Preparing For Potential Cloud Data Breaches With Nat Shere

Host: Hi everyone. Thanks for tuning into our Scale to Zero show. I am Purusottam, Co-founder and CTO of Cloudanix. Scale to Zero is a forum where we collect questions from curious security professionals and invite security experts to learn about their journey and also to get these questions answered. Our goal is to build a community where we learn about security together, and we leave no security questions unanswered.

So with that, let’s get started with today’s episode. So for today, we have Nat Shere.

Nat is currently working as a Technical Services Director at Craft Compliance, where he helps customers set up security programs and performs pen tests and vulnerability scanning. Prior to that, he was a product security engineer at Zotec Partners.

Nat, welcome to the show. It’s my pleasure to have you here today.

Nat: Thank you. It’s my honor to be here.

Host: Lovely. So I want to start with your experience a little bit, right? One of the things that’s intriguing about your experience is you have a passion for ethical hacking, and we have seen that in your blogs. Right. So you’re sort of working on both sides: on the attack side sometimes, and you’re helping customers on the other side as well. It’s like playing good cop, bad cop and switching roles for different cases.

So, how do you see the world as a hacker and also as someone who is preventing hacking from outside?

Nat: Right, right. Yeah. Good question. It definitely gives me a bit of a unique experience. I know I don’t do a lot of physical penetration testing. Personally, I focus mostly on technical web application and network sorts of tests. But even when I just walk into a building these days, I tend to look for cameras and look for entrances and exits. And sometimes I feel a little bit like Jason Bourne looking around, trying to think about how I would actually try to get in here if I could. I know anytime I pull up a website, I’m immediately looking for signs and signals – that could be... no, I’m not working right now, turn it off, turn it off. But yeah.

So right now I focus more on the offensive side as a consultant. But in my previous role, I did very much divide my time both with the developers working to remediate issues and with the security team just hacking away at our websites and trying to find vulnerabilities. As they say, “the good defense is the best offense”.

Something like that. I’ve completely mangled it. You know what I’m trying to say.

It’s that unique perspective of trying to find those vulnerabilities that is unique and I think is very important in the development process.

I’ve worked with a number of developers who, with modern applications these days, so much of the time have all these back-end requests that you don’t actually see in the browser. It’s all happening kind of behind the scenes, in JavaScript code and all those sorts of things, and very often the developers are shocked when I pull up those requests and show them vulnerabilities, because they say, well, how did you even find those? I say that’s the attacking perspective that I’m bringing here. This isn’t hidden; it’s just not visible. Right. My go-to line is –

there are two types of people who bring up developer tools in your browser. It’s developers and hackers. So I’m the hacker and the developer bringing those together there.

Host: Right. And on those same lines, once you know that there are these vulnerabilities, how are you thinking about preventing those hacks nowadays?

Nat: So, of course you try to talk to the developers about how to remediate those issues, but then it’s always taking it one step further to say, how else could I exploit it? So you want to make sure that you’re not only just putting a band-aid over the issue but also truly fixing the underlying issues. We talked sometimes about symptoms and causes. Right. Talking about those JavaScript API requests, sometimes you fix that one, but really that’s just a symptom of the issue; the underlying cause is that the developers weren’t aware that was even an attack surface. Right, so, yes, you have both just the technical side of fixing the issue, but I also think the more general education side of trying to make developers more security conscious.

Host: Yeah, I want to continue a little bit on the education side, right? That even though when you bring these to the developers, they address it and stuff like that.

But for a first-time security leader, how should they prepare or plan or budget around these things?

And also get executive buy-in so that any future attacks can be prevented, like data breaches or ransomware attacks, right?

Nat: Right. When you’re dealing with executives specifically, you really need to talk their language. It’s something that, having worked both with developers and with security professionals, I have to think about a lot. I have to change how I’m talking depending on who I’m talking to. And with executives it’s the same thing. Anytime I get a chance to actually sit down with CEOs or CISOs and those sorts of people, they think more in terms of business risk and business financials: how much is it going to cost me? And security, for the most part, is just a cost. That’s how they see it. Right? It’s just, you want more money for more tools, you want more money for more employees, okay, fine, whatever. And even when you come in and you say, well, but we have these compliance requirements, that’s why I need this, it’s just, fine. So they’re just checking the box. They say, all right, so to have SOC compliance, to have HIPAA compliance, it’s just part of the cost of having that compliance. They don’t fully understand the security impact of it.

So when you’re talking to them, there are kind of two sides to it. One is the risk side. Right. We’ll come back to the financials in a moment. One is just the risk side, where I talk to them and say, okay, you sometimes try to say it’s not if we get hacked, it’s when we get hacked. But even then, that’s when the executives just say, well, we’ll get cyber insurance and that’ll cover it, we don’t need anything else. And that is an important part of a security program. I do generally recommend getting cyber insurance, particularly for data breaches and ransomware and those sorts of things.

But with cyber insurance these days, the premiums are skyrocketing, and so are the requirements that you actually have to show in terms of security controls, because they also don’t want to actually pay out, so they want to see you’re actually doing some things here. So even if you’re getting cyber insurance, you still need some level of security. And so there’s that on the risk side of things. But even from the financial side, we’re seeing more and more studies these days where users and customers actually care about the security and privacy of the applications they’re using. And so security can actually be just as marketable as any other feature. It’s the same way that you would say we have the most efficient, we have the most streamlined; to be able to say we have the most secure is going to give you a chunk of the market, and that’s actual dollars that your security features are bringing in.

Host: Sort of additional revenue to your business, right?

Nat: Right.

Host: Helps with the sales and stuff like that. Yeah, that makes a lot of sense.

Now, let’s say I have all the cyber insurance, the security, everything in place, right, but even with all of that, with all the preparation, budget and everything, we still see a lot of ransomware attacks and data breaches. Right, so in that case, what should the response plan look like from a communication perspective, internal and external, and from a trust-building perspective, right, since trust is always damaged because of the attacks or the data breaches?

How do you rebuild trust and any potential loss of customers?

How do you manage all of this communication, like repairing the damage to trust, then building that trust again, and avoiding any attacks in the future? How do you address those?

Nat: Yeah, well, first, to address it, you plan for it, right, even if it’s never happened to you. You come up with an incident response plan and then you practice it at least once a year, if not two or three times a year. Whether it’s just running through it to make sure that contacts are still up to date, that the software and emergency numbers are still up to date, or even running an actual simulation or a tabletop exercise where you get all the stakeholders into the same room, and you say, all right, we’re going to pretend here that we just got hit with ransomware. What do we do? Step through it and run through it.

I’ve led some of those types of tabletops a few times, and they’re sometimes very illuminating as you get to a certain point and everyone just kind of looks around the table and says, oh, I don’t know what we do at this point. Who’s taking control now? So you make a plan, and in that plan, you’re kind of coming at it from two angles, both the technical side and then more general communication side. So the technical side, of course, you want to stop whatever is happening, stop the attack in progress if it’s still going on, stop the problem, stop the bleeding. Then of course, you want to figure out how they were attacked, how you were attacked, excuse me and remediate it, patch any vulnerabilities, and remove the risk of getting attacked again. It’s amazing. I don’t know the exact statistic, but I think they’ve said like half to two-thirds of companies that get ransomware end up getting ransomware again because they just don’t go in and patch the issues. It’s mind-blowing.

That’s definitely part of that plan: you want to fix the issues that led to getting hacked in the first place, and some of that’s going to come in with security professionals who are trained at that, if you don’t have those kinds of people on your team specifically. Then from the communication side, of course, yes, you were talking about building trust and maintaining trust. That is very, very key, because I think there’s a mind-blowing study from McKinsey in 2020 – that showed more people, more customers, actually would trust a company that was hacked but handled it well than a company that wasn’t hacked to begin with.

Oh, I couldn’t believe it. I quote this study almost every month in various capacities. But yes, being hacked but handling it well was deemed to be more trustworthy than not being hacked to begin with. One of the cool things about 2022 at this point is now we’ve got 10-15 years of data breach analysis and statistics that we can look over, and it’s easy to see these sorts of things, right.

So Home Depot, huge hack years back, right? If you look at their stock price going through that period, barely a dip. Barely a dip. Nothing happened. Yeah, they had a lot of penalties and everything. They had to pay out a lot of money; it did not affect their stock price. Now, does anybody even care at this point? Right? And part of that came from their response, right.

The CEO got on the media immediately and apologized. They said, hey, we are so sorry. We have to improve, and we’re going to get better. And they were clear. There are two things, right? You have to be transparent about what’s going on and about what you know, and you have to be clear with your customers. Right. Very important.

On the other hand, you have Equifax, who everyone looks back at and still says, that was one of the worst bungled responses I’ve ever seen. Every step of the response made things worse than they originally were. Right. Because they set up new sites that made everything look like phishing. They weren’t clear. Nobody understood what was going on. People were selling. It was just absolutely... they weren’t transparent. Nobody understood what was going on. And then every step of the way they were making things worse. They completely lost trust in everything. And you can see it in the stock prices. Boom. Nose dives down, and the stock prices have risen back up. But again, everyone still looks back, and nobody trusts Equifax. At this point, it’s basically got a black mark for itself in the security realm; in the security industry, it’s just... Home Depot, on the other hand, people still remember it was hacked, but otherwise they kind of moved on. Nobody minds it as much.

Host: Yeah, I think two things that you mentioned were very key. Right.

One thing I was very surprised, the McKinsey study that you mentioned, even I didn’t expect that. When you get hacked and you address it with full transparency and you own it, you have a much better chance of recovering your business versus not getting hacked at all. I never expected that would be the case. The second thing is more around the example that you gave, right? Home Depot versus Equifax. It boils down to owning the mistake and being transparent and saying that, hey, I’m sorry, and we are sorry, and we’ll address it. Right. Versus playing around it and not addressing it head on.

Yeah, those are lovely insights.

Nat: I think one phrase you want to absolutely stay away from, making sure all of your marketing, lawyers, everybody never use it, is “We take your security seriously” after a data breach. Just strike it.

Big red letters on all of your documents. Never use this phrase anywhere. Right.

Host: Because it’s contradictory.

Nat: Right, exactly. And it’s the go-to phrase. You can look at data breach responses all over the web. And that’s the number one phrase that just kind of pops out, and you go, well, no, you clearly don’t. You got off. That’s what happens. Right?

Host: Yeah, that makes sense. On that front, you mentioned planning, right. And when you plan, you work with many teams, and there are many areas of security as well, right. App security, infra security, network security, compliance, et cetera. There are many. And for each of them, nobody does it manually. Right. Everybody uses some vendors, some tools. Right.

So when it comes to working with multiple tools, multiple vendors, from an organizational security posture, what metrics should be kept in mind or what KPI should be set up at the organization level?

Nat: Yeah, I love this question because, first and foremost, it assumes that you are of course using metrics and KPIs. Right. Which is 100% right. I still do work with too many organizations and companies where it’s just really kind of a Wild West: they get a new tool and they say, all right, now we’re more secure. Okay, how do you know that? Well, we have the tool.

What is the tool doing for you? I don’t know. It’s working, it’s sending us data. I’m getting alerts. Okay, so to get back to your question, there are really two high-level metrics that you want to focus on. Everything else boils up into these two.

Number one, you want to increase the amount of time it takes for a hacker to exploit a vulnerability. And then number two, you want to decrease the amount of time it takes for security to detect an attacker. Every other metric within your organization is going to boil up into one of those two kinds of metric goals, so to speak. Right. So I’ve seen organizations and worked with teams that are tracking the number of vulnerabilities. I think that’s an okay metric to track, but that’s going to boil right up into increasing the amount of time it takes for a hacker to find a vulnerability. Right. Because the fewer vulnerabilities there are, the more time it’s going to take them to find them.

In the same vein, right, the number of alerts, but more importantly the amount of time it takes to respond to an alert, is that second side of security: how fast can security detect an attacker? And as a penetration tester coming into projects and engagements and basically doing the hacking, right, I’m the hacker coming into this scenario, and I sometimes get to the end of the project and I say, all right, I’m all done, I’m going to write the report. And they say, oh, that was nice, we didn’t really see much activity from you. All right, well, let’s back up here, because that’s a problem.

I’m going to give you a report here showing exactly what access I did, what tests I ran, and when, and you should be able to take that and go back to your alerts, your security monitoring systems, and say, yes, we see it. Yes, he was attempting SQL injection here, or he was brute-forcing passwords here. And if you’re not seeing that, that is part of it: we need to look at that metric again and figure out why you’re not seeing it.

Host: Yeah, makes sense. And one of the things that you highlighted, right, is that having a tool, having the alerts, or having some sort of posture report from a tool gives the security professionals a false sense that we are secure. Right. And sometimes some security professionals also take compliance certifications as a measure for that as well. Right. That we are SOC 2 certified or HIPAA certified, so we are good.

So how do you see those, whether they are the same or different, like having the certification versus actual security, and if they are different, then what’s the right time to invest in improving the overall security?

Nat: Yeah. So the right time is now. Whatever you’re doing, right, to improve your security, the time is now. The expression goes that security is not compliance. It’s a little bit unfortunate, and I do want to clarify, right? I work right now with Craft Compliance. We didn’t call it Craft Security. It’s called Craft Compliance. And that’s for a reason, right? Compliance does have its space, it does have its purpose. I always look at compliance as kind of the bare minimum. It gives you a starting point, which is very important, because security professionals are notoriously awful at explaining in very simple terms: here is ABC, what you need to do to be secure. Because of course we come in and say, well, there’s really no actual security. It’s all risk management, and it depends on your environment. So let’s talk about your configurations. And then before you know it, you’re way into the weeds, deep into the weeds. Yeah, exactly. And the non-technical person, the business owner, is sitting there just going, I just want to know the basics of what to do.

So that is where compliance steps in and says, here’s a very simple framework to follow that will get you the bare minimum of what you need to do. But even if you’re not in security, even if you’re non-technical, you say, all right, I’m going to get this bare minimum. But I do want to always be thinking about how I can take it one step further. So for example, many compliance frameworks talk about password complexity. Usually it’s an eight-character minimum.

That was okay in 2000. Now, today, eight characters is actually pretty short, and we generally would recommend 10-12, even 16-character minimums. But that does depend on what you’re doing, right?

So if I’m setting up a brand new website and I want to attract users, telling those users, hey, you need a 16-character password, many are going to look at that and go, this is just not worth it anymore; I don’t even want to sign up. On the other hand, maybe for your internal employees, that’s a different story. And you can say, hey, no, we really want to build a security culture here. We want to push security from the very start. So we’re going to encourage you all to choose 16-character passwords for our internal proprietary services and things like that.

And that’s usually something that employees understand, and they say, okay, yeah, that’s annoying, but I’ll take one password and we’ll move on. That’s protecting the company, protecting resources and all that sort of stuff. So we talked about that kind of risk analysis for executives and stuff beforehand. It all kind of plays into that as well. Your compliance framework, that’s kind of your bare minimum. And then from there you look at, all right, can I do a little bit more in this situation or that situation? What can I do feasibly that makes sense, both for the business as well as for my risk appetite in terms of getting hacked?

Host: Yeah, I like that approach, that you start with compliance as your foundation and then you focus on the KPIs or metrics that you want to achieve. Like, as you mentioned in the earlier question, how early can you respond to an attack, for the security engineer? Or how can you delay the attack as well? Defining some of these metrics and criteria and then working on the overall security program. That sounds like a very good plan for any midsize organization. Right?

Nat: Right. And usually the big organizations, of course, they’ve got teams of people to handle these sorts of things. So for them it’s no sweat whatsoever. It’s always the medium or just smaller organizations that just get overwhelmed by all the possibilities, the frameworks and everything. So, yeah, having that set of minimum requirements to start with and then going from there is so important.

Host: Yeah. Makes a lot of sense. Thank you so much for answering these questions. There are many things that I learned as well as part of the process.

Summary

  1. When it comes to preparation for data breaches or ransomware attacks, focus on both business risk and financial impact. Have an incident response plan and perform frequent simulations with all the stakeholders to check your preparedness.
  2. When working with other teams and executives, use tailored messaging to educate and build consensus on the security needs of the organization.
  3. There are two key metrics every security team should follow: keep MTTD (mean time to detect) and MTTR (mean time to recovery) low.

Rapid Fire

Host: So the first question is, what’s your persona animal?

Nat: I would have to say a basset hound. They have big floppy ears, they’re a little bit awkward, but they’re just super happy to be here. And that’s pretty much me.

Host: Oh, wow, that’s lovely.

What’s the biggest lie you have heard in cyber security?

Nat: Rotate your passwords, right? Change your password every six months or something like that. It got into compliance frameworks 10-15 years ago and has just been ridiculous. It’s just been entrenched somehow. That’s the big thing, I think, that compliance really does not get right. I generally recommend picking a more complex 16-20 character password and then just sticking with it. As long as you don’t have any data breaches or anything like that with the service that you’re using, then there’s no point in changing it.

Only if there’s an actual security issue with your password should you change it. But otherwise, by rotating it, you’re more likely to just pick something that you can remember, where you just add 12345 at the end of whatever. You actually reduce the quality of your passwords with it. So, yeah, don’t rotate your password. Just pick good, strong, unique passwords for all your services and go from there.

Host: I must say that’s a very different perspective from the regular security thinking, right? That you should always rotate. Maybe that’s because we have a compliance-driven mindset now, because we have been hearing about this for a while.

Nat: Compliance was driving it at Zotec Partners. As far as I’m aware, they still rotate passwords, but it was a compliance requirement. And I came in, I said, no, this is actually less secure. But they said our hands are tied. That’s the compliance requirement. So it’s a growing movement now among the security industry to push back on this. But I am seeing it more often.

I’m hoping compliance will catch up soon.

Host: Let’s hope so.

What advice would you give to your 25-year-old self starting in security and why?

Nat: Yeah, I can even remember. So, at 25, I was super focused on certifications, and my advice would be, don’t worry about it. Right. If you just focus on your job, you get so much better training working your job than you do from those trainings and certifications on the outside, and most likely, give it a few years in your job, focusing, just working it, you’ll be able to just basically overnight sign up for a training, take the test, and you’ll ace it without studying, just because you are working your job and you know all the stuff anyway.

Host: So hands-on experience beats sort of security certifications. Right? Anyway. Absolutely right.

Nat: That does change. If you’re looking for a job, then it’s a little bit of a different story. Trying to break in, trying to get that job, they require certifications. That’s a whole other ball of wax. But if you’re on a job, you’re in a job, focus on that, on hands-on training, because that’s so much more valuable.

Host: Yeah, absolutely.

A one-liner quote that keeps you going.

Nat: Whatever my two-year-old has said today, he’s super cute and adorable. Yes.

He just started school this past week, and I get him at the end of the day and say, so what did you do at school? I don’t know. All right, moving on.

Host: That’s a fun way to keep you going. Yeah, so the last one:

How do you stay up to date on current events and any new security threats or anything new going on in the security world?

Nat: Yes. This is so important for security. So I follow a number of newsletters. I actually have a filter rule in my inbox, so for like 30 minutes a day or something, I go, I check those and read through some of those. And then, being on LinkedIn, I follow a lot of awesome security professionals, and they’re sharing content and articles and all that sort of stuff. And then, to make sure that I’m actually reading the content, I also write a blog and a newsletter about security issues, and then I’m posting pretty regularly on LinkedIn about some of the same things. So, yeah, both the reading and then making sure that I read it by teaching it out again.

Host: Yeah. I think there is a saying, right, that teaching is the best way to learn as well, because you have to first learn and then you can teach. Right? Right.

Yeah. So, thank you so much, Nat. It was very insightful to speak with you and learn about different areas of security. Looking forward to learning more from you in future.

Nat: I’m glad. Thank you so much. This is a lot of fun.

Host: Yeah, absolutely. And for our viewers, thanks for watching. Hope you have learned something new as I did in this episode.

If you have any questions around security, share those at www.scaletozero.com. We’ll get those answered by an expert in the security space. See you in the next episode. Thank you.

Thank you, Nat.

Nat: Thank you.
