podcast. Joe Carson, here signing out and looking forward to seeing you and hearing from you on future podcasts. So thank you so much, and take care.