Tom Garrison: Hi, I’m Tom Garrison and welcome to the Cyber Security Inside podcast. With me today is my co-host Camille Morhardt. Hi, Camille, how are you doing today?
Camille Morhardt: Hi Tom. I’m doing well. It’s raining, which I’m not happy about, but I will say that the leaves are just phenomenally beautiful right now in Portland.
Tom Garrison: Yeah, I agree with you. And it’s a great time of year, especially when it’s not raining, the crisp autumn days with the trees. It’s one of my favorite times of day. Yeah. So today I thought it would be good to think about the person aspect of the human aspect of cyber security. Cause we talk a lot about technology and what are some of the trends going on. But at the end of the day, there’s always a human involved and it feels like we haven’t explored that area enough in our previous episodes.
Camille Morhardt: Yeah, I think we’ve had some really good conversations around the human element and kind of how to look at that. But the person that we talked to today was trained by the NSA and advised the last administration on using techniques and AI to identify certain patterns that were likely to be human trafficking, that they could go investigate, for example.
So he’d really focused on the human element and using cybersecurity to get to the bottom of,
Tom Garrison: That’s a very interesting conversation to understand how do you use the techniques when it comes to things like human trafficking and so forth. And he’s got a really interesting background as well. So why don’t we just jump straight to it? Whad’ya say?
Camille Morhardt: Yeah. Sounds good.
You’re watching Cyber Security Inside, a videocast where you can discover what you need to know about cybersecurity. Here are your hosts, Tom Garrison and Camille Morhardt.
Tom Garrison: 00:15
Today’s guest is Rick Jordan, founder and CEO of ReachOut Technology. Over the past 20 years, Rick has been trained by the CIA and NSA, established the Geek Squad as a US B2B brand, you know, today served as managing partner and director at ISI, a private security agency, and developed advanced cybersecurity programs used by countless organizations across the nation. Today, we’ll be discussing the human element of cybersecurity, what it is, why it’s important, and how you can use it to your advantage. So welcome to the podcast, Rick.
Rick Jordan 00:50
Tom and Camille, thank you for having me. It’s great to be here. I’m excited for our conversation.
Tom Garrison 00:55
You worked with the CIA and NSA, can you tell us about that?
Rick Jordan 00:58
I was trained as a civilian by those two organizations that the NSA was hacking, and that was a little bit more recently, as far as ethical hacking goes, and also being trained in the different types of threat actors that exist, and different AI initiatives that exist, even to where I was in the White House last year consulting the previous administration on their AI policy, and border protection around that, and I’m not talking physical build-the-wall border protection, I’m talking AI-based protection against human trafficking, because that’s a passion of mine, too. There’s a cause that I’m really deeply rooted in as far as how I care so much for human life. And the CIA was surveillance and elicitation, actually being able to monitor humans, behaviors, environments, and elicitation is being able to extract any piece of information out of anybody or anything that you need to in order to get the job done. I’m sure you can imagine now, after hearing that background, how that equates the human element in cybersecurity, especially with the threat actor profile, one of the main profiles being insider threats.
Tom Garrison: 02:02
That’s actually a great lead-in to our topic for today. And we’re gonna, you know, I’m sure, cover lots of ground.
Camille Morhardt 02:08
I’m scared I’m gonna take the rest of this one.
Rick Jordan 02:12
No, it’s really, what should we talk about my first job? My first job was McDonald’s, shift manager there.
Tom Garrison 02:20
Well, that could be scary in its own right. But no, so back to …
Rick Jordan 02:23
the baseball for nine years.
Tom Garrison: 02:25
There you go. Back to the human element of cybersecurity. Yeah. So let’s start by just talking about, I think most people can sort of string the words together and say they sort of basically understand what that means. But what, in your professional background, what does the human element of cybersecurity mean?
Tom Garrison 02:45
I’ll give you a very recent example. I was reading in the journal about the new ways that hackers gain access, and it says that, hey, these are the new ways, but it’s really the old ways. And it’s just coming to light now, because cyber awareness is definitely more proliferated than what it used to be five years ago, even three years ago, I’m sure you guys would agree, right? This article was talking about how hackers gain, and I had this in my training from the NSA too, how hackers gain access to networks. Because if you think of the different profiles, some of them are nation states when their motivations are typically geopolitical, meaning they’re trying to destabilize another nation, the economics or the geography if they want to overtake it in some way. If you look at e-crime groups, think about like Pablo Escobar. I always equate hackers to like Pablo Escobar, because of all these, like, cloaked people in hoods that you see when you type in dark web and look at the images on Google search. That’s not what the frickin hackers look like, you know, they look like you and me. And when I speak from stages, and I throw up like a family from like Sri Lanka or something like that from Getty Images saying that this is your typical hacker, just like Pablo Escobar had a frickin family when he was dealing with cocaine, it’s for monetary gain. That’s their motivation. And just like you and I, just like Intel, as a business, just like ReachOut as a business, a for-profit business, so are they. And in order to develop new products, Intel has to do what? R&D, right? You guys have a huge portion of your budget towards R&D. Well, e-crime groups do the same freaking thing. They have to devote money aside to find out where these zero-day attacks can happen, where these backdoors can be punctured. It’s expensive to try to hack into these things just brute force nowadays. And the R&D is just, the costs are skyrocketing for these crime groups or the hackers.
They could spend $5 million, $6 million to find that backdoor, to find that zero-day vulnerability, when it’s a lot less money to pay the unhappy employees sitting within Intel to give you access to their systems, give you their credentials in order to get in. This just happened with AT&T a little bit ago with this dude that was unlocking phones, unlocking iPhones for e-crime groups across the seas. They were charging 200 bucks a pop to unlock phones. But this was an internal employee within AT&T that gave access to the systems to these hackers for profits. And these companies are paying, these e-crime, they’re actually businesses, right? That’s what I call them. Companies are paying up to $100,000 now for an employee’s credentials, for their usernames and passwords. That’s a lot cheaper than five and 6 million.
Camille Morhardt 05:41
Is your intervention coming then with, why is it that an employee has an ability to unlock somebody’s credentials? Or is your intervention coming with the hacker level?
Tom Garrison 05:51
That’s a great point. And really, you can look at it from two different ways, because they can gain access that way, that’s not the backdoor anymore. For cyber security, the human element really is the front door. It’s somebody that’s in there saying, like, hey, come on into my house, I might have back taxes that I owe, I might have some credit card debt that I need to pay off. And Intel hasn’t been making me too happy these days, because of COVID, or maybe they want me to come back to the office, I don’t know, I’m just making this stuff up right now. These are discontent employees for whatever reason, but usually their discontent doesn’t really have to deal with the place that they work, it has to deal with external factors that are pressing in on them. And because of where they work, and now they’re contacted by a hacker, an e-crime group, now they see an easy financial way out or almost like wiping the slate clean of their debts, maybe back child support, taxes, you know, maybe it’s a medical bill they got, whatever it is, but because of their discontent in life, they see this opportunity. So Camille, to answer your question, where’s the intervention, where’s the mitigation in something like this, it has to be on both sides. You have to have things in place within an organization to protect against the human elements. And then the technical part of it has to deal with the hackers on the outside, right? So when you’re inside an organization, trying to protect yourself against the people that are there, that’s the human elements. Outside, the external forces, the craigers, the nation states, all of that, that’s where a lot of the tech can come into play with AI, with any new security solutions we have coming out, I mean, all the way back to traditional firewalls, all of those things. That’s where most of the technological advances exist. But there’s a blending that has to take place for the mitigation within the organization.
Tom Garrison: 07:36
You can’t really control what’s going on in people’s lives outside of work, correct?
Rick Jordan 07:40
Tom Garrison: 07:41
So there’s that element, which means the way to protect yourself as a company is guarding against what rights do people have within their accounts. So if their account is somehow compromised, you don’t have the full keys to the kingdom, just because Tom was somehow swayed over to give his credentials over. So there’s that element. It seems like that’s a similar sort of mitigation for even the unwitting employee that clicks on something that they weren’t supposed to. And now all of a sudden, their account is compromised. Either way, their account is compromised, either knowingly or unknowingly. Make sure that that person’s account can’t do a significant amount of damage or more than the minimal amount that’s possible.
Tom Garrison 08:26
Tom, you’re right on, man. And this isn’t really super technical either, is it? No, I love this aspect of cybersecurity, because a lot of it comes down to common sense. I was this way, man, I was the engineer, I was a very linear thinker. I cut my teeth in this industry working for Merrill Lynch. I deployed 120,000 workstations, 20,000 servers to all their branch offices across the whole US. That was my first experience within cybersecurity, was implementing the security policies. I have the engineer chops, but engineer thinking in cybersecurity is very linear, isn’t it? Whereas common sense kind of lives all the way out here? It’s more abstract thoughts. That stinks sometimes, because engineers are expected, there’s a lot of pressure, I get it, I was that dude, a lot of pressure on engineers or CISOs, or whoever, to take a look at what’s right in front of them, almost forcing that tunnel vision. And when you’re in cybersecurity, that will cost you. You can’t just focus on this one thing, because you have to start trying to put yourself in everyone else’s shoes and saying, what’s the common sense here? If this was like my kid, what would I do to protect it?
Tom Garrison: 09:35
There’s an element of common sense where occasionally comes across here like, oh, I didn’t think about that. But I think more often than not, people absolutely think about it. But it’s work. It takes more work to set up permissions in a way that person only has the minimum amount of permissions they need to get their job done. It’s much easier to say, you know what, I don’t want to deal with that. Let’s just make permissions easier, maybe more open, so that I don’t have to manage these things. As people change their job, now I have to change their permission, I just don’t want to do that work. That’s sort of what I’ll call laziness, even though it’s not really laziness, it’s complexity. That amount of complexity is something that gets companies in trouble, because they just don’t want to have to do the work.
Camille Morhardt 10:17
Well, you’re also looking at the IT side versus, say, training your engineers, because in most corporations, you have IT who’s dealing with that protection, or some version of a group like IT, that’s dealing with product security within the company, who’s maybe working on those permissions, but then you have this other entire element within a company, which is everybody who’s designing and building product, and they’re trained to develop for functional use cases. They’re not necessarily trained, at least out of the gate, to think about abuse cases. They’re following the marketing direction to code something that will perform as it’s intended to perform. But what about all of the other things that somebody might be able to do? But unless you make them aware of that, and even what threats are out there, best intentions won’t help to be the best engineer on the planet, they’re doing the perfect work. But if it’s not taking into account the unknown and the threats, then it won’t be included.
Tom Garrison 11:19
The stress on the security engineers too, this past year and a half, has been horrible, because Camille, what you’re talking about here is trying to allow business to continue at a reasonably acceptable pace, without having to lock down everything that slows down that production schedule. And we saw that a lot with work from home or work from anywhere this past year and a half with the pandemic, is there was a lot of lax security, because everyone had to move so fast at the beginning of this, and when they moved into their homes, all of a sudden it was, well, you have corporations with 1,000, 10,000 employees, and all of a sudden, everybody has to work from home. And you have the IT team, the poor IT team, oh my lord, a lot of alcohol probably was consumed last year by our industry. These guys and girls were trying to figure out the best way that they possibly could, to where it just became, hey, these corporations did not have budget, of course, set aside for this to deploy company-owned assets, I’m talking laptops, tablets, desktops, whatever, to go in everybody’s home to continue to work. They just said, use your own stuff for now because we’re figuring this out, and allow IT to do the best that you can. But then there was this balance back and forth that I saw. I saw the frustration in our industry, from the security professionals and the IT professionals. But then I saw the frustration from the executives too, because it was this thing. It’s like the executives, like, we still have to keep business flowing. We have to keep to our production schedules, we have to meet our deadlines, we have to stay within our financial budgets that we have. And the IT team has kind of like thrown their hands up in the air, it’s like, well, you got to choose.
Tom Garrison: 12:55
We’re sort of circling a bit of the problem. So we understand the complexity and how challenging that is. The part of the introduction when we first started was, how can we use this to our advantage in your line of work, right? What do you see that works well, where you can take this human element, and make it an advantage for companies?
Tom Garrison 13:17
It’s really awesome, because there’s tech tools, and then there’s the human, as I was talking about blending them together. You can’t have the human element without the tech and you can’t have the tech without the human elements. That’s one thing that I’ve learned over the past decade. And if you look at things that are out there right now for, let’s say, employee productivity and behavioral monitoring, usually those, at least when they came out, it was like Big Brother, Big Sister kind of looking over your shoulder. There was a lot of pushback against them, because, what, my employer is going to spy on me now, everything that I’m doing? And that was probably what it was at the onset. No joke, let’s just call it what it was. Employers and even managed service providers in my space would try to sell this based on fear, which I hate, by the way, saying you don’t know what they’re doing at their desk, they’re on Facebook all day, they’re watching Netflix, no, or God forbid, they’re on Pornhub all day long, whatever, they’re not getting the job done, and it was sold based on fear. But then if you flip it around and say, you know what, these are good tools. And then we have real human beings that take a look at this, because we can identify where your people are stuck, where they get frustrated in their jobs, where they can’t proceed forward, and identify a business process problem. That’s the human element, because if they’re not as frustrated in their jobs, they’re not going to become that discontent threat actor of an insider threat, if they’re paid well, if they’re taken care of, and they feel like they’re contributing to something bigger than themselves. And something that was built upon a cybersecurity perspective and platform is now saying, hey, we want to actually help you do your job better.
Imagine if we can help sales people close 20% more this month, hey, their paychecks are gonna go up too because we are able to use the same tools and identify a process problem that was holding them up.
Camille Morhardt 15:02
Are you looking for anomalies in behavior of people through their devices? Like normally when I wake up I open Outlook, first thing I do. So if that’s not what I’m doing, and suddenly, instead of exporting large files to my Gmail, you might wonder, a couple of red flags that go off with that. Yeah, you know, might be a personal situation that I’m addressing, but it could be something else that you might want to pay more attention to. Is that the kind of thing that we’re talking about here? Or are we talking about process improvements, like, I got frustrated because my Outlook crashed, and then I ended up surfing the web for two hours, every time it crashed?
Rick Jordan 15:41
It’s kind of a mixture of both of those, and you’re hitting the nail on the head, because there is that first element that you’re talking about that is analyzed, and systems that are put into place can do this. And they can take a look at the individual. And you can set individual parameters on a single person if you want, and apply those as a template. I’m not getting technical on this, but you can say, treat everybody the same. So if that’s the case, if everybody does open Outlook first thing in the morning, then there’s a problem with this one person. But I’ve seen it more successful when you take a look at business functional groups. So if I were to take a law firm, for example, you have partner attorneys, then you have associate attorneys and you have paralegals, then you have separate legal secretaries, then you have clerks. If you take a look at the functional groups and look at the anomalies within those functional groups, the data is a lot more accurate and predictable in those ways. Because if one individual that’s a paralegal, like you were saying in your example, sends out a whole crapload of information one day, their data usage or their network bandwidth spiked 2,000% over everybody else compared to their functional group, that’s something to where a human being would have to go in and take a look at that, and analyze that data and see exactly what that data was. Because it could be very legitimately that the firm took on a brand new client, that’s this huge client. And now they have this enormous case that they’re going to be trying. And this is just a natural exchange of information for case files. That’s very possible. And then at that point, from business process improvement, because of the other side of it, too. From an IT perspective, imagine that crossing over from just that security professional into someone that says, wow, you’re doing a lot more, how can we help?
It seems that you just took on a higher workload. Is this something that we can be an advocate for with the partner attorneys, and maybe get some other people to help you in your project that you’re working on right now? Or maybe we can get you some better tech tools to help you with this. Or maybe we can just put in an SD-WAN or something like that and add a couple more carriers to it, so you can transmit these things faster. So you’re not sitting there and waiting for cloud file shares to sync for three hours, it happened in 10 minutes now. It’s really both sides of this. So there’s a security element to it. But there’s most definitely a business process element too.
Tom Garrison: 18:03
Have you seen cases where things like either automation or artificial intelligence, these other tools, are being brought to bear for that analysis? Like in your example, you said a human is going to have to look at this and figure out what’s going on. Do you see this transition towards more automation and AI to help there, or do you think there’s always going to be a human?
Tom Garrison 18:26
I hope there’s always a human for certain circumstances. If you look at Apple, and how they were just in the press recently, and how they’re going to be scanning iMessage contents for child trafficking, underage pornography, all that. That’s something to where they’re still having a human review it if it matches, but this is really kind of the perfect example that you’re talking about, Tom, is they have AI that’s analyzing that message data first. And then if it goes outside the boundaries of that AI, there’s a parameter set to now a human has to take a look at it, especially when you’re talking something that involves a crime. And really, everything that we’re talking about from a cybersecurity perspective today could potentially be considered criminal. It depends on if it includes IP, intellectual property, then it can end up being espionage. There’s been some close calls, man, for my team too. We’ve never had some big, big things go wrong. But there’s been super close calls. One of them was a salesperson, you were talking about large amounts of data, right? And he was within a sales functional group. And we saw that there was a large amount of data transferred from the systems that they were using to his business asset, his laptop. So when a human went in there to analyze it just five minutes later, that’s it, just five minutes, started looking through what data that was, and saw that it was customer files, financial records, and so on. And then it became a phone call to the client that said, hey, is this normal? Is this something this person should do? And they say, well, we don’t feel that it is. And we say, okay, how about we go one step further, because they had a fleet of company vehicles, and we said, I think we need to track this person. They had GPS on their company vehicles. Then we see that that person took that data, copied the data to a USB flash drive. And now their company vehicle was sitting in the parking lot of their largest competitor.
But now we know we can easily follow the trail to what the motive was at this point. And where that endgame was, and this was within maybe about 20 minutes time, overall, from the time that the red flag was raised to the time that we tracked the individual and made the phone call to that competitor. And by this time, the attorney from our client already started to draft up a cease and desist order, because this was going to be obviously internal information that was going to be leaked. And, to me, that was a pretty badass response. That’s a pretty short time period. But still, five minutes later, that data could have been in the hands of the competitor already. It never actually transferred.
Tom Garrison: 21:07
That’s shockingly short. That’s definitely the exception, not the rule in terms of response time.
Tom Garrison 21:14
Again, that was still close, because it happened so fast. This is a story that’s in my book, too, because it’s situational ethics, because this is what happens with, especially, insider threats. I’ve seen this, and that’s where it’s almost like it’s not their fault, because people are humans, and they have struggles. And maybe they made bad choices to get to this point. But now they make even worse choices to try to compensate for the bad choices they made, or maybe something wasn’t even their fault whatsoever. And they’re just having hard times, especially after, like, again, this last year, a lot of people were hit hard with the pandemic. And you see individuals even in my industry and managed service providers, you talk about the keys of the kingdom, Tom, this can happen in my industry to where we’re a target now. Because we have those passwords stored in systems and almost like the keys to the kingdom to all of our clients. Yeah. So if there’s someone in my organization that’s compromised, that’s a really bad day.
Tom Garrison: 22:08
You know, Rick, there’s so many things we could talk about. I feel like we just sort of started scratching the surface. But before we let you go, we do have a segment on our podcast, we like to call fun facts. And I like it. And so yeah, I wonder, is there a fun fact that you would like to share with our listeners?
Tom Garrison 22:28
Yes, I would love to share a fun fact. When I was seven years old, I wanted to be a meteorologist. Specifically a tornado chaser, right?
Tom Garrison: 22:35
You’re probably watching Twister. There you go.
Rick Jordan 22:38
Tom Garrison: 22:39
It freaked me out. I used to live in Houston. And I used to have dreams, like this recurring dream where I’d be, whatever’d be going on, I’d look out the window, and there’ll be a tornado out the window.
Tom Garrison 22:49
Here’s the fun fact, because the US, of course, we’re in the Northern Hemisphere, and tornadoes will rotate in a counterclockwise direction. This is the fun fact. We see that the storms typically move from southwest to northeast. That’s the direction that the storms will move, the supercells. In the Southern Hemisphere, they move in a clockwise direction, they rotate in a clockwise direction, and the storms will typically move from northwest to southeast.
Tom Garrison: 23:15
Interesting, I did not know that. Then it’s always the same way and always in the Northern Hemisphere?
Tom Garrison 23:20
There’s a few rare exceptions, and this is where, from the movie Twister, I don’t know, this is where I geek out, right? I said, hey, those two cells have merged or something like that and created this monster tornado, that was the one at the end of it. Sometimes when that happens, for a brief moment, that tornado will spin the opposite direction, because of the counter-rotations of these two storms that kind of merge together. But generally speaking, when they just form, it’s counterclockwise in the Northern Hemisphere and clockwise in the Southern Hemisphere.
Tom Garrison: 23:48
Wow, that is really cool. That is very, very cool. Fun fact. Yeah, no, excellent. So, Camille.
Camille Morhardt 23:55
You might have noticed I turned off my camera for this because I don’t want to be seen with this story.
Rick Jordan 24:02
Oh boy. I gotta I gotta buckle up. Right?
Camille Morhardt 24:06
I’m just gonna go for it anyway. So Rick, you mentioned you did, in your private security company, you guarded assets. And then of course my question is, what is an asset, is that a person or a diamond or? And you said exactly both. It took me back to a while ago, I was on a trip to Santa Barbara. And my daughter is pretty young. She’s like 10, and I made the mistake of letting her read People Magazine while we were checking out in the grocery line, during which time she discovered that Harry and Meghan lived in the town next door to Santa Barbara and demanded that we drive to see their house. So we were like, alright, sure, we’ll drive to the house. You’re not going to be able to see the house, you know, that’s what, it’s going to be a big gate. You’re not going to see anything, and probably you’re not going to have the right address anyway, but we went because we wanted to see the town anyway. And when we got to the place on the map that said it was where they lived, there was no gate, there was a little dirt road. And there was a small sign just about 20 feet into the dirt road that said something like premises protected by armed guards. So I was just wondering, since you were in that line of work, I guess it’s a question slash fun fact, is that kind of a common practice where you actually don’t have a lock on your door, you just have a warning that’s so scary that nobody would ever try?
Tom Garrison 25:31
It is, and that’s just a mental deterrent. It’s the same principle as if you have ADT as your security company, and you pop the sign in your yard, right? It just says, hey, if you’re gonna break in here, you’re gonna get caught, versus come up to Prince Harry’s residence, you’re gonna get shot. It’s the similar thing. So it’s the first thing, and that will keep out well over 99% of people just by posting that sign, because in any private security agency, you really don’t ever want to escalate things. There’s so many, and a sign is one of these, there’s so many de-escalation protocols that you’re supposed to follow, so that it never even gets there. And a sign is one of the best ways to be able to do that. You know what, I wish there was a sign that we could post for hackers getting into digital networks, that would be pretty awesome. One that says, hey, if you get in here, we’re gonna send like a feedback signal and wipe out everything you have or something. Now I’m getting into movies again, but that would be phenomenal. Let’s come up with that. Okay, right here with Intel, all right, that’s a new product, I just want to help.
Tom Garrison: 26:36
Well, I’m going to change it up completely. And I’m going back to the animal world. I have been fortunate enough to where I have people now send me some of these, which are just great. I love them. So this fun fact is that there is a moth in Madagascar that feeds exclusively on the tears of sleeping birds. When I got this, I’m like, I cannot believe this. So I did more research. And it is absolutely true. The beak actually has like a hook to it, the moth will land on the bird and then will place that hook right underneath their eyelid. And researchers are saying now that they don’t know if there’s an anesthetic involved to try to deaden the area, because you can imagine, if you’re a moth, a pretty dangerous place to be is right next to a bird’s beak. And so you better be pretty good at your job.
Rick Jordan 27:38
That’s amazing. I think you win the prize for today, Tom.
Tom Garrison: 27:41
Yeah, I don’t want to know, Rick. I do want to thank you on behalf of Camille and myself for coming on. It was a great topic today. With security and human factor element, there’s a lot there to be discovered. So thanks for the topic, and thanks for the wisdom that you brought.
Rick Jordan 27:55
It was a lot of fun. Thanks for having me on.
Thanks for joining us for Cyber Security Inside. You can follow us here on YouTube or wherever you get your audio podcasts. The views and opinions expressed are those of the guests and author and do not necessarily reflect the official policy or position of Intel Corporation.