Chris: Hello and welcome to another episode of Cyber Speak With InfoSec Institute. Today’s guest is Fred Kneip, the CEO of CyberGRX. We’re going to talk about the security risks for companies who work with third-party vendors, both those globally focused and those closer to home. As chief executive officer, Fred Kneip is responsible for the overall company direction of CyberGRX. Prior to joining the company, Fred served in several senior management roles at Bridgewater Associates, including head of compliance and head of security. Before that, Fred was an associate principal at McKinsey and Company, where he led the company’s corporate finance practice. Fred has also worked as an investor with two later-stage private equity investment firms. Fred holds a BSc from Princeton University and an MBA from Columbia Business School. Fred, thank you for joining us today.
Fred: Thank you.
Chris: Let’s start out with a very general question. How did you get started in computers and security, or what were some of the formative experiences that made you want to move down this path?
Fred: Yeah, it’s interesting. It’s probably very different than some of your other guests. The majority of my background is actually in investments and strategy. I worked a lot with McKinsey and such on that front, helping companies think more about long-term growth strategy, acquisition strategy, et cetera.
When I joined Bridgewater Associates, which is the world’s largest hedge fund, kind of a unique organization in Westport, Connecticut, I actually moved over to start managing the compliance and the security departments, and that was my introduction to some of those areas and particularly the cybersecurity space. And it really took with me: the recognition of what we had to do there to really improve the program, and that I could apply some of the same strategic work I’d done previously to help me build out more robust cybersecurity programs and plan for the future there.
Chris: I see. As I said, we’re talking today about third-party risks with large corporations in terms of security. You’ve claimed that large retail corporations, big banks, global travel companies and other multi-component organizations face higher than average security issues from working with smaller third-party vendors. What are some of the concerns these globe-trotting mega companies should be on the lookout for?
Fred: Yeah. One thing, just to put some context around that, is the recognition that over the last decade or so, companies are really no longer self-contained. They now are dependent upon a network of suppliers and other vendors, et cetera, that help build the organizations that they are. They are massively more efficient as a result of doing that.
Apple, for example, doesn’t actually build anything. They design a lot of things, and then they send those out to subcontractors and such to build for them. Similarly, supply chains are now segmented out into specific components. A jet engine for GE is built by hundreds of different suppliers, as well as back office services or CRM with Salesforce, et cetera.
These are all services and tools that allow companies to really focus on their core strengths, and then leverage external services. The problem with that is it’s created a massive expansion of the attack surface, and so instead of just defending your house, you need to be cognizant of all the houses of all the people you’re dependent upon, or that companies are dependent upon.
And what we’ve seen is security programs haven’t really kept pace with that change in the way companies operate. People still focus on, here’s what we’ve implemented in our environment, here’s what we run for our environment, and then they send their most confidential information out to an analytics tool, or they allow a back channel, a connection into their environment, for real just-in-time delivery or whatever it happens to be.
And what the issue is, and what you’re commenting on there, is people need to be much more aware of where their information is or who is accessing their network. And the data shows that now anywhere between 50 to 70% of reported breaches come through third parties. Hackers are smart. They say, okay, they’re going to focus on protecting their environment, but we really want the data; we don’t care where we get it from. We’ll go and find where they send it to, and we’ll hack them there, or we’ll go after that.
And so the exposure that I’m talking about, as you think about retailers and others in particular, is that that data is now spread out much more than they may even realize. And they need to start tracking it down and understanding what the security program looks like at all the companies they might work with.
Chris: What are some of the most common attack vectors for hackers, phishers or fraudsters using these sorts of third-party vendor carriers to infiltrate large companies? What are some of the common ones, and also what surprising techniques have you seen that actually work?
Fred: Sure. Well, it’s interesting, you know, when we talk about hacking. The simple answer is it’s actually not that sexy. What people go after is unpatched software. If you think about two things that you can do to make your environment more secure, or ensure your broader ecosystem is, one is, are they patching their software? The vast majority of breaches are taking advantage of known issues with software, and it can be easily remedied with that. I think I’ve seen statistics that say something like 90% of breaches can be prevented just by patching software.
The other is that the vast majority of breaches begin with a phish. It is either a spear phish, if you’re in a specific industry where they’re actually targeting individuals, or it’s a broader phishing campaign. And if you are not training your employees to understand that, or putting the right tools in place to monitor that, you’re exposing yourself.
That’s the real issue of understanding what people are doing on those two fronts. I wish I could tell you, oh, this is a really cool, you know, Mission Impossible-type hack. But honestly it typically is, oh, we’re going to go and phish one of your third parties. That typically is a smaller organization that doesn’t have as robust security, and then they have a trusted connection in some way. The one that everyone loves to talk about is the Target breach.
Chris: I was just going to bring that up.
Fred: It was a mechanical services company that had access to the network to run diagnostics on HVAC machines, and then they were able to navigate through the network to get to the point of sale and the credit card data. Interestingly, the one that has also gotten a lot of press recently is the Dragonfly kind of attacks on critical infrastructure.
Once again, if you look, these are state-sponsored attacks, and they are all going after the third parties that those utilities and other critical infrastructure companies are reliant upon. They’re not going after them directly. They’re saying, okay, let’s go compromise this smaller organization, which is probably not spending as much on security but is able to log in and run certain systems, and use that as a way in. I wish it was something fancier. It’s actually back to the basics.
But the other element of that is, to address it, it also can be a lot more of the basics. Looking at your own environment: are you patching your software, are you providing phishing training, are you managing access, et cetera. And then the other is ensuring that all the companies you operate with have similar controls, kind of that first line of defense. And that’s step one, if you will, of the path for you.
Chris: This literally just occurred to me now, and I don’t even know if this is a workable option. But it seems interesting to me that people who were running diagnostics on an HVAC system found such a porous wall between the HVAC stuff and going straight over to, like, payment data. Are there ways of saying, you only have this much access, and you can’t break through to other parts of the company? I mean, obviously it’s a mistake you learn once and painfully, but-
Fred: Right. You’re absolutely right. You shouldn’t be on what’s called a flat network, where you can move across. You want what’s typically called network segmentation. If you think of your house, you have different rooms, and someone coming into your house doesn’t walk straight into your bedroom. There are walls, et cetera, to get in between. And the same concept exists in a network. Other core security principles or concepts are things like least privilege, which basically means you should only give access to something to those who really need it, versus, oh, let’s just open the door, and it’s a master key to every lock. And so I haven’t seen the Target network, nor have I gone through the granular detail, to know what happened there. But we know step one was they got in through the third party; whether they were able to move internally, there are other controls that could have potentially prevented that.
Chris: Sure. In trying to compensate for these insecure third-party vendors, what are some of the major security mistakes that large companies fall into? You said basically they spend too much time and resources strengthening their own defenses. Why is that seen as the preferable option, or do you think they just don’t really give it much thought?
Fred: There’s a lot of … it depends on that. The statistic I shared with you before is that 50% to 70% of breaches come through third parties, and it’s only getting a small fraction of the budget spent. That’s interesting; you’d think that people would want to focus on that a bit more. What has happened here, I believe, is a lot of it is that the problem has scaled massively and people often don’t know how to address it.
10 years ago, if you had … yeah, there are 25 companies we know we’re dependent upon, that’s easy to manage. Now that’s 2,500; now what do I do? And you have all these different parts of the organization that are using this small analytics tool, they’re sending this data here, et cetera. Controlling and managing your information, and gauging what can be brought in, is actually very important.
What can people do on that front? A couple of things that we’ve seen that are kind of classic mistakes, if you will, in managing third parties. One is recognizing that people often say, “Oh, I’m just going to take whoever I spend the most money with. That has to be the more important one to me.” That is not the best proxy for risk. You may be spending a ton of money with a cafeteria services provider versus a backup IT company that’s only there for contingency but has full access to your network.
And so you really want to actually do a level of inherent risk mapping of your third parties. Who should I be concerned about? Who am I sharing confidential information with? Who has access to my network? To really use that as a means to prioritize where you spend your time and energy.
The other is actually spending time truly breaking down the security there and understanding what exists. It doesn’t mean everyone has to have perfect security, but you need to know what it looks like so that you can plan appropriately and say, “Okay, this company here that we really rely upon has these three problems.” We need to put some kind of mitigating control within our environment to make sure that we’re prepared for that.
This area needs a lot more focus and attention, and we’re seeing it now. We are actually seeing, and interestingly it’s a board-level conversation now, where people are starting to talk about third-party risk, and that’s accelerating now, which is great. As I go back to … it’s not the most exciting area you’re talking about. Does my third party have a patching program, or do they have a phishing training program? That doesn’t get you up in the morning to go and look at that.
Cool AI-driven anomalous behavior detection with some kind of blockchain thing layered in, that’s cool. And people get excited about the new tools and such on that front. And there’s also the element of it being tangible, right in front of you. I can see this implemented in my environment, versus assessing and understanding what’s out there, where you’re one more step removed. It hasn’t been top of mind historically; it is becoming so, and what you’re seeing, literally you pick up the paper almost every day now, there are more and more comments about this third-party breach that brought this big company into headlines that they don’t want to be in, and so we’re seeing more and more people pay a lot more attention today.
Chris: Just to pick up on something you mentioned in there. It sounds like maybe another issue is that there’s not a unified security structure. This part of the company is doing this small thing, and this part of the company is doing this small thing. But there’s not as much thought being given to an overall security program for all third parties, or a rule that these third parties have to pass a security screening system or something like that. Is that also sort of the case?
Fred: What some will do is they’ll typically have their own program that they’ve built out … Here’s my questionnaire, and this is what we ask companies, and we’ll do it once a year for a select few. And then we’ll do it once every two years or once every five years. And anyone who is in the security industry will know that waiting five years to assess a company is kind of crazy. It is a bit of a one-size-fits-all approach that people build out. But the problem is they’re now doing that for a thousand companies, and then guess what, their peer company is doing that for the same thousand companies.
And so one of the things that always blows me away is, we’ve spoken to ADP, the payroll company; they were assessed 4,000 times last year. That’s 4,000 different customers that reached out and said, hey, please fill out my questionnaire. And that’s massively inefficient. It’s silly, almost. And then what people are doing there, the vast majority of the time, is just saying, yes, I did an assessment.
They’re not actually taking that data, doing something, and doing real risk management with it. It is a bit of a compliance, check-the-box type exercise versus risk management, and you see continued breaches there. And we can talk more about CyberGRX, our company, and how we’re trying to address that problem. That’s really helping people say, stop spending all your time collecting data and repeating that process, and focus all your time on understanding where the risk lies and doing something about managing it.
Chris: Okay. Now let’s say you see your company adopting these unsafe practices. How do you convince your supervisors or your C-suite that they need to change paths? How do you convince them to take the additional steps or spend the money to strengthen your supply chain security? How do you even explain to them what needs to be done?
Fred: You’re asking the golden question. Anyone who works in security asks, how do you get more budget? But it’s hard because you’re effectively preventing an outcome versus showing it out there. It’s like, I spend money here and fewer bad things happen. It’s a harder sell than, I build this new factory, and here’s the new revenue that comes from it. There is a recognition of the monetary impact from breaches. Those numbers are going up, and going up quickly. And there’s a recognition also that here is a viable path forward to address them.
One of the things that we’ve found with some of our customers is, it really was an unbearable problem of, I have no idea how to address this. I can’t scale up and hire 27 more people to do this the way we’re doing it today. So in the absence of a solution it’s very hard, whereas when you can say, okay, here’s a way I can do this, I feel confident to move forward and provide that data and analytics. What we’ve found, and I’m being a bit specific about our company here, is that when we can provide the data that says, “Here’s what we’re looking at today, here’s how I’m improving my program, here’s the effective ROI from that,” it’s a more compelling argument.
Now there are different ways of influencing. There’s the appeal to logic, which I just went through there. You can go back to the scare tactics as well, which is an element of, look, here are all the companies in my industry that have been breached, and that have had a third-party breach. In any industry you’ll look at that and say, did Target want to be in the headlines?
Did Delta or Sears want to be in the headlines because the chatbot was compromised? Do these critical infrastructure providers want to be in the headlines because one of their … You look at these companies, and there’s the monetary impact of losing PCI data, and then there’s the reputational impact and these components here. And you’re seeing it happen more and more. I think that argument is easier. There is no prescription of, “Oh yeah, let’s do this, this and this, and you’re guaranteed money.” But it is a bit more of what … the facts are out there.
This is happening. It’s a clearly established, known attack path. And we haven’t spoken to a company yet that says, “Oh yes, I’ve got this locked up, I feel confident with this.” It’s always, yes, here’s more I can do. And I think that’s something, if you can present that tangible path, I think it really is an easier conversation.
Chris: We talked about phishing and patch management and so forth. And you said that there are not a lot of Mission Impossible-type things. But before the interview you told me a little bit about an example of a spy chip that was inserted into Supermicro equipment by the Chinese military and used to infiltrate US supply chains. Can you tell me a little bit about that?
Fred: A hardware hack is very hard, very rare, because you have to get into the process, either when it’s manufactured or at some time in transit before it’s delivered. That is almost definitely going to be some kind of state sponsor that would have the resources to do something like that. This one was pretty interesting in that, effectively, what it did is it compromised the chip, which allowed it to then alter the operating system to open it up to be manipulated. And then it also beaconed out, calling to certain computers to download additional information.
So effectively it created this tool to do this. This goes well ahead of a lot of these software-type breaches. And it’s scary because this is being used in countless data centers. And it depends on which news you read as to whether or not it actually did impact Apple, Amazon, et cetera. But the reality is it was there, and it was something that was inserted. Those are really hard to find. I wish I could say, “Oh yes, there’s a simple fix for this.”
Part of what … as we think about the applicability of the assessments, or something that CyberGRX works on, is understanding the security practices and kind of chain of custody of these products through the manufacturing process, and what type of programs and controls they have in place to manage that, and giving you a sense there. But this is something that’s pretty hard to identify, and that’s also part of why they’re so rare. These are really hard to put in place. You know, it does point to China, obviously. What is it, 75% or so of electronic equipment is manufactured there. And this is where you’re seeing government intervention, to say we need to be much more cognizant of the products we’re using. I believe these chips were used in drones and some CIA computers and other things, which is really concerning.
Back to your question. Yeah, if you build your program around preventing hardware hacks, you’re probably going a little too far on the spectrum. But it’s a recognition that those types of things exist, and what can you do in terms of preventive controls to understand where that exposure might exist? If you’re going to work with a key supplier, and it turns out that they don’t ever pay attention to where things are along the production line and they have no controls over who has access to it, that exposure goes up. If it’s heightened and locked down, you can have more confidence.
Chris: Right. You’re not necessarily building your security program around finding Mission Impossible-style microchips, but it does allow you to ask the question of, where is all the equipment coming from? What kind of monitoring is happening at the factories, and things like that?
Fred: That’s right. And it’s basically saying, how does your manufacturing company monitor that to ensure that that thing doesn’t happen? Once again, no one is going to be able to say, yes, I can guarantee that will never happen. It’s a matter of, are they putting the right preventions in place to keep that from happening. Similarly, if you think about protecting your home, you could leave the door wide open and have no security system; that’s one approach. Or you could lock the door, put bars on the windows, and that’s a much stronger approach. If someone wants to break into your house, they still probably could, so you can’t fully prevent that unless you’re in some kind of bunker somewhere. But if you’ve put a lot of those things in place, and I’m the opportunistic thief, or even if I’m a determined thief, I walk by that house and I’m not going to mess with this one here; I’ll go for the one with the open door.
Chris: As a new homeowner, I hate that example. You said in our pre-discussion that organizations on a global scale need to pull back the curtain and understand how exactly they must go about the process of mitigating these types of risks. How exactly should they go about doing this? What are some steps that a global company should be putting in place right now to avoid this sort of thing?
Fred: Okay, we talked a little bit about this before. The first and foremost is, know who your third parties are. We talk to countless companies who are still trying to figure out who they are even working with. And it’s hard to protect the flow of information if you don’t know where it’s going. And so the first and foremost is, who are your third parties? How are you containing that? How are you controlling that? And having the right policies in place. You don’t want to fully disrupt the business and put draconian rules in place. But something that at least gives you clarity as to who those third parties are.
The next is using a risk-based prioritization to understand which third parties you should be focused on. And it’s very simple questions around this. Are you sharing sensitive information? Are you giving them credentials into your system? Do they have direct access, or do they come onsite? These types of questions will give you a sense of how important they are, or what the potential exposure is to you, and you can use that as a means to then prioritize the attention you should be spending with each of these companies.
There is not a company out there today that I’m aware of that’s not sharing sensitive information with at least some other provider, where it would really be a bad outcome for them if that provider was compromised. You need to know what that provider looks like, and you need to have some kind of program in place to look at their security posture, and whether it is appropriate based on the amount of information that you’re sharing with them and the level of risk you’re taking by putting that out there.
It’s a simple concept there. And once you do it, once you identify it, then you’re going to almost always identify areas where, wow, that’s a greater exposure than I wanted. And then you have to determine your path there. Do I want to move to another provider? Do I want to reach out to that company and say, I need you to fix these things, and I’ll follow up on that? Or do you say, I can accept all this, but I’m going to put some kind of mitigating control in place in my own environment that allows me to gain higher confidence?
And that’s risk management 101, effectively. It’s saying this third-party ecosystem concept is real and you can’t ignore it. You’ve got to pay attention to where that data is going. And you need to have a basic process in place. And even that alone, what we just walked through there for a minute, gets you kind of 90% of the way there.
Chris: It sounds like your remedies are pretty universal, but is there any way that these lessons you’re prescribing for global companies could also be scaled down to smaller mom-and-pop operations? Any company, from grandma’s rug weaving company or whatever, can still get thread from other countries, other vendors. How do we explain these risks to people who think, well, I’m not Bank of America, they wouldn’t even want to deal with me, or something like that?
Fred: Interestingly, they’re more likely going to be the attack vector into Bank of America versus their own third parties being an issue. That being said, if you’re going down to the rug manufacturer, there are plenty of medium-sized businesses out there that are very susceptible to a third-party attack and need to be focused on building out a program. The primary difference there is that the smaller companies won’t have as much leverage over their third parties. They won’t be able to say, I need you to do this, or I need you to fill out my questionnaire. There are means for them to build that program or build that capability, leveraging a product like CyberGRX, which can get really granular, detailed data.
There are other tools that give them a higher-level snapshot that may be appropriate for their purposes. It’s important for them to also recognize, where am I sending my information? What happens if that gets out there? One of the big issues that larger companies face is they may be reliant upon a smaller provider. Those providers, if they get hit by an attack or a breach of some kind, could likely cost the business a great deal; that’s a multimillion-dollar impact to them that they might not be able to manage. That’s something that the larger company needs to be cognizant of in terms of their dependence on that third party. Going back to the basics, I hate to say it, that smaller company should also be focused: are they patching their software? Do they understand what a phish is?
Those are likely going to be opportunistic, kind of drive-by breaches, not necessarily a targeted attack. The defenses against that can be pretty straightforward. Basically, anti-malware software and other tools like that are just something that, in this day and age, it’s silly not to have in place. Even though not everyone’s thinking, let me spend on cybersecurity when I have a tight budget, the downside risk is so high that some of the basics there can be pretty affordably put in place and help them get to at least first base there.
Chris: Now, if I’m speaking at kind of a high, legal level, if you could wield the magic gavel and enact legislation tomorrow to prevent or minimize these types of attacks, what would you propose?
Fred: It’s an interesting question. I’m going to give you a slight defense. I don’t think it’s the right approach, mainly because legislation typically lags meaningfully behind when things actually happen. It has to be identified, it has to go through committee, et cetera. The way these things actually get solved is through a market-driven approach. How can you show people that cybersecurity is important?
And therefore, going back to your question of how the CSO is going to get additional budget: if I can show my CEO or head of sales that we are losing contracts because our customers see us as inferior, from a security posture, to our competitors, that’s how dollars start to flow into building cybersecurity programs.
And so part of that is greater transparency. When you start to create more standards and understanding of what cybersecurity looks like across organizations, as you’re now considering working with three different law firms, for example, and I know these two have pretty good programs or controls in place,
and I know these guys have absolutely no data protection controls, and I’m about to send a very sensitive agreement over to them, I’m now going to start focusing on numbers one and two. What that means is number three starts to realize, okay, I’m losing business, I now have to invest, and the whole tide lifts. I don’t think you’re ever going to get that with pure regulatory mandates, et cetera. People then basically just do what they have to do to achieve that and move on, versus, hey, this is revenue-driven.
It’s actually impacting my business. That comes from greater awareness and companies appreciating the exposure and the importance of cybersecurity. Just like, you know, most people won’t bring on a new vendor today without doing some kind of D&B review to understand their financial profile. If I’m going to go work closely with these guys and I know they’ll go out of business next week, that’s a problem. You should be doing the same thing for third parties for cyber risk as well, and understand how exposed they are; if not, then I’m going to move on.
Chris: As we start to wrap up today, tell me a little about your company, CyberGRX. How does your company help its clients strengthen their security profiles, specifically?
Fred: We are a third-party cyber risk management platform, really focusing on companies understanding what that broader ecosystem looks like. The innovation for CyberGRX is effectively the one-to-many exchange concept, where we do an assessment of a company, and we house that data centrally, and we allow it to be used multiple times. And so, instead of a lot of the one-to-one exchanges, like I mentioned to you with ADP earlier, instead of them being pummeled with 4,000 requests, they do one CyberGRX assessment, and then they can share that with 4,000 companies. And what we’ve done is we’ve taken all the data collection out of the process, so that a consumer of CyberGRX information, instead of chasing ADP or countless others down to fill out my questionnaire, et cetera,
has that data all live there in our platform, so they can now spend their time and energy on managing that risk, identifying where pockets of risk exist across individual third parties or certain areas, to say, how do my HR third parties look compared to my finance third parties, et cetera. And so you can start to run real risk management capabilities while inserting efficiency into the whole process. And it’s been great. It’s been kind of an explosive year for us, as more and more large organizations are coming onto our platform, recognizing that this allows them to scale. You go back to the question you asked about how you solve this problem. This means that instead of hiring 25 more resources to go from doing 20 assessments to 2,000, you can actually scale with those same resources, because all the busywork is out of it. Now those resources are focused on risk management. That’s what CyberGRX enables, and it kind of builds that ecosystem of sharing.
Chris: Alright. So, wrapping up, as these security issues continue to be discovered and plugged, what are some ways that you think hackers and thieves will be trying to infiltrate supply chains in the future? Where’s the next big wave of fraud coming from? Or it sounds like we haven’t really figured out how to stop the current wave.
Fred: Honestly, I don’t think they need to innovate right now. We have a ways to go to catch up, and as you go down the chain to smaller and smaller organizations who are playing a larger role, because they have new innovative concepts to insert into larger organizations’ processes, they typically don’t focus on security. And so they’re ripe and open to be exposed as an easy path in. As people start to become more and more robust in their evaluation of third parties, and the basic hygiene is cleaned up, then attackers need to become more innovative. They have to compromise in a much more focused way. But right now there are so many companies out there who are not regularly patching their software, who are so susceptible to a phish, that hackers have plenty of space to work with.
Chris: Thank you for joining us today.
Fred: It’s my pleasure. Thank you.
Chris: Okay, and thank you all for listening and watching. If you enjoyed today’s video, you can find many more of them on our YouTube page. Just go to YouTube.com and type in InfoSec Institute. Check out our collection of tutorials, interviews and past webinars. If you’d rather have us in your ears during your workday, all of our videos are also available as audio podcasts, including this one. Please visit infosecinstitute.com/cyberspeak for the full list of episodes. If you’d like to qualify for a free pair of headphones with a class signup, podcast listeners can go to infosecinstitute.com/podcast to learn more. And, speaking to something that Fred talked about, if you’d like to try our free SecurityIQ package, which includes a set of phishing simulators you can use to fake-phish and then educate your colleagues and friends in the ways of security awareness, please visit infosecinstitute.com/securityiq. Thanks once again to Fred Kneip, and thank you all again for watching and listening. We’ll speak to you next week.