In this three-part series, Blumira VP of Operations Patrick Garrity interviews Dr. Chase Cunningham, information security analyst, advisor and author of Cyber Warfare: Truth, Tactics and Strategies – strategic concepts and truths to help you and your organization survive on the battleground of cyber warfare.
His book provides insights into the true history of cyber warfare, and the strategies, tactics, and cybersecurity tools that can be used to better defend yourself and your organization against cyber threats.
Some of the key features include:
In part 3, they discuss:
Here are a few summarized excerpts of their questions and answers:
So you talked a bit about the use of open-source tools and open-source intelligence. Visibility is one of those things that’s particularly important to know where to focus efforts and where real risks are. Even with some of these free tools and free ways to do this, why is there still, in some cases, a significant number of organizations that aren’t taking security and these types of things seriously?
Well, I mean usually it’s two things: It’s either a lack of leadership. I talked about that in the book of not having someone that will say, you know, the buck stops here. We’re going to do this – follow me towards victory and dragging people kicking and screaming towards success.
And then the other one is that they usually wind up with many many threads going at the same time, which makes it very hard to complete any one objective and that just doesn’t work in a war-fighting domain. If you’re going to take the initiative, you go house to house and you continue to take ground one by one by one until you own that space and then you move to the next one. Not running all over the place at once and hope that you can continue to gain ground.
In the book, you have a few different laws and principles to be put in place. And I think these laws are intended to tie back to the cyber warfare side. The first one is default means dead. This one is a no-brainer and still shocks me every day that nearly most of the IT systems out there are configured by default in a way that isn’t secure. What, if any, responsibility is there on the vendor to make sure that the default isn’t bad?
The reality of most of that is that the default configurations are put out there by the vendors and they’ll let you know that that’s what’s there and that there’s something you need to do to fix that. Most of them will say things like reset the password; don’t use the default; whatever else, and it’s on the user to actually do it.
It’s just like, you know, Dodge trucks might give me a really great truck – and they put a really nice airbag and a seatbelt in it. But at the end of the day, it’s on me to strap in and actually drive that thing in a safe, you know, fashion. It’s not on them. They just provided me with my means to go pick up stuff from Lowe’s. It’s sad people more or less need to take the time to do what’s right as far as what has to be configured properly on the firewall so someone doesn’t get admin access. What needs to be configured on this host so it doesn’t get owned. Email system – kind of the same thing.
Fourth one – kill the password – agree a hundred percent. One of the things you talked about here is expanding to biometrics. My philosophy is, biometrics are great. I think it’s important that you don’t centralize them and it’s likely at the point of access or the device. What’s your philosophy of using biometrics from an IT and security perspective?
I think biometrics is one of the better ways to go. I think that that’s kind of where evolution is moving towards. I mean like right now sitting here – I’ve got Windows Hello on my Surface that logs me in and does my stuff. It checks me with two-factor auth on my phone and then vice versa. If I’m going to go to my bank on my phone, it checks my face and then it asked me for an out-of-band auth and sends me an email. So like there’s this back and forth, but what does it use to first make sure Chase is who Chase says he is.
The last law, our fifth law, was to limit the blast radius, meaning containing things when they go wrong and making sure the impact is limited, as well as making sure it’s not cascading, right?
Yeah and given bad stuff is going to happen; there’s going to be a compromise; somebody’s going to click on something. The inevitability of impact is very real. It’s going to happen, but it’s not that that’s going to happen, it’s – does it proliferate; does it go from 30 machines to 300,000? Like, is it an IT problem? Or is it a, oh my God, shut everything down; we just lost the network? It’s important to really limit that risk from a cascading perspective because it will end up into a bigger problem if you can’t handle containing the things when you do find them.
Check out the first interview video, Cyber Warfare, Part 1: BYOD, Social Influence & Autonomous Vehicles, and the second, Cyber Warfare, Part 2: Deep Fakes, War Strategy & Scaling Security.