Joining us this week is Danny Jenkins, CEO and Co-founder of ThreatLocker, an Orlando-based cybersecurity firm providing zero-trust endpoint security. Danny shares insights on the challenges facing critical infrastructure, particularly water systems that continue to be targeted with today’s latest headline grabbing financial + ideological threat of ransomware. And he poses the question, “Will we get to a point where we have to stop drinking tap water?”
He also provides perspective around the nuances of compliance (note: listen for the motorcyclist example!) versus regulation and getting on a path to proactive versus reactive security while moving to a collective mindset of ‘what can I do to improve security this week’? And you don’t want to miss ThreatLocker’s must-read report on protecting water infrastructure from cyber attacks available here.
[00:58] Zero Trust Endpoint Security and Ransomware Relationship Status
Rachael: We have Danny Jenkins. He's the CEO and co-founder of ThreatLocker, a company that provides zero trust endpoint security. They've got a lot going on and he's got a lot of the same interests I do, like ransomware.
Danny did a report on protecting water infrastructure against cyber attacks. You guys are Orlando based in Florida, so you had a front-row seat to what was going on with the water treatment facility. Your report brought out so many really interesting facts. I'd love to touch on that and how that came about and why the focus that your company put on that.
Danny: We're seeing so many cyber attacks and it's not just water, but local government, police, and various different infrastructure. We've seen so many cyber attacks happen, attempted cyber attacks on this infrastructure. Being in Florida and being water, it made me think, am I going to stop drinking out the faucet soon? This attack forwards to essentially potentially poison the water, not too far from where I live.
Thankfully I'm in a different city, a different municipality. But I have no confidence that the municipality that I'm in has any better security than this company. It really raised basic security concerns. This wasn't some genius hacker. We're not talking about the level of sophistication that was used in the SolarWinds Orion attack. But we're talking about someone who got into a computer that had TeamViewer installed on it. They essentially turned the dial that potentially would have poisoned the water if it hadn't been spotted pretty much immediately.
Two Scary Parts of the Attack
Eric: We got lucky that it was spotted by somebody who worked there immediately.
Danny: Well, that's it. There's two parts that scare me about this attack. One is that TeamViewer was running on a computer that can essentially poison the water. But also that someone who's sitting at that desk who is a $45,000 a year paid civil servant can turn that dial himself and poison the water. There's so much lack of control, so much lack of oversight as to what can happen here. There are so many areas where things can go horribly wrong.
From the water system systems being shut down to water being poisoned, to various things that can happen. It seems like there's not enough controls in place to stop them from happening. That is a common theme we see across, not just government agencies or businesses, but government agencies and infrastructure companies are businesses that affect us all. We don't get a choice of where we get our water from.
Eric: In your investigation, did you ever determine what level of cybersecurity capability that water processing plant had? Did they even have someone in charge of cybersecurity?
Danny: We didn't work on that particular plan, but we did a lot of investigation. Obviously, we read what was publicly available. But if we look at lots of similar companies and we've worked with lots of similar companies. Typically, municipalities outside of the big New York City ones and San Francisco ones tend to have very little cybersecurity full stop.
The Ransomware Relationship Status of the Guy in the Basement
Danny: They run a local IT guy that has always fixed things and it's the same guy who's been there for 20 years. He's Bob in the basement and he's done a great job at what he's doing, but he's got no cybersecurity experience. There is no CISO or even virtual CISO managing and giving them advice and putting any suggestions in place for them.
We've seen that from municipality to municipality. I saw one company that got breached, they got ransomware. It was a police department or it was the city police department. The head of cyber crime was responsible for the ransomware having happened. This is essentially a cop who comes in, plugs in a USB device that you found in the parking lot.
Eric: Yes, this is the world we live in.
Rachael: It's like going to Black Hat. You find a USB key on the ground, you're like, "Oh, what is this? I'm just going to plug it in."
Eric: Look at that, free USB drive. I wonder how big it is, let me plug it in and find out.
Danny: Well, they dropped him in the hotel.
Eric: They come with your room rental. You got upgraded, you want 3000 points or a Russian USB drive? It's your choice. So Danny, I was reading your blog. On August 3rd, your organization put out a blog posting called Protecting Water Infrastructure Against Cyberattacks. You cited some data from the Water Sector Coordinating Council cybersecurity 2021 state of the industry report that blew me away. I never saw the data, but 51.4%, let's just call it 51% of survey respondents from the water sector are with a department of a municipality or a county.
No Cybersecurity Budgets
Eric: We're really talking about the local government there. 33% are a special district or independent government entity. Then 9.5% basically are private non-profit profit cooperatives. 6.4% are privately owned or investor owned. We're really talking about state and local governments in the United States who typically don't have cybersecurity budgets. It typically isn't a major priority for them. Seeing the data blew me away.
Danny: We see this all the time. I remember the year before 2020. In 2019, there were three Florida cities hit by ransomware in the same month. Collectively, they paid over $2 million to get their data back. I sat there at this point and I thought, wait there. We're letting people chop heads off without paying ransoms.
But we're suddenly paying $2 million to essentially terrorist groups overseas to turn on local municipalities. If someone had said to me on September 12th, 2001, 20 years ago this week, that in 20 years time, we're going to pay people $2 million so we can get our computer systems back.
Eric: And maybe don't even get them back.
Danny: I would've laughed at them. Maybe you don't even get them back. That's the point, but they paid for it. The reality is, we work with cities all the time and we do everything we can, but trying to get $3,000 as a budget from a city is unbelievable. But they unanimously voted yes to pay $2 million to a cyber criminal somewhere in Ukraine or somewhere random in the world to get their data turned back on. So it's funny. They don't have the budget, but in fairness, they choose not to have the budgets.
Danny: In many cases, a lot of these budgets are set by committee. The committee say, "We've been okay for 20 years, we'll be fine." Suddenly it becomes a reality when something serious happens. They say, "We're going to spend some money on this now." But unless they've been hacked or their neighbor's has been hacked, they're very much like, "Well, we've been okay for the last 20 years, what's changed?"
Eric: Right. It never happened to me . Who cares about me? I'm in the middle of Idaho or pick your location, your locality. It's a real problem. So what do we do about it?
Rachael: There's two pieces here though. The security in municipalities is prioritizing that, but then there's also the ransomware challenge. Which pot do you want to dig in first, because these are pretty meaty topics right here?
Eric: I don't know. But whether you're talking about water or power, school systems, city, state, local governments, we're really not talking about a lot of privately owned, investor owned utilities. We went after Colonial Pipeline, which was publicly owned at least. But how do you go after a municipality? The state can go after the municipality, but they have no money, no capability.
Danny: The point is they do have money. We saw that because they paid the money and these attackers. Bear in mind, most of the attacks we're seeing on the news today are business-driven attacks. These guys are trying to make money. They're encrypting your files. Do we sort it with Colonial that they paid $4.5 million, they're there to make money. But there are still attackers out there who have ideological reasons to attack the United States, to attack our water, to attack our oil supplies.
You Have To Ask the Ransomware Relationship Status
Danny: You have to ask the question, what happens if Colonial paid the $4.5 million, which is a rounding error for them? They didn't get their data back, they didn't turn on the oil pipeline. What happens if someone takes down the water systems? These cities in Florida that were taken down in 2019, they couldn't bill the water. They lost all their water billing data, and they weren't able to send out water bills.
So they had to pay those $2 million combined. But what happens if they paid the $2 million? Then the guy says, "Now we've managed to take down the United States and get paid for it." It's a real threat. The problem is, everyone's thinking about this. Too many people are thinking about this from an insurance point of view. What if I get ransomwared, I'll put a claim into my insurance and it will pay at least a portion of it.
But there's so many ransomware attacks I see where you don't get the data back either because guess what? These guys aren't very good at keeping their word, their support isn't very good. The key's wrong and they messed up on saving it.
Eric: They didn't care.
Danny: They just didn't want to give you the data because look, they want to hurt the United States. They want to hurt our government agencies, they want to hurt our infrastructure.
Eric: When I think of Colonial Pipeline and billing, that's one thing. But in this case, weren't they going to put an excessive amount of lye into the water to poison it?
[08:23]No One Even Knows the Ransomware Relationship Status
Danny: Sodium hydroxide. They were increasing the chemical. No one even knows in this case. Did someone do this because they just happened to connect to a TeamViewer session by typing in a random code? Or did someone actually hack into the water supply intentionally and it's really hard to see. This wasn't a ransomware attack, it wasn't a business attack. It wasn't, I'm trying to get money. But equally, it could have been someone who just went on a machine and said, "I can just mess around with this computer that I run and connected to." Not even knowing what they were playing with and what buttons they were pressing.
Eric: Same result.
Danny: If that happened, I'm hoping that somewhere down the line, some systems would have been shut down. But I don't know. I'm not confident of that. I've been drinking out of bottles for a while.
Eric: We definitely see that with ransomware where there were massive impacts. I'm less worried about the water, them not being able to bill for water, municipality not being able to bill for water. That to me, that's like paying the ransomware fee. The bigger issue is when the water gets polluted. Imagine if someone had the ability to take a septic waste treatment and merge it in with water or something like that. That would be a massive impact.
Danny: Or shut off the pumps. I live in Florida, we'd have hurricanes. Sometimes the water goes out, so we're prepared. We have created backup water. We've got gallons and gallons of water. If you lose water in Florida unexpectedly, if the pumps get shut down, just like they did, I know it was oil.
The Same Principle
Danny: It's the same principle. They're pumping something through a pipe. Poisoning the water I would hope is less likely to succeed. But suddenly showing off water to a county that has temperatures upwards of 95 degrees, that's not a situation you want to be in. It's a very real situation right now. I've reviewed so many local government networks, there isn't a single one that I wouldn't have been able to break into in 30 to 40 minutes. They are poorly prepared.
Eric: We've talked about that a bunch on the show. It's what do you do though? How do you get these municipalities to understand the risk? Understand the cost and serve their populations when they're in the middle of the country. Don't feel that they can be attacked? I hope legislation is going to help force it because we either wear a seatbelt when we get in the car. We want to wear a seatbelt and we want to be safe, because if we don't, we're going to get a ticket. But either way, most people wear a seatbelt when they get in the car.
Regulation is not always going to solve every problem. If you have regulation that forces the following of standards, whether it be CIS or whether it be NIST 800-171, it's going to force people to do things regardless of whether they think they're a target or not. Then you take away the opinion out of it. Of course, someone who really wants to do it is always going to do a better job. But we need to be a lot more secure than where we are now.
The New Infrastructure Executive Order
Eric: Obviously the new infrastructure executive order goes towards that. It goes towards making sure critical infrastructure is protected. The problem is that regulation legislation takes too long. They don't necessarily have the orders in place. But the first thing is, let's send a list out there to every municipality. Saying, you've got to implement EDI, you've got to implement a zero trust framework. You've got to implement permissions, lease privilege, all of these things.
Dual factor authentication. You must turn off remote access tools. You have to have regular scans on your firewall. Give them those lists of tangible items that need to be done and say, you've got to do this. If you're not doing this, then you're not doing your job. We're going to come in. We are going to audit you. Maybe the federal government helps pay towards that because it's a federal problem. Cybercrime, their job is to protect us from foreign threats.
Eric: I'm trying to think of a couple of years ago at RSA, I sat down with a relatively senior person. I won't tell you the state, on the Department of Homeland Security at the state level though. It was a panel discussion we were prepping beforehand and we were talking about her challenges. The problem is the people who are representing these organizations at a school.
The head of cybersecurity for a countywide school district might be the cyber security teacher who five years ago was teaching math at the middle school level. So when you talk XDR, when you talk zero trust, her concern was there's no capacity to receive that and do anything with it. They just moved into this role and they don't have a 20-year history.
How Much Experience Do We Have With Ransomware Relationship Status
Eric: Think about where you and I went to school. We didn't go to school together but think about school back in the day. They didn't even have an IT department, it was an audio visual department. Now they have IT, but who's running it? How much experience do they have in cyber security against potentially nation-state or nation-state-supported or allowed attackers?
Rachael: It's the business calculus. They roll the dice and say, it’s probably not going to happen to us. If it does, we've got this little pocket, to Danny's point. There's money somewhere. If you can pay ransomware, why couldn't you have funded a security expert? A lot of people it's like, let's just see what happens. Unfortunately, as we know, everything is driven by these extreme events. Then it does happen, you're like, "Maybe let's put some more money into it now in an official capacity."
How do you change that mindset is the big question. I know the administration is trying to get there with public disclosure policies and the treasury department. Saying, "If you pay ransomware to a nation-state attacker, we're going to find you." They're trying to get it together, but it's very disparate.
Danny: There's two areas. One is having some kind of tangible task force, the people in these roles. This is a government problem across the board. In the private industry, cybersecurity pays a lot of money. They pay money based on someone's ability to do the job, someone's experience, someone's understanding, someone smart. It's not based on what level of qualification in college they go. They're looking for the best people.
Eric: And we still fail and have problems.
The Ransomware Relationship Status Have More Success Rates
Danny: The interesting thing is when you start looking at the bigger banks, they tend to have more success rates because they have better people. The small organizations still have the same problem. The government is tied against the wall because they pay very much for college qualification. They say, if you've got a bachelor's, a master's, or a PhD, it’s going to determine your paycheck.
When people leave college with no experience, they actually do well by going into the government industry. They have no experience, they come out, they know nothing. We hire a lot of people from college too, basically taking on juniors. The challenge is if they're good, they quickly move to high-end private industry because the government's never going to pay them. No cybersecurity professional is going to get paid $65,000 to $75,000 a year who knows what he's doing.
You have these local guys that can't do the job. That leads to either a federal or state-level government. It comes in and says, we're going to hire a team at least to audit and suggest. Then it becomes a case of, can you implement this to a state where we can audit it? We can say, "I've checked this box. You've implemented application white listing. You have implemented a file-based permissions. You've done firewalls gangs.
You've done penetration testing. You got patch management plays. Can we give you this check box of tools, can we monitor that?" If you can't, then we start saying, where are they going to pull state or federal funding from you? All of these guys are getting some funding or we're going to pay for it for you to get somebody in, to come and do your job properly.
We Get Back to Compliance
Eric: But then we get back to compliance, which in this case I might agree with you is a necessary first step. We talk a lot on the show about compliance versus actually doing proper security. Checking the box. We made sure that we're patching. But the compliance piece, it's a good first step, I'll leave it at that. It's something.
Danny: I have a slide that I show quite often in presentations that sums up compliance really well. There's a guy on a motorcycle, he's wearing a helmet, but he's completely naked up side of that. It says this guy has compliance. So you have to build that picture in your head. You can't see too much. But the point is that, there's two fundamental falls with compliance. Quite often, it's written in response to a problem. We don't have a problem with people riding around on motorcycles naked. So we didn't pass a law to say, you have to have clothes on, on a motorcycle.
But we did pass a law, we did have a problem. In Florida, people don't have to wear helmets anyway. But in some states we pass it off saying you have to wear a helmet because they had a problem with not wearing helmets. A lot of compliance is driven by that. We don't have a problem with people installing an antivirus because everyone has one. But we do have a problem with whitelisting not being implemented with privileged access management not being implemented. We're going to write compliance laws around that.
[21:18]No Such Thing as Complete Secure Ransomware Relationship Status
Danny: Quite often, compliance has these big gaping holes in it. It's always responsive to failure for people to do basic things before. But equally it goes towards getting closer.
There is no such thing as completely secure. There’s no perfect security in the world, but what we can do is be more secure than we were last week. If everyone wakes up every Monday morning and says, what can I do to improve my security this week? If you can get up by 5%, that's 5% less than you were the week before, better than where you were the week before. The harder you are to hack, the more difficult, the more likely someone's going to give up.
Eric: With the customers and prospects that you talk to in your travels, how many people at the state, local, municipality, critical infrastructure level have security personnel. Not physically, but IT security personnel that wake up every day and say, "How do I make this enterprise I represent more secure today?"
Danny: Less than 1% of city or government people I talked to. In totality, I speak to people who call us up. People who say, I want to do something, they're the exception. But if I'm at a government trade show or RSA or a Black Hat, security trade shows, or even an IT trade show. I speak to a local county, they are normally IT people, not security people. They're more interested in the fact that the first thing you often hear is that it's going to be too much hard work for us. "I couldn't do that, it's too much hard work."
A Fundamental Problem
Danny: There is a fundamental problem. It's IT people that have to implement security, in many cases, cybersecurity. But it isn't an IT job, it's a security job. It's almost like it can. An insurance adjuster came in and said, "I know how to quote a building, but my job is to quote it to lower the costs and not to actually build the building." Security is supposed to be at odds with the IT department. They're supposed to be a pain in the ass. So pay for the IT department.
If it's the same function quite often, they are so conflicted with how do I make IT work smoothly versus how do I make it secure? In some respects, they can't always exist together. I have a lock on my front door. That stops me getting in and out of my house easily. I set my lock to auto because sometimes I'll forget to lock it and that's a pain because I walk out to the car. I come back and it's already locked, but it's just a security function.
As an IT person, if your job is to get less tickets on a help desk, less calls, security is always a problem for you. So big companies, big enterprises, always completely separate those departments. You'll have a CISO who should report directly to the board. If you're a small company, a virtual CISO, and it shouldn't be the IT department that's left to do that.
Eric: We do see it in the government, which is our area there, my area of expertise. We do see the CISO reporting up to the CIO more often than not. But I have one question I want to go back to.
Making Security Better
Eric: They wake up every day, less than 1% are really focused on making security better for that organization they represent. But you're seeing them at Black Hat, DEF CON, RSA, the different shows. Why are they going?
Danny: Well, it's cool.
Eric: I was afraid that'd be the answer.
Danny: You go to Black Hat, it's cool.
Eric: It's fun to go to Vegas. RSA, it's great to go to San Francisco.
Danny: It's in Vegas. I love that it's not to say that they're not saying I'd like to improve my security. The challenge that you have is that they don't want to improve security at the risk of upsetting people. I always say, if you want friends, work in the IT department. Don't work, become a security expert because security expert, security department don't have friends. They're the compliance people. They hate y'all people. They're the people that nobody likes and you don't have friends in that department.
So if you want friends, work in the IT department. If you're okay with not having friends, work in the security department. Because your job is not to be friendly. Your job is to walk into the CEO's office and tell him, "No, you can't have domain unrestricted access to the entire business. That's too dangerous." Of course he can always override if he's the CEO of the company. But the point is, if you haven't got the backbone to say no to the CEO of a company or no to the lady at the front desk, get out of the job. Our job is to say no.
The Executive Order on Ransomware Relationship Status
Eric: Switching over to the executive order that came out on May 12th. We've got the new draft, a zero trust guidance, which is out, which people are looking at. Does that compliance component, then do some of those mandates help enable these people who can't get it done? Who helped them to say no, we can't do that because of the executive order? Or because the government is forcing us to do X, Y, and Z.
Danny: The executive order mostly points to implementing standards, obviously issuing budgets, and following a zero trust framework. What I liked about the executive order is the first time I've ever seen zero trust defined in a legal stance. We see it on every billboard we go by. I started reading it and I was reading zero trust. We use zero trust in all of our marketing, but for us, zero trust means least privilege. It means don't let an application run if the user doesn't need it.
Don't let an application access more than it needs to access. But for many people, it means don't trust bad stuff, which I think is odd or review logs more often. Now, zero trust was very clearly defined in a legal stance for the first time ever. I've seen it as least privileged, which means only apply access when needed to anything.
Eric: They're talking identity, they're talking devices, networks, applications, and data.
Eric: But what does Wired say as of this weekend about zero trust?
What Does Zero Trust Means
Rachael: There was an article that basically what does zero trust means? It means whatever you want it to mean. That's been one of the interesting parts of zero trust. It's fairly open to interpretation and then of course, and then how do you execute? That's where a lot of people have struggled in how do you move forward with that strategy? What does it look like? That was part of some of the pain points of when this came out. There's a lot of talk about zero trust, but how do I put one step in front of the other to actually get there?
Danny: I was talking to a CISO at a major airline in the US about zero trust. He hated the word zero trust and I don't disagree with him. Zero trust is somewhat of a marketing word. I say that because it's being turned into a marketing word and everyone wants to achieve zero trust. Is it a mindset as well as a product? In theory, it's a mindset of operating more and less privileged. But it can be twisted and manipulated into anything you want it to be.
But ultimately, if you think about security from a least privileged perspective, rather than trying to add so many different tools on top of it to find the bad guys, because that's what everyone's been doing for the last 10 years or 20 years. They've had antivirus and next gen antivirus and AI antivirus and threat hunting and EDR and XDR. It's like, we're going to find all these bad guys. It is much smarter to say, "We can't find all the bad guys. It's fine to look for them."
[29:28]The Ransomware Relationship Status and Principle Approach
Danny: I have a house alarm in my house. What we've ended up with is companies with three house alarms, with motion sensors and contact sensors, and glass breaking sensors. They have a dog that makes a lot of noise, they have some cameras that have laser shooting out of them. But guess what? They haven't taken the principal approach of I'm going to lock my front door and someone can still walk in the house and take the TV off the wall.
If you think about security from a control point of view, this is what a lot of government legislation talks about. It's not about getting a better antivirus or having a more expensive antivirus or having a better EDR. It is very much about, do you have a firewall in place that operates a default EDR policy? You only allow rules that are needed to access your network. Do you have application whitelisting in place to only allow explicitly authorized software to execute?
And do you have a backup system in place that takes off site backup? Do you have a dual factor? These are what I like to call absolutes. If you think about a piece of malware, think about a piece of ransomware. Whether a user opens it or not, you have no control over it. You should train your users, but you have no control over that. If your antivirus detects it or doesn't detect it, you have no control. But when you start thinking about controls, they are absolute. Is it on the whitelist or isn't it on the whitelist? These are much more certainties.
Putting Controls in Place
Danny: A lot of compliance and focus towards putting those controls in place. Yes, they do tell you to put an antivirus in place. They do tell you to have some level of detection, but they're not saying get a better detection system. They're saying implement more controls, implement these privileges. If you forget the words zero trust and you think I just want less in my network, I want more restrictions. More controls to only allow what is needed in my network. On my endpoints, on my permissions, their security gets a lot better. If companies would focus less on the words like zero trust and what these mean, then they would probably be in a bit better state too.
Eric: I feel it's replacing artificial intelligence and machine learning. There were a couple of years where everything had to have AI and ML in it. Now it's, everything has to be zero trust from a marketing perspective. Customers are asking for it. All companies are throwing zero trust in there. I had somebody who was close to Rachael recommend changing our name to zero trust. They were joking, but think about SEO, the search engine optimization which you get, being zero trust as a company.
Danny: The least privilege of what we do is reflective of zero trust more than what a lot of things do. When someone says to us, what does it like to do, we don't say zero trust. We say, "We stop anything from running that isn't explicitly trusted." We've always said that before we use that word at all. So people getting down to the actual nuts and bolts of what things do, having a list of controls in place, it's a sensible way.
The Federal and State Governments Ransomware Relationship Status
Danny: That's what the federal governments, the state governments need to say. Look, these are the controls you need in place. We need to put this in place, go and check these boxes and come back to us with the ones you can't check. You can't check every box every week, just do a box and move on to the next one.
Eric: But this almost goes back to earlier in the conversation with the local municipality school districts, you name it. Do what you can, understand where you are. These are concepts that they can implement internally and should.
Danny: But again, if you don't have the talent inside, or you've got a conflicted department, because the department wants to make IT run as smoothly as possible. Now, you did something that requires people to get approval for new Chrome extensions. That slows down IT, but it also helps potentially protect from massive cyber breaches.
Eric: Are there anything missing that the administration should add to the draft from your perspective? Like an area of focus maybe?
Danny: There's a lot of words in that draft. I feel like the executive order is a political response to a complete failure of infrastructure security. It provisions money, which is probably the most any politician can do. Let's face it, we are really asking Joe Biden to write a security principle. From a political point of view, rather than trying to get deep into the details, we should be saying, we have to follow the standards. Pick some standards, whether it's CIS, whether it's NIST, someone has to go out.
Danny: They have to implement these standards and we're going to put money aside to help do that. There's some of that in the executive order. Like I said, it is a political response to a specific breach. There are breaches every day of the week, but that one just rattled the White House because it's oil. No one messes with oil.
Eric: Look at Flint, Michigan. Long-term water, nothing to do with cybersecurity, but that hit the press too and that was very significant. So water, oil, they're critical infrastructures. Infrastructure sectors are important and do become political when a problem rises to a certain level.
Danny: Water always hits the press but it didn't affect the White House.
Eric: But the problem was averted, that’s the difference. When the problem is averted, if Orlando didn't have water or had poisoned water, we'd have seen a very different level of focus in that. We become very reactive as a society.
Danny: That's human nature to react to. This happened to me, I'm going to respond to this incident above all other incidents. If someone broke into my house, I know what it feels like, so I want to deal with that. If you don't know anything about your car, I don’t know, because nobody's broken into my car. So that's human nature.
Eric: To put out these zero trust guidelines, the executive order that was out, the new one that's likely coming around these guidelines, that's important. But funding has to co-flow with it. These local organizations, you can tell them what to do. Without the funding, they don't even have the ability to understand the NIST guidelines around the risk management framework, 800-53 or 171, or any of these.
Eric: What's zero trust, like 207, I think 800-207. They don't even have anybody to read them in many cases, let alone understand them. Let alone deploy capabilities or take protective actions in accordance with them.
Danny: Having task forces that are trained on this as well, because finding someone to hire is very difficult. How does someone who doesn't understand the security interview for someone who's a security expert?
Eric: And where do you find people? I mean, funding.
Danny: It's a problem every business has. Find people. It helps, but it doesn't tell you if that person is good at the job or having a taskforce set up, helping people, hiring people or finding consultants. Having those things that can help small businesses because as a small business, we face this challenge in every single department. I want to hire a sales leader. But I don't know that much about sales. I want to hire a marketing leader, but how much do I know about marketing?
What questions should I be asking? So what you do is you often look at resumes of previous people. But in security, that's a little bit more challenging because the industry is growing so fast. The number of people is growing so fast. There is no magic qualification. Now you're saying, "Well, this guy sounds like he knows what he's talking about so let me go and hire him."
So having tangible help saying, "Okay, we're going to give you money and we're going to help you interview. We are going to help you find it. We're going to recommend accredited consultants or something along those lines to get these local governments, the smaller governments, smaller water supplies, smaller, critical infrastructure, aware of what they're actually bringing in."
[38:08]We Can’t Guess the Ransomware Relationship Status
Danny: Otherwise they're just doing what the rest of us do, which is, guess at the time we're hiring staff in other departments. We can't guess with security, we can't take a roll of dice and say, maybe I got to go, maybe I don't.
Eric: It almost makes me think like a volunteer program. You're in Orlando, we had the potential water problem in Orlando. There are a lot of smart cybersecurity and IT personnel in the Orlando area. If they had the ability to bring volunteers on board in some capacity to help local municipalities. To help state and local governments who do have that expertise, who can make their mark on their local communities.
Whether it's hiring or best practices or just understanding, what is the risk management framework? How do I implement that, how do I understand that? What is zero trust? How do we look at that? Bringing community level experts in because in a lot of communities, we do have experts. They're just doing different jobs.
Danny: You have to be careful about the type of people that tend to volunteer. Have you ever been to a meeting? So you have to be careful about that too.
Eric: It's a good point. I certainly am not pretending to have the answer. Rachael's probably more likely to have the answer on this one. I don't know, but I hear what you're saying. We need expertise in order to hire and leverage expertise and make things happen.
Danny: And train.
Eric: How does a local school board make a determination on what they should hire for? Who should they hire? How much should they spend?
Rachael: It is a problem.
Eric: How do they believe that?
Constantly Fascinated by the Ransomware Relationship Status
Rachael: I don't have the answers, I will say that. But can I totally pivot though, because I really want to talk about ransomware. I'm constantly fascinated by ransomware, and I think you mentioned this earlier in the podcast, it is big business. People getting paid, then you have subcontractors of ransomware gangs getting paid and throwing up a kickback.
A lot of people talk about financial incentives. How do you shut that down and if we were to regulate cryptocurrency, for example? Is that the right lens to look at this? I know you guys are dealing with this day in and day out at ThreatLocker. I'd love your perspective as someone who's on the front lines here.
Danny: Here's the problem. There are really two types of ransomware, the ones that scare me and not the dark sides and the big organizations. The reason they don't scare me as much is because quite often that's easier to trace and detect. It's clearly not easy enough because we're still seeing massive companies shut down. But there are intelligence communities, there's antivirus communities, there's EDR communities that are tracking these software, tracking those publications, looking for those known code.
What scares me is the niche ones that you see, the guy who sat in his basement. I demonstrate how easy this was. He just wrote a custom piece of code to encrypt your files because he happens to be a programmer. That's not going to be detected by anyone. It's very hard to shut down. The problem is the cryptocurrency has definitely been a way of transitioning that money. I'm not a big fan of cryptocurrency anyway.
I Don’t See Value in the Ransomware Relationship Status
Danny: I don't see value in it although for 10 years, I've been saying this is going to hit the ground. This cryptocurrency doesn't keep buying it and keeping it wrong. But, I'm not sure you could shut it down at this point in time. Possibly shutting it down is going to help restrict the payments but then they'll find another way of getting the money. Whatever we do, they're going to find some way of getting around that politically, how do I get the money? Do they have to do a wire or just go to a country that doesn't extradite me? There'll be so many things they can do.
Of course there can be more legislation. There can be more cooperation between Russia and the US, the places where they're harboring these criminals. But it's not going to go away from that, because there's just too much about it. How can the FBI launch an investigation when there's thousdands of cases every single week in one state.
Rachael: I guess that's the other question too. What can you do to start for the smaller companies out there that aren't realizing that maybe they are targets because of the supplier network or vendors that they work with. It's a gateway drug to get the bigger fish. How should companies be thinking about how to protect themselves? Aside from making sure you backup your stuff, make sure you're doing basic cyber hygiene, running the updates. What else should these companies be thinking about?
The Ransomware Relationship Status Is One Big Misconception
Danny: Quite often that's one big misconception. People say, I'm not a gateway into a big fish. You don't have to be a gateway into a big fish. I don't answer this online, but if you think about it as yourself, if someone encrypted all of your recordings and all of your data, how much money would you pay to get that data back? It's probably not a good thing to answer. But if you think about that as a small organization, we're not necessarily thousands of endpoints. How much money would you pay to get that back?
That's what people miss all the time because the news is printed. CNN is putting out there and Fox News is putting out there when someone gets hit with big ransomware payments. Big companies like Garmin and Colonial and JBS Foods. But for every one of those, there are a thousand small companies. A thousand local dental offices that just paid $20,000, $40,000, $100,000 to get that data back. Guess what? Those small businesses will go out of business too.
It's not always about getting into a big company. These guys realize they can go after the small companies and they can do it with half the effort. They can get 10 hours work, 20 hours work, and you get $20,000, $50,000, and $100,000. That's not a bad return.
Eric: And no risk.
Danny: Yes. Because the police won't even take your call, if you try and report that.
Eric: They don't even know what to do if they did.
[44:29]A Small Business without Internal Security
Danny: I'll give you a police report with a number on it, that's the best you can get. What you can do is, as a small business without internal security, you have to rely on external. Find yourself a good managed security service provider or an MSP. Make sure that they are looking after things for you. If you're paying them hardly anything, they're probably not doing a good job. It doesn't mean if you're paying them a lot, they're doing a good job. Make sure they're credible, make sure that they can talk about their insecurity practices.
Ask them what tools they're putting in, ask them if they are implementing a zero trust framework. Are they implementing an antivirus? Do they have white listing, do they have privileged access management? What are you doing about local administrators accounts? Find out if they're people pleasers. There's lots of resources out there. Find a company that can look after these for you, because you cannot do this alone. You can't have a friend or your grandson looking after your IT. That's not going to cut it. Doesn't matter how much you like the guy and how much you trust them. If you are a small business, you can be crippled.
Think about this, if you lost all of your data tomorrow, how much would you pay to get your business up and running? These guys know exactly what you'll pay. They have a matrix. You're a dental office. You have these many employees. You've probably got this much money in your bank account. This is your liability. These are your HIPAA fines. I'm going to come up with a ransom based on all those metrics.
Before They Demand the Ransom
Danny: Guess what? They also look at your bank balance. Just before they demand the ransom, they've already known your bank balance.
Eric: It's a bad situation.
Rachael: You're trying to push that rock up the hill, but the rock never seems to get to the top. There's no magic bullet or silver bullet, as we like to say in security. This one in particular just runs rampant. They get more and more creative, which is fascinating to watch. We were talking about Media Express. It wasn't ransomware, but a Media Express attack on the Iranian railway system. They were trolling the Iranian government, asking them to call the supreme leader's phone number to complain. Delays courtesy of a cyber attack.
So there's some folks having fun. To Danny's point earlier, some guy in his basement, wherever that might be like, "This is kind of cool. I can do this and there's zero accountability." You're not going to be prosecuted, or extradited depending on what country you're in and it's a hard problem. It's a fascinating one, too.
Eric: But as a small business, state, local municipality, whatever it may be, you've got to think about it. You've got to think about what the value of your data is to you, especially if it's all gone. I love the cloud providers in that case or the MSPs, they provide an enhanced level of capability. They're not hiring an IT security person. Even law firms don't have great and they make a ton of money.
Danny: Well, if you ever try to get $50 out of a lawyer, it's hard.
A Relatively Advanced Hire
Eric: I'm not going there, but I know what you mean. It's a relatively advanced hire. I don't know what the data shows. But I would imagine a small business would have to be beyond 50, 70 people before it hires an IT security person.
Danny: I wouldn't even expect to see it, an IT security. Normally you see a 100% use of business with one IT person. That's probably the average of what we see. Now, if you get into certain industries, finance, banking, healthcare, you might see a little bit more concentration there. Typically, one IT person to 70, to a 100 people.
I wouldn't typically see a dedicated security person until they are up at 400 or 500 people. But, use an MSSP, use an MSP but make sure you are asking them the questions. Make sure, do you have whitelisting? Go down the CIS list and say, are you doing this? Are you doing that? Ask them, what are they doing to stop these threats?
Because if they can't answer them, and we have a less hackable white paper which would give for small business owners that gives like 20 things that just ask your IT guy, what is he doing? Realistically, every one of these, these are the most basic controls. If they're not on this list, then you've got a problem.
Eric: Give us an example. It was like patching one of the 20?
Danny: Patch management system and with tracking and patching. Dual factor authentication is a huge one. Application whitelisting is a huge one. Ring fencing. Every time you run a game on your computer, it can eat all of your files.
Danny: Every application you run has access to all of your data, even if you're not an administrator. Making sure you ring fence your applications is another one that you should be asking. Do my applications have untethered access to everything?
Eric: Yes, they do.
Eric: Backups? We don't need backups.
Danny: On offsite backups. But look, if you're restoring for your backup, you've already gone. That's like, I failed, but how much can I recover as opposed to my security is good. Backup is not a security backup. It’s the, I failed, what can I do now? My security failed, what can I do?
Eric: Think about it. How many small businesses do run and test their backups and have offsite backups, have a plan, even. That's an IT function more than a security function. Many that I've talked to, friends who own businesses, they don't even think about it. I certainly don't have an exhaustive list or looked at any surveys lately, but they don't even know to think about it.
Danny: You know what I would do if I was a small business owner and I want to test my IT guy? I'd unplug my server, walk out, take it home and call the IT guy and say my server was stolen. I need you to restore it. See what happens.
Eric: Probably not a good test. Rachel, we've covered water, municipality, we've covered zero trust, ransomware.
Rachael: Danny, this has been such a great conversation. We greatly appreciate you, particularly dialing him all the way from Ireland for today's conversation. This was awesome.
Ransomware Is the End Game
Danny: Thank you for the invite guys. I appreciate it. I will say one thing. Ransomware is the end game for any cyber breach. Ultimately, it's one of the many end games, but people often think it's the source. How do I stop ransomware, but how do I stop someone getting into my network? And how do I stop software running?
Ultimately all of these different ways, whether it's SolarWinds Orion or somebody clicking on an email link that downloaded some malware or the latest Microsoft vulnerability. All of these are ultimately ways to get to the endgame for the cyber criminal. It’s how I make money from you, and ransomware is one of the ways you can make money if you're a cyber criminal.
Eric: Very lucrative, proven, low risk. What a great gig. That's why we see so much of it. Tough world.
Rachael: Thank you for joining us for this week's podcast. Please smash the subscribe button. You get a fresh episode every Tuesday right in your inbox. Until next time, next week, stay safe.
About Our Guest
Danny Jenkins is the CEO & Co-Founder of ThreatLocker, an Orlando-based cybersecurity firm providing zero-trust endpoint security. Danny is a leading expert in cybersecurity with over two decades of experience in building and securing corporate networks, including many roles on red teams and blue teams. He is dedicated to educating industry professionals about the latest cyber threats and frequently speaks on the topics of ransomware, zero trust, and zero-day vulnerabilities.
Before taking the reins at ThreatLocker, Danny co-founded MXSweep, a global provider of email and internet security SaaS applications based in Dublin, Ireland, that sold exclusively through the channel. MXSweep later went on to be sold to J2. Danny was also the CEO at Sirrustec, specializing in white-labeled channel-delivered email security. Sirrustec Sold to Censornet in 2014.