EPISODE 63
Quick look at the “Essential Eight” mitigations


About this episode

September 29, 2020

Kip Boyle, CEO of Cyber Risk Opportunities, and Jake Bernstein, JD and Cybersecurity Practice Lead at Focal Law Group, do a quick review of the Essential Eight mitigations published by the Australian Signals Directorate.


Episode Transcript

Automated Speaker: Welcome to the Cyber Risk Management Podcast. Our mission is to help you thrive as a cyber risk manager. On today's episode, your virtual chief information security officer is Kip Boyle, and your virtual cybersecurity counsel is Jake Bernstein. Visit them at cyberriskopportunities.com and focallaw.com.

Jake Bernstein: So Kip, what are we going to talk about today?

Kip Boyle: Hey Jake, welcome to the next episode. And today what we're going to do is we're going to learn about a cool thing called the Essential Eight. But no, it's not a new superhero group, but I believe the Essential Eight has what I think of as heroic potential for cyber risk managers, so there you go.

Jake Bernstein: Well, that sounds great. I'm glad we're not talking about The Sinister Six. That's a little different. Doesn't sound like there's going to be a new MCU movie about the Essential Eight. Although you know what-

Kip Boyle: That would be cool.

Jake Bernstein: Although, if you take the Fantastic Four and multiply them by two, you would get the Essential Eight.

Kip Boyle: Oh boy, we better be careful before we get a DMCA takedown notice.

Jake Bernstein: Yeah, totally. This is for your use, people.

Kip Boyle: Yeah, their use.

Jake Bernstein: Okay. So-

Kip Boyle: Well, anyway, I don't have any control over whether this is going to become a movie, although I do think it would be cool, but I have to confess that I did collect comic books prolifically when I was a kid, and I actually still have some of them in a box. So I mean, oh my gosh, I haven't looked at those things for years.

Jake Bernstein: I have some too, but just not very many.

Kip Boyle: Okay. Well anyway, too much lore. Let's go on, the Essential Eight. Right? So let me tell you a little bit about the Essential Eight. The idea behind them is... Well, first of all, they're mitigations, all right, they are technical mitigations, and the goal is to make it much harder for an adversary to compromise your systems when you have the Essential Eight installed and operating. And the whole idea here in terms of business value is this, if you can get proactive and put the Essential Eight into your infrastructure, although it's going to cost time and energy and money, it's going to be more cost effective in the long haul because you're going to greatly reduce the chance that you're going to have to respond to a large scale cyber security incident.

Kip Boyle: And as we've covered in previous episodes, and as anybody can discover by doing a quick Google search, the cost of a large-scale cybersecurity incident is extremely high. They never come at a convenient moment. So that's the idea behind these, and we're going to unpack them in this episode.

Kip Boyle: Now, when I talk to customers about the Essential Eight, the way I try to put it in business terms is I say, "Look, these are cyber hygiene practices that you will perform every day, multiple times a day, if necessary, to greatly reduce the risk of malicious code infection." Now, the idea of being focused on reducing malicious code infection really depends on your threat model. What's nice about the Essential Eight, and we're going to cover them one by one in a moment, is that depending on what your threat model is, you can implement them in different orders and at different maturity levels. So you get a lot of flexibility.

Kip Boyle: So if ransomware, for example, is your big concern, and it is for a lot of people today and it should be, then there's a particular order that you can implement the Essential Eight. But if your threat model is somebody stealing your intellectual property, because that's the heart of your company, if you're, say, a biotech or something like that, then there's a different order that you would put them into and there's guidance about how to do that. And so anyway, prioritization, man, that's what it's all about.

Jake Bernstein: Yes. I do know how you love prioritization for sure. And I think what's really interesting about the Essential Eight is the concept of reasonable cyber security really is going to come into play in this episode. I mean, this is primarily a technical episode, but keep in mind that whenever we talk about technical controls like this, it is always going to be part of an overall cyber risk management strategy. And this, even the name evokes this concept of, "Gosh, if you aren't doing these, then you're leaving a lot on the table, which maybe you shouldn't leave on the table." So I think it's pretty interesting.

Kip Boyle: Yeah, what I've noticed is a lot of people are pursuing the Center for Internet Security Top 20 Critical Controls. That comes up over and over and over again in conversation. And so that seems to be the de facto standard when people start thinking about, "What should I be doing from a technical perspective to protect myself?" And I actually think, and we can talk about this in a separate episode, we can go more deeply, but the critical security controls as they exist now came into being quite some time ago. And I think two things, one is they're really not reasonable for a mid-sized or small company or startup. They're only reasonable for a large enterprise. And that's really the context from where they came.

Kip Boyle: And the other thing I believe is that they are antiquated. I really don't think that they're the choice, that I don't think they're the number one choice. If you're trying to deal with malicious code attacks, I don't think that that's the best choice anymore. And this episode is really designed to tell you why I think the Essential Eight is your best choice.

Kip Boyle: There's a lot of overlap, but I like the Essential Eight for a number of reasons. Number one, there's only eight of them, as opposed to 20. And the prioritization I think is better, and it has flexibility of prioritization. The critical security controls come with their own prioritization. And the last time I looked at it, there wasn't a lot... I mean, you could reorder it any way you like, but there really wasn't any guidance about how you should do it and under what circumstances. So in any event... So, since I love to be ruthless about prioritization, I love this episode.

Jake Bernstein: Yeah. So obviously the CIS Top 20, the CSC, those come from the Center for Internet Security, as you mentioned, where-

Kip Boyle: Well, they came from the SANS organization originally, and then SANS gave them over to the Center for Internet Security, for care and feeding and maintenance.

Jake Bernstein: So where does the Essential Eight come from?

Kip Boyle: So the Essential Eight is a relatively new framework, and it comes from our friends in Australia. They have an organization which is roughly equivalent to the American National Security Agency. So the spooks, right? The people who do all the clandestine computing in the United States, both in terms of code breaking and code making. So the Australian Signals Directorate or the ASD, that's where the Essential Eight comes from. And it was designed very specifically to deal with the problem that they were facing, which was endless attacks by criminals and nation state actors with the primary goal of getting some form of malicious code on your computer, because almost every cyber attack starts with dropping a piece of malicious code on your computer. Now there's some that don't, but I think the most prolific ones do. I think about NotPetya for example, I mean, that was the delivery of a malicious code monarchy, right? Some of the biggest, baddest compromises have had to do with malicious code.

Jake Bernstein: And just to clarify, we often will, we've said this statistic repeatedly, that most attacks start with phishing, but what we should clarify is that many of those phishing attacks, their goal is to install something on your machine, which takes us right into this malicious code concept. So it's-

Kip Boyle: Right. Some phishing attacks are designed to dupe you into moving money. And this essentially isn't going to do a lot to help you with that, but the vast majority are designed to get malicious code.

Jake Bernstein: And I would say, and let's talk about this briefly, there's also the classic phishing attack, which is just trying to get credentials. And the Essential Eight aren't going to stop credential social engineering attacks, but I would say that certainly from a technical security perspective, malicious code execution is probably one of the most dangerous events that you can have happen. And so we really think that this Essential Eight can be used to really mitigate greatly the risk of malicious code running on your hardware. And that's really going to help a lot.

Kip Boyle: Oh my gosh, yes. Because a lot of malicious code is silent. You get it on your machine and you have no idea that it's there. They don't want you to know until they want you to know. So like ransomware, the research shows that a typical ransomware attack against an organization has actually been in progress for several months before the victims actually see the screens demanding the ransom. So a remote keystroke logger, a remote access Trojan, different ways of getting into the organization and establishing a persistent silent access is a prerequisite to a lot of these attacks.

Kip Boyle: The Equifax breach, it was documented that the people broke in and then established a foothold from which they could operate. That way, if one machine is patched and you lose it, you've got others that you can use as backup. But to go back to the origin, so the Australian Signals Directorate said, "Oh my goodness, look at all this malicious code coming at us, we've really got to come up with something that's going to specifically deal with this and other things too." But I love how they got so practical with it. And one of the things that's in there is multi-factor authentication. So even if you get phished and they steal your user ID and password, if you've got multifactor authentication turned on as part of the Essential Eight, not much can be done with those credentials that were just stolen.

Jake Bernstein: That is often true. Okay. So what are they? Let's list the Essential Eight, and then we can talk about them.

Kip Boyle: Okay, great. So here you go. And this is the implementation order to guard against ransomware and malicious code. The first thing is offline backups of your data, the second is application whitelisting, the third is you need to patch your applications on an ongoing basis, the fourth is you need to restrict the execution of Microsoft Office macros, number five is you have to harden your web browser against attacks having to do with active content and advertisements, things like that, number six, you have to restrict administrative privileges as much as possible, number seven, you need to patch your operating systems, and number eight is multi-factor authentication. So that's the eight. And I'm thinking of each one of them with their long flowing hair in capes.

Jake Bernstein: Yeah. Or in the Fantastic Four case, there are no capes.

Kip Boyle: That's right. Yeah. Edna Mode is very much against capes.

Jake Bernstein: Yeah, she is. Okay, so should we take a brief look at each one and see what we can do?

Kip Boyle: Let's do.

Jake Bernstein: Okay. I know how much you liked them. And I know that I had to actually talk you out of doing a single podcast episode out of each one. I think everyone now is very thankful for my work on talking about that.

Kip Boyle: Yes, you've arrested me. I'm guilty as charged. I can't help but play the lawyer lingo here, but I don't know. I mean I may take another run at it one day, especially if we get some listener feedback that says, "Yeah, let's check it out." Okay. So are you ready to go through each one in turn? And I'll be very brief. I'll give enough, and then if you have any questions ask me.

Jake Bernstein: Sure. I'm going to start with offline backups. And I want to say that this one is really important. And the reason is that I've actually seen this matter. I'm sure we both have.

Kip Boyle: Yeah. I mean, it's the safety chute on your rocket ship, right? If anything goes wrong, your crew capsule can be detached and you can safely float back to earth. So, I mean, you can try to prevent a lot of things from going wrong, and the backup, the data backup mitigation is going to be your safety net.

Jake Bernstein: No, hold on. I do have a question though. Why offline backup? I mean, isn't that going back in time to a more primitive era?

Kip Boyle: It is. Yeah, but offline backups don't mean we actually have to go back to magnetic tape and manual tape swaps. There's other ways to do it. But yeah. So the idea here is that the adversary is making a lot of money right now, in case anybody didn't realize that. Ransomware is a boon for attackers, they're making billions of dollars. And guess what? There's only so many yachts and pinky rings that the criminals can probably buy before they get sick of that. And so they actually allocate most of their ill-gotten gains to increasing the effectiveness of their code. And we've actually watched ransomware improve over time. In the beginning, ransomware completely disregarded shadow copies, online backups and all that stuff. But over time, as they realized that a data backup could prevent them from getting paid, they've actually been increasing the effectiveness of their ransomware to first locate backups, encrypt them, then to encrypt the actively used data, and then show you a notice.

Kip Boyle: So you think you're covered, you go to your online backups, but then you find, "Nope, they've already been encrypted." And so they're of no use at all. And so we're talking about air gaps now, right? I mean, because if the malicious code can find out that you've mapped a drive or that you've got any kind of a file sharing in order to facilitate backups, then it's going to get on there, and it's going to compromise you.

Jake Bernstein: I want to be very clear about what offline in this case means. It doesn't just mean using network attached storage instead of a Cloud service. I mean, obviously auto backing up is very convenient and it's nice and easy. And it happens in the background and there's all kinds of services from dedicated backup solutions to standard Cloud storage, but even a local network, semi-old-school backup solution is vulnerable to this type of attack. And so when we say offline, we mean air gaps, not connected, unavailable, unless there is a physical person doing something. And-

Kip Boyle: Yeah, there has to be a little bit of manual intervention.

Jake Bernstein: There really does. It's really important because let's be clear, if software can find it, then the ransomware bad guys can find it.

Kip Boyle: Yeah. And the algorithms for finding it are pretty good, because why? Because I will bet you that the adversary has a fully functional, fully implemented copy of every mainstream data backup solution that is commercially available, and they have tested their malware with every one of them. So if you think that this is just, "Well, they'll never figure out my particular way of doing things," because you skated it, they're going to find it.

Jake Bernstein: Well, that's a common security fallacy, vibe security.

Kip Boyle: Yeah. By itself, that is not helpful. You have to combine it with other strategies, but okay. So there's offline backups, right? So again, the idea is if everything else goes wrong, at least you've got these and you should have multiple backups, types of backups by the way. You can have backups that are quick restore for like, "Oops, I deleted the file," but you ultimately have to have an offline backup too. So go to your backup vendors that you're using and say, "Look, I want to make sure we're ransomware-resistant," and get them to tell you how to configure yourself and do it. I mean, just do it.

Kip Boyle: Okay. Number two, application whitelisting. Now these next one, two, three, four controls are all clustered under the category of preventing malware delivery and execution. The last three that we're going to look at are really designed to limit the extent of the cybersecurity incident should something get through anyway. And that's the thing, I mean, there's no perfect security here. So even if you do these flawlessly, the adversary still might get through. So there's some things we can do.

Jake Bernstein: Well. And that's why defense in depth is never going away. That's just a core part of any security strategy. And it's just very, very basic, it goes to the core of any situation like this, where you need to have the layers of the onion approach to security. So that's why.

Kip Boyle: Don't be suspenders, as we say sometimes. But let's talk about application whitelisting. It's sometimes referred to as application control, because for some reason, when I say application whitelisting, I see a lot of sysadmins will roll their eyes and get jittery, because they are fearful of the massive administrative headache. And I get that, but there's ways to do it which are not nearly as difficult. For example, don't use file hashing and don't use certificates. You can just use, you can just restrict execution based on folder path. And actually, that's extremely good these days. So don't get crazy with it. And we've actually done some whitelisting work with our customers. And so we've seen what works, we've seen what doesn't.

Kip Boyle: And yes, there will be some additional work here to be clear, but the value is tremendous. I mean, think about it. Even if a piece of malicious code could be delivered successfully to your computer, it would be a dud. It couldn't do anything. It would not be allowed to execute by the OS. And how wonderful, because you don't have to rely on a signature from an antivirus vendor, you don't have to rely on behavioral analysis, which may or may not work. It's really simple, "Is this thing on the list of approved stuff?" "No." "Denied can't run." It's so powerful. So that's number two.

Jake Bernstein: Okay.

Kip Boyle: Okay. Essential number three is patching your applications. I see a lot of people struggle with this because when this control says applications, it really means everything, not just Microsoft Office, which is one of the easiest things to patch.

Jake Bernstein: Can I interrupt? I actually, I just had a thought, I'm sorry. I'm going to go back. Is it okay if I go back one?

Kip Boyle: You want to go back to the whitelisting?

Jake Bernstein: Just briefly, yeah.

Kip Boyle: Okay, do it.

Jake Bernstein: One of the things about whitelisting, so something you said was percolating in my mind. You said we can do path restrictions and there's different ways of doing it. And I just thought to myself, if you can restrict by path, then why aren't the bad guys going to figure that out and just put their malware in the most likely path that's going to be allowed to run?

Kip Boyle: That's entirely possible. And that's why I say these things are not foolproof. But here's the thing, I know that cyber-criminals are essentially looking for the lowest hanging fruit possible. If you make their jobs just the slightest bit more complicated, there's a great chance that unless you're targeted, unless you have something very specific that they want. But if they're just opportunists, they're just going to go, "Forget this place." Because there's so many other people not doing this, there's so many easier targets. And so there's a lot of value in just making yourself a harder target.

Jake Bernstein: There are. And then the other thing about the application whitelisting is that just because it is, might be difficult and in some cases, a speed bump as opposed to an absolute brick wall, it adds another layer to that onion, and that is critical. And the other thing to consider is, oh, I know you, probably IT people in particular, are thinking, "Oh man, my users are going to get up in my business about this. They're going to yell at me for restricting apps." Here's the thing, if it's a corporate asset, they don't get to decide what code gets to run on that machine. So even this, which is a very technical mitigation and control also involves people and processes and management. So-

Kip Boyle: The era of discretionary, do what you want on the company computer, I think is coming to a close. It really needs to. I was talking to a customer who had a warehouse and I was trying to explain this idea to him. And he said, "Well I just don't get it. Why should I even bother caring about what people put on these computers? If it's going to make them happy and more productive, shouldn't I want that?" And I said, "Well, let's talk about your warehouse." I go, "What would you think if your employees in the warehouse had a down moment and they said, 'Let's drag race these forklifts. Hey, I'll get in one, you get in one, let's see how fast we can get these things going.' I mean, you would never tolerate that. You would never allow that because you know that the consequences are serious. If somebody gets hurt, a shelving unit gets knocked over, whatever, you'd never do that, right?" So a company asset has an authorized use and you restrict it to that. And I said, "You really need to get to that place with your computers."

Jake Bernstein: And that's what the authorized use policy is for.

Kip Boyle: Yeah. Okay. We don't have a lot of time, so we need to keep going.

Jake Bernstein: Let's go.

Kip Boyle: So let's return to patch applications. Now it's easy to patch Microsoft Office, which is great, but we need to patch everything else. Especially like our Adobe products, our web browsers, if you have vertical applications, we really need to patch everything. And so you probably are already patching applications, but you need to build on that and you need to get more and more of your critical applications into your patching regime. And why? Well, because vulnerabilities in applications emerge all the time and they're a common path to executing malicious code on systems. In fact, unfortunately, that's what happened with NotPetya was the vendor of a piece of software got compromised. A piece of malicious code got stuck into a patch that looked legit. The patch was distributed to all the users. And so the adversary actually hijacked a patching function in order to deliver their malicious code. So, yikes.

Jake Bernstein: And again, layer of the onion approach, defense. Okay. So restrict Microsoft Office macros, this is easy-

Kip Boyle: You skipped, no you didn't. You got it right.

Jake Bernstein: No, I didn't. I didn't skip anything. Restricting Microsoft Office macros. These are legacy features and I think increasingly they don't play much of a future, that I'm sorry, they don't play a role in the future of even Microsoft Office as they have declared in going forward just because they have all sorts of different mechanisms coming more online, more collaborative software. So these really are a legacy issue. And I think because of that, the odds of an IT, modern IT professional, getting a user who says specifically, "Hey, enable Microsoft Office macros," are pretty low. And if someone does that for some business critical piece of workflow, that's fine, you can address that then, but just by turning them off, you protect your entire organization against a fairly simple exploit. So I think-

Kip Boyle: And a well-trodden path to getting the malicious code into your environment. And that's the thing about the ASD, is they actually studied how does malicious code typically get into an environment? They looked at how criminals and attackers are actually doing it. And this is one of the main delivery mechanisms. And that's why this is on the list.

Jake Bernstein: Yep. Okay. Number five, web browser hardening.

Kip Boyle: Yeah, web browser hardening. So I've changed the name of this a little bit. In the standard, you'll see it called user application hardening, but that's, it's a little deceptive. I don't really like that label because really what they're talking about when you read this control is they're talking about the web browsers and the fact that you historically have had a way to do active content like Flash, Java, and then advertisements, and then different data sharing things like OLE, which became ActiveX, PDF viewers. I mean, there's just all this functionality.

Kip Boyle: I mean, web browsers have really become a new operating system, right? That's not a new concept. We've been hearing about that for some time. I mean, look at Chromebooks, right? Chrome has become the OS. And so guess what, it's bristling with all these features and web browsers can actually talk directly to USB devices in some cases.

Kip Boyle: So you've got to harden this stuff, and I want to take a moment and talk specifically about advertisements. So ad blockers are available, and ad blockers have come from a philosophical stance against intrusive advertisements that slow down computers and distract you from what you're trying to do. And on the other side of that though, all these websites that we enjoy have to raise revenue somehow. And typically, they're selling ads. And I'm sympathetic to that. And I'm not trying to suggest that that's really the security issue here. The security issue here is that most websites have no control over which ads are displayed. They allocate space, and then they hand over ad display to a completely different company. And what I've noticed is that, the servers that typically serve up ads are often a cesspool of malicious code.

Kip Boyle: And even the best websites like forbes.com a couple of summers ago, for a couple of weeks, the ads that were being served up were chock full of malicious code. And just loading that website, you didn't have to click a thing, would put you at risk. So it's really necessary at work, I think, to restrict the execution of advertisements in your web browser.

Jake Bernstein: Absolutely. Okay. Number six, restrict administrative privileges. So we've just crossed over into the last overall goal, which in this case, it's to limit the extent of cybersecurity incidents and why don't you explain Kip, how restricting administrative privileges can do that?

Kip Boyle: Yeah, sure. So we all know that admin accounts make the tech support burden lighter because people can just self-serve and do what they need to do, whether it's installing a new piece of software or adjusting the date and time or something like that. And so I think that's why admin accounts in the hands of end-users is a pretty common thing. But the problem is that, when malicious code shows up on your computer, the authors of that malicious code assume that the person who invited it, unwittingly, like a vampire, over the threshold onto their computer is an admin. And so the code executes with the same privileges as the user who actually brought the malware on the machine. So if the user's not an admin, guess what? Most of that malware is either not going to run or it's not going to run properly. And so it's a great barrier.

Kip Boyle: The other issue here of course, is from a people process perspective. I mean, people are going to play with settings, it's inevitable, and they might actually disable controls and make their overall machine more vulnerable than you realize. And then, so as the cyber risk manager, you're sitting there with a false sense of security. You think all this stuff's in place, but it's actually been taken apart brick by brick. And so yeah, admin accounts should be severely restricted.

Jake Bernstein: Yeah. And the other thing is that if you do restrict them, you also limit the ability of enterprising employees to engage in shadow IT administration.

Kip Boyle: Yeah. And shadow IT has some really wonderful aspects about it, but it also has a lot of potential downsides too. So think hard about that. And the bottom line here is the Australian Signals Directorate is saying, "Admin accounts are the keys to the kingdom, ladies and gentlemen." And we do not want our adversaries to have those keys.

Jake Bernstein: Patch operating systems. Same idea.

Kip Boyle: It's the same idea as patching our applications, but based on ASD analysis, it isn't the number one thing to prevent malware delivery and execution. Now, a lot of people in my line of work would be like, "Oh, that's BS, like patching applications, or sorry, patching operating systems, that's top, that's top of the list. We should do that before we harden our web browsers." And I think what they're missing is the fact that the battle, the cyber battles that are being fought these days are happening on the desktop. They're not happening on the network so much. Nobody's doing a frontal assault on a firewall or a server or any of that stuff. Now, if there's misconfigurations, sure they'll take advantage of that, but really what's going on is the adversary is fighting the battle on the desktop with phishing and they're trying to deliver malicious code there. And so you've got to put your focus on that in order to understand why these things are in the order that they are in.

Jake Bernstein: And do you think that also possibly it has to do with the fact that modern operating systems are fairly auto patching these days? I mean, they do a much better job. It's different than it was-

Kip Boyle: If you set them up.

Jake Bernstein: If you set them up, yeah. Well, like Windows 10 out of the box is going to do that for the most part.

Kip Boyle: In a medium or small sized organization, you can just use a consumer grade version of Windows with auto patching and it can just happen in the background, but I know that bigger organizations are still, they're still gun-shy about that. I understand, because not every patch has the quality that is required to stay in business, but here's the thing, I've done the research, and the most cutting edge chief information security officers, and the people who work on their teams, are starting to realize something really important, which is the cost of unexpected downtime due to a flawed patch is a better risk than the cost of a massive security incident because you didn't push the patch fast enough.

Jake Bernstein: Absolutely.

Kip Boyle: So it's a no-win situation, it's the Kobayashi Maru of our career, I get it, but you need to make a choice, you can't have... I don't know how to have it both ways.

Jake Bernstein: No, I don't either. Okay, multifactor authentication. This one, we've talked about many times, let's run through it real fast so we can wrap up before going too far over our time limit.

Kip Boyle: Okay. So what you want is multi-factor authentication everywhere. Now, you don't just flip a switch and turn it on everywhere. You've got to take it in steps. But let's talk about VPNs, it needs to be there, remote desktop protocol, secure shell, any kind of remote access that you have, no matter what it is, you really need to have multi-factor authentication on it because if somebody grabs credentials... And by the way, there are billions of compromised credentials available on the internet to stuff into automated compromised machines. So the fact that we have so many credentials available on the internet has really made multifactor authentication necessary because I mean, really how likely is it that I'm going to think up a new user ID and password combination that isn't already out there somewhere? I mean-

Jake Bernstein: Well, if you use a password manager, pretty good.

Kip Boyle: Well, it's going to help, right? But the thing is that password management adoption isn't where it needs to be.

Jake Bernstein: No, agreed.

Kip Boyle: And also, I think in a structured company setting, you can give people a password manager and you can say, "You should use it," and you can train them, and you can monitor them, you can cajole them, and blah, blah, blah, blah, blah.

Jake Bernstein: You can fire them for not using it.

Kip Boyle: You can dismiss them for not using it. You can do a lot of things.

Jake Bernstein: That might be extreme Kip, I'm not sure.

Kip Boyle: Well, I'm just saying. My point here is that password managers are a very people-intensive thing to administer, but multi-factor authentication is way simpler. You set it up, you train people. I mean, there's still a human factor here, but once people settle down with it, it's much less likely to go wrong or to be used badly. That's still an issue of course, but multi-factor authentication really does a nice job of making the fact that all these billions of credentials are freely available on the internet irrelevant. And that's what I love about it, is you want to make these kinds of things irrelevant.

Kip Boyle: And let's go back to application whitelisting for a moment. The fact that people are clicking on phishing links and downloading malicious code, I am done with this idea that we're going to train our way out of that, right? And now we should probably still train people: if they click on a test phish, we should tell them, "Hey, you clicked on a test phish," but we really need to make clicking on links, malicious links, irrelevant. Like, "You clicked on it? Whatever. I've got application whitelisting, I've got the Essential Eight. It doesn't matter."

Jake Bernstein: Well, and it goes back to the defense in depth, layers-of-the-onion concept. Here's the thing, is that ultimately, we're playing a numbers game. And we've often said, even if not on this podcast, that the extreme difficulty faced by defenders is that defenders have to be right a hundred percent of the time, whereas the attacker only has to be right one time. And it's essentially impossible to get 100% of any group of people to not do something or to do something. So when you say, "We're not going to train our way out of it," that's not saying that we shouldn't continue to train, because obviously, if we stop training and suddenly 50% of our employees are busily clicking on phishing links, well, that's just going to increase the odds that something gets through. So we'll still train, but the point is that you have to have mechanisms because we know that no single mechanism will be foolproof.

Kip Boyle: That's right. And even the statistics released by the training companies themselves, go pull their latest reports, and you'll see that they can get the rate of clicking on malicious code down from, say, 18% down to 3% or 2%, or even 1%. But that just emphasizes your point that, okay, 1% is still an acceptable rate of compromise for an attacker.

Jake Bernstein: Oh, it's great. I mean, think of it this way. If you have a 10,000-employee company, which would be, that's solidly in the enterprise space, but 10,000 employees, 10% or 1% of 10,000 is still, is it a hundred? I think it's a hundred. It's still a hundred people. And that is, hey, more than happy to take that type of-

Kip Boyle: I mean, think about spam, right? Spam's selling off-brand or black market Viagra or whatever, all they need is a response rate of like one half of 1% or one third of 1%. And they are making profit, so-

Jake Bernstein: Again, it's a numbers game.

Kip Boyle: It is a numbers game. So, all right. So that takes us to the end of the Essential Eight. And I just want to close with a couple more thoughts. One of them is that I continue to see articles on social media and in magazines saying, like, "Hey, we got to get back to the basics." And I really agree with that because here's the thing, expertise is, I think, defined by a mastery of the basics. And my assertion here is that the Essential Eight are the new basics for protecting your company. And I believe you need to master these before you start getting interested in esoteric stuff, machine learning, AI, whatever, whatever. If you don't have these things under control, then you really need to question whether you should be messing around with other things. So-

Jake Bernstein: Don't let your onion have a hollow core.

Kip Boyle: Ogres don't have hollow cores, so your onion shouldn't either.

Jake Bernstein: Yeah, exactly.

Kip Boyle: Okay. Shrek reference for anybody who didn't get that. Sorry. Okay Jake, that's my closing thought. Do you have a closing thought other than hollow onions?

Jake Bernstein: I do not. Let's go ahead and close the episode.

Kip Boyle: Let's leave it on hollow onions then. So that wraps up this episode of The Cyber Risk Management Podcast. And today we did a quick review of the Essential Eight mitigations. You should reach out to us if you have more questions, because there's so much more to say, but we'll see you next time.

Jake Bernstein: See you next time.

Automated Speaker: Thanks for joining us today on The Cyber Risk Management Podcast. Remember that cyber risk management is a team sport, so include your senior decision makers, legal department, HR, and IT for full effectiveness. So, if you want to manage cyber as the dynamic business risk it has become, we can help. Find out more by visiting us at cyberriskopportunities.com and focallaw.com. Thanks for tuning in. See you next time.

YOUR HOST:

Kip Boyle
Cyber Risk Opportunities

Kip Boyle is a 20-year information security expert and is the founder and CEO of Cyber Risk Opportunities. He is a former Chief Information Security Officer for both technology and financial services companies and was a cyber-security consultant at Stanford Research Institute (SRI).

YOUR CO-HOST:

Jake Bernstein
K&L Gates LLC

Jake Bernstein is an attorney and Certified Information Systems Security Professional (CISSP) who practices extensively in cybersecurity and privacy as both a counselor and litigator.