For the next interview in our series speaking to technical leads from around the world, we’ve welcomed experienced cybersecurity specialist and author Greg Scott.
Tell us about the project you represent, what is your vision & goals?
I want to raise public awareness about cybersecurity. Because even after decades of headlines, and more sensational attack stories than I can remember, the public still believes Hollywood hacker stereotypes about cybersecurity, and that somebody from the government will make everything all better. I want to help fix this problem.
“Bullseye Breach: Anatomy of an Electronic Break-In,” published in 2015, shows how Jerry Barkley and an ad-hoc team in Minneapolis stopped overseas attackers after they stole 40 million customer credit card numbers from a fictional retailer, Bullseye Stores, during a busy Christmas shopping season. In “Virus Bomb,” published in 2019, after nobody heeded his warnings, Jerry Barkley uncovered the largest cyberattack in history and saved millions of lives from the follow-on biological attack.
What inspires and energizes you within your work?
A good day for me is when I find a reader who enjoys my novels and learns real-life cybersecurity lessons from them.
Can you share a little bit about yourself and how you got into cybersecurity?
It all started in November 2000, when my wife complained she couldn’t get to the Martha Stewart Web site, or anywhere else on the Internet, and what did I do to the computers this time? I investigated and found my house LAN was indeed running very slow. I operated a public-facing DNS server and found a process running: ping -s 65000 -f nn.nn.nn.nn (I won’t share the target IP address.)
It blasted traffic as fast as my 14 kb IDSL internet connection would allow to a system across the Internet. When I killed the process, the performance went back to normal. Telnet also behaved strangely. When I tried to connect via telnet, it wouldn’t echo anything and lately would just tell me the process was ending.
A feeling of dread came over me and my adrenaline started pumping. And then I got mad as I realized somebody had broken into my DNS server and set up this attack. I called a friend more experienced in this area than me. He laughed and told me I’d been suckered by the oldest trick in the book. Somebody probably replaced the real telnet with a fake version designed to steal passwords for later transmission to my attackers. The system had definitely been compromised.
The technical recommendation: Wipe the hard drive and rebuild the system from scratch. The next recommendation: Call the FBI immediately because the IP address my system attacked belongs to the Brazilian National Government, and I could face legal trouble if I didn’t report it.
As soon as we hung up, I called the Minneapolis FBI office and asked for somebody who deals with computer crime. Unfortunately, this office was unhelpful and when I followed up on my case, nobody had any record of my earlier call and they blew me off.
I wrote a column about my experience in “Enterprise Linux Magazine” and then rebuilt my DNS server from bare metal. Lesson learned patching is important.
The article ran in Feb. 2001, and my phone rang a few days later. It was a manager in the Minneapolis FBI office and he wanted to troubleshoot. I thanked him for the call but said I could not afford to shut down my life and wait three months for a callback from law enforcement. I had long ago wiped and rebuilt that system.
He said that since I called on a Saturday (remember, I really called on a Tuesday) I must have connected to a weekend operator. That was why they had no record that I had ever called.
That taught my next lesson that solely relying on law enforcement is often not enough in data breach scenarios. Over the next several years, I would learn that lesson again and again.
What gave you the idea to write fictional books based on the worst-case scenarios of cybersecurity failing?
In 2014, after spending too many years watching too many eyes glaze over when I offered cybersecurity advice, I decided to try fiction to present the truth better than the news. If I could not keep peoples’ attention with facts, maybe offering compelling fiction would do the job. And so I invented Jerry Barkley, an independent IT contractor who’s been through his share of adversity, and a fictional world similar to the real world with a few name changes.
What are some misconceptions that you believe businesses have about cybersecurity?
Too many people still believe Hollywood hacker stereotypes about cybersecurity and that somebody from the government will make everything all better. Many business leaders view their IT infrastructure as an expense instead of an asset, and so they minimize their expense instead of maximizing their asset value. That mindset drives problems.
News stories document how IT professionals lead the post-COVID great resignation phenomena. Unhealthy stress reactions and PTSD plague too many CISOs. Ransomware and other attacks still regularly succeed.
Too many leaders leave their organizations vulnerable by hiding behind a veil of secrecy, and so they lose any collective wisdom from people in similar positions. We keep making the same mistakes because everyone must learn the same lessons from scratch. That leads to a litany of tactical blunders we read about in nearly every attack.
- Failure to patch
- Poor backups
- Poor password/passphrase management
- Failure to realize that security is a process and not an event.
What are best practices for today and how can businesses avoid cyber threats such as ransomware, phishing attacks, etc.?
A few years ago, after somebody compromised his computer yet again, an organization leader asked me what he could do to protect his computer and organization from attack. I started my typical lecture and he stopped me after about five words.
“Greg, just tell me everything I need to know in twenty-five words or less.” I left frustrated. Why do people ask for help and then blow it off?
Months later, a different communication approach came to me. To protect themselves and their organizations, busy leaders should embrace an easy, six-word rhyme. Everything flows from there. Care and share to be prepared.
Nineteen words to spare.
Care enough about your cybersecurity to actually invest instead of just talking about investing, share what you learn liberally and often, and expect everyone else to share what they learn, liberally and often. Bad guys spend all day probing good guys and all night collaborating with each other to improve the next day’s probes. Just look at some of their forums. Good guys hide behind a veil of secrecy, and bad guys pick us off like shooting apples in an arcade game.
Good guys must learn to break that cycle by embracing open instead of closed and learning to collaborate. This means publishing what they do for security, presenting details at conferences, and subjecting themselves to a gauntlet of peer scrutiny.
Embracing open is controversial. The debate goes back to at least 1853 when Alfred Charles Hobbs published a book revealing to the public how mechanical locks worked. Many people complained that he enabled attackers. Here is how Hobbs answered.
“A commercial, and in some respects a social, doubt has been started within the last year or two, whether or not it is right to discuss so openly the security or insecurity of locks. Many well-meaning persons suppose that the discussion respecting the means for baffling the supposed safety of locks offers a premium for dishonesty, by showing others how to be dishonest. This is a fallacy. Rogues are very keen in their profession, and they know already much more than we can teach them respecting their several kinds of roguery. Rogues knew a good deal about lock-picking long before locksmiths discussed it among themselves, as they have lately done. If a lock—let it have been made in whatever country, or by whatever maker—is not so inviolable as it has hitherto been deemed to be, surely it is in the interest of honest persons to know this fact because the dishonest are tolerably certain to be the first to apply the knowledge practically, and the spread of the knowledge is necessary to give fair play to those who might suffer by ignorance.”
Alfred Charles Hobbs, “Rudimentary Treatise on the Construction of Locks,” edited by Charles Tomlinson, published in 1853, page 2.
Hobbs would be an internet security researcher if he were alive today. People who fought open were wrong in his era, and they’re wrong today. Good guys need to embrace open because bad guys already know how to attack good guys, but good guys don’t know how to defend themselves. For evidence, just follow the news.
Every cybersecurity program should address these tactical areas:
- Email hygiene; teach end users about phishing.
- Patching strategy; keep systems updated to guard against the latest threats.
- Authentication; make sure the other is who they claim to be.
- Trust; learn how trust over the internet works.
- Password/passphrase management.
- Backups; practice recovering from bare metal.
- Social media; because lies travel farther and faster than truth.
- Mobility; especially in the COVID era.
- Tech tools such as antivirus subscriptions, and email and website filters
- Awareness; there is no substitute for old-fashioned human awareness.
What one vital tip would you give to companies who are reviewing their cyber security?
Care enough about your review to take it seriously. Share what you learn in public. Even if it’s embarrassing. And then repeat. Security is a process, not an event.
What are your thoughts on CMMC?
The Cybersecurity Maturity Model Certification looks like a useful framework. But there are lots of useful frameworks. Zero Trust Architecture is another recent one. Use them as a guide but focus on good defence, not checking boxes in checklists
Does your organization use log and metrics data to improve and secure your systems? How do you find managing logs assists your day-to-day work?
Teams of people who support larger customers in my day job use logs every day for analysis and troubleshooting. In my personal environment, I often use website logs to manage my website. I also use the email server logs and other logs for troubleshooting.
Would you like to share any cybersecurity forecasts or predictions of your own with our readers?
Look for quality, sophistication, and volume of the same types of attacks we’ve seen over the past forty years to increase. Hopefully, we will wake up and meet this ongoing challenge.