Ashish Rajan: Hello, and welcome to another episode of cloud security podcast with Virtual Coffee with Ashish. For people who are coming in today, we’re talking about digital risk prediction and digital shadows. It’s always interesting and fascinating to hear what happens online and how do we react to some of those.
Things that happen online to our brand, our organization. Today I have Sam Small and before we go into get into it this is a weekly podcast and today we have our 49th episode. we go live every week over here, YouTube or LinkedIn, I guess, wherever you are on Periscope as well.
Right. Enough about this and let me welcome our guest. Hey, Sam How are you?
Sam Small: I’m great. How are you?
Ashish Rajan: Good. Good, good. thank you so much for taking the time out and I’m super excited to get into this so for people who don’t know you, what was your part into the cybersecurity world?
Sam Small: Sure. Yeah. So, I was a nerd as a young child, which shouldn’t surprise anyone cause I’ve remained a nerd well into [00:01:00] adulthood. and, so I was really interested in computers and video games and all that stuff when I was a kid and I was one of those kids that was the last generation of analog and digital together.
and so I just, I really got into that stuff. My brother used to let me play with his computer after school and, started programming. And, and so I went to college for computer science. And I was really into studying systems and networking. And those types of things were much more interesting to me pragmatically than theory and, algorithms and that kind of stuff.
so I found myself studying those things and it was an interesting time because, security wasn’t really mainstream yet. And at least in academia, there was academic research happening. But when I went to college, there was lots of classes, but there was no. Security class for undergraduates. Cause it was, it was really just before that really took off.
And so when I got to grad school, I went originally to do, research in network systems. but at the time when I joined Johns Hopkins, it was just this like fantastic kind of. a lightning flash in a bottle or whatever you want to call it. just really smart faculty and students. [00:02:00] And I was sitting there in my lab and like, these guys are all really smart and talented and they work on really cool problems and it’s so neat to watch them do things that people say can’t be done.
And. I kind of want to do that. So, I found my way, you know, angling to, to join them and shift from just being systems and network focused to being systems and network security focus. And, and I changed advisors and, and started to work with all my, all my really smart friends. And it was, it was fantastic and fun.
And, haven’t looked back since that’s, that’s all I’ve done ever
Ashish Rajan: since. That is awesome, man. I’m glad cybersecurity could attract to you because we definitely need people who are problem solvers and think very differently
this is a really interesting topic and I almost wonder. where does one start with this? Cause I was trying to Google this and I’m like, Oh my God. And I think people like you and I we have all these well, for lack of a better word. Quote-unquote digital persona of us created on the internet. And so it also has a digital persona for organizations as well. And then it just gets into this really [00:03:00] complicated worled so let’s just simplify it for everyone here.
What is digital shadow and what is the digital risk protection?
Sam Small: so the concept of a digital shadow, I don’t know about that as a term of art, there is a company called digital shadows.
Ashish Rajan: Oh, right. Sorry. It was like more of your digital profile is just another name for it.
So maybe I should just rename that to digital profile. Bye.
Sam Small: Bye. You know, it’s actually funny. Cause digital shadows is a competitor of the company.
It’s all good. so, but, but these names are confusing, right? So like I always tell people like , let’s break it down. Digital risk protection. What does that mean? Okay. Like digital involves computers, risks sounds like security. Related and there’s risks and we want to protect against them.
Okay. So you’ve just described all of computer security. What does, what does that actually mean? But why we call it? there’s the analyst community, right? So there’s like Gartner and Forrester, and that’s what they’ve decided to call this class of threats and risks. And so it can be difficult if you don’t already.
Have a product or know about programmatically, like, these types [00:04:00] of problems and how solve them in an enterprise security setting then? Yeah. when I say digital risk to people, they just think I’m talking about security risks, so what is DRP and what are digital threats and digital risks in that particular nomenclature?
Really what it means is kind of anything. That targets your business, your employees, your customers, your brand, your executives, any of that type of stuff, where the activity is happening, kind of beyond the notional concept of your perimeter. Right? So we know this idea of like an enterprise perimeter is like, it doesn’t really exist, but there still is this concept of, of control and ownership.
And the idea that if something bad happens on a machine, whether it’s a virtual machine or a physical machine, you know, mine, or I provisioned it, I can like reach in and stop something bad or. or I can kind of, isolate it from my network or I can deprovision it or turn it off or wipe it. But if there’s something happening on a digital platform, third-party platform, a SAS application, or I’m not, I don’t have control or visibility or ownership.
I have to ask someone else to remove something [00:05:00] and it’s happening on the dark web, but there’s no, I wouldn’t even to ask. So the idea is, you know, it’s one thing to protect all that kind of stuff inside your perimeter, but like, how do you proactively identify and then how do you. You know, remediate, if you can mitigate, if you can’t do that and assume the risk, if you can’t do either of those, when it’s all happening elsewhere.
Right. And you have to ask someone for help, or you have to go through some other channel or you have to, you know, manually go search for these things. you know, and so that’s the idea is how do you solve these types of problems? And the reason that we’re talking about that now, and that this name.
Isn’t that familiar or resonant with so many people is because it wasn’t a problem that existed like 15 years ago. I wish we had a better name for this category, but, I don’t think anyone should feel like they missed something. Right. This is all relatively new.
Ashish Rajan: it’s really interesting concept where a lot of us who are getting into the organization, or I guess getting into organizations or getting into cybersecurity, a lot of conversations are about, you should make a blog.
You should make a YouTube channel. You could do like [00:06:00] all the conversations that you hear around. How do you stand out so that you get that next cyber security job is all about. Building a digital profile, building a digital profile just outside of your LinkedIn account, outside of your resumes or what makes you stand out and to your point, it’s fairly, that’s also, I mean, not everyone has a blog, not everyone has a Twitter account where they’re ranting about how Saturday is the new feature or whatever.
But I feel like. It definitely is a coversation that we should be having. And this is probably the right time to have this conversation also because, I think we were talking about this, sometimes confusing to find out who do I reach out to? I mean, I can go, Hey Sam, like, I think someone’s made, you made a duplicate account for myself or a fake account. how do I react to this? Who do I reach out to? But not everyone does so. I’m definitely keen to kind of go a layer, deeper into some of these like, how do I identify this could be a digital risk.
what are the broad categories, if any, for this?
Sam Small: Yeah, sure. So I think that the biggest [00:07:00] standout one and probably the easiest one is impersonation. Right. So it’s difficult for someone to impersonate you on your corporate system, right? Because usually you have to get like hired and then there’s an onboarding process.
And you know, it’s going to be really difficult for someone to show up in your. Active directory domain with the same name as you and a similar, email address and all that stuff. But again, like in these digital communities, like you can go on any of these review platforms or any, you know, Facebook or Twitter or Instagram and you just sign up and you say, this is my display name, and this is my avatar or my profile photo.
And you know, this is happening at such a large scale within these communities that people join every day, you know, authentic, real. Users and maybe actors that, I mean, there’s no way that you know, that these organizations that want to grow because the value of a social media company is the size of their community.
Like they’re not going to put any breaks on signing up new users to verify [00:08:00] every single one of them, all those sorts of things. so impersonation is easy right now. , what’s better than impersonation, but more difficult and more expensive in terms of an investment would be an account takeover.
Right? So if I actually was able to get a hold of like your Twitter account, for instance say you didn’t have multi-factor authentication turned on and let’s say your password was like the greatest of all time insecurity is Sam exclamation 0.1. Which just stop using that password really.
Ashish Rajan: But
Sam Small: you know, this is more powerful than impersonation because you have built a community and a sense of trust with your followers. So you have this built in audience in anything you say. Like they already have this thing in their head that like, Oh, it’s Ashish he shared a Bitly link to some cool thing.
I’m going to click it. Right. And that’s dangerous. That’s you just, whether you’re a person or an enterprise or an organization or anything like that. And so, and if you think back to like more classical. Computer security problems or network security [00:09:00] problems. And we think about, you know, in the early two thousands, we saw like a lot of worm activity and worms kept getting more sophisticated.
And one of the ways that worm authors found they could get really explosive growth early on in terms of saturation across the internet was to have a hit-list. They would go out ahead of time and find finding all the servers that are vulnerable to the exploit I’m going to use. To propagate this worm.
And let me start with that hit list, because then I know I can spray, you know, thousand victims immediately before I have to start scanning the IP space to look for potential victims. And so it’s kind of that similar idea of like, if I take over your account and you have a lot of followers, there’s not even a question of, is this the real.
Ashish account because we chatted before on here and I can trust him because every other message I’ve seen him post, like wasn’t scammy or dangerous or anything like that. So that’s another big issue. and that kind of plays into the other issues is like, okay, well then what do you do once you have fooled someone once you’ve [00:10:00] broken that kind of, assumption of trust around identity?
Well, then you have all kinds of stuff, right? Then you have your scams and fraud, like kind of social based fishing. It might be malware delivery. it might be like a dry bite download by sending you to a page and having a vulnerable browser or plugin. It might be by. Asking you to log into a page that looks like some other person’s page.
It might be giving you directions to follow on your computer. Like, Hey, you want to improve? Security on computer, go follow up. You change the settings on your computer. It could be any of those things because once you’ve abused trust people aren’t willing to do whatever they would trust you to tell them to
Ashish Rajan: do.
I find that fascinating because this is just an individual level there’s an organization level as well. I think one of the categories also is that on the fact that ,you have exposed cloud assets being the cloud security podcast.
Cause I wanted to bring that angle as well. as an organization, we used to call it, shadow IT in the on-premise for now. It’s like shadow cloud, for lack of a better word where someone just not for credit card with a big enough, I guess a corporate credit card with a [00:11:00] big enough limit that you could just wipe and go, all right.
My entire it infrastructure is going to be an AWS or Azure or Google. I do not care, but , as a security person, that’s a. this digital risk production, for, for me as a security guy, a identifying that I already have that exposed somewhere. That’s a challenge because there is no way, unless you’re using the existing network now because of COVID, everyone’s working from home.
So, Hey, I don’t even know if they’re actually there. So do you find that, as an organization level, is that similar, like the whole impersonation thing, or like I’m representing Cloud Security Podcast, but then there’s another Ahish somewhere in another country who’s just like promoting it to a completely different audience and probably uses the same episodes.
Sam Small: Yeah, of course it is. I still consider that shadow IT or shadow SAAS, and I think there’s other problems there too, right? I mean, Most organizations have traditionally gone, like all in, on one cloud provider. But even now, you know, the people more , at the cutting edge of this stuff are like, you shouldn’t rely on just one [00:12:00] cloud provider.
So you should have like a multi-cloud provider. So, you know, strategy and all those sorts of things. And those are great points. But now, and the problem is most organizations, especially as they get larger, they there’s a lot of redundant services as well. So like a lot of organizations like they’ll use.
Dropbox for some things or Google drive for some things, but then they use box.com for other things. And, and so there’s like all these different places where you could have shared files and you could have different permissions on all of them and different RBAC on all of them. And the problem is they don’t all offer the same controls, nor do they offer, similar like language or configuration language, even around those things.
And so it’s easy to get something wrong on one system that you got right on another system. And because these are all SAS applications, you know, they’re, you don’t typically have any. Control or visibility over to when they upgrade the system. Right? So if they change the way they do our back or they change the, you know, they add some more granular permissions in one of their like silent SAAS updates, you might not even be [00:13:00] aware of that.
And it might expose you in a way that you hadn’t thought of, or it might come with a fail open or fail closed sort of control. So you just don’t know. And then that makes it really difficult. And I think, I think that goes to, you know, all the work that we have to do here. Right. So
Ashish Rajan: the more people hear about the problem space. The more like, Oh my God, like. At any given point in time, I have no idea what’s out there. Like none of us are scrolling the internet to find, Hey, who’s representing my name and most fortunately, because of the internet, we’ve kind of identified all of us have very common names, right?
Is this the same as a threat intelligence? Like, because it sounds a lot more like I’m looking out for threats and looking out for digital shadows. Is this similar?
Sam Small: So like in a lot of my slides, when I talk about these issues, I have a VENN diagram. And in this VENN diagram, there’s, there’s digital risk protection.
And then there’s the overlap with cyber threat intelligence. And in particular, what we’re really talking about is an external cyber threat intelligence. If there is a distinction to be made there you can’t do DRP digital [00:14:00] risk protection without cyber threat intelligence.
And so then what’s the difference? you asked 10 people what threat intelligence is. You’ll get 10 different answers, but we won’t go into that. But, you know, when I think about threat intelligence, I really think about like threat data. And then it’s like, what do you do with that data?
You, you typically would like use that data to like enrich or contextualize or prioritize. Things that are specific lead germane to your concerns or risks or business and those sorts of things. so then what’s digital risk protection, digital risk protection is like more of a programmatic feature of a security, group or a program.
Right. For lack of better word, to repeat myself. But in that is really about what is our plan? Like what’s the process. what’s the technology and who are the people that are going to be responsible for taking these signals, applying them through the lens of our risks, and then deciding what is to be done about them, whether that is responding or whether that’s going back to our configurations and maybe, improving some of our controls or whether it’s developing better [00:15:00] relationships with some of these providers that, have digital.
collaboration systems that we are constantly being attacked on or, or our customers are being, targeted and, and our brand is being abused to target them, et cetera. cyber threat intelligence is a part of DRP and DRP is really more in the same way, you have an application security program in a typical enterprise security team, and you’re logging and auditing.
and compliance things like DRP is a programmatic feature. And so you can talk about. The maturity of digital risk protection in terms of where you are today, where do you want to be tomorrow? How the landscape’s changing, but cyber threat intelligence will always be a part of that
Ashish Rajan: Its almost like a subset.
would that be a fair statement then?
Sam Small: I feel like it’s a super set. it all kind of depends on what you want to do. It turns out you can use stock with intelligence to create academic research. You can use it to, evaluate the.
Ashish Rajan: the next to get to zero day or whatever?
Sam Small: yeah, even evaluate like how good our CVSs scores in, [00:16:00] you know, in truth, when we look back and you can use some data for that, but digital risk protection is using cyber threat intelligence to understand, what your attack surface is, what the activity is across that attack surface externally, and then, having.
The, the responsibilities and playbooks around dealing with those issues and the incident response, when those things are actually a problem,
Ashish Rajan: it’s an interesting segway into my next question. I guess anyone, executive level who’s listening to this sort of managerial level, listening to this from a security standpoint.
They’re like, it’s not, it doesn’t sound, I don’t think we have any social profile. I don’t know, worry about this to put a risk lens onto this. what kind of risks are we talking for an organization? that digital risk protection is protecting them against.
Sam Small: Yeah, well, so there’s like a really classic one that people maybe wouldn’t even consider as digital risk protection.
And I think that’s one of the things here that’s, that’s tough is like all these kinds of risks and, and maybe like by themselves, they all seem unrelated. So like, DRP is an [00:17:00] attempt to add some sort of system or taxonomy or clustering to these things because they have some similarities, but they aren’t always obvious.
So to your question, if you think about fishing, like classic email fishing, No, that’s usually done through an impersonating domain. It’s not in a person eating a cow on a social media platform, but someone went to a domain registrar and they registered. You know the name of your show, you know, plus something else email@example.com, even though you’re clearly, you know, in Australia.
So, and so identifying those signals, like even just watching domain registrations and comparing that to, your personal brand and in terms that would associate that domain with you through just, you know, someone who’s reading that domain name or receives an email from that domain name, likewise to your business, Even taking those singles as cyber threat intelligence data, and then applying it into your DRP program that’s useful.
but then again, How do I prioritize? Like, let’s say you have a really common name, as you mentioned earlier. And like, these [00:18:00] things are popping up all the time. So like part of DRP is also like not only taking in that data, but then like applying some kind of logic or rules or natural language processing or something to help kind of weed out the signal from the noise.
And then on top of that, there’s other things that like your digital risk protection program should have as a mature capability, which would be like, okay, I’m going to watch this domain name and these other thousand domain names. I’m not going to do anything about it until there’s an MX record that pops up behind that domain, or there’s a name record, and now there’s a website.
And then, so I’ll escalate that to a higher priority, but then even there, if it’s an AME record and a website goes live again, it might just be a similarity. So now I’m going to watch the page and see, do they ever use any copy from my webpage right in my stuff? Or do they ever use a photo that looks like me or do they ever use.
an image that looks like my brand image. And so, and in that I escalate even higher and now I, you know, that’s, that’s what gets severity. And you’re like, this is critical. Someone has a website up and pretending to be us. They got a login page. They’re using all of our [00:19:00] stuff. Like this is like, we can’t ignore this any longer or, and, or, you know, this, this goes to the top of the triage list and then there’s all the things to do about it.
Ashish Rajan: Yeah, I think so. To your point, it’s almost like a brand reputational risk because at that point you’re like, are you okay for someone else to be www.apple.com? And just talking, starting to sell Apple airpods. it’s all just about putting a fake website out there and would Apple be okay with it?
Sam Small: And let me tell you why they wouldn’t be okay with it. So, let’s say I bought like, you know, Apple AirPods, cheap.us or whatever. Okay. Like I’m sure that happens all the time. But if on that page, There’s a sign in with your Apple ID right here.
And people enter in their Apple ID, credentials. Apple certainly cares about that, right? Because now they’re going to have to deal with, you know, charge backs or, you know, even just the volume on their customer support line. If that page gets. You know, popular and people are like, I’m locked out of my account and I never got the AirPods and all that stuff.
So it really does become a cost [00:20:00] to organizations. And, , if you think about kind of like, fraudulent transactions and bank fraud and those sorts of things, it has some similarities and that like, Look, we’re never going to eliminate this risk, but like, can we do reasonable things to keep this risk bounded under a certain level where then we can reason around costs and or insurance and or other things so that this is a planned expense and our CFO will be happy.
That, we’re not going to end up, you know, having a surge in customer support costs at the end of the year or something like that.
Ashish Rajan: Right. So it’s sort of state of emergency every time you find out there’s a fake Apple website and CFO’s like, why would you not plan for this? There’s no budget for it.
I’ve got a good question from Vineet as well, its a good Segway, do they have any digital brand protection at the moment apart from going to take legal action? Is it something that can be done?
Sam Small: of course this is the whole product category. So, and then, so like the company I worked for, ZeroFOX like, this is something that we sell to commercial businesses and enterprise businesses.
And people that have a [00:21:00] higher social profile and there’s other vendors in this space as well. And , if you wanna learn more about this in a vendor agnostic or neutral way, you can go onto your favorite search engine and look up, for instance, like Forrester or Gartners
publications on digital risk protection, just put digital protection and quotes and file type PDF, or, you know, whatever you want to do. You’ll find some stuff to read. Also. I’m happy, you know, if people wanna connect with me on LinkedIn, I’m happy to give them some resources that again are agnostic to any particular provider.
there is this whole market here, but again, it didn’t exist 10 years ago
Ashish Rajan: just to take a leaf from his question as well. That legal question part is also not straightforward as well. Right. He can’t really just, I’m going to the help desk of Twitter or Facebook or Instagram or any of these social media or even LinkedIn for that matter.
And I’m going to just Sue you guys. Yeah, good luck.
Sam Small: I was talking. To the CISO of one of the hottest newer finserv companies. okay.
[00:22:00] Recently about this issue. And he was like, well, I, you know, my legal team takes care of all that stuff. I’m like, Oh, you should revisit this. Right. So, you know, honestly, this is a challenge. And the reason I talk about digital risk protection rather than threat intelligence is these issues require.
Collaboration with your security team, your marketing team or communications team and your legal team. And if you put it in only one of those three or two of those three, you’re not going to be doing this efficiently and you’re not going to be doing it effectively. And that’s because asking your legal team to be experts in.
Fast identification of threat intelligence signals that are abusing. Like they don’t have those skills and they’re very expensive, but likewise, I wouldn’t ask my security team. Who’s really great at like using tools or writing scripts to do all that proactively. They’re not great at writing a cease and desist letter.
At the same time. I see cease and desist letter is not the fastest, this way to get something removed, especially when it’s clearly violated some terms of service or some law. it looks a little complicated, but there are certain things that like your security team can handle on their own.
if there’s [00:23:00] someone pretending to be you on a social media platform and they have a link that, you know, is that is a phishing site or malware. You can go directly to that platform and ask them to take it down and you don’t need to be a lawyer. or any of that kind of stuff, but now sometimes there are other issues with other providers in other countries and you try all those things that you can automate or do with your L1 and L2 analysts and you hit a wall and you’re like, okay, now someone needs to send like a cease and desist letter.
Okay. Now that goes to legal or now, or maybe, you know, you write a report to show legal, Hey, Our brand abuse. Risks are really growing quarter after quarter. We need to invest more in this or, or what have you. And likewise, when marketing registers 10 new domains for a product, that’s just about to launch our service, that they just are about to launch.
Like they need to tell the security team ahead of time. So they don’t identify those domain registrations and say, Oh, shoot, like someone’s about to in person is let’s go take all those down. And all of a sudden your CMO is at your door. Like. You just like we’re a week behind on our launch now, because you’ve just, you just had all of our domains taken down.
I’m like, well, you didn’t tell unless you were [00:24:00] registering them. So we thought they were impersonations. So that coordination is super important. And you can’t just think about this as threat intelligence, because that’s just too small of a scope to look at this. , as a real, like process issue.
Ashish Rajan: And to bring it home for some of the cloud security kind of conversations as well, I think some of the common use cases, which is kind of a similar, is a lot of organizations. I’m gonna use an AWS example where exactly your point.
You have a domain, but you thought you were keeping it on your dev environment or test enviornment for some time you’ve already deleted it. It still hangs around somewhere. Someone’s just able to go create an AWS account and link that to a route 53 because they, AWS likes AWS. So it’s easy to link up with.
You can search a global directory of AWS suddenly. someone has a, your domain, your website, but it’s actually their website, but yeah the scenarios that can, you can come up with it just like amazing to me. And I find that really interesting. One, another one, which I came across and I love it.
You know how its common [00:25:00] on LinkedIn for people to share resumes, share links to your point about the shortened URL earlier, and like never met these people and they give you links to share or click on this link because, this is the best job you would ever look for. Or this is that interview that I was talking about.
it amazes me till today when people just seem to click on a link that they were never heard from this guy for the first time. I had this job for you. Best job in the world, click on this resume. And you do not want to miss this job.
Sam Small: Sometimes it’s even worse because we’re in the security industry.
And my best friend is a. He’s an amazing hacker. And I won’t even click on his links because I know he’s trying to get control of my machine so I cant even trust my best friend with a link. It’s tough, especially when you’re faced with something you don’t know.
Ashish Rajan: in general, if you’re trying to reach out to people on social media, don’t really try with, I link in your first message.
Definitely not, I just probably put that out there, but I think to your point, we have a whole social engineering field as well [00:26:00] that we’ve created in cybersecurity. Now, is there like an overlap between that and this?
Sam Small: Oh, definitely. in my mind, I always kind of think like what we have today in terms of these digital risks, it’s really like social engineering, went to college and learn some new skills and the internet blew up.
this is the new social engineering. it used to be a lot harder. Like I used to actually have to go to the town. That the company was in that I wanted to social engineer and I had to like buy a fake costume and a fake mustache and like get a water container and like go in and pretend to be there, to deliver the water and then sneak into the network closet.
That’s like, that takes time. It’s expensive. I can only do that so much. Now. All I have to do is like, I don’t even have to come up with a really great phishing email or fake impersonation because, if, I spread that across a large enough audience, even if the yield rate is super low, it doesn’t matter.
Like, you know, five, half percent of 100,000 attempts is still going to be valuable and worth my time. And it doesn’t cost a penny. To create one of these accounts on these networks. Now it costs a [00:27:00] little bit of money to set up, maybe some of the infrastructure for like, if you want to host a phishing kit or registered domain, but that’s still pennies.
Right. And you still have the number of people that are on the internet. Surely like the large numbers, there’s going to be stupid people. There’s going to be unsophisticated people. There’s going to be people who are just distracted. There’s going to be people that, you know, so it runs the gamut. And even the smartest people fall for these things because of pretexting and all that kind of stuff.
This is the new face of social engineering and if you were a criminal, that’s the better face of social engineering. Cause you’re even farther away. You’re like, well, my cell phone, wasn’t in the vicinity of that, you know, I watch a lot of the show forensic files and it’s always like someone, yeah, we’ll go do something terrible to someone.
And it’s like, they have their cell phone in their pocket their whole time. And then they’re like, Oh, I wasn’t there. Your cell phone was. and so again, like, it’s great. Like I can be in some other country that doesn’t have extradition laws and you know, and I can attack anyone in the world or, you know, target anyone in the
Ashish Rajan: world.
That’s a good segway into Chris’s question. Is this activity a [00:28:00] trend on the rise?
Sam Small: Yeah, definitely. Definitely. Especially I think with people that work from home, I think criminals are taking advantage of, this like rapid shift that a lot of ITteams and security teams have had to deal with, which was, you know, traditionally remote work was more of an exception.
and now it’s the rule and the expectation. In 2019 CISOs were applying their budgets to solutions and products that were more assumptive over this work from home exception. And so all this stuff that we had invested in, in to protect the enterprise and secure our enterprise systems and assumptions that we had around the way that we configure it and set those things up has been blown out of the water.
And, you know, for some companies it’s not a big deal because they were already using a ton of SAAS stuff and they had their things. But there’s other types of businesses where they were never going to allow anyone to remote log in to touch that particular data. Like you can maybe think of cases like in healthcare or other types of critical systems, and now they have to deal with that.
And you have people at home on their work machine. [00:29:00] And like they’re probably doing stuff they wouldn’t normally do on the work machine. Cause there’s no one in the cubicle next to them or walking by them. And so they’re visiting these sites and clicking on these links perhaps, or, or even they’re doing it on their home computer, but it’s in the same network.
As their work computer is in. And again, like corporate security team, doesn’t do anything to protect your home network. So it’s complicated and there’s a lot of things that are gonna fall through the cracks and cyber criminals are gonna take advantage of that. And because people are outside and aren’t doing these things and because there is so much uncertainty around these new procedures and protocols, it’s, it’s even easier to get someone to believe that.
You know, like, Hey, I’m your new coworker. We haven’t met yet. I’m joining the team on Monday. Imagine
Ashish Rajan: those ones as well, where you have new staff member who hasn’t had an email, created the reach out from their personal email saying, Hey, just reaching out. Cause I haven’t had my email being issued yet.
Could you help me get access to this machine? Yeah. [00:30:00] Like, Ooh, just after that. cause that is a real scenario these days, you can’t be like,
Sam Small: in research that we’ve conducted that show this growth and show these trends, the FTC just published, sorry. The federal trade commission in the United States just published a report like about a month ago, about the rise in social media scams and the rising costs in them as well. And in addition to that, there’s plenty of data in research. I have an inflection point at COVID-19 where we saw a rise in these scams as well. to back up, the anecdotal stuff we were talking about a moment ago.
Ashish Rajan: that is scary stuff, man.
I’ve got team members have started remotely, a lot of people are talking about social challenges, but somehow security kind of got, Oh, we need to be able to just connect people quickly.
We had this like one or two month window where it was like, almost like a do or die. So yeah, I
Sam Small: totally get that. If you have to choose between business continuity and being secure from all risks, corporate board or CEO is going to choose business continuity and you can’t blame them. Yeah, because you got to keep trying to make [00:31:00] money.
And obviously you want to do that in a secure way possible
Ashish Rajan: yeah. And I think it’s almost like saying, Oh, we need to do the right way. So I need to evaluate this for a month before I can let people have VPN connections or anything else.
It’s just. it blows my mind, but this leads to another question, right? So we’ve kind of talked about social media. I’ve spoke about social engineering. We’ve touched upon the, the rise to due to COVID-19 and you touched on the point that people obviously have, like, I’ve got two laptops over here. here, like, or three machines already.
One of them was comparing
Sam Small: my laptop, my iPad to iPhone.
Ashish Rajan: Sad started to say that like, you know, I imagine it’s the same situation that a lot of home places as well, because before COVID, a lot of us were asked to get a personal laptop. Don’t use your work laptop for your personal things. Now with homeschooling and a lot of people not having individual laptops for the kids, like everyone’s blending into your work laptop.
Right. And now,
[00:32:00] Sam Small: you know, I was just thinking, as you were saying that, you know, there used to be this thing that like bring your kid to work day. And like that’s cool. And people like that, but would anyone be okay with bringing your kid’s device to work day?
Ashish Rajan: that’s right. Because nowadays they have iPads and iPhones, which connect to a wifi and they want to be online.
You only get to be watching YouTube or something else so that they don’t scream the heart out in the, in the office. Not that all kids scream, to add to that now, imagine in a state where I was going back to my example of LinkedIn was used as a medium.
Someone gave me a link I can go to somehow they go to the virtual back to the machine, right? I’m like, Oh shit. I need to inform someone. I call it security. I go, Hey, Sam. I think I might have screwed up over here. I think I have a remote desktop, something now. At that point, although, because LinkedIn is kind of like the medium.
it’s not responsible for it.
Sam Small: I call it the, the tip of the spear, right? like that penetrated the outer layer. And then we went to a more traditional type of attack and now you have [00:33:00] malware or ransomware. And so now you’ve got to deal with
Ashish Rajan: yeah.
That’s right. And as a response, a team people are looking for, how do I get to the point of origin? How do I able to go, go to the next level and find out what are my options there? Cause like, are people like LinkedIn and, well, I don’t want to get banned from LinkedIn, but in case you guys are awesome.
Yeah, that’s right.
Sam Small: My friends that work at LinkedIn are especially awesome. There you go. That’s
Ashish Rajan: fine. If you guys are listening to this conversation, but to your point. if they are a tip of the spear as to, as you mentioned, like, what other options is there then, should we be reaching out to LinkedIn?
Like how do you respond to those kinds of things?
Sam Small: Yeah. That’s a great question. That’s the right question to ask. And it’s the right question to ask before it happens, right? Because like a lot of times what I see happen is, Unfortunately, you know, security is tough because it’s cost center. And like you could spend infinite money on your security team and tools and budgets and people and all that stuff.
And one of the consequences of that is, sometimes until something bad happens in a certain Avenue, like no, one’s going to spend any money on a solution for it yet. [00:34:00] So it’s too often that organizations don’t have any programmatic way to deal with this until something bad happens. there’s something I always often say here is do you want to lead the narrative or you want the narrative to lead you?
do you want to find these things proactively and deal with them proactively? Or do you want to get like an angry phone call from, you know, someone on the executive team or a board member or a reporter saying, what’s your comment on this data breach on the dark web? And you’re like, what can you give me the link?
And then do you don’t want to spend like two hours, like right at the time of the incident, like Twitter, you know, like Twitter security team, email address in your search engine, or like how to escalate my problem to the LinkedIn security team, because I get that’s where you are in the first, you know, two or three hours of your response plan.
Like the blast radius is still growing from the actual problem. this kind of is, a parallel to what we talked about earlier with cloud security controls and everyone does it differently. And that lack of homogeny.
Makes things difficult and inefficient. You have the [00:35:00] same thing with all these digital platforms. Every digital platform has a different mechanism and expectations and protocol or Avenue from which to report things. And they all want you to report different things in different ways, but that’s through a form or an email and you have to provide these artifacts, which may be, you know, screenshots or links, or maybe even, a copy of your.
brand and trademark, authorization. And, and so it’s different on every single one and the expectations around response time and take downtime or having to know exactly what clause of their terms of service to call out. It’s a mess. and so there’s a lot that needs to be improved here. And that is why digital risk protection as a vendor solution or a partner solution.
That’s why that’s attractive to so many businesses because they’re like, this is really messy. I don’t want my. Team to have to become experts in these skills. In addition to all the other SOC management skills they already have. So can we outsource this to some other group who focuses exclusively on these problems?
[00:36:00] That’s why. I’m able to pull a paycheck every two weeks and that’s why the company I’m with used to grow and the other vendors in the space continue to grow because it is really messy. And, you don’t want to be the best in the world at securing your business and also have to be the best in the world at doing your own DIY digital risk protection program with, your own tools and people and processes from treasury because it’s unforgiving and the volume could change.
At any moment, you know, you could have this perfect staffing for the attack volume you have today, but tomorrow you might go viral. Your business might become really popular or attackers might become really interested in your business overnight. And , that’s why we exist. Sure
Ashish Rajan: I when people talk about cybersecurity awareness training, right?
And you can put all the things in the world, don’t click on a link on your email, but I wonder how many people actually cover don’t click on a link on a, on a LinkedIn profile or Facebook profile.
Sam Small: it’s a lot less prevalent. And I’ve seen some data in the past that like, We’ve actually done a pretty good job of training people, not to click email links on emails from [00:37:00] people they don’t know or haven’t met.
And so I think the last numbers I saw, which might be all, it was like, there was like a 10% chance that like an employee would click a link first when they didn’t know. But the percentage of people who would accept a LinkedIn, a request from someone they didn’t know, I hadn’t met was like 40%. And again, we think about those trust things again, if like, well, there’s a picture and there’s a name.
And like, there’s a history of communication that like makes this person really seem authentic and legitimate. But like
Ashish Rajan: this person seems to work in Apple for sure. He’s an Apple employee. It’s like how I find, our professional worlds are moving to a place where earlier, when Facebook was still getting popular, people would be like, Oh, well, it’s not official until it’s on Facebook.
Right. They used to be that people would use that phrase quite often. I feel like it’s a, it’s a similar thing with LinkedIn as well, these days, or any of the professional media platforms on Twitter as well. Cause you can be verified or not verified or whatever. But it’s becoming true over there as well.
Like people kind of feel like, Oh, if it’s from LinkedIn, I don’t believe it. Cause I could [00:38:00] just saying, I’m just like this amazing billionaire doing this from my cockpit or whatever, but I just, it just happens to be a green screen in the back. It’s actually a cockpit or take off, but it’s actually becoming quite common
Sam Small: right.
Cause I could like stock some Instagram pages of LinkedIn employees or employees of any company. And I could probably find a picture where one of them’s wearing their work badge and then I can just like Photoshop my own. And then I could wear that. And one of my pictures, I give you, there’s all these like little, like tiny little kind of ways you can use to
Ashish Rajan: Photoshop has made a lot of things possible Photoshop is justamazing.
But that begs another question though. So it’s great that we’ve kind of. Identified the problem space we’ve spoken about it. We’ve spoken about, I guess, how we can probably proactively deal with it as well, to some extent maybe cyber security awareness or whatever, but you can use some vendors to do tracking, but is there like a maturity level to this as well?
Like how do you go from like, in your mind, some of the people that you may have helped or the conversations you’ve had, [00:39:00] what’s a good maturity versus like, Oh, you guys should up your game.
Sam Small: Yeah, that’s a good question. I think I’d give different answers depending on, like if you’re an individual or your business and then kind of what kind of business and are you a business?
That has a lot of interaction or, or, relies on these other digital platforms to conduct your business. So for instance, , there’s a lot of businesses now today that do initial customer support over, , like they’re watching for people to complain about some, or ask a question, a technical support question or something, Twitter’s become really popular for that, for instance.
So, for any business, that does a lot there, or is maybe an online, only business. It’s going to be like super important and especially financial services industry, because, the direct line between, between some sort of attack and actual cash, that line is, is so short.
Whereas maybe other types of businesses, it requires a few hops. those people clearly need to be. Really assessing your maturity and trying to get there as quickly as [00:40:00] possible. but it all goes back down to risk calculus, right? So, the first thing you gotta do is, you know, like understand how much of a risk is this for us?
What are the potential repercussions? This is where, , insecurity. we do a lot of tabletop exercises and things like that. I think that’s one, a way you can try to, baseline, your maturity and understand, Okay, well, if this were to happen to us today, we’re not happy with what our response would be, or our level of risk that we would have to assume is, so where do we want to be?
How do we get there? What’s the reasonable amount of time and budget and spend and all that kind of stuff. So it’s not an easy question to answer, but there’s a way to do it. And, and again, I mean, if anyone wants to go more into that offline, I’m happy to answer and discuss that further.
Ashish Rajan: Yep. Yep.
Awesome. And I think it’s a great way to put this across as well, because a startup may be worried because they might have some seed funding or they would want to make sure that the impression that they make on the future venture capitalists, that they will get money from is not hampered.
And they have a [00:41:00] certain level of trust that they create. But on the other extreme, then you would have say brands which have been there for years, they were never online, but now they’re suddenly online. So some of their staff may not be trained for, they have marketing teams who are growth teams who will help them go online, but they necessarily would not know.
Like, if they will be trained enough to not, I would respond to this appropriately. Like, do they actually know that you just reach out to security people? If they say this looks like a bit of a suspicious thing? I think I found a fake profile of, I don’t know, insert company here. If you look at social media as well, how often do you find people who use someone else’s image as their image, which is like, I don’t know why people do that, but I feel like it’s really interesting how people would rather have.
I celebrity face on their profile and show their own face and like, Oh, okay.
Sam Small: Yeah.
Ashish Rajan: Yeah, yeah. And I wonder if he even goes on LinkedIn though. Have you seen one on LinkedIn yet?
Sam Small: I’ve seen fake LinkedIn profiles where people are trying to run like HR recruiting scams. Like, Hey, we want to hire, you [00:42:00] would just like send us your resume and a $20 application fee.
I’ve seen a lot of those types of things. I think the other thing that’s kind of related to kind of what you were talking about that I was thinking about a moment ago is that, you know, when a company doesn’t take this seriously, there’s like other types , of problems. You know, when you don’t deal with brand abuse, it can really affect the trust and confidence people have in your brand.
So I’ll just give an example without calling out the specific company. There’s a sunglasses manufacturer. and for many years, people were abusing their brand on like Facebook and Twitter in particular, like posting a photo of their very popular, a sunglasses brand with like 20% off follow this link.
And, it got so bad that it was always this one brand that like I’m to the point now where as a consumer. I will never click on any advertisement, even if it’s legitimate from that company, because I’ve just been trained to condition that like scam scam, like the first thing I think of when I see a digital ad from this company is scam.
That doesn’t mean I wouldn’t buy their sunglasses, but I’m only going to do so maybe in person or if I directly go to their domain, but then that kind of blows up their [00:43:00] whole digital advertising campaign. Any, any spins that they put in digital advertising marketing, because they didn’t take care of this.
it’s, it’s very ineffective. , they’re getting pennies on the dollar of their investment, whereas like someone else who is very aggressive about dealing with brand abuse, like they get a dollar. So, you know, they get a dollar value for dollar spend on their digital ads.
Ashish Rajan: And I think Chris has mentioned a comment, so, he said, even ASIO thats Australian security intelligence organization, it’s not campaign to watch out for foreign interference approaches on social media. it’s amazing how. before cloud and before social media, we used to all be worried about someone getting into our network.
But now it’s almost like we’re already outside the network.
Sam Small: when I was young, it was like, you have to get EIP or you got to get the instruction pointer , and it was tough. And , you could bang your head against the wall forever. And now I’m jealous.
Ashish Rajan: there’s so many guys who are doing bug bounty, it’s like, yeah.
A hundred percent to your point, even if out of 10,000 or a hundred thousand, I get 1% hit rate. That’s still pretty good hit rate. Yeah. And I [00:44:00] just automate the whole thing. Just keeps spamming the internet for it. It’s like a billion people out there on the internet.
Sam Small: Exactly. Exactly. You only need to be right once. And, and with such a large pool of potential victims, Well, it’s a better option for some people, , then whatever opportunities they may have in their community or given their, you know, given their other options or, you know, whatever, maybe they just don’t care that, I can’t get into the psychology of why people do illegal things or try to scam people, but, , it’s always going to be there.
There’s always going to be people. You know, who are too trusting, there’s going to be people who take advantage of that. And then there’s going to be somewhere in the middle where, you know, they’re an to try to catch someone when their guards
Ashish Rajan: down. Yeah. And I think, let’s say it’s just human rule.
Right? Good people, bad people,
Sam Small: well, good day. Bad day. Right? Like it’s, it’s less about that and more just like you made a bad decision and you made it for too long.
Ashish Rajan: Yeah. Yep. That’s right. It says something about the space. Cause I know this space is quite new as well. I guess it’s been there for a while, [00:45:00] but now there’s a term for it.
Is there something that you feel you feel people should talk more about in the space? That means they may not be at the moment.
Sam Small: Yeah. so again, you know, I still meet like really smart. Accomplished experienced CISOs. And you talk about these issues and they still don’t fully understand or appreciate the, the, just how deep and how dangerous these things can be and not dealing with them.
And at the same time, like, I, I give them a pass on that because I still think, you know, even like 20 years into all the basic stuff, that’s in like the Sans 20 or which is now the SIS know 20, like we’re still struggling at so many organizations dealing with the blocking and tackling of asset management and vulnerability management and prioritization and identity and authentication and password security.
So I get it that like, It said one more thing to be like, ah, like I’m not done with this yet. And now you want me to pay attention and invest in that. so, you know, I do think though that like [00:46:00] us as security executives, like, and security program managers and leaders need to get more up to speed on that and understand that kind of where it sits, you know, shoulder to shoulder with these other things.
That’s one thing. And I think the other thing that people should be paying attention to is we’ve really let these digital platforms kind of. Move at their own pace and their own speed and set the expectations, for businesses and consumers who are being targeted or who are facing brand abuse or, or any of these sorts of things on these platforms.
And I think the power is a little too much in there and they’re under the spectrum and what I would like to see, and I’m not calling for like regulation or law necessarily anything, but I would like to see a little more. Kind of, commitment or consistency around the expectations and the automation and the maturing on their side, because we can’t force that we can build all the tools and systems we want to automate finding and reporting these things.
I can’t force any of them to invest more in handling that, you know, [00:47:00] increases or changes in volume or, codifying. You know what they’re going to do or what the expectations are or standardizing, that communication.
Ashish Rajan: And I truly hope that the kind of learning as it’s growing, because it is around us. , as I tell people about when they do security administrating as well, internet is still like, I think no one expected a small network that a university is going to start.
It’s going to turn into this massive thing. That’s going to connect the world. It happens so quickly and all around us and we’ve gotten used to it. We were introducing our kids to it. We’re interested in introducing our families to it, our parents into it. And, and
Sam Small: thank God for it too, because if COVID-19 was here and we didn’t have.
If we, if this wasn’t already all here, I mean, yes, I hate being on zoom all day, but at least I can be on zoom. Like, you know, we’re trying to do this on the telephone for the last seven, eight, nine months, however long it’s been. Right.
Ashish Rajan: That’s right. But I guess to close off that point as well were [00:48:00] totally grateful for all this, but at the same time, people like you and I, and others who are kind of watching out for, Hey, Where does this really mean?
Because I think it’s more about generating awareness of this as well. It’s not like saying, Oh, this is like a dark world. Stay away from it. It’s just where, like, you need to be aware of what you’re getting into as well.
Sam Small: Yeah. Yeah. It’d be like, if you spend all your time putting, locks and sensors on all the doors and windows on the front of your house and like totally ignoring the fact that, you know, the back door to the basement, like is wide open
Ashish Rajan: so, this is probably where very are moving into the last, section of our podcast . Dude. I just want to say thank you so much for coming in, man. I think I got a lot of value out of this. I’m sure the audience does as well based on the questions, but this was really awesome for me. Where can people find you online?
if they want to connect with you and find out more about this topic.
Sam Small: Yeah, sure. the social. Yeah, platform I’m most engaged and involved in his LinkedIn for, you know, any of this stuff professionally. And so just connect with me on LinkedIn and, if it develops, , [00:49:00] then we’ll move to email or phone or a video chat or whatever, but like, that’s the easiest way for me to manage inbound stuff, I think.
And then if you want to learn more about this stuff again, just put like digital risk protection in quotes, be wary of like, , where the information is coming from, because if it’s coming a vendor, even if it’s my company, like everyone’s got their own spin on what they think, you think the most important things should be, because that’s what they do really well and sell.
So you can use your best judgment. There are plenty of people who’ve read about these topics, et cetera, that aren’t affiliated with a vendor. And again, I’m more than happy to share those resources and others with anyone who’s interested. And it only takes me a minute to copy and paste links. So.
Ashish Rajan: thank you so much.
can’t wait to bring you back again, man. This, this has been awesome. So thanks. I
Sam Small: would love to have coffee with you, even if we weren’t live streaming it. So let’s not, let’s not miss the opportunity.
Ashish Rajan: I will definitely be following up on that as well. Sam, thanks so much for coming in, man.