Mark Lanterman on Brute Force Attacks and Corporate Cyber Defenses [Podcast]

07/27/21 • 12 min

Post By: Adam Turteltaub On July 1, 2021 the US National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), FBI, and UK National Cyber Security Centre (NCSC) released an advisory reporting on “malicious cyber activities by Russian military intelligence against U.S. and global organizations…” The advisory shared that “brute force” is being used to “penetrate government and private sector victim networks.” To understand what this means for organizations and what they should do we talked with Mark Lanterman (LinkedIn), Chief Technology Officer at ComputerForensic Services. He explains in this podcast that it’s not just the brute force attacks that should cause concerns. It is these efforts combined with the use of “known vulnerabilities” to access data undetected. What should organizations do to protect themselves? He advises following the recommendations in the advisory. For one adopt multi-factor authentication along with time out and lockout features. Other steps to take include network segmentation and closely monitoring access controls. He also suggests that organizations review existing protocols to ensure that they are actually being followed. Just because a policy is documented, he warns, doesn’t mean it is being applied. If your organization is using a cloud provider, he recommends take the time to revisit its value as a tool, what protections are in place, what data is stored and where it is stored. Ask your cloud provider about the infrastructure it uses, how it is protected, and what are the backup and protection policies. Trusting any third party with your data, including a cloud provider, is not something that should be done lightly. Inside your organization, he argues for rethinking the approach to data security, changing it from something you train on once a year to an entire culture. There can’t be a set it and forget it mentality. A much more dynamic approach is required. Listen in to learn more about how you can better protect your organization against brute force and more subtle attacks.

Previous Episode

Jenny Radcliffe on People Hacking [Podcast]

Post By: Adam Turteltaub Liverpool-based Jenny Radcliffe, who leads Human Factor Security, is not your typical hacker, clad in a black hoodie and working out of basement. Rather than spending her time hunched over a keyboard, she seeks to hack people. What does that mean? As she explains in this podcast, she uses persuasion, psychology and influence methods to make her way into systems, and even into physical premises. She is often hired to break alarms and see if she can talk her way into a building. She does it by capitalizing on the all-too-human aspects of our personalities, and from her experiences she has learned how phishing emails and other techniques also capitalize on human weaknesses to enable hackers to breach computer systems. What’s both terrifying and fascinating, is how hackers take advantage of our weaknesses, tailoring their attacks, knowing that different scams work for different people and cultures. In fact, she explains that the organization culture you have, is the hack you invite. In a hierarchical organization the hacker will likely use authority principles. In a younger, less rules-driven culture attackers may use registration for a social activity as a way to steal passwords and IDs. Hackers also take advantage of human emotions and stress. As she memorably says, “Emotion kicks logic off the cliff.” That’s why techniques such as promising a prize or threatening the release of embarrassing information can be so successful in getting people to click where they shouldn’t. She advises companies create “cognitive firewalls” within their organization, helping employees to watch for red flags such as: Any approach via email, call or social media that makes the recipient emotional The mentioning of money The request to act, especially if asked to act quickly How else can you protect your organization? By making it safe for people to come forward when they make a digital mistake. The more comfortable they are coming forward, the faster they will and the sooner the breach is remediated. And how do you find the internal bad actor? That, she says, falls on the shoulders of line managers, who need to be on the lookout for changes of behavior that may indicate stress. Listen in to learn more, including the risks that can come as employees return to the workplace.

Next Episode

Marjorie Doyle and Art Weiss on Polishing Your Corporate Values [Podcast]

Post By: Adam Turteltaub What do the current times and the times to come mean for corporate values? To answer that question we turn in this podcast to Marjorie Doyle, Principal, Marjorie Doyle & Associates, and Art Weiss, Principal, Strategic Compliance and Ethics Advisors, SCCE & HCCA President and Chief Compliance and Ethics officer at TAMKO Building Products. These two compliance veterans, and members of the SCCE Basic Compliance & Ethics Academies faculty, will be addressing the topic in their session “Polish Your Brand! Make Your Values Apply to Current Issues” on September 19th at the 2021 SCCE Compliance & Ethics Institute. When faced with such monumental changes as we are today they advise sticking to your values but looking to see if it is time to evolve the definitions. As an example they point to the value of safety, which now should likely reflect not just preventing injuries from things such as falls, but also from COVID-19. Likewise, they argue that with remote work values remain just as important, but organizations need to recognize that the application of those values is different. Studies have long shown that company values tend to be stronger for employees in the corporate headquarters than they are for those farther away. With so many workers no longer in the office, organizations will need to work harder to keep their values front and center and a driver of corporate culture. And how can organizations bridge the very different experiences of workers who come into the office and those who don’t? They advise regular communications from leadership filled with examples that reinforce the organizational culture. Those communications, and others, should also explain how the organization’s values are being applied to meet the changing environment. Listen in to learn more, and be sure to join us at the 2021 SCCE Compliance & Ethics Institute.