comSpark Podcast - Mike Rock, Executive Security Management Consultant at Vernovis
AP: It's good to have you here. My name is Alex Perkins. I'm with Global Business Solutions. We are a full-service IT managed service company with AV, cabling and a full suite of solutions, headquartered out of Newport, Kentucky. It's good to be here with you, Mike. Mike, the Meltdown and Spectre vulnerabilities that have come to light in recent weeks, how worried should we be?
MR: For companies out there that are concerned about the Spectre and Meltdown vulnerabilities, I think that everybody should have a certain level of healthy concern, but it should be an educated concern. Understand how it applies to your particular environment. For most companies, if you have good mature security practices and good IT hygiene, I think your level of concern is likely to be lower. And this type of vulnerability is also why a lot of companies talk about having layered defenses. So, if you can prevent these malicious individuals from actually gaining the access necessary to use these exploits, then you have a lot less to be concerned about.
AP: So how might this affect our businesses? I'm looking at the scope and wondering how deep these vulnerabilities go, because obviously we know they affect multiple hardware and platforms. How might this affect our business?
MR: I see it similar to other critical vulnerability fixes. The only difference is that we are actually having to patch firmware, which is not quite as smooth as doing, say, a simple patch, because you have to take the system down and then you have to gain access to the hardware and apply that. And if anything goes wrong you have to have a backup plan. And firmware upgrades don't always have clean backup plans. So, to me it's more of an IT operations issue, and if they have good maintenance windows, they can get the job done with very little business interruption. There have been reports of some of these patches creating some application and operating system errors. But the way I look at it is most companies are accustomed to dealing with small IT outages. It typically doesn't bring business to a grinding halt anymore. They are used to, 'oh, this happened, we'll be back in a couple of hours,' and people usually work around that. It's not usually going to bring the company to its knees. So, you know, from a business standpoint it needs to be taken care of, it needs to be prioritized. But during these patches something could happen and you could have a small outage. I would just encourage you not to panic. IT departments know what they're supposed to do.
AP: So, going in from a business perspective, are these vulnerabilities going to affect personal devices, tablets, smartphones, et cetera? We know the vulnerabilities exist. How deep do you think that's going to go?
MR: So, if you want to talk about the personal side, I mean almost all of us have, you know, a smartphone, some sort of pocket computer, be it a tablet or whatever else. But this is where I would like to, again, rather than tell people they need to worry, say they should just have some educated concern. You know, using technology is kind of like driving a car. Every time you get in a vehicle and it begins moving, there's a little bit of risk involved. If you're a careful, defensive driver, there's a lower likelihood you're going to have an accident, but it's not guaranteed. If you're a reckless driver, there is a greater chance of an accident. The same can be said for any of these big security findings that we have stumbled across over the last few years. If you're careless with your devices, your passwords, or the content you view, or even the connectivity you have, you know, thinking public Wi-Fi, there's a much greater chance you're going to become a victim of this attack. So it's a broad spectrum of concern. Again, if you're very conservative and you keep your device buttoned up and you change all your passwords and you don't put things on your device that you don't know what they are, it's a very low risk, but for those that just have no awareness of what these risks are, I would be a little more worried.
AP: It's really incumbent upon the organization to educate their employees, because we obviously know that employees are the first line and are how most vulnerabilities are accessed.
MR: I absolutely agree. I have been there. Keeping employees aware and engaged has been one of my top priorities for the last few years. I have been with multiple companies where we have done road shows. We have really taught people and their teenage children how to be safe with the devices that they use on a daily basis, where they may not even understand what those risks are. But what I find is very useful is when you teach them how to protect their personal information, the residual effect is that they begin to understand and put those same practices into place for the company, just because it becomes habit. But if you make it personal for them, the what's-in-it-for-me kind of concept, they like to pay attention and they really appreciate it.
AP: I think that's great. I've never heard of a company going to that extent of teaching them more and educating the personal side and then having that flow down to the business. That's very interesting. Very interesting. Device hardening: should all companies harden their devices?
MR: I can say that hardening all devices would certainly raise the bar. It will make it much harder for malicious individuals out there to gain footholds or to even just steal the information that is on that device. It's also a good thing to do. It's a wise thing to do, because from a company perspective you can prove to your customers and governments and whoever else is asking the question that yes, we take protecting your personally identifiable information seriously, and we do so by putting these certain protections in place. However, the flip side of that is sometimes it becomes a user experience concern, because people don't necessarily want to have to take two or three extra steps to get to their email, or they don't like the fact that they can't use their favorite app because it's been proven to be insecure. So, you have to balance those costs and those user experience implications with the perceived benefit. And I think every company has to look at that differently. It depends on what your exposure to this type of information is and how far they want to go.
AP: What would you recommend to a company that really has no security or governance plan? Where do you start? What are your recommendations?
MR: First, I'd like to say that my definition of a security program is that it's a business plan to protect your information assets. I use that explanation with business leaders and they understand that, because when you say "security program," it sounds like some sort of big, complex black box that only security people understand. And that's true to a point, but when you say it's a business plan, well, business plans evolve, and a business plan does not have an end date. The same thing can be said for a security program. There is an objective, you will have certain goals, you have investments, and you have certain things that you're going to check off as you proceed down through the year, and anything you don't get done gets pushed into the next year and you keep on going. So your program evolves as well, just like the business environment changes and you have to make changes to your business plans. Your security program evolves based on changes to the threat environment, or acquisitions and divestitures, or whatever else. So, that being said, anybody that does not already have a security program or a good security leader in place, I would highly recommend you find somebody that has experience doing this and get educated. Lean on your associations, lean on some of the public webcasts that are out there for your industries. Security is in the news all the time. Educate yourself to the point where you can at least understand the space, to be able to have rudimentary conversations with security experts, and you can begin to understand the language and the objectives that are discussed in this space. You can also look at some government agencies that have a lot of helpful information on their websites.
I don't know any offhand, but it would probably be good if we could link a few for our Ohio and Kentucky folks and show them, look, here are some places where the government's trying to help, particularly small and medium-sized businesses that don't have the internal expertise but need to know where to start. So it's not always just about googling the question. You have to look for, I would say, good, valid expertise. Once you've learned enough, then I would highly encourage you to use your network. So, talk to your trusted business partners, some of your employees or some of your friends, and find out who does this and who has a reputation and track record, not only for delivering but for integrity and for being able to be flexible. Because no security plan is the same for any company. Everything is custom made. Just because it was custom made doesn't mean it has to be super expensive. So, once you get the education and then you talk to your friends and find a couple of good references, people who have used these people before, then call them in and have them explain to you what they would do.
AP: Well, that sounds like sage advice from Mike Rock with Vernovis. Thank you for being here with us today. And good luck in everything in your future.