Preventing and repairing security breaches

Chris Sienko: Hello and welcome to another episode of the Cyber Work with InfoSec Podcast. Each week, I sit down with a different industry thought leader to discuss the latest cybersecurity trends and how these trends are affecting the work of InfoSec professionals, as well as tips for those trying to break in or move up the ladder in the cybersecurity industry. Our guest today, John Torres, is the president of Guidepost Solutions Security and Technology Consulting Practice.

He works on matters related to risk mitigation, anti-money laundering, security assessments, due diligence, investigations, crisis management planning, cross-border security, event security management, federal counseling, and government compliance. Prior to joining Guidepost Solutions, he served as the special agent in charge for Homeland Security, the second largest investigative agency in the federal government and prior to that, as acting director for the US Immigrations and Customs Enforcement. He is frequently asked to comment on data security breaches and compliance issues, which is one of the many things we wanted to discuss with him today. John, thank you for your time.

John: My pleasure. How are you today?

Chris: I'm good, thanks. Yeah, lovely day. To start things off, how far back does your interest in computers and tech and security go? Was that something you were always interested in or is that something that came later in life?

John: Actually, I found myself early in my career, when I was a young federal agent in Los Angeles, trying to find ways to obtain better evidence, more credible evidence. Early in my career work, I worked a lot of cases in Los Angeles that were related to counterfeiting, smuggling, trafficking, you name it.

John: But many of those investigations, many of those were undercover also. They relied heavily on eye witness testimony, material witness testimony, and of course some physical evidence. But depending on the type of case it was, for example, if it was human trafficking, the evidence were the people.

Chris: Right.

John: Those cases can be very frustrating to prosecute because people's memories fade over time or the recollection is not that good or their credibility can be challenged in court. Sometimes those cases were a nightmare to prove in court. I found myself working with a team of agents saying, "How can we get better evidence?"

We really started to focus in on technology back then; computer evidence, different types of camera, surreptitious recordings, whether they were audio or video. Really at that point when you could bring those cases to the US attorney's office to prosecute, what you're looking at is the video of the crime taking place or an audio recording of a suspect trying to make a deal and then you could incorporate that with fingerprints or follow the financial trail and you end up having a pretty locked down case that usually did not end up going to trial.

Very early in my career, I was always looking at technology to see how we could move things along further. In fact, at one point I was asked to stand up what's called the Law Enforcement Support Center, which today is really the nerve center for Homeland Security with all law enforcement agencies across the country. At the time we started it, it was a small little pilot program in Burlington, Vermont with about eight people. Today, it's a 60,000 square foot office that has hundreds of people working in it 24 hours a day and all law enforcement agencies can connect to DHS through that center now.

Chris: Wow. It sounds like you were spearheading the increase in use of technology for information data collecting. Was this met with resistance from your supervisors or did they understand the importance of it pretty much right away?

John: Well, that's funny you bring that up. My original supervisor, when I said I wanted to use more technology, at a very early stage of my career, he says, "No. This is how we do it. We've always done things this way. Just go out there and make the case." I remember one time, we worked a case for about a month, did a number of under-cover deals, long surveillance hours overnight. Then ultimately, because we didn't have all this technology, we weren't allowed to use it at the time, when we went to do the search warrant, they had moved out in the middle of the night and we ended up with nothing.

Chris: Wow.

John: At that point, I sat there in my boss's office, he says, "You know what? Let's try it your way next time and see how this goes." That really changed everything in that office going forward.

Chris: Yeah, yeah. Sometimes, all right, it's time to go with plan B and then it turns out plan B turns into plan A.

John: We had to learn the hard way on that.

Chris: Yeah. While you've clearly had numerous jobs and responsibilities and worn a lot of hats over the years, the area of your expertise that we're specifically interested in today at the Cyber Work Podcast is your work preventing and repairing damage caused by security breaches. I thought we could start there if possible. What are some specific cases, issues, or attack vectors that you and Guidepost have been focusing on lately with regard to security breach?

John: Well, I can tell you some of the industries that have been calling quite frequently for us is the ...

Chris: Okay.

John: ... The education sector. Really, we're getting a lot of schools and universities calling, not just for cyber breaches and cybersecurity, but for all things security. Security design work, training for active shooter. It has really been something that has been at the forefront of our mission and services that we provide to clients probably for the past two years now.

It seems like, I read a statistic recently that said there have been over 650 shootings in schools since September. That's basically 650 shootings this past school year and every time we start to work on one for another university, you see something in the news, it seems like every week, so last month's shootings are old news already. We're seeing a lot in the education sector.

A lot in the healthcare sector. We see some disgruntled patients that may be violent towards doctors where they feel that they received poor healthcare or poor healthcare for a loved one. Then we have the HIPAA issues trying to protect the client information with the electronic records of the doctors that they're using now. It's very convenient to go online, see all your medical records, and access them almost in real time, but that comes with a lot of security issues as you can imagine because that's very sensitive information that is in someone's cloud somewhere.

Then of course, we still do a lot of work in the financial sector. Banks, financial industries, anti-money laundering, compliance, a lot of software, a lot of data as well as financial transactions that take place on a daily basis. We're seeing a lot more now in the sports and entertainment industry, whether it's through movie studios or actual leagues or stadiums and arenas that want to have better protection because you're starting to see a lot more of the internet of things where historically, things weren't as connected as they are today.

Chris: Yes, for sure. Now, do you see any particular through-lines between the different ways that security is being breached, especially online and electronically, between these industries? Are people using the same techniques to get into healthcare that they are to get into finance sectors and so forth?

John: Sure. We see a lot of phishing obviously, but you see a lot of the similar techniques where they just try to get people to click on something they shouldn't to be quite frank. Unfortunately, with the healthcare industry you see a lot of it in Florida where you have many retired people, they're more susceptible to clicking on a link because it's a generational thing about being taught on using computers and emails and what to click on and what not too. It's very easy for them to think, "Well, this is coming from my doctor. I should just click on this link," and there goes all their information.

Chris: Yeah. Now, with regard to specifically healthcare and I guess also with schools and so forth, you combined security breaches with regards to electronic breaches, i.e., theft of data with also actual perimeter breaches, active shooters and so forth. Are those combinations a common caseload for you and how do you combine electronic safety with physical safety?

John: Initially, they were not.

Chris: Okay.

John: We had a lot of requests to just come in and do training for example or do security design work, change the layout of how someone, when someone enters a lobby, what they can actually gain access to.

Chris: Okay.

John: Make stronger doors, so people can't get into the school or a doctor's office. But that then transitioned over to, "Can you come in here and do a full assessment?" Because really, if we went in and did the training and we did it for a number of employees, for example, if it was teachers or bankers or lawyers, you had executive training versus rank and file training.

Chris: Okay.

John: More times than not, the rank and file, the average employee would say, "Hey, this is all great that you're teaching us how to respond in an active shooter situation, but what is the company doing for everything else? How are they making us safer? Because someone could just walk in the front door, it's always open and there are no locks, there are no cameras."

Chris: Right.

John: We found a number of clients who said, "Can you come in and do an assessment and look at everything including potential cyber breaches?" What we end up doing now is more of a comprehensive look, a security master plan, to address all things and then we can then phase it for them and say, "Here's a menu of options and you could build it out over a timeframe," based on what they think was the highest risk that's in front of them today.

Chris: Okay. That seems like that's the way of the future here, that we're thinking in terms of not just electronic, but a comprehensive plan for every aspect of your organization.

John: Right, right.

Chris: Yeah. Now, as mentioned at the top of the show, we're talking about a lot of different things today, but the focus of Cyber Work is to talk about careers in the cybersecurity industry. I was hoping you could tell me a little bit about the career path you took to become a security consultant the way you are. What are some of the intermediate steps along the way in terms of important skills you needed to learn, titles you needed to earn, information absorbed that got you into this position in your career?

Yeah, that's actually a very good question. One of the things I tell, especially college students or young professionals, please learn how to write. It's critical in any profession to be quite frank with you. Whether you're starting out as a federal agent as I did and worked a number of different types of investigations or security events throughout my career. Quite frankly, that was able to translate into a career for me in security.

But I always start with saying, "You got to learn how to write." If you can write, there's a lot of report writing in our world, whether you're presenting a prosecution report to a US attorney's office or in our world today, doing a security assessment, putting a report together for a client. They pay a lot of money and they expect a certain level of professionalism and they don't want to see something scribbled together on half a page here.

Chris: Right.

John: That's part one. But part two is, there's a lot of training people can do and a lot of certifications that they can get. In our world at Guidepost Solutions, for example, we have a number of security specialists that have backgrounds in engineering and architecture or IT security for example.

That's because we do a lot of security design work as opposed to the boots on the ground that you hear about with the guards in uniform standing post for example. We'll go in and design security systems for an NFL stadium or NBA arena or a university or a high-rise, like what used to be called the Sears Tower for example. Now, Willis Tower ...

Chris: Kitty-corner from my office here.

John: Right, right. Today, it's Willis tower.

Chris: Yep.

John: We have a lot of design specialists and they have all kinds of certifications from a certified protection specialist or even certified cloud security professional. We even have some people that are LEED, Leadership and Energy and Efficiency Design.

Chris: Okay.

John: Or Payment Card Industry, PCI specialists or computer security incident response teams. All of those are a service that we can provide that are critical to many of our clients because they really want to incorporate all those different facets of security when they're looking at what the risks are for their company or for themselves.

Chris: Okay. I think possibly people who are not currently working in cybersecurity, but are interested in transitioning toward it, probably their ears perked up a little when you said that you have IT people and architects and so forth.

When you were hiring people who have these, I wouldn't say non-traditional, but you wouldn't maybe pull them first out of the resume pile, what was it that you saw in people who had IT and security architect background or IT architect background that you thought would make them capable of doing this job? Were there certain things that they needed to show or were you able to transition them more towards the security framework?

John: Yeah. There's been two parts to that and in the best of both worlds, people will have both of these. But we have some people that can do great design work. They'll pull out the specs, they can do it through some of the software that's available now. We basically have services, a managed services division out of our Dallas office, and also a support division that will sit there and do a lot of that design for all of our offices.

But that doesn't necessarily translate into being able to communicate with people very well and so we have some people that are great communicators/salespeople, but they don't have the technical background. In our world, what we see is people that can do both, that have a technical background that can actually do the physical security assessments or the computer IT type of assessment or the architecture of the system and then also be able to get in a boardroom or C-suite and communicate that to the clients very efficiently.

That's not always the case. That doesn't necessarily mean we still don't want to hire you because we still need people that can actually do that, that can work in their office or sit in a cubicle and really roll up their sleeves and get that work done. But the people that are succeeding the most in our company are the people that can do both.

Chris: Okay. Can you walk me through your average day at Guidepost? What are some jobs, tasks, responsibilities that are constant on most days? Like, what time do you get into work? What do you start with?

John: The one thing that I like about my job is it varies every single day. You don't have the consistency. It's not a nine-to-five job.

Chris: Okay.

John: One of the things people ask me about is, "Do you have to go in the office every day?" I say, "No, not necessarily." In fact, I travel a lot. We have offices around the globe and so I'm either traveling to meet with our offices or clients for example. We have a number of clients across the country and globally as well. When I'm not traveling, if I am in the office, for example, I'll try to get in real early before traffic or I'll wait and let it die down a little bit for commute purposes and get in a little later.

But then I end up being ... My daughter asked me this the other day, "What do you do dad?" I said, "Besides talk on the phone and sit in meetings all day?" She looked at me and says, "That sounds kind of boring." I had to explain it to her a little more and talk about how we try to solve people's problems. My typical day is responding to client needs, client emergencies, which happen more often than not.

Taking calls at two o'clock in the morning from our office in Singapore or early in the morning from our UK offices. Now we've just expanded into Latin America, South America and I'll be heading down to Columbia here in another couple of weeks. There's a lot going on and I'm usually out of the office working with clients or meeting with employees from our different offices.

Chris: Okay. What is the most challenging, if you can think of it, most challenging cybersecurity breach or case you've ever worked on and what did you do to turn it into a successful outcome?

John: Yeah. Well, there have been a number of them, but I'll mention one here that we did a couple of years ago that involved a financial institution where an executive at that financial institution received a package in the mail that had a number of customer data sheets. Basically, the personal data and financial data of a number of the financial institution's clients.

Chris: Okay.

John: It was sent to them including the data of himself and a close relative of his. They said, "Here's an example of the data that's being breached from your institution and here's the name of the person that is stealing it from you and selling it out on the open market."

John: He immediately called the FBI. FBI came in and took a look at it and said, "This doesn't really rise to a level of a federal investigation. You'll have to handle this yourself as part of an internal investigation." He turned around and hired us. They asked us to come in on a holiday weekend when the bank was closed and go through as much of the background data as we could.

John: We brought in our IT and cyber professionals. We did a cyber forensic investigation as well as interview witnesses that were listed on this letter and ultimately what we found out is that that person who had been temporarily suspended pending the investigation was not involved at all. She was being falsely accused by another employee who was jealous of her promotion.

Chris: Wow.

John: Really what ultimately allowed this person to get access to all this information is this financial institution did not really have the good checks and balances in place. They weren't using technology like cameras. They weren't using notification systems with their software. Basically anyone, any employee could access anyone's information and not leave a trail or it wouldn't trigger any alerts. On top of that, they could then go copy all that information on their copiers and there were no cameras in common places, so they could see what was going on after hours.

John: They didn't have any access control monitoring, so you could see who was coming in and out at odd hours. There were a number of things that they had to improve ultimately. What made us successful is really having our computer forensic people go through and go through the digital trail. We were able to determine the only three people that accessed the majority of those records and two of them we were able to rule out as being involved in that and really left with the one person that ultimately the bank had to let go.

Chris: That's another example of, like you said, you're not just working with either just the technical side of security compliance, but also the physical side. You were suggesting cameras and locks and so forth.

John: Right, right, exactly. And different types of compliance control issues. Policies that needed to be followed. They are in a much better place today. That couldn't happen again. But similar with many clients, they don't think it's ever going to happen to them until it does and then it ends up costing them a lot more money to get it fixed.

Chris: Yeah. Then they have to call Guidepost. You already mentioned specifically 2:00 AM, but my next question was about what, if any, are some downsides to the kind of work you do? Since your job is a dream job for a lot of security folks, what are some of the, as I put it, it's 2:00 AM and I'm still up dealing with this nonsense, aspect of the work that they should know about as well?

John: Yeah, I do get a lot of that, but that comes with the territory. That's to be expected somewhat. It doesn't happen as often as it did when I was in the federal government. It happened at least once or twice a night back then. Some of the issues I see is you can get some very demanding clients with unrealistic expectations.

Chris: Okay.

John: We've had some clients that for the amount of money that some of them pay, they just assume, "What I'm paying you, this should be fixed tomorrow."

Chris: Right.

John: Or you get clients that they really don't want to spend the money on security or compliance until they have to and then of course by then, it's too late and it becomes, "You can pay me now or you can pay me a much higher premium later because we're going to have to drop everything and scramble an entire team as opposed to one or two people up front that could put together a comprehensive security plan for you." That can be frustrating, but I understand it. Security and compliance does not generate revenue for many companies. It's a cost and so they try to keep their costs down as much as they can.

Chris: While it's impossible to know everything about cybersecurity and also still do your day-to-day responsibilities, your clients obviously depend on you for this. They need you to be able to assess risk and advise mitigation often on challenges that are evolving minute by minute. How do you address this challenge? Obviously, I'm assuming you have advisors who are keeping up-to-date with all the security, changes minute by minute. I guess, what is your team look like in that regard?

John: We do have teams that are continually taking training and going through the most recent generations of software and technical equipment, so we can stay on top of that. Really what I see is, how do you address that evolving challenge? One of the best ways to do that is by having a security master plan.

Chris: Okay.

John: As opposed to put Band-aids on different types of areas. We had one client recently approach us and say they wanted to build a smart center. Not just an operation center, not a security center, not a global security operation center, but a smart center that is really going to control everything for them. That can turn on and off the lights, it could unlock doors, it could handle the thermostat temperature in different buildings. Really, you end up saving money that over the longterm, it can pay for itself.

But really the genesis of it is, is security. While some companies don't want to invest that kind of money and we understand it, we also provide solutions where people can do managed services and we can basically chase the sun for them, depending on where they have their offices, whether it's here, West Coast, India, Asia, and we'll work it overnight for them out of our operations center, similar to a help desk that's located somewhere.

John: What we do is put protocols in place that say, "If this event happens or this alarm goes off, how do you want us to respond? Do you want us to call a particular person? Do you want us to just call the security company on the ground?" Really, it becomes a much more efficient process that you stay on top of the trends and things that are happening in real time.

Chris: From a security and technology standpoint, what's the most important yet overlooked thing that you think that enterprises don't do to protect their data? Are there any examples of strategies that used to be a problem conversely, that most companies seem to have figured out by now? I guess that's two questions there. What's the thing that you wish more companies were systematically doing and then, are there any things that people are starting to systematically do that's reducing certain types of breaches?

John: Yeah. We're doing a lot more data center security design.

Chris: Okay.

John: Which goes hand-in-hand with cloud data protection that people need ... They're getting much better. As recently as two or three years ago, people were saying, "What's the cloud? What are you talking about?" Today, they're being very aggressive in protecting a lot of data. Out here in Northern Virginia where I live, there are data centers popping up left and right that are going in with the state- of-the-art design protections that didn't exist a couple of years ago.

But one of the things I see them ... The companies are figuring that out. They're also figuring out the simple things like complex password policies that didn't exist, that they are a pain to all of us that are the users. That I have to change my password again. It's only been 90 days and these are the last eight that I used and it's got to include all 15 characters and et cetera.

But they're getting better at that and added in too, factor authentication also. Those are some of the things I think that have really progressed very well in the last few years and quite frankly they've had to because that was where the majority of the breaches were coming through.

Chris: Going back again to job related things, for someone who is say, feeling stuck in a lower level security job, like at a help desk or some other place where they don't feel like they can break out of, what are some things that they can take on today, whether they're reading about a new skill, signing up for a course that could move them in the direction of a career as a security consultant?

John: Sure. Sign up for a new course. Getting certified in many of those areas we mentioned earlier are very helpful as well as learning how to do security assessments and audits.

Chris: Okay.

John: If you're bored at a help center or help desk, this will get them out of the office. They will be onsite with clients. That comes with its own issues as you can imagine too. We recently did some onsite assessments for a hospital in Milwaukee a couple of months ago and in the middle of the polar vortex. We had a couple of teams out there doing the parking garage and having to walk around the hospital and they said, "It's as cold as they've ever been."

But you know what? They weren't stuck in the office. It helps them to get their foot in the door when they can do that because it's really like the first step for all the rest of the security we can do is, people want to start with an assessment. Can you come in here and do an assessment?

Even if they have their own security team that does assessments, I'm talking about corporations or sports teams, for example, we'll still get hired by maybe the CEO or by the team owner and say, "Can you come in here and do a peer review? I want to make sure that I'm getting what I'm supposed to be getting." They'll ask us to do an independent outside assessment. It starts with the assessment and then we can make recommendations based on their budget as to what changes that they might need to make.

Chris: Okay. You mentioned certifications real briefly. What are the particular certifications that you like to see on a resume or that indicate that this person has the background that I'm looking for?

John: Sure. The Certified Security Professional is usually the basic accreditation or certification. Then depending on specifically what we're looking for in the computer industry, the Computer Security Incident Response Team, the C-SIRT is very good, as well as the Certified Information Security Assistant Security Professional, the CISSP. Then there is CCSP, the Certified Cloud Security Professional. Those are all pretty much key to resolving a lot of the problems we have.

It demonstrates that they've been able to grasp and learn this information in this industry and of course, that's your basic building blocks, the foundation if you will, for them to then come in at Guidepost and learn even more from mentors or some of the other professionals we have on the ground already.

Chris: As we wrap things up today, within your area specifically within cybersecurity, what are some of the security challenges that you see on the horizon for 2019, 2020, and beyond?

John: A couple of things. The internet of things.

Chris: Okay.

John: As I was driving in this morning, there was wifi in my truck. There's wifi in airplanes. There's wifi in everyone's houses including controlling your refrigerator, your television, your thermostat, your electricity. It really comes down to how well protected are you? What kind of password do you set on those things? We saw the incident where someone went on the plane and hacked into the systems of the plane just to prove that he could do it. He wasn't going to do anything nefarious or bad, but still to show that someone can get on an airplane, get on their wifi and then hack the system.

Chris: Wow.

John: That's a huge problem as you can imagine. I see that as being a significant challenge in the years coming up as well as the ransomware. We still continue to see people being subjected to ransomware where their entire system gets locked down and then they've got to pay a lot of money to get back into it.

Chris: We've had a few guests talk about ransomware. What are your particular strategies in terms of someone calls you about ransomware? Do you advocate for paying the fee? Do you advocate for trying to unlock it? Do you have a set policy or does it vary from case to case?

John: It does vary from case to case. I was actually just going to say that. We have to look at the totality of circumstances and the type of breach as well as what type of data the client needs to get access to and how critical is it? Is it a hospital where machines are going to get turned off and people are going to die? You take a look at the totality of circumstances. To the extent you think you might be able to break that? Great. But in some instances, time is of the essence as well as the potential risk for life and in some instances, we've had to pay it.

Chris: Okay. Again wrapping up, if people want to know more info about you, John Torres or Guidepost security, where can they go online?

John: The best place is our website, Guidepostsolutions.com or they can follow us on our Guidepost Solutions Twitter and LinkedIn accounts. Those are the easiest ways to get more information.

Chris: Okay. That's at Guidepostsolutions?

John: Right. Or they can reach out to us directly through the website. Happy to talk.

Chris: Great. John, thank you so much for joining me today.

John: My pleasure. Thanks for having me.

Chris: Thank you all for listening and watching. If you enjoyed today's video, you can find many more on our YouTube page. Just go to YouTube and type in Cyber Work with InfoSec to check out our collection of tutorials, interviews, and past webinars. If you'd rather have us in your ears during your work day, all of our videos are also available as audio podcasts. Just search, Cyber Work with InfoSec in your favorite podcast catcher.

To see current promotional offers available for podcast listeners and to learn more about our InfoSec Pro Life bootcamps, InfoSec skills on demand training library, and InfoSec IQ security awareness and training platform, go to InfoSecinstitute.com/podcast or click the link in the description below. Thanks once again to John Torres and thank you all for watching and listening. We'll speak to you next week.