Businesses of all sizes are affected by cybersecurity. How can middle market companies ensure they are secure? The NCMM gets the scoop from Joey Muniz, Technical Solutions Architect at Cisco Systems.


Cybercrime is rising. Everyone's a potential target. You may think you're safe-- are you?


Welcome to The Market that Moves America, a podcast from the National Center for the Middle Market which will educate you about the challenges facing mid-sized companies and help you take advantage of new opportunities.

Today's podcast is about what middle market companies can do to create first-class cybersecurity defenses, even if they don't have deep pockets. I'm Tom Stewart. I'm the Executive Director of the National Center for the Middle Market at the Ohio State University Fisher College of Business.

We're the nation's leading research center studying mid-sized companies, which account for a third of private sector employment and GDP, and the greater part of economic growth. It is the market that moves America. The National Center for the Middle Market is a partnership between Ohio State and SunTrust Banks, Grant Thornton LLP, and Cisco Systems.

With me today is a special guest, Joey Muniz. Joey is a Systems Architect at Cisco-- one of NCMM's sponsors-- and a cyber security expert. He's the author of several books published by Cisco Press and others on cybersecurity, a blog called The Security Blogger, and he's a highly regarded source of insight and best practice about data and network security. Joey, we're really pleased to have you here, welcome.

Thanks for having me, looking forward to it.

Let me just put a couple of data points on the wall, and then maybe, Joey, you can respond to them. One of them is that cyber attacks are an enormous cost, and a growing cost. The number I saw for the global economy is that the cost of cyber attacks is something like $450 billion-- that's billion with a B. That's half a trillion bucks.

And the US is, I think, about a quarter of all the cyber attacks. And in the US, the average cost of an attack is 20 million bucks for the average cost. Now, we read a lot about the impact of cybersecurity attacks and hacks on big companies, but Joey, these impacts hit the middle really hard too, don't they?

Well, it's interesting. I mean, if you think about the middle-- well, I'll do it in three categories-- large, medium, and small. Small being, like, a restaurant, medium being, like, a somewhat established business, and then large being, like, a Walmart or Amazon. I mean, who do you think is the biggest target? It's not actually the larger companies. It's really the small companies.

And the question is, why? And the answer is kind of obvious. The large companies have budget, so they're going to have security, where the small companies-- like your Thai restaurant or a church or something-- the attackers know these are easy targets. They know they don't have the next-gen firewalls and all that kind of stuff. So therefore, they're the easier target.

However, everybody really is a target. And what happens is, in a lot of cases, those small companies-- restaurants, et cetera-- get owned, and they're used as pivot points to attack the larger companies. And the reason why is, again, they know the larger companies have things like web security and reputation security.

So you can't just stand up a fake website and start attacking them. But if you pivot through a trusted school that's been online for 20 years, it looks more trusting. So it allows them to bypass the layers of security. So really, the short answer is everybody's a target in different ways. Large business being attacked through other businesses, where small business, it's usually-- if you look at volume, they usually get the most attacks because they're the easiest. And then middle is somewhere in between.

So one of the things that I was startled to learn-- I guess I'd gone with the blithe assumption that somewhere out there in the dark parts of the web, there were people who were looking for the juiciest targets and let me go into this bank, or let me go into this big retailer, and I want to get a big, massive target.

But one of the things that I've started to learn is that in a world of ransomware, the size of the target almost doesn't matter. If I'm a bad guy, I might just want to go for as many targets as I can get and collect a few thousand or a few hundred bucks from a lot of them. Is that right? Is that the way the market-- the cybersecurity industry, let's call-- the cybersecurity industry is changing?

Well, you're talking about the attacker side, not the cybersecurity industry.

Yeah, right, I'm sorry. Yes, exactly.

So what you're talking about-- the industry uses the term smash and grab, which is-- rather than targeting a specific person, I'm going to target everybody. I'm going to try a specific vulnerability against everybody, and that tactic's been around for a long time. I mean, even ransomware itself has been around a long time.

A lot of people don't know ransomware's been around since the early '90s. The only reason why, now, ransomware is becoming popular in the news is there's been some innovations in technology-- particularly things like Bitcoin-- where we can't track the payment system. And things like the dark network-- your Tor networks-- where it's hard to track the communication, and the more advanced key handshakes where you've got these key exchange happening where now it's basically asymmetric.

It doesn't matter-- the bag I have-- the private key-- you can't get it. So it's these various technologies that have allowed ransomware become what it is. But I mean, attackers have been doing smash and grab-- which is, I'm going to find, let's a Struts vulnerability or a Flash vulnerability, JAVA vulnerability. They'll find something that is common amongst multiple systems and then, basically, use something like MASSCAN, scan the network, and basically try to identify devices and see if they have that vulnerability. Like that tactic has been around forever. So I would say the attackers, they're using the same tactics. They're just changing it around a little bit. And ransomware is just the flavor of the month.

So that means that I'm a target, whether or not I think I'm a target. I'm not a target because of who I am. I'm a target because I have an IT--


--that at least you know. Think about the times you don't know. I mean, ransomware tells you, I've owned you. How many times has there been breaches where you don't know? So, I mean, ransomware is scary, but I would say the stuff you don't know is even scarier.

Talk to me about that. I mean, the story is that there are two kinds of companies-- companies that have been hacked and companies that have been hacked but don't know it yet.

Yeah. Yeah, actually, there's a guy called Kerbs on Security. The whole joke is he's also a very popular researcher and blogger. People have said, Kerbs is my IBS, meaning I find out I'm owned, because this blogger will blog that I'm owned. Then, I don't know, and I find out after the fact. Unfortunately, that's a popular saying, because it's true in a lot of cases. People, they invest heavily on bringing up the brick wall. They'll buy a firewall, or they'll buy some technologies which are important, by all means, but they'll put all their eggs in one basket. They'll even say, I'm going to layer firewalls and buy multi-vendor firewalls. That doesn't necessarily help you for what happens when things get through the firewall.

I make it very simple. Basically, if I'm going to own you, if I'm going to attack you, I'm going to try to basically take advantage of a vulnerability. That's basically exploitation. Once I do that, I'm going to do something on your network. What a lot of people don't realize is they just look at that exploit, the attack. They buy anti-virus, they buy firewall, they buy IPS, all these signature-based technologies looking for the attack. What they don't do is they don't have anything for when the attack works. And then when the attack works, people get inside their network-- hence insider threats-- and they have no what we call east/west or no lateral movement, no insider technologies. So they're blind, and they literally have no validation that their firewalls and IPS are working, because there's nothing inside to make sure, to check to see if something gets through.

So in a lot of cases, you know these companies buying next gen whatever, getting overconfident in their security thinking they're great. But they have nothing on the inside. Hence, they've been owned for three or five years, like you're talking about. They just don't know, because all they can see is what's on the perimeter. They have no internal defense.

So I'm a castle with a great wall but nothing inside.

In a lot of cases, it's like that. And the thing is it's easy to bypass the castle. People think that because they have a shiny appliance, it's going to do well. Here's another really simple concept. I'm a vendor. I work for Cisco. And I can be fortunate. I can be Palo Alto. I can be anybody. I make a product. My product is going to be used in multiple industries. It's going to be used by, let's say, federal government. It's going to be used by big oil companies. It's going to be used by that Thai restaurant. It's going to be used by Wal-Mart. Different industries with different practices. How can I create an appliance with signatures that are going to be perfect for every industry? I can't. You just can't do it.

So what happens is I create a best practice type signature base and say, this will protect the majority of stuff out there. It's up to you to tune this. And 99% of the customers aren't really tuning it. So essentially, they're getting the best practice for the government, the oil company, Wal-Mart, et cetera, where 30%, 40% of those defenses have nothing to do with their organization. And 20% or 30% are not being protected because they're not spending the time to basically tune that device for themselves. Therefore, the attackers can easily pivot around it.

So, Joey, dial this down a little bit to a company with revenues of $50 million, $100 million, an IT department of 5 or 10 people. I mean, when we think about-- and maybe not enough resources to put a dedicated chief information security officer in place. As you look at companies of that size, how should they begin to put together the best possible I won't call it necessarily defense, but the best strategy for protecting themselves against the damage hackers can cause?

Well, first off, I mean, manpower issues apply to pretty much everybody. Everybody's got to do more with less, and the reason why is simply there's more jobs than people. And this is a common problem. I've met with big companies and I've met with small ones that have skeleton IT staffs. The reason why is they just can't find the people, and when they do, the people end up going somewhere else for more money or go for fame. So really--


Right, these are the hottest jobs in a tight market.

Yeah. So I would say there's two parts to that answer. One is going to be internal training, and the other one will be automation. So internal training is the idea of, well, start to create programs. And this is free for you. You can literally say, why don't we start to offer the ability to shadow IT people, the ability to cross-train? So essentially, you start to bring junior-level people up to the senior level. And there's some benefit, as well. I mean, the idea of due diligence, where now you've got multiple people that know how to do the job. Bob gets sick, Julie can come right in and fill in the spot.

The second thing is it's more security. Now you don't have two or three people that have the keys to the kingdom. Now you start to spread out responsibility. So if there was to be an insider threat, more or less, from an employee, it's going to require multiple people to be involved versus one person, like the original Jurassic Park movie, where the guy shuts down the park by himself. You have more IT staff, you don't have that. So the training idea is definitely something to think about.

The other one is automation, and what I mean by automation is a lot of IT staffs waste a lot of time doing things that could be automated. Prime examples, access control. If you don't have access control, that means I can plug in and own your network. Therefore, you may turn on port security. You may turn on the ability to lock down ports. But now, you're going to spend time re-enabling ports when the wrong people plug stuff in. Well, why not automate that? You can do things like network access control. Another one is vulnerability scanning. You may spend time looking for vulnerabilities, finding people that are compromised, and going to fix it. Automate that. Take your Nexpose, take your Core Impact, maybe link it into your access control system. So now, when somebody comes on the network, they're automatically scanned.

And even the remediation, you can drop a breach detection tool that will automatically find the infection and pull it off. Start to find ways where automation can happen so your small staff can do more, versus trying to hire more to basically deal with stuff that could be automated.

So that's two ways in which I can get, basically, more IT capability for the same amount of money-- automate things, on the one hand, and create people who are cross-trained in IT so that they become sort of deputy IT managers, right? Talk to me a little bit about the process and human defenses against attacks. Because as you were saying earlier, it's impossible to protect everything. And my understanding is that even those people with the artiest of the state-of-the-art technology defenses get breached because employees or others screw up. How do you build the sort of security consciousness? And I think particularly in the smallish company, where we don't want to have too much bureaucracy. We're all family here. How do you build the sort of awareness so that people don't fall for phishing scams, for example?

In the industry, we call that layer 8. I've heard some people call it layer 0. So your IP stack is 1 through 7. Layer 8's the people. People, it's tough. And to be honest, I work at Cisco, and we do internal phishing. And right now--


Internal phishing meaning you test yourselves?

Yeah, we do internal phishing. So what we do is we send out fake emails, and if you click the email, a pop-up comes up to educate you on why it's fake. And then you get added to this wall of shame. And literally, you're in this web page that you can be looked up in and people laugh at you. It's a very tactical way. And what's funny is every year, the most popular email that comes out that always works is this one that's a fake UPS. It's like USP or UPSS, because everybody thinks they're getting Christmas gifts or their wife or husband bought something and just like automatically clicks to see what their wife or husband bought. And then, boom, they get hit. So it's tough to be 100% on anything, particularly people oriented.

But there's a couple of things you can do. First off, security, in general, needs to be something that has meaning behind it. And what I mean by that is we've all seen-- like we've gone to a company and we get that pop-up that says don't do bad things. And it's this boring legal language. That means nothing. People ignore that. They say, whatever.


They say, that's a boring, old rule, right?

--matter. I'm sorry?

They say, that's a rule. That's an obstacle.

Yeah, that's a rule.

Yeah, that's a pain.

Yeah, it's not an enabler, exactly. Where if you were to say-- like you shoot out an email, as a CEO, and say, hey, we've been getting hit with a lot of these type of attacks, and it's costing the organization x amount of dollars. We may not be able to give out raises in the next few months. Our company may have this kind of impact. Please be aware that we are a target right now. Yours truly, Mike, or something. Make it personal, where people realize, OK, it's not a rule. This is actually impacting me, the person here, and the business. Make it personal is the first thing I'd recommend.

The second thing is there are ways to, again, automate. So people, even when they make the mistake, the impact is limited. Technology to think about, reputation security. What that is is it's basically adding a layer so if somebody clicks the wrong thing, that site is evaluated before it's allowed to connect. So if it says, hey, wait, that's going to a bank that's been online for two hours hosted from GoDaddy, that's not a bank, and it's dropped. So it allows people to make that mistake. And there's things like DNS security.

And pretty much, I would recommend check out a site that's called ihaveabadreputation.com. It's a test site, so you won't actually be infected with something. But again, ihaveabadreputation.com, and see if you get a blocked page or not. If you don't get a blocked page, that means you do not have reputation security. That means if somebody clicks the wrong thing, it's very likely they're going to get owned. Because you're basically allowing any website to communicate versus trusted sources. It's not 100%, but it dramatically reduces that concept of somebody clicking the wrong thing. So again, I would say automate tools to allow people to make that mistake would be one thing. The second thing would be is making the message personable, like stop with the hurdles and making security seem like a problem. And try to let people know why you're doing it, and people will actually care.

You know, I heard a story about a year ago from a woman who runs a family business. Her grandfather had started it. I think 75 employees in Cleveland. And one Friday-- this was not penetration, but this was a ransomware attack. And one Friday at 4:59, suddenly the computers went dark. And it was send us x number of bitcoin by such and such a time or we'll shut your-- you know, we'll destroy all your data. And this woman, describing the event a year later, was in tears thinking, this is the business that my grandfather started and my father built and that I inherited, and it's going to blow up on my watch.

And she was all right. She'd done the things she needed to do. She had backup for all her data. I don't think she ended up paying the ransomware. She was able to get around it. She knew the right people to call when the attack came, so she was all right. But when you talk about this being personal, this was personal. And it was not only personal for her, but as she told the story to her employees, I mean, it was personal for them. This was an existential threat to the company, she felt, and she wanted to make sure that they all understood it. And so it's just to underscore your point about this is not just some sort of thing. This is pretty critical and affects your hopes and dreams.

Yeah, I'll tell you this. If you to learn more about it, I spoke at RSA Europe in 2013, and you can look up a talk called Emily Williams. You can do social engineering, Emily Williams. I basically created a fake person. So I'm an attractive blonde and became a new hire at a company. So I just used Facebook and LinkedIn and posted Christmas cards around Christmas and got people to click my Christmas cards. And when they clicked it, I used a tool called BIF, the Browser Injection Framework, and pretty much stole their VPN passwords and VPN'd inside their network. And I owned them so bad that-- my buddy, Aamir Lakhani and I, to give credit. Both of us owned them so bad that in January, at their sales kickoff, they had this Emily Williams in their new hire pamphlets, and they announced her during the new hire ceremony at their sales kickoff.

So it's not as hard as you think it is to do these attacks. And that was a research project based on--


I think we just hired her.

--attacking just from Facebook and LinkedIn.

Wow. That's really remarkable. I guess that there's another thing that I wanted to talk about. I know we don't have too much time here. But one of the things I want to talk about also is helping companies understand-- if you go back to that castle metaphor-- what are the crown jewels. How do you help companies think through what are the things they need to make sure that they have protected or duplicated at all costs? Knowing that you can't protect everything, knowing that you can't afford enough insurance to insure everything, how do you help a company understand what are the absolute crown jewels? And should they? Is that an important thing to do? And if so, how do they do it?

Well, first off, there's a couple of things. One, there's a statement I always say, and I hope that if I can-- if you're listening to this, if there's anything you remember, it's security is a journey. It's not a destination. You don't become secure. You continue to be secure. Today, you may be somewhat secure, and then somebody comes on the network or adds a new system or configuration problem, and now you're less secure. So it's a journey. But the best practice I typically talk about is you have to layer your security. And layering security has been around for a while.

In my best practice, I have four areas I focus on. I first start with the edge, which is-- if you're going to have low budget, start there. Secure your edge. Then, secure your end users, so the actual desktops, laptops, et cetera. Then, look at access control, which is controlling those devices as they come and leave the network. And then, lastly, continuous monitoring on the inside. I mean, it can go deep into those four areas, but really, it's about layering. It's about thinking about attacks, how people are going to attack you. So like think about before, how people are going to plug in, how they're going to communicate with you. How the attackers will communicate. Is it before? Think about during, what type of tactics they're going to use. And then after, what happens when they're on the network?

And when you start to think like that-- I call that the before, during, and after. Cisco's been using it for a while. What you can do is you can literally get a white board-- and I challenge anybody on this call here that's listening or listening to this broadcast to do this. Go back, get a white board, write before, during, and after. And by those definitions, list out what you have. Like what stops people from contacting your users? VPN would be a before, because it's encrypted, so the attackers can't get you. Access control is a before. Firewall, IPS, anti-virus, these would be during. They actually detect when somebody attacks you. And maybe like a NetFlow or a honeypot or some kind of breach detection type technologies, the after stuff. Maybe incident response services. These fall in the after.

But do this and make sure that you have something in every category, versus everything's in the before but you have very little detection and nothing on the breach detection. Then, obviously, that's where you need to start. But I would say that. Then, lastly, whatever the data's at, protect your data. I mean, if you have your data center, focus your security there, not on the perimeter. You don't want to have everything by your receptionist and by your front doors and then have no guard by your data center. Focus on where the data's at versus just adding security.

And one of the things that I think is interesting is that as we worked out and put this framework up on the National Center for the Middle Market Cybersecurity Resource Center, if you think about before, during, and after, and then under there, you think about what do we need to do about people? Getting our people smart, trained, so on and so forth before. People during, so do people know the drill? Do I know who you're going to call when we've discovered somebody's-- there's a breach or somebody's in the network. Who do I know people at the FBI? So there's people before, during, and after. There's people, process, and technology.

So what have I got in the people area? Have I got my playbooks, and have I got my technology? And I think if we pull those things together, you at least have a better chance of being prepared, becoming a somewhat tougher target, and also being able to recover better given the inevitability of being attacked at some point.

One last point on this is if we don't have the people, at least know who to call, like you've mentioned. In some cases, maybe you talk to a vendor and say, quote me on incident response services. I may not pay for this now, but at least I know-- it's like the red phone. I know who to call where if I do get in that situation-- you mentioned your friend that had ransomware. And she was devastated, and she knew who to call. At least know, all right, if we have this type of breakout, I can call somebody and they'll be here within 48 hours. If I have to call the police, call the police now. Say, hey, who would I talk to if I ever had a cyber breach? Find out who that person is now, because when you're under the heat, you don't want to be doing that scrambling.

I go through those exercises right now so you know who to call. It's not about just paying to hire somebody or it's about investing the money now. This is a free exercise. Just do the effort of getting quotes for emergency services and go through the actual process of calling people so you know exactly who to call. That also will help out, as well.

That's why we have fire drills, right? So with that, I want to thank you, Joey. Joey Muniz from Cisco Systems has been talking to us about cybersecurity and middle market companies and has really, I think, given us some really good ideas. First of all, about how you can get sort of virtual depth and scale, additional IT capacity, where you didn't think you had it. About some of the important-- well, the absolute criticality of cybersecurity for middle-market companies, not only because they're targets themselves, but because they're targets as gateways to others. And about some of the things that companies need to be doing to think before, during, and after an attack about the people, processes, and technologies that they need to do to protect themselves.

So, Joey, thank you very much. And for more about Joey, you can check out his website, thesecurityblogger.com. And please go to the Cybersecurity Resource Center that the National Center for the Middle Market has created, where we have collected and curated the most important cybersecurity materials, specifically bearing in mind the needs of mid-sized companies. The URL for that http://cybersecu ritycenter.middl emarketcenter.org.

Thank you for listening to The Market That Moves America. Never miss a new episode. Subscribe to the podcast on iTunes, Stitcher, Google Play, or wherever fine podcasts can be found. Or you can subscribe and learn more about us at our website, middlemarketcenter.org. Thanks very much.